부산대학교 도서관

K2 is an LFSR-based dynamic feedback stream cipher and has been standardized by ISO/IEC 18033-4. The fast correlation attack (FCA) is a well-known cryptanalysis tool for LFSR-based stream ciphers. In this paper, we propose a guess-and-determine FCA on a dynamic feedback stream ciphers model. Moreover, we give a fast calculation method to calculate the correlation of the function $F(x,y,z)=x\boxplus _{n} S(y)\boxminus _{n} z$ by directly characterizing subtraction modulo $2^{n}$ . Then we propose a kind of mask structure of the linear approximations of the function $F(x,y,z)$ with high correlations. The structural characteristics of the kind of masks reduce both the time complexity of the fast calculation and the memory complexity of connection matrices, which enables us to efficiently search for linear approximations with high correlations. Based on the structural characteristics and the analysis of the number of active S-boxes of the linear approximations of K2, we present an effective search strategy, where the number of active S-boxes is 4. The best absolute correlation we found is $2^{-24.21}$ . Finally, we study the resistance of K2 against the FCA. For any of the four variants of K2, we give the best key recovery attack so far. The time/data/memory complexity is $O(2^{190.06})/O(2^{189.80})/O(2^{188.80})$ , respectively. The results indicate that the four variants of K2 cannot guarantee the claimed 192-bit and 256-bit security if we ignore the design constraint that the maximum keystream length for a single pair of key and IV is limited to $2^{64}$ . For the full version of K2, we present the first FCA, which is also the best attack result yet. And the time/data/memory complexity is $O(2^{313.57})/O(2^{149.02})/O(2^{148.02})$ , respectively. The large security redundancy indicates that the dynamic feedback structure provides higher security.