论文信息 - An Ultra-Efficient Key Recovery Attack on the Lightweight Stream Cipher A2U2

An Ultra-Efficient Key Recovery Attack on the Lightweight Stream Cipher A2U2

In this letter we report on an ultra-efficient key recovery attack under the chosen-plaintext-attack model against the stream cipher A2U2, which is the most lightweight cryptographic primitive (i.e., it costs only 284 GE in hardware implementation) proposed so far for low-cost Radio Frequency Identification (RFID) tags. Our attack can fully recover the secret key of the A2U2 cipher by only querying the A2U2 encryption twice on the victim tag and solving 32 sparse systems of linear equations (where each system has 56 unknowns and around 28 unknowns can be directly obtained without computation) in the worst case, which takes around 0.16 second on a Thinkpad T410 laptop.

Guang Gong | Xinxin Fan | Qi Chai

[1] Andrey Bogdanov,et al. PRESENT: An Ultra-Lightweight Block Cipher , 2007, CHES.

[2] Matthew J. B. Robshaw,et al. PRINTcipher: A Block Cipher for IC-Printing , 2010, CHES.

[3] Guang Gong,et al. Signal Design for Good Correlation: For Wireless Communication, Cryptography, and Radar , 2005 .

[4] Hugo Krawczyk,et al. The Shrinking Generator , 1994, CRYPTO.

[5] Martin Hell,et al. Grain: a stream cipher for constrained environments , 2007, Int. J. Wirel. Mob. Comput..

[6] Damith C. Ranasinghe,et al. A2U2: A stream cipher for printed electronics RFID tags , 2011, 2011 IEEE International Conference on RFID.

[7] Christophe De Cannière,et al. KATAN and KTANTAN - A Family of Small and Efficient Hardware-Oriented Block Ciphers , 2009, CHES.

[8] Thomas Beth,et al. The Stop-and-Go Generator , 1985, EUROCRYPT.

[9] Guang Gong,et al. Hummingbird: Ultra-Lightweight Cryptography for Resource-Constrained Devices , 2010, Financial Cryptography Workshops.