Improved AllSubkeys Recovery Attacks on FOX, KATAN and SHACAL2 Block Ciphers
Abstract
The allsubkeys recovery (ASR) attack is an extension of the meetinthemiddle attack, which allows evaluating the security of a block cipher without analyzing its key scheduling function. Combining the ASR attack with some advanced techniques such as the function reduction and the repetitive ASR attack, we show the improved ASR attacks on the 7round reduced FOX64 and FOX128. Moreover, the improved ASR attacks on the 119, 105 and 99round reduced KATAN32, KATAN48 and KATAN64, and the 42round reduced SHACAL2 are also presented, respectively. As far as we know, all of those attacks are the best singlekey attacks with respect to the number of attacked rounds in literature.
Keywords
Block cipher Meetinthemiddle attack Allsubkeys recovery attack1 Introduction
Since the meetinthemiddle (MITM) attack was applied to KTANTAN [7], a lot of its improvements have been introduced such as the spliceandcut technique [4], the initial structure [24], the biclique cryptanalysis [6, 19], the internal state guess [10, 14], the sieveinthemiddle technique [9] and the parallelcut technique [23]. Since the MITM attack basically exploits the weakness in the key scheduling function, it was believed that a block cipher having a strong key scheduling function has enough immunity against the MITM attack.
Summary of attacks on FOX64/128, KATAN32/48/64 and SHACAL2 (singlekey setting)
Algorithm  Attack type  # attacked rounds  Time  Memory  Data  Reference 

FOX64  Integral  5  \(2^{109.4}\)  Not given  \(2^{9}\) CP  [26]\(^\mathrm{a}\) 
Impossible Diff.  5  \(2^{80}\)  Not given  \(2^{40}\) CP  [27]\(^\mathrm{a}\)  
ASR  6  \(2^{124}\)  \(2^{124}\)  15 CP  This paper  
ASR  7  \(2^{124}\)  \(2^{123}\)  \(2^{30.9}\) CP  This paper  
FOX128  Integral  5  \(2^{205.6}\)  Not given  \(2^{9}\) CP  [26] 
Impossible Diff.  5  \(2^{144}\)  Not given  \(2^{72}\) CP  [27]  
ASR  5  \(2^{228}\)  \(2^{228}\)  14 KP  [16]  
ASR  6  \(2^{221}\)  \(2^{221}\)  26 CP  This paper  
ASR  7  \(2^{242}\)  \(2^{242}\)  \(2^{63}\) CP  This paper  
KATAN32  ASR  110  \(2^{77}\)  \(2^{75.1}\)  138 KP  [16] 
Differential  114  \(2^{77}\)  Not given  \(2^{31.9}\) CP  [2]  
ASR  119  \(2^{79.1}\)  \(2^{79.1}\)  144 CP  This paper  
KATAN48  ASR  100  \(2^{78}\)  \(2^{78}\)  128 KP  [16] 
ASR  105  \(2^{79.1}\)  \(2^{79.1}\)  144 CP  This paper  
KATAN64  ASR  94  \(2^{77.1}\)  \(2^{79.1}\)  116 KP  [16] 
ASR  99  \(2^{79.1}\)  \(2^{79.1}\)  142 CP  This paper  
SHACAL2  ASR  41  \(2^{500}\)  \(2^{492}\)  244 KP  [16] 
ASR  42  \(2^{508}\)  \(2^{508}\)  \(2^{25}\) CP  This paper 
In this paper, we first apply the function reduction technique to LaiMassey, LFSRtype and sourceheavy generalized Feistel schemes to extend the ASR attacks on those structures. Then, we further improve the attacks on those structures by exploiting structure dependent properties and optimizing data complexity in the function reduction. For instance, the ASR attack with the function reduction on FOX can be improved by using the keyless oneround relation in LaiMassey scheme. Moreover, combined with the repetitive ASR approach, which optimizes the data complexity when using the function reduction, the attack on FOX can be further improved. Those results are summarized in Table 1. As far as we know, all of the results given by this paper are the best singlekey attacks with respect to the number of attacked rounds in literature^{1} We emphasize that our improvements keep the basic concept of the ASR attack, which enables us to evaluate the security of a block cipher without analyzing its key scheduling function. Therefore, our results are considered as not only the best singlekey attacks on the specific block ciphers but also the lower bounds on the security of the target block cipher structures independently from key scheduling functions.
The rest of this paper is organized as follows. Section 2 briefly reviews the previously shown techniques including the allsubkeys recovery approach, the function reduction and the repetitive allsubkeys recovery approach. The improved allsubkeys recovery attacks on FOX64/128, KATAN32/48/64 and SHACAL2 are presented in Sects. 3, 4 and 5, respectively. Finally, we conclude in Sect. 6.
2 Preliminary
2.1 AllSubkeys Recovery Approach [16]
The allsubkeys recovery (ASR) attack was proposed in [16] as an extension of the meetinthemiddle (MITM) attack. Unlike the basic MITM attack, the ASR attack is guessing allsubkeys instead of the master key so that the attack can be constructed independently from the underlying key scheduling function.
2.2 Improvements on AllSubkeys Recovery Approach
In the ASR attack, the number of the subkeys required to compute the state \(S\) from \(P\) or \(C\), i.e., \(\mathcal {K}_{(1)}\) or \(\mathcal {K}_{(2)}\), is usually dominant parameter in the required complexities. Thus, in general, reducing those subkeys \(\mathcal {K}_{1}\) and \(\mathcal {K}_{2}\) will make the ASR attack applicable to more rounds. In the followings, we briefly review and introduce a couple of techniques to reduce such subkeys required to compute the matching state.
Function Reduction Technique. For Feistel ciphers, the function reduction technique that directly reduces the number of involved subkeys was introduced in [17]. The basic concept of the function reduction is that fixing some plaintext bits, ciphertext bits or both by exploiting degrees of freedom of a plaintext/ciphertext pair allows an attacker to regard a key dependent variable as a new subkey. As a result, substantial subkeys required to compute the matching state are reduced. By using the function reduction, the lower bounds on the security of several Feistel ciphers against generic key recovery attacks were given in [17]. Note that a similar approach was presented in [11] for directly guessing intermediate state values, while in the function reduction, equivalently transformed key values are guessed.
