Paper 2011/262

Cryptanalysis of the Light-Weight Cipher A2U2 - Reduced draft version

Mohamed Ahmed Abdelraheem, Julia Borghoff, and Erik Zenner

Abstract

At IEEE RFID 2011, David et al. proposed a new cryptographic primitive for use with RFID [2]. The design is a stream cipher called A2U2. Shortly afterwards, an attack was published on IACR Eprint by Chai et al. [1], claiming to break the cipher in a chosen-plaintext attack using extremely little computational resources. Regrettably, this attack is wrong since it works with an erroneous description of the cipher. In this paper, we show why the attack is wrong and how it can be repaired. Furthermore, we describe a guess-and-determine attack which applies in a known plaintext scenario. A special design feature of A2U2 is that the number of initialization rounds varies and depends on an internal counter. The number of rounds varies from 9 to 126. We proposed a differential-style attack which enables us to find the counter value determining the number of initialization rounds. Moreover, we present an attack that recovers the masterkey in the case that only 9 initialization rounds are used.

Note: First draft version

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
light-weight ciphercryptanalysisA2U2
Contact author(s)
j borghoff @ mat dtu dk
History
2011-05-28: received
Short URL
https://ia.cr/2011/262
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2011/262,
      author = {Mohamed Ahmed Abdelraheem and Julia Borghoff and Erik Zenner},
      title = {Cryptanalysis of the Light-Weight Cipher A2U2 - Reduced draft version},
      howpublished = {Cryptology ePrint Archive, Paper 2011/262},
      year = {2011},
      note = {\url{https://eprint.iacr.org/2011/262}},
      url = {https://eprint.iacr.org/2011/262}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.