Reflection Cryptanalysis of PRINCE-like Ciphers Hadi Soleimany 1 , - - PowerPoint PPT Presentation

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Reflection Cryptanalysis of PRINCE-like Ciphers

Hadi Soleimany1, Céline Blondeau1, Xiaoli Yu2,3, Wenling Wu2, Kaisa Nyberg1, Huiling Zhang2, Lei Zhang2, Yanfeng Wang2

1Department of Information and Computer Science,

Aalto University School of Science, Finland

2Institute of Software, Chinese Academy of Sciences, P. R. China 3Graduate University of Chinese Academy of Sciences, P. R. China

FSE 2013

1 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Outline

1

Description of PRINCE-like Ciphers

2

Distinguishers

3

Key Recovery

4

Various Classes of α-reflection

5

Conclusions

2 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

1

Description of PRINCE-like Ciphers

2

Distinguishers

3

Key Recovery

4

Various Classes of α-reflection

5

Conclusions

3 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Description of PRINCE-like cipher

Low-latency SPN block cipher was proposed at ASIACRYPT2012.

3 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Description of PRINCE-like cipher

Low-latency SPN block cipher was proposed at ASIACRYPT2012. Based on the so-called FX construction

3 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Description of PRINCE-like cipher

Low-latency SPN block cipher was proposed at ASIACRYPT2012. Based on the so-called FX construction The key is split into two parts of n bits k = k0||k1. PRINCEcore

✲ ✲ ❝ ❄

k0

❝ ❄

k′

3 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Description of PRINCE-like cipher

Low-latency SPN block cipher was proposed at ASIACRYPT2012. Based on the so-called FX construction The key is split into two parts of n bits k = k0||k1. PRINCEcore

✲ ✲ ❝ ❄

k0

❝ ❄

k′ k′

0 = (k0 ≫ 1) ⊕ (k0 ≫ (n − 1))

3 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Description of PRINCE-like cipher

Low-latency SPN block cipher was proposed at ASIACRYPT2012. Based on the so-called FX construction The key is split into two parts of n bits k = k0||k1. PRINCEcore

✲ ✲ ❝ ❄

k0

❝ ❄

k′ k′

0 = (k0 ≫ 1) ⊕ (k0 ≫ (n − 1))

With a property called α-reflection: D(k0||k′

0||k1)() = E(k′ 0||k0||k1 ⊕ α)()

3 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Description of PRINCE-like cipher

Low-latency SPN block cipher was proposed at ASIACRYPT2012. Based on the so-called FX construction The key is split into two parts of n bits k = k0||k1. PRINCEcore

✲ ✲ ❝ ❄

k0

❝ ❄

k′ k′

0 = (k0 ≫ 1) ⊕ (k0 ≫ (n − 1))

With a property called α-reflection: D(k0||k′

0||k1)() = E(k′ 0||k0||k1 ⊕ α)()

Independently of the value of α, the designers showed that PRINCE is secure against known attacks.

3 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Description of PRINCE-like Cipher

✲ ✲ ✲S−1

M′ S

❝ ✻

k1

❝ ❄ RC6 ✲ ❝ ❄ RC7 ❝ ✻

k1

The 2 midmost rounds

4 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Description of PRINCE-like Cipher

✲ ✲ ✲S−1

M′ S

❝ ✻

k1

❝ ❄ RC6 ✲ ❝ ❄ RC7 ❝ ✻

k1

✲ ❄ ❄ ❄ ❄ ❄ ✲ ✲ ✲ ✲ ✻ ✻ ✻ ✻ ✻

k1 k1 k1 k1 k1 R1 R2 R3 R4 R5

RC1 RC2 RC3 RC4 RC5 ❄ ❄ ❄ ❄ ❄ ✲ ✲ ✲ ✲ ✻ ✻ ✻ ✻ ✻

k1 k1 k1 k1 k1 R8 R9 R10 R11 R12

RC8 RC9 RC10 RC11 RC12 ✲

Total 12 rounds

4 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Description of PRINCE-like Cipher

