Abstract
Lightweight cryptography aims to provide sufficient security with low area/power/energy requirements for constrained devices. In this paper, we focus on the lightweight encryption algorithm specified and approved in NRS 009-6-7:2002 by the Electricity Suppliers Liaison Committee to be used with tokens in prepayment electricity dispensing systems in South Africa. The algorithm is a 16-round SP network with a 64-bit key using two 4-to-4 bit S-boxes and a 64-bit permutation. The S-boxes and the permutation are kept secret and provided only to the manufacturers of the system under license conditions. We present related-key slide attacks to recover the secret key and secret components using four scenarios: (i) known S-box and permutation with $2^{48}$ time complexity using $2^{16}$ chosen plaintexts; (ii) unknown S-box and known permutation with $2^{55}$ time complexity using $2^{22.71}$ chosen plaintexts; (iii) known S-box and unknown permutation with $2^{48}$ time complexity using $2^{16}$ chosen plaintexts and $2^{12.28}$ adaptively chosen plaintexts; and finally, (iv) unknown S-box and permutation, with $2^{48}$ time complexity using $2^{22.71}$ chosen plaintexts and $2^{31.29}$ adaptively chosen plaintexts. We also extend these attacks to recover the secret components in a chosen-key setting with practical complexities.