Advances in Cryptology - ASIACRYPT 2010

Volume 6477 of the series Lecture Notes in Computer Science pp 130-145

Conditional Differential Cryptanalysis of NLFSR-Based Cryptosystems

  • Simon KnellwolfAffiliated withFHNW
  • , Willi MeierAffiliated withFHNW
  • , María Naya-PlasenciaAffiliated withFHNW


Non-linear feedback shift registers are widely used in lightweight cryptographic primitives. For such constructions we propose a general analysis technique based on differential cryptanalysis. The essential idea is to identify conditions on the internal state to obtain a deterministic differential characteristic for a large number of rounds. Depending on whether these conditions involve public variables only, or also key variables, we derive distinguishing and partial key recovery attacks. We apply these methods to analyse the security of the eSTREAM finalist Grain v1 as well as the block cipher family KATAN/KTANTAN. This allows us to distinguish Grain v1 reduced to 104 of its 160 rounds and to recover some information on the key. The technique naturally extends to higher order differentials and enables us to distinguish Grain-128 up to 215 of its 256 rounds and to recover parts of the key up to 213 rounds. All results are the best known thus far and are achieved by experiments in practical time.


differential cryptanalysis NLFSR distinguishing attack key recovery Grain KATAN/KTANTAN