✲ ✲ ✲S−1

M′ S

❝ ✻

k1

❝ ❄ RC6 ✲ ❝ ❄ RC7 ❝ ✻

k1

✲ ❄ ❄ ❄ ❄ ❄ ✲ ✲ ✲ ✲ ✻ ✻ ✻ ✻ ✻

k1 k1 k1 k1 k1 R1 R2 R3 R4 R5

RC1 RC2 RC3 RC4 RC5 ❄ ❄ ❄ ❄ ❄ ✲ ✲ ✲ ✲ ✻ ✻ ✻ ✻ ✻

k1 k1 k1 k1 k1 R8 R9 R10 R11 R12

RC8 RC9 RC10 RC11 RC12 ✲ ✲ ✲ ✲ ❝ ✻

k1

❝ ❄ RCr

M S

✁ ✁ ✁ ✁ ✁ ✁ ✁ ❆ ❆ ❆ ❆ ❆ ❆ ❆

The first rounds

4 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Description of PRINCE-like Cipher

✲ ✲ ✲S−1

M′ S

❝ ✻

k1

❝ ❄ RC6 ✲ ❝ ❄ RC7 ❝ ✻

k1

✲ ❄ ❄ ❄ ❄ ❄ ✲ ✲ ✲ ✲ ✻ ✻ ✻ ✻ ✻

k1 k1 k1 k1 k1 R1 R2 R3 R4 R5

RC1 RC2 RC3 RC4 RC5 ❄ ❄ ❄ ❄ ❄ ✲ ✲ ✲ ✲ ✻ ✻ ✻ ✻ ✻

k1 k1 k1 k1 k1 R8 R9 R10 R11 R12

RC8 RC9 RC10 RC11 RC12 ✲ ✲ ✲ ✲ ❝ ✻

k1

❝ ❄ RCr

M S

✁ ✁ ✁ ✁ ✁ ✁ ✁ ❆ ❆ ❆ ❆ ❆ ❆ ❆ ✲ ✲ ✲ ❝ ❄ RCr

S−1 M−1

❝ ✻

k1

✁ ✁ ✁ ✁ ✁ ✁ ✁ ❆ ❆ ❆ ❆ ❆ ❆ ❆

The last rounds

4 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Description of PRINCE-like Cipher

✲ ✲ ✲S−1

M′ S

❝ ✻

k1

❝ ❄ RC6 ✲ ❝ ❄ RC7 ❝ ✻

k1

✲ ❄ ❄ ❄ ❄ ❄ ✲ ✲ ✲ ✲ ✻ ✻ ✻ ✻ ✻

k1 k1 k1 k1 k1 R1 R2 R3 R4 R5

RC1 RC2 RC3 RC4 RC5 ❄ ❄ ❄ ❄ ❄ ✲ ✲ ✲ ✲ ✻ ✻ ✻ ✻ ✻

k1 k1 k1 k1 k1 R8 R9 R10 R11 R12

RC8 RC9 RC10 RC11 RC12 ✲ ✲ ✲ ✲ ❝ ✻

k1

❝ ❄ RCr

M S

✁ ✁ ✁ ✁ ✁ ✁ ✁ ❆ ❆ ❆ ❆ ❆ ❆ ❆ ✲ ✲ ✲ ❝ ❄ RCr

S−1 M−1

❝ ✻

k1

✁ ✁ ✁ ✁ ✁ ✁ ✁ ❆ ❆ ❆ ❆ ❆ ❆ ❆

Related constants: RC2R−r+1 = RCr ⊕ α, for all r = 1, . . . , 2R

4 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Description of PRINCE-like Cipher

