Practical attack on 8 rounds of the lightweight block cipher KLEIN

Authors:
Jean-Philippe Aumasson;María Naya-Plasencia;Markku-Juhani O. Saarinen
Affiliations:
NAGRA, Switzerland;FHNW, Windisch, Switzerland;Revere Security
Venue:
INDOCRYPT'11 Proceedings of the 12th international conference on Cryptology in India
Year:
2011

Citing 11
Cited 0

Initial Observations on Skipjack: Cryptanalysis of Skipjack-3XOR

SAC '98 Proceedings of the Selected Areas in Cryptography
PRESENT: An Ultra-Lightweight Block Cipher

CHES '07 Proceedings of the 9th international workshop on Cryptographic Hardware and Embedded Systems
KATAN and KTANTAN -- A Family of Small and Efficient Hardware-Oriented Block Ciphers

CHES '09 Proceedings of the 11th International Workshop on Cryptographic Hardware and Embedded Systems
QUARK: a lightweight hash

CHES'10 Proceedings of the 12th international conference on Cryptographic hardware and embedded systems
PRINTcipher: a block cipher for IC-printing

CHES'10 Proceedings of the 12th international conference on Cryptographic hardware and embedded systems
The IPS compiler: optimizations, variants and concrete efficiency

CRYPTO'11 Proceedings of the 31st annual conference on Advances in cryptology
SPONGENT: a lightweight hash function

CHES'11 Proceedings of the 13th international conference on Cryptographic hardware and embedded systems
The LED block cipher

CHES'11 Proceedings of the 13th international conference on Cryptographic hardware and embedded systems
Piccolo: an ultra-lightweight blockcipher

CHES'11 Proceedings of the 13th international conference on Cryptographic hardware and embedded systems
KLEIN: a new family of lightweight block ciphers

RFIDSec'11 Proceedings of the 7th international conference on RFID Security and Privacy
The hummingbird-2 lightweight authenticated encryption algorithm

RFIDSec'11 Proceedings of the 7th international conference on RFID Security and Privacy

Quantified Score

Hi-index	0.00

Visualization

Abstract

KLEIN is a family of lightweight block ciphers presented at RFIDSec 2011 that combines a 4-bit Sbox with Rijndael's byte-oriented MixColumn. This approach allows compact implementations of KLEIN in both low-end software and hardware. This paper shows that interactions between those two components lead to the existence of differentials of unexpectedly high probability: using an iterative collection of differential characteristics and neutral bits in plaintexts, we find conforming pairs for four rounds with amortized cost below 212 encryptions, whereas at least 230 was expected by the preliminary analysis of KLEIN. We exploit this observation by constructing practical (≈235-encryption), experimentally verified, chosen-plaintext key-recovery attacks on up to 8 rounds of KLEIN-64--the instance of KLEIN with 64-bit keys and 12 rounds.