Improved Key Recovery Attacks on Simplified Version of K2 Stream Cipher
The Computer Journal (IF 1.4), Pub Date: 2020-12-21, DOI: 10.1093/comjnl/bxaa154
Sudong Ma, Jie Guan

The K2 stream cipher, designed for 32-bit words, is an ISO/IEC 18033 standard and is listed as a recommended algorithm used by the Japanese government in the CRYPTREC project. The main feature of the K2 algorithm is the use of a dynamic feedback control mechanism between the two linear feedback shift registers, which makes the analysis of the K2 algorithm more difficult. In this paper, a key recovery attack on its simplified version is performed using differential attacks. Firstly, for the unknown key, the same IV is fixed in two chosen-IV differential attacks, and we use the input differences and the output differences of the S-box to recover the input of the S-box; the internal state values can be uniquely determined by taking the intersection of the inputs of the S-box. This technique is used to improve the key recovery attack on the seven-round algorithm proposed by Deike Priemuth-Schmid. Secondly, we find the constraint relationship between the keystream equations and the unknown differences by introducing the guess difference bit, and eliminate the impossible differences using the constraint relationship. Thus, we extend the key recovery attack from seven to nine rounds. The time complexity of the attack is $O(2^{113.93})$, the data complexity is $O(2^{8.71})$ and the success rate is 99.07%.
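
The S-box step described in the abstract (recovering an S-box input from input/output difference pairs and intersecting the candidate sets) can be shown on a single 8-bit S-box. This is an added illustration, not code from the paper: it assumes the AES S-box, uses a hypothetical `out_diff` oracle in place of what the keystream reveals, and generalizes from two differences to as many as are needed for a unique answer.

```python
# Added illustration, not code from the paper. Assumption: the 8-bit S-box is
# the AES S-box, rebuilt here from its algebraic definition.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def build_sbox():
    """Field inverse followed by the AES affine map."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = inv ^ 0x63
        for k in range(1, 5):  # XOR in the four left rotations of inv
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s)
    return sbox

SBOX = build_sbox()

def candidates(din, dout):
    """Inputs x consistent with one pair: S(x) ^ S(x ^ din) == dout."""
    return {x for x in range(256) if SBOX[x] ^ SBOX[x ^ din] == dout}

def recover_input(out_diff):
    """out_diff(din) returns the observed output difference for a chosen din
    (hypothetical oracle). Returns (recovered input, differences used)."""
    cands = set(range(256))
    for used, din in enumerate(range(1, 256), start=1):
        cands &= candidates(din, out_diff(din))
        if len(cands) == 1:
            return cands.pop(), used
    raise ValueError("input not uniquely determined")

if __name__ == "__main__":
    secret = 0x3A  # constructed sample value
    oracle = lambda d: SBOX[secret] ^ SBOX[secret ^ d]
    print(len(candidates(1, oracle(1))), recover_input(oracle))
```

A single difference pair always leaves at least two candidates (`x` and `x ^ din`), which is why the intersection over several differences is needed.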

Updated: 2020-12-21