**Generic related-key and induced chosen IV attacks using the method of key differentiation**

*Enes Pasalic and Yongzhuang Wei*

**Abstract:** Related-key and chosen IV attacks are well known cryptanalytic tools in the cryptanalysis of stream ciphers. Though the related-key model is considered to be a much more unrealistic scenario than the chosen IV model, we show that under certain circumstances the attack assumptions may become equivalent. We show that the key differentiation method induces a generic attack in a related-key model whose time complexity in the on-line phase is less than the exhaustive key search. The case of formal equivalency between the two scenarios arises when so-called *differentiable polynomials* with respect to some subset of key variables are a part of the state bit expressions (from which the output keystream bits are built). Then the differentiation over a key cube has the same effect as the differentiation over the corresponding IV cube, so that the generic nature of a related-key model is transferred into a more practical chosen IV model. The existence of such polynomials is confirmed for the reduced round stream cipher TRIVIUM up to some 710 rounds, and an algorithm for their detection is proposed.
The key differentiation method induces a time/related-key trade-off (TRKTO) attack which (assuming the existence of differentiable polynomials) can be run in a chosen IV model. The resulting trade-off curve of our TMDTO attack is given by $T^2M^2D^2=(KV)^2$ ($V$ denoting the IV space), which is a significant improvement over the currently best known trade-off $TM^2D^2=(KV)^2$ [IVDunkel08].
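To make "differentiation over a key cube has the same effect as differentiation over the corresponding IV cube" concrete, here is an added Python illustration that is not from the paper (the paper's formal definition of a differentiable polynomial is not reproduced on this page). It computes the higher-order derivative (cube sum) of a small ANF polynomial over a key cube and over an IV cube, checks the ANF rule against brute-force summation, and contrasts a constructed polynomial P, where both cubes yield the same superpoly, with a constructed Q, where they do not. The variables, cubes and polynomials are all constructed for this example.

```python
from itertools import product

# ANF representation: a polynomial is a set of monomials, each monomial a
# frozenset of variable names (frozenset() is the constant 1); addition is XOR.

def poly(*monomials):
    """Build a polynomial from monomials written like 'k1 k2 v3' ('' is 1)."""
    p = set()
    for m in monomials:
        p ^= {frozenset(m.split())}   # repeated monomials cancel mod 2
    return p

def cube_derivative(p, cube):
    """Derivative of p over a cube of variables: the sum of p over all
    2^|cube| assignments to the cube.  In ANF only monomials containing
    every cube variable survive, with the cube variables removed."""
    cube = frozenset(cube)
    return {m - cube for m in p if cube <= m}

def evaluate(p, assignment):
    """Evaluate p at a 0/1 assignment (dict variable -> bit)."""
    return sum(all(assignment[v] for v in m) for m in p) & 1

def cube_sum(p, cube, fixed):
    """Brute-force cube sum with the non-cube variables fixed as given."""
    cube = sorted(cube)
    total = 0
    for bits in product((0, 1), repeat=len(cube)):
        total ^= evaluate(p, {**fixed, **dict(zip(cube, bits))})
    return total

def verify_derivative(p, cube, variables):
    """Check cube_derivative against cube_sum for every fixing of the rest."""
    rest = [v for v in variables if v not in cube]
    d = cube_derivative(p, cube)
    for bits in product((0, 1), repeat=len(rest)):
        fixed = dict(zip(rest, bits))
        if cube_sum(p, cube, fixed) != evaluate(d, fixed):
            return False
    return True

def same_effect(p, key_cube, iv_cube):
    """True if the key-cube and IV-cube derivatives give the same superpoly."""
    return cube_derivative(p, key_cube) == cube_derivative(p, iv_cube)

VARS = ["k1", "k2", "k3", "v1", "v2", "v3"]           # constructed toy state
KEY_CUBE, IV_CUBE = ("k1", "k2"), ("v1", "v2")
# Constructed P = (k1+v1)(k2+v2)(k3 v3 + 1) + k1 v1 k3 + v2 k3, expanded to ANF.
P = poly("k1 k2 k3 v3", "k1 k2", "k1 v2 k3 v3", "k1 v2", "v1 k2 k3 v3",
         "v1 k2", "v1 v2 k3 v3", "v1 v2", "k1 v1 k3", "v2 k3")
# Constructed Q: the key cube and the IV cube isolate different superpolys.
Q = poly("k1 k2 v3", "v1 v2 k3", "k1 v1")

if __name__ == "__main__":
    print(same_effect(P, KEY_CUBE, IV_CUBE), same_effect(Q, KEY_CUBE, IV_CUBE))
```

For P the derivative over either cube is the same polynomial k3 v3 + 1, so summing keystream over the key cube (related-key model) or over the IV cube (chosen IV model) exposes the same superpoly; for Q the two cubes give v3 and k3 respectively.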

**Category / Keywords:** secret-key cryptography / Stream ciphers, Cryptanalysis, Chosen IV attacks, Related-key attacks, Time-Memory-Data trade-off attacks, Differentiable polynomials, Key differentiation.

**Date:** received 11 Sep 2013

**Contact author:** enes pasalic6 at gmail com


**Version:** 20130914:030819

**Short URL:** ia.cr/2013/586

[ Cryptology ePrint archive ]