Cryptology ePrint Archive: Report 2010/532

A 3-Subset Meet-in-the-Middle Attack: Cryptanalysis of the Lightweight Block Cipher KTANTAN

Andrey Bogdanov and Christian Rechberger

Abstract: In this paper we describe a variant of existing meet-in-the-middle attacks on block ciphers. As an application, we propose meet-in-the-middle attacks that are applicable to the full 254-round KTANTAN family of block ciphers accepting a key of 80 bits. The attacks are due to some weaknesses in its bitwise key schedule. We report an attack of time complexity 2^75.170 encryptions on the full KTANTAN32 cipher with only 3 plaintext/ciphertext pairs and well as 2^75.044 encryptions on the full KTANTAN48 and 2^75.584 encryptions on the full KTANTAN64 with 2 plaintext/ciphertext pairs. All these attacks work in the classical attack model without any related keys.

In the differential related-key model, we demonstrate 218- and 174-round differentials holding with probability 1. This shows that a strong related-key property can translate to a successful attack in the non-related-key setting. Having extremely low data requirements, these attacks are valid even in RFID-like environments where only a very limited amount of text material may be available to an attacker.

Category / Keywords: secret-key cryptography / cryptanalysis, meet-in-the-middle attacks, block cipher, key schedule, lightweight cipher, key-recovery, RFID

Publication Info: An extended version of the paper accepted for SAC 2010

Date: received 18 Oct 2010, last revised 14 Feb 2011

Contact author: and bogdanov at googlemail com,christian rechberger@groestl info

Available format(s): PDF | BibTeX Citation

Note: Fixed typos and extended acknowledgements.

Version: 20110214:100301 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]