Related-Key Slide Attacks on Block Ciphers with Secret Components

  • Meltem Sönmez Turan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8162)


Lightweight cryptography aims to provide sufficient security with low area/power/energy requirements for constrained devices. In this paper, we focus on the lightweight encryption algorithm specified and approved in NRS 009-6-7:2002 by Electricity Suppliers Liaison Committee to be used with tokens in prepayment electricity dispensing systems in South Africa. The algorithm is a 16-round SP network with 64-bit key using two 4-to-4 bit S-boxes and a 64-bit permutation. The S-boxes and the permutation are kept secret and provided only to the manufacturers of the system under license conditions. We present related-key slide attacks to recover the secret key and secret components using four scenarios; (i) known S-box and permutation with 248 time complexity using 216 + 1 chosen plaintexts; (ii) unknown S-box and known permutation with 255 time complexity using 222.71 + 1 chosen plaintexts; (iii) known S-box and unknown permutation with 248 time complexity using 216 + 1 chosen plaintexts and 212.28 adaptively chosen plaintexts; and finally, (iv) unknown S-box and permutation, with 248 time complexity using 222.71 + 1 chosen plaintexts and 231.29 adaptively chosen plaintexts. We also extend these attacks to recover the secret components in a chosen-key setting with practical complexities.


Lightweight Block Ciphers Related-Key Slide Attacks Secret Components 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Feldhofer, M., Wolkerstorfer, J., Rijmen, V.: AES Implementation on a Grain of Sand. IEE Proceedings / Information Security 152, 13–20 (2005)CrossRefGoogle Scholar
  2. 2.
    Hamalainen, P., Alho, T., Hannikainen, M., Hamalainen, T.D.: Design and Implementation of Low-Area and Low-Power AES Encryption Hardware Core. In: Proceedings of the 9th EUROMICRO Conference on Digital System Design, DSD 2006, pp. 577–583. IEEE Computer Society, Washington, DC (2006)Google Scholar
  3. 3.
    Moradi, A., Poschmann, A., Ling, S., Paar, C., Wang, H.: Pushing the Limits: A Very Compact and a Threshold Implementation of AES. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 69–88. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  4. 4.
    Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: An Ultra-Lightweight Block Cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  5. 5.
    Hong, D., Sung, J., Hong, S., Lim, J., Lee, S., Koo, B., Lee, C., Chang, D., Lee, J., Jeong, K., Kim, H., Kim, J., Chee, S.: HIGHT: A New Block Cipher Suitable for Low-Resource Device. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 46–59. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  6. 6.
    Leander, G., Paar, C., Poschmann, A., Schramm, K.: New Lightweight DES Variants. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 196–210. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  7. 7.
    Knudsen, L.R., Leander, G., Poschmann, A., Robshaw, M.J.B.: PRINTcipher: A Block Cipher for IC-Printing. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 16–32. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  8. 8.
    Wagner, D., Briceno, M., Goldberg, I.: A Pedagogical Implementation of the GSM A5/1 and A5/2 ”voice privacy” encryption algorithms, (accessed January 23, 2013)
  9. 9.
    4C Entity. C2 Block Cipher Specification, Revision 1.0,
  10. 10.
    Borghoff, J., Knudsen, L.R., Leander, G., Matusiewicz, K.: Cryptanalysis of C2. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 250–266. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  11. 11.
    NRS 009-6-7:2002. Rationalized User Specification, Electricity Sales Systems, Part 6: Interface standards Section 7: Standard Transfer Specification/Credit Dispensing Unit – Electricity dispenser – Token Encoding and Data Encryption and Decryption (2002)Google Scholar
  12. 12.
    Borghoff, J., Knudsen, L.R., Leander, G., Thomsen, S.S.: Cryptanalysis of PRESENT-Like Ciphers with Secret S-Boxes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 270–289. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  13. 13.
    Borghoff, J., Knudsen, L.R., Leander, G., Thomsen, S.S.: Slender-Set Differential Cryptanalysis. J. Cryptology 26(1), 11–38 (2013)MathSciNetzbMATHCrossRefGoogle Scholar
  14. 14.
    Biryukov, A., Wagner, D.: Slide Attacks. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 245–259. Springer, Heidelberg (1999)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Meltem Sönmez Turan
    • 1
  1. 1.National Institute of Standards and TechnologyGaithersburgUSA

Personalised recommendations