An Improved Truncated Differential Cryptanalysis of Klein

Abstract KLEIN is a family of lightweight block ciphers which was proposed at RFIDSec 2011 by Gong et. al. It has three versions with 64, 80 or 96-bit key size, all with a 64-bit state size. It uses 16 identical 4-bit S-boxes combined with two AES’s MixColumn transformations for each round. This approach allows compact implementations of KLEIN in both low-end software and hardware. Such an unconventional combination attracts the attention of cryptanalysts, and several security analyses have been published. The most successful one was presented at FSE 2014 which was a truncated differential attack. They could attack up to 12, 13 and 14 rounds out of total number of 12, 16 and 20 rounds for KLEIN-64, -80 and -96, respectively. In this paper, we present improved attacks on three versions of KLEIN block cipher, which recover the full secret key with better time and data complexities for the previously analyzed number of rounds. The improvements also enable us to attack up to 14 and 15 rounds for KLEIN-80 and -96, respectively, which are the highest rounds ever analyzed. Our improvements are twofold: the first, finding two new truncated differential paths with probabilities better than that of the previous ones, and the second, a slight modification in the key recovery method which makes it faster.