security cryptanalysis of nux for the internet of...
TRANSCRIPT
Research ArticleSecurity Cryptanalysis of NUX for the Internet of Things
Yu Liu 1 Xiaolei Liu 2 and Yanmin Zhao3
1School of Computer Engineering Weifang University Weifang 261061 China2Key Laboratory of Cryptologic Technology and Information Security Ministry of Education Shandong UniversityJinan 250100 China3Department of Computer Science Faculty of Engineering e University of Hong Kong 999077 Hong Kong
Correspondence should be addressed to Yu Liu yuliuwfueducn and Xiaolei Liu lxlmathmailsdueducn
Received 15 November 2018 Revised 13 May 2019 Accepted 23 May 2019 Published 12 June 2019
Guest Editor Fagen Li
Copyright copy 2019 Yu Liu et al This is an open access article distributed under the Creative Commons Attribution License whichpermits unrestricted use distribution and reproduction in any medium provided the original work is properly cited
In order to adopt the restricted environment such as radio frequency identification technology or sensor networking which are theimportant components of the Internet ofThings lightweight block ciphers are designedNUX is a 31-round iterative ultralightweightcipher proposed by Bansod et al In this paper we examine the resistance of NUX to differential and linear analysis and search for1 sim 31-round differential characteristics and linear approximations In design specification authors claimed that 25-round NUXis resistant to differential and linear attack However we can successfully perform 29-round differential attack on NUX with the22-round differential characteristic found in this paper which is 4 rounds more than the limitation given by authors Furthermorewe present the key recovery attack on 22-round NUX using a 19-round linear approximation determined in this paper Besidesdistinguishing attack whose distinguisher is built utilizing the property of differential propagation through NUX is implementedon full NUX with data complexity 8
1 Introduction
The Internet of Things is defined as a variety of devicesand technologies such as sensors radio frequency identifica-tion (RFID) technology global positioning systems infraredsensors laser scanners and gas sensors Its essence is touse RFID technology to realize the automatic identificationof items the interconnection and sharing of informationthrough the computer Internet In this kind of new cryptog-raphy environment RFID technology and sensor networkinghave similar properties such as weak computation abilitiessmall storage spaces and strict power constraints There-fore traditional block ciphers are not suitable for this kindof extremely constrained environment Hence lightweightblock ciphers are put forward for restricted environment andhave shown importance in various applications Recentlycopious lightweight block ciphers are designed to main-tain security under limited resource conditions such asPRESENT [1] LBlock [2] and PRINCE [3] And many cryp-tographers are concerned about the security of lightweightblock ciphers
Differential analysis which is a chosen-plaintext attackis proposed by Biham and Shamir to analyze DES [4]Differential analysis studies probability propagation propertyin the encryptiondecryption process This method seeksfor high probability differential characteristics to perform adistinguishing attack or a key-recovery attack Later linearanalysis which is the duality of differential analysis and isa known-plaintext attack is presented by Matsui in EURO-CRYPTrsquo93 [5] Similarly linear analysis studies the linearrelationship between plaintexts and ciphertexts and findslinear approximations with high probability to build a distin-guisher or carry out a key-recovery attack In addition thesetwo methods are the most popular cryptanalysis methodsnowadays They have been used to analyze many ciphers andshould be taken into consideration for designing a new cipherscheme [6ndash11]
NUX is a 31-round iterative lightweight block cipher pro-posed by Bansod et al [12] which adopts generalized Feistelstructure And it supports 64-bit blocks and 80128-bit keysFor the version with 128-bit key the author pointed out thatNUX needs 1022 GEs which is less than all existing ciphers
HindawiSecurity and Communication NetworksVolume 2019 Article ID 2062697 12 pageshttpsdoiorg10115520192062697
2 Security and Communication Networks
Table 1 Comparison of tails on NUX
Method Rounds Probabilitybias Reference
Differential25 2minus90 [12]25 2minus71 Section 3131 2minus88 Section 31
Linear25 2minus66 [12]25 2minus41 Section 4131 2minus50 Section 41
Table 2 Summary of attacks on NUX
Attack type Rounds Time Date Memory (Bytes) Reference
Differential 25 - 290 - [12]29 212173 261 296 Section 32
Linear 25 - 2132 - [12]25 2126 2637 270 Section 42
Distinguishing 31 8 8 0 Section 5
In terms of security they expected that NUX could resistdifferentiallinear analysis They examined the resistance ofNUX against differentiallinear cryptanalysis At last theyshowed thatNUXcipherwith no less than 25 round is enoughto resist linear or differential attack Besides a biclique attackon NUX is presented in [12]
Our Contribution
(i) 1sim31-round differential characteristics of NUX aresearched for and 10 25-round differential characteris-tics are found with probability 2minus71 which are betterthan the one with probability limitation 2minus90 given inthe design script shown in Table 1
(ii) The resistance to the linear analysis for 1 sim 31-round NUX is examined and 48 25-round linearapproximations are presented with absolute value ofbias to be 2minus41 better than the limitation on biaspresented in the design script which is 2minus66 depictedin Table 1
(iii) For full NUX the probability of the best differentialcharacteristic is 2minus88 and the absolute value of biasfor the best linear approximation is 2minus50 which aredescribed in Table 1
(iv) Using 22-round differential characteristic with prob-ability 2minus58 obtained in this paper 29-round differen-tial attack is performed with time data and memorycomplexity to be 212173 29-round encryptions and 261and 296 bytes respectively Furthermore based on a19-round linear approximation with bias to be 2minus3025-round linear attack is executed with time complex-ity 2126 25-round encryptions data complexity 2637andmemory complexity 270 bytes Till now these twoattacks are the best differential attack and best linearattack respectively A summary of our attacks is givenin Table 2
(v) Utilizing the property of difference propagationthrough NUX distinguishing attack can be imple-mented on full NUX with data complexity 8 whichis depicted in Table 2
The organization of the paper is as follows The notationsand description of NUX are given in Section 2 Section 3shows the differential characteristics and differential attackon 29-round NUX In Section 4 the linear approximationsand linear attack on 25-roundNUX are introduced Section 5describes distinguishing attacks between full NUX and ran-dom permutations Finally Section 6 concludes the paper
2 Preliminaries
This section will list notations and operations used in thispaper and describe NUX
21 Notations and Operations
(i) 0 1119899 The set of strings with 119899 bits length(ii) 119909[119894] The 119894-th bit of 119909 if 119909 isin 0 1119899(iii) 119909[119894 119895] The 119895-th bit to 119894-th bit of 119909 if 119909 isin 0 1119899(iv) 119909[119894 119895] The 119894-th and 119895-th bits of 119909 if 119909 isin 0 1119899(v) 119909 119910 Concatenation of 119909 and 119910 if 119909 119910 isin 0 1119899(vi) ⋙ Right cyclic shift operation(vii) ⋘ Left cyclic shift operation(viii) oplus XOR operation
22 Description of NUX NUX is a 31-round ultralightweightcipher based on generalized Feistel network It supports a keylength of 12880 bits and a block length of 64 bits The roundfunction is illustrated in Figure 1
There are two F-functions 1198651 and 1198652 which are con-structed by four 4 times 4 S-boxes and a circular shift operator
Security and Communication Networks 3
Table 3 S-box used in NUX
x 0 1 2 3 4 5 6 7 8 9 a b c d e fS(x) e 7 8 4 1 9 2 f 5 a b 0 6 c d 3
Table 4 Bit permutation table P in NUX
i 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15P(i) 15 11 7 3 2 14 10 6 5 1 13 9 8 4 0 12
ltltlt 8
S-Box gtgtgt3
gtgtgt3
S-Boxltltlt8
P P P P
rki
X4i
F2
X3i
X2i
F1
X1i
X4i+1 X
3i+1 X
2i+1 X
1i+1
rkrsquoi
Figure 1 The round function of NUX
The S-box is represented in Table 3 Then 1198651 and 1198652 can bedepicted as follows
1198651 (119909) = 119878 (119909 [7 4]) 119878 (119909 [3 0]) 119878 (119909 [15 12])
119878 (119909 [11 8])
1198652 (119909) = 119878 (119909 [2 0] 119909 [15]) 119878 (119909 [14 11])
119878 (119909 [10 7]) 119878 (119909 [6 3])
(1)
The 64-bit input of the 119894-th round 119883119894 is divided into 4blocks of 16 bits named 1198834119894 119883
3119894 1198832119894 and 119883
1119894 respectively
119883119894 = 1198834119894 1198833119894 1198832119894 1198831119894 (2)
and then there are the following formulas
1198834119894+1 = 119875 (1198832119894 )
1198833119894+1 = 119875 ((1198831119894 ⋙ 3) oplus 1198651 (119883
2119894 ) oplus 119903119896
1015840119894)
1198832119894+1 = 119875 ((1198834119894 ⋘ 8) oplus 1198652 (119883
3119894 ) oplus 119903119896119894)
1198831119894+1 = 119875 (1198833119894 )
(3)
where 119875 is a 16-bit permutation which is depicted in Table 4After 31 rounds the ciphertext will be acquired as 119883431
119883331 119883231 119883
131 The key schedule is omitted and interested
readers are referred to [12] for more details about NUX
3 Differential Attack on 29-Round NUX
In this section how to search for differential characteristicsof NUX will be described And then a key-recovery attack isconducted on 29-round NUX
31 Differential Characteristics of NUX To search for thedifferential characteristic of NUX the different propagationbetween round functions should be considered And howdifferences propagate through S-boxes should also be takeninto account When a difference passes through an S-box theoutput difference and probability are determined by lookingup the XOR difference distribution table (DDT) of theS-box
Algorithm 1 is designed to search for differential char-acteristics of NUX and notations used in this algorithmare depicted in Figure 2 From the structure of NUX it isobvious that the probability of one round can be 1 thatis all the 8 S-boxes are passive So a special 119899 minus 1-rounddifferential characteristic (Δ30 = Δ
20 = 0) is chosen and one-
round differential characteristic with probability 1 is addedto catch 119899-round differential characteristics Meanwhile Δ4119894and Δ3119894 which lie in the two branches on the left side will notaffect Δ2119894 and Δ
1119894 the two branches on the right side during
propagation in NUX So differences of two branches on theleft or right are set to 0 and the difference propagation in theother two branches will be focused on during the encryptionprocess In this way the number of active S-boxes is always no
4 Security and Communication Networks
ltltlt 8
S-Box gtgtgt3
gtgtgt3
S-Boxltltlt8
P P P P
rki
Δ4
i
F1F2
Δ3
i Δ2
iΔ
1
i
Δ9l
iΔ8
l
iΔ9
ℎ
iΔ8
ℎ
i
Δ4
i+1Δ
3
i+1Δ
2
i+1Δ
1
i+1
rkrsquoi
Figure 2 Differential representation of NUX
Input S-box 119878 Probability threshold 119875119903119871119894119898[30]Output A differential trail with the best probability(1) Generate the DDT of S-box(2) Store all 2 4 and the corresponding inputoutput differences in DDT in the table 119863119863119879119875(3) for Each of 8 S-boxes in the first round do(4) for all non-zero entities in DDT do(5) if S-box is in 1198652 then(6) Δ31 = Δ119883
ℎ1 ⋘ 3 Δ41 = Δ
21 = Δ
11 = 0
(7) Store them in 119877119894119899[1](8) else(9) Δ21 = Δ119883
1198971⋙ 8 Δ41 = Δ
31 = Δ
11 = 0
(10) Store them in 119877119894119899[1](11) CalculateΔ40 Δ
30 Δ20 Δ10 and store them in 119877119894119899[0]
(12) CalculateΔ42 Δ32 Δ22 Δ12 and store them in 119877119894119899[2]
(13) The probability is recorded as 119875119903[1](14) for 119894 larr997888 2 to 30 do(15) if Δ4119894 = Δ
3119894 = 0 then
(16) Δ119883119897119894 = Δ2119894 ⋘ 8
(17) Travel119863119863119879119875 to get Δ119884119897119894 and its corresponding probability 119875119903119877119899119889
(18) else if Δ2119894 = Δ1119894 = 0 then
(19) Δ119883ℎ119894 = Δ3119894 ⋙ 3
(20) Travel119863119863119879119875 to get Δ119884ℎ119894 and the corresponding probability 119875119903119877119899119889
(21) Keep 119875119903[119894 minus 1] times 119875119903119877119899119889 which greater than threshold 119875119903119871119894119898[119894](22) CalculateΔ4119894+1 Δ
3119894+1 Δ2119894+1 Δ1119894+1 and store them in 119877119894119899[119894 + 1]
(23) 119875119903[119894] lArr997904 119875119903[119894 minus 1] times 119875119903119877119899119889(24) for Each of 8 S-boxes in the first round do(25) for all non-zero entities in DDT do(26) Find the largest 119875119903[119894] and store it in 119875119903119872119886119909[119894](27) Output different characteristics with probability 119875119903119872119886119909[119894]
Algorithm 1 Algorithm for differential characteristic on NUX
more than 4 in one round which can make the probability ofthe differential characteristic as large as possible The resultsof our search algorithm are listed in Table 5
Furthermore the minimal numbers of active S-boxes of1sim5-round differential characteristics are shown in the designmanuscript [12] So the minimal number of active S-boxes isalso studied and the minimum active S-boxes of 4 5-round
differential characteristics are less than the ones given in [12]which are presented in Table 6
32 Differential Attack on NUX A 22-round differentialcharacteristic is chosen with probability to be 2minus58 which isshown in Table 7 and 7 rounds are extended forward Thedescription is given in Figure 3 There are Δ40 = 01199090400
Security and Communication Networks 5
Table 5 Differential characteristics of NUX
Rounds Probability Number of tails2 2minus2 1923 2minus4 564 2minus6 45 2minus7 16 2minus9 27 2minus11 28 2minus15 89 2minus15 110 2minus20 1611 2minus24 2412 2minus28 413 2minus31 814 2minus37 415 2minus41 1816 2minus45 217 2minus46 118 2minus49 419 2minus52 420 2minus53 221 2minus58 4822 2minus58 223 2minus63 3224 2minus67 4925 2minus71 1026 2minus73 427 2minus75 428 2minus79 1629 2minus79 230 2minus84 3231 2minus88 48
Table 6 Minimal number of active S-boxes from differentialcharacteristic
Number of active S-boxesReference Rounds
1 2 3 4 5[12] 0 1 2 5 9Section 31 0 1 2 3 3
Δ322 = 01199092080 and Δ30 = Δ20 = Δ10 = Δ422 = Δ222 = Δ122 =01199090000 according to the 22-round differential distinguisherThen Δ423 = Δ323 = 01199090000 Δ123 = 01199090050 and Δ223 satisfythe form as (00 lowast lowast lowast 00 lowast lowastlowast 000 lowast lowast0) where lowast isin 0 1 canbe deduced And the output difference of the 28-th round isΔ429 = Δ329 = 01199090000 119883223 119883
21015840
23 119883123 and 119883
11015840
23 can be gottenby 6-round decryption So 119903119896101584023 11990311989624 119903119896
101584025 11990311989626 119903119896
101584027 and 11990311989628
should be guessed and denoted by 119870119892119906119890119904119904 The attack processis described as follows
(1) Collect119873 pairs of plaintext (119875 1198751015840) satisfying 119875oplus1198751015840 =(Δ40 Δ
30 Δ20 Δ10) and their corresponding ciphertext
pairs (119862 1198621015840)(2) Initialize 232 countersV[0]V[1] V[232minus1] and
reset them(3) For each plaintext pair (119875 1198751015840) check whether its
ciphertext pair (119862 1198621015840) satisfies (119862 oplus 1198621015840)[63 32] =011990900000000 If the ciphertext pair meets the formula119909 = (119862 oplus 1198621015840)[31 0] andV[119909] + +
(4) Initialize 296 counters V119896[0]V119896[1] V119896[296 minus 1]
and reset them(5) Guess 96-bit key 119870119892119906119890119904119904 and decrypt 119909 to obtain 119883223
11988321015840
23119883123 and119883
11015840
23 Checkwhether119883223oplus11988321015840
23 and119883123oplus
11988311015840
23 are equal to Δ223 and Δ123 If the conditions are
met then let 119910 = 119883223 11988321015840
23 119883123 119883
11015840
23
(6) Use 119910 to calculate 119883422 oplus 11988341015840
22 and 119883322 oplus 119883
31015840
22 If 119883422 oplus
11988341015840
22 = Δ422 and 119883
322 oplus 119883
31015840
22 = Δ322V119896[119870119892119906119890119904119904] + +
(7) Set advantage 119886 to be 51 which implies that thetop 245 absolute values in V119896 are kept For eachremaining key we guess the remaining 58-bit subkeyand calculate the master key Finally we test the keyby trail encryptions
If set 119873 = 260 then about 228 pieces of data enter step(5) which means 2124 6-round encryptions that is 21217 29-round encryptions The complexity of step (7) is 2103 29-round encryptions So the total time complexity of this attackis about 212173 29-round encryptions
The countersV119896 require storing 296 bytes so the memory
complexity for the attack is 296 bytes The data complexity is261
The success rate 119875119878 = Φ((radic119901119873119878119873 minus Φminus1(1 minus2minus119886))radic119878119873 + 1) = 9871 by [13]
4 Linear Attack on 25-Round NUX
Linear approximations of NUX are searched for in thissection and the 25-round key-recovery attack is performedon NUX using a 19-round linear approximation
41 Linear Approximations of NUX To search for linearapproximations of NUX how masks propagate through S-boxes should be taken into account When a mask passesthrough an S-box the linear approximation table (LAT) ofthe S-box is looked up to determine the outputmask and biasAlgorithm 2 searches for linear approximations of NUX andnotations used in this algorithm are depicted in Figure 4
The bias of one round can be 12 which can be obtainedfrom the structure of NUX that is all the 8 S-boxes arepassive So special (119899 minus 1)-round linear approximations arechosen which satisfy (Γ40 = Γ10 = 0) and one-roundlinear approximation with bias 1 is added to catch 119899-roundlinear approximations Similar to searching for differentialcharacteristics there is only one active S-box in the first
6 Security and Communication Networks
Table 7 22-Round differential characteristic of NUX
Rounds 119894 Δ4119894 Δ3119894 Δ2119894 Δ1119894 Probability0 0400 0000 0000 0000 11 0000 0000 0080 0000 2minus3
2 0040 0001 0000 0000 2minus2
3 0000 0000 0010 8000 2minus3
4 0004 1000 0000 0000 2minus2
5 0000 0000 0002 0100 2minus2
6 0800 6002 0000 0000 2minus5
7 0000 0000 003b 0811 2minus5
8 c80c 2b30 0000 0000 2minus7
9 0000 0000 0480 4236 2minus5
10 2040 0600 0000 0000 2minus3
11 0000 0000 0005 2002 2minus2
12 8080 0003 0000 0000 2minus2
13 0000 0000 0040 8800 2minus2
14 0400 0030 0000 0000 2minus2
15 0000 0000 0008 4004 2minus3
16 0008 3000 0000 0000 2minus2
17 0000 0000 0000 0110 118 0000 4800 0000 0000 2minus3
19 0000 0000 0020 0201 2minus2
20 4000 0500 0000 0000 2minus3
21 0000 0000 0000 2020 122 0000 2080 0000 0000 lowast
round of 119899 minus 1 rounds Meanwhile Γ4119894 and Γ3119894 which liein the two branches on the left side will not affect Γ2119894 andΓ1119894 the two branches on the right side during propagationin NUX So the linear propagation on the left or right istaken into consideration and differences of the other twobranches are set to 0 In this way the number of active S-boxes is always nomore than 4 in one round which canmakethe absolute value of the linear approximation bias as largeas possible The results of the search algorithm are listed inTable 8
Moreover the minimal numbers of active S-boxes of1sim5-round linear approximations are shown in the designmanuscript [12] And the minimal number of active S-boxesis also considered and the minimum active S-boxes of 3sim5-round linear approximations are less than the ones given in[12] which are presented in Table 9
42 Linear Attack on NUX Utilizing obtained linear approx-imations a key-recovery attack can be applied to 25-roundNUX using a 19-round linear approximation with bias 2minus30which is described in Table 10 The 19-round linear approx-imation is put from the 4th to the 22th round of NUXextending 3 rounds both backward and forward The 25-round key-recovery attack is shown in Figure 5
According to the linear approximation there are Γ43 =Γ23 = Γ
13 = Γ
422 = Γ322 = 01199090000 Γ
33 = 01199091040 Γ
222 = 0119909044119888
and Γ122 = 011990924119886119891 Furthermore the following formula canbe gotten
Γ43 sdot 11988343 oplus Γ33 sdot 11988333 oplus Γ22 sdot 11988323 oplus Γ13 sdot 11988313 oplus Γ422 sdot 119883422 oplus Γ
322
sdot 119883322 oplus Γ222 sdot 119883222 oplus Γ
122 sdot 119883122 = Γ
33 sdot 11988333 oplus Γ222 sdot 119883222
oplus Γ122 sdot 119883122 = 120581
(4)
where 11988333 can be calculated through 3-round encryptionby guessing 26-bit subkeys which are denoted by 119870119887119890119891119900119903119890including 11990311989610158400 1199031198961[15 13 10 8 7 5 2 0] and 11990311989610158402[15 7]Besides 119883222 and 119883
122 are obtained by 3-round decryption
which involves 40-bit subkeys namely 119903119896101584022[15 1413 10 7 4 2 0] 11990311989623 and 119903119896101584024 For the sake of simplicity119903119896101584022[15 14 13 10 7 4 2 0] and 11990311989623 are denoted by 119870119898119894119889 Inthe following the attack process is depicted
(1) Collect119873 plaintextciphertext pairs(2) Initialize 266 counters V0[0]V0[1] V0[2
66 minus 1]and reset them
(3) Guess 26-bit key 119870119887119890119891119900119903119890(4) For each plaintextciphertext pair calculate 119909 =
11988333[12 6] 1198624 1198623 1198622 1198621 ThenV0[119909] + +
(5) Initialize 234 counters V1[0]V1[1] V1[234 minus 1]and reset them
Security and Communication Networks 7
gtgtgt3 ltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
22-round Differential Distinguisher
S-BoxS-Box
X30 X
20 X
10X
40
X322 X
222 X
122X
422
X323 X
223 X
123X
423
X324 X
224 X
124X
424
X325 X
225 X
125X
425
X326 X
226 X
126X
426
X327 X
227 X
127X
427
X328 X
228 X
128X
428
X329 X
229 X
129X
429
rk22
rk23
rk24
rk25
rk26
rk27
rk28
rkrsquo22
rkrsquo23
rkrsquo24
rkrsquo25
rkrsquo26
rkrsquo27
rkrsquo28
Figure 3 Differential attack of 29-round NUX
(6) Guess 16-bit key 119903119896101584024(7) For every 119909 calculate 119910 = 11988333[12 6] 119883
224 119883
124
ThenV1[119910]+ = V0[119909](8) Initialize 266 counters V119896[0]V119896[1] V119896[266 minus 1]
and reset them
(9) Guess 24-bit key 119870119898119894119889
(10) For every 119910 calculate 119883222[10 6 3 2] and 119883222[13 10
7 5 3 2 1 0] Then compute 119911 = Γ33 sdot 11988333 oplus Γ222 sdot 119883222 oplus
Γ122 sdot 119883122 If 119911 = 0 thenV119896[119870119887119890119891119900119903119890 119903119896101584024 119870119898119894119889]+ =
V1[119910] otherwise decrease the counter byV1[119910]
8 Security and Communication Networks
Input S-box 119878 Bias threshold 120598119871119894119898[30]Output A linear approximation with the best biasDataThe number of active S-boxes in i rounds 119878119886119888119905119894V119890[119894]
The number of active S-boxes of the i-th round 119878119894119886119888119905119894V119890(1) Generate the LAT of S-box(2) Store all 2 4 and the corresponding inputoutput masks in LAT in the table 119871119860119879119875(3) for Each of 8 S-boxes in the first round do(4) for all non-zero entities in LAT do(5) if S-box is in 1198652 then(6) Γ41 = Γ119884
ℎ1 ⋙ 8 Γ31 = Γ
21 = Γ11 = 0
(7) Store them in 119877119894119899[1](8) else(9) Γ11 = Γ119884
1198971⋘ 3 Γ41 = Γ
31 = Γ21 = 0
(10) Store them in 119877119894119899[1](11) Calculate Γ40 Γ
30 Γ20 Γ10 and store them in 119877119894119899[0]
(12) Calculate Γ42 Γ32 Γ22 Γ12 and store them in 119877119894119899[2]
(13) Update 119878119886119888119905119894V119890[1] to be 1(14) The bias is recorded as 120598[1](15) for 119894 larr997888 2 to 30 do(16) if Γ4119894 = Γ
3119894 = 0 then
(17) Γ119884119897119894 = Γ1119894 ⋙ 3
(18) Travel 119871119860119879119875 to get Γ119883119897119894 119878119894119886119888119905119894V119890 and its corresponding bias 120598119877119899119889
(19) else if Γ2119894 = Γ1119894 = 0 then
(20) Γ119884ℎ119894 = Γ4119894 ⋘ 8
(21) Travel 119871119860119879119875 to get Γ119883ℎ119894 119878119894119886119888119905119894V119890 and the corresponding bias 120598119877119899119889
(22) Compute the total bias and keep ones greater than threshold 120598119871119894119898[119894](23) Calculate Γ4119894+1 Γ
3119894+1 Γ2119894+1 Γ1119894+1 and store them in 119877119894119899[119894 + 1]
(24) Update the number of active S-boxes 119878119886119888119905119894V119890[119894] and bias 120598[119894](25) for Each of 8 S-boxes in the first round do(26) for all non-zero entities in DDT do(27) Find the largest 120598[119894] and store it in 120598119872119886119909[119894](28) Output linear approximations with bias 120598119872119886119909[119894]
Algorithm 2 Algorithm for linear approximations on NUX
ltltlt 8
S-Box gtgtgt3
gtgtgt3
S-Boxltltlt8
P P P P
rki
Γ4
i
F1F2
Γ3
iΓ2
iΓ1
i
ΓYℎ
iΓX
ℎ
i
Γ4
i+1Γ3
i+1Γ2
i+1Γ1
i+1
rkrsquoi
ΓXl
iΓY
l
i
Figure 4 Linear representation of NUX
(11) Set the advantage 119886 to be 17 which means that the top249 absolute values inV119896 are kept For each remainingkey we guess 77-bit subkey to determine the masterkey And then we test the key by trail encryptions
If 119873 = 2637 then the time complexity of step (3)step (5) and step (7) is about 2897 3-round encryption 21081-round decryption and 2100 2-round encryption respec-tively Besides the complexity of step (11) is 2126 25-round
Security and Communication Networks 9
gtgtgt3 ltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
19-round Linear Distinguisher
S-BoxS-Box
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
X30 X
20 X
10X
40
X322 X
222 X
122
X422
X323 X
223 X
123X
423
X324 X
224 X
124X
424
X325 X
225 X
125X
425
X33 X
23 X
13X
43
X32 X
22 X
12X
42
X31 X
21 X
11X
41
rk0
rk1
rkrsquo0
rkrsquo1
rk2 rkrsquo2
rk22 rkrsquo22
rk23 rkrsquo23
rk24 rkrsquo24
Figure 5 Linear attack of 25-round NUX
encryption Hence the total time complexity of this attack isabout 2126 25-round encryption
Both the counters V0 and V119896 need 269 bytes to store sothe memory complexity for the attack is 270 bytes The datacomplexity is 2637
The success rate 119875119878 = Φ(2radic119873 sdot |120598| minus radic1 + 1198732119899Φminus1(1 minus2minus119886minus1)) = 8821 by [14]
5 Distinguishing Attack on NUX
Generally speaking the distinguishing attack is a kind of testalgorithm which tries to perform the nonrandom behavior
in cryptographic system A distinguishing attack needs tofind a distinguisher which makes cryptographic algorithmdifferent from random permutation When analyzing NUXwe find a distinguisher with probability 1 that is a deter-ministic distinguisher to distinguish NUX from a randompermutation
In Section 3 it has been pointed out that the two brancheson the right side will not affect the two on the right sideduring difference propagation in NUX Then for the full-round NUX when the input difference (Δ40 Δ
30 Δ20 Δ10) is
(0 0 lowast lowast) the output difference (Δ431 Δ331 Δ231 Δ131) sat-
isfies the form of (lowast lowast 0 0) shown in Figure 6 that is
10 Security and Communication Networks
lowast lowast
lowast lowast00
00
31-round distinguisher
Figure 6 31-Round differential distinguisher of NUX
Table 8 Linear approximations of NUX
Rounds Bias Number of tails2 2minus2 2883 2minus3 3004 2minus4 135 2minus5 26 2minus6 47 2minus10 138 2minus11 629 2minus12 610 2minus15 7011 2minus16 1112 2minus18 7013 2minus19 414 2minus20 215 2minus22 416 2minus24 1617 2minus26 418 2minus27 419 2minus30 1620 2minus31 421 2minus33 822 2minus35 6023 2minus37 2124 2minus39 2525 2minus41 4826 2minus43 10327 2minus44 428 2minus46 729 2minus48 5430 2minus49 431 2minus50 2
Table 9Minimal number of active S-boxes from linear approxima-tion
Number of active S-boxesReference Rounds
1 2 3 4 5[12] 0 1 4 9 13Section 41 0 1 2 3 3
(0 0 lowast lowast) 119875119903=1997888rarr31-119903119900119906119899119889
(lowast lowast 0 0) However the probabilityof the output difference to be (lowast lowast 0 0) is 119875119903119903119886119899119889119900119898 =
2minus32 for random permutations when the input differenceis (0 0 lowast lowast) So 4 pairs of plaintexts are chosen which are(119875119894 1198751015840119894 ) (0 le 119894 le 3) and 119875119894 oplus 1198751015840119894 = (0 0 lowast lowast) and thecorresponding ciphertexts (119862119894 119862
1015840119894 ) are checked to determine
whether they satisfy 119862119894 oplus 1198621015840119894 = (lowast lowast 0 0) The probabilityof obtaining such inputoutput differences is 1 for NUXwhile it is 2minus128 for a random permutation Therefore wecan distinguish NUX from a random permutation Besidesthere is another distinguisher with probability 1 which is(lowast lowast 0 0) 119875119903=1997888rarr
31-119903119900119906119899119889(0 0 lowast lowast) and can be used to perform a
distinguishing attack like the one described before So we willnot explore it here
Since only 4 pairs of plaintexts are used in the distinguish-ing attack the data complexity is 8 And the attack needs nostorage In other words the complexity of memory is 0 Thetime complexity is 8 31-round encryptions
6 Conclusions
NUX is a 31-round iterative ultralightweight cipher whichis suitable for extremely constrained environment and isapplied to the Internet of Things In this paper differentialand linear trails are searched for 1sim31-round NUX which arebetter than those proposed in design specification Moreovera key-recovery attack on 29-round NUX is given with the 22-round differential characteristic found in the paper whosetime data and memory complexities are 212173 29-roundencryptions and 261 and 296 bytes respectively Meanwhileusing 22-round differential characteristic obtained in thepaper 29-round differential attack is performed with timedata and memory complexities to be 2126 25-round encryp-tions and 2637 and 270 bytes respectively Furthermore adistinguishing attack can be implemented on full NUX withdata complexity 8 Results in this paper are the best ones onNUX till now
Data Availability
All the data are obtained by our programs and can beprovided to interested readers by email
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This work has been supported by National CryptographyDevelopment Fund (no MMJJ20170102) the National
Security and Communication Networks 11
Table 10 19-Round linear approximation of NUX
Rounds 119894 Γ4119894 Γ3119894 Γ2119894 Γ1119894 Bias0 0000 1040 0000 0000 2minus1
1 0000 0000 0000 0500 2minus2
2 0001 4040 0000 0000 2minus2
3 0000 0000 0020 0600 2minus2
4 5100 0440 0000 0000 2minus4
5 0000 0000 8404 2028 2minus3
6 100a a080 0000 0000 2minus3
7 0000 0000 0206 3000 2minus3
8 000a 2002 0000 0000 2minus2
9 0000 0000 0202 0800 2minus2
10 000a 0020 0000 0000 2minus2
11 0000 0000 0202 4010 2minus3
12 a000 0a00 0000 0000 2minus2
13 0000 0000 4040 0200 2minus2
14 1400 0400 0000 0000 2minus3
15 0000 0000 0084 0448 2minus3
16 01c3 8048 0000 0000 2minus4
17 0000 0000 9023 0180 2minus2
18 d800 4004 0000 0000 2minus3
19 0000 0000 044c 24af lowast
Natural Science Foundation of China (nos 6157229361502276 and 61692276) the National Natural ScienceFoundation of Shandong Province China (ZR2016FM22)Major Scientific and Technological Innovation Projectsof Shandong Province China (2017CXGC0704) andFundamental Research Fund of Shandong Academy ofSciences (no 201812-16)
References
[1] A A Bogdanov L R Knudsen G Leander et al ldquoAn ultra-lightweight block cipherrdquo in Proceedings of the CryptographicHardware and Embedded Systems (CHES 2007) P Paillier andI Verbauwhede Eds vol 4727 of Lecture Notes in ComputerScience LNCS pp 450ndash466 Springer 2007
[2] W Wu and L Zhang ldquoLBlock a lightweight block cipherrdquoin Proceedings of the 9th International Conference on AppliedCryptography and Network Security (ACNS 2011) J Lopez andG Tsudik Eds vol 6715 of Lecture Notes in Computer Sciencepp 327ndash344 Springer Heidelberg Germany 2011
[3] J Borghoff A Canteaut T Guneysu et al ldquoPRINCE-A lowlatency block cipher for pervasive computing applicationsrdquo inProceedings of the the 25th Annual International Conferenceon the eory and Application of Cryptology and InformationSecurity (ASIACRYPT 2012) X Wang and K Sako Edsvol 7658 of Lecture Notes in Computer Science pp 208ndash225Springer Heidelberg Germany 2012
[4] E Biham and A Shamir ldquoDifferential cryptanalysis of DES-likecryptosystemsrdquo Journal of Cryptology vol 4 no 1 pp 3ndash721991
[5] M Matsui ldquoLinear cryptanalysis method for DES cipherrdquo inProceedings of the Workshop on the eory and Application ofof Cryptographic Techniques (EUROCRYPT 1993) T Helleseth
Ed vol 765 of Lecture Notes in Computer Science pp 386ndash397Springer 1993
[6] A G Bafghi R Safabakhsh and B Sadeghiyan ldquoFindingthe differential characteristics of block ciphers with neuralnetworksrdquo Information Sciences vol 178 no 15 pp 3117ndash31312008
[7] H M Heys and S E Tavares ldquoSubstitution-permutation net-works resistant to differential and linear cryptanalysisrdquo Journalof Cryptology e Journal of the International Association forCryptologic Research vol 9 no 1 pp 1ndash19 1996
[8] G Jakimoski and L Kocarev ldquoDifferential and linear probabili-ties of a block-encryption cipherrdquo IEEE Transactions on Circuitsand Systems I Fundamentaleory andApplications vol 50 no1 pp 121ndash123 2003
[9] J Kim and R C-W Phan ldquoAdvanced differential-style crypt-analysis of the NSArsquos Skipjack block Cipherrdquo Cryptologia vol33 no 3 pp 246ndash270 2009
[10] F Sano K Ohkuma H Shimizu and S Kawamura ldquoOnthe security of nested SPN cipher against the differential andlinear cryptanalysisrdquo IEICE Transactions on Fundamentals ofElectronics Communications andComputer Sciences vol 86 no1 pp 37ndash46 2003
[11] B-Z Su W-L Wu and W-T Zhang ldquoSecurity of the SMS4block cipher against differential cryptanalysisrdquo Journal of Com-puter Science and Technology vol 26 no 1 pp 130ndash138 2011
[12] G Bansod S Sutar A Patil and J Patil ldquoNUX a lightweightblock cipher for security at wireless sensor node level Worldacademy of science engineering and technologyrdquo InternationalJournal of Bioengineering and Life Sciences vol 5 no 1 2018
[13] AA Selcuk ldquoOn probability of success in linear anddifferentialcryptanalysisrdquo Journal of Cryptology e Journal of the Interna-tional Association for Cryptologic Research vol 21 no 1 pp 131ndash147 2008
12 Security and Communication Networks
[14] A Bogdanov and E Tischhauser ldquoOn the wrong key randomi-sation and key equivalence hypotheses in Matsuirsquos algorithm 2rdquoin Proceedings of the International Workshop on Fast So13wareEncryption (FSE 2013) S Moriai Ed vol 8424 of Lecture Notesin Computer Science pp 19ndash38 Springer 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
2 Security and Communication Networks
Table 1 Comparison of tails on NUX
Method Rounds Probabilitybias Reference
Differential25 2minus90 [12]25 2minus71 Section 3131 2minus88 Section 31
Linear25 2minus66 [12]25 2minus41 Section 4131 2minus50 Section 41
Table 2 Summary of attacks on NUX
Attack type Rounds Time Date Memory (Bytes) Reference
Differential 25 - 290 - [12]29 212173 261 296 Section 32
Linear 25 - 2132 - [12]25 2126 2637 270 Section 42
Distinguishing 31 8 8 0 Section 5
In terms of security they expected that NUX could resistdifferentiallinear analysis They examined the resistance ofNUX against differentiallinear cryptanalysis At last theyshowed thatNUXcipherwith no less than 25 round is enoughto resist linear or differential attack Besides a biclique attackon NUX is presented in [12]
Our Contribution
(i) 1sim31-round differential characteristics of NUX aresearched for and 10 25-round differential characteris-tics are found with probability 2minus71 which are betterthan the one with probability limitation 2minus90 given inthe design script shown in Table 1
(ii) The resistance to the linear analysis for 1 sim 31-round NUX is examined and 48 25-round linearapproximations are presented with absolute value ofbias to be 2minus41 better than the limitation on biaspresented in the design script which is 2minus66 depictedin Table 1
(iii) For full NUX the probability of the best differentialcharacteristic is 2minus88 and the absolute value of biasfor the best linear approximation is 2minus50 which aredescribed in Table 1
(iv) Using 22-round differential characteristic with prob-ability 2minus58 obtained in this paper 29-round differen-tial attack is performed with time data and memorycomplexity to be 212173 29-round encryptions and 261and 296 bytes respectively Furthermore based on a19-round linear approximation with bias to be 2minus3025-round linear attack is executed with time complex-ity 2126 25-round encryptions data complexity 2637andmemory complexity 270 bytes Till now these twoattacks are the best differential attack and best linearattack respectively A summary of our attacks is givenin Table 2
(v) Utilizing the property of difference propagationthrough NUX distinguishing attack can be imple-mented on full NUX with data complexity 8 whichis depicted in Table 2
The organization of the paper is as follows The notationsand description of NUX are given in Section 2 Section 3shows the differential characteristics and differential attackon 29-round NUX In Section 4 the linear approximationsand linear attack on 25-roundNUX are introduced Section 5describes distinguishing attacks between full NUX and ran-dom permutations Finally Section 6 concludes the paper
2 Preliminaries
This section will list notations and operations used in thispaper and describe NUX
21 Notations and Operations
(i) 0 1119899 The set of strings with 119899 bits length(ii) 119909[119894] The 119894-th bit of 119909 if 119909 isin 0 1119899(iii) 119909[119894 119895] The 119895-th bit to 119894-th bit of 119909 if 119909 isin 0 1119899(iv) 119909[119894 119895] The 119894-th and 119895-th bits of 119909 if 119909 isin 0 1119899(v) 119909 119910 Concatenation of 119909 and 119910 if 119909 119910 isin 0 1119899(vi) ⋙ Right cyclic shift operation(vii) ⋘ Left cyclic shift operation(viii) oplus XOR operation
22 Description of NUX NUX is a 31-round ultralightweightcipher based on generalized Feistel network It supports a keylength of 12880 bits and a block length of 64 bits The roundfunction is illustrated in Figure 1
There are two F-functions 1198651 and 1198652 which are con-structed by four 4 times 4 S-boxes and a circular shift operator
Security and Communication Networks 3
Table 3 S-box used in NUX
x 0 1 2 3 4 5 6 7 8 9 a b c d e fS(x) e 7 8 4 1 9 2 f 5 a b 0 6 c d 3
Table 4 Bit permutation table P in NUX
i 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15P(i) 15 11 7 3 2 14 10 6 5 1 13 9 8 4 0 12
ltltlt 8
S-Box gtgtgt3
gtgtgt3
S-Boxltltlt8
P P P P
rki
X4i
F2
X3i
X2i
F1
X1i
X4i+1 X
3i+1 X
2i+1 X
1i+1
rkrsquoi
Figure 1 The round function of NUX
The S-box is represented in Table 3 Then 1198651 and 1198652 can bedepicted as follows
1198651 (119909) = 119878 (119909 [7 4]) 119878 (119909 [3 0]) 119878 (119909 [15 12])
119878 (119909 [11 8])
1198652 (119909) = 119878 (119909 [2 0] 119909 [15]) 119878 (119909 [14 11])
119878 (119909 [10 7]) 119878 (119909 [6 3])
(1)
The 64-bit input of the 119894-th round 119883119894 is divided into 4blocks of 16 bits named 1198834119894 119883
3119894 1198832119894 and 119883
1119894 respectively
119883119894 = 1198834119894 1198833119894 1198832119894 1198831119894 (2)
and then there are the following formulas
1198834119894+1 = 119875 (1198832119894 )
1198833119894+1 = 119875 ((1198831119894 ⋙ 3) oplus 1198651 (119883
2119894 ) oplus 119903119896
1015840119894)
1198832119894+1 = 119875 ((1198834119894 ⋘ 8) oplus 1198652 (119883
3119894 ) oplus 119903119896119894)
1198831119894+1 = 119875 (1198833119894 )
(3)
where 119875 is a 16-bit permutation which is depicted in Table 4After 31 rounds the ciphertext will be acquired as 119883431
119883331 119883231 119883
131 The key schedule is omitted and interested
readers are referred to [12] for more details about NUX
3 Differential Attack on 29-Round NUX
In this section how to search for differential characteristicsof NUX will be described And then a key-recovery attack isconducted on 29-round NUX
31 Differential Characteristics of NUX To search for thedifferential characteristic of NUX the different propagationbetween round functions should be considered And howdifferences propagate through S-boxes should also be takeninto account When a difference passes through an S-box theoutput difference and probability are determined by lookingup the XOR difference distribution table (DDT) of theS-box
Algorithm 1 is designed to search for differential char-acteristics of NUX and notations used in this algorithmare depicted in Figure 2 From the structure of NUX it isobvious that the probability of one round can be 1 thatis all the 8 S-boxes are passive So a special 119899 minus 1-rounddifferential characteristic (Δ30 = Δ
20 = 0) is chosen and one-
round differential characteristic with probability 1 is addedto catch 119899-round differential characteristics Meanwhile Δ4119894and Δ3119894 which lie in the two branches on the left side will notaffect Δ2119894 and Δ
1119894 the two branches on the right side during
propagation in NUX So differences of two branches on theleft or right are set to 0 and the difference propagation in theother two branches will be focused on during the encryptionprocess In this way the number of active S-boxes is always no
4 Security and Communication Networks
ltltlt 8
S-Box gtgtgt3
gtgtgt3
S-Boxltltlt8
P P P P
rki
Δ4
i
F1F2
Δ3
i Δ2
iΔ
1
i
Δ9l
iΔ8
l
iΔ9
ℎ
iΔ8
ℎ
i
Δ4
i+1Δ
3
i+1Δ
2
i+1Δ
1
i+1
rkrsquoi
Figure 2 Differential representation of NUX
Input S-box 119878 Probability threshold 119875119903119871119894119898[30]Output A differential trail with the best probability(1) Generate the DDT of S-box(2) Store all 2 4 and the corresponding inputoutput differences in DDT in the table 119863119863119879119875(3) for Each of 8 S-boxes in the first round do(4) for all non-zero entities in DDT do(5) if S-box is in 1198652 then(6) Δ31 = Δ119883
ℎ1 ⋘ 3 Δ41 = Δ
21 = Δ
11 = 0
(7) Store them in 119877119894119899[1](8) else(9) Δ21 = Δ119883
1198971⋙ 8 Δ41 = Δ
31 = Δ
11 = 0
(10) Store them in 119877119894119899[1](11) CalculateΔ40 Δ
30 Δ20 Δ10 and store them in 119877119894119899[0]
(12) CalculateΔ42 Δ32 Δ22 Δ12 and store them in 119877119894119899[2]
(13) The probability is recorded as 119875119903[1](14) for 119894 larr997888 2 to 30 do(15) if Δ4119894 = Δ
3119894 = 0 then
(16) Δ119883119897119894 = Δ2119894 ⋘ 8
(17) Travel119863119863119879119875 to get Δ119884119897119894 and its corresponding probability 119875119903119877119899119889
(18) else if Δ2119894 = Δ1119894 = 0 then
(19) Δ119883ℎ119894 = Δ3119894 ⋙ 3
(20) Travel119863119863119879119875 to get Δ119884ℎ119894 and the corresponding probability 119875119903119877119899119889
(21) Keep 119875119903[119894 minus 1] times 119875119903119877119899119889 which greater than threshold 119875119903119871119894119898[119894](22) CalculateΔ4119894+1 Δ
3119894+1 Δ2119894+1 Δ1119894+1 and store them in 119877119894119899[119894 + 1]
(23) 119875119903[119894] lArr997904 119875119903[119894 minus 1] times 119875119903119877119899119889(24) for Each of 8 S-boxes in the first round do(25) for all non-zero entities in DDT do(26) Find the largest 119875119903[119894] and store it in 119875119903119872119886119909[119894](27) Output different characteristics with probability 119875119903119872119886119909[119894]
Algorithm 1 Algorithm for differential characteristic on NUX
more than 4 in one round which can make the probability ofthe differential characteristic as large as possible The resultsof our search algorithm are listed in Table 5
Furthermore the minimal numbers of active S-boxes of1sim5-round differential characteristics are shown in the designmanuscript [12] So the minimal number of active S-boxes isalso studied and the minimum active S-boxes of 4 5-round
differential characteristics are less than the ones given in [12]which are presented in Table 6
32 Differential Attack on NUX A 22-round differentialcharacteristic is chosen with probability to be 2minus58 which isshown in Table 7 and 7 rounds are extended forward Thedescription is given in Figure 3 There are Δ40 = 01199090400
Security and Communication Networks 5
Table 5 Differential characteristics of NUX
Rounds Probability Number of tails2 2minus2 1923 2minus4 564 2minus6 45 2minus7 16 2minus9 27 2minus11 28 2minus15 89 2minus15 110 2minus20 1611 2minus24 2412 2minus28 413 2minus31 814 2minus37 415 2minus41 1816 2minus45 217 2minus46 118 2minus49 419 2minus52 420 2minus53 221 2minus58 4822 2minus58 223 2minus63 3224 2minus67 4925 2minus71 1026 2minus73 427 2minus75 428 2minus79 1629 2minus79 230 2minus84 3231 2minus88 48
Table 6 Minimal number of active S-boxes from differentialcharacteristic
Number of active S-boxesReference Rounds
1 2 3 4 5[12] 0 1 2 5 9Section 31 0 1 2 3 3
Δ322 = 01199092080 and Δ30 = Δ20 = Δ10 = Δ422 = Δ222 = Δ122 =01199090000 according to the 22-round differential distinguisherThen Δ423 = Δ323 = 01199090000 Δ123 = 01199090050 and Δ223 satisfythe form as (00 lowast lowast lowast 00 lowast lowastlowast 000 lowast lowast0) where lowast isin 0 1 canbe deduced And the output difference of the 28-th round isΔ429 = Δ329 = 01199090000 119883223 119883
21015840
23 119883123 and 119883
11015840
23 can be gottenby 6-round decryption So 119903119896101584023 11990311989624 119903119896
101584025 11990311989626 119903119896
101584027 and 11990311989628
should be guessed and denoted by 119870119892119906119890119904119904 The attack processis described as follows
(1) Collect119873 pairs of plaintext (119875 1198751015840) satisfying 119875oplus1198751015840 =(Δ40 Δ
30 Δ20 Δ10) and their corresponding ciphertext
pairs (119862 1198621015840)(2) Initialize 232 countersV[0]V[1] V[232minus1] and
reset them(3) For each plaintext pair (119875 1198751015840) check whether its
ciphertext pair (119862 1198621015840) satisfies (119862 oplus 1198621015840)[63 32] =011990900000000 If the ciphertext pair meets the formula119909 = (119862 oplus 1198621015840)[31 0] andV[119909] + +
(4) Initialize 296 counters V119896[0]V119896[1] V119896[296 minus 1]
and reset them(5) Guess 96-bit key 119870119892119906119890119904119904 and decrypt 119909 to obtain 119883223
11988321015840
23119883123 and119883
11015840
23 Checkwhether119883223oplus11988321015840
23 and119883123oplus
11988311015840
23 are equal to Δ223 and Δ123 If the conditions are
met then let 119910 = 119883223 11988321015840
23 119883123 119883
11015840
23
(6) Use 119910 to calculate 119883422 oplus 11988341015840
22 and 119883322 oplus 119883
31015840
22 If 119883422 oplus
11988341015840
22 = Δ422 and 119883
322 oplus 119883
31015840
22 = Δ322V119896[119870119892119906119890119904119904] + +
(7) Set advantage 119886 to be 51 which implies that thetop 245 absolute values in V119896 are kept For eachremaining key we guess the remaining 58-bit subkeyand calculate the master key Finally we test the keyby trail encryptions
If set 119873 = 260 then about 228 pieces of data enter step(5) which means 2124 6-round encryptions that is 21217 29-round encryptions The complexity of step (7) is 2103 29-round encryptions So the total time complexity of this attackis about 212173 29-round encryptions
The countersV119896 require storing 296 bytes so the memory
complexity for the attack is 296 bytes The data complexity is261
The success rate 119875119878 = Φ((radic119901119873119878119873 minus Φminus1(1 minus2minus119886))radic119878119873 + 1) = 9871 by [13]
4 Linear Attack on 25-Round NUX
Linear approximations of NUX are searched for in thissection and the 25-round key-recovery attack is performedon NUX using a 19-round linear approximation
41 Linear Approximations of NUX To search for linearapproximations of NUX how masks propagate through S-boxes should be taken into account When a mask passesthrough an S-box the linear approximation table (LAT) ofthe S-box is looked up to determine the outputmask and biasAlgorithm 2 searches for linear approximations of NUX andnotations used in this algorithm are depicted in Figure 4
The bias of one round can be 12 which can be obtainedfrom the structure of NUX that is all the 8 S-boxes arepassive So special (119899 minus 1)-round linear approximations arechosen which satisfy (Γ40 = Γ10 = 0) and one-roundlinear approximation with bias 1 is added to catch 119899-roundlinear approximations Similar to searching for differentialcharacteristics there is only one active S-box in the first
6 Security and Communication Networks
Table 7 22-Round differential characteristic of NUX
Rounds 119894 Δ4119894 Δ3119894 Δ2119894 Δ1119894 Probability0 0400 0000 0000 0000 11 0000 0000 0080 0000 2minus3
2 0040 0001 0000 0000 2minus2
3 0000 0000 0010 8000 2minus3
4 0004 1000 0000 0000 2minus2
5 0000 0000 0002 0100 2minus2
6 0800 6002 0000 0000 2minus5
7 0000 0000 003b 0811 2minus5
8 c80c 2b30 0000 0000 2minus7
9 0000 0000 0480 4236 2minus5
10 2040 0600 0000 0000 2minus3
11 0000 0000 0005 2002 2minus2
12 8080 0003 0000 0000 2minus2
13 0000 0000 0040 8800 2minus2
14 0400 0030 0000 0000 2minus2
15 0000 0000 0008 4004 2minus3
16 0008 3000 0000 0000 2minus2
17 0000 0000 0000 0110 118 0000 4800 0000 0000 2minus3
19 0000 0000 0020 0201 2minus2
20 4000 0500 0000 0000 2minus3
21 0000 0000 0000 2020 122 0000 2080 0000 0000 lowast
round of 119899 minus 1 rounds Meanwhile Γ4119894 and Γ3119894 which liein the two branches on the left side will not affect Γ2119894 andΓ1119894 the two branches on the right side during propagationin NUX So the linear propagation on the left or right istaken into consideration and differences of the other twobranches are set to 0 In this way the number of active S-boxes is always nomore than 4 in one round which canmakethe absolute value of the linear approximation bias as largeas possible The results of the search algorithm are listed inTable 8
Moreover the minimal numbers of active S-boxes of1sim5-round linear approximations are shown in the designmanuscript [12] And the minimal number of active S-boxesis also considered and the minimum active S-boxes of 3sim5-round linear approximations are less than the ones given in[12] which are presented in Table 9
