The Diffusion Properties of KATAN32 Block Cipher and Meet in the Middle Attack on KATAN32

This paper presents the first results on the diffusion properties of KATAN32 [1] Block Cipher accepting a key of 80 bits, a block length of 32 bits and a round number of 254. By using the symbolic computation software Mathematica 7.0, this paper gets the algebraic expressions of the internal state bits of KATAN32 with a reduced round number as the Boolean functions of the plaintext bits and the key bits. The results are as follows: Any of the 32 internal state bits between round 1 and 52 depends on at most 79 bits of the 80 key bits, Any of the 32 internal state bits between round 1 and 20 depends on at most 31 bits of the 32 plaintext bits, The 19th bit of the internal state bits after round 39 is independent on the 14th plaintext bit, which means that it is not until 40 rounds that the 32 plaintext bits will diffuse to each internal state bits, The 19th bit of the internal state bits after round 73 is independent on the 80th key bit, which means that it is not until 74 rounds that the 80 key bits will diffuse to each internal state bits. This paper also gets the algebraic expressions of some of the internal state bits of KATAN32 as the Boolean functions of the cipher text bits and the key bits. As an application, this paper sets up an equation system over GF(2) of KATAN32 of reduced round number 42 by the method of meet in the middle attack, which is the first meet in the middle attack on KATAN32. With 3 known plaintexts the equation system is solved by finding the Gröbner basis of the equation system by Magma 2.17-5 [2]. Thus the 80 bits master keys are recovered.