DocumentCode :
64966
Title :
Recursive Linear and Differential Cryptanalysis of Ultralightweight Authentication Protocols
Author :
Ahmadian, Zahra ; Salmasizadeh, Mahmoud ; Aref, Mohammad Reza
Author_Institution :
Dept. of Electr. Eng., Sharif Univ. of Technol., Tehran, Iran
Volume :
8
Issue :
7
fYear :
2013
fDate :
Jul-13
Firstpage :
1140
Lastpage :
1151
Abstract :
Privacy is faced with serious challenges in the ubiquitous computing world. In order to handle this problem, some researchers in recent years have focused on design and analysis of privacy-friendly ultralightweight authentication protocols. Although the majority of these schemes have been broken to a greater or lesser extent, most of these attacks are based on ad-hoc methods that are not extensible to a large class of ultralightweight protocols. So this research area still suffers from the lack of structured cryptanalysis and evaluation methods. In this paper, we introduce new frameworks for full disclosure attacks on ultralightweight authentication protocols based on new concepts of recursive linear and recursive differential cryptanalysis. The recursive linear attack is passive, deterministic, and requires only a single authentication session, if it can be applied successfully. The recursive differential attack is more powerful and can be applied to the protocols on which the linear attack may not work. This attack is probabilistic, active in the sense that the attacker suffices only to block some specific messages, and requires a few authentication sessions. Having introduced these frameworks in a general view, we apply them on some well-known ultralightweight protocols. The first attack can retrieve all the secret data of Yeh and SLMAP authentication protocols and the second one can retrieve all the secret data of LMAP++, SASI, and David-Prasad authentication protocols.
Keywords :
cryptographic protocols; David-Prasad authentication protocols; LMAP++ authentication protocols; SASI authentication protocols; SLMAP authentication protocols; Yeh authentication protocols; ad-hoc methods; privacy-friendly ultralightweight authentication protocol design; recursive differential cryptanalysis; recursive linear attack; recursive linear cryptanalysis; structured cryptanalysis evaluation methods; ubiquitous computing; ultralightweight authentication protocol analysis; Authentication; Cryptography; Equations; Indexes; Mathematical model; Privacy; Protocols; RFID technology; system of linear equations; triangular functions; ultralightweight authentication protocols;
fLanguage :
English
Journal_Title :
Information Forensics and Security, IEEE Transactions on
Publisher :
IEEE
ISSN :
1556-6013
Type :
jour
DOI :
10.1109/TIFS.2013.2263499
Filename :
6516963
Link To Document :