A Real-Time Key Recovery Attack on the Lightweight Stream Cipher A2U2
The stream cipher A2U2 proposed by David et al.  is one of lightweight cipher primitives. In this paper we present a real-time key recovery attack on A2U2 under the known-plaintext-attack model, which only needs at most 210 consecutive ciphertext bits and its corresponding plaintext with the time complexity about 224.7. Our result is much better than that of the attack proposed by M. Abdelraheem et al. in  whose complexity is O(249×C), where C is the complexity of solving a sparse quadratic equation system on 56 unknown key bits. Furthermore we provide a new approach to solving the above sparse quadratic equation system, which reduces the complexity C to a very small constant. Finally we do an entire experiment on a PC and recover all bits of a random key in a few seconds.
KeywordsStream ciphers A2U2 Lightweight ciphers Key recovery attacks
Unable to display preview. Download preview PDF.
- 1.Finkenzeller, K.: Introduction. In: RFID Handbook: Fundamentals and Applications in Contactless Smart Cards, Radio Frequency Identification and Near-Field Communication, 3rd edn., ch. 1 (2010)Google Scholar
- 4.Engels, D., Fan, X., Gong, G., Hu, H., Smith, E.M.: Hummingbird: Ultra-Lightweight Cryptography for Resource-Constrained Devices. In: Sion, R., Curtmola, R., Dietrich, S., Kiayias, A., Miret, J.M., Sako, K., Sebé, F. (eds.) FC 2010 Workshops. LNCS, vol. 6054, pp. 3–18. Springer, Heidelberg (2010)CrossRefGoogle Scholar
- 7.David, M., Ranasinghe, D.C., Larsen, T.: A2U2: a stream cipher for printed electronics RFID tags. In: IEEE International Conference on RFID 2011, pp. 173–183 (2011)Google Scholar
- 8.Chai, Q., Fan, X., Gong, G.: An Ultra-Efficient Key Recovery Attack on the Lightweight Stream Cipher A2U2, IACR Cryptology ePrint Archive, p. 247 (2011)Google Scholar
- 10.Coppersmith, D., Krawczyk, H., Mansour, Y.: The Shrinking Generator. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 22–39. Springer, Heidelberg (1994)Google Scholar