Book chapter, peer reviewed

Conditional Differential Cryptanalysis for Kreyvium

2017; Springer Science+Business Media; Language: English

10.1007/978-3-319-60055-0_22

ISSN

1611-3349

Authors

Yuhei Watanabe, Takanori Isobe, Masakatu Morii

Topic(s)

Coding theory and cryptography

Abstract

Kreyvium is an NLFSR-based stream cipher oriented to homomorphic-ciphertext compression. It is a variant of Trivium with 128-bit security. The designers evaluated the security of Kreyvium and concluded that its resistance to conditional differential cryptanalysis is at least that of Trivium, and even better. However, we consider that this attack is effective due to the structure of Kreyvium. This paper presents conditional differential cryptanalysis of Kreyvium. We propose a method for arranging differences and conditions to obtain good higher-order conditional differential characteristics. We use two types of higher-order conditional differential characteristics to find the distinguisher, namely the bias of higher-order conditional differential characteristics of the keystream and the neutrality of keystreams. With the first, we obtain a distinguisher on Kreyvium with 730 rounds from a 20th-order characteristic. With the second, we obtain a distinguisher on Kreyvium with 899 rounds from 24th- and 25th-order conditional differential characteristics. We experimentally confirm all our attacks. The second result shows that we can obtain a distinguisher on Kreyvium with more rounds than the distinguisher on Trivium. Therefore, Kreyvium has lower security than Trivium against conditional differential cryptanalysis.
