The parallel-cut meet-in-the-middle attack

Abstract

We propose a new type of meet-in-the-middle attack that splits a cryptographic primitive in parallel to the execution flow of the operations. The result of the division are two primitives that have smaller input sizes and thus require lower attack complexities. The sub-primitives are not completely independent, but mutually depend on a certain number of bits. When the number of such bits is relatively small, we show a technique based on three classical meet-in-the-middle attacks that can recover the secret key of the cipher faster than an exhaustive search. We apply our findings to the lightweight block cipher Klein and show attacks on 10/11/13 rounds of Klein-64/-80/-96. We note that our approach works in the known-plaintext attack model and requires only one or two pairs of known plaintexts.