Abstract

To meet the security demand for IoT devices, many new lightweight block ciphers are proposed. ULC is a lightweight block cipher designed for the IoT. It has many advantages in terms of memory use, efficiency, and security. In this paper, a slide attack on full-round ULC is proposed in a related key setting. First, two properties on ULC are discovered. The first property is presented to illustrate the property of a slid pair for ULC. The second property is introduced to construct a link between some round key bits and some master key bits. Based on these properties, a key recovery attack on ULC is proposed. In this attack, with the condition of one related key, all the 80 master key bits can be recovered with the data complexity of O(2^32), the memory complexity of O(2^32), and the time complexity of O(2^63). The result of this paper indicates that ULC can’t resist slide attack in related key settings.

1. Introduction

With the rapid development of the Internet of Things (IoT), it is reaching deep into all fields of people’s lives. However, the devices used in the IoT are usually microcomputing equipment with weak computing power. Unlike traditional computers and high-performance computers, the computing and storage capacity of those devices in the IoT is limited. So, it is very important to propose better lightweight ciphers and guarantee the security of IoT devices. In order to solve this problem, lightweight block ciphers have been a hot topic for the last several years, and a number of new lightweight block ciphers have been proposed, represented by PRESENT [1], Lblock [2], RECTANGLE [3], TWINE [4], Piccolo [5], SIMON [6], Lilliput [7], SPECK [6], Simeck [8], HIGHT [9], LEA [10], etc. Among these ciphers, the lightweight block cipher ULC [11] was proposed in 2021 and designed for the IoT. When compared with traditional block ciphers, it has many advantages in terms of performance, memory usage, and security level. However, a thorough security evaluation of these lightweight block ciphers is essential before actual usage.

The slide attack [12] was proposed by Biryukov and Wagner at FSE 1999. In the Journal of Cryptology (2018), more efficient slide attacks were proposed to reduce the time complexity of the slide attack [13]. At Eurocrypt 2020, several new types of slide attacks were proposed to overcome the asymmetry of the last round [14]. In recent years, quantum slide attacks have been proposed for better results [15, 16]. This attack has been applied successfully to many ciphers such as Keeloq, GOST, FF3, Trivium, IEC 62055-41, CLX-128, Spectr-H64, SHACAL-1, and WG-16 [17–24]. Among these results, the most notable ones are the breaks of the block ciphers Keeloq, FF3, and GOST, which are real-life cryptosystems. Keeloq is used to protect cars against theft and is also used in garage door openers. FF3 is the format-preserving encryption scheme selected as a US standard [25] by NIST. The GOST block cipher is a Russian encryption standard. The basic idea of the slide attack is to use the property of a slid pair to derive some information about the key bits.

Our contribution is as follows: our overall contribution is proposing a slide attack on full-round ULC. First, two properties of ULC are presented. The first property is presented to illustrate the property of a slid pair for ULC. The second property is introduced to construct a link between some round key bits and the master key bits, which will be used in our attack. Based on these properties, a key recovery attack on ULC is proposed. In this attack, with the condition of one related key, all 80 master key bits can be recovered with the data complexity of O(2^32), the memory complexity of O(2^32), and the time complexity of O(2^63).

The comparison between our results and some previous cryptanalytic results is illustrated in Table 1.

Outline. This paper is organized as follows: the notations used in this paper are illustrated in Section 2. Section 3 gives a brief description of slide attack and ULC. Section 4 proposes two properties on ULC. A key recovery attack on ULC is presented in Section 5. Section 6 concludes the paper.

2. Notations

Suppose E is an n-bit block cipher of R rounds. The following notations are used throughout this paper:
(i) P: plaintext;
(ii) C: ciphertext;
(iii) : 80-bit master key, represents the 80-bit key register at the t-th round, and represents the i-th bit to the j-th bit of K;
(iv) : 64-bit round key at the i-th round;
(v) i: left rotation by i bits;
(vi) : XOR operation.

3. Preliminary

3.1. General Procedures of a Slide Attack

In this section, the general procedure of a typical slide attack is illustrated. As is well known, a block cipher applies a relatively weak round function iteratively to reach a strong security level. According to the original slide attack, all the round functions of a block cipher Ek are supposed to be the same, which can be denoted as fk. Ek can be written as

The key point for a slide attack is seeking a sliding pair. If two plaintexts P, P′ satisfy the equation P′ = fk (P), (P, P′) is a slid pair. If a slid pair appears, for the two ciphertexts of P and P′, C = Ek (P), C′ = Ek(P′), the conclusion C′ = fk(C) can be derived. This procedure is demonstrated in Figure 1 and all the intermediate states in the same nibble marked in red lines are totally the same.

It is difficult for an attacker to figure out which pair is a slid pair. So, we have to construct a set containing sufficiently many plaintext-ciphertext pairs. According to the birthday paradox, if the block size of Ek is n and the set contains 2^(n/2) plaintext-ciphertext pairs, a slid pair is expected to appear with high probability (about 63%). If a slid pair appears, as P, P′, C, C′ are all known, we can solve k from the following equation:

For some block ciphers, the round keys for different rounds are not always the same. According to the key schedule, we can use the condition of related keys to make have a dynamic match to construct a slid pair.
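The following Python block is an added example for the procedure described in this section; it is not code from the paper and it is not ULC. It builds a toy 16-bit SPN whose rounds are all identical (one round key, no round constants), collects about 2^(n/2) known plaintext-ciphertext pairs, and recovers the key by solving the slid-pair equation P′ = fk(P), C′ = fk(C). The S-box (PRESENT's, as a stand-in), the bit permutation, the round count and all sample data are assumptions made here. Instead of testing every pair, it uses the observation that both equations give the same k, so a slid pair satisfies P ⊕ C = g(P′) ⊕ g(C′) with g the key-independent inverse of one round, and candidates are found by table lookup.

```python
# Added example (not from the paper, not ULC): slide attack on a toy cipher
# whose rounds are all the same function f_k, the setting of Section 3.1.
import random

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]      # PRESENT S-box, used as a stand-in (assumption)
INV_SBOX = [SBOX.index(v) for v in range(16)]
PERM = [4 * (i % 4) + i // 4 for i in range(16)]     # constructed 16-bit bit permutation: bit i -> PERM[i]
INV_PERM = [PERM.index(i) for i in range(16)]
BLOCK = 16                                           # toy block size n, so ~2^(n/2) = 256 texts give a slid pair
ROUNDS = 8


def sub(x, box):
    """Apply a 4-bit S-box to the four nibbles of a 16-bit word."""
    return sum(box[(x >> (4 * n)) & 0xF] << (4 * n) for n in range(4))


def permute(x, table):
    """Move bit i of x to position table[i]."""
    return sum(((x >> i) & 1) << table[i] for i in range(BLOCK))


def round_fn(x, k):
    """f_k: key addition, S-box layer, bit permutation."""
    return permute(sub(x ^ k, SBOX), PERM)


def strip_round(y):
    """g(y) = f_k^{-1}(y) XOR k: undo the key-independent part of one round."""
    return sub(permute(y, INV_PERM), INV_SBOX)


def encrypt(p, k, rounds=ROUNDS):
    """E_k = f_k o f_k o ... o f_k, identical rounds with no round constants."""
    for _ in range(rounds):
        p = round_fn(p, k)
    return p


def slide_attack(pairs):
    """Known-plaintext slide attack over a list of (P, C) pairs under one unknown key.
    (P, P') is a slid pair iff P' = f_k(P), which forces C' = f_k(C). Both equations
    give k = P ^ g(P') = C ^ g(C'), so P ^ C == g(P') ^ g(C') selects candidates."""
    by_xor = {}
    for p, c in pairs:
        by_xor.setdefault(p ^ c, []).append((p, c))
    for p2, c2 in pairs:
        for p, c in by_xor.get(strip_round(p2) ^ strip_round(c2), []):
            if p == p2:
                continue
            k = p ^ strip_round(p2)                  # solve the slid-pair equation for k
            # a wrong candidate passes the table match with probability 2^-16,
            # so confirm it on two full encryptions before accepting it
            if all(encrypt(q, k) == d for q, d in pairs[:2]):
                return k
    return None                                      # no slid pair in the data set


def demo(seed=7, n_texts=1 << 10):
    """Constructed run: random key, 2^10 distinct known plaintexts, expected ~16 slid pairs."""
    rng = random.Random(seed)
    key = rng.getrandbits(BLOCK)
    plaintexts = rng.sample(range(1 << BLOCK), n_texts)
    pairs = [(p, encrypt(p, key)) for p in plaintexts]
    return key, slide_attack(pairs)


if __name__ == "__main__":
    true_key, found = demo()
    print(f"key 0x{true_key:04x}, recovered {found if found is None else hex(found)}")
```

The attack never needs to know the number of rounds, which is the point made in Section 5.1 below: adding rounds to a cipher with self-similar rounds does not help, whereas distinct round constants or a non-periodic key schedule break the relation C′ = fk(C) that the lookup relies on.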

3.2. Related Key Attack

The related key attack model is a class of cryptanalytic attacks that stands in contrast to the “single key attack model.” In the related key attack model, the attacker can know or choose the relationship between several keys, and the target of the attacker is to find the correct secret key.

The related key attack model is important in the area of cryptanalysis. For slide attacks, the condition of “related key” usually appears, and the idea of using a related key in slide attack has been used in much previous literature. Besides, the security level of related key attacks is included as a rationale in many design specifications of block ciphers.

3.3. Brief Description on ULC

The structure of ULC is an SPN. The idea of ULC originated from PRESENT and RECTANGLE. The block size of ULC is 64 bits, and there are altogether 15 rounds. The round function is composed of three layers: the key addition layer, the substitution layer, and the bit permutation layer. In the key addition layer, the 64-bit round key is XORed into the internal state. In the substitution layer, a bit-sliced four-bit Sbox is applied in parallel to introduce nonlinearity. In the bit permutation layer, an involutive 64-bit permutation is used to provide faster diffusion. The round function of ULC is illustrated in Figure 2.

The key schedule of ULC is modified from an ISO standard block cipher, PRESENT. First, the 80-bit register is initialized with the master key. The four most significant bits of the key register are substituted with the Sbox, then the register is rotated by 61 bits to the left. Finally, the 64 most significant bits of the key register are extracted as the round key RK. The mathematical form of this key register update process is as follows:
(1) [k79 k78 k77 k76] = S[k79 k78 k77 k76]
(2) [k79 k78, …, k1 k0] = [k18 k17, …, k20 k19]
(3) RK = [k79 k78, …, k17 k16]

4. Slide Properties on ULC

To better illustrate the slide attack on ULC, two properties are presented in this section. The first property is to illustrate the concrete conditions for a slid pair on ULC. The second property is to demonstrate the relationship between some subkey bits of the last round and some master key bits that will be used in our attack.

Property 1. (Sufficient prerequisite for a slid pair on ULC). For ULC, given a plaintext pair (P, P′) and a related key , , C = ULC(P, K), C′ = ULC(P′, K′), the sufficient prerequisite for a slid pair is as follows:
If equation (3) is satisfied, the following equation (4) must also hold.

Proof. If we want to construct a slid pair for one round, the intermediate value after the first round must be equal to P′. This implies that . Using the inverse operations of Perm and Sbox, equation (3) can be derived as
Based on the condition of equation (3), P and P′ must constitute a slid pair under the related key .
To make it more intuitive, this process is shown in Figure 3. As P′ equals the intermediate value after the first-round encryption of (P, K), the state of the key register at the first round, i.e., K1, , and , according to the relationship of the related key, equals K1. Therefore, the first 14 rounds of the encryption of (P′, K′) (with a round key added afterwards) are exactly the same as rounds 2–15 of the encryption of (P, K) (the is added afterwards, which equals ). This similarity is illustrated by the red box in Figure 3.
Based on this observation, for the encryption of (P′, K′), the intermediate value after adding the round key must be C. This indicates that the following equation must hold.

Property 2. (Relationship of , and ). If a slid pair appears, given , the round key bits and master key bits can be determined according to the following equation:
(a)m3 represents the three most significant bits of a.

Proof. The 64 round key bits of are traced through the key schedule. In this property, a link between the master key and the round key bits of the first and last rounds is illustrated.
To better illustrate the relevance of these bits between different key registers, Figure 4 is presented to depict the path of the concerned key bits. In this figure, each row represents a state of the 80-bit key register at a different round, and each cell represents one bit of the key register. The colored cells represent the concerned round key bits at different rounds. The orange cells represent bits that pass through an Sbox. The rest of the concerned bits are marked in blue.
Through deduction, it is found that of the 64 bits of the round key , 12 bits come unchanged from the shift operation alone and the other 52 bits go through a single Sbox. Each four of the 52 bits go through the Sbox at rounds 1, 3–5, 7–9, 11–13, and 15–16 (these round numbers are defined according to the key K). The relationship between the master key bits and the bits going through each Sbox is calculated as follows:
The relationship between the key register and is as follows:
According to the relationship between the round key, related key, and key register, the following equations can be obtained.
After applying Sbox^−1 on both sides of the equations, the conclusion of equation (7) in Property 2 can be derived (those bits coming from the shift operation alone can be calculated directly).
As the round key bits of and have the following relations:
the round key bits of and have the following relation, and the conclusion of (7) in Property 2 can be derived.
There are two ways to further utilize Property 2:
(1) If a slid pair appears, given and , all the 80 master key bits of K can be recovered.
(2) If a slid pair appears, 48 bits of can be determined according to . This can be viewed as a distinguisher to eliminate wrong slid pair candidates.
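The following Python block is an added example, not code from the paper or from ULC's designers; it serves both the key schedule description in Section 3.3 and the argument of this proof. It implements the 80-bit register update exactly as described (Sbox on the four most significant bits, left rotation by 61, top 64 bits read out) and, alongside it, runs the same schedule symbolically so that every round key bit carries the set of master key bits it depends on and the number of Sboxes it has passed. That provenance is what lets a round key be inverted bit by bit: a bit with no Sbox on its path is a master key bit, and a complete four-bit Sbox output is inverted with Sbox^−1. The block goes slightly beyond the text in that it recovers master key bits from any collection of round keys, not only the two used in Property 2. Assumptions made here: PRESENT's Sbox stands in for the ULC Sbox, which the text does not list; the round key is read after each register update; the split between shifted-only and Sbox bits that the tracker reports follows from those conventions, whereas the proof above states its own figures under the paper's round numbering.

```python
# Added example (not from the paper): PRESENT-style key schedule of ULC as described,
# plus a provenance tracker that inverts round keys back to master key bits.
import random

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]   # PRESENT S-box, stand-in for the ULC S-box (assumption)
INV_SBOX = [SBOX.index(v) for v in range(16)]
REG_BITS, RK_BITS, ROT = 80, 64, 61               # register size, round key size, left rotation


def key_schedule(master_key, rounds):
    """Return the list of 64-bit round keys (ints) for an 80-bit master key (int)."""
    mask = (1 << REG_BITS) - 1
    reg = master_key & mask
    round_keys = []
    for _ in range(rounds):
        top = (reg >> 76) & 0xF                                   # k79..k76
        reg = (reg & ~(0xF << 76)) | (SBOX[top] << 76)            # (1) S-box on the top nibble
        reg = ((reg << ROT) | (reg >> (REG_BITS - ROT))) & mask   # (2) rotate left by 61
        round_keys.append(reg >> (REG_BITS - RK_BITS))            # (3) top 64 bits are the round key
    return round_keys


def track_provenance(rounds):
    """Run the schedule symbolically. Slot i holds (master bit positions it depends on, S-box depth)."""
    reg = [(frozenset([i]), 0) for i in range(REG_BITS)]
    for _ in range(rounds):
        group = [reg[i] for i in range(76, 80)]
        origins = frozenset().union(*(o for o, _ in group))
        depth = max(d for _, d in group) + 1
        for i in range(76, 80):
            reg[i] = (origins, depth)            # each S-box output bit depends on all four inputs
        reg = [reg[(j + REG_BITS - ROT) % REG_BITS] for j in range(REG_BITS)]   # new[j] = old[j + 19]
    return reg[REG_BITS - RK_BITS:]              # slots 16..79, i.e. round key bit 0..63


def classify_round_key(rounds):
    """(bits coming from rotation only, bits through exactly one S-box, bits through more)."""
    rk = track_provenance(rounds)
    plain = sum(1 for _, d in rk if d == 0)
    single = sum(1 for _, d in rk if d == 1)
    return plain, single, len(rk) - plain - single


def recover_master_bits(round_key, rounds):
    """Invert one round key: {master bit position: value} for every bit it determines alone."""
    known, groups = {}, {}
    rk_bit = lambda slot: (round_key >> slot) & 1
    for slot, (origins, depth) in enumerate(track_provenance(rounds)):
        if depth == 0:
            (origin,) = tuple(origins)
            known[origin] = rk_bit(slot)         # shifted only: copy the bit
        elif depth == 1:
            groups.setdefault(origins, []).append(slot)
    for origins, slots in groups.items():
        if len(slots) != 4:
            continue                             # S-box output only partly visible: not invertible here
        slots.sort()                             # lowest slot is the LSB of the S-box output nibble
        out_nibble = sum(rk_bit(s) << i for i, s in enumerate(slots))
        in_nibble = INV_SBOX[out_nibble]         # apply S-box^-1 to the whole nibble
        low = min(origins)                       # the four input bits are consecutive master key bits
        for i in range(4):
            known[low + i] = (in_nibble >> i) & 1
    return known


def recover_master_key(observations):
    """Combine (round_key, rounds) observations; return (reconstructed key, number of known bits)."""
    known = {}
    for rk, rounds in observations:
        known.update(recover_master_bits(rk, rounds))
    return sum(bit << pos for pos, bit in known.items()), len(known)


def demo(seed=1):
    """Constructed run: random master key, round keys after 1 and after 16 updates."""
    rng = random.Random(seed)
    key = rng.getrandbits(REG_BITS)
    rks = key_schedule(key, 16)
    recovered, n_bits = recover_master_key([(rks[0], 1), (rks[15], 16)])
    return recovered == key, n_bits


if __name__ == "__main__":
    print("round key after 16 updates (rotation-only, one S-box, deeper):", classify_round_key(16))
    print("master key recovered from two round keys, bits known:", demo())
```

Because only one nibble passes through an Sbox per update and the rotation by 61 never brings a nibble back under the Sbox within 20 updates, no round key bit of the first 16 updates has depth greater than one; that is the structural reason a single Sbox^−1 suffices in the proof, and a schedule that mixed more bits per update would remove the shortcut.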

5. Key Recovery Attack on ULC

In this section, a key recovery attack on ULC is proposed based on the properties in Section 4. With our method, the full-round ULC can be attacked and all 80 master key bits can be recovered. The details of the attack are illustrated in Algorithm 1.

Input: randomly choose an 80-bit master key K;
Output: the recovered 80-bit master key.
Preliminary:
randomly choose 2^32 plaintext-ciphertext pairs (Pi, Ci) (encrypted with K) to construct a set δ;
set related key .
Step 1. Choose two plaintext-ciphertext pairs (Pi, Ci) and (Pj, Cj) from δ;
Step 2. Calculate , ;
Step 3. Suppose (Pi, Pj) is a slid pair. Calculate , . Test whether the relationship between and satisfies equation (4) in Property 2.
(a) If the relationship of and satisfies the condition, recover 80-bit K″ according to Property 2, and go to Step 5.
(b) Otherwise, go to Step 1.
Step 4. Suppose (Pj, Pi) is a slid pair. Calculate , . Test whether the relationship between and satisfies equation (5) in Property 2.
(a) If the relationship of and satisfies the condition, recover 80-bit K″ according to Property 2 and go to Step 5.
(b) Otherwise, go to Step 1.
Step 5. Encrypt Pi with K″ to derive the ciphertext .
(a) If , K″ is the correct master key; output K″;
(b) Otherwise, go to Step 1.

The target of Algorithm 1 is to recover the master key K. There are two preconditions. The first one is a set δ consisting of 2^32 plaintext-ciphertext pairs encrypted with the master key K, and the second one is a related key K′. In our attack, we regard the two chosen plaintexts Pi and Pj as potential slid pairs in both orders, i.e., both (Pi, Pj) and (Pj, Pi) are potential slid pairs. This strategy roughly doubles the search efficiency.

The general procedure of the attack is as follows: first, we choose two plaintexts from the set δ and regard them as two potential slid pairs. We use the two properties in Section 4 to eliminate the non-slid pairs and recover the 80-bit master key as a key candidate. Then we test the remaining key candidates with a plaintext-ciphertext pair to guarantee the correctness of the recovered master key. To sum up, the complexities of our attack are summarized in Table 2.

5.1. Complexity Analysis

With Algorithm 1, we can recover all the 80 master key bits. As the slide attack has no constraint on the number of rounds, our attack can be applied to an arbitrary number of rounds. In this paper, as ULC has a total of 15 rounds, we set the number of attacked rounds to 15 as well.

As our attack needs 2^32 plaintext-ciphertext pairs, the data complexity is O(2^32) and the memory complexity is also O(2^32), which is used to store these pairs. According to the birthday paradox, the success probability of the attack is about 63%. There are altogether 2^32 (2^32 − 1)/2 ≈ 2^63 different pairs (Pi, Pj) originating from δ. So, the time complexity of our attack is O(2^63).

In addition, if the slid pair does not occur, and can be viewed as random. This implies that if we use (5) of Property 2 as a distinguisher and the slid pair does not occur, the probability that a wrong key candidate passes the test of the distinguisher is about 2^−48. This means we still need an extra plaintext-ciphertext pair to eliminate all the possible wrong key candidates, and this is realized by Step 5 of Algorithm 1.

6. Conclusion

In this paper, a related key slide attack on full-round ULC is proposed. As a first step, a property of ULC is presented to characterize a slid pair on ULC. As a second step, a relationship between some first round, last round, and master key bits is constructed. Finally, we propose a key recovery attack based on these two properties. Our attack covers the full-round cipher and recovers all the 80 master key bits. For improving the security of ULC, on the one hand, since the security margin of ULC is too small, the total number of rounds should be increased. On the other hand, to protect ULC from slide attacks, at least different constants should be added for each round. As related keys are a relatively strong condition for cryptanalysis, better single key attacks can be explored, which is left as future work.

Data Availability

All the data included in this study are available upon request by contacting the corresponding author.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was partially supported by the National Natural Science Foundation of China under Grant nos. 61802437, 62102448, 61972248, and 61902428 and China Postdoctoral Science Foundation under Grant no. 2020M681314.