A Cryptanalysis of HummingBird-2: The Differential Sequence Analysis

Hummingbird-2 is a recent lightweight block cipher design targeting constrained devices, which not only enables a compact hardware implementation and ultra-low power consumption but also meets the stringent response time specified in ISO18000-6C. In this paper, we present the first cryptanalytic result on the full version of this cipher using two pairs of related keys, i.e., four keys. We discover that the differential sequences for the last invocation of the round function can be computed by running the full cipher, which allows the search space for the key to be reduced. Based upon this observation, we propose a probabilistic attack encompassing two phases: a preparation phase and a key recovery phase. The preparation phase, requiring 2 effort in time, aims to reach an internal state, with 0.5 success probability, that satisfies particular conditions. In the key recovery phase, by attacking the last invocation of the round function of the encryption (decryption resp.) using the proposed differential sequence analysis (DSA), we are able to recover 36 bits (another 44 bits resp.) of the 128-bit key. In addition, the remaining 48 bits of the key can be exhaustively searched and the overall time complexity of the key recovery phase is 2. Note that the proposed attack, though exhibiting an interesting tradeoff between success probability and time complexity, is only of theoretical interest at the moment and does not affect the security of Hummingbird-2 in practice.