42 Linear Attack on NUX Utilizing obtained linear approx-imations a key-recovery attack can be applied to 25-roundNUX using a 19-round linear approximation with bias 2minus30which is described in Table 10 The 19-round linear approx-imation is put from the 4th to the 22th round of NUXextending 3 rounds both backward and forward The 25-round key-recovery attack is shown in Figure 5
According to the linear approximation there are Γ43 =Γ23 = Γ
13 = Γ
422 = Γ322 = 01199090000 Γ
33 = 01199091040 Γ
222 = 0119909044119888
and Γ122 = 011990924119886119891 Furthermore the following formula canbe gotten
Γ43 sdot 11988343 oplus Γ33 sdot 11988333 oplus Γ22 sdot 11988323 oplus Γ13 sdot 11988313 oplus Γ422 sdot 119883422 oplus Γ
322
sdot 119883322 oplus Γ222 sdot 119883222 oplus Γ
122 sdot 119883122 = Γ
33 sdot 11988333 oplus Γ222 sdot 119883222
oplus Γ122 sdot 119883122 = 120581
(4)
where 11988333 can be calculated through 3-round encryptionby guessing 26-bit subkeys which are denoted by 119870119887119890119891119900119903119890including 11990311989610158400 1199031198961[15 13 10 8 7 5 2 0] and 11990311989610158402[15 7]Besides 119883222 and 119883
122 are obtained by 3-round decryption
which involves 40-bit subkeys namely 119903119896101584022[15 1413 10 7 4 2 0] 11990311989623 and 119903119896101584024 For the sake of simplicity119903119896101584022[15 14 13 10 7 4 2 0] and 11990311989623 are denoted by 119870119898119894119889 Inthe following the attack process is depicted
(1) Collect119873 plaintextciphertext pairs(2) Initialize 266 counters V0[0]V0[1] V0[2
66 minus 1]and reset them
(3) Guess 26-bit key 119870119887119890119891119900119903119890(4) For each plaintextciphertext pair calculate 119909 =
11988333[12 6] 1198624 1198623 1198622 1198621 ThenV0[119909] + +
(5) Initialize 234 counters V1[0]V1[1] V1[234 minus 1]and reset them
Security and Communication Networks 7
gtgtgt3 ltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
22-round Differential Distinguisher
S-BoxS-Box
X30 X
20 X
10X
40
X322 X
222 X
122X
422
X323 X
223 X
123X
423
X324 X
224 X
124X
424
X325 X
225 X
125X
425
X326 X
226 X
126X
426
X327 X
227 X
127X
427
X328 X
228 X
128X
428
X329 X
229 X
129X
429
rk22
rk23
rk24
rk25
rk26
rk27
rk28
rkrsquo22
rkrsquo23
rkrsquo24
rkrsquo25
rkrsquo26
rkrsquo27
rkrsquo28
Figure 3 Differential attack of 29-round NUX
(6) Guess 16-bit key 119903119896101584024(7) For every 119909 calculate 119910 = 11988333[12 6] 119883
224 119883
124
ThenV1[119910]+ = V0[119909](8) Initialize 266 counters V119896[0]V119896[1] V119896[266 minus 1]
and reset them
(9) Guess 24-bit key 119870119898119894119889
(10) For every 119910 calculate 119883222[10 6 3 2] and 119883222[13 10
7 5 3 2 1 0] Then compute 119911 = Γ33 sdot 11988333 oplus Γ222 sdot 119883222 oplus
Γ122 sdot 119883122 If 119911 = 0 thenV119896[119870119887119890119891119900119903119890 119903119896101584024 119870119898119894119889]+ =
V1[119910] otherwise decrease the counter byV1[119910]
8 Security and Communication Networks
Input S-box 119878 Bias threshold 120598119871119894119898[30]Output A linear approximation with the best biasDataThe number of active S-boxes in i rounds 119878119886119888119905119894V119890[119894]
The number of active S-boxes of the i-th round 119878119894119886119888119905119894V119890(1) Generate the LAT of S-box(2) Store all 2 4 and the corresponding inputoutput masks in LAT in the table 119871119860119879119875(3) for Each of 8 S-boxes in the first round do(4) for all non-zero entities in LAT do(5) if S-box is in 1198652 then(6) Γ41 = Γ119884
ℎ1 ⋙ 8 Γ31 = Γ
21 = Γ11 = 0
(7) Store them in 119877119894119899[1](8) else(9) Γ11 = Γ119884
1198971⋘ 3 Γ41 = Γ
31 = Γ21 = 0
(10) Store them in 119877119894119899[1](11) Calculate Γ40 Γ
30 Γ20 Γ10 and store them in 119877119894119899[0]
(12) Calculate Γ42 Γ32 Γ22 Γ12 and store them in 119877119894119899[2]
(13) Update 119878119886119888119905119894V119890[1] to be 1(14) The bias is recorded as 120598[1](15) for 119894 larr997888 2 to 30 do(16) if Γ4119894 = Γ
3119894 = 0 then
(17) Γ119884119897119894 = Γ1119894 ⋙ 3
(18) Travel 119871119860119879119875 to get Γ119883119897119894 119878119894119886119888119905119894V119890 and its corresponding bias 120598119877119899119889
(19) else if Γ2119894 = Γ1119894 = 0 then
(20) Γ119884ℎ119894 = Γ4119894 ⋘ 8
(21) Travel 119871119860119879119875 to get Γ119883ℎ119894 119878119894119886119888119905119894V119890 and the corresponding bias 120598119877119899119889
(22) Compute the total bias and keep ones greater than threshold 120598119871119894119898[119894](23) Calculate Γ4119894+1 Γ
3119894+1 Γ2119894+1 Γ1119894+1 and store them in 119877119894119899[119894 + 1]
(24) Update the number of active S-boxes 119878119886119888119905119894V119890[119894] and bias 120598[119894](25) for Each of 8 S-boxes in the first round do(26) for all non-zero entities in DDT do(27) Find the largest 120598[119894] and store it in 120598119872119886119909[119894](28) Output linear approximations with bias 120598119872119886119909[119894]
Algorithm 2 Algorithm for linear approximations on NUX
ltltlt 8
S-Box gtgtgt3
gtgtgt3
S-Boxltltlt8
P P P P
rki
Γ4
i
F1F2
Γ3
iΓ2
iΓ1
i
ΓYℎ
iΓX
ℎ
i
Γ4
i+1Γ3
i+1Γ2
i+1Γ1
i+1
rkrsquoi
ΓXl
iΓY
l
i
Figure 4 Linear representation of NUX
(11) Set the advantage 119886 to be 17 which means that the top249 absolute values inV119896 are kept For each remainingkey we guess 77-bit subkey to determine the masterkey And then we test the key by trail encryptions
If 119873 = 2637 then the time complexity of step (3)step (5) and step (7) is about 2897 3-round encryption 21081-round decryption and 2100 2-round encryption respec-tively Besides the complexity of step (11) is 2126 25-round
Security and Communication Networks 9
gtgtgt3 ltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
19-round Linear Distinguisher
S-BoxS-Box
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
X30 X
20 X
10X
40
X322 X
222 X
122
X422
X323 X
223 X
123X
423
X324 X
224 X
124X
424
X325 X
225 X
125X
425
X33 X
23 X
13X
43
X32 X
22 X
12X
42
X31 X
21 X
11X
41
rk0
rk1
rkrsquo0
rkrsquo1
rk2 rkrsquo2
rk22 rkrsquo22
rk23 rkrsquo23
rk24 rkrsquo24
Figure 5 Linear attack of 25-round NUX
encryption Hence the total time complexity of this attack isabout 2126 25-round encryption
Both the counters V0 and V119896 need 269 bytes to store sothe memory complexity for the attack is 270 bytes The datacomplexity is 2637
The success rate 119875119878 = Φ(2radic119873 sdot |120598| minus radic1 + 1198732119899Φminus1(1 minus2minus119886minus1)) = 8821 by [14]
5 Distinguishing Attack on NUX
Generally speaking the distinguishing attack is a kind of testalgorithm which tries to perform the nonrandom behavior
in cryptographic system A distinguishing attack needs tofind a distinguisher which makes cryptographic algorithmdifferent from random permutation When analyzing NUXwe find a distinguisher with probability 1 that is a deter-ministic distinguisher to distinguish NUX from a randompermutation
In Section 3 it has been pointed out that the two brancheson the right side will not affect the two on the right sideduring difference propagation in NUX Then for the full-round NUX when the input difference (Δ40 Δ
30 Δ20 Δ10) is
(0 0 lowast lowast) the output difference (Δ431 Δ331 Δ231 Δ131) sat-
isfies the form of (lowast lowast 0 0) shown in Figure 6 that is
10 Security and Communication Networks
lowast lowast
lowast lowast00
00
31-round distinguisher
Figure 6 31-Round differential distinguisher of NUX
Table 8 Linear approximations of NUX
Rounds Bias Number of tails2 2minus2 2883 2minus3 3004 2minus4 135 2minus5 26 2minus6 47 2minus10 138 2minus11 629 2minus12 610 2minus15 7011 2minus16 1112 2minus18 7013 2minus19 414 2minus20 215 2minus22 416 2minus24 1617 2minus26 418 2minus27 419 2minus30 1620 2minus31 421 2minus33 822 2minus35 6023 2minus37 2124 2minus39 2525 2minus41 4826 2minus43 10327 2minus44 428 2minus46 729 2minus48 5430 2minus49 431 2minus50 2
Table 9Minimal number of active S-boxes from linear approxima-tion
Number of active S-boxesReference Rounds
1 2 3 4 5[12] 0 1 4 9 13Section 41 0 1 2 3 3
(0 0 lowast lowast) 119875119903=1997888rarr31-119903119900119906119899119889
(lowast lowast 0 0) However the probabilityof the output difference to be (lowast lowast 0 0) is 119875119903119903119886119899119889119900119898 =
2minus32 for random permutations when the input differenceis (0 0 lowast lowast) So 4 pairs of plaintexts are chosen which are(119875119894 1198751015840119894 ) (0 le 119894 le 3) and 119875119894 oplus 1198751015840119894 = (0 0 lowast lowast) and thecorresponding ciphertexts (119862119894 119862
1015840119894 ) are checked to determine
whether they satisfy 119862119894 oplus 1198621015840119894 = (lowast lowast 0 0) The probabilityof obtaining such inputoutput differences is 1 for NUXwhile it is 2minus128 for a random permutation Therefore wecan distinguish NUX from a random permutation Besidesthere is another distinguisher with probability 1 which is(lowast lowast 0 0) 119875119903=1997888rarr
31-119903119900119906119899119889(0 0 lowast lowast) and can be used to perform a
distinguishing attack like the one described before So we willnot explore it here
Since only 4 pairs of plaintexts are used in the distinguish-ing attack the data complexity is 8 And the attack needs nostorage In other words the complexity of memory is 0 Thetime complexity is 8 31-round encryptions
6 Conclusions
NUX is a 31-round iterative ultralightweight cipher whichis suitable for extremely constrained environment and isapplied to the Internet of Things In this paper differentialand linear trails are searched for 1sim31-round NUX which arebetter than those proposed in design specification Moreovera key-recovery attack on 29-round NUX is given with the 22-round differential characteristic found in the paper whosetime data and memory complexities are 212173 29-roundencryptions and 261 and 296 bytes respectively Meanwhileusing 22-round differential characteristic obtained in thepaper 29-round differential attack is performed with timedata and memory complexities to be 2126 25-round encryp-tions and 2637 and 270 bytes respectively Furthermore adistinguishing attack can be implemented on full NUX withdata complexity 8 Results in this paper are the best ones onNUX till now
Data Availability
All the data are obtained by our programs and can beprovided to interested readers by email
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This work has been supported by National CryptographyDevelopment Fund (no MMJJ20170102) the National
Security and Communication Networks 11
Table 10 19-Round linear approximation of NUX
Rounds 119894 Γ4119894 Γ3119894 Γ2119894 Γ1119894 Bias0 0000 1040 0000 0000 2minus1
1 0000 0000 0000 0500 2minus2
2 0001 4040 0000 0000 2minus2
3 0000 0000 0020 0600 2minus2
4 5100 0440 0000 0000 2minus4
5 0000 0000 8404 2028 2minus3
6 100a a080 0000 0000 2minus3
7 0000 0000 0206 3000 2minus3
8 000a 2002 0000 0000 2minus2
9 0000 0000 0202 0800 2minus2
10 000a 0020 0000 0000 2minus2
11 0000 0000 0202 4010 2minus3
12 a000 0a00 0000 0000 2minus2
13 0000 0000 4040 0200 2minus2
14 1400 0400 0000 0000 2minus3
15 0000 0000 0084 0448 2minus3
16 01c3 8048 0000 0000 2minus4
17 0000 0000 9023 0180 2minus2
18 d800 4004 0000 0000 2minus3
19 0000 0000 044c 24af lowast
Natural Science Foundation of China (nos 6157229361502276 and 61692276) the National Natural ScienceFoundation of Shandong Province China (ZR2016FM22)Major Scientific and Technological Innovation Projectsof Shandong Province China (2017CXGC0704) andFundamental Research Fund of Shandong Academy ofSciences (no 201812-16)
References
[1] A A Bogdanov L R Knudsen G Leander et al ldquoAn ultra-lightweight block cipherrdquo in Proceedings of the CryptographicHardware and Embedded Systems (CHES 2007) P Paillier andI Verbauwhede Eds vol 4727 of Lecture Notes in ComputerScience LNCS pp 450ndash466 Springer 2007
[2] W Wu and L Zhang ldquoLBlock a lightweight block cipherrdquoin Proceedings of the 9th International Conference on AppliedCryptography and Network Security (ACNS 2011) J Lopez andG Tsudik Eds vol 6715 of Lecture Notes in Computer Sciencepp 327ndash344 Springer Heidelberg Germany 2011
[3] J Borghoff A Canteaut T Guneysu et al ldquoPRINCE-A lowlatency block cipher for pervasive computing applicationsrdquo inProceedings of the the 25th Annual International Conferenceon the eory and Application of Cryptology and InformationSecurity (ASIACRYPT 2012) X Wang and K Sako Edsvol 7658 of Lecture Notes in Computer Science pp 208ndash225Springer Heidelberg Germany 2012
[4] E Biham and A Shamir ldquoDifferential cryptanalysis of DES-likecryptosystemsrdquo Journal of Cryptology vol 4 no 1 pp 3ndash721991
[5] M Matsui ldquoLinear cryptanalysis method for DES cipherrdquo inProceedings of the Workshop on the eory and Application ofof Cryptographic Techniques (EUROCRYPT 1993) T Helleseth
Ed vol 765 of Lecture Notes in Computer Science pp 386ndash397Springer 1993
[6] A G Bafghi R Safabakhsh and B Sadeghiyan ldquoFindingthe differential characteristics of block ciphers with neuralnetworksrdquo Information Sciences vol 178 no 15 pp 3117ndash31312008
[7] H M Heys and S E Tavares ldquoSubstitution-permutation net-works resistant to differential and linear cryptanalysisrdquo Journalof Cryptology e Journal of the International Association forCryptologic Research vol 9 no 1 pp 1ndash19 1996
[8] G Jakimoski and L Kocarev ldquoDifferential and linear probabili-ties of a block-encryption cipherrdquo IEEE Transactions on Circuitsand Systems I Fundamentaleory andApplications vol 50 no1 pp 121ndash123 2003
[9] J Kim and R C-W Phan ldquoAdvanced differential-style crypt-analysis of the NSArsquos Skipjack block Cipherrdquo Cryptologia vol33 no 3 pp 246ndash270 2009
[10] F Sano K Ohkuma H Shimizu and S Kawamura ldquoOnthe security of nested SPN cipher against the differential andlinear cryptanalysisrdquo IEICE Transactions on Fundamentals ofElectronics Communications andComputer Sciences vol 86 no1 pp 37ndash46 2003
[11] B-Z Su W-L Wu and W-T Zhang ldquoSecurity of the SMS4block cipher against differential cryptanalysisrdquo Journal of Com-puter Science and Technology vol 26 no 1 pp 130ndash138 2011
[12] G Bansod S Sutar A Patil and J Patil ldquoNUX a lightweightblock cipher for security at wireless sensor node level Worldacademy of science engineering and technologyrdquo InternationalJournal of Bioengineering and Life Sciences vol 5 no 1 2018
[13] AA Selcuk ldquoOn probability of success in linear anddifferentialcryptanalysisrdquo Journal of Cryptology e Journal of the Interna-tional Association for Cryptologic Research vol 21 no 1 pp 131ndash147 2008
12 Security and Communication Networks
[14] A Bogdanov and E Tischhauser ldquoOn the wrong key randomi-sation and key equivalence hypotheses in Matsuirsquos algorithm 2rdquoin Proceedings of the International Workshop on Fast So13wareEncryption (FSE 2013) S Moriai Ed vol 8424 of Lecture Notesin Computer Science pp 19ndash38 Springer 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Security and Communication Networks 3
Table 3 S-box used in NUX
x 0 1 2 3 4 5 6 7 8 9 a b c d e fS(x) e 7 8 4 1 9 2 f 5 a b 0 6 c d 3
Table 4 Bit permutation table P in NUX
i 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15P(i) 15 11 7 3 2 14 10 6 5 1 13 9 8 4 0 12
ltltlt 8
S-Box gtgtgt3
gtgtgt3
S-Boxltltlt8
P P P P
rki
X4i
F2
X3i
X2i
F1
X1i
X4i+1 X
3i+1 X
2i+1 X
1i+1
rkrsquoi
Figure 1 The round function of NUX
The S-box is represented in Table 3 Then 1198651 and 1198652 can bedepicted as follows
1198651 (119909) = 119878 (119909 [7 4]) 119878 (119909 [3 0]) 119878 (119909 [15 12])
119878 (119909 [11 8])
1198652 (119909) = 119878 (119909 [2 0] 119909 [15]) 119878 (119909 [14 11])
119878 (119909 [10 7]) 119878 (119909 [6 3])
(1)
The 64-bit input of the 119894-th round 119883119894 is divided into 4blocks of 16 bits named 1198834119894 119883
3119894 1198832119894 and 119883
1119894 respectively
119883119894 = 1198834119894 1198833119894 1198832119894 1198831119894 (2)
and then there are the following formulas
1198834119894+1 = 119875 (1198832119894 )
1198833119894+1 = 119875 ((1198831119894 ⋙ 3) oplus 1198651 (119883
2119894 ) oplus 119903119896
1015840119894)
1198832119894+1 = 119875 ((1198834119894 ⋘ 8) oplus 1198652 (119883
3119894 ) oplus 119903119896119894)
1198831119894+1 = 119875 (1198833119894 )
(3)
where 119875 is a 16-bit permutation which is depicted in Table 4After 31 rounds the ciphertext will be acquired as 119883431
119883331 119883231 119883
131 The key schedule is omitted and interested
readers are referred to [12] for more details about NUX
3 Differential Attack on 29-Round NUX
In this section how to search for differential characteristicsof NUX will be described And then a key-recovery attack isconducted on 29-round NUX
31 Differential Characteristics of NUX To search for thedifferential characteristic of NUX the different propagationbetween round functions should be considered And howdifferences propagate through S-boxes should also be takeninto account When a difference passes through an S-box theoutput difference and probability are determined by lookingup the XOR difference distribution table (DDT) of theS-box
Algorithm 1 is designed to search for differential char-acteristics of NUX and notations used in this algorithmare depicted in Figure 2 From the structure of NUX it isobvious that the probability of one round can be 1 thatis all the 8 S-boxes are passive So a special 119899 minus 1-rounddifferential characteristic (Δ30 = Δ
20 = 0) is chosen and one-
round differential characteristic with probability 1 is addedto catch 119899-round differential characteristics Meanwhile Δ4119894and Δ3119894 which lie in the two branches on the left side will notaffect Δ2119894 and Δ
1119894 the two branches on the right side during
propagation in NUX So differences of two branches on theleft or right are set to 0 and the difference propagation in theother two branches will be focused on during the encryptionprocess In this way the number of active S-boxes is always no
4 Security and Communication Networks
ltltlt 8
S-Box gtgtgt3
gtgtgt3
S-Boxltltlt8
P P P P
rki
Δ4
i
F1F2
Δ3
i Δ2
iΔ
1
i
Δ9l
iΔ8
l
iΔ9
ℎ
iΔ8
ℎ
i
Δ4
i+1Δ
3
i+1Δ
2
i+1Δ
1
i+1
rkrsquoi
Figure 2 Differential representation of NUX
Input S-box 119878 Probability threshold 119875119903119871119894119898[30]Output A differential trail with the best probability(1) Generate the DDT of S-box(2) Store all 2 4 and the corresponding inputoutput differences in DDT in the table 119863119863119879119875(3) for Each of 8 S-boxes in the first round do(4) for all non-zero entities in DDT do(5) if S-box is in 1198652 then(6) Δ31 = Δ119883
ℎ1 ⋘ 3 Δ41 = Δ
21 = Δ
11 = 0
(7) Store them in 119877119894119899[1](8) else(9) Δ21 = Δ119883
1198971⋙ 8 Δ41 = Δ
31 = Δ
11 = 0
(10) Store them in 119877119894119899[1](11) CalculateΔ40 Δ
30 Δ20 Δ10 and store them in 119877119894119899[0]
(12) CalculateΔ42 Δ32 Δ22 Δ12 and store them in 119877119894119899[2]
(13) The probability is recorded as 119875119903[1](14) for 119894 larr997888 2 to 30 do(15) if Δ4119894 = Δ
3119894 = 0 then
(16) Δ119883119897119894 = Δ2119894 ⋘ 8
(17) Travel119863119863119879119875 to get Δ119884119897119894 and its corresponding probability 119875119903119877119899119889
(18) else if Δ2119894 = Δ1119894 = 0 then
(19) Δ119883ℎ119894 = Δ3119894 ⋙ 3
(20) Travel119863119863119879119875 to get Δ119884ℎ119894 and the corresponding probability 119875119903119877119899119889
(21) Keep 119875119903[119894 minus 1] times 119875119903119877119899119889 which greater than threshold 119875119903119871119894119898[119894](22) CalculateΔ4119894+1 Δ
3119894+1 Δ2119894+1 Δ1119894+1 and store them in 119877119894119899[119894 + 1]
(23) 119875119903[119894] lArr997904 119875119903[119894 minus 1] times 119875119903119877119899119889(24) for Each of 8 S-boxes in the first round do(25) for all non-zero entities in DDT do(26) Find the largest 119875119903[119894] and store it in 119875119903119872119886119909[119894](27) Output different characteristics with probability 119875119903119872119886119909[119894]
Algorithm 1 Algorithm for differential characteristic on NUX
more than 4 in one round which can make the probability ofthe differential characteristic as large as possible The resultsof our search algorithm are listed in Table 5
Furthermore the minimal numbers of active S-boxes of1sim5-round differential characteristics are shown in the designmanuscript [12] So the minimal number of active S-boxes isalso studied and the minimum active S-boxes of 4 5-round
differential characteristics are less than the ones given in [12]which are presented in Table 6
32 Differential Attack on NUX A 22-round differentialcharacteristic is chosen with probability to be 2minus58 which isshown in Table 7 and 7 rounds are extended forward Thedescription is given in Figure 3 There are Δ40 = 01199090400
Security and Communication Networks 5
Table 5 Differential characteristics of NUX
Rounds Probability Number of tails2 2minus2 1923 2minus4 564 2minus6 45 2minus7 16 2minus9 27 2minus11 28 2minus15 89 2minus15 110 2minus20 1611 2minus24 2412 2minus28 413 2minus31 814 2minus37 415 2minus41 1816 2minus45 217 2minus46 118 2minus49 419 2minus52 420 2minus53 221 2minus58 4822 2minus58 223 2minus63 3224 2minus67 4925 2minus71 1026 2minus73 427 2minus75 428 2minus79 1629 2minus79 230 2minus84 3231 2minus88 48
Table 6 Minimal number of active S-boxes from differentialcharacteristic
Number of active S-boxesReference Rounds
1 2 3 4 5[12] 0 1 2 5 9Section 31 0 1 2 3 3
Δ322 = 01199092080 and Δ30 = Δ20 = Δ10 = Δ422 = Δ222 = Δ122 =01199090000 according to the 22-round differential distinguisherThen Δ423 = Δ323 = 01199090000 Δ123 = 01199090050 and Δ223 satisfythe form as (00 lowast lowast lowast 00 lowast lowastlowast 000 lowast lowast0) where lowast isin 0 1 canbe deduced And the output difference of the 28-th round isΔ429 = Δ329 = 01199090000 119883223 119883
21015840
23 119883123 and 119883
11015840
23 can be gottenby 6-round decryption So 119903119896101584023 11990311989624 119903119896
101584025 11990311989626 119903119896
101584027 and 11990311989628
should be guessed and denoted by 119870119892119906119890119904119904 The attack processis described as follows
(1) Collect119873 pairs of plaintext (119875 1198751015840) satisfying 119875oplus1198751015840 =(Δ40 Δ
30 Δ20 Δ10) and their corresponding ciphertext
pairs (119862 1198621015840)(2) Initialize 232 countersV[0]V[1] V[232minus1] and
reset them(3) For each plaintext pair (119875 1198751015840) check whether its
ciphertext pair (119862 1198621015840) satisfies (119862 oplus 1198621015840)[63 32] =011990900000000 If the ciphertext pair meets the formula119909 = (119862 oplus 1198621015840)[31 0] andV[119909] + +
(4) Initialize 296 counters V119896[0]V119896[1] V119896[296 minus 1]
and reset them(5) Guess 96-bit key 119870119892119906119890119904119904 and decrypt 119909 to obtain 119883223
11988321015840
23119883123 and119883
11015840
23 Checkwhether119883223oplus11988321015840
23 and119883123oplus
11988311015840
23 are equal to Δ223 and Δ123 If the conditions are
met then let 119910 = 119883223 11988321015840
23 119883123 119883
11015840
23
(6) Use 119910 to calculate 119883422 oplus 11988341015840
22 and 119883322 oplus 119883
31015840
22 If 119883422 oplus
11988341015840
22 = Δ422 and 119883
322 oplus 119883
31015840
22 = Δ322V119896[119870119892119906119890119904119904] + +
(7) Set advantage 119886 to be 51 which implies that thetop 245 absolute values in V119896 are kept For eachremaining key we guess the remaining 58-bit subkeyand calculate the master key Finally we test the keyby trail encryptions
If set 119873 = 260 then about 228 pieces of data enter step(5) which means 2124 6-round encryptions that is 21217 29-round encryptions The complexity of step (7) is 2103 29-round encryptions So the total time complexity of this attackis about 212173 29-round encryptions
The countersV119896 require storing 296 bytes so the memory
complexity for the attack is 296 bytes The data complexity is261
The success rate 119875119878 = Φ((radic119901119873119878119873 minus Φminus1(1 minus2minus119886))radic119878119873 + 1) = 9871 by [13]
4 Linear Attack on 25-Round NUX
Linear approximations of NUX are searched for in thissection and the 25-round key-recovery attack is performedon NUX using a 19-round linear approximation
41 Linear Approximations of NUX To search for linearapproximations of NUX how masks propagate through S-boxes should be taken into account When a mask passesthrough an S-box the linear approximation table (LAT) ofthe S-box is looked up to determine the outputmask and biasAlgorithm 2 searches for linear approximations of NUX andnotations used in this algorithm are depicted in Figure 4
The bias of one round can be 12 which can be obtainedfrom the structure of NUX that is all the 8 S-boxes arepassive So special (119899 minus 1)-round linear approximations arechosen which satisfy (Γ40 = Γ10 = 0) and one-roundlinear approximation with bias 1 is added to catch 119899-roundlinear approximations Similar to searching for differentialcharacteristics there is only one active S-box in the first
