PRESENT: An Ultra-Lightweight Block Cipher
CHES '07 Proceedings of the 9th international workshop on Cryptographic Hardware and Embedded Systems
KATAN and KTANTAN -- A Family of Small and Efficient Hardware-Oriented Block Ciphers
CHES '09 Proceedings of the 11th International Workshop on Cryptographic Hardware and Embedded Systems
Bivium as a Mixed-Integer Linear Programming Problem
Cryptography and Coding '09 Proceedings of the 12th IMA International Conference on Cryptography and Coding
PRINTcipher: a block cipher for IC-printing
CHES'10 Proceedings of the 12th international conference on Cryptographic hardware and embedded systems
ARMADILLO: a multi-purpose cryptographic primitive dedicated to hardware
CHES'10 Proceedings of the 12th international conference on Cryptographic hardware and embedded systems
A 3-subset meet-in-the-middle attack: cryptanalysis of the lightweight block cipher KTANTAN
SAC'10 Proceedings of the 17th international conference on Selected areas in cryptography
Cold boot key recovery by solving polynomial systems with noise
ACNS'11 Proceedings of the 9th international conference on Applied cryptography and network security
A cryptanalysis of PRINTcipher: the invariant subspace attack
CRYPTO'11 Proceedings of the 31st annual conference on Advances in cryptology
ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security
Hi-index | 0.00 |
In recent years, light-weight cryptography has received a lot of attention. Many primitives suitable for resource-restricted hardware platforms have been proposed. In this paper, we present a cryptanalysis of the new stream cipher A2U2 presented at IEEE RFID 2011 [9] that has a key length of 56 bit. We start by disproving and then repairing an extremely efficient attack presented by Chai et al. [8], showing that A2U2 can be broken in less than a second in the chosen-plaintext case. We then turn our attention to the more challenging known-plaintext case and propose a number of attacks. A guess-and-determine approach combined with algebraic cryptanalysis yields an attack that requires about 249 internal guesses. We also show how to determine the 5-bit counter key and how to reconstruct the 56-bit key in about 238 steps if the attacker can freely choose the IV. Furthermore, we investigate the possibility of exploiting the knowledge of a "noisy keystream" by solving a Max-PoSSo problem. We conclude that the cipher needs to be repaired and point out a number of simple measures that would prevent the above attacks.