Meet-in-the-middle attack on round-reduced SCARF under single pair-of-tweaks setting

SCARF, an ultra low-latency tweakable block cipher, is the first cipher designed for cache randomization. The block cipher design is significantly different from other common tweakable block ciphers; with a block size of only 10 bits, and yet the input key size is a whopping 240 bits. Notably, the majority of the round key in its round function is absorbed into the data path through AND operations, rather than the typical XOR operations. In this paper, we present a key-recovery attack on a round-reduced version of SCARF with 4 + 4 rounds under the single pair-of-tweaks setting. Our attack is essentially a Meet-in-the-Middle (MitM) attack, where the matching phase is represented by a system of linear equations. Unlike the cryptanalysis conducted by the designers, our attack is effective under both security requirements they have outlined. The data complexity of our attack is \(2^{10}\) plaintexts, with a time complexity of approximately \(2^{60.63}\) 4-round of SCARF encryptions. It is important to note that our attack does not threaten the overall security of SCARF.