Suppose that the \(i\)th round state \(S_{i}\) is computed from the \((i1)\)th round state \(S_{i1}\) XORed with the \(i\)th round subkey \(K_{i}\) by the \(i\)th round function \(G_{i}\), i.e., \(S_{i} = G_{i}(K_{i} \oplus S_{i1})\). For clear understanding, we divide the function reduction into two parts: a key linearization and an equivalent transform as follows.

Key Linearization. Since the \(i\)th round function \(G_{i}\) is a nonlinear function, the \(i\)th round subkey \(K_{i}\) cannot pass through \(G_{i}\) by an equivalent transform. The key linearization technique, which is a part of the function reduction, exploits the degree of freedom of plaintexts/ciphertexts to express \(S_{i}\) as a linear relation of \(S_{i1}\) and \(K_{i}\), i.e., \(S_{i} = L_{i}(S_{i1}, K_{i})\), where \(L_{i}\) is a linear function. Once \(S_{i}\) is represented by a linear relation of \(S_{i1}\) and \(K_{i}\), \(K_{i}\) can be forwardly moved to a next nonlinear function by an equivalent transform. Note that, if the spliceandcut technique [4] is used with the key linearization, \(K_{i}\) can be divided into both forward and backward directions.

Equivalent Transform. After the key linearization, the \(i\)th round subkey \(K_{i}\) is replaced with a new subkey \(K'_{i}\) to pass through a nonlinear function. However, in order to reduce the involved subkey bits on the trails to the matching state, allsubkeys on the trails affected by \(K'_{i}\) are also replaced with new variables by an equivalent transform. Consequently, the number of subkeys required to compute the matching state can be reduced. For the Feistel ciphers, it is easily done by replacing allsubkeys in the even numbered rounds \(K_{j}\) with \(K'_{j} (= K'_{1} \oplus K_{j})\), where \(j\) is even.
The spliceandcut technique [4], which was originally presented in the attack of the twokey triple DES [21], was well used in the recent meetinthemiddle attacks [3, 6, 7, 19, 24]. It regards that the first and last rounds are consecutive by exploiting degree of freedom of plaintext/ciphertexts, and thus any round can be the start point. In general, the spliceandcut technique is useful to analyze the specific block cipher that keydependency varies depending on the chunk separation. However, in the ASR approach, the spliceandcut technique does not work effectively, since the ASR treats allsubkeys as independent variables to evaluate the security independently from the key scheduling function. On the other hand, the function reduction exploits degrees of freedom of plaintexts/ciphertexts to reduce subkey bits required to compute the matching state, and does not use relations among subkeys. Therefore, the function reduction technique is more useful and suitable for the ASR approach than the spliceandcut technique. However, as mentioned in the description of the key linearization, the combined use of the spliceandcut and the function reduction in the key linearization is also possible, e.g. the attack on Feistel1 [17] and the attack on SHACAL2 in this paper.
Repetitive AllSubkeys Recovery Approach. Since the function reduction exploits the degree of freedom of plaintexts/ciphertexts, it sometimes causes an attack infeasible due to lack of available data. For such cases, we introduce a variant of the allsubkeys recovery approach called repetitive allsubkeys recovery approach that repeatedly applies the allsubkeys recovery to detect the correct key. The variant can reduce the required data for each allsubkeys recovery phase, though the total amount of the required data is unchanged. Note that a similar technique, called inner loop technique, was used in [5, 23] for reducing the memory requirements. The repetitive allsubkeys recovery approach is described as follows.
 1.
Mount the ASR attack with \(N\) plaintext/ciphertexts, where \(N\) is supposed to be less than \((\mathcal {K}_{(1)} + \mathcal {K}_{(2)}) / s\), then put the remaining key candidates into a table \(T_1\). The number of expected candidates is \(\mathcal {K}_{(1)} + \mathcal {K}_{(2)}  N \cdot s\).
 2.
Repeatedly mount the ASR attack with different \(N\) plaintext/ciphertexts. If the remaining candidate match with ones in \(T_1\), such candidates are put into another table \(T_2\). The number of expected candidates is \(\mathcal {K}_{(1)} + \mathcal {K}_{(2)}  2 \cdot N \cdot s\).
 3.
Repeat the above processes until the correct key is found, i.e., \(M = (\mathcal {K}_{(1)} + \mathcal {K}_{(2)})/(N \cdot s)\) times.
3 Improved AllSubkeys Recovery Attacks on FOX64 and FOX128
3.1 Descriptions of FOX64 and FOX128
FOX [18], also known as IDEANXT, is a family of block ciphers designed by Junod and Vaudenay in 2004. FOX employs a LaiMassey scheme including two variants referred as FOX64 and FOX128 (see Fig. 1).
3.2 Function Reduction on FOX64
Equivalent Transform (Fig. 3 ). In the second round, \(OK'_1\) and \(K'_1\) are XORed with \(LK_2\) in the first and last operations of \(\mathtt {f32}\) function. Let \(LK'_2 = LK_2 \oplus K'_1 \oplus OK'_1\), \(K1'' = K1' \oplus LK2\), and \(OK1'' = \mathtt {or} (OK'1 \oplus LK2)\) be new keys. Then \(\mathtt {f32}\) function contains \(K'_2\) \((= LK'_2  RL_2)\), and \(K''_1\) and \(OK1''\) linearly affect outputs of the second round.
In the third round, \(OK''_1\) and \(K''_1\) are also XORed with \(LK_3\) in the first and last operations of \(\mathtt {f32}\) function. Let \(LK'_3 = LK_3 \oplus K''_1 \oplus OK''_1\), \(K1''' = K1'' \oplus LK2\), and \(OK1''' = \mathtt {or}(OK''1 \oplus LK2)\) be new keys (see Fig. 3).
Note that the same technique can be applied to the inverse of FOX64, because the round function of FOX64 has the involution property.
3.3 Attack on the 6Round FOX64
Forward Computation in \(\varvec{\mathcal {F}_{(1)}}\) : For given \(\{\) \(K'_{2}\), \(LK'_{3}\), \(RK'^{(3)}_{3}\), \(RK'^{(1)}_{3}\), \(K'''^{(3)}_1\), \(K'''^{(1)}_1\), \(OK'''^{(3)}_1\), \(OK'''^{(1)}_1 \) \(\}\), \((L^{(3)}_{3}  L^{(1)}_{3}) \oplus (R^{(3)}_{3}  R^{(1)}_{3})\) is computable. Since (\(K'''^{(3)}_1\) \(\) \(K'''^{(1)}_1\)) and (\(OK'''^{(3)}_1 OK'''^{(1)}_1 \)) linearly affect \((L^{(3)}_{3}  L^{(1)}_{3})\) and \((R^{(3)}_{3}  R^{(1)}_{3})\), respectively, we can regard \((K'''^{(3)}_1  K'''^{(1)}_1) \oplus (OK'''^{(3)}_1 OK'''^{(1)}_1)\) as a new 16bit key \(XORK_1\). Then, \((L^{(3)}_{3}  L^{(1)}_{3}) \oplus (R^{(3)}_{3}  R^{(1)}_{3})\) is obtained from \(112 (=64 + 32 + 8 + 8)\) bits of the key \(\{K'_{2}, LK'_{3}, RK'^{(3)}_{3}, RK'^{(1)}_{3} \}\) and linearlydependent 16bit key \(XORK_1\).
Backward Computation in \(\varvec{\mathcal {F}_{(2)}}\) : \(((L^{(1)}_{4} \oplus L^{(3)}_{4})  L^{(3)}_{4}) \oplus (R^{(3)}_{4}R^{(1)}_{4}) \) is obtained from 112 (=64 + 32 + 16) bits of the key \(\{\) \(K_6\), \(LK_{5}\), \(RK^{(1)}_{5}\), \(RK^{(3)}_{5}\) \(\}\). Using the indirect matching technique [3], 8 bits out of 16 bits of \(XORK_1\) are moved to the left half of the matching equation. Then, the left and right halves of the equation contains 120 bits of the key, i.e., \(\mathcal {K}_{(1)} = \mathcal {K}_{(2)} = 120\).
3.4 Attack on the 7Round FOX64
If the function reduction is applied as well in the backward direction, the 7round attack is feasible, i.e., the relation of \(L_{7} \oplus R_{7}\) is fixed to a constant \(CON_{2}\). Due to the involution property of the FOX64 round function, \(((L^{(1)}_{4} \oplus L^{(3)}_{4})\) \(\) \(L^{(3)}_{4})\) \(\oplus \) \((R^{(3)}_{4}R^{(1)}_{4})\) is also obtained from 112 (= 64 + 32 + 8 + 8) bits of the key and linearlydependent 16bit key \(XORK_2\). In this attack, we further regard \(XORK_1 \oplus XORK_2\) as a 16bit new key. Then, similar to the attack on the 6round FOX64, the left and right halves of the equation contain 120 bits of the key, i.e., \(\mathcal {K}_{(1)} = \mathcal {K}_{(2)} = 120\).
Repetitive ASR Approach. Recall that plaintexts and ciphertexts need to satisfy the 32bit relations, \(L_{0} \oplus R_{0} = CON_{1}\) and \(L_{7} \oplus R_{7} = CON_{2}\). The required data for finding such pairs is equivalently estimated as the game that an attacker finds 32bit multicollisions by 32bitrestricted inputs. It has been known that an \(n\)bit \(t\)multicollision is found in \(t!^{1/t} \cdot 2^{n \cdot (t1) / t}\) random data with high probability [25].
In the basic ASR approach, at least \(15 (= 240/16)\) multicollisions are necessary to detect the 240bit involved key. To obtain such pairs with a high probability, it require \( 2^{32.55} ( = 15!^{1/15} \cdot 2^{32 \cdot (14) / 15})\) plaintext/ciphertext pairs. However, it is infeasible, since the degree of freedom of plaintexts is only 32 bits.
In order to overcome this problem, we utilize the repetitive allsubkeys recovery approach with \(M = 2\) variant. In each allsubkeys recovery phase, the required data is reduced to \(8\) and \(7\). Then, such eight 32bit multicollisions are obtained from \(2^{29.9}\) plaintext/ciphertext pairs with a high probability. Thus, we can obtain the required data by exploiting free 32 bits.
The required data is \(2^{30.9} (= 2^{29.9} \times 2)\) plaintext/ciphertext pairs, and the required memory is about \(2^{123}\) (=\( \max (2^{240  128}, \min (2^{120}, 2^{120}) \times 8\))) blocks.
3.5 Function Reduction on FOX128
3.6 Attack on the 6Round FOX128
Backward Computation in \(\varvec{\mathcal {F}_{(2)}}\) : \(((LL^{(1)}_{4} \oplus LL^{(3)}_{4})  LL^{(3)}_{4}) \oplus (LR^{(3)}_{4}LR^{(1)}_{4})\) is obtained from \(208 (=128 + 64 + 16)\) bits of the key \(\{\) \(K_6\), \(LK_{5}\), \(RKL^{(1)}_{5}\), \(RKL^{(3)}_{5}\) \(\}\). Using the indirect matching technique, 8 bits out of 16bit \(XORK_1\) are moved to the left half of the matching equation. Then, the left and right halves of the equation contain 216 bits of the key, i.e., \(\mathcal {K}_{(1)} = \mathcal {K}_{(2)} = 216\).
The required data is only 26 chosen plaintext/ciphertext pairs, and the required memory is about \(2^{221} (=\min (2^{216}, 2^{216}) \times 26\)) blocks.
3.7 Attack on the 7Round FOX128
If the function reduction is also used in the backward direction, the 7round attack is feasible, i.e., two 16bit relations of \(LL_{7} \oplus LR_{7}\) and \(RL_{7} \oplus RR_{7}\) are fixed to \(CON_{3}\) and \(CON_{4}\), respectively.
Due to the involution property of the FOX128 round function, \(((LL^{(1)}_{4}\) \(\oplus \) \(LL^{(3)}_{4})\) \(\) \(LL^{(3)}_{4})\) \(\oplus \) \((LR^{(3)}_{4}LR^{(1)}_{4})\) is also obtained from \(208 (=128 + 64 + 8 + 8)\) bits of the key and linearlydependent 16 bits key \(XORK_2\). In this attack, we further regard \(XORK_1 \oplus XORK_2\) as a 16 bit new key. Then, similar to the attack on the 6round FOX128, the left and right halves of the equation contain 216 bits of the key, i.e., \(\mathcal {K}_{(1)} = \mathcal {K}_{(2)} = 216\).
