Automated Key Recovery Attacks on Round-Reduced Orthros

Orthros is a low-latency keyed pseudo-random function designed by Banik et al. in FSE 2022. It adopts the parallel structure composed of two keyed permutations. Both branches take the same 128-bit input and their outputs are XORed to generate the final 128-bit output. Benefiting from this special structure, it's security is hard to evaluate, especially for key recovery attacks. In its specification, the most effective distinguisher proposed is a 7-round integral one. However, it can only lead to key recovery attacks worse than exhaustive attack. Besides, there is no key recovery attack presented in the design document. Therefore, we are motivated to see whether a valid key recovery attack exists and how powerful it can be. In this paper, we aim to proceed differential and differentiallinear key recovery attacks on Orthros. To deal with the special structure, we introduce two automated key recovery attack frameworks that work for such twobranch ciphers. With the help of them, we finally got a 7-round differential-linear key recovery attack and a 6-round differential one. Both attacks are the first key recovery attacks on this cipher. However, they are so far from threatening its fullround security.