6 Security and Communication Networks
Table 7 22-Round differential characteristic of NUX
Rounds 119894 Δ4119894 Δ3119894 Δ2119894 Δ1119894 Probability0 0400 0000 0000 0000 11 0000 0000 0080 0000 2minus3
2 0040 0001 0000 0000 2minus2
3 0000 0000 0010 8000 2minus3
4 0004 1000 0000 0000 2minus2
5 0000 0000 0002 0100 2minus2
6 0800 6002 0000 0000 2minus5
7 0000 0000 003b 0811 2minus5
8 c80c 2b30 0000 0000 2minus7
9 0000 0000 0480 4236 2minus5
10 2040 0600 0000 0000 2minus3
11 0000 0000 0005 2002 2minus2
12 8080 0003 0000 0000 2minus2
13 0000 0000 0040 8800 2minus2
14 0400 0030 0000 0000 2minus2
15 0000 0000 0008 4004 2minus3
16 0008 3000 0000 0000 2minus2
17 0000 0000 0000 0110 118 0000 4800 0000 0000 2minus3
19 0000 0000 0020 0201 2minus2
20 4000 0500 0000 0000 2minus3
21 0000 0000 0000 2020 122 0000 2080 0000 0000 lowast
round of 119899 minus 1 rounds Meanwhile Γ4119894 and Γ3119894 which liein the two branches on the left side will not affect Γ2119894 andΓ1119894 the two branches on the right side during propagationin NUX So the linear propagation on the left or right istaken into consideration and differences of the other twobranches are set to 0 In this way the number of active S-boxes is always nomore than 4 in one round which canmakethe absolute value of the linear approximation bias as largeas possible The results of the search algorithm are listed inTable 8
Moreover the minimal numbers of active S-boxes of1sim5-round linear approximations are shown in the designmanuscript [12] And the minimal number of active S-boxesis also considered and the minimum active S-boxes of 3sim5-round linear approximations are less than the ones given in[12] which are presented in Table 9
42 Linear Attack on NUX Utilizing obtained linear approx-imations a key-recovery attack can be applied to 25-roundNUX using a 19-round linear approximation with bias 2minus30which is described in Table 10 The 19-round linear approx-imation is put from the 4th to the 22th round of NUXextending 3 rounds both backward and forward The 25-round key-recovery attack is shown in Figure 5
According to the linear approximation there are Γ43 =Γ23 = Γ
13 = Γ
422 = Γ322 = 01199090000 Γ
33 = 01199091040 Γ
222 = 0119909044119888
and Γ122 = 011990924119886119891 Furthermore the following formula canbe gotten
Γ43 sdot 11988343 oplus Γ33 sdot 11988333 oplus Γ22 sdot 11988323 oplus Γ13 sdot 11988313 oplus Γ422 sdot 119883422 oplus Γ
322
sdot 119883322 oplus Γ222 sdot 119883222 oplus Γ
122 sdot 119883122 = Γ
33 sdot 11988333 oplus Γ222 sdot 119883222
oplus Γ122 sdot 119883122 = 120581
(4)
where 11988333 can be calculated through 3-round encryptionby guessing 26-bit subkeys which are denoted by 119870119887119890119891119900119903119890including 11990311989610158400 1199031198961[15 13 10 8 7 5 2 0] and 11990311989610158402[15 7]Besides 119883222 and 119883
122 are obtained by 3-round decryption
which involves 40-bit subkeys namely 119903119896101584022[15 1413 10 7 4 2 0] 11990311989623 and 119903119896101584024 For the sake of simplicity119903119896101584022[15 14 13 10 7 4 2 0] and 11990311989623 are denoted by 119870119898119894119889 Inthe following the attack process is depicted
(1) Collect119873 plaintextciphertext pairs(2) Initialize 266 counters V0[0]V0[1] V0[2
66 minus 1]and reset them
(3) Guess 26-bit key 119870119887119890119891119900119903119890(4) For each plaintextciphertext pair calculate 119909 =
11988333[12 6] 1198624 1198623 1198622 1198621 ThenV0[119909] + +
(5) Initialize 234 counters V1[0]V1[1] V1[234 minus 1]and reset them
Security and Communication Networks 7
gtgtgt3 ltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
22-round Differential Distinguisher
S-BoxS-Box
X30 X
20 X
10X
40
X322 X
222 X
122X
422
X323 X
223 X
123X
423
X324 X
224 X
124X
424
X325 X
225 X
125X
425
X326 X
226 X
126X
426
X327 X
227 X
127X
427
X328 X
228 X
128X
428
X329 X
229 X
129X
429
rk22
rk23
rk24
rk25
rk26
rk27
rk28
rkrsquo22
rkrsquo23
rkrsquo24
rkrsquo25
rkrsquo26
rkrsquo27
rkrsquo28
Figure 3 Differential attack of 29-round NUX
(6) Guess 16-bit key 119903119896101584024(7) For every 119909 calculate 119910 = 11988333[12 6] 119883
224 119883
124
ThenV1[119910]+ = V0[119909](8) Initialize 266 counters V119896[0]V119896[1] V119896[266 minus 1]
and reset them
(9) Guess 24-bit key 119870119898119894119889
(10) For every 119910 calculate 119883222[10 6 3 2] and 119883222[13 10
7 5 3 2 1 0] Then compute 119911 = Γ33 sdot 11988333 oplus Γ222 sdot 119883222 oplus
Γ122 sdot 119883122 If 119911 = 0 thenV119896[119870119887119890119891119900119903119890 119903119896101584024 119870119898119894119889]+ =
V1[119910] otherwise decrease the counter byV1[119910]
8 Security and Communication Networks
Input S-box 119878 Bias threshold 120598119871119894119898[30]Output A linear approximation with the best biasDataThe number of active S-boxes in i rounds 119878119886119888119905119894V119890[119894]
The number of active S-boxes of the i-th round 119878119894119886119888119905119894V119890(1) Generate the LAT of S-box(2) Store all 2 4 and the corresponding inputoutput masks in LAT in the table 119871119860119879119875(3) for Each of 8 S-boxes in the first round do(4) for all non-zero entities in LAT do(5) if S-box is in 1198652 then(6) Γ41 = Γ119884
ℎ1 ⋙ 8 Γ31 = Γ
21 = Γ11 = 0
(7) Store them in 119877119894119899[1](8) else(9) Γ11 = Γ119884
1198971⋘ 3 Γ41 = Γ
31 = Γ21 = 0
(10) Store them in 119877119894119899[1](11) Calculate Γ40 Γ
30 Γ20 Γ10 and store them in 119877119894119899[0]
(12) Calculate Γ42 Γ32 Γ22 Γ12 and store them in 119877119894119899[2]
(13) Update 119878119886119888119905119894V119890[1] to be 1(14) The bias is recorded as 120598[1](15) for 119894 larr997888 2 to 30 do(16) if Γ4119894 = Γ
3119894 = 0 then
(17) Γ119884119897119894 = Γ1119894 ⋙ 3
(18) Travel 119871119860119879119875 to get Γ119883119897119894 119878119894119886119888119905119894V119890 and its corresponding bias 120598119877119899119889
(19) else if Γ2119894 = Γ1119894 = 0 then
(20) Γ119884ℎ119894 = Γ4119894 ⋘ 8
(21) Travel 119871119860119879119875 to get Γ119883ℎ119894 119878119894119886119888119905119894V119890 and the corresponding bias 120598119877119899119889
(22) Compute the total bias and keep ones greater than threshold 120598119871119894119898[119894](23) Calculate Γ4119894+1 Γ
3119894+1 Γ2119894+1 Γ1119894+1 and store them in 119877119894119899[119894 + 1]
(24) Update the number of active S-boxes 119878119886119888119905119894V119890[119894] and bias 120598[119894](25) for Each of 8 S-boxes in the first round do(26) for all non-zero entities in DDT do(27) Find the largest 120598[119894] and store it in 120598119872119886119909[119894](28) Output linear approximations with bias 120598119872119886119909[119894]
Algorithm 2 Algorithm for linear approximations on NUX
ltltlt 8
S-Box gtgtgt3
gtgtgt3
S-Boxltltlt8
P P P P
rki
Γ4
i
F1F2
Γ3
iΓ2
iΓ1
i
ΓYℎ
iΓX
ℎ
i
Γ4
i+1Γ3
i+1Γ2
i+1Γ1
i+1
rkrsquoi
ΓXl
iΓY
l
i
Figure 4 Linear representation of NUX
(11) Set the advantage 119886 to be 17 which means that the top249 absolute values inV119896 are kept For each remainingkey we guess 77-bit subkey to determine the masterkey And then we test the key by trail encryptions
If 119873 = 2637 then the time complexity of step (3)step (5) and step (7) is about 2897 3-round encryption 21081-round decryption and 2100 2-round encryption respec-tively Besides the complexity of step (11) is 2126 25-round
Security and Communication Networks 9
gtgtgt3 ltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
19-round Linear Distinguisher
S-BoxS-Box
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
X30 X
20 X
10X
40
X322 X
222 X
122
X422
X323 X
223 X
123X
423
X324 X
224 X
124X
424
X325 X
225 X
125X
425
X33 X
23 X
13X
43
X32 X
22 X
12X
42
X31 X
21 X
11X
41
rk0
rk1
rkrsquo0
rkrsquo1
rk2 rkrsquo2
rk22 rkrsquo22
rk23 rkrsquo23
rk24 rkrsquo24
Figure 5 Linear attack of 25-round NUX
encryption Hence the total time complexity of this attack isabout 2126 25-round encryption
Both the counters V0 and V119896 need 269 bytes to store sothe memory complexity for the attack is 270 bytes The datacomplexity is 2637
The success rate 119875119878 = Φ(2radic119873 sdot |120598| minus radic1 + 1198732119899Φminus1(1 minus2minus119886minus1)) = 8821 by [14]
5 Distinguishing Attack on NUX
Generally speaking the distinguishing attack is a kind of testalgorithm which tries to perform the nonrandom behavior
in cryptographic system A distinguishing attack needs tofind a distinguisher which makes cryptographic algorithmdifferent from random permutation When analyzing NUXwe find a distinguisher with probability 1 that is a deter-ministic distinguisher to distinguish NUX from a randompermutation
In Section 3 it has been pointed out that the two brancheson the right side will not affect the two on the right sideduring difference propagation in NUX Then for the full-round NUX when the input difference (Δ40 Δ
30 Δ20 Δ10) is
(0 0 lowast lowast) the output difference (Δ431 Δ331 Δ231 Δ131) sat-
isfies the form of (lowast lowast 0 0) shown in Figure 6 that is
10 Security and Communication Networks
lowast lowast
lowast lowast00
00
31-round distinguisher
Figure 6 31-Round differential distinguisher of NUX
Table 8 Linear approximations of NUX
Rounds Bias Number of tails2 2minus2 2883 2minus3 3004 2minus4 135 2minus5 26 2minus6 47 2minus10 138 2minus11 629 2minus12 610 2minus15 7011 2minus16 1112 2minus18 7013 2minus19 414 2minus20 215 2minus22 416 2minus24 1617 2minus26 418 2minus27 419 2minus30 1620 2minus31 421 2minus33 822 2minus35 6023 2minus37 2124 2minus39 2525 2minus41 4826 2minus43 10327 2minus44 428 2minus46 729 2minus48 5430 2minus49 431 2minus50 2
Table 9Minimal number of active S-boxes from linear approxima-tion
Number of active S-boxesReference Rounds
1 2 3 4 5[12] 0 1 4 9 13Section 41 0 1 2 3 3
(0 0 lowast lowast) 119875119903=1997888rarr31-119903119900119906119899119889
(lowast lowast 0 0) However the probabilityof the output difference to be (lowast lowast 0 0) is 119875119903119903119886119899119889119900119898 =
2minus32 for random permutations when the input differenceis (0 0 lowast lowast) So 4 pairs of plaintexts are chosen which are(119875119894 1198751015840119894 ) (0 le 119894 le 3) and 119875119894 oplus 1198751015840119894 = (0 0 lowast lowast) and thecorresponding ciphertexts (119862119894 119862
1015840119894 ) are checked to determine
whether they satisfy 119862119894 oplus 1198621015840119894 = (lowast lowast 0 0) The probabilityof obtaining such inputoutput differences is 1 for NUXwhile it is 2minus128 for a random permutation Therefore wecan distinguish NUX from a random permutation Besidesthere is another distinguisher with probability 1 which is(lowast lowast 0 0) 119875119903=1997888rarr
31-119903119900119906119899119889(0 0 lowast lowast) and can be used to perform a
distinguishing attack like the one described before So we willnot explore it here
Since only 4 pairs of plaintexts are used in the distinguish-ing attack the data complexity is 8 And the attack needs nostorage In other words the complexity of memory is 0 Thetime complexity is 8 31-round encryptions
6 Conclusions
NUX is a 31-round iterative ultralightweight cipher whichis suitable for extremely constrained environment and isapplied to the Internet of Things In this paper differentialand linear trails are searched for 1sim31-round NUX which arebetter than those proposed in design specification Moreovera key-recovery attack on 29-round NUX is given with the 22-round differential characteristic found in the paper whosetime data and memory complexities are 212173 29-roundencryptions and 261 and 296 bytes respectively Meanwhileusing 22-round differential characteristic obtained in thepaper 29-round differential attack is performed with timedata and memory complexities to be 2126 25-round encryp-tions and 2637 and 270 bytes respectively Furthermore adistinguishing attack can be implemented on full NUX withdata complexity 8 Results in this paper are the best ones onNUX till now
Data Availability
All the data are obtained by our programs and can beprovided to interested readers by email
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This work has been supported by National CryptographyDevelopment Fund (no MMJJ20170102) the National
Security and Communication Networks 11
Table 10 19-Round linear approximation of NUX
Rounds 119894 Γ4119894 Γ3119894 Γ2119894 Γ1119894 Bias0 0000 1040 0000 0000 2minus1
1 0000 0000 0000 0500 2minus2
2 0001 4040 0000 0000 2minus2
3 0000 0000 0020 0600 2minus2
4 5100 0440 0000 0000 2minus4
5 0000 0000 8404 2028 2minus3
6 100a a080 0000 0000 2minus3
7 0000 0000 0206 3000 2minus3
8 000a 2002 0000 0000 2minus2
9 0000 0000 0202 0800 2minus2
10 000a 0020 0000 0000 2minus2
11 0000 0000 0202 4010 2minus3
12 a000 0a00 0000 0000 2minus2
13 0000 0000 4040 0200 2minus2
14 1400 0400 0000 0000 2minus3
15 0000 0000 0084 0448 2minus3
16 01c3 8048 0000 0000 2minus4
17 0000 0000 9023 0180 2minus2
18 d800 4004 0000 0000 2minus3
19 0000 0000 044c 24af lowast
Natural Science Foundation of China (nos 6157229361502276 and 61692276) the National Natural ScienceFoundation of Shandong Province China (ZR2016FM22)Major Scientific and Technological Innovation Projectsof Shandong Province China (2017CXGC0704) andFundamental Research Fund of Shandong Academy ofSciences (no 201812-16)
References
[1] A A Bogdanov L R Knudsen G Leander et al ldquoAn ultra-lightweight block cipherrdquo in Proceedings of the CryptographicHardware and Embedded Systems (CHES 2007) P Paillier andI Verbauwhede Eds vol 4727 of Lecture Notes in ComputerScience LNCS pp 450ndash466 Springer 2007
[2] W Wu and L Zhang ldquoLBlock a lightweight block cipherrdquoin Proceedings of the 9th International Conference on AppliedCryptography and Network Security (ACNS 2011) J Lopez andG Tsudik Eds vol 6715 of Lecture Notes in Computer Sciencepp 327ndash344 Springer Heidelberg Germany 2011
[3] J Borghoff A Canteaut T Guneysu et al ldquoPRINCE-A lowlatency block cipher for pervasive computing applicationsrdquo inProceedings of the the 25th Annual International Conferenceon the eory and Application of Cryptology and InformationSecurity (ASIACRYPT 2012) X Wang and K Sako Edsvol 7658 of Lecture Notes in Computer Science pp 208ndash225Springer Heidelberg Germany 2012
[4] E Biham and A Shamir ldquoDifferential cryptanalysis of DES-likecryptosystemsrdquo Journal of Cryptology vol 4 no 1 pp 3ndash721991
[5] M Matsui ldquoLinear cryptanalysis method for DES cipherrdquo inProceedings of the Workshop on the eory and Application ofof Cryptographic Techniques (EUROCRYPT 1993) T Helleseth
Ed vol 765 of Lecture Notes in Computer Science pp 386ndash397Springer 1993
[6] A G Bafghi R Safabakhsh and B Sadeghiyan ldquoFindingthe differential characteristics of block ciphers with neuralnetworksrdquo Information Sciences vol 178 no 15 pp 3117ndash31312008
[7] H M Heys and S E Tavares ldquoSubstitution-permutation net-works resistant to differential and linear cryptanalysisrdquo Journalof Cryptology e Journal of the International Association forCryptologic Research vol 9 no 1 pp 1ndash19 1996
[8] G Jakimoski and L Kocarev ldquoDifferential and linear probabili-ties of a block-encryption cipherrdquo IEEE Transactions on Circuitsand Systems I Fundamentaleory andApplications vol 50 no1 pp 121ndash123 2003
[9] J Kim and R C-W Phan ldquoAdvanced differential-style crypt-analysis of the NSArsquos Skipjack block Cipherrdquo Cryptologia vol33 no 3 pp 246ndash270 2009
[10] F Sano K Ohkuma H Shimizu and S Kawamura ldquoOnthe security of nested SPN cipher against the differential andlinear cryptanalysisrdquo IEICE Transactions on Fundamentals ofElectronics Communications andComputer Sciences vol 86 no1 pp 37ndash46 2003
[11] B-Z Su W-L Wu and W-T Zhang ldquoSecurity of the SMS4block cipher against differential cryptanalysisrdquo Journal of Com-puter Science and Technology vol 26 no 1 pp 130ndash138 2011
[12] G Bansod S Sutar A Patil and J Patil ldquoNUX a lightweightblock cipher for security at wireless sensor node level Worldacademy of science engineering and technologyrdquo InternationalJournal of Bioengineering and Life Sciences vol 5 no 1 2018
[13] AA Selcuk ldquoOn probability of success in linear anddifferentialcryptanalysisrdquo Journal of Cryptology e Journal of the Interna-tional Association for Cryptologic Research vol 21 no 1 pp 131ndash147 2008
12 Security and Communication Networks
[14] A Bogdanov and E Tischhauser ldquoOn the wrong key randomi-sation and key equivalence hypotheses in Matsuirsquos algorithm 2rdquoin Proceedings of the International Workshop on Fast So13wareEncryption (FSE 2013) S Moriai Ed vol 8424 of Lecture Notesin Computer Science pp 19ndash38 Springer 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
4 Security and Communication Networks
ltltlt 8
S-Box gtgtgt3
gtgtgt3
S-Boxltltlt8
P P P P
rki
Δ4
i
F1F2
Δ3
i Δ2
iΔ
1
i
Δ9l
iΔ8
l
iΔ9
ℎ
iΔ8
ℎ
i
Δ4
i+1Δ
3
i+1Δ
2
i+1Δ
1
i+1
rkrsquoi
Figure 2 Differential representation of NUX
Input S-box 119878 Probability threshold 119875119903119871119894119898[30]Output A differential trail with the best probability(1) Generate the DDT of S-box(2) Store all 2 4 and the corresponding inputoutput differences in DDT in the table 119863119863119879119875(3) for Each of 8 S-boxes in the first round do(4) for all non-zero entities in DDT do(5) if S-box is in 1198652 then(6) Δ31 = Δ119883
ℎ1 ⋘ 3 Δ41 = Δ
21 = Δ
11 = 0
(7) Store them in 119877119894119899[1](8) else(9) Δ21 = Δ119883
1198971⋙ 8 Δ41 = Δ
31 = Δ
11 = 0
(10) Store them in 119877119894119899[1](11) CalculateΔ40 Δ
30 Δ20 Δ10 and store them in 119877119894119899[0]
(12) CalculateΔ42 Δ32 Δ22 Δ12 and store them in 119877119894119899[2]
(13) The probability is recorded as 119875119903[1](14) for 119894 larr997888 2 to 30 do(15) if Δ4119894 = Δ
3119894 = 0 then
(16) Δ119883119897119894 = Δ2119894 ⋘ 8
(17) Travel119863119863119879119875 to get Δ119884119897119894 and its corresponding probability 119875119903119877119899119889
(18) else if Δ2119894 = Δ1119894 = 0 then
(19) Δ119883ℎ119894 = Δ3119894 ⋙ 3
(20) Travel119863119863119879119875 to get Δ119884ℎ119894 and the corresponding probability 119875119903119877119899119889
(21) Keep 119875119903[119894 minus 1] times 119875119903119877119899119889 which greater than threshold 119875119903119871119894119898[119894](22) CalculateΔ4119894+1 Δ
3119894+1 Δ2119894+1 Δ1119894+1 and store them in 119877119894119899[119894 + 1]
(23) 119875119903[119894] lArr997904 119875119903[119894 minus 1] times 119875119903119877119899119889(24) for Each of 8 S-boxes in the first round do(25) for all non-zero entities in DDT do(26) Find the largest 119875119903[119894] and store it in 119875119903119872119886119909[119894](27) Output different characteristics with probability 119875119903119872119886119909[119894]
Algorithm 1 Algorithm for differential characteristic on NUX
more than 4 in one round which can make the probability ofthe differential characteristic as large as possible The resultsof our search algorithm are listed in Table 5
Furthermore the minimal numbers of active S-boxes of1sim5-round differential characteristics are shown in the designmanuscript [12] So the minimal number of active S-boxes isalso studied and the minimum active S-boxes of 4 5-round
differential characteristics are less than the ones given in [12]which are presented in Table 6
32 Differential Attack on NUX A 22-round differentialcharacteristic is chosen with probability to be 2minus58 which isshown in Table 7 and 7 rounds are extended forward Thedescription is given in Figure 3 There are Δ40 = 01199090400
Security and Communication Networks 5
Table 5 Differential characteristics of NUX
Rounds Probability Number of tails2 2minus2 1923 2minus4 564 2minus6 45 2minus7 16 2minus9 27 2minus11 28 2minus15 89 2minus15 110 2minus20 1611 2minus24 2412 2minus28 413 2minus31 814 2minus37 415 2minus41 1816 2minus45 217 2minus46 118 2minus49 419 2minus52 420 2minus53 221 2minus58 4822 2minus58 223 2minus63 3224 2minus67 4925 2minus71 1026 2minus73 427 2minus75 428 2minus79 1629 2minus79 230 2minus84 3231 2minus88 48
Table 6 Minimal number of active S-boxes from differentialcharacteristic
Number of active S-boxesReference Rounds
1 2 3 4 5[12] 0 1 2 5 9Section 31 0 1 2 3 3
Δ322 = 01199092080 and Δ30 = Δ20 = Δ10 = Δ422 = Δ222 = Δ122 =01199090000 according to the 22-round differential distinguisherThen Δ423 = Δ323 = 01199090000 Δ123 = 01199090050 and Δ223 satisfythe form as (00 lowast lowast lowast 00 lowast lowastlowast 000 lowast lowast0) where lowast isin 0 1 canbe deduced And the output difference of the 28-th round isΔ429 = Δ329 = 01199090000 119883223 119883
21015840
23 119883123 and 119883
11015840
23 can be gottenby 6-round decryption So 119903119896101584023 11990311989624 119903119896
101584025 11990311989626 119903119896
101584027 and 11990311989628
should be guessed and denoted by 119870119892119906119890119904119904 The attack processis described as follows
(1) Collect119873 pairs of plaintext (119875 1198751015840) satisfying 119875oplus1198751015840 =(Δ40 Δ
30 Δ20 Δ10) and their corresponding ciphertext
pairs (119862 1198621015840)(2) Initialize 232 countersV[0]V[1] V[232minus1] and
reset them(3) For each plaintext pair (119875 1198751015840) check whether its
ciphertext pair (119862 1198621015840) satisfies (119862 oplus 1198621015840)[63 32] =011990900000000 If the ciphertext pair meets the formula119909 = (119862 oplus 1198621015840)[31 0] andV[119909] + +
(4) Initialize 296 counters V119896[0]V119896[1] V119896[296 minus 1]
and reset them(5) Guess 96-bit key 119870119892119906119890119904119904 and decrypt 119909 to obtain 119883223
11988321015840
23119883123 and119883
11015840
23 Checkwhether119883223oplus11988321015840
23 and119883123oplus
11988311015840
23 are equal to Δ223 and Δ123 If the conditions are
met then let 119910 = 119883223 11988321015840
23 119883123 119883
11015840
23
(6) Use 119910 to calculate 119883422 oplus 11988341015840
22 and 119883322 oplus 119883
31015840
22 If 119883422 oplus
11988341015840
22 = Δ422 and 119883
322 oplus 119883
31015840
22 = Δ322V119896[119870119892119906119890119904119904] + +
(7) Set advantage 119886 to be 51 which implies that thetop 245 absolute values in V119896 are kept For eachremaining key we guess the remaining 58-bit subkeyand calculate the master key Finally we test the keyby trail encryptions
If set 119873 = 260 then about 228 pieces of data enter step(5) which means 2124 6-round encryptions that is 21217 29-round encryptions The complexity of step (7) is 2103 29-round encryptions So the total time complexity of this attackis about 212173 29-round encryptions
The countersV119896 require storing 296 bytes so the memory
complexity for the attack is 296 bytes The data complexity is261
The success rate 119875119878 = Φ((radic119901119873119878119873 minus Φminus1(1 minus2minus119886))radic119878119873 + 1) = 9871 by [13]
4 Linear Attack on 25-Round NUX
Linear approximations of NUX are searched for in thissection and the 25-round key-recovery attack is performedon NUX using a 19-round linear approximation
41 Linear Approximations of NUX To search for linearapproximations of NUX how masks propagate through S-boxes should be taken into account When a mask passesthrough an S-box the linear approximation table (LAT) ofthe S-box is looked up to determine the outputmask and biasAlgorithm 2 searches for linear approximations of NUX andnotations used in this algorithm are depicted in Figure 4
The bias of one round can be 12 which can be obtainedfrom the structure of NUX that is all the 8 S-boxes arepassive So special (119899 minus 1)-round linear approximations arechosen which satisfy (Γ40 = Γ10 = 0) and one-roundlinear approximation with bias 1 is added to catch 119899-roundlinear approximations Similar to searching for differentialcharacteristics there is only one active S-box in the first
6 Security and Communication Networks
Table 7 22-Round differential characteristic of NUX
Rounds 119894 Δ4119894 Δ3119894 Δ2119894 Δ1119894 Probability0 0400 0000 0000 0000 11 0000 0000 0080 0000 2minus3
2 0040 0001 0000 0000 2minus2
3 0000 0000 0010 8000 2minus3
4 0004 1000 0000 0000 2minus2
5 0000 0000 0002 0100 2minus2
6 0800 6002 0000 0000 2minus5
7 0000 0000 003b 0811 2minus5
8 c80c 2b30 0000 0000 2minus7
9 0000 0000 0480 4236 2minus5
10 2040 0600 0000 0000 2minus3
11 0000 0000 0005 2002 2minus2
12 8080 0003 0000 0000 2minus2
13 0000 0000 0040 8800 2minus2
14 0400 0030 0000 0000 2minus2
15 0000 0000 0008 4004 2minus3
16 0008 3000 0000 0000 2minus2
17 0000 0000 0000 0110 118 0000 4800 0000 0000 2minus3
19 0000 0000 0020 0201 2minus2
20 4000 0500 0000 0000 2minus3
21 0000 0000 0000 2020 122 0000 2080 0000 0000 lowast
round of 119899 minus 1 rounds Meanwhile Γ4119894 and Γ3119894 which liein the two branches on the left side will not affect Γ2119894 andΓ1119894 the two branches on the right side during propagationin NUX So the linear propagation on the left or right istaken into consideration and differences of the other twobranches are set to 0 In this way the number of active S-boxes is always nomore than 4 in one round which canmakethe absolute value of the linear approximation bias as largeas possible The results of the search algorithm are listed inTable 8
