SLIDE 1

Multiple Differential Cryptanalysis of Round-Reduced Prince

Anne Canteaut¹, Thomas Fuhr², Henri Gilbert², María Naya-Plasencia¹, Jean-René Reinhard²

¹ INRIA, France
² ANSSI, France

FSE 2014 - March 5, 2014

Canteaut, Fuhr, Gilbert, Naya-Plasencia, Reinhard Cryptanalysis of Prince FSE 2014 1 / 17

SLIDE 2

Introduction

PRINCE

Low latency lightweight blockcipher
Published by Borghoff et al. at Asiacrypt 2012
64-bit blocks, 128-bit keys
12-round SP Network
Security claim:
  No attack with Data × Time ≤ 2^126
  Due to the specific structure of the cipher

SLIDE 3

Introduction

PRINCE - General structure

FX Construction
[Figure: FX construction, with labels m, k0, k1, PRINCEcore, P(k0), c]
PRINCEcore: internal keyed permutation using a 64-bit key
P(k0) = (k0 ≫ 1) ⊕ (k0 ≫ 63)
2 × 64 = 128-bit key (k0, k1)
Generic attack in DT = 2^126

SLIDE 4

Introduction

Cryptanalyses of PRINCE

Several related publications
  [AbedLL12]: biclique attack on 12 rounds of PRINCEcore
  [JeanNPWW13]: integral attack on 6 rounds
  [SoleimanyBYWNZZW13]: reflection attack on 6 rounds
  [CanteautNV13]: sieve-in-the-middle on 8 rounds
  [LiJW13]: meet-in-the-middle on 9 rounds

Our results
  9-round PRINCE: DT = 2^98.1
  10-round PRINCE: DT = 2^118.6
  11-round PRINCE with modified S-box: up to DT = 2^122.2
    S-box choice allowed by the designers

SLIDE 5

Description of Prince

PRINCEcore - Description

No key schedule
5 rounds, 2 middle rounds, 5 inverse rounds
  S: 4 → 4 S-box layer
  MC: Involutive linear diffusion layer
  SR: Wire-crossing operation
Use of a constant α
  E_k = (E_{k⊕α})^-1

[Figure: round structure. Forward rounds S, MC, SR with round keys k ⊕ RC0, k ⊕ RC1, ..., k ⊕ RC5; middle rounds S, MC, S^-1; inverse rounds SR^-1, MC, S^-1 with round keys k ⊕ RC5 ⊕ α, ..., k ⊕ RC1 ⊕ α, k ⊕ RC0 ⊕ α]

SLIDE 6

Description of Prince

PRINCE block representation

Representation of the block using a 4 × 4 nibble array ...
[Figure labels: Column, Row]

... or using a 4 × 16 bit array
[Figure labels: Nibble, Row, Slice, Column]

SLIDE 7

Description of Prince

PRINCEcore round transformation

Substitution layer S
  16 identical 4-bit to 4-bit S-boxes working on nibbles
  A specific choice for PRINCE
  8 affine equivalent classes allowed by the authors (family of ciphers)

Linear layer L composed of
  Involutive linear diffusion (MixColumns): composition of
    "Mirror" on the rows: (r0, r1, r2, r3) ← (r3, r2, r1, r0)
    Addition of a parity bit: ri ← ri ⊕ (r0 ⊕ r1 ⊕ r2 ⊕ r3)
    Slice-wise rotations by 0, 1, 2 or 3 positions
  Wire-crossing (ShiftRows): similar to AES ShiftRows

SLIDE 8

Differential properties of PRINCEcore

Principle of our attack

Study of the differential properties of PRINCEcore
Aggregation of several differentials on up to 6 rounds
  Cancellation of differences on the parity bits
  Use of iterative differential patterns
Extension to a key recovery attack on 10 rounds
Generalization with different S-boxes
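
The parity cancellation listed above can be checked on a single column. The following is an added example, not code from the talk or from the PRINCE designers: it models the column diffusion with the mirror / parity / slice-rotation decomposition from the round-transformation slide. The row and bit numbering, the selector t for the two matrix variants, and the choice of pairing two rows that are two apart are assumptions of the example.

```python
import random

D1, D2 = {1, 4, 5}, {2, 8, 10}   # difference sets ∆1 and ∆2 from the slides

def mix_column(col, t):
    """Diffusion on one column of 4 nibbles (list index = row).

    For each bit slice m, the slice parity is XORed into a mirrored and
    rotated copy of the slice: output row j reads input row (m - j - t) mod 4.
    Assumptions: m = 0 is the least significant bit, t in {0, 1} selects
    one of the two 16-bit matrix variants.
    """
    out = [0, 0, 0, 0]
    for m in range(4):
        bits = [(col[i] >> m) & 1 for i in range(4)]
        parity = bits[0] ^ bits[1] ^ bits[2] ^ bits[3]
        for j in range(4):
            out[j] |= (parity ^ bits[(m - j - t) % 4]) << m
    return out

def active(col):
    """Number of nibbles carrying a non-zero difference."""
    return sum(1 for nibble in col if nibble)

def is_involution(trials=1000, seed=1):
    """Check mix_column(mix_column(x)) == x on random columns (constructed inputs)."""
    rng = random.Random(seed)
    for _ in range(trials):
        col = [rng.randrange(16) for _ in range(4)]
        if any(mix_column(mix_column(col, t), t) != col for t in (0, 1)):
            return False
    return True

def pair_difference(delta, row, t):
    """Output difference when rows `row` and `row + 2` both carry `delta`.

    The layer is linear, so a difference maps to mix_column(difference).
    """
    diff = [0, 0, 0, 0]
    diff[row] = diff[(row + 2) % 4] = delta
    return mix_column(diff, t)

if __name__ == "__main__":
    for delta in sorted(D1 | D2):
        print(hex(delta), pair_difference(delta, 0, 0))
    # Unequal differences: the parity of slice 2 does not cancel.
    print("unequal pair (1, 5):", mix_column([1, 0, 5, 0], 0))
```

With t = 0, an equal pair from ∆1 stays on its two rows and an equal pair from ∆2 moves to the other two rows, in both cases with the difference value unchanged. The unequal pair (1, 5) leaves the parity of one slice uncancelled and activates all four nibbles of the column.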

SLIDE 13

Differential properties of PRINCEcore

A key observation on differences

[Figure: Linear Layer of PRINCE (MixColumns, ShiftRows), with the rotations ≪ 3, ≪ 2, ≪ 1 repeated four times; label: Difference]

The same 4 active nibbles

SLIDE 18

Differential properties of PRINCEcore

A key observation on differences

[Figure: Linear Layer of PRINCE (MixColumns, ShiftRows), with the rotations ≪ 3, ≪ 2, ≪ 1 repeated four times; label: Difference]

Another square active pattern

SLIDE 19

Differential properties of PRINCEcore

1-round differentials on square patterns

δ1, δ2 ∈ (∆1 × ∆2) ∪ (∆2 × ∆1) with ∆1 = {1, 4, 5}, ∆2 = {2, 8, 10}
18 admissible differences after each S-box layer

[Figure: four panels of square patterns; in each, the active nibbles carry δ1, δ2, δ2, δ1 before the S-box layer S and δ′1, δ′2 after it, with the pairs taken from ∆1 × ∆2 or ∆2 × ∆1]

SLIDE 20

Differential properties of PRINCEcore

Differentials over several rounds

On several rounds: aggregation of differential trails on square patterns
Complexity evaluation
  Under the classical assumption that round keys are independent
  Multiplication of probabilities of 1-round differentials
  Addition of probabilities of aggregated trails
  Middle rounds: no key addition between 2 S-box layers ⇒ treated as a layer of 4 S-boxes on 16 bits

SLIDE 21

Differential properties of PRINCEcore

Differentials for round-reduced PRINCE

Most probable differentials found
  Original PRINCE: 2^-47.42 on 5 rounds, 2^-56.42 on 6 rounds
  PRINCE, modified S-box: 2^-50 on 6 rounds, 2^-58 on 7 rounds

x     1 2 3 4 5 6 7 8 9 A B C D E F
S[x]  A 6 5 8 D 3 4 7 C 2 E 9 F B 1

Experimental validation
  Random choice of keys
  Exhaustive search for pairs following one of our differential trails

SLIDE 23

Extension to a key recovery attack

Extension by four rounds

[Figure: Plaintext, S, L, S, difference δin, differential over r S-box layers S and r + 1 linear layers L, difference δout, S^-1, L^-1, S^-1, Ciphertext; active nibbles labelled δ1, δ1, δ2, δ2 and δ′1, δ′1, δ′2, δ′2]

Key additions do not modify differences
Observation: no full diffusion after two rounds

SLIDE 26

Extension to a key recovery attack

A criterion for key recovery

Input: a differential (δin, δout) and encryption under k∗
Build structures of 2^32 plaintexts Pi
  Exhaustive on columns 0 and 2, fixed value on columns 1 and 3
  Consider pairs (Pi, Pj) s.t. ciphertexts (Ci, Cj) collide on columns 1 and 3
In Ns structures: Ns × 2^63 × 2^-32 = 2^31 Ns such pairs
For each key guess k: how many pairs lead to (δin, δout)?

[Figure: encryption under k∗; an r-round differential from δin to δout between two S ◦ L ◦ S layers, each labelled k??]

SLIDE 32

Extension to a key recovery attack

A criterion for key recovery

For a wrong guess: 2^-33 Ns pairs
  [Figure: 2^31 Ns pairs; labels δin, δout with factors 2^-32 and 2^-32]

For k∗: 2^31 Ns × Pr[δin → δout] pairs
  [Figure: 2^31 Ns pairs; labels δin, δout with factors Pr[δin → δout] and 1]

Useful property if Pr[δin → δout] ≫ 2^-64

SLIDE 34

Extension to a key recovery attack

Key recovery - Putting it together

Only 66 out of 128 bits involved in the guess
An efficient precomputation-based algorithm to recover possible 66-bit partial keys from (Pi, Pj, Ci, Cj)
Use of several (|δ|) differentials to limit the amount of data
A similar distinguisher with differences on columns 1 and 3
  → Second iteration of the previous step
Try all possible keys whose score reaches some threshold τ in both steps

SLIDE 35

Conclusion

Our results

Estimation of the number of remaining wrong keys: based on [BlondeauGerard12]
Theoretical evaluation, success probability of 0.5 in each selection step

Cipher    Rounds  |δ|  τ  Data    Time    Memory  D × T
Original  9       40   3  2^46.9  2^51.2  2^51.2  2^98.1
Original  10      12   6  2^57.9  2^60.7  2^60.5  2^118.6
Modified  10      12   3  2^50.4  2^53.6  2^53    2^104
Modified  11      12   8  2^59.8  2^62.4  2^62.4  2^122.2

Best known attack on PRINCE
  Breaks up to 10 rounds of the original cipher and up to 11 rounds for some other S-box choice

Highlights that the security margin offered is small
