文摘
The Welch-Gong (WG) family of stream ciphers include two subfamilies, which we call WG-A and WG-B, of patented (ultra-)lightweight ciphers designed by Gong et al. The Waterloo Commercialization Office, Canada, has included the WG-A in an RFID anti-counterfeiting system and has proposed the WG-B for securing 4G networks. The WG-A and WG-B ciphers support 80- and 128-bit keys, respectively. In this paper, we detect input-output correlations in the nonlinear transformations used by these ciphers. Exploiting these, we show distinguishing attacks that require, to nearly ensure success, between \(2^{22.20}\) and \(2^{29.07}\) keystream samples for WG-A and not more than \(2^{56.84}\) keystream samples for WG-B. We are not aware of any prior attacks on these ciphers.