Related-Key Attacks Against Full Hummingbird-2

  • Markku-Juhani O. SaarinenEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8424)


We present attacks on full Hummingbird-2 which are able to recover the 128-bit secret keys of two black box cipher instances that have a certain type of low-weight XOR difference in their keys. We call these highly correlated keys as they produce the same ciphertext with a significant probability. The complexity of our main chosen-IV key-recovery attack is \(2^{64}\). The first 64 bits of the key can be independently recovered with only \(2^{36}\) effort. This is the first sub-exhaustive attack on the full cipher under two related keys. Our attacks use some novel tricks and techniques which are made possible by Hummingbird-2’s unique word-based structure. We have verified the correctness and complexity of our attacks by fully implementing them. We also discuss enabling factors of these attacks and describe an alternative design for the WD16 nonlinear keyed function which is resistant to attacks of this type. The new experimental function replaces S-boxes with simple \(\chi \) functions.


Hummingbird-2 Related-key cryptanalysis Lightweight cryptography Authenticated encryption Hummingbird-2nu 

Supplementary material


  1. 1.
    Engels, D., Saarinen, M.-J.O., Schweitzer, P., Smith, E.M.: The hummingbird-2 lightweight authenticated encryption algorithm. In: Juels, A., Paar, C. (eds.) RFIDSec 2011. LNCS, vol. 7055, pp. 19–31. Springer, Heidelberg (2012) Google Scholar
  2. 2.
    Engels, D.: HB2-128 crypto-suite proposal. Technical report, Revere Security, December 2011 Version 1.1Google Scholar
  3. 3.
    Saarinen, M.-J.O.: Cryptanalysis of hummingbird-1. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 328–341. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  4. 4.
    Engels, D., Fan, X., Gong, G., Hu, H., Smith, E.M.: Ultra-lightweight cryptography for low-cost RFID tags: hummingbird algorithm and protocol. Technical report CACR-2009-29, University of Waterloo (2009).
  5. 5.
    Engels, D., Fan, X., Gong, G., Hu, H., Smith, E.M.: \(\sf Hummingbird\): Ultra-Lightweight Cryptography for Resource-Constrained Devices. In: Sion, R., Curtmola, R., Dietrich, S., Kiayias, A., Miret, J.M., Sako, K., Sebé, F. (eds.) FC 2010 Workshops. LNCS, vol. 6054, pp. 3–18. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  6. 6.
    Fan, X., Hu, H., Gong, G., Smith, E.M., Engels, D.: Lightweight implementation of Hummingbird cryptographic algorithm on 4-bit microcontroller. In: The 1st International Workshop on RFID Security and Cryptography (RISC’09), pp. 838–844 (2009)Google Scholar
  7. 7.
    Chai, Q., Gong, G.: A cryptanalysis of hummingbird-2: the differential sequence analysis. IACR ePrint 2012/233, April 2012.
  8. 8.
    Fan, X., Gong, G.: On the security of \(\sf {hummingbird-2}\) against side channel cube attacks. In: Armknecht, F., Lucks, S. (eds.) WEWoRC 2011. LNCS, vol. 7242, pp. 18–29. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  9. 9.
    Zhu, B., Gong, G.: Multidimensional meet-in-the-middle attack and its applications to GOST, KTANTAN and Hummingbird-2. IACR ePrint 2011/619, November 2011.
  10. 10.
    Zhang, K., Ding, L., Guan, J.: Cryptanalysis of hummingbird-2. IACR ePrint 2012/207, April 2012.
  11. 11.
    Ferguson, N., Whiting, D., Schneier, B., Kelsey, J., Lucks, S., Kohno, T.: Helix: fast encryption and authentication in a single cryptographic primitive. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 330–346. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  12. 12.
    Whiting, D., Schneier, B., Lucks, S., Muller, F.: Phelix - fast encryption and authentication in a single cryptographic primitive. ECRYPT Stream Cipher Project Report 2005/027 (2005).
  13. 13.
    Vaudenay, S.: On the need for multipermutations: cryptanalysis of MD4 and SAFER. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 286–297. Springer, Heidelberg (1995) CrossRefGoogle Scholar
  14. 14.
    Rijmen, V., Daemen, J., Preneel, B., Bosselaers, A., Win, E.D.: The cipher SHARK. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 99–111. Springer, Heidelberg (1996) CrossRefGoogle Scholar
  15. 15.
    NIST: Advanced Encryption Standard (AES). Federal Information Processing Standards 197 (2001)Google Scholar
  16. 16.
    Daemen, J.: Cipher and hash function design strategies based on linear and differential cryptanalysis. Ph.D. thesis (1995)Google Scholar
  17. 17.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: The Keccak reference, version 3.0. NIST SHA3 Submission Document, January 2011Google Scholar
  18. 18.
    Saarinen, M.-J.O.: Cryptographic analysis of all \(4 \times 4\)-bit S-boxes. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 118–133. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  19. 19.
    Ehrenfeucht, A., Mycielski, J.: A pseudorandom sequence - how random is it. Amer. Math. Mon. 99, 373–375 (1992)CrossRefzbMATHMathSciNetGoogle Scholar
  20. 20.
    Sutner, K.: The Ehrenfeucht-Mycielski sequence. In: Ibarra, O.H., Dang, Z. (eds.) CIAA 2003. LNCS, vol. 2759, pp. 282–293. Springer, Heidelberg (2003) CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  1. 1.Revere Security (now defunct)HelsinkiFinland

Personalised recommendations