Repetitive ASR Approach. Recall that plaintexts and ciphertexts need to satisfy 64bit \((32 \times 2)\) relations, \(LL_{0} \oplus LR_{0}\) and \(RL_{0} \oplus RR_{0}\), and \(LL_{7} \oplus LR_{7}\) and \(RL_{7} \oplus RR_{7}\), respectively. The cost is equivalently estimated as the game that an attacker finds 64bit multicollisions with 64bitrestricted inputs.
In the basic ASR approach, at least \(27 (=432/16)\) multicollisions are needed to detect the 432bit involved key. To obtain such pairs with a high probability, it requires \( 2^{65.1} (= 27!^{1/27} \cdot 2^{64 \cdot (26) / 27})\) pairs. However, it is infeasible, since the degree of freedom of plaintexts is only 64 bits.
We utilize the repetitive allsubkeys recovery approach with \(M = 2\) variant. In each allsubkeys recovery phase, the required data is reduced to \(13\) and \(14\). Such 14 64bit multicollisions are obtained, given \(2^{62.0}\) plaintext/ciphertext pairs with high probability.
The required data is \(2^{63.0} (= 2^{62.0} \times 2)\) plaintext/ciphertext pairs, and the required memory is about \(2^{242}\) blocks.
4 Improved AllSubkeys Recovery Attacks on KATAN32/48/64
In this section, we show that the function reduction techniques are applicable to KATAN32/48/64, then we improve the ASR attacks on KATAN32/48/64 block ciphers by 9, 5 and 5 rounds, respectively.
After a short description of KATAN, we show how to apply the function reduction to KATAN32 in detail. Then, the detailed explanation for the attack on the 119round reduced KATAN32 is given. For KATAN48 and KATAN64, the detailed explanations for applying the function reductions are omitted, since the analysis is done similar to KATAN32.
4.1 Description of KATAN
Parameters of KATAN family
Algorithm  \(L_{1}\)  \(L_{2}\)  \(x_{1}\)  \(x_{2}\)  \(x_{3}\)  \(x_{4}\)  \(x_{5}\)  \(y_{1}\)  \(y_{2}\)  \(y_{3}\)  \(y_{4}\)  \(y_{5}\)  \(y_{6}\) 

KATAN32  13  19  12  7  8  5  3  18  7  12  10  8  3 
KATAN48  19  29  18  12  15  7  6  28  19  21  13  15  6 
KATAN64  25  39  24  15  20  11  9  38  25  33  21  14  9 
4.2 Function Reduction on KATAN32
Key Linearization. In the \(i\)th round function of KATAN32, two key bits \(k_{2i}\) and \(k_{2i+1}\) are linearly inserted into states \(L^i_1[0]\) and \(L^i_2[0]\), respectively, these states are not updated in the \(i\)th round. Thus, the key linearization technique is not necessary.

\(L^4_{2}[3]: ((X[0] \oplus k_1 ) \cdot IR^4)\) is XORed with \(k_8\). If \(X[0]\) is fixed to a constant \(CON_{1}\), a new key \(k'_8\) is defined as \(((CON_{1} \oplus k_1 ) \cdot IR^4) \oplus k_8\).

\(L^6_{2}[5]: ((X[0] \oplus k_1 ) \cdot L^6_1[8])\) = \(((X[0] \oplus k_1 ) \cdot L^0_1[2])\) is XORed with \(k_{12}\). If \(L^0_1[2]\) is also fixed to a constant \(CON_{2}\), a new key \(k'_{12}\) is defined as \(((CON_{1} \oplus k_1) \cdot CON_{2}) \oplus k_{12}\).

\(L^8_{2}[7]: (X[0] \oplus k_1 )\) is directly XORed with \(k_{16}\). A new key \(k'_{16}\) is defined as \((CON_{1} \oplus k_1) \oplus k_{16}\).

\(L^9_{2}[8]\) : \(((X[0] \oplus k_1 ) \cdot L^9_1[5])\) = \(((X[0] \oplus k_1 ) \cdot (X[3] \oplus k_7 ))\) is XORed with \(k_{18}\). If \(X[3]\) is also fixed to a constant \(CON_{3}\), a new key \(k'_{18}\) is defined as \(((CON_{1} \oplus k_1) \cdot (CON_{3} \oplus k_7 )) \oplus k_{18}\).

\(L^{13}_{2}[12]: (X[0] \oplus k_1 )\) is directly XORed with \(k_{26}\). A new key \(k'_{26}\) is defined as \((CON_{1} \oplus k_1) \oplus k_{26}\).
Conditions for 8bit function reductions
Key bit  State bits to be fixed 

\(k_1\)  \(X[0]\), \(L^0_1[2]\), \(X[3]\) 
\(k_3\)  \(X[1]\), \(L^0_1[1]\), \(X[4]\) 
\(k_5\)  \(X[2]\), \(L^0_1[0]\), \(X[5]\) 
\(k_7\)  \(X[3]\), \(X[0]\), \(X[6]\) 
\(k_9\)  \(X[4]\), \(X[1]\), \(X[7]\) 
\(k_{11}\)  \(X[5]\), \(X[2]\), \(X[8]\) 
\(k_{13}\)  \(X[6]\), \(X[3]\), \(X[9]\) 
\(k_{15}\)  \(X[7]\), \(X[4]\), \(X[10]\) 
Conditions for Function Reduction. Table 3 shows conditions for 8bit function reductions. If these 14 bits of \(L^0_1[0]\), \(L^0_1[2]\), \(L^0_1[2]\), \(X[0], \ldots , X[10]\) are fixed to constants or expressed by only key bits, then we can eliminate 8 bits of the key, \(k_1\), \(k_3\), \(k_5\), \(k_7\), \(k_9\), \(k_{11}\), \(k_{13}\) and \(k_{15}\), in the forward computation of KATAN32.
