Clear Sky Science
Evidence-based, jargon-light explanations

Clear Sky Science · en

An automated model for differential meet in the middle attacks on AndRX ciphers

· Back to index

Why this research matters

Every time we use a smartphone, pay online, or connect a medical device, tiny digital locks called block ciphers protect our data. Security experts constantly try to break these locks in order to design safer ones. This paper presents a new way to automate a powerful style of attack on a popular family of lightweight ciphers, helping researchers test how strong these digital locks really are.

Figure 1. Automated tool scans lightweight block ciphers to spot subtle structural weaknesses in their digital lock design.
Figure 1. Automated tool scans lightweight block ciphers to spot subtle structural weaknesses in their digital lock design.

How modern code breaking works

Modern block ciphers scramble data in many small steps, or rounds, controlled by a secret key. To judge whether a cipher is safe, cryptanalysts look for patterns that should not exist if the system behaved like pure randomness. Two classic tools are differential cryptanalysis, which tracks how small changes at the input ripple to the output, and meet in the middle attacks, which compute from both ends of the cipher and look for matches in the middle. Each tool alone has limits, but combining them creates a sharper probe of a cipher’s structure.

Blending two attack ideas

The study focuses on a hybrid technique called a differential meet in the middle attack. Here, the cipher is split into three parts: an input section, a middle section, and an output section. In the middle, the attacker searches for a “differential distinguisher” a pattern of input and output differences that occurs more often than random chance across several rounds. Around this core, the attacker partially encrypts from the start and partially decrypts from the end, guessing only selected pieces of the key. When the two directions meet in the same internal state, the guesses are more likely to correspond to the real key, which trims down the search space.

Turning a manual craft into an automated tool

Designing such combined attacks by hand is extremely tricky, especially for bit oriented ciphers whose internal state can be 64, 96, or 128 bits wide. The authors build an automated framework that uses constraint programming, a method for describing complex logical conditions so a solver can explore all valid possibilities. First, they encode how differences move through the basic building blocks of a cipher based on AND, rotation, and XOR operations, a family known as AndRX designs. Then they model which key bits influence each stage and how many of those bits must actually be guessed. The solver searches over many ways to cut the cipher into input, middle, and output sections, choosing the layout that minimizes the overall effort of an attack.

Extra tricks to cut the key space

On top of the base model, the framework adds two optimization tricks tailored to Feistel style AndRX ciphers like SIMON and Simeck. The first, called the equivalent subkey idea, mathematically shifts parts of the round keys forward or backward so that several different key bits behave as if they were the same. This reduces the number of independent bits the attacker must consider. The second, selective key guessing, studies how the nonlinear AND operation uses its inputs, and shows that under certain conditions one guessed bit can stand in for two. The authors also describe, but do not yet fully automate, two further improvements: parallel partitioning, which can add an extra round to the attack without extra time, and a data reduction trick that lowers how many chosen messages are needed.

Figure 2. Layers of a cipher attacked from both ends show how smart key guessing narrows billions of keys to a few candidates.
Figure 2. Layers of a cipher attacked from both ends show how smart key guessing narrows billions of keys to a few candidates.

What the tool reveals about real ciphers

To test their approach, the researchers apply their automated model to all standard versions of the lightweight ciphers SIMON and Simeck, which are candidates for use in constrained devices such as sensors and embedded controllers. For each variant, the tool finds a differential meet in the middle attack and estimates its data, time, and memory costs. In many cases, these attacks reach more rounds than previous meet in the middle or related techniques, and often also beat earlier impossible differential and zero correlation attacks in terms of the number of rounds covered. For example, the tool yields attacks on up to 51 rounds of a 128 bit version of SIMON with a 256 bit key, extending the reach of earlier methods while keeping the work below an exhaustive search of all keys.

Big picture for future cryptography

For non specialists, the key message is not that SIMON or Simeck are “broken” in practical settings, but that automated tools are becoming powerful enough to explore subtle weaknesses that would be very hard to find by hand. The framework introduced here is generic at the bit level and can in principle be adapted to other cipher families. By helping designers quickly test how new algorithms stand up to advanced combined attacks, such tools support the long term goal of building encryption that remains robust even as analysis techniques grow more sophisticated.

Citation: Chakraborty, D., Sahoo, S., Nguyen, P.H. et al. An automated model for differential meet in the middle attacks on AndRX ciphers. Sci Rep 16, 14773 (2026). https://doi.org/10.1038/s41598-026-41390-w

Keywords: block cipher cryptanalysis, differential meet in the middle, SIMON cipher, Simeck cipher, constraint programming