Improved Key Recovery Attacks on Simplified Version of K2 Stream Cipher

Abstract The K2 stream cipher, designed for 32-bit words, is an ISO/IEC 18033 standard and is listed as a recommended algorithm used by the Japanese government in the CRYPTREC project. The main feature of the K2 algorithm is the use of a dynamic feedback control mechanism between the two linear feedback shift registers, which makes the analysis of the K2 algorithm more difficult. In this paper, for its simplified version algorithm, a key recovery attack is performed by using differential attacks. Firstly, for the unknown key, the same IV is fixed in two chosen IV differential attacks, and we use the input differences and the output differences of the S-box to recover the input of S-box; the internal state values can be uniquely determined by taking intersection of the input of S-box. This technology is used to improve the key recovery attack of seven-round algorithm proposed by Deike Priemuth-Schmid. Secondly, we find the constraint relationship between the keystream equations and the unknown differences by introducing the guess difference bit and eliminate the impossible differences by the constraint relationship. Thus, we expand the key recovery attack from seven to nine rounds. The time complexity of the attack is $\boldsymbol{O} \boldsymbol{(2^{113.93})}$, the data complexity is $\boldsymbol{O}\boldsymbol{(2^{8.71})}$ and the success rate is $\textbf{99.07\%}$.

Some cryptanalytic results on Lizard

10.46586/tosc.v2017.i4.82-98 ◽

2017 ◽

pp. 82-98

Author(s):

Subhadeep Banik ◽

Takanori Isobe ◽

Tingting Cui ◽

Jian Guo

Keyword(s):

Stream Cipher ◽

Secret Key ◽

Key Recovery ◽

Key Recovery Attack ◽

Lizard is a lightweight stream cipher proposed by Hamann, Krause and Meier in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 90 and 31 bits. The cipher uses a 120-bit secret key and a 64-bit IV. The authors claim that Lizard provides 80-bit security against key recovery attacks and a 60-bit security against distinguishing attacks. In this paper, we present an assortment of results and observations on Lizard. First, we show that by doing 258 random trials it is possible to find a set of 264 triplets (K, IV0, IV1) such that the Key-IV pairs (K, IV0) and (K, IV1) produce identical keystream bits. Second, we show that by performing only around 228 random trials it is possible to obtain 264 Key-IV pairs (K0, IV0) and (K1, IV1) that produce identical keystream bits. Thereafter, we show that one can construct a distinguisher for Lizard based on IVs that produce shifted keystream sequences. The process takes around 251.5 random IV encryptions (with encryption required to produce 218 keystream bits) and around 276.6 bits of memory. Next, we propose a key recovery attack on a version of Lizard with the number of initialization rounds reduced to 223 (out of 256) based on IV collisions. We then outline a method to extend our attack to 226 rounds. Our results do not affect the security claims of the designers.

Cryptanalysis of Plantlet

10.46586/tosc.v2019.i3.103-120 ◽

2019 ◽

pp. 103-120

Author(s):

Subhadeep Banik ◽

Khashayar Barooti ◽

Takanori Isobe

Keyword(s):