In \(X[9]\) and \(X[10]\), 4 bits of \(Y[0]\), \(Y[1]\), \(Y[5]\) and \(Y[6]\) are needed to be fixed. These values are controlled by \(L^{0}_{1}[12]\), \(L^{0}_{1}[11]\), \(L^{0}_{1}[7 ]\) and \(L^{0}_{1}[6]\). If the other bits are fixed by \(L^{0}_{2}[9]\) and \(L^{0}_{2}[8]\), \(X[9]\) and \(X[10]\) are expressed by only key bits.
Therefore, if plaintexts satisfy \(23 (= 3 + 4 + 5 + 4 + 1 + 4 + 2)\) bit conditions described in Table 3, 8 bits of the key are able to be omitted when mounting the ASR attack.
Procedure for Creating Plaintexts. We show how to create plaintexts satisfying the conditions. By using the equations of \(X[0]\) to \(X[10]\) and \(Y[0]\) to \(Y[6]\), such plaintexts are easily obtained as follows.
 1.
Set 18 predetermined values of \(L^{0}_{1}[0]\), \(L^{0}_{1}[1]\), \(L^{0}_{1}[2]\), \(X[0], \ldots , X[10]\), \(Y[0]\), \(Y[1]\), \(Y[5]\) and \(Y[6]\).
 2.
Choose values of free 9 bits of \(L^{0}_{2}[5]\), \(L^{0}_{2}[6]\), \(L^{0}_{2}[7]\), \(L^{0}_{1}[3]\), \(L^{0}_{1}[4]\), \(L^{0}_{1}[5]\), \(L^{0}_{1}[8]\), \(L^{0}_{1}[9]\) and \(L^{0}_{1}[10]\).
 3.
Obtain \(L^{0}_{2}[8], \ldots , L^{0}_{2}[13]\) from equations of \(X[5], \ldots , X[10]\), and \(L^{0}_{1}[6]\) and \(L^{0}_{1}[7]\) from equations of \(Y[5]\) and \(Y[6]\), respectively.
 4.
Obtain \(L^{0}_{2}[14], \ldots , L^{0}_{2}[18]\) from equations of \(X[0], \ldots , X[4]\), and \(L^{0}_{1}[11]\) and \(L^{0}_{1}[12]\) from equations of \(Y[0]\) and \(Y[1]\), respectively.
 5.
Repeat steps 2 to 4 until the required number of plaintexts are obtained.
4.3 Attacks on 119Round KATAN32
Let us consider the 119round variant of KATAN32 starting from the first (0th) round. In this attack, \(L^{69}_2[18]\) is chosen as the matching state.
Forward Computation in \(\varvec{\mathcal {F}_{(1)}}\) : \(L^{69}_2[18]\) depends on 83 subkey bits. This implies that \(L^{69}_{2}[18]\) can be computed by a plaintext \(P\) and 83 bits of subkeys. More specifically, \(L^{69}_{2}[18] = \mathcal {F}_{(1)}(P, \mathcal {K}_{(1)})\), where \(\mathcal {K}_{(1)} \in \) \(\{k_{0}, ..., k_{70}\), \(k_{72}\), \(\ldots \), \(k_{76}\), \(k_{80}\), \(k_{83}\), \(k_{84}\), \(k_{85}\), \(k_{89}\), \(k_{93}\), \(k_{100} \}\) and \(\mathcal {K}_{(1)} = 83\). If the function reduction technique with the 23bit condition of plaintexts is used, 8 bits of \(\{k_1\), \(k_3\), \(k_5\), \(k_7\), \(k_9\), \(k_{11}\), \(k_{13}\), \(k_{15}\}\) can be omitted in computations of \(\mathcal {F}_{(1)}\). Thus, \(L^{69}_2[18]\) is computable with \(75(= 83  8)\) bits. In addition, since 4 bits of \(\{k_{68}, k_{75}, k_{85}, k_{100} \}\) linearly affect \(L^{69}_{2}[18]\), we can regard \(k_{68} \oplus k_{75} \oplus k_{85} \oplus k_{100}\) as a new key \(k_f\). Thus, \(72 (= 75  4 + 1)\) bits are involved in the forward computation.
Backward Computation in \(\varvec{\mathcal {F}_{(2)}}\) : In the backward computation starting from the 118th round, the matching state \(L^{69}_{2}[18]\) is computed as \(L^{69}_{2}[18] = \mathcal {F}_{(2)}^{1}(C, \mathcal {K}_{(2)})\), where \(\mathcal {K}_{(2)} \in \) \(\{k_{138}\), \(k_{150}\), \(k_{154}\), \(k_{158}\), \(k_{160}\), \(k_{162}\), \(k_{165}\), \(k_{166}\), \(k_{168}\), \(k_{170}\), \(k_{172}, \ldots k_{237}\}\), and \(\mathcal {K}_{(2)} = 76\). Since 4 bits of \(\{k_{138}, k_{160}, k_{165}, k_{175} \}\) linearly affect \(L^{69}_{2}[18]\), we can regard \(k_{138} \oplus k_{160} \oplus k_{165} \oplus k_{175}\) as a new key \(k_b\). Furthermore, by the indirect matching, \(k_b\) is moved to the forward computation, then \(k_b \oplus k_f\) is regarded as a new key in \(\mathcal {F}_{(1)}\). Thus, \(72 (= 76  4 )\) bits are involved in the backward computation.
Finally, we need to find the remaining \(94 (= 119 \times 2  144)\) bits of subkeys by using the simple MITM approach in the setting where \(\mathcal {K}_{(1)}\) and \(\mathcal {K}_{(2)}\) are known. The time complexity and the required memory for this process are roughly estimated as \(2^{49} (= 2^{48}+2^{46})\) and \(2^{46}\) blocks, respectively. These costs are obviously much less than those of finding \(\mathcal {K}_{(1)}\) and \(\mathcal {K}_{(2)}\).
