Some instant- and practical-time related-key attacks on KTANTAN32/48/64

Ågren, Martin

Some instant- and practical-time related-key attacks on KTANTAN32/48/64

Mark

Ågren, Martin ^LU (2012) Selected Areas in Cryptography In Lecture Notes in Computer Science 7118. p.213-229

Abstract: The hardware-attractive block cipher family KTANTAN was studied by Bogdanov and Rechberger who identified flaws in the key schedule and gave a meet-in-the-middle attack. We revisit their result before investigating how to exploit the weakest key bits. We then develop several related-key attacks, e.g., one on KTANTAN32 which finds 28 key bits in time equivalent to $2^{3.0}$ calls to the full KTANTAN32 encryption. The main result is a related-key attack requiring $2^{28.44}$ time (half a minute on a current CPU) to recover the full 80-bit key. For KTANTAN48, we find three key bits in the time of one encryption, and give several other attacks, including full key recovery. For KTANTAN64, the attacks are only slightly more expensive, requiring... (More); The hardware-attractive block cipher family KTANTAN was studied by Bogdanov and Rechberger who identified flaws in the key schedule and gave a meet-in-the-middle attack. We revisit their result before investigating how to exploit the weakest key bits. We then develop several related-key attacks, e.g., one on KTANTAN32 which finds 28 key bits in time equivalent to $2^{3.0}$ calls to the full KTANTAN32 encryption. The main result is a related-key attack requiring $2^{28.44}$ time (half a minute on a current CPU) to recover the full 80-bit key. For KTANTAN48, we find three key bits in the time of one encryption, and give several other attacks, including full key recovery. For KTANTAN64, the attacks are only slightly more expensive, requiring $2^{10.71}$ time to find 38 key bits, and $2^{32.28}$ for the entire key. For all attacks, the requirements on related-key material are modest as in the forward and backward directions, we only need to flip a single key bit. All attacks succeed with probability one. Our attacks directly contradict the designers' claims. We discuss why this is, and what can be learnt from this. (Less)

Please use this url to cite or link to this publication: https://lup.lub.lu.se/record/2296383

author

Ågren, Martin ^LU

organization

publishing date

2012

type

Chapter in Book/Report/Conference proceeding

publication status

published

subject

Electrical Engineering, Electronic Engineering, Information Engineering

keywords

cryptanalysis, related key, block cipher, key schedule, lightweight cipher, key-recovery

host publication

Selected Areas in Cryptography : 18th International Workshop, SAC 2011, Toronto, ON, Canada, August 11-12, 2011, Revised Selected Papers - 18th International Workshop, SAC 2011, Toronto, ON, Canada, August 11-12, 2011, Revised Selected Papers

series title

Lecture Notes in Computer Science

volume

7118

pages

213 - 229

publisher

Springer

conference name

Selected Areas in Cryptography

conference location

Toronto, Canada

conference dates

2011-08-10 - 2011-08-12

external identifiers

scopus:84857758140

ISSN

1611-3349

0302-9743

ISBN

978-3-642-28495-3

978-3-642-28496-0

DOI

10.1007/978-3-642-28496-0_13

project

EIT_HSWC:Coding Coding, modulation, security and their implementation

language

English

LU publication?

yes

id

324ae4fb-190f-4004-8569-5ce19514a550 (old id 2296383)

date added to LUP

2016-04-04 10:51:30

date last changed

2024-01-12 22:02:18

@inbook{324ae4fb-190f-4004-8569-5ce19514a550,
  abstract     = {{The hardware-attractive block cipher family KTANTAN was studied by Bogdanov and Rechberger who identified flaws in the key schedule and gave a meet-in-the-middle attack. We revisit their result before investigating how to exploit the weakest key bits. We then develop several related-key attacks, e.g., one on KTANTAN32 which finds 28 key bits in time equivalent to $2^{3.0}$ calls to the full KTANTAN32 encryption. The main result is a related-key attack requiring $2^{28.44}$ time (half a minute on a current CPU) to recover the full 80-bit key. For KTANTAN48, we find three key bits in the time of one encryption, and give several other attacks, including full key recovery. For KTANTAN64, the attacks are only slightly more expensive, requiring $2^{10.71}$ time to find 38 key bits, and $2^{32.28}$ for the entire key. For all attacks, the requirements on related-key material are modest as in the forward and backward directions, we only need to flip a single key bit. All attacks succeed with probability one. Our attacks directly contradict the designers' claims. We discuss why this is, and what can be learnt from this.}},
  author       = {{Ågren, Martin}},
  booktitle    = {{Selected Areas in Cryptography : 18th International Workshop, SAC 2011, Toronto, ON, Canada, August 11-12, 2011, Revised Selected Papers}},
  isbn         = {{978-3-642-28495-3}},
  issn         = {{1611-3349}},
  keywords     = {{cryptanalysis; related key; block cipher; key schedule; lightweight cipher; key-recovery}},
  language     = {{eng}},
  pages        = {{213--229}},
  publisher    = {{Springer}},
  series       = {{Lecture Notes in Computer Science}},
  title        = {{Some instant- and practical-time related-key attacks on KTANTAN32/48/64}},
  url          = {{https://lup.lub.lu.se/search/files/5637670/2296435.pdf}},
  doi          = {{10.1007/978-3-642-28496-0_13}},
  volume       = {{7118}},
  year         = {{2012}},
}

Lund University Publications

LUND UNIVERSITY LIBRARIES

Some instant- and practical-time related-key attacks on KTANTAN32/48/64