上海交通大学学报(英文版) ›› 2013, Vol. 18 ›› Issue (2): 147-152.doi: 10.1007/s12204-013-1377-2

• 论文 • 上一篇    下一篇

Differential Fault Analysis and Meet-in-the-Middle Attack on the Block Cipher KATAN32

ZHANG Wen-ying1,2 (张文英), LIU Feng1* (刘枫), LIU Xuan1 (刘宣), MENG Shuai1 (孟帅)   

  1. (1. School of Information Science and Engineering, Shandong Normal University, Jinan 250014, China; 2. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China)
  • 出版日期:2013-04-30 发布日期:2013-05-10
  • 通讯作者: LIU Feng(刘枫) E-mail:liufengbiji@163.com

Differential Fault Analysis and Meet-in-the-Middle Attack on the Block Cipher KATAN32

ZHANG Wen-ying1,2 (张文英), LIU Feng1* (刘枫), LIU Xuan1 (刘宣), MENG Shuai1 (孟帅)   

  1. (1. School of Information Science and Engineering, Shandong Normal University, Jinan 250014, China; 2. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China)
  • Online:2013-04-30 Published:2013-05-10
  • Contact: LIU Feng(刘枫) E-mail:liufengbiji@163.com

摘要: We investigate the lightweight block cipher KATAN family which consists of three variants with 32, 48 and 64-bit block sizes, called KATAN32, KATAN48 and KATAN64 respectively. However, three variants all have the same key length of 80 bits. On the basis of the bit-oriented faulty model and the differential analysis principle, we describe the attack that combines differential fault attack with the meet-in-the-middle (MITM) attack on the KATAN32. More precisely, inducing a fault at a bit, we can recover some linear differential fault equations on the key bits. During solving equations, without the help of computer, we need only algebraic deduction to obtain relations of some key bits. The complexity in this process is neglectable. The secret key of the full cipher can be recovered faster than exhaustive search for all three block sizes in the KATAN family. Our result describes that KATAN32 is vulnerable.

关键词: KATAN32, differential fault analysis, meet-in-the-middle (MITM) attack, block cipher, lightweight cipher

Abstract: We investigate the lightweight block cipher KATAN family which consists of three variants with 32, 48 and 64-bit block sizes, called KATAN32, KATAN48 and KATAN64 respectively. However, three variants all have the same key length of 80 bits. On the basis of the bit-oriented faulty model and the differential analysis principle, we describe the attack that combines differential fault attack with the meet-in-the-middle (MITM) attack on the KATAN32. More precisely, inducing a fault at a bit, we can recover some linear differential fault equations on the key bits. During solving equations, without the help of computer, we need only algebraic deduction to obtain relations of some key bits. The complexity in this process is neglectable. The secret key of the full cipher can be recovered faster than exhaustive search for all three block sizes in the KATAN family. Our result describes that KATAN32 is vulnerable.

Key words: KATAN32, differential fault analysis, meet-in-the-middle (MITM) attack, block cipher, lightweight cipher

中图分类号: