[Resource Topic] 2011/262: Cryptanalysis of the Light-Weight Cipher A2U2 - Reduced draft version

Welcome to the resource topic for 2011/262

Cryptanalysis of the Light-Weight Cipher A2U2 - Reduced draft version

Authors: Mohamed Ahmed Abdelraheem, Julia Borghoff, Erik Zenner


At IEEE RFID 2011, David et al. proposed a new cryptographic primitive for use with RFID [2]. The design is a stream cipher called A2U2. Shortly afterwards, an attack was published on IACR Eprint by Chai et al. [1], claiming to break the cipher in a chosen-plaintext attack using extremely little computational resources. Regrettably, this attack is wrong since it works with an erroneous description of the cipher. In this paper, we show why the attack is wrong and how it can be repaired. Furthermore, we describe a guess-and-determine attack which applies in a known plaintext scenario. A special design feature of A2U2 is that the number of initialization rounds varies and depends on an internal counter. The number of rounds varies from 9 to 126. We proposed a differential-style attack which enables us to find the counter value determining the number of initialization rounds. Moreover, we present an attack that recovers the masterkey in the case that only 9 initialization rounds are used.

ePrint: https://eprint.iacr.org/2011/262

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .