Cryptology ePrint Archive: Report 2011/262
Cryptanalysis of the Light-Weight Cipher A2U2 - Reduced draft version
Mohamed Ahmed Abdelraheem and Julia Borghoff and Erik Zenner
Abstract: At IEEE RFID 2011, David et al. proposed a new cryptographic primitive for use
with RFID. The design is a stream cipher called A2U2. Shortly afterwards, an
attack was published on IACR ePrint by Chai et al., claiming to break the cipher
in a chosen-plaintext attack using extremely little computational resources.
Regrettably, this attack is wrong since it works with an erroneous description of
the cipher. In this paper, we show why the attack is wrong and how it can be repaired.
Furthermore, we describe a guess-and-determine attack which
applies in a known-plaintext scenario.
A special design feature of A2U2 is that the number of initialization rounds
varies and depends on an internal counter. The number of rounds varies from 9
to 126. We propose a differential-style attack which enables
us to find the counter value determining the number of initialization rounds.
Moreover, we present an attack that recovers the master key in the case that only
9 initialization rounds are used.
Category / Keywords: secret-key cryptography / light-weight cipher, cryptanalysis, A2U2
Date: received 25 May 2011, last revised 27 May 2011
Contact author: j borghoff at mat dtu dk
Note: First draft version
Version: 20110528:040949