Impossible Differential Cryptanalysis of 16/18-Round Khudra

摘要

Khudra is a recently proposed lightweight block cipher specifically dedicated for Field Programmable Gate Arrays (FPGAs) implementation. It is a 4-branch type-2 generalized Feistel structure (GFS) of 18 rounds with 64-bit block size and 80-bit security margin. This paper studies the security of Khudra against impossible differential cryptanalysis. In the single-key scenario, the best impossible differential attack given by the designers works for 11 rounds with 2~(57) chosen plaintexts and 2~(61) encryptions. In this paper, by exploiting the structure of Khudra and the redundancy in its key schedule, we significantly improve previously known results. First, we propose an impossible differential attack on 14-round Khudra with 2~(54.06) chosen plaintexts, 2~(50.26) encryptions and 2~(49) memory. Then, we extend the attack by including pre-whitening keys with 2~(59.03) known plaintexts, 2~(67.06) time and 2~(59.03) memory complexities. Finally, we present an impossible differential attack against 16-round Khudra where whitening-keys are omitted. The 16-round attack requires 2~(49.58) chosen plaintexts, 2~(79.26) encryptions and 2~(64) memory. To the best of our knowledge, these attacks are the best known attacks in the single-key scenario.