Stream Cipher ◽

Internal State ◽

Polynomial Equations ◽

Secret Key ◽

Key Recovery ◽

Internal States ◽

Key Recovery Attack ◽

System Of Polynomial Equations ◽

The Given ◽

Generic Time

Plantlet is a lightweight stream cipher designed by Mikhalev, Armknecht and Müller in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 40 and 61 bits. In spite of this, the cipher does not seem to lose in security against generic Time-Memory-Data Tradeoff attacks due to the novelty of its design. The cipher uses a 80-bit secret key and a 90-bit IV. In this paper, we first present a key recovery attack on Plantlet that requires around 276.26 Plantlet encryptions. The attack leverages the fact that two internal states of Plantlet that differ in the 43rd LFSR location are guaranteed to produce keystream that are either equal or unequal in 45 locations with probability 1. Thus an attacker can with some probability guess that when 2 segments of keystream blocks possess the 45 bit difference just mentioned, they have been produced by two internal states that differ only in the 43rd LFSR location. Thereafter by solving a system of polynomial equations representing the keystream bits, the attacker can find the secret key if his guess was indeed correct, or reach some kind of contradiction if his guess was incorrect. In the latter event, he would repeat the procedure for other keystream blocks with the given difference. We show that the process when repeated a finite number of times, does indeed yield the value of the secret key. In the second part of the paper, we observe that the previous attack was limited to internal state differences that occurred at time instances that were congruent to 0 mod 80. We further observe that by generalizing the attack to include internal state differences that are congruent to all equivalence classed modulo 80, we lower the total number of keystream bits required to perform the attack and in the process reduce the attack complexity to 269.98 Plantlet encryptions.

Cryptanalysis of Loiss Stream Cipher-Revisited

Journal of Applied Mathematics ◽

10.1155/2014/457275 ◽

2014 ◽

Vol 2014 ◽

pp. 1-7

Author(s):

Lin Ding ◽

Chenhui Jin ◽

Jie Guan ◽

Qiuyan Wang

Keyword(s):

Time Complexity ◽

Stream Cipher ◽

Linear Equations ◽

Data Complexity ◽

Secret Key ◽

Key Recovery ◽

Systems Of Linear Equations ◽

Key Recovery Attack ◽

Better Than

Loiss is a novel byte-oriented stream cipher proposed in 2011. In this paper, based on solving systems of linear equations, we propose an improved Guess and Determine attack on Loiss with a time complexity of 2231and a data complexity of 268, which reduces the time complexity of the Guess and Determine attack proposed by the designers by a factor of 216. Furthermore, a related key chosenIVattack on a scaled-down version of Loiss is presented. The attack recovers the 128-bit secret key of the scaled-down Loiss with a time complexity of 280, requiring 264chosenIVs. The related key attack is minimal in the sense that it only requires one related key. The result shows that our key recovery attack on the scaled-down Loiss is much better than an exhaustive key search in the related key setting.

Breaking Trivium Stream Cipher Implemented in ASIC Using Experimental Attacks and DFA

Sensors ◽

10.3390/s20236909 ◽

2020 ◽

Vol 20 (23) ◽

pp. 6909

Author(s):

Francisco Eugenio Potestad-Ordóñez ◽

Manuel Valencia-Barrero ◽

Carmen Baena-Oliva ◽

Pilar Parra-Fernández ◽

Carlos Jesús Jiménez-Fernández

Keyword(s):

Stream Cipher ◽

Internal State ◽

Clock Cycle ◽

Fault Analysis ◽

Invasive Technique ◽

Sensitive Information ◽

Secret Key ◽

Key Recovery ◽

Differential Fault Analysis ◽

Secret Keys

One of the best methods to improve the security of cryptographic systems used to exchange sensitive information is to attack them to find their vulnerabilities and to strengthen them in subsequent designs. Trivium stream cipher is one of the lightweight ciphers designed for security applications in the Internet of things (IoT). In this paper, we present a complete setup to attack ASIC implementations of Trivium which allows recovering the secret keys using the active non-invasive technique attack of clock manipulation, combined with Differential Fault Analysis (DFA) cryptanalysis. The attack system is able to inject effective transient faults into the Trivium in a clock cycle and sample the faulty output. Then, the internal state of the Trivium is recovered using the DFA cryptanalysis through the comparison between the correct and the faulty outputs. Finally, a backward version of Trivium was also designed to go back and get the secret keys from the initial internal states. The key recovery has been verified with numerous simulations data attacks and used with the experimental data obtained from the Application Specific Integrated Circuit (ASIC) Trivium. The secret key of the Trivium were recovered experimentally in 100% of the attempts, considering a real scenario and minimum assumptions.

Security analysis of linearly filtered NLFSRs

Journal of Mathematical Cryptology ◽

10.1515/jmc-2013-5009 ◽

2013 ◽

Vol 7 (4) ◽

pp. 313-332 ◽

Cited By ~ 3

Author(s):

Mohammad Ali Orumiehchiha ◽

Josef Pieprzyk ◽

Ron Steinfeld ◽

Harry Bartlett

Keyword(s):

Linear Combination ◽

Mobile Communication ◽

Stream Cipher ◽

High Efficiency ◽

Security Analysis ◽

Linear Feedback ◽

Attractive Feature ◽

Key Recovery ◽

Distinguishing Attack ◽

Feedback Shift Register

Abstract. Non-linear feedback shift register (NLFSR) ciphers are cryptographic tools of choice of the industry especially for mobile communication. Their attractive feature is a high efficiency when implemented in hardware or software. However, the main problem of NLFSR ciphers is that their security is still not well investigated. The paper makes a progress in the study of the security of NLFSR ciphers. In particular, we show a distinguishing attack on linearly filtered NLFSR (or LF-NLFSR) ciphers. We extend the attack to a linear combination of LF-NLFSRs. We investigate the security of a modified version of the Grain stream cipher and show its vulnerability to both key recovery and distinguishing attacks.

Key Recovery Attack on Stream Cipher Mir-1 Using a Key-Dependent S-Box

Information and Communications Security - Lecture Notes in Computer Science ◽

10.1007/978-3-540-88625-9_9 ◽

2008 ◽

pp. 128-140

Author(s):

Yukiyasu Tsunoo ◽

Teruo Saito ◽

Hiroyasu Kubo ◽

Tomoyasu Suzaki

Keyword(s):

Stream Cipher ◽

Key Recovery ◽

Key Recovery Attack

Boomeyong: Embedding Yoyo within Boomerang and its Applications to Key Recovery Attacks on AES and Pholkos

10.46586/tosc.v2021.i3.137-169 ◽

2021 ◽

pp. 137-169

Author(s):

Mostafizar Rahman ◽

Dhiman Saha ◽

Goutam Paul

Keyword(s):

Time Complexity ◽

Block Cipher ◽

New Technique ◽

Small Scale ◽

Key Recovery ◽

Boomerang Attack ◽

Tweakable Block Cipher ◽

Key Recovery Attack ◽

This work investigates a generic way of combining two very effective and well-studied cryptanalytic tools, proposed almost 18 years apart, namely the boomerang attack introduced by Wagner in FSE 1999 and the yoyo attack by Ronjom et al. in Asiacrypt 2017. In doing so, the s-box switch and ladder switch techniques are leveraged to embed a yoyo trail inside a boomerang trail. As an immediate application, a 6-round key recovery attack on AES-128 is mounted with time complexity of 278. A 10-round key recovery attack on recently introduced AES-based tweakable block cipher Pholkos is also furnished to demonstrate the applicability of the new technique on AES-like constructions. The results on AES are experimentally verified by applying and implementing them on a small scale variant of AES. We provide arguments that draw a relation between the proposed strategy with the retracing boomerang attack devised in Eurocrypt 2020. To the best of our knowledge, this is the first attempt to merge the yoyo and boomerang techniques to analyze SPN ciphers and warrants further attention as it has the potential of becoming an important cryptanalysis tool.

A Real-Time Key Recovery Attack on the Lightweight Stream Cipher A2U2

Cryptology and Network Security - Lecture Notes in Computer Science ◽

10.1007/978-3-642-35404-5_2 ◽

2012 ◽

pp. 12-22

Author(s):

Zhenqing Shi ◽

Xiutao Feng ◽

Dengguo Feng ◽

Chuankun Wu

Keyword(s):

Real Time ◽

Stream Cipher ◽

Key Recovery ◽

Key Recovery Attack

Automatic Search of Cubes for Attacking Stream Ciphers

10.46586/tosc.v2021.i4.100-123 ◽

2021 ◽

pp. 100-123

Author(s):

Yao Sun

Keyword(s):

Heuristic Method ◽

Stream Ciphers ◽

Divide And Conquer ◽

Key Recovery ◽

Cube Attack ◽

Automatic Search ◽

The Common ◽

Key Recovery Attack ◽

First Time ◽

Cube attack was proposed by Dinur and Shamir, and it has become an important tool for analyzing stream ciphers. As the problem that how to recover the superpolys accurately was resolved by Hao et al. in EUROCRYPT 2020, another important problem is how to find “good” superpolys, which is equivalent to finding “good” cubes. However, there are two difficulties in finding “good” cubes. Firstly, the number of candidate cubes is enormous and most of the cubes are not “good”. Secondly, it is costly to evaluate whether a cube is “good”.In this paper, we present a new algorithm to search for a kind of “good” cubes, called valuable cubes. A cube is called valuable, if its superpoly has (at least) a balanced secret variable. A valuable cube is “good”, because its superpoly brings in 1 bit of information about the key. More importantly, the superpolys of valuable cubes could be used in both theoretical and practical analyses. To search for valuable cubes, instead of testing a set of cubes one by one, the new algorithm deals with the set of cubes together, such that the common computations can be done only once for all candidate cubes and duplicated computations are avoided. Besides, the new algorithm uses a heuristic method to reject useless cubes efficiently. This heuristic method is based on the divide-and-conquer strategy as well as an observation.For verifications of this new algorithm, we applied it to Trivium and Kreyvium, and obtained three improvements. Firstly, we found two valuable cubes for 843-round Trivium, such that we proposed, as far as we know, the first theoretical key-recovery attack against 843-round Trivium, while the previous highest round of Trivium that can be attacked was 842, given by Hao et al. in EUROCRYPT 2020. Secondly, by finding many small valuable cubes, we presented practical attacks against 806- and 808-round Trivium for the first time, while the previous highest round of Trivium that can be attacked practically was 805. Thirdly, based on the cube used to attack 892-round Kreyvium in EUROCRYPT 2020, we found more valuable cubes and mounted the key-recovery attacks against Kreyvium to 893-round.

Weak Keys in Reduced AEGIS and Tiaoxin

10.46586/tosc.v2021.i2.104-139 ◽

2021 ◽

pp. 104-139

Author(s):

Fukang Liu ◽

Takanori Isobe ◽

Willi Meier ◽

Kosei Sakamoto

Keyword(s):

Time Complexity ◽

High Performance ◽

Stream Cipher ◽

Third Party ◽

Key Recovery ◽

Weak Keys ◽

Internal States ◽

Caesar Competition ◽

Key Recovery Attack ◽

Pass Through

AEGIS-128 and Tiaoxin-346 (Tiaoxin for short) are two AES-based primitives submitted to the CAESAR competition. Among them, AEGIS-128 has been selected in the final portfolio for high-performance applications, while Tiaoxin is a third-round candidate. Although both primitives adopt a stream cipher based design, they are quite different from the well-known bit-oriented stream ciphers like Trivium and the Grain family. Their common feature consists in the round update function, where the state is divided into several 128-bit words and each word has the option to pass through an AES round or not. During the 6-year CAESAR competition, it is surprising that for both primitives there is no third-party cryptanalysis of the initialization phase. Due to the similarities in both primitives, we are motivated to investigate whether there is a common way to evaluate the security of their initialization phases. Our technical contribution is to write the expressions of the internal states in terms of the nonce and the key by treating a 128-bit word as a unit and then carefully study how to simplify these expressions by adding proper conditions. As a result, we find that there are several groups of weak keys with 296 keys each in 5-round AEGIS-128 and 8-round Tiaoxin, which allows us to construct integral distinguishers with time complexity 232 and data complexity 232. Based on the distinguisher, the time complexity to recover the weak key is 272 for 5-round AEGIS-128. However, the weak key recovery attack on 8-round Tiaoxin will require the usage of a weak constant occurring with probability 2−32. All the attacks reach half of the total number of initialization rounds. We expect that this work can advance the understanding of the designs similar to AEGIS and Tiaoxin.