Abstract
The Welch-Gong (WG) family of stream ciphers includes two subfamilies, which we call WG-A and WG-B, of patented (ultra-)lightweight ciphers designed by Gong et al. The Waterloo Commercialization Office, Canada, has included WG-A in an RFID anti-counterfeiting system and has proposed WG-B for securing 4G networks. The WG-A and WG-B ciphers support 80- and 128-bit keys, respectively. In this paper, we detect input-output correlations in the nonlinear transformations used by these ciphers. Exploiting these, we show distinguishing attacks that require, to nearly ensure success, between \(2^{22.20}\) and \(2^{29.07}\) keystream samples for WG-A and not more than \(2^{56.84}\) keystream samples for WG-B. We are not aware of any prior attacks on these ciphers.
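The sample counts quoted in the abstract follow the standard argument for a bias-based distinguisher (Matsui-style): if a keystream bit, or a linear combination of keystream bits, equals 0 with probability \(1/2 + \varepsilon\) instead of exactly \(1/2\), a threshold test on the zero count separates the cipher from a uniformly random source with about \((z/\varepsilon)^2\) samples, where \(z\) is the standard-normal quantile of the target success rate. The Python below is added here as an illustration; it is not code from the paper or its authors. The biases \(2^{-4}\), \(2^{-8}\), \(2^{-12}\) and the success rates used are assumed for illustration only and are not the WG-A or WG-B biases the paper derives; `biased_source` is a constructed stand-in for a real keystream generator, and one sample is taken to mean one keystream bit.

```python
"""Sample complexity of a single-bit keystream distinguisher.

Added example, not the paper's code. All biases and success rates passed in
below are assumed for illustration; they are not the WG-A/WG-B figures.
"""
import math
import random
from statistics import NormalDist
from typing import Iterable, Iterator


def samples_needed(bias: float, success: float) -> int:
    """Keystream samples N so that the threshold distinguisher succeeds with
    probability `success`, given Pr(z = 0) = 1/2 + bias for the cipher and
    exactly 1/2 for a random source.

    Under both hypotheses the zero count among N samples is approximately
    normal with standard deviation sqrt(N)/2, and the two means differ by
    N*bias. A threshold halfway between the means gives each error
    probability Q(bias*sqrt(N)), so N = (z / bias)^2 with z the `success`
    quantile of N(0, 1). The result is rounded up to an integer.
    """
    if not (0.0 < bias < 0.5) or not (0.5 < success < 1.0):
        raise ValueError("bias must lie in (0, 0.5) and success in (0.5, 1)")
    z = NormalDist().inv_cdf(success)
    return math.ceil((z / bias) ** 2)


def log2_complexity(n: int) -> float:
    """Express a sample count in the paper's 2^x notation."""
    return math.log2(n)


def distinguish(bits: Iterable[int], n: int, bias: float) -> bool:
    """Consume n bits; return True if they look like the biased cipher.

    The threshold n*(1/2 + bias/2) sits halfway between the expected zero
    counts of the random source (n/2) and the cipher (n*(1/2 + bias)).
    """
    zeros = sum(1 for _, b in zip(range(n), bits) if b == 0)
    return zeros > n * (0.5 + bias / 2)


def biased_source(bias: float, rng: random.Random) -> Iterator[int]:
    """Constructed stand-in for a cipher whose keystream bit is 0 with
    probability 1/2 + bias (assumed bias, not a real WG keystream)."""
    while True:
        yield 0 if rng.random() < 0.5 + bias else 1


def fair_source(rng: random.Random) -> Iterator[int]:
    """Constructed uniformly random bit source (the null hypothesis)."""
    while True:
        yield rng.getrandbits(1)


def success_rate(bias: float, success: float, trials: int, seed: int = 1) -> float:
    """Empirical check of samples_needed: fraction of trials in which the
    biased source is flagged and the fair source is not, each trial using
    exactly samples_needed(bias, success) bits per source."""
    rng = random.Random(seed)
    n = samples_needed(bias, success)
    correct = 0
    for _ in range(trials):
        cipher_flagged = distinguish(biased_source(bias, rng), n, bias)
        random_flagged = distinguish(fair_source(rng), n, bias)
        correct += int(cipher_flagged and not random_flagged)
    return correct / trials


if __name__ == "__main__":
    # Assumed biases; halving the bias quadruples the sample count.
    for bias in (2 ** -8, 2 ** -12):
        for succ in (0.99, 0.999):
            n = samples_needed(bias, succ)
            print(f"bias 2^{math.log2(bias):.0f}, success {succ}: "
                  f"N = {n} = 2^{log2_complexity(n):.2f}")
    print("empirical success at assumed bias 2^-4:",
          success_rate(2 ** -4, 0.999, trials=50))
```

Because the keystream here is generated one bit per draw, `n` counts samples in the sense of Note 3 only if each sample is one bit; a distinguisher that combines several keystream bits per sample needs the same arithmetic applied to the bias of that combination.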
Notes
1. We follow this nomenclature to distinguish between the patented and unpatented variants of WG-8 and WG-16.
2. To facilitate comparisons, we reasonably assume that the success rates of the attacks on WG-16 and WG-B are equal.
3. In this paper, to compute the time complexity of our distinguishing attacks we assume that the attacker collects one keystream sample per (K, IV) pair. It is reasonable to expect the results of our simulations to agree with simulations performed with \(2^{30}\) (K, IV) pairs chosen uniformly at random and one keystream sample per (K, IV) pair.
4. An inherent assumption is that the decimation factor has no bearing on the run-time of the cipher.
References
Aagaard, M., Gong, G., Mota, R.K.: Hardware implementations of the WG-5 cipher for passive RFID tags. In: IEEE International Symposium on Hardware-Oriented Security and Trust, Proceedings of HOST 2013, pp. 29–34 (2013). doi:10.1109/HST.2013.6581561
Ding, L., Jin, C., Guan, J., Wang, Q.: Cryptanalysis of lightweight WG-8 stream cipher. IEEE Trans. Inf. Foren. Secur. 9(4), 645–652 (2014). doi:10.1109/TIFS.2014.2307202
Ding, L., Jin, C., Guan, J., Zhang, S., Cui, T., Han, D., Zhao, W.: Cryptanalysis of WG family of stream ciphers. Comput. J. 58(10), 2677–2685 (2015). doi:10.1093/comjnl/bxv024
ECRYPT: The eSTREAM project. http://www.ecrypt.eu.org/stream
Fan, X., Gong, G.: Specification of the stream cipher WG-16 based confidentiality and integrity algorithms. University of Waterloo Technical report, CACR 2013–06 (2013). http://cacr.uwaterloo.ca/techreports/2013/cacr2013-06.pdf
Fan, X., Mandal, K., Gong, G.: WG-8: a lightweight stream cipher for resource-constrained smart devices. In: Singh, K., Awasthi, A.K. (eds.) QShine 2013. LNICSSITE, vol. 115, pp. 617–632. Springer, Heidelberg (2013). doi:10.1007/978-3-642-37949-9_54
Gong, G., Aagaard, M., Fan, X.: Lightweight stream cipher cryptosystems. US Patent 8,953,784 (2015). https://www.google.com/patents/US8953784
Gong, G., Aagaard, M., Fan, X.: Resilience to distinguishing attacks on WG-7 cipher and their generalizations. Cryptogr. Commun. 5(4), 277–289 (2013). doi:10.1007/s12095-013-0089-7
Gong, G., Youssef, A.M.: Cryptographic properties of the Welch-Gong transformation sequence generators. IEEE Trans. Inf. Theory 48(11), 2837–2846 (2002). doi:10.1109/TIT.2002.804043
Luo, Y., Chai, Q., Gong, G., Lai, X.: A lightweight stream cipher WG-7 for RFID encryption and authentication. In: IEEE Global Telecommunications Conference, Proceedings of GLOBECOM 2010, pp. 1–6 (2010). doi:10.1109/GLOCOM.2010.5684215
Mandal, K., Gong, G., Fan, X., Aagaard, M.: Optimal parameters for the WG stream cipher family. Cryptogr. Commun. 6(2), 117–135 (2013). doi:10.1007/s12095-013-0091-0
Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). doi:10.1007/3-540-48285-7_33
Nawaz, Y., Gong, G.: WG: a family of stream ciphers with designed randomness properties. Inf. Sci. 178(7), 1903–1916 (2008). doi:10.1016/j.ins.2007.12.002
Orumiehchiha, M.A., Pieprzyk, J., Steinfeld, R.: Cryptanalysis of WG-7: a lightweight stream cipher. Cryptogr. Commun. 4(3), 277–285 (2012). doi:10.1007/s12095-012-0070-x
Rønjom, S.: Powers of subfield polynomials, cyclic codes and algebraic attacks with applications to the WG stream ciphers. In: International Workshop on Coding and Cryptography, WCC 2015 (2015). https://hal.inria.fr/hal-01276274
Rønjom, S., Helleseth, T.: Attacking the filter generator over \(\mathrm{GF}(2^m)\). In: Carlet, C., Sunar, B. (eds.) WAIFI 2007. LNCS, vol. 4547, pp. 264–275. Springer, Heidelberg (2007). doi:10.1007/978-3-540-73074-3_20
No, J.S., Golomb, S.W., Gong, G., Lee, H.K., Gaal, P.: Binary pseudorandom sequences of period \(2^n-1\) with ideal autocorrelation. IEEE Trans. Inf. Theory 44(2), 814–817 (1998). doi:10.1109/18.661528
Waterloo Commercialization Office: Lightweight Security Algorithm for 4G Networks. https://uwaterloo.ca/research/waterloo-commercialization-office-watco/business-opportunities-industry/lightweight-security-algorithm-4g-networks
TechConnect World Innovation Conference and Expo: A Secure RFID System for Product Anti-Counterfeiting. http://www.techconnectworld.com/World2015/participate/innovation/pop.html?id=205
Wu, H., Preneel, B.: Resynchronization attacks on WG and LEX. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 422–432. Springer, Heidelberg (2006). doi:10.1007/11799313_27
Acknowledgements
The authors would like to thank the anonymous reviewers of LightSec 2016 for their comments and suggestions.
A Derivation of the Probability \(\Pr (\hat{z}_{\scriptscriptstyle \text {A}} = 0)\)
Let us define the Boolean variables \(Y_1, Y_2, Y_3, Y_4\) and \(Y_5\) as follows:
for any \(i \in \{0,1,\ldots ,7\}\), \(t \ge 19\). From Theorem 1, we construct the Boolean truth table given in Table 7.
From Sect. 4.1, we get:
We assume that the events corresponding to \(Y_1, Y_2, Y_3\) and \(Y_4\) are independent and the events corresponding to the rows of the truth table given in Table 7 are mutually exclusive. Then, the truth table given in Table 7 and (16)–(20) yield:
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Joseph, M., Sekar, G., Balasubramanian, R. (2017). Distinguishing Attacks on (Ultra-)Lightweight WG Ciphers. In: Bogdanov, A. (eds) Lightweight Cryptography for Security and Privacy. LightSec 2016. Lecture Notes in Computer Science(), vol 10098. Springer, Cham. https://doi.org/10.1007/978-3-319-55714-4_4
DOI: https://doi.org/10.1007/978-3-319-55714-4_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-55713-7
Online ISBN: 978-3-319-55714-4