Security Analysis of the Lightweight Block Ciphers XTEA, LED and Piccolo
In this paper, we investigate the security of lightweight block ciphers against the meet-in-the-middle (MITM) attack. Since the MITM attack mainly exploits low key-dependency in a key expanding function, block ciphers with a simple key expanding function are likely to be vulnerable to it. On the other hand, such a simple key expanding function leads to a compact implementation, and is therefore used in several lightweight block ciphers. However, the security of these lightweight block ciphers against the MITM attack has not been studied well so far. We apply the MITM attack to the ciphers and thereby give a more accurate security analysis for them. Specifically, combining thorough analysis with new techniques, we present MITM attacks on 29, 8, 16, 14 and 21 rounds of XTEA, LED-64, LED-128, Piccolo-80 and Piccolo-128, respectively. Consequently, the MITM attack is shown to be the most powerful attack in the single-key setting on those ciphers with respect to the number of attacked rounds. Moreover, we consider the possibility of applying the recent speed-up keysearch based on the MITM attack to those ciphers.
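To make the "low key-dependency in a key expanding function" point concrete, the following added example (written for this page; it is not code from the paper or its authors) implements XTEA as specified by Needham and Wheeler and then exposes its key schedule: every half-round XORs in exactly one of the four 32-bit key words, selected by the round counter, so the set of key words a given span of rounds depends on can be listed directly. The helper names (`xtea_subkey_indices`, `key_words_used`) and the sample key and plaintext are my own constructions.

```python
# Added example: XTEA (Needham-Wheeler) plus an inspection of its key schedule.
# XTEA has no real key expansion: round r uses key[sum & 3] in its first
# half-round and key[(sum >> 11) & 3] in its second, where sum advances by
# DELTA each round. That is the kind of simple key-expanding function the
# abstract describes as exploitable by meet-in-the-middle analysis.

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9  # the XTEA/TEA constant, floor(2^32 / golden ratio)


def xtea_encrypt_block(v0, v1, key, rounds=32):
    """Encrypt one 64-bit block (two 32-bit words) under a 4-word key."""
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK32
    return v0, v1


def xtea_decrypt_block(v0, v1, key, rounds=32):
    """Inverse of xtea_encrypt_block for the same number of rounds."""
    s = (DELTA * rounds) & MASK32
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK32
    return v0, v1


def xtea_subkey_indices(rounds=32):
    """Return, per round, the pair of key-word indices (first half, second half)
    that the round consumes. This is the whole of XTEA's key schedule."""
    s = 0
    schedule = []
    for _ in range(rounds):
        a = s & 3
        s = (s + DELTA) & MASK32
        b = (s >> 11) & 3
        schedule.append((a, b))
    return schedule


def key_words_used(first_round, last_round, rounds=32):
    """Set of key-word indices that rounds first_round..last_round (1-based,
    inclusive) depend on. A short span touching few key words is exactly the
    low key-dependency property the abstract refers to."""
    used = set()
    for a, b in xtea_subkey_indices(rounds)[first_round - 1:last_round]:
        used.update((a, b))
    return used


def key_word_usage_counts(rounds=32):
    """How many half-rounds use each of the four key words."""
    counts = [0, 0, 0, 0]
    for a, b in xtea_subkey_indices(rounds):
        counts[a] += 1
        counts[b] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample key and plaintext (not a published test vector).
    key = [0x00010203, 0x04050607, 0x08090A0B, 0x0C0D0E0F]
    pt = (0x41424344, 0x45464748)
    ct = xtea_encrypt_block(*pt, key)
    assert xtea_decrypt_block(*ct, key) == pt
    print("ciphertext:", "%08x %08x" % ct)
    for r, (a, b) in enumerate(xtea_subkey_indices(8), start=1):
        print("round %2d uses key[%d] then key[%d]" % (r, a, b))
    print("key words used in round 1 only:", sorted(key_words_used(1, 1)))
    print("half-round usage per key word over 32 rounds:", key_word_usage_counts())
```

Running the script shows that a single round depends on only two of the four key words, and that the selection pattern is fixed by the counter rather than by any mixing of key material; that is the structural fact a reviewer checks first when judging how far a meet-in-the-middle separation of the key can reach.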
Keywords: block cipher, lightweight, meet-in-the-middle attack, speed-up keysearch