Some Instant- and Practical-Time Related-Key Attacks on KTANTAN32/48/64

Abstract: Abstract. The hardware-attractive block cipher family KTANTAN was studied by Bogdanov and Rechberger who identified flaws in the key schedule and gave a meet-in-the-middle attack. We revisit their result before investigating how to exploit the weakest key bits. We then develop several related-key attacks, e.g., one on KTANTAN32 which finds 28 key bits in time equivalent to 2 3.0 calls to the full KTANTAN32 encryption. The main result is a related-key attack requiring 2 28.44 time (half a minute on a current CP… Show more

“…To some commentators the need for yet another lightweight block cipher proposal will be open to question. However, in addition to the fact that many proposals present some weaknesses [2,10,45], we feel there is still more to be said on the subject and we observe that it is in the "second generation" of work that designers might learn from the progress, and omissions, of "first generation" proposals. And while new proposals might only slightly improve on successful initial proposals in terms of a single metric, e.g.…”

“…Our scheme is meant to be resistant to classical attacks, but also to the type of related-key attacks that have been effective against AES-256 [9] and other ciphers [2]. We will even study the security of LED in a hash function setting, i.e.…”

“…Moreover, the PRESENT Sbox is described by e = 21 quadratic equations in the v = 8 input/output-bit variables over GF (2). The entire system for a fixed-key LED permutation therefore consists of (16 · r · e) quadratic equations in (16 · r · v) variables.…”

“…In practice this is often perfectly reasonable. However, researchers will continue to derive cryptanalytic results in the related-key model [18,2] and there has been some research on how to modify or strengthen key schedules [35,15,39]. So having provable levels of resistance to such attacks would be a bonus and might help confusion developing in the cryptographic literature.…”

The LED Block Cipher

“…To some commentators the need for yet another lightweight block cipher proposal will be open to question. However, in addition to the fact that many proposals present some weaknesses [2,10,45], we feel there is still more to be said on the subject and we observe that it is in the "second generation" of work that designers might learn from the progress, and omissions, of "first generation" proposals. And while new proposals might only slightly improve on successful initial proposals in terms of a single metric, e.g.…”

“…Our scheme is meant to be resistant to classical attacks, but also to the type of related-key attacks that have been effective against AES-256 [9] and other ciphers [2]. We will even study the security of LED in a hash function setting, i.e.…”

“…Moreover, the PRESENT Sbox is described by e = 21 quadratic equations in the v = 8 input/output-bit variables over GF (2). The entire system for a fixed-key LED permutation therefore consists of (16 · r · e) quadratic equations in (16 · r · v) variables.…”

“…In practice this is often perfectly reasonable. However, researchers will continue to derive cryptanalytic results in the related-key model [18,2] and there has been some research on how to modify or strengthen key schedules [35,15,39]. So having provable levels of resistance to such attacks would be a bonus and might help confusion developing in the cryptographic literature.…”

The LED Block Cipher

“…Multidimensional meet-in-themiddle attacks on reduced round KATAN that are faster than exhaustive search were presented in [277]. Several related-key attacks which recover the full 80-bit key of KTANTAN with a probability of one are presented in [278].…”

SPD-Safe: security, privacy and dependability management on embedded systems in safety-critical applications

Conditional Differential Cryptanalysis of Trivium and KATAN