Related-Key Slide Attacks on Block Ciphers with Secret Components

Lightweight cryptography aims to provide sufficient security with low area/power/energy requirements for constrained devices. In this paper, we focus on the lightweight encryption algorithm specified and approved in NRS 009-6-7:2002 by Electricity Suppliers Liaison Committee to be used with tokens in prepayment electricity dispensing systems in South Africa. The algorithm is a 16-round SP network with two 4-to-4 bit S-boxes and a 64-bit permutation. The S-boxes and the permutation are kept secret and provided only to the manufacturers of the system under license conditions. We present related-key slide attacks to recover the secret key and secret components using four scenarios; (i) known S-box and permutation with 2 time complexity using 2 + 1 chosen plaintexts; (ii) unknown S-box and known permutation with 2 time complexity using 2 + 1 chosen plaintexts; (iii) known S-box and unknown permutation with 2 time complexity using 2 + 1 chosen plaintexts and 2 adaptively chosen plaintexts; and finally, (iv) unknown S-box and permutation, with 2 time complexity using 2 + 1 chosen plaintexts and 2 adaptively chosen plaintexts. We also extend these attacks to recover the secret components in a chosen-key setting with practical complexities.