Abstract

K2 is an LFSR-based dynamic feedback stream cipher and has been standardized by ISO/IEC 18033-4. The fast correlation attack (FCA) is a well-known cryptanalysis tool for LFSR-based stream ciphers. In this paper, we propose a guess-and-determine FCA on a dynamic feedback stream cipher model. Moreover, we give a fast method to calculate the correlation of the function $F(x, y, z) = x \boxplus_n S(y) \boxminus_n z$ by directly characterizing subtraction modulo $2^n$. Then we propose a kind of mask structure for the linear approximations of the function $F(x, y, z)$ with high correlations. The structural characteristics of this kind of mask reduce both the time complexity of the fast calculation and the memory complexity of the connection matrices, which enables us to efficiently search for linear approximations with high correlations. Based on these structural characteristics and an analysis of the number of active S-boxes in the linear approximations of K2, we present an effective search strategy, where the number of active S-boxes is 4. The best absolute correlation we found is $2^{-24.21}$. Finally, we study the resistance of K2 against the FCA. For each of the four variants of K2, we give the best key recovery attack so far. The time/data/memory complexity is $O(2^{190.06})$/$O(2^{189.80})$/$O(2^{188.80})$, respectively. The results indicate that the four variants of K2 cannot guarantee the claimed 192-bit and 256-bit security if we ignore the design constraint that the maximum keystream length for a single pair of key and IV is limited to $2^{64}$. For the full version of K2, we present the first FCA, which is also the best attack result yet. The time/data/memory complexity is $O(2^{313.57})$/$O(2^{149.02})$/$O(2^{148.02})$, respectively. The large security redundancy indicates that the dynamic feedback structure provides higher security.
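As an added illustration (not code from the paper), the following Python computes the correlation of a linear approximation of $F(x, y, z) = x \boxplus_n S(y) \boxminus_n z$ by exhaustive enumeration rather than the paper's fast method, for a toy word size n = 4 with PRESENT's 4-bit S-box standing in for K2's (both are assumptions). It also shows the "active S-box" effect the abstract refers to: for the least significant bit, where no carry enters, the correlation of F equals the S-box's own linear approximation table entry for the chosen y-mask.

```python
"""Exhaustive correlation of linear approximations of
F(x, y, z) = x (+)_n S(y) (-)_n z for a toy word size n = 4."""
from itertools import product

N = 4                       # toy word size; K2 itself works on 32-bit words
MASK = (1 << N) - 1
# PRESENT's 4-bit S-box, used only as a placeholder; it is not K2's S-box.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(v: int) -> int:
    """Parity of the set bits of v, i.e. the inner product mask.value."""
    return bin(v).count("1") & 1


def F(x: int, y: int, z: int) -> int:
    """F(x, y, z) = x + S(y) - z computed modulo 2^n."""
    return (x + SBOX[y] - z) & MASK


def correlation(alpha: int, beta: int, gamma: int, delta: int) -> float:
    """c = 2*Pr[alpha.x ^ beta.y ^ gamma.z = delta.F(x,y,z)] - 1,
    estimated exactly over all 2^(3n) inputs (x, y, z)."""
    agree = 0
    for x, y, z in product(range(1 << N), repeat=3):
        lhs = parity(alpha & x) ^ parity(beta & y) ^ parity(gamma & z)
        agree += lhs == parity(delta & F(x, y, z))
    return 2 * agree / (1 << (3 * N)) - 1


def sbox_correlation(beta: int, delta: int) -> float:
    """Correlation of beta.y = delta.S(y): one entry of the S-box's LAT."""
    agree = sum(parity(beta & y) == parity(delta & SBOX[y])
                for y in range(1 << N))
    return 2 * agree / (1 << N) - 1


def best_sbox_mask(alpha: int, gamma: int, delta: int):
    """With the x-, z- and output masks fixed, pick the y-mask (the single
    active S-box) that gives the largest absolute correlation of F."""
    return max(((beta, correlation(alpha, beta, gamma, delta))
                for beta in range(1 << N)), key=lambda t: abs(t[1]))
```

Because the S-box is a permutation, its low output bit is balanced, so the LSB approximation with an empty y-mask has correlation exactly 0; any useful approximation must pay the S-box's LAT bias.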
