Cryptanalysis of the light-weight cipher a2u2

Authors:
Mohamed Ahmed Abdelraheem;Julia Borghoff;Erik Zenner;Mathieu David
Affiliations:
Technical University of Denmark, Denmark;Technical University of Denmark, Denmark;University of Applied Sciences Offenburg, Germany;Aalborg University, Denmark
Venue:
IMACC'11 Proceedings of the 13th IMA international conference on Cryptography and Coding
Year:
2011

Citing 9
Cited 0

PRESENT: An Ultra-Lightweight Block Cipher

CHES '07 Proceedings of the 9th international workshop on Cryptographic Hardware and Embedded Systems
KATAN and KTANTAN -- A Family of Small and Efficient Hardware-Oriented Block Ciphers

CHES '09 Proceedings of the 11th International Workshop on Cryptographic Hardware and Embedded Systems
Bivium as a Mixed-Integer Linear Programming Problem

Cryptography and Coding '09 Proceedings of the 12th IMA International Conference on Cryptography and Coding
PRINTcipher: a block cipher for IC-printing

CHES'10 Proceedings of the 12th international conference on Cryptographic hardware and embedded systems
ARMADILLO: a multi-purpose cryptographic primitive dedicated to hardware

CHES'10 Proceedings of the 12th international conference on Cryptographic hardware and embedded systems
A 3-subset meet-in-the-middle attack: cryptanalysis of the lightweight block cipher KTANTAN

SAC'10 Proceedings of the 17th international conference on Selected areas in cryptography
Cold boot key recovery by solving polynomial systems with noise

ACNS'11 Proceedings of the 9th international conference on Applied cryptography and network security
A cryptanalysis of PRINTcipher: the invariant subspace attack

CRYPTO'11 Proceedings of the 31st annual conference on Advances in cryptology
Cryptanalysis of ARMADILLO2

ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

In recent years, light-weight cryptography has received a lot of attention. Many primitives suitable for resource-restricted hardware platforms have been proposed. In this paper, we present a cryptanalysis of the new stream cipher A2U2 presented at IEEE RFID 2011 [9] that has a key length of 56 bit. We start by disproving and then repairing an extremely efficient attack presented by Chai et al. [8], showing that A2U2 can be broken in less than a second in the chosen-plaintext case. We then turn our attention to the more challenging known-plaintext case and propose a number of attacks. A guess-and-determine approach combined with algebraic cryptanalysis yields an attack that requires about 249 internal guesses. We also show how to determine the 5-bit counter key and how to reconstruct the 56-bit key in about 238 steps if the attacker can freely choose the IV. Furthermore, we investigate the possibility of exploiting the knowledge of a "noisy keystream" by solving a Max-PoSSo problem. We conclude that the cipher needs to be repaired and point out a number of simple measures that would prevent the above attacks.