Some Instant- and Practical-Time Related-Key Attacks on KTANTAN32/48/64
The hardware-attractive block cipher family KTANTAN was studied by Bogdanov and Rechberger, who identified flaws in the key schedule and gave a meet-in-the-middle attack. The authors revisit that result before investigating how to exploit the weakest key bits. They then develop several related-key attacks, e.g., one on KTANTAN32 which finds 28 key bits in time equivalent to $2^{3.0}$ calls to the full KTANTAN32 encryption. The main result is a related-key attack requiring $2^{28.44}$ time (half a minute on a current CPU) to recover the full 80-bit key. For KTANTAN48, they find three key bits in the time of one encryption, and give several other attacks, including full key recovery.