
Lightweight block ciphers are designed for restricted environments such as radio frequency identification (RFID) technology and sensor networks, which are important components of the Internet of Things. NUX is a 31-round iterative ultralightweight cipher proposed by Bansod

The Internet of Things is defined as a variety of devices and technologies such as sensors, radio frequency identification (RFID) technology, global positioning systems, infrared sensors, laser scanners, and gas sensors. Its essence is to use RFID technology to realize the automatic identification of items and the interconnection and sharing of information through the Internet. In this new cryptographic environment, RFID technology and sensor networks share similar properties, such as weak computational ability, small storage space, and strict power constraints. Therefore, traditional block ciphers are not suitable for such an extremely constrained environment, and lightweight block ciphers have been put forward for it and have shown their importance in various applications. Recently, many lightweight block ciphers have been designed to maintain security under limited resource conditions, such as PRESENT [

Differential analysis, a chosen-plaintext attack, was proposed by Biham and Shamir to analyze DES [

NUX is a 31-round iterative lightweight block cipher proposed by Bansod


The resistance to the linear analysis for

For full NUX, the probability of the best differential characteristic is

Using 22-round differential characteristic with probability

Utilizing the property of difference propagation through NUX, distinguishing attack can be implemented on full NUX with data complexity 8, which is depicted in Table

Comparison of tails on NUX.

Method | Rounds | Probability/bias | Reference
---|---|---|---
Differential | 25 | | [
Differential | 25 | | Section
Differential | 31 | | Section
Linear | 25 | | [
Linear | 25 | | Section
Linear | 31 | | Section

Summary of attacks on NUX.

Attack type | Rounds | Time | Data | Memory (Bytes) | Reference
---|---|---|---|---|---
Differential | 25 | - | | - | [
Differential | 29 | | | | Section
Linear | 25 | - | | - | [
Linear | 25 | | | | Section
Distinguishing | 31 | 8 | 8 | 0 | Section

The organization of the paper is as follows. The notations and description of NUX are given in Section

This section will list notations and operations used in this paper and describe NUX.

NUX is a 31-round ultralightweight cipher based on generalized Feistel network. It supports a key length of 128/80 bits and a block length of 64 bits. The round function is illustrated in Figure

The round function of NUX.

There are two F-functions

S-box used in NUX.

x | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | a | b | c | d | e | f
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---
S(x) | e | 7 | 8 | 4 | 1 | 9 | 2 | f | 5 | a | b | 0 | 6 | c | d | 3

The 64-bit input of the

Bit permutation table P in NUX.

i | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---
P(i) | 15 | 11 | 7 | 3 | 2 | 14 | 10 | 6 | 5 | 1 | 13 | 9 | 8 | 4 | 0 | 12

After 31 rounds, the ciphertext will be acquired as

In this section, how to search for differential characteristics of NUX is described, and then a key-recovery attack is conducted on 29-round NUX.

To search for differential characteristics of NUX, the difference propagation between round functions must be considered, together with how differences propagate through the S-boxes. When a difference passes through an S-box, the output difference and its probability are determined by looking up the XOR difference distribution table (DDT) of the S-box.

Algorithm

Differential characteristics of NUX.

Rounds | Probability | Number of tails
---|---|---
2 | | 192
3 | | 56
4 | | 4
5 | | 1
6 | | 2
7 | | 2
8 | | 8
9 | | 1
10 | | 16
11 | | 24
12 | | 4
13 | | 8
14 | | 4
15 | | 18
16 | | 2
17 | | 1
18 | | 4
19 | | 4
20 | | 2
21 | | 48
22 | | 2
23 | | 32
24 | | 49
25 | | 10
26 | | 4
27 | | 4
28 | | 16
29 | | 2
30 | | 32
31 | | 48

Differential representation of NUX.

Furthermore, the minimal numbers of active S-boxes of 1

Minimal number of active S-boxes from differential characteristic.

Reference | 1 round | 2 rounds | 3 rounds | 4 rounds | 5 rounds
---|---|---|---|---|---
[ | 0 | 1 | 2 | 5 | 9
Section | 0 | 1 | 2 | 3 | 3

A 22-round differential characteristic is chosen with probability to be

Collect

Initialize

For each plaintext pair

Initialize

Guess 96-bit key

Use

Set advantage

22-Round differential characteristic of NUX.

Rounds | | | | | Probability
---|---|---|---|---|---
0 | | | | | 1
1 | | | | |
2 | | | | |
3 | | | | |
4 | | | | |
5 | | | | |
6 | | | | |
7 | | | | |
8 | | | | |
9 | | | | |
10 | | | | |
11 | | | | |
12 | | | | |
13 | | | | |
14 | | | | |
15 | | | | |
16 | | | | |
17 | | | | | 1
18 | | | | |
19 | | | | |
20 | | | | |
21 | | | | | 1
22 | | | | |

Differential attack of 29-round NUX.

If set

The counters

The success rate

Linear approximations of NUX are searched for in this section, and the 25-round key-recovery attack is performed on NUX using a 19-round linear approximation.

To search for linear approximations of NUX, how masks propagate through the S-boxes must be taken into account. When a mask passes through an S-box, the linear approximation table (LAT) of the S-box is looked up to determine the output mask and its bias. Algorithm
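The DDT consulted by the differential search and the LAT consulted by the linear search are both derived from the NUX S-box table given earlier. The following Python, added here as an illustration and not taken from the paper or its authors' programs, builds both tables for that S-box and exposes the per-S-box differential probability and linear bias that a trail search multiplies across active S-boxes.

```python
# Added example: XOR difference distribution table (DDT) and linear
# approximation table (LAT) of the 4-bit NUX S-box from the table above.
# The S-box values are the paper's; the helper names are this example's own.

SBOX = [0xe, 0x7, 0x8, 0x4, 0x1, 0x9, 0x2, 0xf,
        0x5, 0xa, 0xb, 0x0, 0x6, 0xc, 0xd, 0x3]


def ddt(sbox):
    """ddt[a][b] = number of inputs x with S(x) ^ S(x ^ a) == b."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def parity(v):
    """Parity of the bits of v, i.e. the dot product a.x for a & x."""
    return bin(v).count("1") & 1


def lat(sbox):
    """lat[a][b] = #{x : a.x == b.S(x)} - n/2; bias of the mask pair is lat/n."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            agree = sum(parity(a & x) == parity(b & sbox[x]) for x in range(n))
            table[a][b] = agree - n // 2
    return table


def best_nontrivial(table):
    """Largest |entry| over nonzero input and nonzero output differences/masks."""
    n = len(table)
    return max(abs(table[a][b]) for a in range(1, n) for b in range(1, n))


def differential_probability(a, b):
    """Probability that input difference a maps to output difference b."""
    return ddt(SBOX)[a][b] / len(SBOX)


def linear_bias(a, b):
    """Signed bias of the approximation a.x == b.S(x)."""
    return lat(SBOX)[a][b] / len(SBOX)
```

For this S-box the largest nontrivial DDT entry is 4, so the best probability through one active S-box is 2^-2; the count of active S-boxes per round then bounds the trail probability as the searches in this paper do.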

The number of active S-boxes of the i-th round

Linear representation of NUX.

The bias of one round can be

Linear approximations of NUX.

Rounds | Bias | Number of tails
---|---|---
2 | | 288
3 | | 300
4 | | 13
5 | | 2
6 | | 4
7 | | 13
8 | | 62
9 | | 6
10 | | 70
11 | | 11
12 | | 70
13 | | 4
14 | | 2
15 | | 4
16 | | 16
17 | | 4
18 | | 4
19 | | 16
20 | | 4
21 | | 8
22 | | 60
23 | | 21
24 | | 25
25 | | 48
26 | | 103
27 | | 4
28 | | 7
29 | | 54
30 | | 4
31 | | 2

Moreover, the minimal numbers of active S-boxes of 1

Minimal number of active S-boxes from linear approximation.

Reference | 1 round | 2 rounds | 3 rounds | 4 rounds | 5 rounds
---|---|---|---|---|---
[ | 0 | 1 | 4 | 9 | 13
Section | 0 | 1 | 2 | 3 | 3

Utilizing obtained linear approximations, a key-recovery attack can be applied to 25-round NUX using a 19-round linear approximation with bias

19-Round linear approximation of NUX.

Rounds | | | | | Bias
---|---|---|---|---|---
0 | | | | |
1 | | | | |
2 | | | | |
3 | | | | |
4 | | | | |
5 | | | | |
6 | | | | |
7 | | | | |
8 | | | | |
9 | | | | |
10 | | | | |
11 | | | | |
12 | | | | |
13 | | | | |
14 | | | | |
15 | | | | |
16 | | | | |
17 | | | | |
18 | | | | |
19 | | | | |

Linear attack of 25-round NUX.

According to the linear approximation, there are

Collect

Initialize

Guess 26-bit key

For each plaintext/ciphertext pair, calculate

Initialize

Guess 16-bit key

For every

Initialize

Guess 24-bit key

For every

Set the advantage

If

Both the counters

The success rate

Generally speaking, a distinguishing attack is a test algorithm that tries to detect nonrandom behavior in a cryptographic system. It needs a distinguisher, a property that makes the cryptographic algorithm behave differently from a random permutation. When analyzing NUX, we find a distinguisher with probability 1, that is, a deterministic distinguisher, to tell NUX apart from a random permutation.

In Section

31-Round differential distinguisher of NUX.

Since only 4 pairs of plaintexts are used in the distinguishing attack, the data complexity is

NUX is a 31-round iterative ultralightweight cipher, which is suitable for extremely constrained environment and is applied to the Internet of Things. In this paper, differential and linear trails are searched for 1

All the data are obtained by our programs and can be provided to interested readers by email.

The authors declare that there are no conflicts of interest regarding the publication of this paper.

This work has been supported by National Cryptography Development Fund (no. MMJJ20170102), the National Natural Science Foundation of China (nos. 61572293, 61502276, and 61692276), the National Natural Science Foundation of Shandong Province, China (ZR2016FM22), Major Scientific and Technological Innovation Projects of Shandong Province, China (2017CXGC0704), and Fundamental Research Fund of Shandong Academy of Sciences (no. 2018:12-16).