Practical-time related-key attack on Hummingbird-2
Hummingbird-2, designed by Engels et al., is a lightweight cipher with built-in MAC functionality. In this study, the authors examine the security of Hummingbird-2 in the related-key model. First, the authors define a new cryptographic notion of an S-box, called combination points, based on its differential equation, and demonstrate some properties of combination points. A potential application of the new notion is to recover some partial input of an S-box, and the authors show this on Hummingbird-2 by recovering some internal state bits. Then, by carefully studying the differential distributions of the S-boxes, a set of key dependent S-boxes can be derived and be used to recover the subkey word of Hummingbird-2. At last, by the divide and conquer strategy, all the 128 key bits can be recovered with a complexity of 240, which is much lower than that (264) of the attack at FSE 2013. The attack has been fully implemented on a PC and the secret key has been recovered in a few hours. The results provide some new insights into the design of cryptographic S-boxes.