Moreover the minimal numbers of active S-boxes of1sim5-round linear approximations are shown in the designmanuscript [12] And the minimal number of active S-boxesis also considered and the minimum active S-boxes of 3sim5-round linear approximations are less than the ones given in[12] which are presented in Table 9
42 Linear Attack on NUX Utilizing obtained linear approx-imations a key-recovery attack can be applied to 25-roundNUX using a 19-round linear approximation with bias 2minus30which is described in Table 10 The 19-round linear approx-imation is put from the 4th to the 22th round of NUXextending 3 rounds both backward and forward The 25-round key-recovery attack is shown in Figure 5
According to the linear approximation there are Γ43 =Γ23 = Γ
13 = Γ
422 = Γ322 = 01199090000 Γ
33 = 01199091040 Γ
222 = 0119909044119888
and Γ122 = 011990924119886119891 Furthermore the following formula canbe gotten
Γ43 sdot 11988343 oplus Γ33 sdot 11988333 oplus Γ22 sdot 11988323 oplus Γ13 sdot 11988313 oplus Γ422 sdot 119883422 oplus Γ
322
sdot 119883322 oplus Γ222 sdot 119883222 oplus Γ
122 sdot 119883122 = Γ
33 sdot 11988333 oplus Γ222 sdot 119883222
oplus Γ122 sdot 119883122 = 120581
(4)
where 11988333 can be calculated through 3-round encryptionby guessing 26-bit subkeys which are denoted by 119870119887119890119891119900119903119890including 11990311989610158400 1199031198961[15 13 10 8 7 5 2 0] and 11990311989610158402[15 7]Besides 119883222 and 119883
122 are obtained by 3-round decryption
which involves 40-bit subkeys namely 119903119896101584022[15 1413 10 7 4 2 0] 11990311989623 and 119903119896101584024 For the sake of simplicity119903119896101584022[15 14 13 10 7 4 2 0] and 11990311989623 are denoted by 119870119898119894119889 Inthe following the attack process is depicted
(1) Collect119873 plaintextciphertext pairs(2) Initialize 266 counters V0[0]V0[1] V0[2
66 minus 1]and reset them
(3) Guess 26-bit key 119870119887119890119891119900119903119890(4) For each plaintextciphertext pair calculate 119909 =
11988333[12 6] 1198624 1198623 1198622 1198621 ThenV0[119909] + +
(5) Initialize 234 counters V1[0]V1[1] V1[234 minus 1]and reset them
Security and Communication Networks 7
gtgtgt3 ltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
22-round Differential Distinguisher
S-BoxS-Box
X30 X
20 X
10X
40
X322 X
222 X
122X
422
X323 X
223 X
123X
423
X324 X
224 X
124X
424
X325 X
225 X
125X
425
X326 X
226 X
126X
426
X327 X
227 X
127X
427
X328 X
228 X
128X
428
X329 X
229 X
129X
429
rk22
rk23
rk24
rk25
rk26
rk27
rk28
rkrsquo22
rkrsquo23
rkrsquo24
rkrsquo25
rkrsquo26
rkrsquo27
rkrsquo28
Figure 3 Differential attack of 29-round NUX
(6) Guess 16-bit key 119903119896101584024(7) For every 119909 calculate 119910 = 11988333[12 6] 119883
224 119883
124
ThenV1[119910]+ = V0[119909](8) Initialize 266 counters V119896[0]V119896[1] V119896[266 minus 1]
and reset them
(9) Guess 24-bit key 119870119898119894119889
(10) For every 119910 calculate 119883222[10 6 3 2] and 119883222[13 10
7 5 3 2 1 0] Then compute 119911 = Γ33 sdot 11988333 oplus Γ222 sdot 119883222 oplus
Γ122 sdot 119883122 If 119911 = 0 thenV119896[119870119887119890119891119900119903119890 119903119896101584024 119870119898119894119889]+ =
V1[119910] otherwise decrease the counter byV1[119910]
8 Security and Communication Networks
Input S-box 119878 Bias threshold 120598119871119894119898[30]Output A linear approximation with the best biasDataThe number of active S-boxes in i rounds 119878119886119888119905119894V119890[119894]
The number of active S-boxes of the i-th round 119878119894119886119888119905119894V119890(1) Generate the LAT of S-box(2) Store all 2 4 and the corresponding inputoutput masks in LAT in the table 119871119860119879119875(3) for Each of 8 S-boxes in the first round do(4) for all non-zero entities in LAT do(5) if S-box is in 1198652 then(6) Γ41 = Γ119884
ℎ1 ⋙ 8 Γ31 = Γ
21 = Γ11 = 0
(7) Store them in 119877119894119899[1](8) else(9) Γ11 = Γ119884
1198971⋘ 3 Γ41 = Γ
31 = Γ21 = 0
(10) Store them in 119877119894119899[1](11) Calculate Γ40 Γ
30 Γ20 Γ10 and store them in 119877119894119899[0]
(12) Calculate Γ42 Γ32 Γ22 Γ12 and store them in 119877119894119899[2]
(13) Update 119878119886119888119905119894V119890[1] to be 1(14) The bias is recorded as 120598[1](15) for 119894 larr997888 2 to 30 do(16) if Γ4119894 = Γ
3119894 = 0 then
(17) Γ119884119897119894 = Γ1119894 ⋙ 3
(18) Travel 119871119860119879119875 to get Γ119883119897119894 119878119894119886119888119905119894V119890 and its corresponding bias 120598119877119899119889
(19) else if Γ2119894 = Γ1119894 = 0 then
(20) Γ119884ℎ119894 = Γ4119894 ⋘ 8
(21) Travel 119871119860119879119875 to get Γ119883ℎ119894 119878119894119886119888119905119894V119890 and the corresponding bias 120598119877119899119889
(22) Compute the total bias and keep ones greater than threshold 120598119871119894119898[119894](23) Calculate Γ4119894+1 Γ
3119894+1 Γ2119894+1 Γ1119894+1 and store them in 119877119894119899[119894 + 1]
(24) Update the number of active S-boxes 119878119886119888119905119894V119890[119894] and bias 120598[119894](25) for Each of 8 S-boxes in the first round do(26) for all non-zero entities in DDT do(27) Find the largest 120598[119894] and store it in 120598119872119886119909[119894](28) Output linear approximations with bias 120598119872119886119909[119894]
Algorithm 2 Algorithm for linear approximations on NUX
ltltlt 8
S-Box gtgtgt3
gtgtgt3
S-Boxltltlt8
P P P P
rki
Γ4
i
F1F2
Γ3
iΓ2
iΓ1
i
ΓYℎ
iΓX
ℎ
i
Γ4
i+1Γ3
i+1Γ2
i+1Γ1
i+1
rkrsquoi
ΓXl
iΓY
l
i
Figure 4 Linear representation of NUX
(11) Set the advantage 119886 to be 17 which means that the top249 absolute values inV119896 are kept For each remainingkey we guess 77-bit subkey to determine the masterkey And then we test the key by trail encryptions
If 119873 = 2637 then the time complexity of step (3)step (5) and step (7) is about 2897 3-round encryption 21081-round decryption and 2100 2-round encryption respec-tively Besides the complexity of step (11) is 2126 25-round
Security and Communication Networks 9
gtgtgt3 ltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
19-round Linear Distinguisher
S-BoxS-Box
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
X30 X
20 X
10X
40
X322 X
222 X
122
X422
X323 X
223 X
123X
423
X324 X
224 X
124X
424
X325 X
225 X
125X
425
X33 X
23 X
13X
43
X32 X
22 X
12X
42
X31 X
21 X
11X
41
rk0
rk1
rkrsquo0
rkrsquo1
rk2 rkrsquo2
rk22 rkrsquo22
rk23 rkrsquo23
rk24 rkrsquo24
Figure 5 Linear attack of 25-round NUX
encryption Hence the total time complexity of this attack isabout 2126 25-round encryption
Both the counters V0 and V119896 need 269 bytes to store sothe memory complexity for the attack is 270 bytes The datacomplexity is 2637
The success rate 119875119878 = Φ(2radic119873 sdot |120598| minus radic1 + 1198732119899Φminus1(1 minus2minus119886minus1)) = 8821 by [14]
5 Distinguishing Attack on NUX
Generally speaking the distinguishing attack is a kind of testalgorithm which tries to perform the nonrandom behavior
in cryptographic system A distinguishing attack needs tofind a distinguisher which makes cryptographic algorithmdifferent from random permutation When analyzing NUXwe find a distinguisher with probability 1 that is a deter-ministic distinguisher to distinguish NUX from a randompermutation
In Section 3 it has been pointed out that the two brancheson the right side will not affect the two on the right sideduring difference propagation in NUX Then for the full-round NUX when the input difference (Δ40 Δ
30 Δ20 Δ10) is
(0 0 lowast lowast) the output difference (Δ431 Δ331 Δ231 Δ131) sat-
isfies the form of (lowast lowast 0 0) shown in Figure 6 that is
10 Security and Communication Networks
lowast lowast
lowast lowast00
00
31-round distinguisher
Figure 6 31-Round differential distinguisher of NUX
Table 8 Linear approximations of NUX
Rounds Bias Number of tails2 2minus2 2883 2minus3 3004 2minus4 135 2minus5 26 2minus6 47 2minus10 138 2minus11 629 2minus12 610 2minus15 7011 2minus16 1112 2minus18 7013 2minus19 414 2minus20 215 2minus22 416 2minus24 1617 2minus26 418 2minus27 419 2minus30 1620 2minus31 421 2minus33 822 2minus35 6023 2minus37 2124 2minus39 2525 2minus41 4826 2minus43 10327 2minus44 428 2minus46 729 2minus48 5430 2minus49 431 2minus50 2
Table 9Minimal number of active S-boxes from linear approxima-tion
Number of active S-boxesReference Rounds
1 2 3 4 5[12] 0 1 4 9 13Section 41 0 1 2 3 3
(0 0 lowast lowast) 119875119903=1997888rarr31-119903119900119906119899119889
(lowast lowast 0 0) However the probabilityof the output difference to be (lowast lowast 0 0) is 119875119903119903119886119899119889119900119898 =
2minus32 for random permutations when the input differenceis (0 0 lowast lowast) So 4 pairs of plaintexts are chosen which are(119875119894 1198751015840119894 ) (0 le 119894 le 3) and 119875119894 oplus 1198751015840119894 = (0 0 lowast lowast) and thecorresponding ciphertexts (119862119894 119862
1015840119894 ) are checked to determine
whether they satisfy 119862119894 oplus 1198621015840119894 = (lowast lowast 0 0) The probabilityof obtaining such inputoutput differences is 1 for NUXwhile it is 2minus128 for a random permutation Therefore wecan distinguish NUX from a random permutation Besidesthere is another distinguisher with probability 1 which is(lowast lowast 0 0) 119875119903=1997888rarr
31-119903119900119906119899119889(0 0 lowast lowast) and can be used to perform a
distinguishing attack like the one described before So we willnot explore it here
Since only 4 pairs of plaintexts are used in the distinguish-ing attack the data complexity is 8 And the attack needs nostorage In other words the complexity of memory is 0 Thetime complexity is 8 31-round encryptions
6 Conclusions
NUX is a 31-round iterative ultralightweight cipher whichis suitable for extremely constrained environment and isapplied to the Internet of Things In this paper differentialand linear trails are searched for 1sim31-round NUX which arebetter than those proposed in design specification Moreovera key-recovery attack on 29-round NUX is given with the 22-round differential characteristic found in the paper whosetime data and memory complexities are 212173 29-roundencryptions and 261 and 296 bytes respectively Meanwhileusing 22-round differential characteristic obtained in thepaper 29-round differential attack is performed with timedata and memory complexities to be 2126 25-round encryp-tions and 2637 and 270 bytes respectively Furthermore adistinguishing attack can be implemented on full NUX withdata complexity 8 Results in this paper are the best ones onNUX till now
Data Availability
All the data are obtained by our programs and can beprovided to interested readers by email
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This work has been supported by National CryptographyDevelopment Fund (no MMJJ20170102) the National
Security and Communication Networks 11
Table 10 19-Round linear approximation of NUX
Rounds 119894 Γ4119894 Γ3119894 Γ2119894 Γ1119894 Bias0 0000 1040 0000 0000 2minus1
1 0000 0000 0000 0500 2minus2
2 0001 4040 0000 0000 2minus2
3 0000 0000 0020 0600 2minus2
4 5100 0440 0000 0000 2minus4
5 0000 0000 8404 2028 2minus3
6 100a a080 0000 0000 2minus3
7 0000 0000 0206 3000 2minus3
8 000a 2002 0000 0000 2minus2
9 0000 0000 0202 0800 2minus2
10 000a 0020 0000 0000 2minus2
11 0000 0000 0202 4010 2minus3
12 a000 0a00 0000 0000 2minus2
13 0000 0000 4040 0200 2minus2
14 1400 0400 0000 0000 2minus3
15 0000 0000 0084 0448 2minus3
16 01c3 8048 0000 0000 2minus4
17 0000 0000 9023 0180 2minus2
18 d800 4004 0000 0000 2minus3
19 0000 0000 044c 24af lowast
Natural Science Foundation of China (nos 6157229361502276 and 61692276) the National Natural ScienceFoundation of Shandong Province China (ZR2016FM22)Major Scientific and Technological Innovation Projectsof Shandong Province China (2017CXGC0704) andFundamental Research Fund of Shandong Academy ofSciences (no 201812-16)
References
[1] A A Bogdanov L R Knudsen G Leander et al ldquoAn ultra-lightweight block cipherrdquo in Proceedings of the CryptographicHardware and Embedded Systems (CHES 2007) P Paillier andI Verbauwhede Eds vol 4727 of Lecture Notes in ComputerScience LNCS pp 450ndash466 Springer 2007
[2] W Wu and L Zhang ldquoLBlock a lightweight block cipherrdquoin Proceedings of the 9th International Conference on AppliedCryptography and Network Security (ACNS 2011) J Lopez andG Tsudik Eds vol 6715 of Lecture Notes in Computer Sciencepp 327ndash344 Springer Heidelberg Germany 2011
[3] J Borghoff A Canteaut T Guneysu et al ldquoPRINCE-A lowlatency block cipher for pervasive computing applicationsrdquo inProceedings of the the 25th Annual International Conferenceon the eory and Application of Cryptology and InformationSecurity (ASIACRYPT 2012) X Wang and K Sako Edsvol 7658 of Lecture Notes in Computer Science pp 208ndash225Springer Heidelberg Germany 2012
[4] E Biham and A Shamir ldquoDifferential cryptanalysis of DES-likecryptosystemsrdquo Journal of Cryptology vol 4 no 1 pp 3ndash721991
[5] M Matsui ldquoLinear cryptanalysis method for DES cipherrdquo inProceedings of the Workshop on the eory and Application ofof Cryptographic Techniques (EUROCRYPT 1993) T Helleseth
Ed vol 765 of Lecture Notes in Computer Science pp 386ndash397Springer 1993
[6] A G Bafghi R Safabakhsh and B Sadeghiyan ldquoFindingthe differential characteristics of block ciphers with neuralnetworksrdquo Information Sciences vol 178 no 15 pp 3117ndash31312008
[7] H M Heys and S E Tavares ldquoSubstitution-permutation net-works resistant to differential and linear cryptanalysisrdquo Journalof Cryptology e Journal of the International Association forCryptologic Research vol 9 no 1 pp 1ndash19 1996
[8] G Jakimoski and L Kocarev ldquoDifferential and linear probabili-ties of a block-encryption cipherrdquo IEEE Transactions on Circuitsand Systems I Fundamentaleory andApplications vol 50 no1 pp 121ndash123 2003
[9] J Kim and R C-W Phan ldquoAdvanced differential-style crypt-analysis of the NSArsquos Skipjack block Cipherrdquo Cryptologia vol33 no 3 pp 246ndash270 2009
[10] F Sano K Ohkuma H Shimizu and S Kawamura ldquoOnthe security of nested SPN cipher against the differential andlinear cryptanalysisrdquo IEICE Transactions on Fundamentals ofElectronics Communications andComputer Sciences vol 86 no1 pp 37ndash46 2003
[11] B-Z Su W-L Wu and W-T Zhang ldquoSecurity of the SMS4block cipher against differential cryptanalysisrdquo Journal of Com-puter Science and Technology vol 26 no 1 pp 130ndash138 2011
[12] G Bansod S Sutar A Patil and J Patil ldquoNUX a lightweightblock cipher for security at wireless sensor node level Worldacademy of science engineering and technologyrdquo InternationalJournal of Bioengineering and Life Sciences vol 5 no 1 2018
[13] AA Selcuk ldquoOn probability of success in linear anddifferentialcryptanalysisrdquo Journal of Cryptology e Journal of the Interna-tional Association for Cryptologic Research vol 21 no 1 pp 131ndash147 2008
12 Security and Communication Networks
[14] A Bogdanov and E Tischhauser ldquoOn the wrong key randomi-sation and key equivalence hypotheses in Matsuirsquos algorithm 2rdquoin Proceedings of the International Workshop on Fast So13wareEncryption (FSE 2013) S Moriai Ed vol 8424 of Lecture Notesin Computer Science pp 19ndash38 Springer 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Security and Communication Networks 5
Table 5 Differential characteristics of NUX
Rounds Probability Number of tails2 2minus2 1923 2minus4 564 2minus6 45 2minus7 16 2minus9 27 2minus11 28 2minus15 89 2minus15 110 2minus20 1611 2minus24 2412 2minus28 413 2minus31 814 2minus37 415 2minus41 1816 2minus45 217 2minus46 118 2minus49 419 2minus52 420 2minus53 221 2minus58 4822 2minus58 223 2minus63 3224 2minus67 4925 2minus71 1026 2minus73 427 2minus75 428 2minus79 1629 2minus79 230 2minus84 3231 2minus88 48
Table 6 Minimal number of active S-boxes from differentialcharacteristic
Number of active S-boxesReference Rounds
1 2 3 4 5[12] 0 1 2 5 9Section 31 0 1 2 3 3
Δ322 = 01199092080 and Δ30 = Δ20 = Δ10 = Δ422 = Δ222 = Δ122 =01199090000 according to the 22-round differential distinguisherThen Δ423 = Δ323 = 01199090000 Δ123 = 01199090050 and Δ223 satisfythe form as (00 lowast lowast lowast 00 lowast lowastlowast 000 lowast lowast0) where lowast isin 0 1 canbe deduced And the output difference of the 28-th round isΔ429 = Δ329 = 01199090000 119883223 119883
21015840
23 119883123 and 119883
11015840
23 can be gottenby 6-round decryption So 119903119896101584023 11990311989624 119903119896
101584025 11990311989626 119903119896
101584027 and 11990311989628
should be guessed and denoted by 119870119892119906119890119904119904 The attack processis described as follows
(1) Collect119873 pairs of plaintext (119875 1198751015840) satisfying 119875oplus1198751015840 =(Δ40 Δ
30 Δ20 Δ10) and their corresponding ciphertext
pairs (119862 1198621015840)(2) Initialize 232 countersV[0]V[1] V[232minus1] and
reset them(3) For each plaintext pair (119875 1198751015840) check whether its
ciphertext pair (119862 1198621015840) satisfies (119862 oplus 1198621015840)[63 32] =011990900000000 If the ciphertext pair meets the formula119909 = (119862 oplus 1198621015840)[31 0] andV[119909] + +
(4) Initialize 296 counters V119896[0]V119896[1] V119896[296 minus 1]
and reset them(5) Guess 96-bit key 119870119892119906119890119904119904 and decrypt 119909 to obtain 119883223
11988321015840
23119883123 and119883
11015840
23 Checkwhether119883223oplus11988321015840
23 and119883123oplus
11988311015840
23 are equal to Δ223 and Δ123 If the conditions are
met then let 119910 = 119883223 11988321015840
23 119883123 119883
11015840
23
(6) Use 119910 to calculate 119883422 oplus 11988341015840
22 and 119883322 oplus 119883
31015840
22 If 119883422 oplus
11988341015840
22 = Δ422 and 119883
322 oplus 119883
31015840
22 = Δ322V119896[119870119892119906119890119904119904] + +
(7) Set advantage 119886 to be 51 which implies that thetop 245 absolute values in V119896 are kept For eachremaining key we guess the remaining 58-bit subkeyand calculate the master key Finally we test the keyby trail encryptions
If set 119873 = 260 then about 228 pieces of data enter step(5) which means 2124 6-round encryptions that is 21217 29-round encryptions The complexity of step (7) is 2103 29-round encryptions So the total time complexity of this attackis about 212173 29-round encryptions
The countersV119896 require storing 296 bytes so the memory
complexity for the attack is 296 bytes The data complexity is261
The success rate 119875119878 = Φ((radic119901119873119878119873 minus Φminus1(1 minus2minus119886))radic119878119873 + 1) = 9871 by [13]
4 Linear Attack on 25-Round NUX
Linear approximations of NUX are searched for in thissection and the 25-round key-recovery attack is performedon NUX using a 19-round linear approximation
41 Linear Approximations of NUX To search for linearapproximations of NUX how masks propagate through S-boxes should be taken into account When a mask passesthrough an S-box the linear approximation table (LAT) ofthe S-box is looked up to determine the outputmask and biasAlgorithm 2 searches for linear approximations of NUX andnotations used in this algorithm are depicted in Figure 4
The bias of one round can be 12 which can be obtainedfrom the structure of NUX that is all the 8 S-boxes arepassive So special (119899 minus 1)-round linear approximations arechosen which satisfy (Γ40 = Γ10 = 0) and one-roundlinear approximation with bias 1 is added to catch 119899-roundlinear approximations Similar to searching for differentialcharacteristics there is only one active S-box in the first
6 Security and Communication Networks
Table 7 22-Round differential characteristic of NUX
Rounds 119894 Δ4119894 Δ3119894 Δ2119894 Δ1119894 Probability0 0400 0000 0000 0000 11 0000 0000 0080 0000 2minus3
2 0040 0001 0000 0000 2minus2
3 0000 0000 0010 8000 2minus3
4 0004 1000 0000 0000 2minus2
5 0000 0000 0002 0100 2minus2
6 0800 6002 0000 0000 2minus5
7 0000 0000 003b 0811 2minus5
8 c80c 2b30 0000 0000 2minus7
9 0000 0000 0480 4236 2minus5
10 2040 0600 0000 0000 2minus3
11 0000 0000 0005 2002 2minus2
12 8080 0003 0000 0000 2minus2
13 0000 0000 0040 8800 2minus2
14 0400 0030 0000 0000 2minus2
15 0000 0000 0008 4004 2minus3
16 0008 3000 0000 0000 2minus2
17 0000 0000 0000 0110 118 0000 4800 0000 0000 2minus3
19 0000 0000 0020 0201 2minus2
20 4000 0500 0000 0000 2minus3
21 0000 0000 0000 2020 122 0000 2080 0000 0000 lowast
round of 119899 minus 1 rounds Meanwhile Γ4119894 and Γ3119894 which liein the two branches on the left side will not affect Γ2119894 andΓ1119894 the two branches on the right side during propagationin NUX So the linear propagation on the left or right istaken into consideration and differences of the other twobranches are set to 0 In this way the number of active S-boxes is always nomore than 4 in one round which canmakethe absolute value of the linear approximation bias as largeas possible The results of the search algorithm are listed inTable 8
Moreover the minimal numbers of active S-boxes of1sim5-round linear approximations are shown in the designmanuscript [12] And the minimal number of active S-boxesis also considered and the minimum active S-boxes of 3sim5-round linear approximations are less than the ones given in[12] which are presented in Table 9
42 Linear Attack on NUX Utilizing obtained linear approx-imations a key-recovery attack can be applied to 25-roundNUX using a 19-round linear approximation with bias 2minus30which is described in Table 10 The 19-round linear approx-imation is put from the 4th to the 22th round of NUXextending 3 rounds both backward and forward The 25-round key-recovery attack is shown in Figure 5
According to the linear approximation there are Γ43 =Γ23 = Γ
13 = Γ
422 = Γ322 = 01199090000 Γ
33 = 01199091040 Γ
222 = 0119909044119888
and Γ122 = 011990924119886119891 Furthermore the following formula canbe gotten
Γ43 sdot 11988343 oplus Γ33 sdot 11988333 oplus Γ22 sdot 11988323 oplus Γ13 sdot 11988313 oplus Γ422 sdot 119883422 oplus Γ
322
sdot 119883322 oplus Γ222 sdot 119883222 oplus Γ
122 sdot 119883122 = Γ
33 sdot 11988333 oplus Γ222 sdot 119883222
oplus Γ122 sdot 119883122 = 120581
(4)
where 11988333 can be calculated through 3-round encryptionby guessing 26-bit subkeys which are denoted by 119870119887119890119891119900119903119890including 11990311989610158400 1199031198961[15 13 10 8 7 5 2 0] and 11990311989610158402[15 7]Besides 119883222 and 119883
122 are obtained by 3-round decryption
which involves 40-bit subkeys namely 119903119896101584022[15 1413 10 7 4 2 0] 11990311989623 and 119903119896101584024 For the sake of simplicity119903119896101584022[15 14 13 10 7 4 2 0] and 11990311989623 are denoted by 119870119898119894119889 Inthe following the attack process is depicted
(1) Collect119873 plaintextciphertext pairs(2) Initialize 266 counters V0[0]V0[1] V0[2
66 minus 1]and reset them
(3) Guess 26-bit key 119870119887119890119891119900119903119890(4) For each plaintextciphertext pair calculate 119909 =
11988333[12 6] 1198624 1198623 1198622 1198621 ThenV0[119909] + +
(5) Initialize 234 counters V1[0]V1[1] V1[234 minus 1]and reset them
Security and Communication Networks 7
gtgtgt3 ltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
22-round Differential Distinguisher
S-BoxS-Box
X30 X
20 X
10X
40
X322 X
222 X
122X
422
X323 X
223 X
123X
423
X324 X
224 X
124X
424
X325 X
225 X
125X
425
X326 X
226 X
126X
426
X327 X
227 X
127X
427
X328 X
228 X
128X
428
X329 X
229 X
129X
429
rk22
rk23
rk24
rk25
rk26
rk27
rk28
rkrsquo22
rkrsquo23
rkrsquo24
rkrsquo25
rkrsquo26
rkrsquo27
rkrsquo28
Figure 3 Differential attack of 29-round NUX
(6) Guess 16-bit key 119903119896101584024(7) For every 119909 calculate 119910 = 11988333[12 6] 119883
224 119883
124
ThenV1[119910]+ = V0[119909](8) Initialize 266 counters V119896[0]V119896[1] V119896[266 minus 1]
and reset them
(9) Guess 24-bit key 119870119898119894119889
(10) For every 119910 calculate 119883222[10 6 3 2] and 119883222[13 10
7 5 3 2 1 0] Then compute 119911 = Γ33 sdot 11988333 oplus Γ222 sdot 119883222 oplus
Γ122 sdot 119883122 If 119911 = 0 thenV119896[119870119887119890119891119900119903119890 119903119896101584024 119870119898119894119889]+ =
V1[119910] otherwise decrease the counter byV1[119910]
8 Security and Communication Networks
Input S-box 119878 Bias threshold 120598119871119894119898[30]Output A linear approximation with the best biasDataThe number of active S-boxes in i rounds 119878119886119888119905119894V119890[119894]
The number of active S-boxes of the i-th round 119878119894119886119888119905119894V119890(1) Generate the LAT of S-box(2) Store all 2 4 and the corresponding inputoutput masks in LAT in the table 119871119860119879119875(3) for Each of 8 S-boxes in the first round do(4) for all non-zero entities in LAT do(5) if S-box is in 1198652 then(6) Γ41 = Γ119884
ℎ1 ⋙ 8 Γ31 = Γ
21 = Γ11 = 0
(7) Store them in 119877119894119899[1](8) else(9) Γ11 = Γ119884
