Lightweight block ciphers are designed to suit restricted environments such as radio frequency identification technology or sensor networking, which are important components of the Internet of Things. NUX is a 31-round iterative ultralightweight cipher proposed by Bansod
The Internet of Things is defined as a variety of devices and technologies such as sensors, radio frequency identification (RFID) technology, global positioning systems, infrared sensors, laser scanners, and gas sensors. Its essence is to use RFID technology to realize the automatic identification of items and the interconnection and sharing of information through the computer Internet. In this new kind of cryptographic environment, RFID technology and sensor networking have similar properties, such as weak computation abilities, small storage spaces, and strict power constraints. Therefore, traditional block ciphers are not suitable for this kind of extremely constrained environment. Hence, lightweight block ciphers have been put forward for restricted environments and have shown importance in various applications. Recently, many lightweight block ciphers have been designed to maintain security under limited resource conditions, such as PRESENT [
Differential analysis, which is a chosen-plaintext attack, was proposed by Biham and Shamir to analyze DES [
NUX is a 31-round iterative lightweight block cipher proposed by Bansod
1 The resistance to the linear analysis for For full NUX, the probability of the best differential characteristic is Using 22-round differential characteristic with probability Utilizing the property of difference propagation through NUX, distinguishing attack can be implemented on full NUX with data complexity 8, which is depicted in Table
Comparison of trails on NUX.
Method | Rounds | Probability/bias | Reference |
---|---|---|---|
Differential | 25 | | [ |
Differential | 25 | | Section |
Differential | 31 | | Section |
Linear | 25 | | [ |
Linear | 25 | | Section |
Linear | 31 | | Section |
Summary of attacks on NUX.
Attack type | Rounds | Time | Data | Memory (Bytes) | Reference |
---|---|---|---|---|---|
Differential | 25 | - | | - | [ |
Differential | 29 | | | | Section |
Linear | 25 | - | | - | [ |
Linear | 25 | | | | Section |
Distinguishing | 31 | 8 | 8 | 0 | Section |
The organization of the paper is as follows. The notations and description of NUX are given in Section
This section will list notations and operations used in this paper and describe NUX.
NUX is a 31-round ultralightweight cipher based on a generalized Feistel network. It supports a key length of 128/80 bits and a block length of 64 bits. The round function is illustrated in Figure
The round function of NUX.
There are two F-functions
S-box used in NUX.
x | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | a | b | c | d | e | f |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
S(x) | e | 7 | 8 | 4 | 1 | 9 | 2 | f | 5 | a | b | 0 | 6 | c | d | 3 |
The 64-bit input of the
Bit permutation table P in NUX.
i | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
P(i) | 15 | 11 | 7 | 3 | 2 | 14 | 10 | 6 | 5 | 1 | 13 | 9 | 8 | 4 | 0 | 12 |
After 31 rounds, the ciphertext will be acquired as
This section describes how to search for differential characteristics of NUX and then conducts a key-recovery attack on 29-round NUX.
To search for the differential characteristic of NUX, the difference propagation between round functions should be considered, and how differences propagate through S-boxes should also be taken into account. When a difference passes through an S-box, the output difference and probability are determined by looking up the XOR difference distribution table (DDT) of the S-box.
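The DDT lookup described above, worked through for the S-box listed in the S-box table of this page. This is an added example, not code from the paper; the function names are chosen here, and multiplying per-S-box probabilities assumes the S-box transitions of a characteristic behave independently.

```python
from math import log2

# NUX S-box, copied from the S-box table on this page.
SBOX = [0xE, 0x7, 0x8, 0x4, 0x1, 0x9, 0x2, 0xF,
        0x5, 0xA, 0xB, 0x0, 0x6, 0xC, 0xD, 0x3]


def build_ddt(sbox):
    """ddt[din][dout] = number of x with S(x) ^ S(x ^ din) == dout."""
    n = len(sbox)
    ddt = [[0] * n for _ in range(n)]
    for din in range(n):
        for x in range(n):
            ddt[din][sbox[x] ^ sbox[x ^ din]] += 1
    return ddt


DDT = build_ddt(SBOX)


def transitions(din):
    """Possible output differences for input difference din, with probabilities."""
    return {dout: count / 16 for dout, count in enumerate(DDT[din]) if count}


def differential_uniformity():
    """Largest DDT entry over nonzero input differences."""
    return max(count for row in DDT[1:] for count in row)


def trail_log2_probability(sbox_steps):
    """log2 probability of a characteristic given as (din, dout) pairs, one per
    active S-box, multiplying entries as if the S-boxes were independent
    (assumption of this example). Returns None for an impossible transition."""
    total = 0.0
    for din, dout in sbox_steps:
        if DDT[din][dout] == 0:
            return None
        total += log2(DDT[din][dout] / 16)
    return total


if __name__ == "__main__":
    for din in range(1, 16):
        row = ", ".join(f"{d:x}:{p}" for d, p in transitions(din).items())
        print(f"din={din:x} -> {row}")
    print("differential uniformity:", differential_uniformity())
```

Each active S-box contributes at most a factor of 4/16 to a characteristic's probability, which is why the search minimizes the number of active S-boxes per round.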
Algorithm
Differential characteristics of NUX.
Rounds | Probability | Number of trails |
---|---|---|
2 | | 192 |
3 | | 56 |
4 | | 4 |
5 | | 1 |
6 | | 2 |
7 | | 2 |
8 | | 8 |
9 | | 1 |
10 | | 16 |
11 | | 24 |
12 | | 4 |
13 | | 8 |
14 | | 4 |
15 | | 18 |
16 | | 2 |
17 | | 1 |
18 | | 4 |
19 | | 4 |
20 | | 2 |
21 | | 48 |
22 | | 2 |
23 | | 32 |
24 | | 49 |
25 | | 10 |
26 | | 4 |
27 | | 4 |
28 | | 16 |
29 | | 2 |
30 | | 32 |
31 | | 48 |
Differential representation of NUX.
Furthermore, the minimal numbers of active S-boxes of 1
Minimal number of active S-boxes from differential characteristic.
Number of active S-boxes, by number of rounds:
Reference | 1 round | 2 rounds | 3 rounds | 4 rounds | 5 rounds |
---|---|---|---|---|---|
[ | 0 | 1 | 2 | 5 | 9 |
Section | 0 | 1 | 2 | 3 | 3 |
A 22-round differential characteristic is chosen with probability to be Collect Initialize For each plaintext pair Initialize Guess 96-bit key Use Set advantage
22-Round differential characteristic of NUX.
Rounds | | | | | Probability |
---|---|---|---|---|---|
0 | | | | | 1 |
1 | | | | | |
2 | | | | | |
3 | | | | | |
4 | | | | | |
5 | | | | | |
6 | | | | | |
7 | | | | | |
8 | | | | | |
9 | | | | | |
10 | | | | | |
11 | | | | | |
12 | | | | | |
13 | | | | | |
14 | | | | | |
15 | | | | | |
16 | | | | | |
17 | | | | | 1 |
18 | | | | | |
19 | | | | | |
20 | | | | | |
21 | | | | | 1 |
22 | | | | | |
Differential attack of 29-round NUX.
If set
The counters
The success rate
Linear approximations of NUX are searched for in this section, and the 25-round key-recovery attack is performed on NUX using a 19-round linear approximation.
To search for linear approximations of NUX, how masks propagate through S-boxes should be taken into account. When a mask passes through an S-box, the linear approximation table (LAT) of the S-box is looked up to determine the output mask and bias. Algorithm
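The LAT lookup described above, worked through for the S-box from the S-box table of this page. This is an added example, not code from the paper; the conventions are assumptions of the example: a mask is applied as the parity of a bitwise AND, each table entry is the agreement count minus 8, and the bias is the entry divided by 16. The piling-up lemma is included to show how per-S-box biases combine under an independence assumption.

```python
# NUX S-box, copied from the S-box table on this page.
SBOX = [0xE, 0x7, 0x8, 0x4, 0x1, 0x9, 0x2, 0xF,
        0x5, 0xA, 0xB, 0x0, 0x6, 0xC, 0xD, 0x3]


def parity(v):
    """XOR of the bits of v."""
    return bin(v).count("1") & 1


def build_lat(sbox):
    """lat[a][b] = #{x : a.x == b.S(x)} - 8, where a.x is the parity of a & x."""
    n = len(sbox)
    return [[sum(parity(a & x) == parity(b & sbox[x]) for x in range(n)) - n // 2
             for b in range(n)] for a in range(n)]


LAT = build_lat(SBOX)


def bias(a, b):
    """Bias of the approximation a.x = b.S(x), i.e. Pr[it holds] - 1/2."""
    return LAT[a][b] / 16


def output_masks(a):
    """Output masks with nonzero bias for input mask a, with their biases."""
    return {b: bias(a, b) for b in range(16) if LAT[a][b]}


def piling_up(biases):
    """Piling-up lemma: n independent approximations with biases e_i combine
    to bias 2^(n-1) * e_1 * ... * e_n."""
    combined = 0.5
    for eps in biases:
        combined *= 2 * eps
    return combined


if __name__ == "__main__":
    for a in range(1, 16):
        row = ", ".join(f"{b:x}:{e:+.3f}" for b, e in output_masks(a).items())
        print(f"mask a={a:x} -> {row}")
    print("two S-boxes at bias 1/4:", piling_up([0.25, 0.25]))
```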
The number of active S-boxes of the i-th round
Linear representation of NUX.
The bias of one round can be
Linear approximations of NUX.
Rounds | Bias | Number of trails |
---|---|---|
2 | | 288 |
3 | | 300 |
4 | | 13 |
5 | | 2 |
6 | | 4 |
7 | | 13 |
8 | | 62 |
9 | | 6 |
10 | | 70 |
11 | | 11 |
12 | | 70 |
13 | | 4 |
14 | | 2 |
15 | | 4 |
16 | | 16 |
17 | | 4 |
18 | | 4 |
19 | | 16 |
20 | | 4 |
21 | | 8 |
22 | | 60 |
23 | | 21 |
24 | | 25 |
25 | | 48 |
26 | | 103 |
27 | | 4 |
28 | | 7 |
29 | | 54 |
30 | | 4 |
31 | | 2 |
Moreover, the minimal numbers of active S-boxes of 1
Minimal number of active S-boxes from linear approximation.
Number of active S-boxes, by number of rounds:
Reference | 1 round | 2 rounds | 3 rounds | 4 rounds | 5 rounds |
---|---|---|---|---|---|
[ | 0 | 1 | 4 | 9 | 13 |
Section | 0 | 1 | 2 | 3 | 3 |
Utilizing obtained linear approximations, a key-recovery attack can be applied to 25-round NUX using a 19-round linear approximation with bias
19-Round linear approximation of NUX.
Rounds | | | | | Bias |
---|---|---|---|---|---|
0 | | | | | |
1 | | | | | |
2 | | | | | |
3 | | | | | |
4 | | | | | |
5 | | | | | |
6 | | | | | |
7 | | | | | |
8 | | | | | |
9 | | | | | |
10 | | | | | |
11 | | | | | |
12 | | | | | |
13 | | | | | |
14 | | | | | |
15 | | | | | |
16 | | | | | |
17 | | | | | |
18 | | | | | |
19 | | | | | |
Linear attack of 25-round NUX.
According to the linear approximation, there are Collect Initialize Guess 26-bit key For each plaintext/ciphertext pair, calculate Initialize Guess 16-bit key For every Initialize Guess 24-bit key For every Set the advantage
If
Both the counters
The success rate
Generally speaking, a distinguishing attack is a kind of test algorithm that tries to expose nonrandom behavior in a cryptographic system. A distinguishing attack needs to find a distinguisher, which separates the cryptographic algorithm from a random permutation. When analyzing NUX, we find a distinguisher with probability 1, that is, a deterministic distinguisher to distinguish NUX from a random permutation.
In Section
31-Round differential distinguisher of NUX.
Since only 4 pairs of plaintexts are used in the distinguishing attack, the data complexity is
NUX is a 31-round iterative ultralightweight cipher, which is suitable for extremely constrained environments and is applied to the Internet of Things. In this paper, differential and linear trails are searched for 1
All the data are obtained by our programs and can be provided to interested readers by email.
The authors declare that there are no conflicts of interest regarding the publication of this paper.
This work has been supported by the National Cryptography Development Fund (no. MMJJ20170102), the National Natural Science Foundation of China (nos. 61572293, 61502276, and 61692276), the National Natural Science Foundation of Shandong Province, China (ZR2016FM22), Major Scientific and Technological Innovation Projects of Shandong Province, China (2017CXGC0704), and the Fundamental Research Fund of Shandong Academy of Sciences (no. 2018:12-16).