4.4 Function Reduction on KATAN48
Conditions for 4bit function reductions
Key bit  State bits to be fixed 

\(k_1\)  \(X'[0]\), \(X'[1]\), \(L^0_{1}[6]\), \(L^0_{1}[7]\), \(X'[8]\), \(X'[9]\) 
\(k_3\)  \(X'[2]\), \(X'[3]\), \(L^0_{1}[4]\), \(L^0_{1}[5]\), \(X'[10]\), \(X'[11]\) 
\(k_5\)  \(X'[4]\), \(X'[5]\), \(L^0_{1}[2]\), \(L^0_{1}[3]\), \(X'[12]\), \(X'[13]\) 
\(k_7\)  \(X'[6]\), \(X'[7]\), \(L^0_{1}[0]\), \(L^0_{1}[1]\), \(X'[14]\), \(X'[15]\) 
\(X'[0], \ldots ,X'[6]\) are fixed by controlling 7 bits of \(L^0_{2}[22], \ldots , L^0_{2}[28]\) (7 bit condition). \(X'[7], \ldots ,X'[15]\) contain key bits in AND operations. If \(L^0_{2}[8] = L^0_{2}[7] =, \ldots , = L^0_{2}[1] = L^{0}_{2}[0] = 0\), these key bits are omitted from these equations (9 bit condition). Then \(X'[7], \ldots ,X'[15]\) are also fixed by controlling 9 bits of \(L^0_{2}[13], \ldots , L^0_{2}[21]\) (9 bit condition).
Therefore, if plaintexts satisfy 33 (= 8 + 7 + 9 + 9) bit conditions described in Table 4, 4 bits of the key are able to be omitted when mounting the ASR attack.
4.5 Attacks on 105Round KATAN48
Let us consider the 105round variant of KATAN48 starting from the first (0th) round. In this attack, \(L^{61}_2[28]\) is chosen as the matching state.
Forward Computation in \(\varvec{\mathcal {F}_{(1)}}\) : \(L^{61}_2[28]\) depends on 79 subkey bits. This implies that \(L^{61}_{2}[28]\) can be computed by a plaintext \(P\) and 79 bits of subkeys. More specifically, \(L^{61}_{2}[28] = \mathcal {F}_{(1)}(P, \mathcal {K}_{(1)})\), where \(\mathcal {K}_{(1)} \in \) \(\{k_{0}, ..., k_{68}\), \(k_{70}\), \(k_{71}\), \(k_{72}\), \(k_{75}\), \(k_{77}\), \(k_{78}\), \(k_{81}\), \(k_{85}\), \(k_{87}\), \(k_{92} \}\) and \(\mathcal {K}_{(1)} = 79\). If the function reduction technique with the 33bit condition of plaintexts is used, 4 bits of \(k_1\), \(k_3\), \(k_5\), \(k_7\) can be omitted in computations of \(\mathcal {F}_{(1)}\). Thus, \(L^{61}_2[28]\) is computable with \(75(= 79  4)\) bits. In addition, 3 bits of \(\{k_{75}, k_{81}, k_{92} \}\) linearly affect \(L^{61}_{2}[28]\). Thus, we can regard \(k_{75} \oplus k_{81} \oplus k_{92}\) as a new key. By using indirect matching, \(k_f = k_{75} \oplus k_{81} \oplus k_{92}\) is moved to \(\mathcal {F}_{(2)}\). Then, \(72 (= 75  3)\) bits are involved in the forward computation.
Backward Computation in \(\varvec{\mathcal {F}_{(2)}}\) : In the backward computation starting from the 104th round, the matching state \(L^{61}_{2}[28]\) is computed as \(L^{61}_{2}[28]\! =\! \mathcal {F}_{(2)}^{1}(C, \mathcal {K}_{(2)})\), where \(\mathcal {K}_{(2)} \in \) \(\{k_{122}\), \(k_{128}\), \(k_{130}\), \(k_{134}\), \(k_{136}\), \(k_{138}\), \(k_{140}\), \(k_{141}\), \(k_{142}\), \(k_{144}, \ldots k_{209}\}\), and \(\mathcal {K}_{(2)} = 75\). 4 bits of \(\{k_{122}, k_{130}, k_{140}, k_{141} \}\) linearly affect \(L^{61}_{2}[28]\). Thus, we can regard \(k_b = k_{122} \oplus k_{130} \oplus k_{140} \oplus k_{141}\) as a new key. Furthermore, we define \(k_f \oplus k_b\) as a new key. Then, \(72 (= 75  4 + 1)\) bits are involved in the backward computation.
Finally, we need to find the remaining \(66\) \((= 105 \times 2  144)\) bits of subkeys by using the simple MITM approach in the setting where \(\mathcal {K}_{(1)}\) and \(\mathcal {K}_{(2)}\) are known. The time complexity and the required memory for this process are roughly estimated as \(2^{34} (= 2^{34} + 2^{32})\) and \(2^{32}\) blocks, respectively. These costs are obviously much less than those of finding \(\mathcal {K}_{(1)}\) and \(\mathcal {K}_{(2)}\).
4.6 Function Reduction on KATAN64
Conditions for 2bit function reductions
Key bit  State bits to be fixed 

\(k_1\)  \(X''[0]\), \(X''[1]\), \(X''[2]\), \(L^0_{1}[6]\), \(L^0_{1}[7]\), \(L^0_{1}[8]\), \(X''[9]\), \(X''[10]\), \(X''[11]\), 
\(k_3\)  \(X''[3]\), \(X''[4]\), \(X''[5]\), \(L^0_{1}[3]\), \(L^0_{1}[4]\), \(L^0_{1}[5]\), \(X''[12]\), \(X''[13]\), \(X''[14]\), 
\(X''[0], \ldots , X''[9]\) are fixed by controlling 10 bits of \(L^0_{2}[29], \ldots , L^0_{2}[38]\) (10 bit condition). \(X''[10]\), \(\ldots \), \(X''[14]\) contain key bits in AND operations. If \(L^0_{2}[4] = , \ldots , = L^{0}_{2}[0] = 0\), these key bits are omitted from these equations (5 bit condition). Then \(X''[10], \ldots , X''[14]\) are also fixed by controlling 5 bits \(L^0_{2}[18], ..., L^0_{2}[23]\) (5 bit condition).
Therefore, if plaintexts satisfy \(29 (= 9 + 10 + 5 + 5)\) bit conditions described in Table 5, 2 bits of the key are able to be omitted when mounting the ASR attack.
4.7 Attacks on 99Round KATAN64
Let us consider the 99round variant of KATAN64 starting from the first (0th) round. In this attack, \(L^{57}_2[38]\) is chosen as the matching state.
Forward Computation in \(\varvec{\mathcal {F}_{(1)}}\) : \(L^{57}_2[38]\) depends on 74 subkey bits. This implies that \(L^{57}_{2}[38]\) can be computed by a plaintext \(P\) and 74 bits of subkeys. More specifically, \(L^{57}_{2}[38] = \mathcal {F}_{(1)}(P, \mathcal {K}_{(1)})\), where \(\mathcal {K}_{(1)} \in \) \(\{k_{0}, ..., k_{66}\), \(k_{70}\), \(k_{71}\), \(k_{72}\), \(k_{75}\), \(k_{77}\), \(k_{81}\), \(k_{88}\) \(\}\) and \(\mathcal {K}_{(1)} = 74\). If the function reduction technique with the 29bit condition of plaintexts is used, 2 bits of \(k_1\), \(k_3\) can be omitted in computations of \(\mathcal {F}_{(1)}\). Thus, \(L^{57}_2[38]\) is computable with \(72(= 74  2)\) bits. In addition, 3 bits of \(\{k_{71}, k_{77}, k_{88} \}\) linearly affect \(L^{57}_{2}[38]\). Thus, we can regard \(k_{71} \oplus k_{77} \oplus k_{88}\) as a new key. Then, \(70 (= 72  3 + 1)\) bits are involved in the forward computation.
Backward Computation in \(\varvec{\mathcal {F}_{(2)}}\) : In the backward computation starting from the 98th round, the matching state \(L^{57}_{2}[38]\) is computed as \(L^{57}_{2}[38] = \mathcal {F}_{(2)}^{1}(C, \mathcal {K}_{(2)})\), where \(\mathcal {K}_{(2)} \in \) \(\{ k_{114}\), \(k_{116}\), \(k_{120}\), \(k_{122}\), \(k_{124}\), \(k_{126}\), \(k_{128}\), \(k_{130}, \ldots k_{197}\}\), and \(\mathcal {K}_{(2)} = 75\). 3 bits of \(\{k_{114}, k_{122}, k_{131}\}\) linearly affect \(L^{57}_{2}[38]\). Thus, we can consider \(k_{114} \oplus k_{122} \oplus k_{131}\) as a new key, and move it to the forward computation by the indirect matching. Then, \(72 (= 75  3)\) bits are involved in the backward computation.
Evaluation. For the 99round reduced KATAN64, the matching state \(S\) is chosen as \(L^{57}_{2}[38]\) (1bit state).
Finally, we need to find the remaining \(56 (= 99 \times 2  142)\) bits of subkeys by using the simple MITM approach in the setting where \(\mathcal {K}_{(1)}\) and \(\mathcal {K}_{(2)}\) are known. The time complexity and the required memory for this process are roughly estimated as \(2^{28}\) and \(2^{28}\) blocks, respectively. These costs are obviously much less than those of finding \(\mathcal {K}_{(1)}\) and \(\mathcal {K}_{(2)}\).
5 Improved AllSubkeys Recovery Attack on SHACAL2
This section presents the ASR attacks on SHACAL2 with the function reduction techniques. Then, we propose a 42round attack on SHACAL2, based on the 41round attack on SHACAL2 [13].
5.1 Description of SHACAL2
SHACAL2 [13] is a 256bit block cipher based on the compression function of SHA256 [12]. It was submitted to the NESSIE project and selected in the NESSIE portfolio [22].
5.2 Function Reduction on SHACAL2
In the round function of SHACAL2, a round key \(W_i\) is inserted to the state \(T_i\) by an arithmetic addition operation. We show that the splice and cut framework is applicable by using the partial key linearization technique.
5.3 Attacks on 42Round SHACAL2
We show that the splice and cut framework [4] is applicable to SHACAL2 by using the key linearization technique. Then we extend the 41round attack [16] by one more round. In particular, the splice and cut technique is done in the first round, and the higher 15 bits are move to the backward computation, and the lower 17 bits are move to the forward computation. Then we choose the lowest 1 bit of \(A_{17}\) as the matching point.
Forward Computation in \(\varvec{\mathcal {F}_{(1)}}\) : The lowest 1 bit of \(A_{17}\) can be computed from the 16th state \(p_{16}\) and the lowest 1 bit of \(W_{16}\), since the other bits of \(W_{16}\) are not affected to the lower 1 bit of \(A_{17}\). Thus, the matching state \(S\) (the lowest 1 bit of \(A_{17}\)) is calculated as \(S = \mathcal {F}_{(1)}(P, \mathcal {K}_{(1)})\), where \(\mathcal {K}_{(1)} \in \) {the lower 17 bits of \(W_{0}, W_{1}, ..., W_{15}, \) the lowest 1 bit of \(W_{16}\}\) and \(\mathcal {K}_{(1)} = 498 (= 32 \times 15 + 1 + 17)\).
Backward Computation in \(\varvec{\mathcal {F}_{(2)}}\) : We utilize the following observation [16].
Observation 1
The lower \(t\) bits of \(A_{j10}\) are obtained from the \(j\)th state \(p_{j}\) and the lower \(t\) bits of three subkeys \(W_{j1}\), \(W_{j2}\) and \(W_{j3}\).
From Observation 1, the matching state \(S\) (the lowest 1 bit of \(A_{17}\)) can be computed as \(S = \mathcal {F}^{1}_{(2)}(C, \mathcal {K}_{(2)})\), where \(\mathcal {K}_{(2)} \in \) \(\{\)the higher 15 bits of \(W_{0}\), \(W_{27}, ..., W_{41}, \) the lowest \(1\) bits of \(W_{24}\), \(W_{25}\) and \(W_{26}\}\). Thus, \(\mathcal {K}_{(2)} = 498 (= 32 \times 15 + 1 \times 3 + 15)\).
6 Conclusion
The concept of the ASR attack is quite simple, which recovers allsubkeys instead of the master key, but useful to evaluate the security of block cipher structures without analyzing key scheduling functions. Thus, it is valuable to study its improvements to design a secure block cipher. We first observed the function reduction technique, which improved the ASR attack and was originally applied to Feistel schemes. Then, with some improvements such as the repetitive ASR approach, we applied the function reduction to other block cipher structures including LaiMassey, generalized LaiMassey, LFSRtype and sourceheavy generalized Feistel schemes.
