Related-Key Chosen IV Attack on K2

K2 is a secure and high-performance clock controlled stream cipher developed by the Information Security Laboratory of the KDDI R&D Laboratories Inc., Japan. Its initial key length is 128-bit or 256-bit. In this paper, a related-key chosen IV attack on K2 is presented. The computational complexity of our attack is 2¹²⁸, requiring 2⁹⁷ chosens IV s, 2¹⁰¹ keystream words and 2¹⁰⁰ words of memory. The result shows that when the initial key length is 256-bit, our attack needs much less computational effort than an exhaustive key search to break K2. Thus, K2 does not have 256-bit security claimed by its designers.