Published: September 18, 2013
Author(s)
Meltem Sönmez Turan
Conference
Name: Second International Workshop on Lightweight Cryptography for Security and Privacy (LightSec 2013)
Dates: 05/06/2013 - 05/07/2013
Location: Gebze, Turkey
Citation: Lightweight Cryptography for Security and Privacy, vol. 4162, pp. 28-42
Lightweight cryptography aims to provide sufficient security with low area/power/energy requirements for constrained devices. In this paper, we focus on the lightweight encryption algorithm specified and approved in NRS 009-6-7:2002 by the Electricity Suppliers Liaison Committee to be used with tokens in prepayment electricity dispensing systems in South Africa. The algorithm is a 16-round SP network with two 4-to-4 bit S-boxes and a 64-bit permutation. The S-boxes and the permutation are kept secret and provided only to the manufacturers of the system under license conditions. We present related-key slide attacks to recover the secret key and secret components using four scenarios: (i) known S-box and permutation with 2^48 time complexity using 2^16 + 1 chosen plaintexts; (ii) unknown S-box and known permutation with 2^55 time complexity using 2^22.71 + 1 chosen plaintexts; (iii) known S-box and unknown permutation with 2^48 time complexity using 2^16 + 1 chosen plaintexts and 2^12.28 adaptively chosen plaintexts; and finally, (iv) unknown S-box and permutation, with 2^48 time complexity using 2^22.71 + 1 chosen plaintexts and 2^31.29 adaptively chosen plaintexts. We also extend these attacks to recover the secret components in a chosen-key setting with practical complexities.
Keywords
lightweight block ciphers; related-key slide attacks; secret components
Control Families
None selected