Improved Linear Sieving Techniques with Applications to Step-Reduced LED-64

Abstract

AbstractIn this paper, we present advanced meet-in-the-middle (MITM) attacks against the lightweight block cipher LED-64, improving the best known attacks on several step-reduced variants of the cipher in both single-key and related-key models. In particular, we present a known-plaintext attack on 2-step LED-64 with complexity of \(2^{48}\) and a related-key attack on 3-step LED-64 with complexity of \(2^{49}\). In both cases, the previously known attacks have complexity of \(2^{60}\), i.e., only 16 times faster than exhaustive key search.While our attacks are applied to the specific scheme of LED-64, they contain several general methodological contributions: First, we present the linear key sieve technique, which allows to exploit linear dependencies between key bits to obtain filtering conditions in MITM attacks on block ciphers. While similar ideas have been previously used in the domain of hash functions, this is the first time that such a technique is applied in block cipher cryptanalysis. As a second contribution, we demonstrate for the first time that a splice-and-cut attack (which so far seemed to be an inherently chosen-plaintext technique) can be used in the known-plaintext model, with data complexity which is significantly below the code-book size. Finally, we extend the differential MITM attack on AES-based designs, and apply it independently in two stages from both sides of the cipher, while using the linear key sieve and other enhancements.KeywordsCryptanalysisLEDAESEven-MansourMeet-in-the-middle attackSplice-and-cutKnown plaintext splice-and-cut