Impossible Differential Cryptanalysis of 16/18-Round Khudra

Abstract

Khudra is a recently proposed lightweight block cipher specifically dedicated for Field Programmable Gate Arrays (FPGAs) implementation. It is a 4-branch type-2 generalized Feistel structure (GFS) of 18 rounds with 64-bit block size and 80-bit security margin. This paper studies the security of Khudra against impossible differential cryptanalysis. In the single-key scenario, the best impossible differential attack given by the designers works for 11 rounds with 2(57) chosen plaintexts and 2(61) encryptions. In this paper, by exploiting the structure of Khudra and the redundancy in its key schedule, we significantly improve previously known results. First, we propose an impossible differential attack on 14-round Khudra with 2(54.06) chosen plaintexts, 2(50.26) encryptions and 2(49) memory. Then, we extend the attack by including pre-whitening keys with 2(59.03) known plaintexts, 2(67.06) time and 2(59.03) memory complexities. Finally, we present an impossible differential attack against 16-round Khudra where whitening-keys are omitted. The 16-round attack requires 2(49.58) chosen plaintexts, 2(79.26) encryptions and 2(64) memory. To the best of our knowledge, these attacks are the best known attacks in the single-key scenario.