1198971⋘ 3 Γ41 = Γ
31 = Γ21 = 0
(10) Store them in 119877119894119899[1](11) Calculate Γ40 Γ
30 Γ20 Γ10 and store them in 119877119894119899[0]
(12) Calculate Γ42 Γ32 Γ22 Γ12 and store them in 119877119894119899[2]
(13) Update 119878119886119888119905119894V119890[1] to be 1(14) The bias is recorded as 120598[1](15) for 119894 larr997888 2 to 30 do(16) if Γ4119894 = Γ
3119894 = 0 then
(17) Γ119884119897119894 = Γ1119894 ⋙ 3
(18) Travel 119871119860119879119875 to get Γ119883119897119894 119878119894119886119888119905119894V119890 and its corresponding bias 120598119877119899119889
(19) else if Γ2119894 = Γ1119894 = 0 then
(20) Γ119884ℎ119894 = Γ4119894 ⋘ 8
(21) Travel 119871119860119879119875 to get Γ119883ℎ119894 119878119894119886119888119905119894V119890 and the corresponding bias 120598119877119899119889
(22) Compute the total bias and keep ones greater than threshold 120598119871119894119898[119894](23) Calculate Γ4119894+1 Γ
3119894+1 Γ2119894+1 Γ1119894+1 and store them in 119877119894119899[119894 + 1]
(24) Update the number of active S-boxes 119878119886119888119905119894V119890[119894] and bias 120598[119894](25) for Each of 8 S-boxes in the first round do(26) for all non-zero entities in DDT do(27) Find the largest 120598[119894] and store it in 120598119872119886119909[119894](28) Output linear approximations with bias 120598119872119886119909[119894]
Algorithm 2 Algorithm for linear approximations on NUX
ltltlt 8
S-Box gtgtgt3
gtgtgt3
S-Boxltltlt8
P P P P
rki
Γ4
i
F1F2
Γ3
iΓ2
iΓ1
i
ΓYℎ
iΓX
ℎ
i
Γ4
i+1Γ3
i+1Γ2
i+1Γ1
i+1
rkrsquoi
ΓXl
iΓY
l
i
Figure 4 Linear representation of NUX
(11) Set the advantage 119886 to be 17 which means that the top249 absolute values inV119896 are kept For each remainingkey we guess 77-bit subkey to determine the masterkey And then we test the key by trail encryptions
If 119873 = 2637 then the time complexity of step (3)step (5) and step (7) is about 2897 3-round encryption 21081-round decryption and 2100 2-round encryption respec-tively Besides the complexity of step (11) is 2126 25-round
Security and Communication Networks 9
gtgtgt3 ltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
19-round Linear Distinguisher
S-BoxS-Box
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
X30 X
20 X
10X
40
X322 X
222 X
122
X422
X323 X
223 X
123X
423
X324 X
224 X
124X
424
X325 X
225 X
125X
425
X33 X
23 X
13X
43
X32 X
22 X
12X
42
X31 X
21 X
11X
41
rk0
rk1
rkrsquo0
rkrsquo1
rk2 rkrsquo2
rk22 rkrsquo22
rk23 rkrsquo23
rk24 rkrsquo24
Figure 5 Linear attack of 25-round NUX
encryption Hence the total time complexity of this attack isabout 2126 25-round encryption
Both the counters V0 and V119896 need 269 bytes to store sothe memory complexity for the attack is 270 bytes The datacomplexity is 2637
The success rate 119875119878 = Φ(2radic119873 sdot |120598| minus radic1 + 1198732119899Φminus1(1 minus2minus119886minus1)) = 8821 by [14]
5 Distinguishing Attack on NUX
Generally speaking the distinguishing attack is a kind of testalgorithm which tries to perform the nonrandom behavior
in cryptographic system A distinguishing attack needs tofind a distinguisher which makes cryptographic algorithmdifferent from random permutation When analyzing NUXwe find a distinguisher with probability 1 that is a deter-ministic distinguisher to distinguish NUX from a randompermutation
In Section 3 it has been pointed out that the two brancheson the right side will not affect the two on the right sideduring difference propagation in NUX Then for the full-round NUX when the input difference (Δ40 Δ
30 Δ20 Δ10) is
(0 0 lowast lowast) the output difference (Δ431 Δ331 Δ231 Δ131) sat-
isfies the form of (lowast lowast 0 0) shown in Figure 6 that is
10 Security and Communication Networks
lowast lowast
lowast lowast00
00
31-round distinguisher
Figure 6 31-Round differential distinguisher of NUX
Table 8 Linear approximations of NUX
Rounds Bias Number of tails2 2minus2 2883 2minus3 3004 2minus4 135 2minus5 26 2minus6 47 2minus10 138 2minus11 629 2minus12 610 2minus15 7011 2minus16 1112 2minus18 7013 2minus19 414 2minus20 215 2minus22 416 2minus24 1617 2minus26 418 2minus27 419 2minus30 1620 2minus31 421 2minus33 822 2minus35 6023 2minus37 2124 2minus39 2525 2minus41 4826 2minus43 10327 2minus44 428 2minus46 729 2minus48 5430 2minus49 431 2minus50 2
Table 9Minimal number of active S-boxes from linear approxima-tion
Number of active S-boxesReference Rounds
1 2 3 4 5[12] 0 1 4 9 13Section 41 0 1 2 3 3
(0 0 lowast lowast) 119875119903=1997888rarr31-119903119900119906119899119889
(lowast lowast 0 0) However the probabilityof the output difference to be (lowast lowast 0 0) is 119875119903119903119886119899119889119900119898 =
2minus32 for random permutations when the input differenceis (0 0 lowast lowast) So 4 pairs of plaintexts are chosen which are(119875119894 1198751015840119894 ) (0 le 119894 le 3) and 119875119894 oplus 1198751015840119894 = (0 0 lowast lowast) and thecorresponding ciphertexts (119862119894 119862
1015840119894 ) are checked to determine
whether they satisfy 119862119894 oplus 1198621015840119894 = (lowast lowast 0 0) The probabilityof obtaining such inputoutput differences is 1 for NUXwhile it is 2minus128 for a random permutation Therefore wecan distinguish NUX from a random permutation Besidesthere is another distinguisher with probability 1 which is(lowast lowast 0 0) 119875119903=1997888rarr
31-119903119900119906119899119889(0 0 lowast lowast) and can be used to perform a
distinguishing attack like the one described before So we willnot explore it here
Since only 4 pairs of plaintexts are used in the distinguish-ing attack the data complexity is 8 And the attack needs nostorage In other words the complexity of memory is 0 Thetime complexity is 8 31-round encryptions
6 Conclusions
NUX is a 31-round iterative ultralightweight cipher whichis suitable for extremely constrained environment and isapplied to the Internet of Things In this paper differentialand linear trails are searched for 1sim31-round NUX which arebetter than those proposed in design specification Moreovera key-recovery attack on 29-round NUX is given with the 22-round differential characteristic found in the paper whosetime data and memory complexities are 212173 29-roundencryptions and 261 and 296 bytes respectively Meanwhileusing 22-round differential characteristic obtained in thepaper 29-round differential attack is performed with timedata and memory complexities to be 2126 25-round encryp-tions and 2637 and 270 bytes respectively Furthermore adistinguishing attack can be implemented on full NUX withdata complexity 8 Results in this paper are the best ones onNUX till now
Data Availability
All the data are obtained by our programs and can beprovided to interested readers by email
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This work has been supported by National CryptographyDevelopment Fund (no MMJJ20170102) the National
Security and Communication Networks 11
Table 10 19-Round linear approximation of NUX
Rounds 119894 Γ4119894 Γ3119894 Γ2119894 Γ1119894 Bias0 0000 1040 0000 0000 2minus1
1 0000 0000 0000 0500 2minus2
2 0001 4040 0000 0000 2minus2
3 0000 0000 0020 0600 2minus2
4 5100 0440 0000 0000 2minus4
5 0000 0000 8404 2028 2minus3
6 100a a080 0000 0000 2minus3
7 0000 0000 0206 3000 2minus3
8 000a 2002 0000 0000 2minus2
9 0000 0000 0202 0800 2minus2
10 000a 0020 0000 0000 2minus2
11 0000 0000 0202 4010 2minus3
12 a000 0a00 0000 0000 2minus2
13 0000 0000 4040 0200 2minus2
14 1400 0400 0000 0000 2minus3
15 0000 0000 0084 0448 2minus3
16 01c3 8048 0000 0000 2minus4
17 0000 0000 9023 0180 2minus2
18 d800 4004 0000 0000 2minus3
19 0000 0000 044c 24af lowast
Natural Science Foundation of China (nos 6157229361502276 and 61692276) the National Natural ScienceFoundation of Shandong Province China (ZR2016FM22)Major Scientific and Technological Innovation Projectsof Shandong Province China (2017CXGC0704) andFundamental Research Fund of Shandong Academy ofSciences (no 201812-16)
References
[1] A A Bogdanov L R Knudsen G Leander et al ldquoAn ultra-lightweight block cipherrdquo in Proceedings of the CryptographicHardware and Embedded Systems (CHES 2007) P Paillier andI Verbauwhede Eds vol 4727 of Lecture Notes in ComputerScience LNCS pp 450ndash466 Springer 2007
[2] W Wu and L Zhang ldquoLBlock a lightweight block cipherrdquoin Proceedings of the 9th International Conference on AppliedCryptography and Network Security (ACNS 2011) J Lopez andG Tsudik Eds vol 6715 of Lecture Notes in Computer Sciencepp 327ndash344 Springer Heidelberg Germany 2011
[3] J Borghoff A Canteaut T Guneysu et al ldquoPRINCE-A lowlatency block cipher for pervasive computing applicationsrdquo inProceedings of the the 25th Annual International Conferenceon the eory and Application of Cryptology and InformationSecurity (ASIACRYPT 2012) X Wang and K Sako Edsvol 7658 of Lecture Notes in Computer Science pp 208ndash225Springer Heidelberg Germany 2012
[4] E Biham and A Shamir ldquoDifferential cryptanalysis of DES-likecryptosystemsrdquo Journal of Cryptology vol 4 no 1 pp 3ndash721991
[5] M Matsui ldquoLinear cryptanalysis method for DES cipherrdquo inProceedings of the Workshop on the eory and Application ofof Cryptographic Techniques (EUROCRYPT 1993) T Helleseth
Ed vol 765 of Lecture Notes in Computer Science pp 386ndash397Springer 1993
[6] A G Bafghi R Safabakhsh and B Sadeghiyan ldquoFindingthe differential characteristics of block ciphers with neuralnetworksrdquo Information Sciences vol 178 no 15 pp 3117ndash31312008
[7] H M Heys and S E Tavares ldquoSubstitution-permutation net-works resistant to differential and linear cryptanalysisrdquo Journalof Cryptology e Journal of the International Association forCryptologic Research vol 9 no 1 pp 1ndash19 1996
[8] G Jakimoski and L Kocarev ldquoDifferential and linear probabili-ties of a block-encryption cipherrdquo IEEE Transactions on Circuitsand Systems I Fundamentaleory andApplications vol 50 no1 pp 121ndash123 2003
[9] J Kim and R C-W Phan ldquoAdvanced differential-style crypt-analysis of the NSArsquos Skipjack block Cipherrdquo Cryptologia vol33 no 3 pp 246ndash270 2009
[10] F Sano K Ohkuma H Shimizu and S Kawamura ldquoOnthe security of nested SPN cipher against the differential andlinear cryptanalysisrdquo IEICE Transactions on Fundamentals ofElectronics Communications andComputer Sciences vol 86 no1 pp 37ndash46 2003
[11] B-Z Su W-L Wu and W-T Zhang ldquoSecurity of the SMS4block cipher against differential cryptanalysisrdquo Journal of Com-puter Science and Technology vol 26 no 1 pp 130ndash138 2011
[12] G Bansod S Sutar A Patil and J Patil ldquoNUX a lightweightblock cipher for security at wireless sensor node level Worldacademy of science engineering and technologyrdquo InternationalJournal of Bioengineering and Life Sciences vol 5 no 1 2018
[13] AA Selcuk ldquoOn probability of success in linear anddifferentialcryptanalysisrdquo Journal of Cryptology e Journal of the Interna-tional Association for Cryptologic Research vol 21 no 1 pp 131ndash147 2008
12 Security and Communication Networks
[14] A Bogdanov and E Tischhauser ldquoOn the wrong key randomi-sation and key equivalence hypotheses in Matsuirsquos algorithm 2rdquoin Proceedings of the International Workshop on Fast So13wareEncryption (FSE 2013) S Moriai Ed vol 8424 of Lecture Notesin Computer Science pp 19ndash38 Springer 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
6 Security and Communication Networks
Table 7 22-Round differential characteristic of NUX
Rounds 119894 Δ4119894 Δ3119894 Δ2119894 Δ1119894 Probability0 0400 0000 0000 0000 11 0000 0000 0080 0000 2minus3
2 0040 0001 0000 0000 2minus2
3 0000 0000 0010 8000 2minus3
4 0004 1000 0000 0000 2minus2
5 0000 0000 0002 0100 2minus2
6 0800 6002 0000 0000 2minus5
7 0000 0000 003b 0811 2minus5
8 c80c 2b30 0000 0000 2minus7
9 0000 0000 0480 4236 2minus5
10 2040 0600 0000 0000 2minus3
11 0000 0000 0005 2002 2minus2
12 8080 0003 0000 0000 2minus2
13 0000 0000 0040 8800 2minus2
14 0400 0030 0000 0000 2minus2
15 0000 0000 0008 4004 2minus3
16 0008 3000 0000 0000 2minus2
17 0000 0000 0000 0110 118 0000 4800 0000 0000 2minus3
19 0000 0000 0020 0201 2minus2
20 4000 0500 0000 0000 2minus3
21 0000 0000 0000 2020 122 0000 2080 0000 0000 lowast
round of 119899 minus 1 rounds Meanwhile Γ4119894 and Γ3119894 which liein the two branches on the left side will not affect Γ2119894 andΓ1119894 the two branches on the right side during propagationin NUX So the linear propagation on the left or right istaken into consideration and differences of the other twobranches are set to 0 In this way the number of active S-boxes is always nomore than 4 in one round which canmakethe absolute value of the linear approximation bias as largeas possible The results of the search algorithm are listed inTable 8
Moreover the minimal numbers of active S-boxes of1sim5-round linear approximations are shown in the designmanuscript [12] And the minimal number of active S-boxesis also considered and the minimum active S-boxes of 3sim5-round linear approximations are less than the ones given in[12] which are presented in Table 9
42 Linear Attack on NUX Utilizing obtained linear approx-imations a key-recovery attack can be applied to 25-roundNUX using a 19-round linear approximation with bias 2minus30which is described in Table 10 The 19-round linear approx-imation is put from the 4th to the 22th round of NUXextending 3 rounds both backward and forward The 25-round key-recovery attack is shown in Figure 5
According to the linear approximation there are Γ43 =Γ23 = Γ
13 = Γ
422 = Γ322 = 01199090000 Γ
33 = 01199091040 Γ
222 = 0119909044119888
and Γ122 = 011990924119886119891 Furthermore the following formula canbe gotten
Γ43 sdot 11988343 oplus Γ33 sdot 11988333 oplus Γ22 sdot 11988323 oplus Γ13 sdot 11988313 oplus Γ422 sdot 119883422 oplus Γ
322
sdot 119883322 oplus Γ222 sdot 119883222 oplus Γ
122 sdot 119883122 = Γ
33 sdot 11988333 oplus Γ222 sdot 119883222
oplus Γ122 sdot 119883122 = 120581
(4)
where 11988333 can be calculated through 3-round encryptionby guessing 26-bit subkeys which are denoted by 119870119887119890119891119900119903119890including 11990311989610158400 1199031198961[15 13 10 8 7 5 2 0] and 11990311989610158402[15 7]Besides 119883222 and 119883
122 are obtained by 3-round decryption
which involves 40-bit subkeys namely 119903119896101584022[15 1413 10 7 4 2 0] 11990311989623 and 119903119896101584024 For the sake of simplicity119903119896101584022[15 14 13 10 7 4 2 0] and 11990311989623 are denoted by 119870119898119894119889 Inthe following the attack process is depicted
(1) Collect119873 plaintextciphertext pairs(2) Initialize 266 counters V0[0]V0[1] V0[2
66 minus 1]and reset them
(3) Guess 26-bit key 119870119887119890119891119900119903119890(4) For each plaintextciphertext pair calculate 119909 =
11988333[12 6] 1198624 1198623 1198622 1198621 ThenV0[119909] + +
(5) Initialize 234 counters V1[0]V1[1] V1[234 minus 1]and reset them
Security and Communication Networks 7
gtgtgt3 ltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
22-round Differential Distinguisher
S-BoxS-Box
X30 X
20 X
10X
40
X322 X
222 X
122X
422
X323 X
223 X
123X
423
X324 X
224 X
124X
424
X325 X
225 X
125X
425
X326 X
226 X
126X
426
X327 X
227 X
127X
427
X328 X
228 X
128X
428
X329 X
229 X
129X
429
rk22
rk23
rk24
rk25
rk26
rk27
rk28
rkrsquo22
rkrsquo23
rkrsquo24
rkrsquo25
rkrsquo26
rkrsquo27
rkrsquo28
Figure 3 Differential attack of 29-round NUX
(6) Guess 16-bit key 119903119896101584024(7) For every 119909 calculate 119910 = 11988333[12 6] 119883
224 119883
124
ThenV1[119910]+ = V0[119909](8) Initialize 266 counters V119896[0]V119896[1] V119896[266 minus 1]
and reset them
(9) Guess 24-bit key 119870119898119894119889
(10) For every 119910 calculate 119883222[10 6 3 2] and 119883222[13 10
7 5 3 2 1 0] Then compute 119911 = Γ33 sdot 11988333 oplus Γ222 sdot 119883222 oplus
Γ122 sdot 119883122 If 119911 = 0 thenV119896[119870119887119890119891119900119903119890 119903119896101584024 119870119898119894119889]+ =
V1[119910] otherwise decrease the counter byV1[119910]
8 Security and Communication Networks
Input S-box 119878 Bias threshold 120598119871119894119898[30]Output A linear approximation with the best biasDataThe number of active S-boxes in i rounds 119878119886119888119905119894V119890[119894]
The number of active S-boxes of the i-th round 119878119894119886119888119905119894V119890(1) Generate the LAT of S-box(2) Store all 2 4 and the corresponding inputoutput masks in LAT in the table 119871119860119879119875(3) for Each of 8 S-boxes in the first round do(4) for all non-zero entities in LAT do(5) if S-box is in 1198652 then(6) Γ41 = Γ119884
ℎ1 ⋙ 8 Γ31 = Γ
21 = Γ11 = 0
(7) Store them in 119877119894119899[1](8) else(9) Γ11 = Γ119884
1198971⋘ 3 Γ41 = Γ
31 = Γ21 = 0
(10) Store them in 119877119894119899[1](11) Calculate Γ40 Γ
30 Γ20 Γ10 and store them in 119877119894119899[0]
(12) Calculate Γ42 Γ32 Γ22 Γ12 and store them in 119877119894119899[2]
(13) Update 119878119886119888119905119894V119890[1] to be 1(14) The bias is recorded as 120598[1](15) for 119894 larr997888 2 to 30 do(16) if Γ4119894 = Γ
3119894 = 0 then
(17) Γ119884119897119894 = Γ1119894 ⋙ 3
(18) Travel 119871119860119879119875 to get Γ119883119897119894 119878119894119886119888119905119894V119890 and its corresponding bias 120598119877119899119889
(19) else if Γ2119894 = Γ1119894 = 0 then
(20) Γ119884ℎ119894 = Γ4119894 ⋘ 8
(21) Travel 119871119860119879119875 to get Γ119883ℎ119894 119878119894119886119888119905119894V119890 and the corresponding bias 120598119877119899119889
(22) Compute the total bias and keep ones greater than threshold 120598119871119894119898[119894](23) Calculate Γ4119894+1 Γ
3119894+1 Γ2119894+1 Γ1119894+1 and store them in 119877119894119899[119894 + 1]
(24) Update the number of active S-boxes 119878119886119888119905119894V119890[119894] and bias 120598[119894](25) for Each of 8 S-boxes in the first round do(26) for all non-zero entities in DDT do(27) Find the largest 120598[119894] and store it in 120598119872119886119909[119894](28) Output linear approximations with bias 120598119872119886119909[119894]
Algorithm 2 Algorithm for linear approximations on NUX
ltltlt 8
S-Box gtgtgt3
gtgtgt3
S-Boxltltlt8
P P P P
rki
Γ4
i
F1F2
Γ3
iΓ2
iΓ1
i
ΓYℎ
iΓX
ℎ
i
Γ4
i+1Γ3
i+1Γ2
i+1Γ1
i+1
rkrsquoi
ΓXl
iΓY
l
i
Figure 4 Linear representation of NUX
(11) Set the advantage 119886 to be 17 which means that the top249 absolute values inV119896 are kept For each remainingkey we guess 77-bit subkey to determine the masterkey And then we test the key by trail encryptions
If 119873 = 2637 then the time complexity of step (3)step (5) and step (7) is about 2897 3-round encryption 21081-round decryption and 2100 2-round encryption respec-tively Besides the complexity of step (11) is 2126 25-round
Security and Communication Networks 9
gtgtgt3 ltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
19-round Linear Distinguisher
S-BoxS-Box
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
X30 X
20 X
10X
40
X322 X
222 X
122
X422
X323 X
223 X
123X
423
X324 X
224 X
124X
424
X325 X
225 X
125X
425
X33 X
23 X
13X
43
X32 X
22 X
12X
42
X31 X
21 X
11X
41
rk0
rk1
rkrsquo0
rkrsquo1
rk2 rkrsquo2
rk22 rkrsquo22
rk23 rkrsquo23
rk24 rkrsquo24
Figure 5 Linear attack of 25-round NUX
encryption Hence the total time complexity of this attack isabout 2126 25-round encryption
Both the counters V0 and V119896 need 269 bytes to store sothe memory complexity for the attack is 270 bytes The datacomplexity is 2637
The success rate 119875119878 = Φ(2radic119873 sdot |120598| minus radic1 + 1198732119899Φminus1(1 minus2minus119886minus1)) = 8821 by [14]
5 Distinguishing Attack on NUX
Generally speaking the distinguishing attack is a kind of testalgorithm which tries to perform the nonrandom behavior
in cryptographic system A distinguishing attack needs tofind a distinguisher which makes cryptographic algorithmdifferent from random permutation When analyzing NUXwe find a distinguisher with probability 1 that is a deter-ministic distinguisher to distinguish NUX from a randompermutation
In Section 3 it has been pointed out that the two brancheson the right side will not affect the two on the right sideduring difference propagation in NUX Then for the full-round NUX when the input difference (Δ40 Δ
30 Δ20 Δ10) is
(0 0 lowast lowast) the output difference (Δ431 Δ331 Δ231 Δ131) sat-
isfies the form of (lowast lowast 0 0) shown in Figure 6 that is
10 Security and Communication Networks
lowast lowast
lowast lowast00
00
31-round distinguisher
Figure 6 31-Round differential distinguisher of NUX
Table 8 Linear approximations of NUX
Rounds Bias Number of tails2 2minus2 2883 2minus3 3004 2minus4 135 2minus5 26 2minus6 47 2minus10 138 2minus11 629 2minus12 610 2minus15 7011 2minus16 1112 2minus18 7013 2minus19 414 2minus20 215 2minus22 416 2minus24 1617 2minus26 418 2minus27 419 2minus30 1620 2minus31 421 2minus33 822 2minus35 6023 2minus37 2124 2minus39 2525 2minus41 4826 2minus43 10327 2minus44 428 2minus46 729 2minus48 5430 2minus49 431 2minus50 2
Table 9Minimal number of active S-boxes from linear approxima-tion
Number of active S-boxesReference Rounds
1 2 3 4 5[12] 0 1 4 9 13Section 41 0 1 2 3 3
(0 0 lowast lowast) 119875119903=1997888rarr31-119903119900119906119899119889
(lowast lowast 0 0) However the probabilityof the output difference to be (lowast lowast 0 0) is 119875119903119903119886119899119889119900119898 =
2minus32 for random permutations when the input differenceis (0 0 lowast lowast) So 4 pairs of plaintexts are chosen which are(119875119894 1198751015840119894 ) (0 le 119894 le 3) and 119875119894 oplus 1198751015840119894 = (0 0 lowast lowast) and thecorresponding ciphertexts (119862119894 119862
1015840119894 ) are checked to determine
whether they satisfy 119862119894 oplus 1198621015840119894 = (lowast lowast 0 0) The probabilityof obtaining such inputoutput differences is 1 for NUXwhile it is 2minus128 for a random permutation Therefore wecan distinguish NUX from a random permutation Besidesthere is another distinguisher with probability 1 which is(lowast lowast 0 0) 119875119903=1997888rarr
31-119903119900119906119899119889(0 0 lowast lowast) and can be used to perform a
distinguishing attack like the one described before So we willnot explore it here
Since only 4 pairs of plaintexts are used in the distinguish-ing attack the data complexity is 8 And the attack needs nostorage In other words the complexity of memory is 0 Thetime complexity is 8 31-round encryptions
6 Conclusions
NUX is a 31-round iterative ultralightweight cipher whichis suitable for extremely constrained environment and isapplied to the Internet of Things In this paper differentialand linear trails are searched for 1sim31-round NUX which arebetter than those proposed in design specification Moreovera key-recovery attack on 29-round NUX is given with the 22-round differential characteristic found in the paper whosetime data and memory complexities are 212173 29-roundencryptions and 261 and 296 bytes respectively Meanwhileusing 22-round differential characteristic obtained in thepaper 29-round differential attack is performed with timedata and memory complexities to be 2126 25-round encryp-tions and 2637 and 270 bytes respectively Furthermore adistinguishing attack can be implemented on full NUX withdata complexity 8 Results in this paper are the best ones onNUX till now
Data Availability
All the data are obtained by our programs and can beprovided to interested readers by email
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This work has been supported by National CryptographyDevelopment Fund (no MMJJ20170102) the National
Security and Communication Networks 11
Table 10 19-Round linear approximation of NUX
Rounds 119894 Γ4119894 Γ3119894 Γ2119894 Γ1119894 Bias0 0000 1040 0000 0000 2minus1
1 0000 0000 0000 0500 2minus2
2 0001 4040 0000 0000 2minus2
3 0000 0000 0020 0600 2minus2
4 5100 0440 0000 0000 2minus4
5 0000 0000 8404 2028 2minus3
6 100a a080 0000 0000 2minus3
7 0000 0000 0206 3000 2minus3
8 000a 2002 0000 0000 2minus2
9 0000 0000 0202 0800 2minus2
10 000a 0020 0000 0000 2minus2
11 0000 0000 0202 4010 2minus3
12 a000 0a00 0000 0000 2minus2
13 0000 0000 4040 0200 2minus2
14 1400 0400 0000 0000 2minus3
15 0000 0000 0084 0448 2minus3
16 01c3 8048 0000 0000 2minus4
17 0000 0000 9023 0180 2minus2
18 d800 4004 0000 0000 2minus3
19 0000 0000 044c 24af lowast
Natural Science Foundation of China (nos 6157229361502276 and 61692276) the National Natural ScienceFoundation of Shandong Province China (ZR2016FM22)Major Scientific and Technological Innovation Projectsof Shandong Province China (2017CXGC0704) andFundamental Research Fund of Shandong Academy ofSciences (no 201812-16)
References
[1] A A Bogdanov L R Knudsen G Leander et al ldquoAn ultra-lightweight block cipherrdquo in Proceedings of the CryptographicHardware and Embedded Systems (CHES 2007) P Paillier andI Verbauwhede Eds vol 4727 of Lecture Notes in ComputerScience LNCS pp 450ndash466 Springer 2007
