Conditional Differential Cryptanalysis of Trivium and KATAN

  • Simon Knellwolf, Willi Meier, María Naya-Plasencia
  • Selected Areas in Cryptography
The concept of conditional differential cryptanalysis has been applied to NLFSR-based cryptosystems at ASIACRYPT 2010. We improve the technique by using automatic tools to find and analyze the involved conditions. Using these improvements we cryptanalyze the stream cipher Trivium and the KATAN family of lightweight block ciphers. For both ciphers we obtain new cryptanalytic results. For reduced variants of Trivium we obtain a class of weak keys that can be practically distinguished up to 961 of… 

Improved Conditional Differential Analysis on NLFSR-Based Block Cipher KATAN32 with MILP

In this paper, a new method for constructing a Mixed Integer Linear Programming (MILP) model on conditional differential cryptanalysis of the nonlinear feedback shift register- (NLFSR-) based block

Improved Conditional Differential Analysis on NLFSR Based Block Cipher KATAN32 with MILP

  • Zhaohui Xing, Wenying Zhang, Guoyong Han
  • Computer Science, Mathematics
    Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
  • 2021
The model is successfully applied to the block cipher KATAN32 in the single-key scenario, resulting in practical key-recovery attacks covering more rounds than the previous, and an approach for detecting the bit with a strongly-biased difference is proposed.

Conditional Differential Cryptanalysis for Kreyvium

This paper shows conditional differential cryptanalysis for Kreyvium, an NLFSR-based stream cipher oriented to homomorphic-ciphertext compression, and proposes a method for arranging differences and conditions to obtain good higher-order conditional differential characteristics.

Related-Key Boomerang Attacks on KATAN32/48/64

This paper investigates the KATAN family in the related-key boomerang framework with several techniques and attacks, which substantially improve the best known results; the attacked rounds are 120, 103 and 94, respectively.

High order differential attacks on stream ciphers

This work reviews the various techniques of differential cryptanalysis and translates them into the terminology of high-order derivatives introduced by Lai, which naturally suggests generalizations and refinements such as conditional differential cryptanalysis.

Cryptanalysis of Hardware-Oriented Ciphers: The Knapsack Generator, and SHA-1

A surprisingly effective guess-and-determine attack is shown that recovers large parts of the n + n secret key bits if only n bits are known and a new differential cryptanalytic perspective is proposed which is very suitable for hash functions with linear message expansion.

Improved conditional differential cryptanalysis

This work proposes an improved version of conditional differential cryptanalysis and applies the new method to analyze the security of the QUARK family of lightweight hash functions, including the recently proposed C-QUARK.

Conditional differential cryptanalysis of 105 round Grain v1

  • Subhadeep Banik
  • Computer Science, Mathematics
    Cryptography and Communications
  • 2015
This paper proposes a method that determines 9 secret key bits explicitly, and proves that a suitably introduced difference in the IV leads to a distinguisher for the output bit produced in the 105th round.

Conditional Differential Cryptanalysis of Grain-128a

The comparison of symbolic expressions suggests that Grain-128a is immune against dynamic cube attacks and also immune against differential attacks as the best attack could find results in a bias at round 189 out of 256.

A Key-recovery Attack on 855-round Trivium

This paper proposes a novel nullification technique for Boolean polynomials to reduce the output Boolean polynomial of 855-round Trivium, determines the upper bound on the degree of the reduced nonlinear Boolean polynomial, and detects the right keys.

Conditional Differential Cryptanalysis of NLFSR-Based Cryptosystems

Non-linear feedback shift registers are widely used in lightweight cryptographic primitives and a general analysis technique based on differential cryptanalysis is proposed to identify conditions on the internal state to obtain a deterministic differential characteristic for a large number of rounds.

Differential cryptanalysis of Lucifer

A new extension of differential cryptanalysis is devised to extend the class of vulnerable cryptosystems, and suggests key-dependent characteristics, called conditional characteristics, selected to increase the characteristics' probabilities for keys in subsets of the key space.

Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers

Evidence is given that the present analysis is not applicable to Grain-128 or Trivium with full IV initialization, and it is experimentally demonstrated how to deduce a few key bits.

Two Trivial Attacks on Trivium

A state recovering attack with time complexity around c·2^83.5 is presented and clearly shows that TRIVIUM has a very thin safety margin and that in its current form it cannot be used with longer 128-bit keys, which resists all of the attacks proposed in this paper.

Cube Attacks on Tweakable Black Box Polynomials

This paper develops a new technique (called a cube attack ) for solving tweakable polynomials, which is a major improvement over several previously published attacks of the same type.

Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium

This paper applies cube attacks to reduced-round MD6, finding the full 128-bit key of a 14-round MD6 with complexity 2^22 (which takes less than a minute on a single PC), and introduces a new class of attacks called cube testers, based on efficient property-testing algorithms, and applies them to MD6 and to the stream cipher Trivium.

KATAN and KTANTAN - A Family of Small and Efficient Hardware-Oriented Block Ciphers

A new family of very efficient hardware-oriented block ciphers divided into two flavors, the second of which is more compact in hardware, as the key is burnt into the device (and cannot be changed), and achieves an encryption speed of 12.5 KBit/sec.

Some Instant- and Practical-Time Related-Key Attacks on KTANTAN32/48/64

  • Martin Ågren
  • Computer Science, Mathematics
    Selected Areas in Cryptography
  • 2011
The hardware-attractive block cipher family KTANTAN was studied by Bogdanov and Rechberger who identified flaws in the key schedule and gave a meet-in-the-middle attack, but the attacks directly contradict the designers' claims.

A 3-Subset Meet-in-the-Middle Attack: Cryptanalysis of the Lightweight Block Cipher KTANTAN

This paper proposes meet-in-the-middle attacks that are applicable to the KTANTAN family of block ciphers accepting a key of 80 bits and demonstrates that a strong related-key property can translate to a successful attack in the non-related-key setting.

A New Randomness Extraction Paradigm for Hybrid Encryption

This framework provides an efficient generic transformation from 1-universal to 2-universal hash proof systems and allows one to prove IND-CCA2 security of a hybrid version of Damgård's 1991 ElGamal public-key encryption scheme under the DDH assumption.