#### Abstract

In order to adopt the restricted environment, such as radio frequency identification technology or sensor networking, which are the important components of the Internet of Things, lightweight block ciphers are designed. NUX is a 31-round iterative ultralightweight cipher proposed by Bansod* et al*. In this paper, we examine the resistance of NUX to differential and linear analysis and search for -round differential characteristics and linear approximations. In design specification, authors claimed that 25-round NUX is resistant to differential and linear attack. However, we can successfully perform 29-round differential attack on NUX with the 22-round differential characteristic found in this paper, which is 4 rounds more than the limitation given by authors. Furthermore, we present the key recovery attack on 22-round NUX using a 19-round linear approximation determined in this paper. Besides, distinguishing attack, whose distinguisher is built utilizing the property of differential propagation through NUX, is implemented on full NUX with data complexity 8.

#### 1. Introduction

The Internet of Things is defined as a variety of devices and technologies such as sensors, radio frequency identification (RFID) technology, global positioning systems, infrared sensors, laser scanners, and gas sensors. Its essence is to use RFID technology to realize the automatic identification of items, the interconnection, and sharing of information through the computer Internet. In this kind of new cryptography environment, RFID technology and sensor networking have similar properties, such as weak computation abilities, small storage spaces, and strict power constraints. Therefore, traditional block ciphers are not suitable for this kind of extremely constrained environment. Hence, lightweight block ciphers are put forward for restricted environment and have shown importance in various applications. Recently, copious lightweight block ciphers are designed to maintain security under limited resource conditions, such as PRESENT [1], LBlock [2], and PRINCE [3]. And many cryptographers are concerned about the security of lightweight block ciphers.

Differential analysis, which is a chosen-plaintext attack, is proposed by Biham and Shamir to analyze DES [4]. Differential analysis studies probability propagation property in the encryption/decryption process. This method seeks for high probability differential characteristics to perform a distinguishing attack or a key-recovery attack. Later, linear analysis, which is the duality of differential analysis and is a known-plaintext attack, is presented by Matsui in EUROCRYPT’93 [5]. Similarly, linear analysis studies the linear relationship between plaintexts and ciphertexts and finds linear approximations with high probability to build a distinguisher or carry out a key-recovery attack. In addition, these two methods are the most popular cryptanalysis methods nowadays. They have been used to analyze many ciphers and should be taken into consideration for designing a new cipher scheme [6–11].

NUX is a 31-round iterative lightweight block cipher proposed by Bansod* et al.* [12] which adopts generalized Feistel structure. And it supports 64-bit blocks and 80/128-bit keys. For the version with 128-bit key, the author pointed out that NUX needs 1022 GEs, which is less than all existing ciphers. In terms of security, they expected that NUX could resist differential/linear analysis. They examined the resistance of NUX against differential/linear cryptanalysis. At last, they showed that NUX cipher with no less than 25 round is enough to resist linear or differential attack. Besides, a biclique attack on NUX is presented in [12].

*Our Contribution*(i)131-round differential characteristics of NUX are searched for, and 10 25-round differential characteristics are found with probability , which are better than the one with probability limitation given in the design script, shown in Table 1.(ii)The resistance to the linear analysis for -round NUX is examined, and 48 25-round linear approximations are presented with absolute value of bias to be better than the limitation on bias presented in the design script, which is , depicted in Table 1.(iii)For full NUX, the probability of the best differential characteristic is , and the absolute value of bias for the best linear approximation is , which are described in Table 1.(iv)Using 22-round differential characteristic with probability obtained in this paper, 29-round differential attack is performed with time, data, and memory complexity to be 29-round encryptions and and bytes, respectively. Furthermore, based on a 19-round linear approximation with bias to be , 25-round linear attack is executed with time complexity 25-round encryptions, data complexity , and memory complexity bytes. Till now, these two attacks are the best differential attack and best linear attack, respectively. A summary of our attacks is given in Table 2.(v)Utilizing the property of difference propagation through NUX, distinguishing attack can be implemented on full NUX with data complexity 8, which is depicted in Table 2.

The organization of the paper is as follows. The notations and description of NUX are given in Section 2. Section 3 shows the differential characteristics and differential attack on 29-round NUX. In Section 4, the linear approximations and linear attack on 25-round NUX are introduced. Section 5 describes distinguishing attacks between full NUX and random permutations. Finally, Section 6 concludes the paper.

#### 2. Preliminaries

This section will list notations and operations used in this paper and describe NUX.

##### 2.1. Notations and Operations

(i): The set of strings with bits length.(ii): The -th bit of , if .(iii): The -th bit to -th bit of , if .(iv): The -th and -th bits of , if .(v): Concatenation of and , if .(vi): Right cyclic shift operation.(vii): Left cyclic shift operation.(viii): XOR operation.

##### 2.2. Description of NUX

NUX is a 31-round ultralightweight cipher based on generalized Feistel network. It supports a key length of 128/80 bits and a block length of 64 bits. The round function is illustrated in Figure 1.

There are two F-functions and , which are constructed by four S-boxes and a circular shift operator. The S-box is represented in Table 3. Then and can be depicted as follows:

The 64-bit input of the -th round, , is divided into 4 blocks of 16 bits, named , , , and , respectively. and then there are the following formulas: where is a 16-bit permutation, which is depicted in Table 4.

After 31 rounds, the ciphertext will be acquired as . The key schedule is omitted and interested readers are referred to [12] for more details about NUX.

#### 3. Differential Attack on 29-Round NUX

In this section, how to search for differential characteristics of NUX will be described. And then a key-recovery attack is conducted on 29-round NUX.

##### 3.1. Differential Characteristics of NUX

To search for the differential characteristic of NUX, the different propagation between round functions should be considered. And how differences propagate through S-boxes should also be taken into account. When a difference passes through an S-box, the output difference and probability are determined by looking up the XOR difference distribution table (DDT) of the S-box.

Algorithm 1 is designed to search for differential characteristics of NUX, and notations used in this algorithm are depicted in Figure 2. From the structure of NUX, it is obvious that the probability of one round can be 1; that is, all the 8 S-boxes are passive. So a special -round differential characteristic, , is chosen, and one-round differential characteristic with probability 1 is added to catch -round differential characteristics. Meanwhile, and , which lie in the two branches on the left side, will not affect and , the two branches on the right side, during propagation in NUX. So differences of two branches on the left or right are set to 0, and the difference propagation in the other two branches will be focused on during the encryption process. In this way, the number of active S-boxes is always no more than 4 in one round, which can make the probability of the differential characteristic as large as possible. The results of our search algorithm are listed in Table 5.

Input: S-box , Probability threshold . | |

Output: A differential trail with the best probability. | |

Generate the DDT of S-box. | |

Store all 2, 4 and the corresponding input/output differences in DDT in the table | |

for Each of 8 S-boxes in the first round do | |

for all non-zero entities in DDT do | |

if S-box is in then | |

, . | |

Store them in . | |

else | |

, . | |

Store them in . | |

Calculate , , , , and store them in . | |

Calculate , , , , and store them in . | |

The probability is recorded as . | |

for to do | |

if then | |

Travel to get and its corresponding probability | |

else if then | |

Travel to get and the corresponding probability | |

Keep , which greater than threshold | |

Calculate , , , , and store them in . | |

for Each of 8 S-boxes in the first round do | |

for all non-zero entities in DDT do | |

Find the largest and store it in | |

Output different characteristics with probability |

Furthermore, the minimal numbers of active S-boxes of 15-round differential characteristics are shown in the design manuscript [12]. So the minimal number of active S-boxes is also studied, and the minimum active S-boxes of 4 5-round differential characteristics are less than the ones given in [12], which are presented in Table 6.

##### 3.2. Differential Attack on NUX

A 22-round differential characteristic is chosen with probability to be , which is shown in Table 7, and 7 rounds are extended forward. The description is given in Figure 3. There are , , and according to the 22-round differential distinguisher. Then , , and satisfy the form as , where can be deduced. And the output difference of the 28-th round is . , , , and can be gotten by 6-round decryption. So , , , , , and should be guessed and denoted by . The attack process is described as follows:(1)Collect pairs of plaintext satisfying and their corresponding ciphertext pairs .(2)Initialize counters and reset them.(3)For each plaintext pair , check whether its ciphertext pair satisfies . If the ciphertext pair meets the formula, and .(4)Initialize counters and reset them.(5)Guess 96-bit key , and decrypt to obtain , , , and . Check whether and are equal to and . If the conditions are met, then let .(6)Use to calculate and . If and , .(7)Set advantage to be 51, which implies that the top absolute values in are kept. For each remaining key, we guess the remaining 58-bit subkey and calculate the master key. Finally, we test the key by trail encryptions.

If set , then about pieces of data enter step , which means 6-round encryptions, that is, 29-round encryptions. The complexity of step is 29-round encryptions. So the total time complexity of this attack is about 29-round encryptions.

The counters require storing bytes, so the memory complexity for the attack is bytes. The data complexity is .

The success rate by [13].

#### 4. Linear Attack on 25-Round NUX

Linear approximations of NUX are searched for in this section, and the 25-round key-recovery attack is performed on NUX using a 19-round linear approximation.

##### 4.1. Linear Approximations of NUX

To search for linear approximations of NUX, how masks propagate through S-boxes should be taken into account. When a mask passes through an S-box, the linear approximation table (LAT) of the S-box is looked up to determine the output mask and bias. Algorithm 2 searches for linear approximations of NUX and notations used in this algorithm are depicted in Figure 4.

Input: S-box , Bias threshold . | |

Output: A linear approximation with the best bias. | |

Data: The number of active S-boxes in i rounds . | |

The number of active S-boxes of the i-th round . | |

Generate the LAT of S-box. | |

Store all 2, 4 and the corresponding input/output masks in LAT in the table | |

for Each of 8 S-boxes in the first round do | |

for all non-zero entities in LAT do | |

if S-box is in then | |

, . | |

Store them in . | |

else | |

, . | |

Store them in . | |

Calculate , , , , and store them in . | |

Calculate , , , , and store them in . | |

Update to be 1. | |

The bias is recorded as . | |

for to do | |

if then | |

Travel to get , and its corresponding bias | |

else if then | |

Travel to get , and the corresponding bias | |

Compute the total bias, and keep ones greater than threshold | |

Calculate , , , , and store them in . | |

Update the number of active S-boxes and bias | |

for Each of 8 S-boxes in the first round do | |

for all non-zero entities in DDT do | |

Find the largest and store it in | |

Output linear approximations with bias |

The bias of one round can be , which can be obtained from the structure of NUX; that is, all the 8 S-boxes are passive. So special -round linear approximations are chosen, which satisfy (), and one-round linear approximation with bias 1 is added to catch -round linear approximations. Similar to searching for differential characteristics, there is only one active S-box in the first round of rounds. Meanwhile, and , which lie in the two branches on the left side, will not affect and , the two branches on the right side, during propagation in NUX. So the linear propagation on the left or right is taken into consideration, and differences of the other two branches are set to 0. In this way, the number of active S-boxes is always no more than 4 in one round, which can make the absolute value of the linear approximation bias as large as possible. The results of the search algorithm are listed in Table 8.

Moreover, the minimal numbers of active S-boxes of 15-round linear approximations are shown in the design manuscript [12]. And the minimal number of active S-boxes is also considered, and the minimum active S-boxes of 35-round linear approximations are less than the ones given in [12], which are presented in Table 9.

##### 4.2. Linear Attack on NUX

Utilizing obtained linear approximations, a key-recovery attack can be applied to 25-round NUX using a 19-round linear approximation with bias , which is described in Table 10. The 19-round linear approximation is put from the 4th to the 22th round of NUX, extending 3 rounds both backward and forward. The 25-round key-recovery attack is shown in Figure 5.

According to the linear approximation, there are , , , and . Furthermore, the following formula can be gotten: where can be calculated through 3-round encryption by guessing 26-bit subkeys, which are denoted by including , , and . Besides, and are obtained by 3-round decryption, which involves 40-bit subkeys, namely, , , and . For the sake of simplicity, and are denoted by . In the following, the attack process is depicted. (1)Collect plaintext/ciphertext pairs.(2)Initialize counters and reset them.(3)Guess 26-bit key .(4)For each plaintext/ciphertext pair, calculate . Then .(5)Initialize counters and reset them.(6)Guess 16-bit key .(7)For every , calculate . Then .(8)Initialize counters and reset them.(9)Guess 24-bit key .(10)For every , calculate and . Then compute . If , then ; otherwise, decrease the counter by .(11)Set the advantage to be 17, which means that the top absolute values in are kept. For each remaining key, we guess 77-bit subkey to determine the master key. And then we test the key by trail encryptions.

If , then the time complexity of step , step , and step is about 3-round encryption, 1-round decryption, and 2-round encryption, respectively. Besides, the complexity of step is 25-round encryption. Hence, the total time complexity of this attack is about 25-round encryption.

Both the counters and need bytes to store, so the memory complexity for the attack is bytes. The data complexity is .

The success rate by [14].

#### 5. Distinguishing Attack on NUX

Generally speaking, the distinguishing attack is a kind of test algorithm, which tries to perform the nonrandom behavior in cryptographic system. A distinguishing attack needs to find a distinguisher, which makes cryptographic algorithm different from random permutation. When analyzing NUX, we find a distinguisher with probability 1, that is, a deterministic distinguisher to distinguish NUX from a random permutation.

In Section 3, it has been pointed out that the two branches on the right side will not affect the two on the right side during difference propagation in NUX. Then, for the full-round NUX, when the input difference is , the output difference satisfies the form of , shown in Figure 6, that is, . However, the probability of the output difference to be is for random permutations, when the input difference is . So 4 pairs of plaintexts are chosen, which are , , and , and the corresponding ciphertexts are checked to determine whether they satisfy . The probability of obtaining such input/output differences is 1 for NUX, while it is for a random permutation. Therefore, we can distinguish NUX from a random permutation. Besides, there is another distinguisher with probability 1, which is and can be used to perform a distinguishing attack like the one described before. So we will not explore it here.

Since only 4 pairs of plaintexts are used in the distinguishing attack, the data complexity is . And the attack needs no storage. In other words, the complexity of memory is 0. The time complexity is 8 31-round encryptions.

#### 6. Conclusions

NUX is a 31-round iterative ultralightweight cipher, which is suitable for extremely constrained environment and is applied to the Internet of Things. In this paper, differential and linear trails are searched for 131-round NUX, which are better than those proposed in design specification. Moreover, a key-recovery attack on 29-round NUX is given with the 22-round differential characteristic found in the paper, whose time, data, and memory complexities are 29-round encryptions and and bytes, respectively. Meanwhile, using 22-round differential characteristic obtained in the paper, 29-round differential attack is performed with time, data, and memory complexities to be 25-round encryptions and and bytes, respectively. Furthermore, a distinguishing attack can be implemented on full NUX with data complexity 8. Results in this paper are the best ones on NUX till now.

#### Data Availability

All the data are obtained by our programs and can be provided to interested readers by email.

#### Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

#### Acknowledgments

This work has been supported by National Cryptography Development Fund (no. MMJJ20170102), the National Natural Science Foundation of China (nos. 61572293, 61502276, and 61692276), the National Natural Science Foundation of Shandong Province, China (ZR2016FM22), Major Scientific and Technological Innovation Projects of Shandong Province, China (2017CXGC0704), and Fundamental Research Fund of Shandong Academy of Sciences (no. 2018:12-16).