Open Access

Known-Key Attack on GIFT-64 and GIFT-64[$$g_0^c$$] Based on Correlation Matrices

Publication type: Book Chapter
Publication date: 2024-07-15
Scimago quartile: Q2
SJR: 0.352
CiteScore: 2.4
Impact factor: not listed
ISSN: 0302-9743, 1611-3349, 1861-2075, 1861-2083
Abstract
Block ciphers are often used as building blocks for one-way compression functions, which in turn can be employed to construct hash functions. Two well-known methods for designing a one-way compression function from a block cipher are the Davies-Meyer construction and the Miyaguchi-Preneel construction. To verify the security of such a construction, it is necessary to evaluate the robustness of the underlying block cipher in a setting where the adversary knows, e.g., the secret key, the so-called known-key model. In this paper, we evaluate the security of the lightweight block cipher GIFT-64 in the known-key setting, when used as a building block of hash functions. We significantly improve the known-key distinguisher to full GIFT-64. The distinguisher is composed of truncated differentials over 13 rounds and a meet-in-the-middle distinguisher over 15 rounds. We leverage a relationship between truncated differentials and multiple linear approximations cryptanalysis. It allows us to transform the search for truncated differentials into the construction of multiple linear approximations, resulting in an improved probability for the truncated differentials. To collect as many related linear approximations as possible, we use a relatively low-dimensional binary correlation matrix in which the Hamming weight of the linear mask on the internal state can reach 8. Employing this correlation matrix, we precisely calculate all linear approximations that satisfy the specific conditions. To obtain a full-round distinguisher, these approximations are pre-filtered by a meet-in-the-middle distinguisher via a new matching method called rotational recombination. We would like to highlight that our distinguisher applies successfully to the full-round GIFT-64 with a time complexity of $$2^{60}$$. Furthermore, we implement the attack successfully on a variant of GIFT-64, GIFT-64[$$g_0^c$$], proposed at Eurocrypt 2022.
Cite this

GOST
SUN X. et al. Known-Key Attack on GIFT-64 and GIFT-64[$$g_0^c$$] Based on Correlation Matrices // Lecture Notes in Computer Science. 2024. pp. 20-40.
GOST (all authors)
SUN X., Zhang W., Rodríguez R., Liu H. Known-Key Attack on GIFT-64 and GIFT-64[$$g_0^c$$] Based on Correlation Matrices // Lecture Notes in Computer Science. 2024. pp. 20-40.
RIS
TY - GENERIC
DO - 10.1007/978-981-97-5025-2_2
UR - https://link.springer.com/10.1007/978-981-97-5025-2_2
TI - Known-Key Attack on GIFT-64 and GIFT-64[$$g_0^c$$] Based on Correlation Matrices
T2 - Lecture Notes in Computer Science
AU - SUN, Xiaomeng
AU - Zhang, Wenying
AU - Rodríguez, René
AU - Liu, Huimin
PY - 2024
DA - 2024/07/15
PB - Springer Nature
SP - 20-40
SN - 0302-9743
SN - 1611-3349
SN - 1861-2075
SN - 1861-2083
ER -
BibTeX
@incollection{2024_SUN,
author = {Xiaomeng SUN and Wenying Zhang and René Rodríguez and Huimin Liu},
title = {Known-Key Attack on GIFT-64 and GIFT-64[$$g_0^c$$] Based on Correlation Matrices},
booktitle = {Lecture Notes in Computer Science},
publisher = {Springer Nature},
year = {2024},
pages = {20--40},
month = {jul},
doi = {10.1007/978-981-97-5025-2_2}
}