✲ ✲ ✲S−1

M′ S

❝ ✻

k1

❝ ❄ RC6 ✲ ❝ ❄ RC7 ❝ ✻

k1

✲ ❄ ❄ ❄ ❄ ❄ ✲ ✲ ✲ ✲ ✻ ✻ ✻ ✻ ✻

k1 k1 k1 k1 k1 R1 R2 R3 R4 R5

RC1 RC2 RC3 RC4 RC5 ❄ ❄ ❄ ❄ ❄ ✲ ✲ ✲ ✲ ✻ ✻ ✻ ✻ ✻

k1 k1 k1 k1 k1 R8 R9 R10 R11 R12

RC8 RC9 RC10 RC11 RC12 ✲ ✲ ✲ ✲ ❝ ✻

k1

❝ ❄ RCr

M S

✁ ✁ ✁ ✁ ✁ ✁ ✁ ❆ ❆ ❆ ❆ ❆ ❆ ❆ ✲ ✲ ✲ ❝ ❄ RCr

S−1 M−1

❝ ✻

k1

✁ ✁ ✁ ✁ ✁ ✁ ✁ ❆ ❆ ❆ ❆ ❆ ❆ ❆ ❝ ✻

k0

❝ ✻

k′

The whitening key

4 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Description of PRINCE

PRINCE-like cipher with n = 64. Constant is defined as α = 0xc0ac29b7c97c50dd. The S-layer is a non-linear layer where each nibble is processed by the same Sbox.

5 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Description of PRINCE

M′ is an involutory 64 × 64 block diagonal matrix ( ˆ M0, ˆ M1, ˆ M1, ˆ M0).

6 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Description of PRINCE

M′ is an involutory 64 × 64 block diagonal matrix ( ˆ M0, ˆ M1, ˆ M1, ˆ M0).

ˆ M0 =     M0 M1 M2 M3 M1 M2 M3 M0 M2 M3 M0 M1 M3 M0 M1 M2     , ˆ M1 =     M1 M2 M3 M0 M2 M3 M0 M1 M3 M0 M1 M2 M0 M1 M2 M3     .

6 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Description of PRINCE

M′ is an involutory 64 × 64 block diagonal matrix ( ˆ M0, ˆ M1, ˆ M1, ˆ M0).

ˆ M0 =     M0 M1 M2 M3 M1 M2 M3 M0 M2 M3 M0 M1 M3 M0 M1 M2     , ˆ M1 =     M1 M2 M3 M0 M2 M3 M0 M1 M3 M0 M1 M2 M0 M1 M2 M3     .

The second linear matrix M for PRINCE is obtained by composition of M′ and a permutation SR of nibbles by setting M = SR ◦ M′.

6 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

1

Description of PRINCE-like Ciphers

2

Distinguishers

3

Key Recovery

4

Various Classes of α-reflection

5

Conclusions

7 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Previous Works: Reflection Attack

It has been applied on some ciphers and hash functions with Feistel construction (Kara 2008, Bouillaguet et al. 2010).

❄ ❄ ✲ ✲ ❝ ❝ ✘✘✘✘✘✘✘✘ ❳ ❳ ❳ ❳ ❳ ❳ ❳ ❳

F F x x

7 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Previous Works: Reflection Attack

It has been applied on some ciphers and hash functions with Feistel construction (Kara 2008, Bouillaguet et al. 2010).

❄ ❄ ✲ ✲ ❝ ❝ ✘✘✘✘✘✘✘✘ ❳ ❳ ❳ ❳ ❳ ❳ ❳ ❳

F F

k k

x x

7 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Previous Works: Reflection Attack

It has been applied on some ciphers and hash functions with Feistel construction (Kara 2008, Bouillaguet et al. 2010).

❄ ❄ ✲ ✲ ❝ ❝ ✘✘✘✘✘✘✘✘ ❳ ❳ ❳ ❳ ❳ ❳ ❳ ❳

F F

k k

x x y y

7 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Previous Works: Reflection Attack

It has been applied on some ciphers and hash functions with Feistel construction (Kara 2008, Bouillaguet et al. 2010).

❄ ❄ ✲ ✲ ❝ ❝ ✘✘✘✘✘✘✘✘ ❳ ❳ ❳ ❳ ❳ ❳ ❳ ❳

F F

k k

x x x ⊕ y x ⊕ y

✻ ❄

∆ = 0

7 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Previous Works: Reflection Attack

It has been applied on some ciphers and hash functions with Feistel construction (Kara 2008, Bouillaguet et al. 2010).

❄ ❄ ✲ ✲ ❝ ❝ ✘✘✘✘✘✘✘✘ ❳ ❳ ❳ ❳ ❳ ❳ ❳ ❳

F F

k k

x x x ⊕ y x ⊕ y

✻ ❄

∆ = 0 This work Using probabilistic reflection property instead of deterministic approach.

7 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Fixed Points

Definition Let f : A → A be a function on a set A. A point x ∈ A is called a fixed point of the function f if and only if f (x) = x.