[2] W Wu and L Zhang ldquoLBlock a lightweight block cipherrdquoin Proceedings of the 9th International Conference on AppliedCryptography and Network Security (ACNS 2011) J Lopez andG Tsudik Eds vol 6715 of Lecture Notes in Computer Sciencepp 327ndash344 Springer Heidelberg Germany 2011
[3] J Borghoff A Canteaut T Guneysu et al ldquoPRINCE-A lowlatency block cipher for pervasive computing applicationsrdquo inProceedings of the the 25th Annual International Conferenceon the eory and Application of Cryptology and InformationSecurity (ASIACRYPT 2012) X Wang and K Sako Edsvol 7658 of Lecture Notes in Computer Science pp 208ndash225Springer Heidelberg Germany 2012
[4] E Biham and A Shamir ldquoDifferential cryptanalysis of DES-likecryptosystemsrdquo Journal of Cryptology vol 4 no 1 pp 3ndash721991
[5] M Matsui ldquoLinear cryptanalysis method for DES cipherrdquo inProceedings of the Workshop on the eory and Application ofof Cryptographic Techniques (EUROCRYPT 1993) T Helleseth
Ed vol 765 of Lecture Notes in Computer Science pp 386ndash397Springer 1993
[6] A G Bafghi R Safabakhsh and B Sadeghiyan ldquoFindingthe differential characteristics of block ciphers with neuralnetworksrdquo Information Sciences vol 178 no 15 pp 3117ndash31312008
[7] H M Heys and S E Tavares ldquoSubstitution-permutation net-works resistant to differential and linear cryptanalysisrdquo Journalof Cryptology e Journal of the International Association forCryptologic Research vol 9 no 1 pp 1ndash19 1996
[8] G Jakimoski and L Kocarev ldquoDifferential and linear probabili-ties of a block-encryption cipherrdquo IEEE Transactions on Circuitsand Systems I Fundamentaleory andApplications vol 50 no1 pp 121ndash123 2003
[9] J Kim and R C-W Phan ldquoAdvanced differential-style crypt-analysis of the NSArsquos Skipjack block Cipherrdquo Cryptologia vol33 no 3 pp 246ndash270 2009
[10] F Sano K Ohkuma H Shimizu and S Kawamura ldquoOnthe security of nested SPN cipher against the differential andlinear cryptanalysisrdquo IEICE Transactions on Fundamentals ofElectronics Communications andComputer Sciences vol 86 no1 pp 37ndash46 2003
[11] B-Z Su W-L Wu and W-T Zhang ldquoSecurity of the SMS4block cipher against differential cryptanalysisrdquo Journal of Com-puter Science and Technology vol 26 no 1 pp 130ndash138 2011
[12] G Bansod S Sutar A Patil and J Patil ldquoNUX a lightweightblock cipher for security at wireless sensor node level Worldacademy of science engineering and technologyrdquo InternationalJournal of Bioengineering and Life Sciences vol 5 no 1 2018
[13] AA Selcuk ldquoOn probability of success in linear anddifferentialcryptanalysisrdquo Journal of Cryptology e Journal of the Interna-tional Association for Cryptologic Research vol 21 no 1 pp 131ndash147 2008
12 Security and Communication Networks
[14] A Bogdanov and E Tischhauser ldquoOn the wrong key randomi-sation and key equivalence hypotheses in Matsuirsquos algorithm 2rdquoin Proceedings of the International Workshop on Fast So13wareEncryption (FSE 2013) S Moriai Ed vol 8424 of Lecture Notesin Computer Science pp 19ndash38 Springer 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Security and Communication Networks 7
gtgtgt3 ltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
22-round Differential Distinguisher
S-BoxS-Box
X30 X
20 X
10X
40
X322 X
222 X
122X
422
X323 X
223 X
123X
423
X324 X
224 X
124X
424
X325 X
225 X
125X
425
X326 X
226 X
126X
426
X327 X
227 X
127X
427
X328 X
228 X
128X
428
X329 X
229 X
129X
429
rk22
rk23
rk24
rk25
rk26
rk27
rk28
rkrsquo22
rkrsquo23
rkrsquo24
rkrsquo25
rkrsquo26
rkrsquo27
rkrsquo28
Figure 3 Differential attack of 29-round NUX
(6) Guess 16-bit key 119903119896101584024(7) For every 119909 calculate 119910 = 11988333[12 6] 119883
224 119883
124
ThenV1[119910]+ = V0[119909](8) Initialize 266 counters V119896[0]V119896[1] V119896[266 minus 1]
and reset them
(9) Guess 24-bit key 119870119898119894119889
(10) For every 119910 calculate 119883222[10 6 3 2] and 119883222[13 10
7 5 3 2 1 0] Then compute 119911 = Γ33 sdot 11988333 oplus Γ222 sdot 119883222 oplus
Γ122 sdot 119883122 If 119911 = 0 thenV119896[119870119887119890119891119900119903119890 119903119896101584024 119870119898119894119889]+ =
V1[119910] otherwise decrease the counter byV1[119910]
8 Security and Communication Networks
Input S-box 119878 Bias threshold 120598119871119894119898[30]Output A linear approximation with the best biasDataThe number of active S-boxes in i rounds 119878119886119888119905119894V119890[119894]
The number of active S-boxes of the i-th round 119878119894119886119888119905119894V119890(1) Generate the LAT of S-box(2) Store all 2 4 and the corresponding inputoutput masks in LAT in the table 119871119860119879119875(3) for Each of 8 S-boxes in the first round do(4) for all non-zero entities in LAT do(5) if S-box is in 1198652 then(6) Γ41 = Γ119884
ℎ1 ⋙ 8 Γ31 = Γ
21 = Γ11 = 0
(7) Store them in 119877119894119899[1](8) else(9) Γ11 = Γ119884
1198971⋘ 3 Γ41 = Γ
31 = Γ21 = 0
(10) Store them in 119877119894119899[1](11) Calculate Γ40 Γ
30 Γ20 Γ10 and store them in 119877119894119899[0]
(12) Calculate Γ42 Γ32 Γ22 Γ12 and store them in 119877119894119899[2]
(13) Update 119878119886119888119905119894V119890[1] to be 1(14) The bias is recorded as 120598[1](15) for 119894 larr997888 2 to 30 do(16) if Γ4119894 = Γ
3119894 = 0 then
(17) Γ119884119897119894 = Γ1119894 ⋙ 3
(18) Travel 119871119860119879119875 to get Γ119883119897119894 119878119894119886119888119905119894V119890 and its corresponding bias 120598119877119899119889
(19) else if Γ2119894 = Γ1119894 = 0 then
(20) Γ119884ℎ119894 = Γ4119894 ⋘ 8
(21) Travel 119871119860119879119875 to get Γ119883ℎ119894 119878119894119886119888119905119894V119890 and the corresponding bias 120598119877119899119889
(22) Compute the total bias and keep ones greater than threshold 120598119871119894119898[119894](23) Calculate Γ4119894+1 Γ
3119894+1 Γ2119894+1 Γ1119894+1 and store them in 119877119894119899[119894 + 1]
(24) Update the number of active S-boxes 119878119886119888119905119894V119890[119894] and bias 120598[119894](25) for Each of 8 S-boxes in the first round do(26) for all non-zero entities in DDT do(27) Find the largest 120598[119894] and store it in 120598119872119886119909[119894](28) Output linear approximations with bias 120598119872119886119909[119894]
Algorithm 2 Algorithm for linear approximations on NUX
ltltlt 8
S-Box gtgtgt3
gtgtgt3
S-Boxltltlt8
P P P P
rki
Γ4
i
F1F2
Γ3
iΓ2
iΓ1
i
ΓYℎ
iΓX
ℎ
i
Γ4
i+1Γ3
i+1Γ2
i+1Γ1
i+1
rkrsquoi
ΓXl
iΓY
l
i
Figure 4 Linear representation of NUX
(11) Set the advantage 119886 to be 17 which means that the top249 absolute values inV119896 are kept For each remainingkey we guess 77-bit subkey to determine the masterkey And then we test the key by trail encryptions
If 119873 = 2637 then the time complexity of step (3)step (5) and step (7) is about 2897 3-round encryption 21081-round decryption and 2100 2-round encryption respec-tively Besides the complexity of step (11) is 2126 25-round
Security and Communication Networks 9
gtgtgt3 ltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
19-round Linear Distinguisher
S-BoxS-Box
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
X30 X
20 X
10X
40
X322 X
222 X
122
X422
X323 X
223 X
123X
423
X324 X
224 X
124X
424
X325 X
225 X
125X
425
X33 X
23 X
13X
43
X32 X
22 X
12X
42
X31 X
21 X
11X
41
rk0
rk1
rkrsquo0
rkrsquo1
rk2 rkrsquo2
rk22 rkrsquo22
rk23 rkrsquo23
rk24 rkrsquo24
Figure 5 Linear attack of 25-round NUX
encryption Hence the total time complexity of this attack isabout 2126 25-round encryption
Both the counters V0 and V119896 need 269 bytes to store sothe memory complexity for the attack is 270 bytes The datacomplexity is 2637
The success rate 119875119878 = Φ(2radic119873 sdot |120598| minus radic1 + 1198732119899Φminus1(1 minus2minus119886minus1)) = 8821 by [14]
5 Distinguishing Attack on NUX
Generally speaking the distinguishing attack is a kind of testalgorithm which tries to perform the nonrandom behavior
in cryptographic system A distinguishing attack needs tofind a distinguisher which makes cryptographic algorithmdifferent from random permutation When analyzing NUXwe find a distinguisher with probability 1 that is a deter-ministic distinguisher to distinguish NUX from a randompermutation
In Section 3 it has been pointed out that the two brancheson the right side will not affect the two on the right sideduring difference propagation in NUX Then for the full-round NUX when the input difference (Δ40 Δ
30 Δ20 Δ10) is
(0 0 lowast lowast) the output difference (Δ431 Δ331 Δ231 Δ131) sat-
isfies the form of (lowast lowast 0 0) shown in Figure 6 that is
10 Security and Communication Networks
lowast lowast
lowast lowast00
00
31-round distinguisher
Figure 6 31-Round differential distinguisher of NUX
Table 8 Linear approximations of NUX
Rounds Bias Number of tails2 2minus2 2883 2minus3 3004 2minus4 135 2minus5 26 2minus6 47 2minus10 138 2minus11 629 2minus12 610 2minus15 7011 2minus16 1112 2minus18 7013 2minus19 414 2minus20 215 2minus22 416 2minus24 1617 2minus26 418 2minus27 419 2minus30 1620 2minus31 421 2minus33 822 2minus35 6023 2minus37 2124 2minus39 2525 2minus41 4826 2minus43 10327 2minus44 428 2minus46 729 2minus48 5430 2minus49 431 2minus50 2
Table 9Minimal number of active S-boxes from linear approxima-tion
Number of active S-boxesReference Rounds
1 2 3 4 5[12] 0 1 4 9 13Section 41 0 1 2 3 3
(0 0 lowast lowast) 119875119903=1997888rarr31-119903119900119906119899119889
(lowast lowast 0 0) However the probabilityof the output difference to be (lowast lowast 0 0) is 119875119903119903119886119899119889119900119898 =
2minus32 for random permutations when the input differenceis (0 0 lowast lowast) So 4 pairs of plaintexts are chosen which are(119875119894 1198751015840119894 ) (0 le 119894 le 3) and 119875119894 oplus 1198751015840119894 = (0 0 lowast lowast) and thecorresponding ciphertexts (119862119894 119862
1015840119894 ) are checked to determine
whether they satisfy 119862119894 oplus 1198621015840119894 = (lowast lowast 0 0) The probabilityof obtaining such inputoutput differences is 1 for NUXwhile it is 2minus128 for a random permutation Therefore wecan distinguish NUX from a random permutation Besidesthere is another distinguisher with probability 1 which is(lowast lowast 0 0) 119875119903=1997888rarr
31-119903119900119906119899119889(0 0 lowast lowast) and can be used to perform a
distinguishing attack like the one described before So we willnot explore it here
Since only 4 pairs of plaintexts are used in the distinguish-ing attack the data complexity is 8 And the attack needs nostorage In other words the complexity of memory is 0 Thetime complexity is 8 31-round encryptions
6 Conclusions
NUX is a 31-round iterative ultralightweight cipher whichis suitable for extremely constrained environment and isapplied to the Internet of Things In this paper differentialand linear trails are searched for 1sim31-round NUX which arebetter than those proposed in design specification Moreovera key-recovery attack on 29-round NUX is given with the 22-round differential characteristic found in the paper whosetime data and memory complexities are 212173 29-roundencryptions and 261 and 296 bytes respectively Meanwhileusing 22-round differential characteristic obtained in thepaper 29-round differential attack is performed with timedata and memory complexities to be 2126 25-round encryp-tions and 2637 and 270 bytes respectively Furthermore adistinguishing attack can be implemented on full NUX withdata complexity 8 Results in this paper are the best ones onNUX till now
Data Availability
All the data are obtained by our programs and can beprovided to interested readers by email
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This work has been supported by National CryptographyDevelopment Fund (no MMJJ20170102) the National
Security and Communication Networks 11
Table 10 19-Round linear approximation of NUX
Rounds 119894 Γ4119894 Γ3119894 Γ2119894 Γ1119894 Bias0 0000 1040 0000 0000 2minus1
1 0000 0000 0000 0500 2minus2
2 0001 4040 0000 0000 2minus2
3 0000 0000 0020 0600 2minus2
4 5100 0440 0000 0000 2minus4
5 0000 0000 8404 2028 2minus3
6 100a a080 0000 0000 2minus3
7 0000 0000 0206 3000 2minus3
8 000a 2002 0000 0000 2minus2
9 0000 0000 0202 0800 2minus2
10 000a 0020 0000 0000 2minus2
11 0000 0000 0202 4010 2minus3
12 a000 0a00 0000 0000 2minus2
13 0000 0000 4040 0200 2minus2
14 1400 0400 0000 0000 2minus3
15 0000 0000 0084 0448 2minus3
16 01c3 8048 0000 0000 2minus4
17 0000 0000 9023 0180 2minus2
18 d800 4004 0000 0000 2minus3
19 0000 0000 044c 24af lowast
Natural Science Foundation of China (nos 6157229361502276 and 61692276) the National Natural ScienceFoundation of Shandong Province China (ZR2016FM22)Major Scientific and Technological Innovation Projectsof Shandong Province China (2017CXGC0704) andFundamental Research Fund of Shandong Academy ofSciences (no 201812-16)
References
[1] A A Bogdanov L R Knudsen G Leander et al ldquoAn ultra-lightweight block cipherrdquo in Proceedings of the CryptographicHardware and Embedded Systems (CHES 2007) P Paillier andI Verbauwhede Eds vol 4727 of Lecture Notes in ComputerScience LNCS pp 450ndash466 Springer 2007
[2] W Wu and L Zhang ldquoLBlock a lightweight block cipherrdquoin Proceedings of the 9th International Conference on AppliedCryptography and Network Security (ACNS 2011) J Lopez andG Tsudik Eds vol 6715 of Lecture Notes in Computer Sciencepp 327ndash344 Springer Heidelberg Germany 2011
[3] J Borghoff A Canteaut T Guneysu et al ldquoPRINCE-A lowlatency block cipher for pervasive computing applicationsrdquo inProceedings of the the 25th Annual International Conferenceon the eory and Application of Cryptology and InformationSecurity (ASIACRYPT 2012) X Wang and K Sako Edsvol 7658 of Lecture Notes in Computer Science pp 208ndash225Springer Heidelberg Germany 2012
[4] E Biham and A Shamir ldquoDifferential cryptanalysis of DES-likecryptosystemsrdquo Journal of Cryptology vol 4 no 1 pp 3ndash721991
[5] M Matsui ldquoLinear cryptanalysis method for DES cipherrdquo inProceedings of the Workshop on the eory and Application ofof Cryptographic Techniques (EUROCRYPT 1993) T Helleseth
Ed vol 765 of Lecture Notes in Computer Science pp 386ndash397Springer 1993
[6] A G Bafghi R Safabakhsh and B Sadeghiyan ldquoFindingthe differential characteristics of block ciphers with neuralnetworksrdquo Information Sciences vol 178 no 15 pp 3117ndash31312008
[7] H M Heys and S E Tavares ldquoSubstitution-permutation net-works resistant to differential and linear cryptanalysisrdquo Journalof Cryptology e Journal of the International Association forCryptologic Research vol 9 no 1 pp 1ndash19 1996
[8] G Jakimoski and L Kocarev ldquoDifferential and linear probabili-ties of a block-encryption cipherrdquo IEEE Transactions on Circuitsand Systems I Fundamentaleory andApplications vol 50 no1 pp 121ndash123 2003
[9] J Kim and R C-W Phan ldquoAdvanced differential-style crypt-analysis of the NSArsquos Skipjack block Cipherrdquo Cryptologia vol33 no 3 pp 246ndash270 2009
[10] F Sano K Ohkuma H Shimizu and S Kawamura ldquoOnthe security of nested SPN cipher against the differential andlinear cryptanalysisrdquo IEICE Transactions on Fundamentals ofElectronics Communications andComputer Sciences vol 86 no1 pp 37ndash46 2003
[11] B-Z Su W-L Wu and W-T Zhang ldquoSecurity of the SMS4block cipher against differential cryptanalysisrdquo Journal of Com-puter Science and Technology vol 26 no 1 pp 130ndash138 2011
[12] G Bansod S Sutar A Patil and J Patil ldquoNUX a lightweightblock cipher for security at wireless sensor node level Worldacademy of science engineering and technologyrdquo InternationalJournal of Bioengineering and Life Sciences vol 5 no 1 2018
[13] AA Selcuk ldquoOn probability of success in linear anddifferentialcryptanalysisrdquo Journal of Cryptology e Journal of the Interna-tional Association for Cryptologic Research vol 21 no 1 pp 131ndash147 2008
12 Security and Communication Networks
[14] A Bogdanov and E Tischhauser ldquoOn the wrong key randomi-sation and key equivalence hypotheses in Matsuirsquos algorithm 2rdquoin Proceedings of the International Workshop on Fast So13wareEncryption (FSE 2013) S Moriai Ed vol 8424 of Lecture Notesin Computer Science pp 19ndash38 Springer 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
8 Security and Communication Networks
Input S-box 119878 Bias threshold 120598119871119894119898[30]Output A linear approximation with the best biasDataThe number of active S-boxes in i rounds 119878119886119888119905119894V119890[119894]
The number of active S-boxes of the i-th round 119878119894119886119888119905119894V119890(1) Generate the LAT of S-box(2) Store all 2 4 and the corresponding inputoutput masks in LAT in the table 119871119860119879119875(3) for Each of 8 S-boxes in the first round do(4) for all non-zero entities in LAT do(5) if S-box is in 1198652 then(6) Γ41 = Γ119884
ℎ1 ⋙ 8 Γ31 = Γ
21 = Γ11 = 0
(7) Store them in 119877119894119899[1](8) else(9) Γ11 = Γ119884
1198971⋘ 3 Γ41 = Γ
31 = Γ21 = 0
(10) Store them in 119877119894119899[1](11) Calculate Γ40 Γ
30 Γ20 Γ10 and store them in 119877119894119899[0]
(12) Calculate Γ42 Γ32 Γ22 Γ12 and store them in 119877119894119899[2]
(13) Update 119878119886119888119905119894V119890[1] to be 1(14) The bias is recorded as 120598[1](15) for 119894 larr997888 2 to 30 do(16) if Γ4119894 = Γ
3119894 = 0 then
(17) Γ119884119897119894 = Γ1119894 ⋙ 3
(18) Travel 119871119860119879119875 to get Γ119883119897119894 119878119894119886119888119905119894V119890 and its corresponding bias 120598119877119899119889
(19) else if Γ2119894 = Γ1119894 = 0 then
(20) Γ119884ℎ119894 = Γ4119894 ⋘ 8
(21) Travel 119871119860119879119875 to get Γ119883ℎ119894 119878119894119886119888119905119894V119890 and the corresponding bias 120598119877119899119889
(22) Compute the total bias and keep ones greater than threshold 120598119871119894119898[119894](23) Calculate Γ4119894+1 Γ
3119894+1 Γ2119894+1 Γ1119894+1 and store them in 119877119894119899[119894 + 1]
(24) Update the number of active S-boxes 119878119886119888119905119894V119890[119894] and bias 120598[119894](25) for Each of 8 S-boxes in the first round do(26) for all non-zero entities in DDT do(27) Find the largest 120598[119894] and store it in 120598119872119886119909[119894](28) Output linear approximations with bias 120598119872119886119909[119894]
Algorithm 2 Algorithm for linear approximations on NUX
ltltlt 8
S-Box gtgtgt3
gtgtgt3
S-Boxltltlt8
P P P P
rki
Γ4
i
F1F2
Γ3
iΓ2
iΓ1
i
ΓYℎ
iΓX
ℎ
i
Γ4
i+1Γ3
i+1Γ2
i+1Γ1
i+1
rkrsquoi
ΓXl
iΓY
l
i
Figure 4 Linear representation of NUX
(11) Set the advantage 119886 to be 17 which means that the top249 absolute values inV119896 are kept For each remainingkey we guess 77-bit subkey to determine the masterkey And then we test the key by trail encryptions
If 119873 = 2637 then the time complexity of step (3)step (5) and step (7) is about 2897 3-round encryption 21081-round decryption and 2100 2-round encryption respec-tively Besides the complexity of step (11) is 2126 25-round
Security and Communication Networks 9
gtgtgt3 ltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
19-round Linear Distinguisher
S-BoxS-Box
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
X30 X
20 X
10X
40
X322 X
222 X
122
X422
X323 X
223 X
123X
423
X324 X
224 X
124X
424
X325 X
225 X
125X
425
X33 X
23 X
13X
43
X32 X
22 X
12X
42
X31 X
21 X
11X
41
rk0
rk1
rkrsquo0
rkrsquo1
rk2 rkrsquo2
rk22 rkrsquo22
rk23 rkrsquo23
rk24 rkrsquo24
Figure 5 Linear attack of 25-round NUX
encryption Hence the total time complexity of this attack isabout 2126 25-round encryption
Both the counters V0 and V119896 need 269 bytes to store sothe memory complexity for the attack is 270 bytes The datacomplexity is 2637
The success rate 119875119878 = Φ(2radic119873 sdot |120598| minus radic1 + 1198732119899Φminus1(1 minus2minus119886minus1)) = 8821 by [14]
5 Distinguishing Attack on NUX
Generally speaking the distinguishing attack is a kind of testalgorithm which tries to perform the nonrandom behavior
in cryptographic system A distinguishing attack needs tofind a distinguisher which makes cryptographic algorithmdifferent from random permutation When analyzing NUXwe find a distinguisher with probability 1 that is a deter-ministic distinguisher to distinguish NUX from a randompermutation
In Section 3 it has been pointed out that the two brancheson the right side will not affect the two on the right sideduring difference propagation in NUX Then for the full-round NUX when the input difference (Δ40 Δ
30 Δ20 Δ10) is
(0 0 lowast lowast) the output difference (Δ431 Δ331 Δ231 Δ131) sat-
isfies the form of (lowast lowast 0 0) shown in Figure 6 that is
10 Security and Communication Networks
lowast lowast
lowast lowast00
00
31-round distinguisher
Figure 6 31-Round differential distinguisher of NUX
Table 8 Linear approximations of NUX
Rounds Bias Number of tails2 2minus2 2883 2minus3 3004 2minus4 135 2minus5 26 2minus6 47 2minus10 138 2minus11 629 2minus12 610 2minus15 7011 2minus16 1112 2minus18 7013 2minus19 414 2minus20 215 2minus22 416 2minus24 1617 2minus26 418 2minus27 419 2minus30 1620 2minus31 421 2minus33 822 2minus35 6023 2minus37 2124 2minus39 2525 2minus41 4826 2minus43 10327 2minus44 428 2minus46 729 2minus48 5430 2minus49 431 2minus50 2
Table 9Minimal number of active S-boxes from linear approxima-tion
Number of active S-boxesReference Rounds
1 2 3 4 5[12] 0 1 4 9 13Section 41 0 1 2 3 3
(0 0 lowast lowast) 119875119903=1997888rarr31-119903119900119906119899119889
(lowast lowast 0 0) However the probabilityof the output difference to be (lowast lowast 0 0) is 119875119903119903119886119899119889119900119898 =
2minus32 for random permutations when the input differenceis (0 0 lowast lowast) So 4 pairs of plaintexts are chosen which are(119875119894 1198751015840119894 ) (0 le 119894 le 3) and 119875119894 oplus 1198751015840119894 = (0 0 lowast lowast) and thecorresponding ciphertexts (119862119894 119862
1015840119894 ) are checked to determine
whether they satisfy 119862119894 oplus 1198621015840119894 = (lowast lowast 0 0) The probabilityof obtaining such inputoutput differences is 1 for NUXwhile it is 2minus128 for a random permutation Therefore wecan distinguish NUX from a random permutation Besidesthere is another distinguisher with probability 1 which is(lowast lowast 0 0) 119875119903=1997888rarr
31-119903119900119906119899119889(0 0 lowast lowast) and can be used to perform a
distinguishing attack like the one described before So we willnot explore it here
Since only 4 pairs of plaintexts are used in the distinguish-ing attack the data complexity is 8 And the attack needs nostorage In other words the complexity of memory is 0 Thetime complexity is 8 31-round encryptions
6 Conclusions
NUX is a 31-round iterative ultralightweight cipher whichis suitable for extremely constrained environment and isapplied to the Internet of Things In this paper differentialand linear trails are searched for 1sim31-round NUX which arebetter than those proposed in design specification Moreovera key-recovery attack on 29-round NUX is given with the 22-round differential characteristic found in the paper whosetime data and memory complexities are 212173 29-roundencryptions and 261 and 296 bytes respectively Meanwhileusing 22-round differential characteristic obtained in thepaper 29-round differential attack is performed with timedata and memory complexities to be 2126 25-round encryp-tions and 2637 and 270 bytes respectively Furthermore adistinguishing attack can be implemented on full NUX withdata complexity 8 Results in this paper are the best ones onNUX till now
Data Availability
All the data are obtained by our programs and can beprovided to interested readers by email
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This work has been supported by National CryptographyDevelopment Fund (no MMJJ20170102) the National
Security and Communication Networks 11
Table 10 19-Round linear approximation of NUX
Rounds 119894 Γ4119894 Γ3119894 Γ2119894 Γ1119894 Bias0 0000 1040 0000 0000 2minus1
1 0000 0000 0000 0500 2minus2
2 0001 4040 0000 0000 2minus2
3 0000 0000 0020 0600 2minus2
4 5100 0440 0000 0000 2minus4
5 0000 0000 8404 2028 2minus3
6 100a a080 0000 0000 2minus3
7 0000 0000 0206 3000 2minus3
8 000a 2002 0000 0000 2minus2
9 0000 0000 0202 0800 2minus2
10 000a 0020 0000 0000 2minus2
11 0000 0000 0202 4010 2minus3
12 a000 0a00 0000 0000 2minus2
13 0000 0000 4040 0200 2minus2
14 1400 0400 0000 0000 2minus3
15 0000 0000 0084 0448 2minus3
16 01c3 8048 0000 0000 2minus4
17 0000 0000 9023 0180 2minus2
18 d800 4004 0000 0000 2minus3
19 0000 0000 044c 24af lowast
Natural Science Foundation of China (nos 6157229361502276 and 61692276) the National Natural ScienceFoundation of Shandong Province China (ZR2016FM22)Major Scientific and Technological Innovation Projectsof Shandong Province China (2017CXGC0704) andFundamental Research Fund of Shandong Academy ofSciences (no 201812-16)
References
[1] A A Bogdanov L R Knudsen G Leander et al ldquoAn ultra-lightweight block cipherrdquo in Proceedings of the CryptographicHardware and Embedded Systems (CHES 2007) P Paillier andI Verbauwhede Eds vol 4727 of Lecture Notes in ComputerScience LNCS pp 450ndash466 Springer 2007
[2] W Wu and L Zhang ldquoLBlock a lightweight block cipherrdquoin Proceedings of the 9th International Conference on AppliedCryptography and Network Security (ACNS 2011) J Lopez andG Tsudik Eds vol 6715 of Lecture Notes in Computer Sciencepp 327ndash344 Springer Heidelberg Germany 2011
[3] J Borghoff A Canteaut T Guneysu et al ldquoPRINCE-A lowlatency block cipher for pervasive computing applicationsrdquo inProceedings of the the 25th Annual International Conferenceon the eory and Application of Cryptology and InformationSecurity (ASIACRYPT 2012) X Wang and K Sako Edsvol 7658 of Lecture Notes in Computer Science pp 208ndash225Springer Heidelberg Germany 2012
[4] E Biham and A Shamir ldquoDifferential cryptanalysis of DES-likecryptosystemsrdquo Journal of Cryptology vol 4 no 1 pp 3ndash721991
[5] M Matsui ldquoLinear cryptanalysis method for DES cipherrdquo inProceedings of the Workshop on the eory and Application ofof Cryptographic Techniques (EUROCRYPT 1993) T Helleseth
Ed vol 765 of Lecture Notes in Computer Science pp 386ndash397Springer 1993
[6] A G Bafghi R Safabakhsh and B Sadeghiyan ldquoFindingthe differential characteristics of block ciphers with neuralnetworksrdquo Information Sciences vol 178 no 15 pp 3117ndash31312008
[7] H M Heys and S E Tavares ldquoSubstitution-permutation net-works resistant to differential and linear cryptanalysisrdquo Journalof Cryptology e Journal of the International Association forCryptologic Research vol 9 no 1 pp 1ndash19 1996
[8] G Jakimoski and L Kocarev ldquoDifferential and linear probabili-ties of a block-encryption cipherrdquo IEEE Transactions on Circuitsand Systems I Fundamentaleory andApplications vol 50 no1 pp 121ndash123 2003
[9] J Kim and R C-W Phan ldquoAdvanced differential-style crypt-analysis of the NSArsquos Skipjack block Cipherrdquo Cryptologia vol33 no 3 pp 246ndash270 2009
[10] F Sano K Ohkuma H Shimizu and S Kawamura ldquoOnthe security of nested SPN cipher against the differential andlinear cryptanalysisrdquo IEICE Transactions on Fundamentals ofElectronics Communications andComputer Sciences vol 86 no1 pp 37ndash46 2003
[11] B-Z Su W-L Wu and W-T Zhang ldquoSecurity of the SMS4block cipher against differential cryptanalysisrdquo Journal of Com-puter Science and Technology vol 26 no 1 pp 130ndash138 2011
[12] G Bansod S Sutar A Patil and J Patil ldquoNUX a lightweightblock cipher for security at wireless sensor node level Worldacademy of science engineering and technologyrdquo InternationalJournal of Bioengineering and Life Sciences vol 5 no 1 2018
[13] AA Selcuk ldquoOn probability of success in linear anddifferentialcryptanalysisrdquo Journal of Cryptology e Journal of the Interna-tional Association for Cryptologic Research vol 21 no 1 pp 131ndash147 2008
12 Security and Communication Networks
[14] A Bogdanov and E Tischhauser ldquoOn the wrong key randomi-sation and key equivalence hypotheses in Matsuirsquos algorithm 2rdquoin Proceedings of the International Workshop on Fast So13wareEncryption (FSE 2013) S Moriai Ed vol 8424 of Lecture Notesin Computer Science pp 19ndash38 Springer 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Security and Communication Networks 9
gtgtgt3 ltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
19-round Linear Distinguisher
S-BoxS-Box
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
S-Box gtgtgt3 S-Boxltltlt8
P P P P
ltltlt8 gtgtgt3
X30 X
20 X
10X
40
X322 X
222 X
122
X422
X323 X
223 X
123X
423
X324 X
224 X
124X
424
X325 X
225 X
125X
425
X33 X
23 X
13X
43
X32 X
22 X
12X
42
X31 X
21 X
11X
41
rk0
rk1
rkrsquo0
rkrsquo1
rk2 rkrsquo2
rk22 rkrsquo22
rk23 rkrsquo23
rk24 rkrsquo24
Figure 5 Linear attack of 25-round NUX
encryption Hence the total time complexity of this attack isabout 2126 25-round encryption
Both the counters V0 and V119896 need 269 bytes to store sothe memory complexity for the attack is 270 bytes The datacomplexity is 2637
The success rate 119875119878 = Φ(2radic119873 sdot |120598| minus radic1 + 1198732119899Φminus1(1 minus2minus119886minus1)) = 8821 by [14]
5 Distinguishing Attack on NUX
Generally speaking the distinguishing attack is a kind of testalgorithm which tries to perform the nonrandom behavior
in cryptographic system A distinguishing attack needs tofind a distinguisher which makes cryptographic algorithmdifferent from random permutation When analyzing NUXwe find a distinguisher with probability 1 that is a deter-ministic distinguisher to distinguish NUX from a randompermutation
In Section 3 it has been pointed out that the two brancheson the right side will not affect the two on the right sideduring difference propagation in NUX Then for the full-round NUX when the input difference (Δ40 Δ
30 Δ20 Δ10) is
(0 0 lowast lowast) the output difference (Δ431 Δ331 Δ231 Δ131) sat-
isfies the form of (lowast lowast 0 0) shown in Figure 6 that is
10 Security and Communication Networks
lowast lowast
lowast lowast00
00
31-round distinguisher
Figure 6 31-Round differential distinguisher of NUX
Table 8 Linear approximations of NUX
Rounds Bias Number of tails2 2minus2 2883 2minus3 3004 2minus4 135 2minus5 26 2minus6 47 2minus10 138 2minus11 629 2minus12 610 2minus15 7011 2minus16 1112 2minus18 7013 2minus19 414 2minus20 215 2minus22 416 2minus24 1617 2minus26 418 2minus27 419 2minus30 1620 2minus31 421 2minus33 822 2minus35 6023 2minus37 2124 2minus39 2525 2minus41 4826 2minus43 10327 2minus44 428 2minus46 729 2minus48 5430 2minus49 431 2minus50 2
Table 9Minimal number of active S-boxes from linear approxima-tion
Number of active S-boxesReference Rounds
1 2 3 4 5[12] 0 1 4 9 13Section 41 0 1 2 3 3
(0 0 lowast lowast) 119875119903=1997888rarr31-119903119900119906119899119889
(lowast lowast 0 0) However the probabilityof the output difference to be (lowast lowast 0 0) is 119875119903119903119886119899119889119900119898 =
2minus32 for random permutations when the input differenceis (0 0 lowast lowast) So 4 pairs of plaintexts are chosen which are(119875119894 1198751015840119894 ) (0 le 119894 le 3) and 119875119894 oplus 1198751015840119894 = (0 0 lowast lowast) and thecorresponding ciphertexts (119862119894 119862
1015840119894 ) are checked to determine
whether they satisfy 119862119894 oplus 1198621015840119894 = (lowast lowast 0 0) The probabilityof obtaining such inputoutput differences is 1 for NUXwhile it is 2minus128 for a random permutation Therefore wecan distinguish NUX from a random permutation Besidesthere is another distinguisher with probability 1 which is(lowast lowast 0 0) 119875119903=1997888rarr
31-119903119900119906119899119889(0 0 lowast lowast) and can be used to perform a
distinguishing attack like the one described before So we willnot explore it here
Since only 4 pairs of plaintexts are used in the distinguish-ing attack the data complexity is 8 And the attack needs nostorage In other words the complexity of memory is 0 Thetime complexity is 8 31-round encryptions
6 Conclusions
NUX is a 31-round iterative ultralightweight cipher whichis suitable for extremely constrained environment and isapplied to the Internet of Things In this paper differentialand linear trails are searched for 1sim31-round NUX which arebetter than those proposed in design specification Moreovera key-recovery attack on 29-round NUX is given with the 22-round differential characteristic found in the paper whosetime data and memory complexities are 212173 29-roundencryptions and 261 and 296 bytes respectively Meanwhileusing 22-round differential characteristic obtained in thepaper 29-round differential attack is performed with timedata and memory complexities to be 2126 25-round encryp-tions and 2637 and 270 bytes respectively Furthermore adistinguishing attack can be implemented on full NUX withdata complexity 8 Results in this paper are the best ones onNUX till now
Data Availability
All the data are obtained by our programs and can beprovided to interested readers by email
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This work has been supported by National CryptographyDevelopment Fund (no MMJJ20170102) the National
Security and Communication Networks 11
Table 10 19-Round linear approximation of NUX
Rounds 119894 Γ4119894 Γ3119894 Γ2119894 Γ1119894 Bias0 0000 1040 0000 0000 2minus1
1 0000 0000 0000 0500 2minus2
2 0001 4040 0000 0000 2minus2
3 0000 0000 0020 0600 2minus2
4 5100 0440 0000 0000 2minus4
5 0000 0000 8404 2028 2minus3
6 100a a080 0000 0000 2minus3
7 0000 0000 0206 3000 2minus3
8 000a 2002 0000 0000 2minus2
9 0000 0000 0202 0800 2minus2
10 000a 0020 0000 0000 2minus2
11 0000 0000 0202 4010 2minus3
12 a000 0a00 0000 0000 2minus2
13 0000 0000 4040 0200 2minus2
14 1400 0400 0000 0000 2minus3
15 0000 0000 0084 0448 2minus3
16 01c3 8048 0000 0000 2minus4
17 0000 0000 9023 0180 2minus2
18 d800 4004 0000 0000 2minus3
19 0000 0000 044c 24af lowast
Natural Science Foundation of China (nos 6157229361502276 and 61692276) the National Natural ScienceFoundation of Shandong Province China (ZR2016FM22)Major Scientific and Technological Innovation Projectsof Shandong Province China (2017CXGC0704) andFundamental Research Fund of Shandong Academy ofSciences (no 201812-16)
References
[1] A A Bogdanov L R Knudsen G Leander et al ldquoAn ultra-lightweight block cipherrdquo in Proceedings of the CryptographicHardware and Embedded Systems (CHES 2007) P Paillier andI Verbauwhede Eds vol 4727 of Lecture Notes in ComputerScience LNCS pp 450ndash466 Springer 2007
[2] W Wu and L Zhang ldquoLBlock a lightweight block cipherrdquoin Proceedings of the 9th International Conference on AppliedCryptography and Network Security (ACNS 2011) J Lopez andG Tsudik Eds vol 6715 of Lecture Notes in Computer Sciencepp 327ndash344 Springer Heidelberg Germany 2011
[3] J Borghoff A Canteaut T Guneysu et al ldquoPRINCE-A lowlatency block cipher for pervasive computing applicationsrdquo inProceedings of the the 25th Annual International Conferenceon the eory and Application of Cryptology and InformationSecurity (ASIACRYPT 2012) X Wang and K Sako Edsvol 7658 of Lecture Notes in Computer Science pp 208ndash225Springer Heidelberg Germany 2012
[4] E Biham and A Shamir ldquoDifferential cryptanalysis of DES-likecryptosystemsrdquo Journal of Cryptology vol 4 no 1 pp 3ndash721991
[5] M Matsui ldquoLinear cryptanalysis method for DES cipherrdquo inProceedings of the Workshop on the eory and Application ofof Cryptographic Techniques (EUROCRYPT 1993) T Helleseth
Ed vol 765 of Lecture Notes in Computer Science pp 386ndash397Springer 1993
[6] A G Bafghi R Safabakhsh and B Sadeghiyan ldquoFindingthe differential characteristics of block ciphers with neuralnetworksrdquo Information Sciences vol 178 no 15 pp 3117ndash31312008
[7] H M Heys and S E Tavares ldquoSubstitution-permutation net-works resistant to differential and linear cryptanalysisrdquo Journalof Cryptology e Journal of the International Association forCryptologic Research vol 9 no 1 pp 1ndash19 1996
[8] G Jakimoski and L Kocarev ldquoDifferential and linear probabili-ties of a block-encryption cipherrdquo IEEE Transactions on Circuitsand Systems I Fundamentaleory andApplications vol 50 no1 pp 121ndash123 2003
[9] J Kim and R C-W Phan ldquoAdvanced differential-style crypt-analysis of the NSArsquos Skipjack block Cipherrdquo Cryptologia vol33 no 3 pp 246ndash270 2009
[10] F Sano K Ohkuma H Shimizu and S Kawamura ldquoOnthe security of nested SPN cipher against the differential andlinear cryptanalysisrdquo IEICE Transactions on Fundamentals ofElectronics Communications andComputer Sciences vol 86 no1 pp 37ndash46 2003
[11] B-Z Su W-L Wu and W-T Zhang ldquoSecurity of the SMS4block cipher against differential cryptanalysisrdquo Journal of Com-puter Science and Technology vol 26 no 1 pp 130ndash138 2011
[12] G Bansod S Sutar A Patil and J Patil ldquoNUX a lightweightblock cipher for security at wireless sensor node level Worldacademy of science engineering and technologyrdquo InternationalJournal of Bioengineering and Life Sciences vol 5 no 1 2018
[13] AA Selcuk ldquoOn probability of success in linear anddifferentialcryptanalysisrdquo Journal of Cryptology e Journal of the Interna-tional Association for Cryptologic Research vol 21 no 1 pp 131ndash147 2008
12 Security and Communication Networks
[14] A Bogdanov and E Tischhauser ldquoOn the wrong key randomi-sation and key equivalence hypotheses in Matsuirsquos algorithm 2rdquoin Proceedings of the International Workshop on Fast So13wareEncryption (FSE 2013) S Moriai Ed vol 8424 of Lecture Notesin Computer Science pp 19ndash38 Springer 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
10 Security and Communication Networks
lowast lowast
lowast lowast00
00
31-round distinguisher
Figure 6 31-Round differential distinguisher of NUX
Table 8 Linear approximations of NUX
Rounds Bias Number of tails2 2minus2 2883 2minus3 3004 2minus4 135 2minus5 26 2minus6 47 2minus10 138 2minus11 629 2minus12 610 2minus15 7011 2minus16 1112 2minus18 7013 2minus19 414 2minus20 215 2minus22 416 2minus24 1617 2minus26 418 2minus27 419 2minus30 1620 2minus31 421 2minus33 822 2minus35 6023 2minus37 2124 2minus39 2525 2minus41 4826 2minus43 10327 2minus44 428 2minus46 729 2minus48 5430 2minus49 431 2minus50 2
Table 9Minimal number of active S-boxes from linear approxima-tion
Number of active S-boxesReference Rounds
1 2 3 4 5[12] 0 1 4 9 13Section 41 0 1 2 3 3
(0 0 lowast lowast) 119875119903=1997888rarr31-119903119900119906119899119889
(lowast lowast 0 0) However the probabilityof the output difference to be (lowast lowast 0 0) is 119875119903119903119886119899119889119900119898 =
2minus32 for random permutations when the input differenceis (0 0 lowast lowast) So 4 pairs of plaintexts are chosen which are(119875119894 1198751015840119894 ) (0 le 119894 le 3) and 119875119894 oplus 1198751015840119894 = (0 0 lowast lowast) and thecorresponding ciphertexts (119862119894 119862
1015840119894 ) are checked to determine
whether they satisfy 119862119894 oplus 1198621015840119894 = (lowast lowast 0 0) The probabilityof obtaining such inputoutput differences is 1 for NUXwhile it is 2minus128 for a random permutation Therefore wecan distinguish NUX from a random permutation Besidesthere is another distinguisher with probability 1 which is(lowast lowast 0 0) 119875119903=1997888rarr
31-119903119900119906119899119889(0 0 lowast lowast) and can be used to perform a
distinguishing attack like the one described before So we willnot explore it here
Since only 4 pairs of plaintexts are used in the distinguish-ing attack the data complexity is 8 And the attack needs nostorage In other words the complexity of memory is 0 Thetime complexity is 8 31-round encryptions
6 Conclusions
NUX is a 31-round iterative ultralightweight cipher whichis suitable for extremely constrained environment and isapplied to the Internet of Things In this paper differentialand linear trails are searched for 1sim31-round NUX which arebetter than those proposed in design specification Moreovera key-recovery attack on 29-round NUX is given with the 22-round differential characteristic found in the paper whosetime data and memory complexities are 212173 29-roundencryptions and 261 and 296 bytes respectively Meanwhileusing 22-round differential characteristic obtained in thepaper 29-round differential attack is performed with timedata and memory complexities to be 2126 25-round encryp-tions and 2637 and 270 bytes respectively Furthermore adistinguishing attack can be implemented on full NUX withdata complexity 8 Results in this paper are the best ones onNUX till now
Data Availability
All the data are obtained by our programs and can beprovided to interested readers by email
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This work has been supported by National CryptographyDevelopment Fund (no MMJJ20170102) the National
Security and Communication Networks 11
Table 10 19-Round linear approximation of NUX
Rounds 119894 Γ4119894 Γ3119894 Γ2119894 Γ1119894 Bias0 0000 1040 0000 0000 2minus1
1 0000 0000 0000 0500 2minus2
2 0001 4040 0000 0000 2minus2
3 0000 0000 0020 0600 2minus2
4 5100 0440 0000 0000 2minus4
5 0000 0000 8404 2028 2minus3
6 100a a080 0000 0000 2minus3
7 0000 0000 0206 3000 2minus3
8 000a 2002 0000 0000 2minus2
9 0000 0000 0202 0800 2minus2
10 000a 0020 0000 0000 2minus2
11 0000 0000 0202 4010 2minus3
12 a000 0a00 0000 0000 2minus2
13 0000 0000 4040 0200 2minus2
14 1400 0400 0000 0000 2minus3
15 0000 0000 0084 0448 2minus3
16 01c3 8048 0000 0000 2minus4
17 0000 0000 9023 0180 2minus2
18 d800 4004 0000 0000 2minus3
19 0000 0000 044c 24af lowast
Natural Science Foundation of China (nos 6157229361502276 and 61692276) the National Natural ScienceFoundation of Shandong Province China (ZR2016FM22)Major Scientific and Technological Innovation Projectsof Shandong Province China (2017CXGC0704) andFundamental Research Fund of Shandong Academy ofSciences (no 201812-16)
References
[1] A A Bogdanov L R Knudsen G Leander et al ldquoAn ultra-lightweight block cipherrdquo in Proceedings of the CryptographicHardware and Embedded Systems (CHES 2007) P Paillier andI Verbauwhede Eds vol 4727 of Lecture Notes in ComputerScience LNCS pp 450ndash466 Springer 2007
[2] W Wu and L Zhang ldquoLBlock a lightweight block cipherrdquoin Proceedings of the 9th International Conference on AppliedCryptography and Network Security (ACNS 2011) J Lopez andG Tsudik Eds vol 6715 of Lecture Notes in Computer Sciencepp 327ndash344 Springer Heidelberg Germany 2011
[3] J Borghoff A Canteaut T Guneysu et al ldquoPRINCE-A lowlatency block cipher for pervasive computing applicationsrdquo inProceedings of the the 25th Annual International Conferenceon the eory and Application of Cryptology and InformationSecurity (ASIACRYPT 2012) X Wang and K Sako Edsvol 7658 of Lecture Notes in Computer Science pp 208ndash225Springer Heidelberg Germany 2012
[4] E Biham and A Shamir ldquoDifferential cryptanalysis of DES-likecryptosystemsrdquo Journal of Cryptology vol 4 no 1 pp 3ndash721991
[5] M Matsui ldquoLinear cryptanalysis method for DES cipherrdquo inProceedings of the Workshop on the eory and Application ofof Cryptographic Techniques (EUROCRYPT 1993) T Helleseth
Ed vol 765 of Lecture Notes in Computer Science pp 386ndash397Springer 1993
[6] A G Bafghi R Safabakhsh and B Sadeghiyan ldquoFindingthe differential characteristics of block ciphers with neuralnetworksrdquo Information Sciences vol 178 no 15 pp 3117ndash31312008
[7] H M Heys and S E Tavares ldquoSubstitution-permutation net-works resistant to differential and linear cryptanalysisrdquo Journalof Cryptology e Journal of the International Association forCryptologic Research vol 9 no 1 pp 1ndash19 1996
[8] G Jakimoski and L Kocarev ldquoDifferential and linear probabili-ties of a block-encryption cipherrdquo IEEE Transactions on Circuitsand Systems I Fundamentaleory andApplications vol 50 no1 pp 121ndash123 2003
[9] J Kim and R C-W Phan ldquoAdvanced differential-style crypt-analysis of the NSArsquos Skipjack block Cipherrdquo Cryptologia vol33 no 3 pp 246ndash270 2009
[10] F Sano K Ohkuma H Shimizu and S Kawamura ldquoOnthe security of nested SPN cipher against the differential andlinear cryptanalysisrdquo IEICE Transactions on Fundamentals ofElectronics Communications andComputer Sciences vol 86 no1 pp 37ndash46 2003
[11] B-Z Su W-L Wu and W-T Zhang ldquoSecurity of the SMS4block cipher against differential cryptanalysisrdquo Journal of Com-puter Science and Technology vol 26 no 1 pp 130ndash138 2011
[12] G Bansod S Sutar A Patil and J Patil ldquoNUX a lightweightblock cipher for security at wireless sensor node level Worldacademy of science engineering and technologyrdquo InternationalJournal of Bioengineering and Life Sciences vol 5 no 1 2018
[13] AA Selcuk ldquoOn probability of success in linear anddifferentialcryptanalysisrdquo Journal of Cryptology e Journal of the Interna-tional Association for Cryptologic Research vol 21 no 1 pp 131ndash147 2008
12 Security and Communication Networks
[14] A Bogdanov and E Tischhauser ldquoOn the wrong key randomi-sation and key equivalence hypotheses in Matsuirsquos algorithm 2rdquoin Proceedings of the International Workshop on Fast So13wareEncryption (FSE 2013) S Moriai Ed vol 8424 of Lecture Notesin Computer Science pp 19ndash38 Springer 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Security and Communication Networks 11
Table 10 19-Round linear approximation of NUX
Rounds 119894 Γ4119894 Γ3119894 Γ2119894 Γ1119894 Bias0 0000 1040 0000 0000 2minus1
1 0000 0000 0000 0500 2minus2
2 0001 4040 0000 0000 2minus2
3 0000 0000 0020 0600 2minus2
4 5100 0440 0000 0000 2minus4
5 0000 0000 8404 2028 2minus3
6 100a a080 0000 0000 2minus3
7 0000 0000 0206 3000 2minus3
8 000a 2002 0000 0000 2minus2
9 0000 0000 0202 0800 2minus2
10 000a 0020 0000 0000 2minus2
11 0000 0000 0202 4010 2minus3
12 a000 0a00 0000 0000 2minus2
13 0000 0000 4040 0200 2minus2
14 1400 0400 0000 0000 2minus3
15 0000 0000 0084 0448 2minus3
16 01c3 8048 0000 0000 2minus4
17 0000 0000 9023 0180 2minus2
18 d800 4004 0000 0000 2minus3
19 0000 0000 044c 24af lowast
Natural Science Foundation of China (nos 6157229361502276 and 61692276) the National Natural ScienceFoundation of Shandong Province China (ZR2016FM22)Major Scientific and Technological Innovation Projectsof Shandong Province China (2017CXGC0704) andFundamental Research Fund of Shandong Academy ofSciences (no 201812-16)
References
[1] A A Bogdanov L R Knudsen G Leander et al ldquoAn ultra-lightweight block cipherrdquo in Proceedings of the CryptographicHardware and Embedded Systems (CHES 2007) P Paillier andI Verbauwhede Eds vol 4727 of Lecture Notes in ComputerScience LNCS pp 450ndash466 Springer 2007
[2] W Wu and L Zhang ldquoLBlock a lightweight block cipherrdquoin Proceedings of the 9th International Conference on AppliedCryptography and Network Security (ACNS 2011) J Lopez andG Tsudik Eds vol 6715 of Lecture Notes in Computer Sciencepp 327ndash344 Springer Heidelberg Germany 2011
[3] J Borghoff A Canteaut T Guneysu et al ldquoPRINCE-A lowlatency block cipher for pervasive computing applicationsrdquo inProceedings of the the 25th Annual International Conferenceon the eory and Application of Cryptology and InformationSecurity (ASIACRYPT 2012) X Wang and K Sako Edsvol 7658 of Lecture Notes in Computer Science pp 208ndash225Springer Heidelberg Germany 2012
[4] E Biham and A Shamir ldquoDifferential cryptanalysis of DES-likecryptosystemsrdquo Journal of Cryptology vol 4 no 1 pp 3ndash721991
[5] M Matsui ldquoLinear cryptanalysis method for DES cipherrdquo inProceedings of the Workshop on the eory and Application ofof Cryptographic Techniques (EUROCRYPT 1993) T Helleseth
Ed vol 765 of Lecture Notes in Computer Science pp 386ndash397Springer 1993
[6] A G Bafghi R Safabakhsh and B Sadeghiyan ldquoFindingthe differential characteristics of block ciphers with neuralnetworksrdquo Information Sciences vol 178 no 15 pp 3117ndash31312008
[7] H M Heys and S E Tavares ldquoSubstitution-permutation net-works resistant to differential and linear cryptanalysisrdquo Journalof Cryptology e Journal of the International Association forCryptologic Research vol 9 no 1 pp 1ndash19 1996
[8] G Jakimoski and L Kocarev ldquoDifferential and linear probabili-ties of a block-encryption cipherrdquo IEEE Transactions on Circuitsand Systems I Fundamentaleory andApplications vol 50 no1 pp 121ndash123 2003
[9] J Kim and R C-W Phan ldquoAdvanced differential-style crypt-analysis of the NSArsquos Skipjack block Cipherrdquo Cryptologia vol33 no 3 pp 246ndash270 2009
[10] F Sano K Ohkuma H Shimizu and S Kawamura ldquoOnthe security of nested SPN cipher against the differential andlinear cryptanalysisrdquo IEICE Transactions on Fundamentals ofElectronics Communications andComputer Sciences vol 86 no1 pp 37ndash46 2003
[11] B-Z Su W-L Wu and W-T Zhang ldquoSecurity of the SMS4block cipher against differential cryptanalysisrdquo Journal of Com-puter Science and Technology vol 26 no 1 pp 130ndash138 2011
[12] G Bansod S Sutar A Patil and J Patil ldquoNUX a lightweightblock cipher for security at wireless sensor node level Worldacademy of science engineering and technologyrdquo InternationalJournal of Bioengineering and Life Sciences vol 5 no 1 2018
[13] AA Selcuk ldquoOn probability of success in linear anddifferentialcryptanalysisrdquo Journal of Cryptology e Journal of the Interna-tional Association for Cryptologic Research vol 21 no 1 pp 131ndash147 2008
12 Security and Communication Networks
[14] A Bogdanov and E Tischhauser ldquoOn the wrong key randomi-sation and key equivalence hypotheses in Matsuirsquos algorithm 2rdquoin Proceedings of the International Workshop on Fast So13wareEncryption (FSE 2013) S Moriai Ed vol 8424 of Lecture Notesin Computer Science pp 19ndash38 Springer 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
12 Security and Communication Networks
[14] A Bogdanov and E Tischhauser ldquoOn the wrong key randomi-sation and key equivalence hypotheses in Matsuirsquos algorithm 2rdquoin Proceedings of the International Workshop on Fast So13wareEncryption (FSE 2013) S Moriai Ed vol 8424 of Lecture Notesin Computer Science pp 19ndash38 Springer 2014
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom