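% Conference paper: cryptanalysis of the A2U2 stream cipher (56-bit key), LNCS 7089.
% Abstract: the attack costs read "249" and "238" in the exported record; for a
% 56-bit key these are flattened superscripts and are restored as 2^{49} and 2^{38}.
% booktitle reuses the value the export had placed in `series`; the full
% proceedings title is not part of this record (TODO confirm against the publisher page).
@inproceedings{AbdelraheemBorghoffZenneretal.2011,
  author        = {Abdelraheem, Mohamed Ahmed and Borghoff, Julia and Zenner, Erik and David, Mathieu},
  title         = {Cryptanalysis of the Light-Weight Cipher {A2U2}},
  booktitle     = {Cryptography and Coding},
  editor        = {Chen, Liqun},
  series        = {Lecture Notes in Computer Science},
  volume        = {7089},
  publisher     = {Springer},
  address       = {Berlin, Heidelberg},
  organization  = {IMACC},
  pages         = {375--390},
  year          = {2011},
  isbn          = {978-3-642-25515-1},
  issn          = {0302-9743},
  doi           = {10.1007/978-3-642-25516-8_23},
  language      = {en},
  internal-note = {ISBN is for the softcover edition},
  abstract      = {In recent years, light-weight cryptography has received a lot of attention. Many primitives suitable for resource-restricted hardware platforms have been proposed. In this paper, we present a cryptanalysis of the new stream cipher A2U2 presented at IEEE RFID 2011 [9] that has a key length of 56 bit. We start by disproving and then repairing an extremely efficient attack presented by Chai et al. [8], showing that A2U2 can be broken in less than a second in the chosen-plaintext case. We then turn our attention to the more challenging known-plaintext case and propose a number of attacks. A guess-and-determine approach combined with algebraic cryptanalysis yields an attack that requires about $2^{49}$ internal guesses. We also show how to determine the 5-bit counter key and how to reconstruct the 56-bit key in about $2^{38}$ steps if the attacker can freely choose the IV. Furthermore, we investigate the possibility of exploiting the knowledge of a ``noisy keystream'' by solving a Max-PoSSo problem. We conclude that the cipher needs to be repaired and point out a number of simple measures that would prevent the above attacks.},
}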