Framework for faster key search using related-key higher-order differential properties: Applications to Agrasta

The relevance of the related-key model is usually controversial. However, in some cases, related-key properties have already been used to reduce the effective key length of the cipher in the single-key model. Hence, research into this direction can be helpful to bridge the gap between theory and practice aspects of the related-key model. Motivated by this challenge, the authors develop a new framework to provide further evidence that deterministic related-key characteristics can be utilised in the single-key model. The authors describe a sound framework for utilising related-key higher-order differential distinguishers that can beat the boundaries given by exhaustive key search. The data required is only one known as plaintext-ciphertext pair if the number of ciphertext bits matches the key length. From a theoretical point of view, the connection between related-key higher-order differential properties and the security of cryptographic primitives in the single-key model are precised. From a practical point of view, the proposed framework is used to evaluate the security of Agrasta cipher which is a variant of Rasta cipher presented at CRYPTO 2018. The proposed method is the first analysis of Agrasta reduced to three rounds that performs better than exhaustive key search and is independent of the used linear layers.