Biclique Cryptanalysis Of PRESENT, LED, And KLEIN


Revision

Farzaneh Abed, Christian Forler, Eik List, Stefan Lucks, Jakob Wenzel
Bauhaus-Universität Weimar, Germany

Abstract. In this paper, we analyze the resistance of the lightweight ciphers PRESENT, LED, and KLEIN to biclique attacks. Primarily, we describe attacks on the full-round versions PRESENT-80, PRESENT-128, LED-64, LED-128, KLEIN-80, and KLEIN-96. Our attacks have time complexities of , , , , , and encryptions, respectively. In addition, we consider attacks on round-reduced versions of PRESENT and LED, to show the security margin for which an adversary can obtain an advantage of at least a factor of two compared to exhaustive search.

Keywords: PRESENT, LED, KLEIN, lightweight block cipher, independent biclique, matching-with-precomputations

1 Introduction

Biclique cryptanalysis. Biclique cryptanalysis is a rather young generic technique that was introduced by Khovratovich et al., first in 2011 [18], and later presented at the FSE 2012 [19]. Hereby, a biclique is a complete bipartite graph, where every element in a set of starting states is connected with every element in a set of ending states. In the context of cryptanalysis, every path in such a graph represents the encryption under a unique key over some steps of a primitive. If the paths do not share active non-linear components, then a biclique allows an adversary to test a set of key candidates very efficiently, which can be used to reduce the effort or to extend the number of steps in a meet-in-the-middle (MitM) or similar attack. While their first applications targeted hash functions [18,19], bicliques have proven to be well-suited also for key-recovery attacks on block ciphers. In June 2011, Bogdanov et al. adapted the approach for their analysis of the AES. Their work received a high level of attention, since it showed the first attacks on full versions of the cipher in the single-key model [17,4].
Since then, biclique-based key-recovery attacks have been successfully applied to a variety of ciphers, including SQUARE, HIGHT, Piccolo, ARIA-256, L-Block, TWINE, IDEA, KLEIN-64, and mCrypton [1,9,7,13,16,20,24,26,27], all of these works being the first attacks on full-round versions of these ciphers.

Bicliques for bruteforce-like cryptanalysis. When there exists a MitM attack over the rounds not covered by a biclique, then an adversary can gain almost the same advantage as from the MitM attack. However, if there is no MitM attack available, one can still combine a biclique with an optimized bruteforce-like cryptanalysis, i.e., testing all keys over the remaining rounds; a technique which was introduced by Bogdanov et al. in [17,4] and which was essential to cover the full number of rounds in their attacks on the AES. Following this approach, the adversary precomputes and stores a number of computations and later re-uses the stored values to lower the total effort. As a consequence, the advantage for the adversary is rather low. The results mentioned above have gained a factor between 0.5 and 8. Moreover, since this approach is generic, it can be applied to any primitive and any number of rounds. Thus, a successfully mounted attack does not allow a cryptanalyst to identify cipher-specific weaknesses (cf. Wei et al. [28]). Thus, there is an ongoing debate on how to rate the importance of bruteforce-like cryptanalysis. Wei et al. stress that even small advantages can still be helpful for practical attacks, which applies to ciphers with a key length of bits. For larger key lengths, such minor improvements were only of academic interest. We share this point

of view; however, we generalize that biclique-based bruteforce-like cryptanalysis is an effective method to establish a new lower security margin for ciphers.

PRESENT. PRESENT is a 64-bit ultra-lightweight cipher that was proposed by Bogdanov et al. in 2007 [5] and is now standardized in the ISO/IEC Standard In their proposal, the designers described two versions of PRESENT; a recommended variant, which employs an 80-bit key (PRESENT-80), and a less important version with a 128-bit key (PRESENT-128). In 2008, Wang demonstrated a first differential analysis of a 16-round version of PRESENT, which had a time complexity equivalent to $2^{65}$ encryptions [25]. Later that year, Albrecht and Cid presented a combined differential-algebraic attack on 19 rounds with a time complexity equivalent to encryptions [2]. To the best of our knowledge, the previously most powerful attack on PRESENT without exhaustive components is the work of Cho [8], which allows to distinguish 25 rounds of PRESENT-80 from a random permutation. In the same work, the author proposed an additional attack on 26 rounds, which, in our opinion, is not a stronger analysis, since it requires the entire codebook. A few weeks after our initial publication of this work, Jeong et al. [15] published biclique-based bruteforce-like attacks on LED, PRESENT and Piccolo, which are similar to ours. Considering PRESENT, their attacks provide an extremely low advantage for the adversary, of 0.24 bits for PRESENT-80 and 0.19 bits for PRESENT-128.

LED. LED is a family of AES-like lightweight ciphers that was designed by Jian et al. in 2011 [12]. It supports arbitrary key lengths between 64 and 128 bits, where the two most-relevant versions are LED-64 and LED-128. In their security analysis, the designers of LED claimed that the best probabilistic differential attacks on LED could cover only 15 out of 32 rounds for the 64-bit and 27 out of 48 rounds for the 128-bit version. In [14], Isobe and Shibutani proposed a splice-and-cut attack on eight rounds of LED-64 with a computational complexity equivalent to $2^{56}$ encryptions.
In the same work, the authors applied another splice-and-cut analysis on 16 rounds of LED-128 which required encryptions. Mendel et al. analyzed differential properties of LED and published related-key attacks on up to 16 rounds of LED-64 and up to 24 rounds of LED-128 [21]. At the FSE 2013, Nikolic et al. presented key-recovery attacks on up to eight rounds of LED-64 and 24 rounds of LED-128 (note, that we consider only the single-key model here), as well as chosen-key distinguishers on up to 16 rounds of LED-64 and up to 40 rounds of LED-128. Like it is the case for PRESENT, the best previous attacks on LED in the single-key model, when considering the number of covered rounds, are due to Jeong et al. [15], who describe an analysis of 29 rounds of LED-64 and 45 rounds of LED-128. Both results provide an advantage of about 0.5 bits. While the authors also consider an attack on full LED-128, we do not consider this as an attack, since it requires the full codebook.

KLEIN. Like LED, KLEIN is a family of AES-like lightweight block ciphers which was proposed by Gong, Nikova and Law at the RFIDSec 2011 [11]. The cipher has a 64-bit state and supports key lengths of 64, 80, or 96 bits. The best attacks on KLEIN before 2013 were published by Yu et al. [29], who proposed integral attacks on up to eight out of 12 rounds of KLEIN-64, and by Aumasson et al., who presented a practical distinguishing attack and several key-recovery attacks on up to eight rounds of this version. The best recent attack is due to Ahmadian et al., who published two biclique-based attacks on full KLEIN-64 with workloads of and encryptions and data complexities of $2^{39}$ and $2^{43}$ chosen plaintexts, respectively. So, since the security of KLEIN-64 has already been analyzed, we only considered the versions KLEIN-80 and KLEIN-96 in this work.

Contribution. In this paper, we describe our cryptanalytic results of biclique attacks on full PRESENT-80, PRESENT-128, LED-64, LED-128, KLEIN-80, and KLEIN-96.
In addition, we give short descriptions of attacks on reduced versions of PRESENT, LED, and KLEIN-96 in order to illustrate the number of rounds required to obtain at least an advantage factor of two compared to a trivial exhaustive search. Our results are the best attacks on these ciphers in the single-key model regarding the number of rounds covered and

the computational complexity at the time of writing this paper. A comparison of previous works and our results is given in Table 1.

Table 1. Best previously published attacks on PRESENT, LED, and KLEIN in the single-key model. Memory complexity is given in bytes, -: not given.
Columns: Primitive, Attack type, Rounds, Time, Data, Memory, Reference.
Primitives: PRESENT-80/-128, PRESENT-80, PRESENT-128, LED-64, LED-128, KLEIN-64, KLEIN-80, KLEIN-96.
Entries: Differential [25]; Diff. + Algebraic [2]; Saturation [10]; Linear [23]; Linear [8]; Linear [8]; Biclique, Sec. 4.5; Biclique, 31 (full), [15]; Biclique, 31 (full), Sec. 4; Biclique, Sec. 5.5; Biclique, 31 (full), [15]; Biclique, 31 (full), Sec. 5; Splice-and-cut [14]; Differential [22]; Biclique, Sec. 7.5; Biclique [15]; Biclique, 32 (full), Sec. 7; Splice-and-cut [14]; Differential [22]; Differential [22]; Biclique, Sec. 8.5; Biclique [15]; Biclique, 48 (full), [15]; Biclique, 48 (full), Sec. 8; Integral [29]; Differential [29]; Differential [3]; Biclique, 12 (full), [1]; Biclique, 12 (full), [1]; Integral [29]; Biclique, 16 (full), Sec. 10; Biclique, Sec. 11; Biclique, 20 (full), Sec. 11.

Outline. First, in Section 2, we recap the general details of independent-biclique cryptanalysis. Section 3 then provides the details of PRESENT, before we give a description of our attacks on PRESENT-80 and -128 in the Sections 4 and 5. Similarly, in Section 6, we first review the necessary details of LED, before Sections 7 and 8 explain our attacks on LED-64 and Next, we have a short look on KLEIN in Section 9, and show attacks on full KLEIN-80 and KLEIN-96 in Sections 10 and 11. We conclude our paper in Section 12.

Revised aspects. In this version, we take care of the helpful comments we were given by the reviewers of the initial version of this paper. In our previous attacks, we had constructed bicliques over as many rounds as possible, which resulted in attacks with relatively high numbers of $2^{56}$ and $2^{64}$ required chosen plaintexts for LED-64 and LED-128, as well as $2^{60}$ and $2^{44}$ chosen plaintexts for PRESENT-80 and PRESENT-128, respectively. We re-constructed our bicliques in order to reduce the number of plaintexts which have to be collected by the adversary. In our attacks on LED, we could reduce the numbers to $2^{8}$; for PRESENT, we could achieve $2^{25}$ and $2^{23}$ for PRESENT-80 and PRESENT-128. Furthermore, concerning LED, we had mounted attacks on reduced versions without the wrapping key additions. Since the key injection is located after every fourth round, our reviewers pointed out the necessity of considering only attacks on full steps, i.e., 4-round intervals which include the wrapping key additions, to be comparable to previous works. We revised our attacks on LED accordingly.

2 Biclique Cryptanalysis

In this section, we give a brief overview on biclique cryptanalysis based on the descriptions by Bogdanov et al. [4].

2.1 Definition

A biclique is a complete bipartite graph which connects every element in a set of starting states $S$ with every element in a set of ending states $C$. We represent the elements in $S$ by $S_j$, and those in $C$ by $C_i$. A path from $S_j$ to $C_i$ represents the encryption under some key $K[i, j]$ over some sub-cipher $B$. The 3-tuple of sets $[\{S_j\}, \{C_i\}, \{K[i, j]\}]$ is called a d-dimensional biclique, if

$\forall i, j \in \{0, \ldots, 2^d - 1\}: \; S_j \xrightarrow[B]{K[i,j]} C_i.$

As a generalization, note that the sets $S$ and $C$ do not need to have identical numbers of elements. Then, we call the 3-tuple of sets $[\{S_j\}, \{C_i\}, \{K[i, j]\}]$ a $(d_1, d_2)$-dimensional (asymmetric) biclique, if

$\forall i \in \{0, \ldots, 2^{d_1} - 1\}, \; \forall j \in \{0, \ldots, 2^{d_2} - 1\}: \; S_j \xrightarrow[B]{K[i,j]} C_i.$

In the following, we regard the simple case of a d-dimensional biclique. Assume an adversary is given a cipher $E$, on which she wants to mount a biclique-based attack.
First, she divides the secret-key space into $2^{k-2d}$ subspaces of $2^{2d}$ keys each, where $k$ denotes the key length and $d$ the dimension of the used bicliques. Further, she defines a splitting $E = B \circ E_2 \circ E_1$, where $E_1$ is the subcipher that maps a plaintext $P$ to an internal state $v$, $E_2$ maps $v$ to another internal state $S$, and $B$ maps the state $S$ to the ciphertext $C$:

$P \xrightarrow{E_1} v \xrightarrow{E_2} S \xrightarrow{B} C.$

The adversary can construct a biclique over an arbitrary part of the cipher and can use a meet-in-the-middle or a bruteforce-like procedure to compute the remaining parts. Note that she needs to have access to only either an encryption or decryption oracle to obtain plaintext-ciphertext pairs. This setting is illustrated in Figure 1 for a biclique over the last part of the cipher. Bogdanov et al. introduced two different paradigms of bicliques for cryptanalysis: independent bicliques, which can be constructed with low effort, but cover only a small number of rounds, and long bicliques, which can potentially cover more rounds, but are harder to construct. In the following, we focus on the former approach.

[Fig. 1. MitM attack with a biclique at the end of the cipher.]

2.2 Biclique Construction

Independent bicliques allow the construction of bicliques over some subcipher $B$ from two differentials. The adversary chooses a so-called base computation, i.e., a 3-tuple $\{S_0, C_0, K[0, 0]\}$, where the key $K[0, 0]$ maps the internal state $S_0$ to the ciphertext $C_0$:

$S_0 \xrightarrow[B]{K[0,0]} C_0.$

Then, she searches for $2^d$ forward differentials, which connect the state $S_0$ with the ciphertexts $C_i$,

0 K[0,0] K C 0 = C, B

and similarly, for $2^d$ backward differentials j, which connect the ciphertext $C_0$ with the states $S_j$:

j = 0 j K[0,0] K j B 1 C 0.

If the trails of all i-differentials do not share active non-linear operations with any of the j-differentials, then there exists an encryption path connecting any of the $2^d$ input differences j with any of the $2^d$ output differences. Thus, we obtain a set of $2^{2d}$ independent (i, j)-differential trails:

K[0,0] K 0 K j j C 0, j {0,..., 2 d 1}. B

2.3 Matching-with-Precomputations

Khovratovich et al. introduced matching-with-precomputations as an effective technique to perform a matching on the parts not covered by the biclique. For this approach, an adversary first chooses an internal state $v$ which splits the remaining parts into the sub-ciphers $E_1$ and $E_2$. Then, she precomputes and stores $2^d$ values $v_{i,0}$ in forward direction from the plaintext $P$ to $v$, and $2^d$ values $v_{0,j}$ in backward direction from each of the starting states $S_j$:

$P \xrightarrow[E_1]{K[i,0]} v_{i,0}$, and $v_{0,j} \xleftarrow[E_2^{-1}]{K[0,j]} S_j.$

For all $2^{2d} - 2^d$ further computations

$P \xrightarrow[E_1]{K[i,j]} v_{i,j}$, and $v_{i,j} \xleftarrow[E_2^{-1}]{K[i,j]} S_j,$

the adversary has to recompute only those parts of the key schedule and the round transformation that differ from the stored values. By using this method, the computational effort for matching can be reduced significantly compared to an exhaustive search. A further reduction is possible by matching only in a part of the state at $v$ (partial matching).

2.4 Complexity Calculations

For every biclique, the adversary tests $2^{2d}$ keys. Hence, it needs to construct $2^{k-2d}$ bicliques to cover the full key space. Concerning the time complexity, [4] proposed the equation

$C_{full} = 2^{k-2d} \left( C_{biclique} + C_{decrypt} + C_{precomp} + C_{recomp} + C_{falsepos} \right)$, (1)

where $C_{biclique}$ denotes the costs for computing $2 \cdot 2^d$ trails over $B$, $C_{decrypt}$ is the complexity of the oracle to decrypt $2^d$ ciphertexts, $C_{precomp}$ represents the effort for $2^d$ computations of $E_2 \circ E_1$ to determine $v_{0,j}$ and $v_{i,0}$, $C_{recomp}$ describes the costs of recomputing $2^{2d}$ values $v_{i,j}$ and $v_{i,j}$, and $C_{falsepos}$ is the complexity to eliminate false positives. The full computational effort of the attack is dominated by the recomputations. The memory requirements are upper bounded by storing $2^d$ intermediate states $v_{i,j}$. Note that in attacks with a low data complexity, it can be appropriate to ask and store all required plaintext-ciphertext pairs in advance, so that $C_{decrypt}$ becomes a negligible term in the full time complexity.

2.5 Sieve-in-the-Middle

The number of rounds covered by a MitM or a biclique-based attack can be further extended by precomputing a number of steps near the matching state, as announced by Canteaut et al. [6]. Prior to an attack, the adversary creates a precomputation table for the possible transitions through some sub-cipher in the middle of a given cipher. In the MitM attack, instead of matching by computing the same bits of a matching state from both directions, the adversary can already stop at the input and output steps of the sub-cipher, and use the precomputed table to look up whether inputs and outputs produce a valid transition, in order to sieve out false keys. Thus, this procedure transforms the search for collisions at a certain matching point into the search for valid transitions. Assume we are given an $m \times m$ S-box, i.e., inputs and outputs have a state length of $m$ bits. We say that a transition through the S-box exists with a probability $p$. Further, if we denote by $n_{in}$ the number of fixed known input bits, and by $n_{out}$ the number of known output bits, then there exist at most $2^{m - n_{in}}$ values for the output bits.
The probability $p$ for a valid transition is then given by p $2^{m - n_{in} - n_{out}}$. To have an effective sieve, the adversary requires to have an a-priori probability of $p < 1$. Thus, we require $n_{in} + n_{out} > m$.

[Fig. 2. Sieve in the middle. Colored trails indicate known, black trails unknown bits.]

If the sieve considers key bits, which we denote by $k_s$, the number of unknown key bits has to be taken into account as a further parameter. If one denotes by $k_{unknown}$ the number of unknown key bits in a sieve, one obtains $2^{n_{in} + n_{out} - m - k_{unknown}}$ bits for sieving.

3 Brief Description Of PRESENT

3.1 Round Transformation

PRESENT is a 64-bit lightweight cipher which transforms the state in 31 rounds of a substitution-permutation network. After the final round, the state is XORed with a post-whitening round key to generate the ciphertext. Every round consists of three operations: a key addition with a round key (AK), a non-linear substitution layer (SL) and a permutation layer (PL), as shown in Figure 3 (cf. [5]).

[Fig. 3. Round structure in PRESENT. Each trail represents a bit.]

3.2 Key Schedule

The key schedule of PRESENT expands the secret key to 32 round keys. At the beginning, the secret key is stored in a register. After extracting the most-significant 64 bits as the initial round key $RK_1$, the register is updated with a rotation by 61 positions to the left, an S-box call, and an XOR operation with a round counter $r$. This procedure is repeated 31 times until all round keys are generated. For the 80-bit version, we denote the state of the register by $(k_{79}, k_{78}, \ldots, k_1, k_0)$, where $k_i$ represents the i-th, and $k_{79}$ the most-significant bit of the key. A formal description of the update function for the key register, which creates the round key $RK_{r+1}$, can be written as follows:

$(k_{79}, k_{78}, \ldots, k_1, k_0) = (k_{18}, k_{17}, \ldots, k_1, k_0, k_{79}, k_{78}, \ldots, k_{20}, k_{19})$
$(k_{79}, k_{78}, k_{77}, k_{76}) = \mathrm{Sbox}(k_{79}, k_{78}, k_{77}, k_{76})$
$(k_{19}, k_{18}, k_{17}, k_{16}, k_{15}) = (k_{19}, k_{18}, k_{17}, k_{16}, k_{15}) \oplus r.$

Similarly, the key schedule for the 128-bit version can be described by:

$(k_{127}, k_{126}, \ldots, k_1, k_0) = (k_{66}, k_{65}, \ldots, k_1, k_0, k_{127}, k_{126}, \ldots, k_{68}, k_{67})$
$(k_{127}, k_{126}, k_{125}, k_{124}) = \mathrm{Sbox}(k_{127}, k_{126}, k_{125}, k_{124})$
$(k_{123}, k_{122}, k_{121}, k_{120}) = \mathrm{Sbox}(k_{123}, k_{122}, k_{121}, k_{120})$
$(k_{66}, k_{65}, k_{64}, k_{63}, k_{62}) = (k_{66}, k_{65}, k_{64}, k_{63}, k_{62}) \oplus r.$

Table 2 in Appendix A summarizes the secret-key bits on which the round keys RK depend.

3.3 Sieve-in-the-Middle

We can apply the sieve-in-the-middle approach to reduce the recomputational effort in our attacks. Hereby, we can exploit the limited single-round diffusion of PRESENT.
More precisely, over the operation sequence $E_s$ = SL PL AK SL, we can identify four distinct groups of 16 bits of the output, which depend on only 16 bits of the input, and only 16 bits of the key. Thus, we can precompute a table $T_{v_{i,j}, v_{i,j}}$ which stores the transitions $v_{i,j}$ $v_{i,j}$ for $2^{16}$ possible inputs $v_{i,j}$ and $2^{16}$ possible key bits in RK over $E_s$ with practical effort.
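The key schedule of Section 3.2 and the 16-bit locality used by the sieve can be checked mechanically. The Python below is an added example, not code from the paper: the S-box table and the bit permutation (bit i moves to 16·i mod 63) are taken from the PRESENT specification rather than from this page, the function names are illustrative, and the sieve steps are assumed to be applied in the order SL, PL, AK, SL.

```python
import random

# PRESENT 4-bit S-box, from the cipher specification (not listed on this page).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
FULL64 = (1 << 64) - 1


def s_layer(x):
    """SL: apply the S-box to each of the 16 nibbles of the state."""
    return sum(SBOX[(x >> (4 * n)) & 0xF] << (4 * n) for n in range(16))


def p_pos(i):
    """PL: bit i moves to position 16*i mod 63; bit 63 stays in place."""
    return 63 if i == 63 else (16 * i) % 63


def p_layer(x):
    return sum(((x >> i) & 1) << p_pos(i) for i in range(64))


def round_keys_80(key):
    """RK_1..RK_32 of PRESENT-80, following the register update of Section 3.2."""
    reg, rks = key & ((1 << 80) - 1), []
    for r in range(1, 33):
        rks.append(reg >> 16)                                  # most-significant 64 bits
        reg = ((reg << 61) | (reg >> 19)) & ((1 << 80) - 1)    # rotate left by 61
        reg = (SBOX[reg >> 76] << 76) | (reg & ((1 << 76) - 1))  # S-box on k79..k76
        reg ^= r << 15                                         # counter r into k19..k15
    return rks


def encrypt_80(pt, key):
    """31 rounds of AK, SL, PL, then the post-whitening key RK_32."""
    rks, state = round_keys_80(key), pt
    for rk in rks[:31]:
        state = p_layer(s_layer(state ^ rk))
    return state ^ rks[31]


def e_s(state, rk):
    """Sieve steps, applied in the assumed order SL, PL, AK, SL."""
    return s_layer(p_layer(s_layer(state)) ^ rk)


def group_masks(g):
    """Input mask (four adjacent nibbles) and key/output mask of sieve group g."""
    in_bits = range(16 * g, 16 * g + 16)
    in_mask = sum(1 << i for i in in_bits)
    out_mask = sum(1 << p_pos(i) for i in in_bits)
    return in_mask, out_mask


def group_is_local(g, trials=200, seed=1):
    """True if the 16 output bits of group g ignore all bits outside the group."""
    rng = random.Random(seed)
    in_mask, out_mask = group_masks(g)
    for _ in range(trials):
        x, k = rng.getrandbits(64), rng.getrandbits(64)
        # Keep the group's 16 input and 16 key bits, re-randomise the other 48 each.
        x2 = (x & in_mask) | (rng.getrandbits(64) & ~in_mask & FULL64)
        k2 = (k & out_mask) | (rng.getrandbits(64) & ~out_mask & FULL64)
        if (e_s(x, k) ^ e_s(x2, k2)) & out_mask:
            return False
    return True


if __name__ == "__main__":
    for g in range(4):
        in_mask, out_mask = group_masks(g)
        print(g, f"{in_mask:016x}", f"{out_mask:016x}", group_is_local(g))
```

Group 3 is the one with the most-significant 16 input bits; its key/output mask covers exactly the bit indices 63..60, 47..44, 31..28 and 15..12.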

[Fig. 4. Sieve over the steps SL PL AK SL for PRESENT.]

In our attacks, we consider one of the four groups, which contains the most-significant 16 bits for the inputs, and the bits at the indices (63, ..., 60, 47, ..., 44, 31, ..., 28, 15, ..., 12) for the key and outputs. The trails of these bits through $E_s$ are shown in Figure 4. Our resulting table stores $2^{32}$ entries under the indices ($v_{i,j}$, $v_{i,j}$ $k_s$), i.e., we require = bytes. Note that the effort for constructing the table is a negligible summand in our attacks on PRESENT.

4 Independent-Biclique Attack On Full PRESENT-80

In this section, we describe an independent-biclique attack on PRESENT-80. The attack consists of three steps: partitioning the key space, constructing a biclique, and performing a matching over the remaining rounds. At the end of this section, we explain the resulting complexities of the attack in detail.

4.1 Key Space Partitioning

We divide the 80-bit key space into $2^{66}$ sets of $2^{14}$ keys each with respect to the key register state after extraction of the round key $RK_{30}$. Since the key schedule of PRESENT is a bijective mapping of every register state to a unique value of the secret key, this partitioning covers the full secret-key space. The base keys $K[0, 0]$ of our sets are all 80-bit secret keys with 14 bits fixed to zero, whereas the remaining 66 bits iterate over all possible values. The keys in a set $\{K[i, j]\}$ are defined relative to the base key $K[0, 0]$ and two differences $K_i$ and $K_j$, where $i, j \in \{0, \ldots, 2^7 - 1\}$. Hereby, we chose the key differences $K_i$ to iterate over all values of the bits $(k_{61}, k_{60}, k_{59}, k_{58}, k_{57}, k_{56}, k_{55})$ in the forward trails, and the differences $K_j$ over all values for the bits $(k_{36}, k_{35}, k_{34}, k_{33}, k_{32}, k_{31}, k_{30})$ in the backward trails.

Round Biclique Of Dimension 7

We limited our bicliques to cover only three rounds, and we chose the key differences $K_i$ so that we do not have active bits in $RK_{29}$. Therefore, we could obtain a relatively low data complexity for this attack.
As a result, we construct bicliques of dimension seven over the rounds Figure 5 visualizes the i- and j-trails with red and blue lines, respectively. As one can see, the trails do not share active non-linear components (here, S-boxes), and are therefore independent. Additionally, we stress that the red trails affect only 25 bits of the ciphertexts $C_i$. Hence, an adversary who fixes the ciphertexts $C_0$ over all bicliques will have to collect at most $2^{25}$ chosen ciphertexts to mount this attack.

4.3 Matching Over 28 Rounds

In the following, we apply a matching-with-precomputations procedure over the rounds Hereby, we locate the states $v_{i,j}$ after Round 14 and the states $v_{i,j}$ before the S-box layer of Round 16. At each of these states, we want to reconstruct 12 out of 16 bits which serve as input to our sieve $E_s$. Considering the complexity of the attack, we are mostly interested in the number of operations which have to be recomputed. In order to have a single number which refers best to the total effort, we interpret PRESENT as a nibble-wise

operating cipher and approximate the recomputation costs in the matching part by counting the number of required S-box operations in the round transformation and the key schedule. These operations are visualized by the blue trails in forward direction in Figure 6. All non-highlighted parts of the states and round keys can be used from the precomputed values. As one can see, there are four active S-boxes in the first round, eight in the second round, in the rounds 3-12, 12 S-boxes in Round 13, 12 S-boxes in Round 14, and four in Round 15. In every forward computation, this sums up to 196 active S-boxes. The operations which have to be recomputed in backward direction are shown by the red trails in Figure 6. Again, all non-highlighted trails in the round transformation can be used from the precomputed values. This time, there are seven active S-boxes in Round 27, $8 \cdot 16$ in the rounds 19-26, 12 in Round 18, 12 in Round 17, and four in Round 16, which yields 159 S-boxes for this part. In addition, we have to consider the S-box operations which have to be recomputed in the key schedule. Concerning the $K_i$-differences, we have to invoke the S-box to compute the round keys $RK_{25}$, $RK_{21}$, and $RK_{17}$. For the $K_j$-differences, we have to recompute five S-boxes, namely to obtain the updated values of the $RK_3$, $RK_3$, $RK_7$, $RK_{11}$, $RK_{24}$, and $RK_{28}$. In total, the recomputations sum up to 363 S-boxes.

[Fig. 5. The biclique over the rounds in our attack on full PRESENT-80. The red colored trails indicate bits affected by the differences $K_i$, the blue trails bits affected by the differences $K_j$.]

[Fig. 6. Matching for the attack on full PRESENT-80 in forward direction from the plaintexts $P$ to $v_{i,j}$ (left), and in backward direction from the states $S_j$ to $v_{i,j}$ (right).]

4.4 Complexity

The computational complexity of the attack is given by our equation

$C_{full} = 2^{k-2d} \left( C_{biclique} + C_{precomp} + C_{recomp} + C_{falsepos} \right).$

The full cipher consists of 31 rounds, where every round has 16 S-box operations in the input transformation and one in the key schedule. Hence, the recomputation costs can be approximated by $C_{recomp}$ (16+1) full encryptions. The effort for constructing a biclique requires the computation of $2^{8}$ times three out of 31 rounds, or approximately $C_{biclique}$ full encryptions. The precomputational costs are given by computing $2^{7}$ times 28 out of 31 rounds, which is equivalent to $C_{precomp}$ encryptions. Note that we can ask for the decryption of our $2^{25}$ chosen ciphertexts before the attack, so we have to consider the effort for $C_{decrypt}$ only once. It remains to clarify the complexity to eliminate false positives. As mentioned above, we reconstruct 12 bits of $v_{i,j}$ and 12 bits of $v_{i,j}$. Since four input bits (from $v_{i,j}$) to the sieve are unknown, there are at most = $2^{4}$ possible output values for $v_{i,j}$. The chance that a false positive key $K[i, j]$ matches in all 12 known bits of $v_{i,j}$ is therefore = $2^{-8}$. For a set of $2^{14}$ keys, we can expect to obtain $C_{falsepos}$ = = $2^{6}$ false positives on average, which have to be tested with a full encryption operation each. In total, the time complexity of the attack is given by $C_{full} = 2^{66}$ ( ) encryptions. Concerning the memory complexity, we have to store $2^{25}$ states, or $2^{28}$ bytes for the attack, and bytes for the sieve, which sums up to approximately bytes.

4.5 Independent-Biclique Attack On 17 Rounds Of PRESENT-80

In general, it is desirable to have an advantage of at least one power of two compared to exhaustive search for the computational complexity. Therefore, we can mount an attack on a reduced version of PRESENT-80, consisting of the rounds 15-31, by using the same biclique structure and matching procedure as above.
This time, we locate the matching states $v_{i,j}$, i.e., the inputs to the sieve-in-the-middle, at the states after Round 19, and the states $v_{i,j}$, i.e., the outputs of the sieve, at the states before the S-box layer of Round 21. Note that we use the same input and output bits as in the attack above for matching. As highlighted by the blue trails in Figure 7, in the forward part, we now have to recompute two S-boxes in Round 16, ten in Round 17, 12 in Round 18, and 12 in Round 19. Hence, the forward recomputation requires 36 S-box operations. Considering the recomputations in the backward part, one can see in the red trails in Figure 7 that there are still seven active S-boxes in Round 27, S-boxes in the rounds 24-26, 12 in Round 23, and 12 in Round 22, which sums up to 79 S-box operations for this part. Concerning the key schedule, we have to recompute only three S-boxes; for the differences $K_i$ one for the key $RK_{25}$, and two for the differences $K_j$, namely to obtain the round keys $RK_{24}$ and $RK_{28}$. Thus, we have to recompute 118 S-box operations in total. Hence, $C_{recomp}$ is equal to (16+1) encryptions. The construction of the biclique requires to compute $2^{8}$ times three out of 17 rounds or encryptions, $C_{precomp}$ is given by $2^{7}$ computations of 14 out of 17 or encryptions, and $C_{falsepos}$ can be expected to be $2^{6}$ on average. The total time complexity then results from $C_{full} = 2^{66}$ ( ) encryptions. The data and memory complexities remain the same as in the attack on full PRESENT

Independent-Biclique Attack On Full PRESENT-128

This section describes our attack on the full version of PRESENT

[Fig. 7. Matching for the attack on 17-round PRESENT-80 in forward direction from the plaintexts $P$ to $v_{i,j}$ (left), and in backward direction from the states $S_j$ to $v_{i,j}$ (right). The colored trails indicate the parts of the state that have to be recomputed.]

5.1 Key Space Partitioning

This time, we divide the key space into sets of $2^{11}$ keys each, again with respect to the key register state after extraction of the round key $RK_{30}$. The base keys $K[0, 0]$ of our sets are all 128-bit keys with 11 bits fixed to zero, whereas the remaining 117 bits iterate over all possible values. The keys in a set $\{K[i, j]\}$ are defined relative to the base key $K[0, 0]$ and two differences $K_i$ and $K_j$, where $i \in \{0, \ldots, 2^3 - 1\}$ and j {2 7 1}. We adapted from [15] the choice of the key differences $K_i$ to iterate over all values of the bits $(k_{19}, k_{18}, k_{17})$. In addition, for the key differences $K_j$, we iterate over the bits $(k_{55}, k_{54}, \ldots, k_{48})$.

Round Biclique Of Dimension (3, 8)

Here, we construct bicliques of dimension (3, 8) over the final four rounds. By this choice, we profit from the low number of active bits in the differences $K_i$, which allows us to have a low data complexity in the attack. At the same time, the higher number of active bits in the differences $K_j$ allows us to test more keys for one biclique than with a 3-dimensional biclique. Therefore, the efforts for precomputations and decryptions have a lower influence on the total time complexity of the attack. Figure 8 shows the independent i- and j-differentials as red and blue trails. As one can see from the figure, the red trails affect only 23 bits of the ciphertexts. Hence, an adversary who fixes the ciphertexts $C_0$ over all bicliques will have to collect at most $2^{23}$ chosen ciphertexts to mount this attack.

5.3 Matching Over 27 Rounds

We apply a matching-with-precomputations procedure over the rounds 1-27, where the states $v_{i,j}$ are placed after Round 19 and the states $v_{i,j}$ before the S-box layer of Round 21.
Again, we want to reconstruct 12 out of 16 bits of each state $v_{i,j}$ and $v_{i,j}$ which serve as input to our sieve $E_s$. The operations which have to be recomputed in forward and backward direction are highlighted in Figure 9 by the blue and red trails, respectively. From the figure, we can see that there are four active S-boxes in the second round, eight in the third round, in the rounds 4-17, 12 in Round 18, and 12 in Round 19, which yields 260 active S-boxes in forward direction. In the backward computations, we have to take into account three active S-boxes in Round 26, 12 in Round 25, 16 in Round 24, 12 in Round 23, and 12 in Round 22, summing up to 55 S-boxes for this part. In addition, we have to consider five S-boxes in the key schedule:

one S-box to recompute the round key $RK_{28}$ in the differences $K_i$. In addition, there are four S-boxes to recompute the round keys for the differences $K_j$; one S-box to recompute $RK_{21}$, two S-boxes to recompute $RK_{19}$, and one to recompute $RK_{17}$. Hence, this sums up to = 320 S-box operations.

[Fig. 8. The biclique over the rounds in our attack on full PRESENT-128. The red colored trails indicate bits affected by the differences $K_i$, the blue trails bits affected by the differences $K_j$.]

[Fig. 9. Matching for the attack on full PRESENT-80 in forward direction from the plaintexts $P$ to $v_{i,j}$ (top), and in backward direction from the states $S_j$ to $v_{i,j}$ (bottom). The colored trails indicate the parts of the state that have to be recomputed.]

5.4 Complexity

PRESENT-128 invokes the S-box 16 times in each of its 31 rounds, and two times in every iteration of the key schedule. Hence, we can approximate the recomputation costs $C_{recomp}$ by (16+2) full encryptions. The effort for constructing a biclique, $C_{biclique}$, concerns the computation of ( ) = 263 times four out of 31 rounds, or approximately full encryptions. Furthermore, $C_{precomp}$ is given by computing $2^{3}$ times 20 out of 31 rounds, and $2^{8}$ times seven out of 31 rounds, which is equivalent to encryptions. As in our attack on PRESENT-80, the probability for a false positive is $2^{-8}$ for each key. Therefore, we can expect to obtain $C_{falsepos} = 2^{3}$ false positives on average. All together, the time complexity of this attack is given by $C_{full}$ = ( ) encryptions. We ask a decryption oracle only once for the decryptions of all occurring ciphertexts $C_i$ in the attack, and store them. Concerning the memory complexity, we have to store $2^{23}$ plaintexts or $2^{26}$ bytes for the attack, and bytes for the sieve, which sums up to bytes.

5.5 Independent-Biclique Attack On 19 Rounds Of PRESENT-128

To obtain an advantage of at least one half of the total effort, we mount an attack on a version of PRESENT-128 reduced to the rounds with the same biclique and matching procedure as in the attack on full PRESENT-128.

[Fig. 10. Forward part of the matching for the attack on 19-round PRESENT-128 from the plaintexts $P$ to $v_{i,j}$. The colored trails indicate the parts of the state that have to be recomputed.]

As highlighted by the blue trails in Figure 10, in the forward part, we now have to recompute four S-boxes in Round 14, eight in Round 15, $2 \cdot 16$ in the rounds 16-17, plus 12 in Round 18 and 13 in Round

19, which sums up to 68 S-box operations. Considering the backward part, there are still 55 active S-boxes in the rounds 22-27, and still five S-boxes in the key schedule, which sums up to 128 S-boxes in total. The construction of the biclique requires to compute 263 times four out of 19 rounds or encryptions, and we have to compute $2^{3}$ times seven out of 19 rounds, and $2^{8}$ times seven out of 19 rounds, which is equivalent to encryptions. The recomputation costs can be approximated by (16+2) full encryptions. And we can expect, again, $2^{3}$ false positives on average. Therefore, the full computational effort of the attack can be approximated by $C_{full}$ = ( ) encryptions. The data and memory complexities remain the same as in the attack on full PRESENT

Brief Description Of LED

LED is an AES-like substitution-permutation network, which transforms a 64-bit text input in 32 rounds for LED-64, and in 48 rounds for LED-128. The internal state of the cipher is represented by a $4 \times 4$ matrix where every cell in the matrix represents a nibble. The secret key is filled into one $4 \times 4$ word $K$ or two words $K_1$ and $K_2$, depending on the key length. For the key lengths from 65 to 128 bits, the first 64 bits of the given key are used for $K_1$ and the remaining key is padded with zeroes to fill up K

Round Transformation

The encryption process of LED consists of two operations, AddRoundKey (AK[K]) and step, as shown in Figure 12. The step operation itself contains four AES-like rounds, where each round includes the operations AddConstants (), SubCells (SC), ShiftRows (SR), and MixColumnsSerial (MC) (see Figure 11):

round = MC SR SC
step = round round round round
LED = AK[$K_1$] step AK[$K_2$] step ... step AK[$K_1$].

[Fig. 11. One round in LED: AddConstants, SubCells, ShiftRows, MixColumnsSerial.]

6.2 Key Schedule

LED omits a key schedule. In the 64-bit version, the secret key is simply used in every AddRoundKey operation, while in all larger versions, the key words $K_1$ and $K_2$ are used alternatingly. For more details on the individual operations, we would like to refer the interested reader to the original proposal of LED [12].
7 Independent-Biclique Attack On Full LED-64

This part includes the description of an attack on full LED

Fig. 12. Round structure of LED with 64-bit key (top) and 128-bit key (bottom).

7.1 Key Space Partitioning

We divide the 64-bit key space into sets of $2^{16}$ keys with respect to the secret key. The base keys K[0, 0] are all 64-bit secret keys with 16 bits fixed to zero, whereas the remaining 48 bits iterate over all possible values. The $2^{16}$ keys in a set {K[i, j]} are defined relative to the base key K[0, 0] and two differences $K_i$ and $K_j$, where $i, j \in \{0, \ldots, 255\}$ and $i = (i_1\, i_2)$ and $j = (j_1\, j_2)$.

K[0, 0] = K (K 1) = K j (K 1) =

Round Biclique Of Dimension 8

Our biclique covers the rounds 29-32, including the final key addition, as shown in Figure 13. Obviously, the i- and j-trails are independent, since the key addition is located at the end of the differential trails. One can see that only two nibbles are active in the ciphertexts of the i-differentials. Thus, by fixing the ciphertext $C_0$ over all bicliques, we need at most $2^{8}$ chosen ciphertexts for the attack.

7.3 Matching Over 28 Rounds

We locate the matching state after Round 3 and match in two nibbles, as shown in Figure 14. The round transformation of LED employs constant additions, key additions, S-boxes, row shifts and column-wise multiplications. Following the argumentation from Bogdanov et al. [4], the bottleneck of AES-like cipher implementations is given by the number of S-box calls. We have a negligible number of key and constant additions, compared to the number of S-box calls. So, we can neglect the XOR and shift operations and consider the number of MixColumnsSerial and SubCells operations. Since the number of S-box calls is the larger summand compared to the number of mixing operations, we consider only the number of S-boxes. In the first three rounds, we have to recompute 10 S-boxes in forward direction. In addition, there are 366 S-boxes which have to be recomputed in backward direction, which sum up to 376 S-boxes in the full matching phase.

7.4 Complexity

There are 512 S-boxes in the 32 rounds of the full cipher. Hence, $C_{recomp}$ is equivalent to encryptions.
The precomputation effort $C_{precomp}$ is given by $2^{8}$ computations of 28 out of 32 rounds, or full encryptions, and $C_{biclique}$ represents the costs for computing $2^{9}$ times four out of 32 rounds, or encryptions. Thus, the total computational complexity of this attack results from $C_{full} = 2^{48}$ ( ) encryptions. The attack requires memory to store $2^{8}$ states, or $2^{11}$ bytes.

Fig. 13. The biclique on LED-64 over the rounds with i- and j-differentials (panels: base computation, forward differential, backward differential; rounds 29 to 32).

Fig. 14. Recomputations for LED-64 in forward and backward direction.

7.5 Independent-Biclique Attack On 16-Round LED-64

We can mount an attack on a reduced version of the first 16 rounds of LED-64 by using the same key space partitioning, biclique, and partial matching procedure as before. This time we locate the biclique to cover the rounds. Then, we require to recompute 16 full rounds less. We still have to recompute 10 S-boxes in forward direction; though, the recomputation effort in the backward direction reduces to 110 S-boxes, which gives a total number of 120 S-boxes to recompute.

Since there are 256 S-boxes in the 16 rounds of the cipher, $C_{recomp}$ is equivalent to encryptions. The effort for constructing one biclique can be approximated by computing $2^{9}$ times four out of 16 rounds or full encryptions. $C_{precomp}$ is given by $2^{8}$ computations of 12 out of 16 rounds or encryptions. The full computational complexity therefore sums up to $C_{full} = 2^{48}$ ( ) encryptions. As before, this attack requires the adversary to collect $2^{8}$ chosen plaintexts, and memory to store $2^{11}$ bytes.

8 Independent-Biclique Attack On Full LED-128

In this part, we describe an independent-biclique attack on full LED

Key Space Partitioning

This time, we divide the key space into sets of $2^{16}$ keys. The base keys K[0, 0] are all 128-bit secret keys with 16 bits fixed to zero, whereas the remaining 112 bits iterate over all possible values. The $2^{16}$ keys in a set {K[i, j]} are defined relative to the base key K[0, 0] and two differences $K_i$ and $K_j$, where $i, j \in \{0, \ldots, 255\}$ and $i = (i_1\, i_2)$ and $j = (j_1\, j_2)$.

0 0 K[0, 0] = 0 0 K (K 1 K 2) = K j (K 1 K 2) =

Round-Biclique Of Dimension 8

At most, for LED-128, one could construct bicliques over up to 4 steps, without the wrapping key additions. Since, first, we count only full steps, and second, we aim at obtaining a low data complexity, we decided to limit the biclique to two steps, covering the rounds. Figure 15 illustrates the i- and j-differentials. Since, like in the attack on LED-64, the differences $K_i$ affect the state only in the very last operation, both trails are independent from each other.

8.3 Matching Over 32 Rounds

The matching then covers the rounds. We locate in the state after Round 7 and match in two nibbles, as shown in Figure 16. One can see from there that the rounds 1 through 4 are not affected by active bits from the $K_j$-differences. Thus, regarding the recomputations in the forward part of the matching, we have to consider only 10 S-boxes in the rounds 5, 6, and 7.
In backward direction, there are 494 S-boxes which have to be recomputed in the rounds 8-40, which sums up to 504 S-boxes in total.

8.4 Complexity

There are 768 S-boxes in the 48 rounds of the cipher. Thus, for $2^{16}$ keys in one set, $C_{recomp}$ is equal to full encryptions. In the precomputations step, we require to compute $2^{8}$ times 40 out of 48 rounds, which is equivalent to round encryptions. The costs to create one biclique are given by $2^{9}$ computations of eight out of 48 rounds, or encryptions. The full computational complexity can be approximated by $C_{full}$ = ( ) encryptions. The attack requires the adversary to store $2^{11}$ bytes, and, when fixing $C_0$ over all key sets, to collect $2^{8}$ chosen plaintexts.

Fig. 15. The biclique on full LED-128 over the rounds with i- and j-differentials (panels: base computation, forward differential, backward differential; rounds 41 to 48).

Fig. 16. Recomputations for LED-128 in forward and backward direction.

8.5 Independent-Biclique Attack On 32-Round LED-128

We can mount an attack on a reduced version of LED-128, which covers the first 32 rounds, with the same key space partitioning, biclique, and partial matching procedure as before (see Section 8). In contrast to the previous attack, the matching phase requires to recompute 16 full rounds less, and the biclique covers the rounds. This time, we have to recompute 10 S-boxes in forward direction; the effort in backward direction becomes 238 S-boxes, which sums up to 248 S-boxes in total. There are 512 S-boxes in the 32 rounds of the reduced cipher. Hence, $C_{recomp}$ is given by encryptions. $C_{precomp}$ represents the effort of computing $2^{8}$ times 24 out of 32 rounds, or round encryptions. The costs for constructing a biclique, $C_{biclique}$, are given by $2^{9}$ computations of eight out of 32 rounds, or encryptions. Thus, the total computational complexity of this attack is given by $C_{full}$ = ( ) 32-round encryptions. Again, the attack requires $2^{8}$ chosen plaintexts and memory to store $2^{11}$ bytes.

9 KLEIN

9.1 Round Transformation

The structure of KLEIN is a typical substitution-permutation network which combines ideas from the round transformation of the AES with the small $4 \times 4$ S-box from PRESENT to have a small implementation footprint. KLEIN has a fixed block length of 64 bits and supports key lengths of 64, 80 and 96 bits. Depending on the key length, KLEIN processes the plaintext in $N_R$ = 12/16/20 rounds, where each round consists of four operations.

AddRoundKey (AK($sk^i$)): A 64-bit round key $sk^i$ is XORed with the state.
SubNibbles (SN): The nibbles in the state are replaced using a $4 \times 4$ S-box.
RotateNibbles (RN): The state is rotated by two nibbles to the left.
MixNibbles (MN): The state is split into two 32-bit halves, and each half is multiplied with the MDS matrix of the AES in GF($2^4$).

After the final round, a final round key $sk^{N_R+1}$ is XORed with the state to generate the ciphertext.

9.2 Key Schedule

The key schedule of KLEIN expands the secret key to $N_R + 1$ round keys of 64 bits.
The first round key $sk^1$ is initialized with the secret key. A round key $sk^{i+1}$ is then derived from its previous round key $sk^i$ as follows:

1. Divide the subkey $sk^i$ into two halves, named a and b. For KLEIN-64, one obtains a = $sk_0, sk_1, sk_2, sk_3$ and b = $sk_4, sk_5, sk_6, sk_7$, where $sk_j$ denotes the j-th byte.
2. Rotate a and b by one byte to the left to obtain a', b': a' = $sk_1, sk_2, sk_3, sk_0$ and b' = $sk_5, sk_6, sk_7, sk_4$.
3. XOR b' to a' and swap both halves to obtain a'', b'': a'' = b' and b'' = a' $\oplus$ b'.
4. XOR the round counter with the third byte of a'', and substitute the second and third byte of b'' using the KLEIN S-box.
5. Output the 64 leftmost bits of sk as $sk^{i+1}$.

Figure 17 illustrates the key schedule of KLEIN-64. For further details on the specification of KLEIN, we refer to the original proposal [11].
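The five key-schedule steps above, written out as an added Python example (not code from the paper or from the KLEIN designers). The S-box table is taken from the KLEIN proposal [11] rather than from this page, the function names are hypothetical, and the handling of 80- and 96-bit keys assumes the same steps applied to 5- and 6-byte halves.

```python
"""KLEIN key schedule following steps 1-5 of Section 9.2 (added example)."""

# KLEIN 4-bit S-box (an involution). Not printed on this page; taken from
# the KLEIN proposal cited as [11].
SBOX = (0x7, 0x4, 0xA, 0x9, 0x1, 0xF, 0xB, 0x0,
        0xC, 0x3, 0x2, 0x6, 0x8, 0xE, 0xD, 0x5)

# Key length in bits -> number of rounds N_R (12/16/20, Section 9.1).
ROUNDS = {64: 12, 80: 16, 96: 20}


def sub_byte(x: int) -> int:
    """Apply the 4-bit S-box to both nibbles of one byte."""
    return (SBOX[x >> 4] << 4) | SBOX[x & 0xF]


def next_register(reg: bytes, i: int) -> bytes:
    """One key-schedule update with round counter i (steps 1-4)."""
    half = len(reg) // 2
    a, b = reg[:half], reg[half:]                    # step 1: split into halves
    a1, b1 = a[1:] + a[:1], b[1:] + b[:1]            # step 2: rotate left by one byte
    a2 = bytearray(b1)                               # step 3: a'' = b'
    b2 = bytearray(x ^ y for x, y in zip(a1, b1))    #         b'' = a' XOR b'
    a2[2] ^= i                                       # step 4: counter into 3rd byte of a''
    b2[1], b2[2] = sub_byte(b2[1]), sub_byte(b2[2])  #         S-box on 2nd, 3rd byte of b''
    return bytes(a2 + b2)


def round_keys(key: bytes) -> list:
    """Return the N_R + 1 round keys (8 bytes each) for a 64/80/96-bit key."""
    bits = len(key) * 8
    if bits not in ROUNDS:
        raise ValueError("KLEIN supports 64-, 80- and 96-bit keys")
    reg = key
    keys = [reg[:8]]                     # sk^1 is the leftmost 64 bits of the key
    for i in range(1, ROUNDS[bits] + 1):
        reg = next_register(reg, i)
        keys.append(reg[:8])             # step 5: leftmost 64 bits become sk^(i+1)
    return keys


def active_round_key_bytes(key: bytes, delta: bytes) -> list:
    """For every round key, list the byte positions where the schedules of
    `key` and `key XOR delta` differ. This is the bookkeeping behind counting
    which key-schedule bytes must be recomputed for a key difference; the
    result is computed for one concrete base key, not as a truncated trail."""
    if len(delta) != len(key):
        raise ValueError("delta must have the same length as the key")
    other = bytes(k ^ d for k, d in zip(key, delta))
    return [[p for p in range(8) if x[p] != y[p]]
            for x, y in zip(round_keys(key), round_keys(other))]


def schedule_sbox_calls(key_bits: int) -> int:
    """4-bit S-box calls in the whole key schedule: each update substitutes
    two bytes, i.e. four nibbles."""
    return ROUNDS[key_bits] * 4


if __name__ == "__main__":
    # Constructed sample input: all-zero 64-bit key, difference in byte 0.
    zero = bytes(8)
    for n, sk in enumerate(round_keys(zero)[:3], start=1):
        print(f"sk^{n} = {sk.hex()}")
    print(active_round_key_bytes(zero, bytes([1, 0, 0, 0, 0, 0, 0, 0]))[:3])
    print("S-box calls, KLEIN-80 key schedule:", schedule_sbox_calls(80))
```

For KLEIN-80, `schedule_sbox_calls(80)` gives the 64 key-schedule S-boxes that the complexity estimate for the KLEIN-80 attack counts.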

Fig. 17. The key schedule of KLEIN-64.

9.3 Sieve-in-the-Middle

For KLEIN, we can construct a table T,j,,j which stores the transitions ,j ,j over the operation sequence $E_s = SN \circ AK(sk) \circ MN \circ RN \circ SN$. Note that over this sequence, we can separate the state of KLEIN into two distinct halves of 32 bit, where each half depends only on 32 bit of the state and 32 bits of the round key sk. The halves are illustrated by the white and darkened cells in Figure 18. In our concrete attacks on KLEIN, we construct a table for that half that is visualized by the darkened cells. However, to lower the memory complexity, we only consider 24 bits of the key sk, i.e., those nibbles in the figure which are not struck through. The effort for constructing the table T,j,,j is therefore given by $2^{32}$ computations of the sequence $MN \circ RN \circ SN$, and $2^{56}$ computations of $SN \circ AK(sk)$, both of which are negligible in the total effort. We require to store $2^{56}$ entries under the index (,j,j k s ), which means that we require < $2^{60}$ bytes.

Fig. 18. Sieve over the steps $SN \circ AK(sk) \circ MN \circ RN \circ SN$ for KLEIN.

10 Independent-Biclique Attack on Full KLEIN

Key Space Partitioning

The partitioning procedure is very similar to that for KLEIN-80. First, we divide the key space into $2^{64}$ groups of $2^{16}$ keys each with respect to the 80-bit key register before the extraction of the second round key $sk^2$. The base keys K[0, 0] are all 20-nibble values with four nibbles fixed to zero, whereas the remaining nibbles run over all other possible values.

0 0 K[0, 0](sk 2 ) = 0 0 K (sk 2 ) = K j (sk 2 ) =

Round Biclique Of Dimension 8

Since four-round bicliques lead to fully active states at both ends of the differentials, we construct a biclique over three rounds as depicted in Figure 19. From there, one can see that in the j-differentials, the plaintexts $P_j$ are only affected in twelve out of 16 nibbles. By fixing the plaintexts $P_0$ over all bicliques in the attack, the data complexity for the bicliques does not exceed $2^{48}$ chosen plaintexts.

Fig. 19. The biclique over the rounds 1-3 in our attack on full KLEIN-80. The light-blue colored trails indicate bits affected by the differences $K_i$, the dark-blue trails bits affected by the differences $K_j$.

Matching Over 13 Rounds

We perform a matching-with-precomputations over the rounds. We locate the states ,j after the key addition with $sk^8$, and the states ,j before the S-box layer of Round 9. We construct a sieve, as described in Section 9.3, over Round 8 and the key addition and S-box layer of Round 9. The exact matching procedure is illustrated in Figure 20; the darkened cells indicate those nibbles which have to be recomputed in the states. In forward direction, we have to recompute two S-boxes in Round 4, ten in Round 5, 16 in Round 6, and eight in Round 7, which sums up to 36 S-box operations. In backward direction, we have to recompute eight S-boxes in Round 16, and S-box operations in the rounds 10-15, which gives 104 S-boxes for the backward part. In addition, we take into account the bytes which have to be recomputed and that serve as input to the S-box during the key schedule. Concerning the differences $K_j$, we have to recompute two S-boxes in $sk^4$, and two S-boxes in $sk^5$. Concerning the differences $K_i$, we need to consider two S-boxes in $sk^8$, two in $sk^9$, two in $sk^{13}$, and another two S-boxes in $sk^{14}$. All in all, there are 152 S-boxes.

Fig. 20. Matching for the attack on full KLEIN-80 in forward direction from the states to ,j (top), and in backward direction from the ciphertexts $C_j$ to ,j (bottom).

Complexity

In KLEIN-80, there are 256 S-boxes in the round transformation and $16 \cdot 4 = 64$ S-boxes in the key schedule. $C_{recomp}$ is then equal to full encryptions. $C_{biclique}$ is equivalent to encryptions and $C_{precomp}$ includes $2^{8}$ computations of 13 out of 16 rounds, or encryptions. As one can see from Figure 20, we know four nibbles of the input to our sieve from the first row of ,j. In addition, we know the full lower half of the state ,j, i.e., all output bits of the sieve, and, given K[i, j], full $sk^9$. Given our four out of eight nibbles (16 out of 32 bits) of the input ,j, there may be $2^{16}$ possible output transitions, due to the unknown input bits. The probability that we find a valid transition ,j ,j in our precomputed table T,j,,j for a wrong key is $2^{-8}$, since it must match in the 24 bits of the lower half of ,j, which we have stored as outputs of T,j,,j (cf. Section 9.3). Hence, we can expect to have $C_{falsepos} = 2^{8}$ false positives for every biclique. The full computational complexity is then given by $C_{full} = 2^{64}$ ( ) encryptions. The memory complexity is given by storing $2^{8}$ states and the table T,j,,j or $2^{60}$ bytes.

11 Independent-Biclique Attack on Full KLEIN

Key Space Partitioning

The key-partitioning procedure is similar to that in our attack on KLEIN-80. We split the key space into $2^{80}$ sets of $2^{16}$ keys each, where the base keys K[0, 0] are all 24-nibble values with four nibbles fixed to 0 and all other nibbles running over all possible values. The keys in a group {K[i, j]} are enumerated by all possible differences $i = (i_1\, i_2)$ and $j = (j_1\, j_2)$ with respect to K[0, 0].

0 0 K[0, 0](sk 2 ) = 0 0 K (sk 2 ) = K j (sk 2 ) =


More information

Machine Learning: Algorithms and Applications

Machine Learning: Algorithms and Applications 14/05/1 Machne Learnng: Algorthms and Applcatons Florano Zn Free Unversty of Bozen-Bolzano Faculty of Computer Scence Academc Year 011-01 Lecture 10: 14 May 01 Unsupervsed Learnng cont Sldes courtesy of

More information

Course Introduction. Algorithm 8/31/2017. COSC 320 Advanced Data Structures and Algorithms. COSC 320 Advanced Data Structures and Algorithms

Course Introduction. Algorithm 8/31/2017. COSC 320 Advanced Data Structures and Algorithms. COSC 320 Advanced Data Structures and Algorithms Course Introducton Course Topcs Exams, abs, Proects A quc loo at a few algorthms 1 Advanced Data Structures and Algorthms Descrpton: We are gong to dscuss algorthm complexty analyss, algorthm desgn technques

More information

CS1100 Introduction to Programming

CS1100 Introduction to Programming Factoral (n) Recursve Program fact(n) = n*fact(n-) CS00 Introducton to Programmng Recurson and Sortng Madhu Mutyam Department of Computer Scence and Engneerng Indan Insttute of Technology Madras nt fact

More information

An Application of the Dulmage-Mendelsohn Decomposition to Sparse Null Space Bases of Full Row Rank Matrices

An Application of the Dulmage-Mendelsohn Decomposition to Sparse Null Space Bases of Full Row Rank Matrices Internatonal Mathematcal Forum, Vol 7, 2012, no 52, 2549-2554 An Applcaton of the Dulmage-Mendelsohn Decomposton to Sparse Null Space Bases of Full Row Rank Matrces Mostafa Khorramzadeh Department of Mathematcal

More information

Proper Choice of Data Used for the Estimation of Datum Transformation Parameters

Proper Choice of Data Used for the Estimation of Datum Transformation Parameters Proper Choce of Data Used for the Estmaton of Datum Transformaton Parameters Hakan S. KUTOGLU, Turkey Key words: Coordnate systems; transformaton; estmaton, relablty. SUMMARY Advances n technologes and

More information

Concurrent models of computation for embedded software

Concurrent models of computation for embedded software Concurrent models of computaton for embedded software and hardware! Researcher overvew what t looks lke semantcs what t means and how t relates desgnng an actor language actor propertes and how to represent

More information

Learning the Kernel Parameters in Kernel Minimum Distance Classifier

Learning the Kernel Parameters in Kernel Minimum Distance Classifier Learnng the Kernel Parameters n Kernel Mnmum Dstance Classfer Daoqang Zhang 1,, Songcan Chen and Zh-Hua Zhou 1* 1 Natonal Laboratory for Novel Software Technology Nanjng Unversty, Nanjng 193, Chna Department

More information

AMath 483/583 Lecture 21 May 13, Notes: Notes: Jacobi iteration. Notes: Jacobi with OpenMP coarse grain

AMath 483/583 Lecture 21 May 13, Notes: Notes: Jacobi iteration. Notes: Jacobi with OpenMP coarse grain AMath 483/583 Lecture 21 May 13, 2011 Today: OpenMP and MPI versons of Jacob teraton Gauss-Sedel and SOR teratve methods Next week: More MPI Debuggng and totalvew GPU computng Read: Class notes and references

More information

A Fast Visual Tracking Algorithm Based on Circle Pixels Matching

A Fast Visual Tracking Algorithm Based on Circle Pixels Matching A Fast Vsual Trackng Algorthm Based on Crcle Pxels Matchng Zhqang Hou hou_zhq@sohu.com Chongzhao Han czhan@mal.xjtu.edu.cn Ln Zheng Abstract: A fast vsual trackng algorthm based on crcle pxels matchng

More information

Loop Permutation. Loop Transformations for Parallelism & Locality. Legality of Loop Interchange. Loop Interchange (cont)

Loop Permutation. Loop Transformations for Parallelism & Locality. Legality of Loop Interchange. Loop Interchange (cont) Loop Transformatons for Parallelsm & Localty Prevously Data dependences and loops Loop transformatons Parallelzaton Loop nterchange Today Loop nterchange Loop transformatons and transformaton frameworks

More information

AP PHYSICS B 2008 SCORING GUIDELINES

AP PHYSICS B 2008 SCORING GUIDELINES AP PHYSICS B 2008 SCORING GUIDELINES General Notes About 2008 AP Physcs Scorng Gudelnes 1. The solutons contan the most common method of solvng the free-response questons and the allocaton of ponts for

More information

Support Vector Machines

Support Vector Machines /9/207 MIST.6060 Busness Intellgence and Data Mnng What are Support Vector Machnes? Support Vector Machnes Support Vector Machnes (SVMs) are supervsed learnng technques that analyze data and recognze patterns.

More information

CSE 326: Data Structures Quicksort Comparison Sorting Bound

CSE 326: Data Structures Quicksort Comparison Sorting Bound CSE 326: Data Structures Qucksort Comparson Sortng Bound Bran Curless Sprng 2008 Announcements (5/14/08) Homework due at begnnng of class on Frday. Secton tomorrow: Graded homeworks returned More dscusson

More information

ELEC 377 Operating Systems. Week 6 Class 3

ELEC 377 Operating Systems. Week 6 Class 3 ELEC 377 Operatng Systems Week 6 Class 3 Last Class Memory Management Memory Pagng Pagng Structure ELEC 377 Operatng Systems Today Pagng Szes Vrtual Memory Concept Demand Pagng ELEC 377 Operatng Systems

More information

Active Contours/Snakes

Active Contours/Snakes Actve Contours/Snakes Erkut Erdem Acknowledgement: The sldes are adapted from the sldes prepared by K. Grauman of Unversty of Texas at Austn Fttng: Edges vs. boundares Edges useful sgnal to ndcate occludng

More information

Giving credit where credit is due

Giving credit where credit is due CSCE 23J Computer Organzaton Cache Memores Dr. Stee Goddard goddard@cse.unl.edu Gng credt where credt s due Most of sldes for ths lecture are based on sldes created by Drs. Bryant and O Hallaron, Carnege

More information

Synthesizer 1.0. User s Guide. A Varying Coefficient Meta. nalytic Tool. Z. Krizan Employing Microsoft Excel 2007

Synthesizer 1.0. User s Guide. A Varying Coefficient Meta. nalytic Tool. Z. Krizan Employing Microsoft Excel 2007 Syntheszer 1.0 A Varyng Coeffcent Meta Meta-Analytc nalytc Tool Employng Mcrosoft Excel 007.38.17.5 User s Gude Z. Krzan 009 Table of Contents 1. Introducton and Acknowledgments 3. Operatonal Functons

More information

Hierarchical clustering for gene expression data analysis

Hierarchical clustering for gene expression data analysis Herarchcal clusterng for gene expresson data analyss Gorgo Valentn e-mal: valentn@ds.unm.t Clusterng of Mcroarray Data. Clusterng of gene expresson profles (rows) => dscovery of co-regulated and functonally

More information

CS 534: Computer Vision Model Fitting

CS 534: Computer Vision Model Fitting CS 534: Computer Vson Model Fttng Sprng 004 Ahmed Elgammal Dept of Computer Scence CS 534 Model Fttng - 1 Outlnes Model fttng s mportant Least-squares fttng Maxmum lkelhood estmaton MAP estmaton Robust

More information

Intro. Iterators. 1. Access

Intro. Iterators. 1. Access Intro Ths mornng I d lke to talk a lttle bt about s and s. We wll start out wth smlartes and dfferences, then we wll see how to draw them n envronment dagrams, and we wll fnsh wth some examples. Happy

More information

Cluster Analysis of Electrical Behavior

Cluster Analysis of Electrical Behavior Journal of Computer and Communcatons, 205, 3, 88-93 Publshed Onlne May 205 n ScRes. http://www.scrp.org/ournal/cc http://dx.do.org/0.4236/cc.205.350 Cluster Analyss of Electrcal Behavor Ln Lu Ln Lu, School

More information

LOOP ANALYSIS. The second systematic technique to determine all currents and voltages in a circuit

LOOP ANALYSIS. The second systematic technique to determine all currents and voltages in a circuit LOOP ANALYSS The second systematic technique to determine all currents and voltages in a circuit T S DUAL TO NODE ANALYSS - T FRST DETERMNES ALL CURRENTS N A CRCUT AND THEN T USES OHM S LAW TO COMPUTE

More information

Preconditioning Parallel Sparse Iterative Solvers for Circuit Simulation

Preconditioning Parallel Sparse Iterative Solvers for Circuit Simulation Precondtonng Parallel Sparse Iteratve Solvers for Crcut Smulaton A. Basermann, U. Jaekel, and K. Hachya 1 Introducton One mportant mathematcal problem n smulaton of large electrcal crcuts s the soluton

More information

Type-2 Fuzzy Non-uniform Rational B-spline Model with Type-2 Fuzzy Data

Type-2 Fuzzy Non-uniform Rational B-spline Model with Type-2 Fuzzy Data Malaysan Journal of Mathematcal Scences 11(S) Aprl : 35 46 (2017) Specal Issue: The 2nd Internatonal Conference and Workshop on Mathematcal Analyss (ICWOMA 2016) MALAYSIAN JOURNAL OF MATHEMATICAL SCIENCES

More information

PYTHON IMPLEMENTATION OF VISUAL SECRET SHARING SCHEMES

PYTHON IMPLEMENTATION OF VISUAL SECRET SHARING SCHEMES PYTHON IMPLEMENTATION OF VISUAL SECRET SHARING SCHEMES Ruxandra Olmd Faculty of Mathematcs and Computer Scence, Unversty of Bucharest Emal: ruxandra.olmd@fm.unbuc.ro Abstract Vsual secret sharng schemes

More information

12/2/2009. Announcements. Parametric / Non-parametric. Case-Based Reasoning. Nearest-Neighbor on Images. Nearest-Neighbor Classification

12/2/2009. Announcements. Parametric / Non-parametric. Case-Based Reasoning. Nearest-Neighbor on Images. Nearest-Neighbor Classification Introducton to Artfcal Intellgence V22.0472-001 Fall 2009 Lecture 24: Nearest-Neghbors & Support Vector Machnes Rob Fergus Dept of Computer Scence, Courant Insttute, NYU Sldes from Danel Yeung, John DeNero

More information

A Practical Attack on KeeLoq

A Practical Attack on KeeLoq Introducton Our Attacks Practce Conclusons A Practcal Attack on KeeLoq Sebastaan Indesteege 1 Nathan Keller 2 Orr Dunkelman 1 El Bham 3 Bart Preneel 1 1 Dept. ESAT/SCD-COSIC, K.U.Leuven, Belgum. 2 Ensten

More information

FEATURE EXTRACTION. Dr. K.Vijayarekha. Associate Dean School of Electrical and Electronics Engineering SASTRA University, Thanjavur

FEATURE EXTRACTION. Dr. K.Vijayarekha. Associate Dean School of Electrical and Electronics Engineering SASTRA University, Thanjavur FEATURE EXTRACTION Dr. K.Vjayarekha Assocate Dean School of Electrcal and Electroncs Engneerng SASTRA Unversty, Thanjavur613 41 Jont Intatve of IITs and IISc Funded by MHRD Page 1 of 8 Table of Contents

More information

REFRACTION. a. To study the refraction of light from plane surfaces. b. To determine the index of refraction for Acrylic and Water.

REFRACTION. a. To study the refraction of light from plane surfaces. b. To determine the index of refraction for Acrylic and Water. Purpose Theory REFRACTION a. To study the refracton of lght from plane surfaces. b. To determne the ndex of refracton for Acrylc and Water. When a ray of lght passes from one medum nto another one of dfferent

More information

Edge Detection in Noisy Images Using the Support Vector Machines

Edge Detection in Noisy Images Using the Support Vector Machines Edge Detecton n Nosy Images Usng the Support Vector Machnes Hlaro Gómez-Moreno, Saturnno Maldonado-Bascón, Francsco López-Ferreras Sgnal Theory and Communcatons Department. Unversty of Alcalá Crta. Madrd-Barcelona

More information

Sorting. Sorting. Why Sort? Consistent Ordering

Sorting. Sorting. Why Sort? Consistent Ordering Sortng CSE 6 Data Structures Unt 15 Readng: Sectons.1-. Bubble and Insert sort,.5 Heap sort, Secton..6 Radx sort, Secton.6 Mergesort, Secton. Qucksort, Secton.8 Lower bound Sortng Input an array A of data

More information

GSLM Operations Research II Fall 13/14

GSLM Operations Research II Fall 13/14 GSLM 58 Operatons Research II Fall /4 6. Separable Programmng Consder a general NLP mn f(x) s.t. g j (x) b j j =. m. Defnton 6.. The NLP s a separable program f ts objectve functon and all constrants are

More information

Data Representation in Digital Design, a Single Conversion Equation and a Formal Languages Approach

Data Representation in Digital Design, a Single Conversion Equation and a Formal Languages Approach Data Representaton n Dgtal Desgn, a Sngle Converson Equaton and a Formal Languages Approach Hassan Farhat Unversty of Nebraska at Omaha Abstract- In the study of data representaton n dgtal desgn and computer

More information

Subspace clustering. Clustering. Fundamental to all clustering techniques is the choice of distance measure between data points;

Subspace clustering. Clustering. Fundamental to all clustering techniques is the choice of distance measure between data points; Subspace clusterng Clusterng Fundamental to all clusterng technques s the choce of dstance measure between data ponts; D q ( ) ( ) 2 x x = x x, j k = 1 k jk Squared Eucldean dstance Assumpton: All features

More information

X- Chart Using ANOM Approach

X- Chart Using ANOM Approach ISSN 1684-8403 Journal of Statstcs Volume 17, 010, pp. 3-3 Abstract X- Chart Usng ANOM Approach Gullapall Chakravarth 1 and Chaluvad Venkateswara Rao Control lmts for ndvdual measurements (X) chart are

More information

R s s f. m y s. SPH3UW Unit 7.3 Spherical Concave Mirrors Page 1 of 12. Notes

R s s f. m y s. SPH3UW Unit 7.3 Spherical Concave Mirrors Page 1 of 12. Notes SPH3UW Unt 7.3 Sphercal Concave Mrrors Page 1 of 1 Notes Physcs Tool box Concave Mrror If the reflectng surface takes place on the nner surface of the sphercal shape so that the centre of the mrror bulges

More information

Agenda & Reading. Simple If. Decision-Making Statements. COMPSCI 280 S1C Applications Programming. Programming Fundamentals

Agenda & Reading. Simple If. Decision-Making Statements. COMPSCI 280 S1C Applications Programming. Programming Fundamentals Agenda & Readng COMPSCI 8 SC Applcatons Programmng Programmng Fundamentals Control Flow Agenda: Decsonmakng statements: Smple If, Ifelse, nested felse, Select Case s Whle, DoWhle/Untl, For, For Each, Nested

More information

Memory Modeling in ESL-RTL Equivalence Checking

Memory Modeling in ESL-RTL Equivalence Checking 11.4 Memory Modelng n ESL-RTL Equvalence Checkng Alfred Koelbl 2025 NW Cornelus Pass Rd. Hllsboro, OR 97124 koelbl@synopsys.com Jerry R. Burch 2025 NW Cornelus Pass Rd. Hllsboro, OR 97124 burch@synopsys.com

More information

CSE 326: Data Structures Quicksort Comparison Sorting Bound

CSE 326: Data Structures Quicksort Comparison Sorting Bound CSE 326: Data Structures Qucksort Comparson Sortng Bound Steve Setz Wnter 2009 Qucksort Qucksort uses a dvde and conquer strategy, but does not requre the O(N) extra space that MergeSort does. Here s the

More information

LOOP ANALYSIS. determine all currents and Voltages in IT IS DUAL TO NODE ANALYSIS - IT FIRST DETERMINES ALL CURRENTS IN A CIRCUIT

LOOP ANALYSIS. determine all currents and Voltages in IT IS DUAL TO NODE ANALYSIS - IT FIRST DETERMINES ALL CURRENTS IN A CIRCUIT LOOP ANALYSS The second systematic technique to determine all currents and oltages in a circuit T S DUAL TO NODE ANALYSS - T FRST DETERMNES ALL CURRENTS N A CRCUT AND THEN T USES OHM S LAW TO COMPUTE NECESSARY

More information

Wishing you all a Total Quality New Year!

Wishing you all a Total Quality New Year! Total Qualty Management and Sx Sgma Post Graduate Program 214-15 Sesson 4 Vnay Kumar Kalakband Assstant Professor Operatons & Systems Area 1 Wshng you all a Total Qualty New Year! Hope you acheve Sx sgma

More information

A mathematical programming approach to the analysis, design and scheduling of offshore oilfields

A mathematical programming approach to the analysis, design and scheduling of offshore oilfields 17 th European Symposum on Computer Aded Process Engneerng ESCAPE17 V. Plesu and P.S. Agach (Edtors) 2007 Elsever B.V. All rghts reserved. 1 A mathematcal programmng approach to the analyss, desgn and

More information

Range images. Range image registration. Examples of sampling patterns. Range images and range surfaces

Range images. Range image registration. Examples of sampling patterns. Range images and range surfaces Range mages For many structured lght scanners, the range data forms a hghly regular pattern known as a range mage. he samplng pattern s determned by the specfc scanner. Range mage regstraton 1 Examples

More information

A fault tree analysis strategy using binary decision diagrams

A fault tree analysis strategy using binary decision diagrams Loughborough Unversty Insttutonal Repostory A fault tree analyss strategy usng bnary decson dagrams Ths tem was submtted to Loughborough Unversty's Insttutonal Repostory by the/an author. Addtonal Informaton:

More information

Convolutional interleaver for unequal error protection of turbo codes

Convolutional interleaver for unequal error protection of turbo codes Convolutonal nterleaver for unequal error protecton of turbo codes Sna Vaf, Tadeusz Wysock, Ian Burnett Unversty of Wollongong, SW 2522, Australa E-mal:{sv39,wysock,an_burnett}@uow.edu.au Abstract: Ths

More information