As applications of our approach, we presented the improved ASR attacks on the 7, 7, 119, 105, 99, and 42round reduced FOX64, FOX128, KATAN32, KATAN48, KATAN64 and SHACAL2. All of our results updated the number of attacked rounds by the previously known best attacks. We emphasize that our attacks work independently from the structure of the key scheduling function. In other words, strengthening the key scheduling function does not improve the security against our attack. It implies that our results give the lower bounds on the security of the target structures such as LaiMassey scheme rather than the specific block ciphers against generic key recovery attack. Therefore, we believe that our results are useful for a deeper understanding the security of the block cipher structures.
Footnotes
References
 1.Adams, C.: The CAST128 encryption algorithm. RFC2144, May 1997Google Scholar
 2.Albrecht, M.R., Leander, G.: An allinone approach to differential cryptanalysis for small block ciphers. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 1–15. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 3.Aoki, K., Guo, J., Matusiewicz, K., Sasaki, Y., Wang, L.: Preimages for stepreduced SHA2. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 578–597. Springer, Heidelberg (2009) CrossRefGoogle Scholar
 4.Aoki, K., Sasaki, Y.: Preimage attacks on oneblock MD4, 63step MD5 and more. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 103–119. Springer, Heidelberg (2009) CrossRefGoogle Scholar
 5.Biham, E., Dunkelman, O., Keller, N., Shamir, A.: New dataefficient attacks on reducedround IDEA. IACR Cryptology ePrint Archive, vol. 2011, p. 417 (2011)Google Scholar
 6.Bogdanov, A., Khovratovich, D., Rechberger, C.: Biclique cryptanalysis of the full AES. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 344–371. Springer, Heidelberg (2011) CrossRefGoogle Scholar
 7.Bogdanov, A., Rechberger, C.: A 3subset meetinthemiddle attack: cryptanalysis of the lightweight block cipher KTANTAN. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 229–240. Springer, Heidelberg (2011) CrossRefGoogle Scholar
 8.De Cannière, C., Dunkelman, O., Knežević, M.: KATAN and KTANTAN — A family of small and efficient hardwareoriented block ciphers. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 272–288. Springer, Heidelberg (2009) CrossRefGoogle Scholar
 9.Canteaut, A., NayaPlasencia, M., Vayssière, B.: Sieveinthemiddle: improved MITM attacks. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 222–240. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 10.Dinur, I., Dunkelman, O., Shamir, A.: Improved attacks on full GOST. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 9–28. Springer, Heidelberg (2012) CrossRefGoogle Scholar
 11.Dunkelman, O., Sekar, G., Preneel, B.: Improved meetinthemiddle attacks on reducedround DES. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 86–100. Springer, Heidelberg (2007) CrossRefGoogle Scholar
 12.FIPS. Secure Hash Standard (SHS). Federal Information Processing Standards Publication, pp. 180–184Google Scholar
 13.Handschuh, H., Naccache, D.: “SHACAL.” NESSIE Proposal (updated), October 2001. https://www.cosic.esat.kuleuven.be/nessie/updatedPhase2Specs/SHACAL/shacaltweak.zip
 14.Isobe, T.: A singlekey attack on the full GOST block cipher. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 290–305. Springer, Heidelberg (2011) CrossRefGoogle Scholar
 15.Isobe, T., Sasaki, Y., Chen, J.: Relatedkey boomerang attacks on KATAN32/48/64. In: Boyd, C., Simpson, L. (eds.) ACISP. LNCS, vol. 7959, pp. 268–285. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 16.Isobe, T., Shibutani, K.: All subkeys recovery attack on block ciphers: extending meetinthemiddle approach. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 202–221. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 17.Isobe, T., Shibutani, K.: Generic key recovery attack on feistel scheme. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 464–485. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 18.Junod, P., Vaudenay, S.: FOX: a new family of block ciphers. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 114–129. Springer, Heidelberg (2004) CrossRefGoogle Scholar
 19.Khovratovich, D., Leurent, G., Rechberger, C.: Narrowbicliques: cryptanalysis of full IDEA. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 392–410. Springer, Heidelberg (2012) CrossRefGoogle Scholar
 20.Lu, J., Kim, J.: Attacking 44 rounds of the SHACAL2 block cipher using relatedkey rectangle cryptanalysis. IEICE Trans. 91–A(9), 2588–2596 (2008)CrossRefGoogle Scholar
 21.Merkle, R.C., Hellman, M.E.: On the security of multiple encryption. Commun. ACM 24(7), 465–467 (1981)CrossRefMathSciNetGoogle Scholar
 22.NESSIE consortium, NESSIE portfolio of recommended cryptographic primitives (2003). https://www.cosic.esat.kuleuven.be/nessie/deliverables/decisionfinal.pdf
 23.Nikolic, I., Wang, L., Wu, S.: The parallelcut meetinthemiddle attack. IACR Cryptology ePrint Archive, p. 530 (2013)Google Scholar
 24.Sasaki, Y., Aoki, K.: Finding preimages in full MD5 faster than exhaustive search. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 134–152. Springer, Heidelberg (2009) CrossRefGoogle Scholar
 25.Suzuki, K., Tonien, D., Kurosawa, K., Toyota, K.: Birthday paradox for multicollisions. In: Rhee, M.S., Lee, B. (eds.) ICISC 2006. LNCS, vol. 4296, pp. 29–40. Springer, Heidelberg (2006) CrossRefGoogle Scholar
 26.Wu, W., Zhang, W., Feng, D.: Integral cryptanalysis of reduced FOX block cipher. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 229–241. Springer, Heidelberg (2006) CrossRefGoogle Scholar
 27.Wu, Z., Luo, Y., Lai, X., Zhu, B.: Improved cryptanalysis of the FOX block cipher. In: Chen, L., Yung, M. (eds.) INTRUST 2009. LNCS, vol. 6163, pp. 236–249. Springer, Heidelberg (2010) CrossRefGoogle Scholar
 28.Zhu, B., Gong, G.: Guessthenmeetinthemiddle attacks on the KTANTAN family of block ciphers. IACR Cryptology ePrint Archive, p. 619 (2011)Google Scholar