Selected Areas in Cryptography

Volume 7118 of the series Lecture Notes in Computer Science pp 200-212

Conditional Differential Cryptanalysis of Trivium and KATAN

  • Simon Knellwolf (affiliated with FHNW)
  • Willi Meier (affiliated with FHNW)
  • María Naya-Plasencia (affiliated with FHNW)


The concept of conditional differential cryptanalysis has been applied to NLFSR-based cryptosystems at ASIACRYPT 2010. We improve the technique by using automatic tools to find and analyze the involved conditions. Using these improvements we cryptanalyze the stream cipher Trivium and the KATAN family of lightweight block ciphers. For both ciphers we obtain new cryptanalytic results. For reduced variants of Trivium we obtain a class of weak keys that can be practically distinguished up to 961 of 1152 rounds. For the KATAN family we focus on its security in the related-key scenario and obtain practical key-recovery attacks for 120, 103 and 90 of 254 rounds of KATAN32, KATAN48 and KATAN64, respectively.


Keywords: Trivium, KATAN, conditional differential cryptanalysis