Cryptology ePrint Archive: Report 2011/262

Cryptanalysis of the Light-Weight Cipher A2U2 - Reduced draft version

Mohamed Ahmed Abdelraheem and Julia Borghoff and Erik Zenner

Abstract: At IEEE RFID 2011, David et al. proposed a new cryptographic primitive for use with RFID [2]. The design is a stream cipher called A2U2. Shortly afterwards, an attack was published on IACR Eprint by Chai et al. [1], claiming to break the cipher in a chosen-plaintext attack using extremely little computational resources. Regrettably, this attack is wrong since it works with an erroneous description of the cipher. In this paper, we show why the attack is wrong and how it can be repaired. Furthermore, we describe a guess-and-determine attack which applies in a known plaintext scenario. A special design feature of A2U2 is that the number of initialization rounds varies and depends on an internal counter. The number of rounds varies from 9 to 126. We proposed a di fferential-style attack which enables us to fi nd the counter value determining the number of initialization rounds. Moreover, we present an attack that recovers the masterkey in the case that only 9 initialization rounds are used.

Category / Keywords: secret-key cryptography / light-weight cipher, cryptanalysis, A2U2

Date: received 25 May 2011, last revised 27 May 2011

Contact author: j borghoff at mat dtu dk

Available format(s): PDF | BibTeX Citation

Note: First draft version

Version: 20110528:040949 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]