For the full 8-round KASUMI we show for the first time a wide variety of results with data complexities between $2^{32}$ chosen plaintexts and as few as 2 texts, while the speed-ups over brute force are between a factor 4 and 6. For use-cases of KASUMI in 2G networks, relying on a 64-bit master key, we describe key recovery methods with extremely low data complexity and speed-ups between a factor 2 and 3 for essentially any desired success probability. The latter results are the first of this type of cryptanalysis that could result in practically realizable cost and energy savings for key recovery efforts.
By also analyzing an earlier version of the KASUMI-64 design that had a different mapping from the 64-bit master key to the 128-bit cipher key, we shed some light on a high-level key schedule design issue that may be of independent interest.
Category / Keywords: KASUMI, KASUMI-64, Meet-in-the-Middle Attack, Cryptanalysis Publication Info: KASUMI, Meet-in-the-Middle Attack, Block Cipher, Cryptanalysis Date: received 27 Aug 2011, last revised 26 Jan 2013 Contact author: ktjia at tsinghua edu cn; c rechberger@mat dtu dk; xiaoyunwang@tsinghua edu cn; Available format(s): PDF | BibTeX Citation Version: 20130126:140037 (All versions of this report) Short URL: ia.cr/2011/466 Discussion forum: Show discussion | Start new discussion