Distinguishing Attacks on (Ultra-)Lightweight WG Ciphers

Abstract

The Welch-Gong (WG) family of stream ciphers include two subfamilies, which we call WG-A and WG-B, of patented (ultra-)lightweight ciphers designed by Gong et al. The Waterloo Commercialization Office, Canada, has included the WG-A in an RFID anti-counterfeiting system and has proposed the WG-B for securing 4G networks. The WG-A and WG-B ciphers support 80- and 128-bit keys, respectively. In this paper, we detect input-output correlations in the nonlinear transformations used by these ciphers. Exploiting these, we show distinguishing attacks that require, to nearly ensure success, between \(2^{22.20}\) and \(2^{29.07}\) keystream samples for WG-A and not more than \(2^{56.84}\) keystream samples for WG-B. We are not aware of any prior attacks on these ciphers.

A Derivation of the Probability \(\Pr (\hat{z}_{\scriptscriptstyle \text {A}} = 0)\)

Let us define the Boolean variables \(Y_1, Y_2, Y_3, Y_4\) and \(Y_5\) as follows:

$$\begin{aligned} Y_1= & {} W_{\scriptscriptstyle \text {A}}((s_{\scriptscriptstyle \text {A}}[t+20])^{d}) \oplus s_{\scriptscriptstyle \text {A}}[t+20]_{(i)}\,,\\ Y_2= & {} W_{\scriptscriptstyle \text {A}}((s_{\scriptscriptstyle \text {A}}[t+11])^{d}) \oplus s_{\scriptscriptstyle \text {A}}[t+11]_{(i)}\,,\\ Y_3= & {} W_{\scriptscriptstyle \text {A}}((s_{\scriptscriptstyle \text {A}}[t+9])^{d}) \oplus s_{\scriptscriptstyle \text {A}}[t+9]_{(i)}\,,\\ Y_4= & {} W_{\scriptscriptstyle \text {A}}((s_{\scriptscriptstyle \text {A}}[t])^{d}) \oplus (s_{\scriptscriptstyle \text {A}}[t] \boxdot _{\scriptscriptstyle 8} \omega ^{38})_{(i)}\,,\\ Y_5= & {} {z_{\scriptscriptstyle \text {A}}}_{(t+1)} \oplus {z_{\scriptscriptstyle \text {A}}}_{(t-8)}\oplus {z_{\scriptscriptstyle \text {A}}}_{(t-10)} \oplus {z_{\scriptscriptstyle \text {A}}}_{(t-19)}\,, \end{aligned}$$

for any \(i \in \{0,1,\ldots ,7\}\), \(t \ge 19\). From Theorem 1, we construct the Boolean truth table given in Table 7.

Table 7. Truth table that satisfies the relation between the Boolean variables \(Y_1, Y_2, Y_3, Y_4\) and \(Y_5\)

From Sect. 4.1, we get:

$$\begin{aligned} \Pr (Y_1=0)= & {} p_i\,,\end{aligned}$$

(16)

$$\begin{aligned} \Pr (Y_2=0)= & {} p_i\,,\end{aligned}$$

(17)

$$\begin{aligned} \Pr (Y_3=0)= & {} p_i\,,\end{aligned}$$

(18)

$$\begin{aligned} \Pr (Y_4=0)= & {} q_i\,, \end{aligned}$$

(19)

$$\begin{aligned} \Pr (Y_5=0)= & {} \Pr (\hat{z}_{\scriptscriptstyle \text {A}} = 0)\,. \end{aligned}$$

(20)

We assume that the events corresponding to \(Y_1, Y_2, Y_3\) and \(Y_4\) are independent and the events corresponding to the rows of the truth table given in Table 7 are mutually exclusive. Then, the truth table given in Table 7 and (16)–(20) yield:

$$\begin{aligned} \Pr (\hat{z}_{\scriptscriptstyle \text {A}} = 0) = p_i^3q_i + 3(1-p_i)^2p_iq_i + 3p_i^2(1-p_i)(1-q_i) + (1-p_i)^3(1-q_i)\,. \qquad \qquad \square \end{aligned}$$