8 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Fixed Points

Definition Let f : A → A be a function on a set A. A point x ∈ A is called a fixed point of the function f if and only if f (x) = x. Lemma Let f : Fn

2 → Fn 2 be a linear involution. Then the number of fixed

points of f is greater than or equal to 2n/2.

8 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Fixed Points

Definition Let f : A → A be a function on a set A. A point x ∈ A is called a fixed point of the function f if and only if f (x) = x. Lemma Let f : Fn

2 → Fn 2 be a linear involution. Then the number of fixed

points of f is greater than or equal to 2n/2. Idea Take advantage of α-reflection property and the fact that always fixed points exist in midmost rounds of PRINCE-like ciphers.

8 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Characteristic I1

❝ ✻

RCR

❝ ❄

k1

✲ S ✲

x M′ ✲ x

✲ ✛

Pr[M′(x) = x] S−1

✲ ❝ ✻

RCR ⊕ α

❝ ❄

k1 PI1 = PFM′ = |FM′| 2n .

9 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Characteristic I1

❝ ✻

RCR

❝ ❄

k1

✲ S ✲

x M′ ✲ x

✲ ✛

Pr[M′(x) = x] S−1

✲ ❝ ✻

RCR ⊕ α

❝ ❄

k1

✲ ✛

PI1 = PFM′ = |FM′| 2n .

9 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Characteristic I1

❝ ✻

RCR

❝ ❄

k1

✲ S ✲

x M′ ✲ x

✲ ✛

Pr[M′(x) = x] S−1

✲ ❝ ✻

RCR ⊕ α

❝ ❄

k1

✲ ✛ ✲ ✛

α PI1 = PFM′ = |FM′| 2n .

9 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Characteristic I2

✲ ❝ ✻

RCR−1

❝ ❄

k1 S ✲ M

✲ ❝ ✻

RCR

❝ ❄

k1 S ✲ M′ ✲S−1

✲ ❝ ❄

k1

❝ ✻

RCR ⊕ α M−1✲S−1

✲ ❝ ✻

RCR−1 ⊕ α

❝ ❄

k1

✲ ✛

α

PI2 = 2−n#

• x ∈ Fn

2 | S−1(M′(S(x))) ⊕ x = α

• .

10 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Characteristic I2

✲ ❝ ✻

RCR−1

❝ ❄

k1 S ✲ M

✲ ❝ ✻

RCR

❝ ❄

k1 S ✲ M′ ✲S−1

✲ ❝ ❄

k1

❝ ✻

RCR ⊕ α M−1✲S−1

✲ ❝ ✻

RCR−1 ⊕ α

❝ ❄

k1

✲ ✛

α

✲ ✛

PI2 = 2−n#

• x ∈ Fn

2 | S−1(M′(S(x))) ⊕ x = α

• .

10 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Characteristic I2

✲ ❝ ✻

RCR−1

❝ ❄

k1 S ✲ M

✲ ❝ ✻

RCR

❝ ❄

k1 S ✲ M′ ✲S−1

✲ ❝ ❄

k1

❝ ✻

RCR ⊕ α M−1✲S−1

✲ ❝ ✻

RCR−1 ⊕ α

❝ ❄

k1

✲ ✛

α

✲ ✛ ✲ ✛

α

PI2 = 2−n#

• x ∈ Fn

2 | S−1(M′(S(x))) ⊕ x = α

• .

10 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Characteristic I2

✲ ❝ ✻

RCR−1

❝ ❄

k1 S ✲ M

✲ ❝ ✻

RCR

❝ ❄

k1 S ✲ M′ ✲S−1

✲ ❝ ❄

k1

❝ ✻

RCR ⊕ α M−1✲S−1

✲ ❝ ✻

RCR−1 ⊕ α

❝ ❄

k1

✲ ✛

α

✲ ✛ ✲ ✛

α

If PI2 = 0 then we have impossible differential.

10 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

External Characteristic PCr

RR+v ◦ · ◦ RR−v+1

✟✟ ❍❍ ✲ ✲

k1

RCR, RCR+1 (RCR−1, RCR+2)

✲ ✲ ✲ ❝ ❄

k1 ⊕ RCR−v

✲ ✲ ✲ ❝ ✻

k1 ⊕ RCR+v+1

✲ ✲ ