A Real-Time Key Recovery Attack on the Lightweight Stream Cipher A2U2

  • Zhenqing Shi
  • Xiutao Feng
  • Dengguo Feng
  • Chuankun Wu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7712)


The stream cipher A2U2 proposed by David et al. [7] is one of lightweight cipher primitives. In this paper we present a real-time key recovery attack on A2U2 under the known-plaintext-attack model, which only needs at most 210 consecutive ciphertext bits and its corresponding plaintext with the time complexity about 224.7. Our result is much better than that of the attack proposed by M. Abdelraheem et al. in [9] whose complexity is O(249×C), where C is the complexity of solving a sparse quadratic equation system on 56 unknown key bits. Furthermore we provide a new approach to solving the above sparse quadratic equation system, which reduces the complexity C to a very small constant. Finally we do an entire experiment on a PC and recover all bits of a random key in a few seconds.


Stream ciphers A2U2 Lightweight ciphers Key recovery attacks 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Finkenzeller, K.: Introduction. In: RFID Handbook: Fundamentals and Applications in Contactless Smart Cards, Radio Frequency Identification and Near-Field Communication, 3rd edn., ch. 1 (2010)Google Scholar
  2. 2.
    Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: An Ultra-Lightweight Block Cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  3. 3.
    De Cannière, C., Dunkelman, O., Knežević, M.: KATAN and KTANTAN — A Family of Small and Efficient Hardware-Oriented Block Ciphers. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 272–288. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  4. 4.
    Engels, D., Fan, X., Gong, G., Hu, H., Smith, E.M.: Hummingbird: Ultra-Lightweight Cryptography for Resource-Constrained Devices. In: Sion, R., Curtmola, R., Dietrich, S., Kiayias, A., Miret, J.M., Sako, K., Sebé, F. (eds.) FC 2010 Workshops. LNCS, vol. 6054, pp. 3–18. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  5. 5.
    Knudsen, L., Leander, G., Poschmann, A., Robshaw, M.J.B.: PRINTcipher: A Block Cipher for IC-Printing. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 16–32. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  6. 6.
    Hell, M., Johansson, T., Meier, W.: Grain: a stream cipher for constrained environments. International Journal of Wireless and Mobile Computing 2(1), 86–93 (2007)CrossRefGoogle Scholar
  7. 7.
    David, M., Ranasinghe, D.C., Larsen, T.: A2U2: a stream cipher for printed electronics RFID tags. In: IEEE International Conference on RFID 2011, pp. 173–183 (2011)Google Scholar
  8. 8.
    Chai, Q., Fan, X., Gong, G.: An Ultra-Efficient Key Recovery Attack on the Lightweight Stream Cipher A2U2, IACR Cryptology ePrint Archive, p. 247 (2011)Google Scholar
  9. 9.
    Abdelraheem, M.A., Borghoff, J., Zenner, E., David, M.: Cryptanalysis of the Light-Weight Cipher A2U2. In: Chen, L. (ed.) Cryptography and Coding 2011. LNCS, vol. 7089, pp. 375–390. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  10. 10.
    Coppersmith, D., Krawczyk, H., Mansour, Y.: The Shrinking Generator. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 22–39. Springer, Heidelberg (1994)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Zhenqing Shi
    • 1
  • Xiutao Feng
    • 2
  • Dengguo Feng
    • 1
  • Chuankun Wu
    • 3
  1. 1.Institute of SoftwareChinese Academy of SciencesBeijingChina
  2. 2.Key Laboratory of Mathematics MechanizationAcademy of Mathematics and Systems Science, Chinese Academy of SciencesBeijingChina
  3. 3.Institute of Information EngineeringChinese Academy of SciencesBeijingChina

Personalised recommendations