Fault Analysis of the KATAN Family of Block Ciphers

  • Shekh Faisal Abdul-Latip
  • Mohammad Reza Reyhanitabar
  • Willy Susilo
  • Jennifer Seberry
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7232)


In this paper, we investigate the security of the KATAN family of block ciphers against differential fault attacks. KATAN consists of three variants with 32, 48 and 64-bit block sizes, called KATAN32, KATAN48 and KATAN64, respectively. All three variants have the same key length of 80 bits. We assume a single-bit fault injection model where the adversary is supposed to be able to corrupt a single random bit of the internal state of the cipher and this fault injection process can be repeated (by resetting the cipher); i.e., the faults are transient rather than permanent. First, we determine suitable rounds for effective fault injections by analyzing distributions of low-degree (mainly, linear and quadratic) polynomial equations obtainable using the cube and extended cube attack techniques. Then, we show how to identify the exact position of faulty bits within the internal state by precomputing difference characteristics for each bit position at a given round and comparing these characteristics with ciphertext differences (XOR of faulty and non-faulty ciphertexts) during the online phase of the attack. The complexity of our attack on KATAN32 is 259 computations and about 115 fault injections. For KATAN48 and KATAN64, the attack requires 255 computations (for both variants), while the required number of fault injections is 211 and 278, respectively.


Block ciphers cube attack differential fault analysis KATAN 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abdul-Latip, S.F., Reyhanitabar, M.R., Susilo, W., Seberry, J.: Extended Cubes: Enhancing the Cube Attack by Extracting Low-Degree Non-Linear Equations. In: Cheung, B., et al. (eds.) ASIACCS 2011, pp. 296–305. ACM (2011)Google Scholar
  2. 2.
    Abdul-Latip, S.F., Reyhanitabar, M.R., Susilo, W., Seberry, J.: Fault Analysis of the KATAN Family of Block Ciphers. Cryptology ePrint Archive: Report 2012/030 (full version of this paper)Google Scholar
  3. 3.
    Bard, G.V., Courtois, N.T., Nakahara Jr., J., Sepehrdad, P., Zhang, B.: Algebraic, AIDA/Cube and Side Channel Analysis of KATAN Family of Block Ciphers. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 176–196. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  4. 4.
    Blum, M., Luby, M., Rubinfield, R.: Self-Testing/Correcting with Application to Numerical Problems. In: STOC, pp. 73–83. ACM, New York (1990)Google Scholar
  5. 5.
    Biham, E., Shamir, A.: Differential Fault Analysis of Secret Key Cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997)Google Scholar
  6. 6.
    Boneh, D., DeMillo, R., Lipton, R.: On the Importance of Checking Cryptographic Protocols for Faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)Google Scholar
  7. 7.
    De Cannière, C., Dunkelman, O., Knežević, M.: KATAN and KTANTAN — A Family of Small and Efficient Hardware-Oriented Block Ciphers. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 272–288. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  8. 8.
    Dinur, I., Shamir, A.: Cube Attacks on Tweakable Black Box Polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  9. 9.
    Hoch, J.J., Shamir, A.: Fault Analysis of Stream Ciphers. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 240–253. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  10. 10.
    Hojsík, M., Rudolf, B.: Differential Fault Analysis of Trivium. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 158–172. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  11. 11.
    Hojsík, M., Rudolf, B.: Floating Fault Analysis of Trivium. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 239–250. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  12. 12.
    Hu, Y., Zhang, F., Zhang, Y.: Hard Fault Analysis of Trivium. Cryptology ePrint Archive, Report 2009/333 (2009)Google Scholar
  13. 13.
    Knellwolf, S., Meier, W., Naya-Plasencia, M.: Conditional Differential Cryptanalysis of NLFSR-Based Cryptosystems. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 130–145. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  14. 14.
    Lai, X.: Higher Order Derivatives and Differential Cryptanalysis. In: Communication and Cryptology, pp. 227–233. Kluwer Academic Publisher (1994)Google Scholar
  15. 15.
    Skorobogatov, S.P., Anderson, R.J.: Optical Fault Injection Attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 31–48. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  16. 16.
    Vielhaber, M.: Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack. IACR ePrint Archive, Report 2007/413 (2007),
  17. 17.
    Vielhaber, M.: AIDA Breaks BIVIUM (A&B) in 1 Minute Dual Core CPU Time. Cryptology ePrint Archive, Report 2009/402, IACR (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Shekh Faisal Abdul-Latip
    • 1
    • 2
  • Mohammad Reza Reyhanitabar
    • 1
  • Willy Susilo
    • 1
  • Jennifer Seberry
    • 1
  1. 1.Centre for Computer and Information Security Research, School of Computer Science and Software EngineeringUniversity of WollongongAustralia
  2. 2.Information Security and Digital Forensics Lab (INSFORLAB), Faculty of Information and Communication TechnologyUniversiti Teknikal MalaysiaMelakaMalaysia

Personalised recommendations