Integral Attack on CHILOW

Document Type : Research Article

Authors

1 Research Center for Development of Advanced Technologies, Tehran, Iran.

2 Department of Electrical Engineering, Shahid Beheshti University, Tehran, Iran.

DOI: 10.22042/isecure.2026.242054

Abstract
CHILOW is a family of tweakable block ciphers introduced at Eurocrypt 2025, prioritizing decryption speed over encryption speed. This is achieved through a low-latency non-linear layer of degree two within the round function and a minimal number of rounds. As a result, CHILOW presents an appealing target for attacks that exploit its algebraic properties. These characteristics, along with the strict query limitations imposed by the designers, motivate our investigation into CHILOW's security against integral attacks leveraging the division property. We have identified several integral distinguishers, which vary in data complexity and the number of balanced output bits. Specifically, for CHILOW-(32+τ), we derived a 4-round distinguisher with 15 constant bits in the input, in which all 32 output bits are balanced. However, the longest integral distinguisher that complies with the query limitations extends up to 3 rounds. For CHILOW-40, integral distinguishers up to 5 rounds are detected; however, only those spanning three rounds meet the query constraints. Furthermore, we have explored the potential for extending these distinguishers to key-recovery attacks and analyzed their complexity. Using the 3-round distinguisher on CHILOW-(32+τ), we propose a key-recovery attack with a 32-bit advantage, a data complexity of 2^40 chosen ciphertexts and a time complexity of 2^40 decryptions, all within the query limits. Therefore, by performing an exhaustive search over the remaining key candidates, a single candidate for the master key can be recovered, resulting in an overall attack time complexity of 2^96 decryptions. Additionally, we present an integral key-recovery attack on the 6-round version of CHILOW-(32+τ) with a data complexity of 2^8 chosen ciphertexts and a time complexity of 2^102.6 encryptions. This attack only obtains information from the tweaks of the last three rounds, and using this information to recover the master key will be the subject of future research.
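The abstract's core observation is that a degree-two non-linear layer iterated for few rounds keeps the algebraic degree low, so XOR-summing the outputs over a cube of dimension larger than that degree yields a zero sum ("balanced" bits), which is exactly what an integral distinguisher is. The following added example (not code from the paper and not CHILOW) makes that concrete on a constructed 9-bit toy cipher: a Keccak-style chi layer (degree 2), a constructed linear layer, and constructed round keys `KEYS`. `balanced_bits` performs the experimental check a cryptanalyst runs to confirm a distinguisher: fix the constant bits, enumerate the cube, XOR the outputs, and report which output bits sum to zero. All names (`toy_cipher`, `lam`, `integral_distinguisher`) are assumptions of this example; the round counts, cube sizes and complexities quoted in the abstract come from the paper's division-property search, not from this toy.

```python
# Added example (not from the paper, not CHILOW): a constructed 9-bit SPN with a
# Keccak-style chi non-linear layer (algebraic degree 2), used to show how an
# integral distinguisher is verified by XOR-summing outputs over a cube.
N = 9                                  # toy state width in bits (constructed)
MASK = (1 << N) - 1
KEYS = [0x1A5, 0x0F3, 0x1C7, 0x06E]    # constructed round keys, 9 bits each


def rotl(x, r):
    """Rotate a 9-bit word left by r bits."""
    r %= N
    return ((x << r) | (x >> (N - r))) & MASK


def chi(a):
    """Keccak-style chi on a 9-bit ring: a_i ^= (~a_{i+1}) & a_{i+2}.
    Every output bit is a polynomial of degree 2 in the input bits."""
    a_next = rotl(a, N - 1)    # bit i now holds a_{i+1}
    a_next2 = rotl(a, N - 2)   # bit i now holds a_{i+2}
    return (a ^ (~a_next & a_next2)) & MASK


def lam(a):
    """Linear mixing layer (constructed): a ^ rotl(a, 1) ^ rotl(a, 3)."""
    return a ^ rotl(a, 1) ^ rotl(a, 3)


def toy_cipher(x, rounds):
    """`rounds` rounds of chi, linear layer and round-key addition.
    Because chi has degree 2, the degree after r rounds is at most 2**r."""
    for r in range(rounds):
        x = lam(chi(x)) ^ KEYS[r]
    return x


def balanced_bits(f, cube_mask, base=0):
    """XOR f(x) over every x that equals `base` outside cube_mask and takes all
    2^dim values on the cube bits. Returns the output bit positions whose
    XOR-sum is 0, i.e. the balanced bits of the integral property."""
    acc = 0
    sub = cube_mask
    while True:                        # enumerate every subset of cube_mask
        acc ^= f((base & ~cube_mask & MASK) | sub)
        if sub == 0:
            break
        sub = (sub - 1) & cube_mask
    return [i for i in range(N) if not (acc >> i) & 1]


def integral_distinguisher(rounds, cube_mask, base=0):
    """Balanced output bits of the toy cipher for one cube. The constant input
    bits are those outside cube_mask, fixed to the matching bits of `base`."""
    return balanced_bits(lambda x: toy_cipher(x, rounds), cube_mask, base)


if __name__ == "__main__":
    # A cube of dimension 2**r + 1 exceeds the degree bound: all bits balanced.
    print(integral_distinguisher(1, 0b000000111))   # dim 3 > deg 2 -> 9 bits
    print(integral_distinguisher(2, 0b000011111))   # dim 5 > deg 4 -> 9 bits
    # Below the bound only some bits are balanced: bits 0, 2 and 8 are not,
    # because the only degree-2 monomial a_0*a_1 sits in chi output 8 and the
    # linear layer spreads it to bits 0, 2 and 8.
    print(integral_distinguisher(1, 0b000000011))   # -> [1, 3, 4, 5, 6, 7]
```

The degree argument is the reason the zero-sum is independent of the key and of the constant bits: summing a degree-d polynomial over a (d+1)-dimensional cube kills every monomial. What this toy cannot show is the sharper result in the abstract, where division-property search finds balanced bits well below the naive degree bound (a 4-round distinguisher with 15 constant bits on CHILOW-(32+τ)); that requires tracking the cipher's actual round function bit by bit rather than only its degree.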

Articles in Press, Corrected Proof
Available Online from 19 March 2026