Privacy and Security of Information Processing in Industrial Big Data and Internet of Things
Research Article, Open Access
Security Cryptanalysis of NUX for the Internet of Things
Abstract
In order to suit restricted environments such as radio frequency identification technology or sensor networking, which are important components of the Internet of Things, lightweight block ciphers are designed. NUX is a 31-round iterative ultra-lightweight cipher proposed by Bansod et al. In this paper, we examine the resistance of NUX to differential and linear analysis and search for differential characteristics and linear approximations over various numbers of rounds. In the design specification, the authors claimed that 25-round NUX is resistant to differential and linear attacks. However, we can successfully perform a 29-round differential attack on NUX with the 22-round differential characteristic found in this paper, which is 4 rounds more than the limit given by the authors. Furthermore, we present a key recovery attack on 22-round NUX using a 19-round linear approximation determined in this paper. Besides, a distinguishing attack, whose distinguisher is built using the property of differential propagation through NUX, is implemented on full NUX with data complexity 8.
1. Introduction
The Internet of Things comprises a variety of devices and technologies such as sensors, radio frequency identification (RFID) technology, global positioning systems, infrared sensors, laser scanners, and gas sensors. Its essence is to use RFID technology to realize the automatic identification of items and the interconnection and sharing of information through the Internet. In this new cryptographic environment, RFID technology and sensor networking have similar properties, such as weak computation abilities, small storage spaces, and strict power constraints. Therefore, traditional block ciphers are not suitable for such extremely constrained environments. Hence, lightweight block ciphers have been put forward for restricted environments and have shown their importance in various applications. Recently, many lightweight block ciphers have been designed to maintain security under limited resource conditions, such as PRESENT [1], LBlock [2], and PRINCE [3], and many cryptographers are concerned with the security of lightweight block ciphers.
Differential analysis, a chosen-plaintext attack, was proposed by Biham and Shamir to analyze DES [4]. Differential analysis studies how differences propagate, with what probability, through the encryption/decryption process. This method searches for high-probability differential characteristics to perform a distinguishing attack or a key-recovery attack. Later, linear analysis, which is the dual of differential analysis and is a known-plaintext attack, was presented by Matsui at EUROCRYPT'93 [5]. Similarly, linear analysis studies linear relationships between plaintexts and ciphertexts and finds linear approximations with high bias to build a distinguisher or carry out a key-recovery attack. These two methods are the most popular cryptanalysis methods today. They have been used to analyze many ciphers and should be taken into consideration when designing a new cipher [6–11].
NUX is a 31-round iterative lightweight block cipher proposed by Bansod et al. [12] which adopts a generalized Feistel structure. It supports 64-bit blocks and 80/128-bit keys. For the version with a 128-bit key, the authors pointed out that NUX needs 1022 GEs, which is less than all existing ciphers. In terms of security, they expected that NUX could resist differential/linear analysis, and they examined the resistance of NUX against differential/linear cryptanalysis. Finally, they showed that NUX with no fewer than 25 rounds is enough to resist linear or differential attacks. Besides, a biclique attack on NUX is presented in [12].
Our Contribution
(i) 1–31-round differential characteristics of NUX are searched for, and 10 25-round differential characteristics are found whose probability is better than the probability limit given in the design script, as shown in Table 1.
(ii) The resistance of reduced-round NUX to linear analysis is examined, and 48 25-round linear approximations are presented whose absolute bias is better than the bias limit given in the design script, as depicted in Table 1.
(iii) For full NUX, the probability of the best differential characteristic and the absolute bias of the best linear approximation are given in Table 1.
(iv) Using the 22-round differential characteristic obtained in this paper, a 29-round differential attack is performed; its time complexity (in 29-round encryptions), data complexity, and memory complexity (in bytes) are summarized in Table 2. Furthermore, based on a 19-round linear approximation, a 25-round linear attack is executed; its time complexity (in 25-round encryptions), data complexity, and memory complexity (in bytes) are also summarized in Table 2. Till now, these two attacks are the best differential attack and the best linear attack on NUX, respectively.
(v) Utilizing the property of difference propagation through NUX, a distinguishing attack can be implemented on full NUX with data complexity 8, as depicted in Table 2.
The organization of the paper is as follows. The notation and the description of NUX are given in Section 2. Section 3 shows the differential characteristics and the differential attack on 29-round NUX. In Section 4, the linear approximations and the linear attack on 25-round NUX are introduced. Section 5 describes the distinguishing attack that separates full NUX from a random permutation. Finally, Section 6 concludes the paper.
2. Preliminaries
This section will list notations and operations used in this paper and describe NUX.
2.1. Notations and Operations
(i) The set of bit strings of a given length.
(ii) A given bit of a string.
(iii) A given range of bits of a string.
(iv) Two given bits of a string.
(v) Concatenation of two strings.
(vi) Right cyclic shift operation.
(vii) Left cyclic shift operation.
(viii) XOR operation.
2.2. Description of NUX
NUX is a 31-round ultra-lightweight cipher based on a generalized Feistel network. It supports key lengths of 128/80 bits and a block length of 64 bits. The round function is illustrated in Figure 1.
There are two F-functions, each of which is constructed from four S-boxes and a circular shift operator. The S-box is given in Table 3. The two F-functions are then defined as follows:

The 64-bit input of each round is divided into four 16-bit blocks. The round is then computed by the following formulas, in which the 16-bit permutation used is given in Table 4:

After 31 rounds, the ciphertext is obtained. The key schedule is omitted here; interested readers are referred to [12] for more details about NUX.
3. Differential Attack on 29-Round NUX
In this section, we describe how to search for differential characteristics of NUX. A key-recovery attack is then conducted on 29-round NUX.
3.1. Differential Characteristics of NUX
To search for differential characteristics of NUX, the difference propagation between round functions must be considered, as well as how differences propagate through the S-boxes. When a difference passes through an S-box, the output difference and its probability are determined by looking up the XOR difference distribution table (DDT) of the S-box.
Algorithm 1 is designed to search for differential characteristics of NUX; the notation used in this algorithm is depicted in Figure 2. From the structure of NUX, it is obvious that the probability of one round can be 1, that is, all 8 S-boxes are passive. So a special reduced-round differential characteristic is chosen, and a one-round differential characteristic with probability 1 is added to obtain a characteristic one round longer. Meanwhile, the two branches on the left side do not affect the two branches on the right side during propagation in NUX. So the differences of the two branches on either the left or the right are set to 0, and the difference propagation in the other two branches is followed during encryption. In this way, the number of active S-boxes is never more than 4 in one round, which makes the probability of the differential characteristic as large as possible. The results of our search algorithm are listed in Table 5.

Algorithm 1: Search for differential characteristics of NUX.
Input: S-box, probability threshold.
Output: A differential trail with the best probability.
Generate the DDT of the S-box.
Store all entries equal to 2 or 4, with the corresponding input/output differences in the DDT, in the table.
for each of the 8 S-boxes in the first round do
    for all nonzero entries in the DDT do
        if the S-box is in the designated set then
            , .
            Store them in the table.
        else
            , .
            Store them in the table.
        Calculate the four branch differences, and store them.
        Calculate the four branch differences of the next round, and store them.
        Record the probability.
        for each subsequent round do
            if the first condition holds then
                Traverse the table to get the output difference and its corresponding probability
            else if the second condition holds then
                Traverse the table to get the output difference and the corresponding probability
            Keep the characteristics whose probability is greater than the threshold
            Calculate the four branch differences, and store them.
for each of the 8 S-boxes in the first round do
    for all nonzero entries in the DDT do
        Find the largest probability and store it
Output the differential characteristics with the best probability
Furthermore, the minimal numbers of active S-boxes of 1–5-round differential characteristics are given in the design manuscript [12]. So the minimal number of active S-boxes is also studied here, and the minimum numbers of active S-boxes of the 4–5-round differential characteristics found are less than the ones given in [12]; they are presented in Table 6.
3.2. Differential Attack on NUX
A 22-round differential characteristic is chosen, whose probability is shown in Table 7, and 7 rounds are extended forward. The description is given in Figure 3. The input differences of the extension follow from the 22-round differential distinguisher, and the resulting differences satisfy a form from which the unknown part can be deduced. The output difference of the 28th round follows, and the differences of the four branches can be obtained by 6-round decryption. So the subkeys involved must be guessed; they are denoted collectively below. The attack process is described as follows:
(1) Collect pairs of plaintexts satisfying the input difference and their corresponding ciphertext pairs.
(2) Initialize counters and reset them.
(3) For each plaintext pair, check whether its ciphertext pair satisfies the output difference. If the ciphertext pair meets the formula, update the counter.
(4) Initialize counters and reset them.
(5) Guess the 96-bit key, and decrypt to obtain the differences of the four branches. Check whether they are equal to the expected differences. If the conditions are met, update the counter.
(6) Use the guessed key to calculate the remaining differences. If they match the expected values, update the counter.
(7) Set the advantage to 51, which implies that the top absolute counter values are kept. For each remaining key, guess the remaining 58-bit subkey and calculate the master key. Finally, test the key by trial encryptions.

With the chosen number of pairs, the number of pairs that enter the key-guessing step corresponds to a number of 6-round encryptions, that is, an equivalent number of 29-round encryptions. Together with the cost of the final step, also measured in 29-round encryptions, the total time complexity of this attack, in 29-round encryptions, is given in Table 2.
The storage needed for the counters determines the memory complexity of the attack, in bytes, and the number of chosen plaintext pairs determines the data complexity; both are given in Table 2.
The success rate is computed according to [13].
4. Linear Attack on 25-Round NUX
Linear approximations of NUX are searched for in this section, and a 25-round key-recovery attack is performed on NUX using a 19-round linear approximation.
4.1. Linear Approximations of NUX
To search for linear approximations of NUX, how masks propagate through the S-boxes must be taken into account. When a mask passes through an S-box, the linear approximation table (LAT) of the S-box is looked up to determine the output mask and bias. Algorithm 2 searches for linear approximations of NUX; the notation used in this algorithm is depicted in Figure 4.
Algorithm 2: Search for linear approximations of NUX.
Input: S-box, bias threshold.
Output: A linear approximation with the best bias.
Data: The number of active S-boxes in the first i rounds; the number of active S-boxes of the i-th round.
Generate the LAT of the S-box.
Store all entries equal to 2 or 4, with the corresponding input/output masks in the LAT, in the table.
for each of the 8 S-boxes in the first round do
    for all nonzero entries in the LAT do
        if the S-box is in the designated set then
            , .
            Store them in the table.
        else
            , .
            Store them in the table.
        Calculate the four branch masks, and store them.
        Calculate the four branch masks of the next round, and store them.
        Update the number of active S-boxes to be 1.
        Record the bias.
        for each subsequent round do
            if the first condition holds then
                Traverse the table to get the output mask and its corresponding bias
            else if the second condition holds then
                Traverse the table to get the output mask and the corresponding bias
            Compute the total bias, and keep the approximations whose bias is greater than the threshold
            Calculate the four branch masks, and store them.
            Update the number of active S-boxes and the bias
for each of the 8 S-boxes in the first round do
    for all nonzero entries in the LAT do
        Find the largest bias and store it
Output the linear approximations with the best bias
From the structure of NUX, the bias of one round can be maximal, that is, all 8 S-boxes are passive. So special reduced-round linear approximations are chosen, and a one-round linear approximation with bias 1 is added to obtain an approximation one round longer. Similar to the search for differential characteristics, there is only one active S-box in the first round. Meanwhile, the two branches on the left side do not affect the two branches on the right side during propagation in NUX. So the linear propagation on either the left or the right is considered, and the masks of the other two branches are set to 0. In this way, the number of active S-boxes is never more than 4 in one round, which makes the absolute value of the bias of the linear approximation as large as possible. The results of the search algorithm are listed in Table 8.
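The S-box tables that Algorithms 1 and 2 look up for every active S-box, together with the trail probability and piling-up bookkeeping the two searches keep, as an added Python example that is not part of the paper. NUX's S-box (Table 3) is not reproduced on this page, so the PRESENT S-box [1] stands in, and the function names are this example's own.

```python
# Added example (not the paper's code): the S-box tables that Algorithms 1
# and 2 look up for every active S-box, plus the bookkeeping the search keeps.
# NUX's S-box (Table 3) is not reproduced on this page, so the PRESENT S-box
# [1] is used as a stand-in; replace SBOX with the NUX table to reuse the code.
import math

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]   # PRESENT S-box, stand-in


def ddt(sbox):
    """XOR difference distribution table:
    ddt[din][dout] = #{x : S(x) ^ S(x ^ din) == dout}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for din in range(n):
        for x in range(n):
            table[din][sbox[x] ^ sbox[x ^ din]] += 1
    return table


def parity(v):
    """Parity of the bits of v (the GF(2) dot product once v = a & x)."""
    return bin(v).count("1") & 1


def lat(sbox):
    """Linear approximation table, scaled as counts:
    lat[a][b] = #{x : a.x == b.S(x)} - n/2, so the bias is lat[a][b] / n."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            agree = sum(parity(a & x) == parity(b & sbox[x]) for x in range(n))
            table[a][b] = agree - n // 2
    return table


def best_transitions(table):
    """For each nonzero input difference/mask, the largest |entry| and the
    outputs reaching it: the entries (2 and 4) that Algorithms 1 and 2 store."""
    best = {}
    for din in range(1, len(table)):
        m = max(abs(v) for v in table[din])
        best[din] = (m, [dout for dout, v in enumerate(table[din]) if abs(v) == m])
    return best


def differential_uniformity(sbox):
    """Largest DDT entry over nonzero input differences (4 is optimal for 4 bits)."""
    return max(v for row in ddt(sbox)[1:] for v in row)


def max_linear_bias(sbox):
    """Largest |bias| over nonzero input masks (1/4 is optimal for 4 bits)."""
    n = len(sbox)
    return max(abs(v) for row in lat(sbox)[1:] for v in row) / n


def trail_log2_probability(ddt_counts, n=16):
    """log2 probability of a characteristic whose active S-boxes take the
    given DDT counts, under the usual independent-rounds heuristic."""
    return sum(math.log2(c / n) for c in ddt_counts)


def piling_up(biases):
    """Piling-up lemma: total bias of a chain of independent approximations."""
    total = 2 ** (len(biases) - 1)
    for eps in biases:
        total *= eps
    return total
```

With this S-box, four active S-boxes per round at the best DDT count (the per-round bound the search enforces for NUX) give `trail_log2_probability([4, 4, 4, 4]) == -8.0`, that is, a one-round probability of 2^-8.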

Moreover, the minimal numbers of active S-boxes of 1–5-round linear approximations are given in the design manuscript [12]. The minimal number of active S-boxes is also considered here, and the minimum numbers of active S-boxes of the 3–5-round linear approximations found are less than the ones given in [12]; they are presented in Table 9.
4.2. Linear Attack on NUX
Utilizing the linear approximations obtained, a key-recovery attack can be applied to 25-round NUX using a 19-round linear approximation, whose bias is given in Table 10. The 19-round linear approximation covers rounds 4 to 22 of NUX, and 3 rounds are extended both backward and forward. The 25-round key-recovery attack is shown in Figure 5.

According to the linear approximation, the masks on the four branches are fixed, and the following formula can be obtained, in which one term is calculated through 3-round encryption by guessing 26 bits of subkey, and two terms are obtained by 3-round decryption, which involves 40 bits of subkey. For simplicity, the subkeys involved are denoted collectively. The attack process is as follows:
(1) Collect plaintext/ciphertext pairs.
(2) Initialize counters and reset them.
(3) Guess the 26-bit key.
(4) For each plaintext/ciphertext pair, calculate the corresponding value and update the counter.
(5) Initialize counters and reset them.
(6) Guess the 16-bit key.
(7) For every counter value, calculate the corresponding value and update the counter.
(8) Initialize counters and reset them.
(9) Guess the 24-bit key.
(10) For every counter value, calculate the remaining terms and compute the value of the approximation. If the formula holds, increase the counter; otherwise, decrease the counter by the same amount.
(11) Set the advantage to 17, which means that the top absolute counter values are kept. For each remaining key, guess the 77-bit subkey to determine the master key, and then test the key by trial encryptions.
With the chosen number of pairs, the time complexities of the three counting steps are about the stated numbers of 3-round encryptions, 1-round decryptions, and 2-round encryptions, respectively. Besides, the complexity of the final step is measured in 25-round encryptions. Hence, the total time complexity of this attack, in 25-round encryptions, is given in Table 2.
Both sets of counters must be stored, which determines the memory complexity of the attack in bytes; the data complexity is the number of plaintext/ciphertext pairs collected. Both are given in Table 2.
The success rate is computed according to [14].
5. Distinguishing Attack on NUX
Generally speaking, a distinguishing attack is a test algorithm that tries to exhibit non-random behaviour of a cryptographic system. A distinguishing attack needs a distinguisher, a property that makes the cryptographic algorithm differ from a random permutation. When analyzing NUX, we find a distinguisher with probability 1, that is, a deterministic distinguisher that separates NUX from a random permutation.
In Section 3, it has been pointed out that the two branches on the left side do not affect the two branches on the right side during difference propagation in NUX. Then, for full-round NUX, when the input difference takes the chosen form, the output difference satisfies the form shown in Figure 6. However, for a random permutation, the probability that the output difference has this form is much lower. So 4 pairs of plaintexts with this input difference are chosen, and the corresponding ciphertexts are checked to determine whether they satisfy the output form. The probability of obtaining such input/output differences is 1 for NUX, while it is much lower for a random permutation. Therefore, we can distinguish NUX from a random permutation. Besides, there is another distinguisher with probability 1, which can be used to perform a distinguishing attack like the one described above, so we do not explore it here.
Since only 4 pairs of plaintexts are used in the distinguishing attack, the data complexity is 8. The attack needs no storage, so the memory complexity is 0. The time complexity is 8 31-round encryptions.
6. Conclusions
NUX is a 31-round iterative ultra-lightweight cipher, which is suitable for extremely constrained environments and is applied to the Internet of Things. In this paper, differential and linear trails are searched for 1–31-round NUX, and they are better than those proposed in the design specification. Moreover, a key-recovery attack on 29-round NUX is given with the 22-round differential characteristic found in the paper, whose time, data, and memory complexities are measured in 29-round encryptions, chosen data, and bytes, respectively. Meanwhile, using the 22-round differential characteristic obtained in the paper, a 29-round differential attack is performed with time, data, and memory complexities measured in 25-round encryptions, data, and bytes, respectively. Furthermore, a distinguishing attack can be implemented on full NUX with data complexity 8. The results in this paper are the best ones on NUX till now.
Data Availability
All the data are obtained by our programs and can be provided to interested readers by email.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
Acknowledgments
This work has been supported by National Cryptography Development Fund (no. MMJJ20170102), the National Natural Science Foundation of China (nos. 61572293, 61502276, and 61692276), the National Natural Science Foundation of Shandong Province, China (ZR2016FM22), Major Scientific and Technological Innovation Projects of Shandong Province, China (2017CXGC0704), and Fundamental Research Fund of Shandong Academy of Sciences (no. 2018:1216).
References
[1] A. Bogdanov, L. R. Knudsen, G. Leander et al., "PRESENT: an ultra-lightweight block cipher," in Cryptographic Hardware and Embedded Systems (CHES 2007), P. Paillier and I. Verbauwhede, Eds., vol. 4727 of Lecture Notes in Computer Science, pp. 450–466, Springer, 2007.
[2] W. Wu and L. Zhang, "LBlock: a lightweight block cipher," in Applied Cryptography and Network Security (ACNS 2011), J. Lopez and G. Tsudik, Eds., vol. 6715 of Lecture Notes in Computer Science, pp. 327–344, Springer, Heidelberg, Germany, 2011.
[3] J. Borghoff, A. Canteaut, T. Güneysu et al., "PRINCE: a low-latency block cipher for pervasive computing applications," in Advances in Cryptology (ASIACRYPT 2012), X. Wang and K. Sako, Eds., vol. 7658 of Lecture Notes in Computer Science, pp. 208–225, Springer, Heidelberg, Germany, 2012.
[4] E. Biham and A. Shamir, "Differential cryptanalysis of DES-like cryptosystems," Journal of Cryptology, vol. 4, no. 1, pp. 3–72, 1991.
[5] M. Matsui, "Linear cryptanalysis method for DES cipher," in Advances in Cryptology (EUROCRYPT 1993), T. Helleseth, Ed., vol. 765 of Lecture Notes in Computer Science, pp. 386–397, Springer, 1993.
[6] A. G. Bafghi, R. Safabakhsh, and B. Sadeghiyan, "Finding the differential characteristics of block ciphers with neural networks," Information Sciences, vol. 178, no. 15, pp. 3117–3131, 2008.
[7] H. M. Heys and S. E. Tavares, "Substitution-permutation networks resistant to differential and linear cryptanalysis," Journal of Cryptology, vol. 9, no. 1, pp. 1–19, 1996.
[8] G. Jakimoski and L. Kocarev, "Differential and linear probabilities of a block-encryption cipher," IEEE Transactions on Circuits and Systems I: Fundamental Theory and Applications, vol. 50, no. 1, pp. 121–123, 2003.
[9] J. Kim and R. C.-W. Phan, "Advanced differential-style cryptanalysis of the NSA's Skipjack block cipher," Cryptologia, vol. 33, no. 3, pp. 246–270, 2009.
[10] F. Sano, K. Ohkuma, H. Shimizu, and S. Kawamura, "On the security of nested SPN cipher against the differential and linear cryptanalysis," IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. 86, no. 1, pp. 37–46, 2003.
[11] B.-Z. Su, W.-L. Wu, and W.-T. Zhang, "Security of the SMS4 block cipher against differential cryptanalysis," Journal of Computer Science and Technology, vol. 26, no. 1, pp. 130–138, 2011.
[12] G. Bansod, S. Sutar, A. Patil, and J. Patil, "NUX: a lightweight block cipher for security at wireless sensor node level," World Academy of Science, Engineering and Technology, International Journal of Bioengineering and Life Sciences, vol. 5, no. 1, 2018.
[13] A. A. Selçuk, "On probability of success in linear and differential cryptanalysis," Journal of Cryptology, vol. 21, no. 1, pp. 131–147, 2008.
[14] A. Bogdanov and E. Tischhauser, "On the wrong key randomisation and key equivalence hypotheses in Matsui's algorithm 2," in Fast Software Encryption (FSE 2013), S. Moriai, Ed., vol. 8424 of Lecture Notes in Computer Science, pp. 19–38, Springer, 2014.
Copyright
Copyright © 2019 Yu Liu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.