Differential cryptanalysis of full-round ANU-II ultra-lightweight block cipher

Abstract

Lightweight ciphers are often used as the underlying encryption algorithm in resource-constrained devices. Their cryptographic security is a mandatory goal for ensuring the security of data transmission. Differential cryptanalysis is one of the most fundamental methods applicable primarily to block ciphers, and the resistance against this type of cryptanalysis is a necessary design criterion. ANU-II is an ultra-lightweight block cipher proposed in 2017, whose design offers many advantages such as the use of fewer hardware resources (logic gates), low power consumption and fast encryption for Internet of Things devices. The designers of ANU-II claimed its resistance against differential cryptanalysis and postulated that the design is safe enough for Internet of Things devices. However, as addressed in this article, the security claims made by designers appear not to be well grounded. Using mixed-integer linear programming–like techniques, we identify one-round differential characteristic that holds with probability 1, which is then efficiently employed in mounting the key recovery attack on full-round ANU-II with only 22 chosen plaintexts and 262.4 full-round encryptions. The result shows that the designers’ security evaluation of ANU-II against differential cryptanalysis is incorrect and the design rationale is flawed. To remedy this weakness, we provide an improved variant of ANU-II, which has much better resistance to differential cryptanalysis without affecting the hardware and/or software implementation cost.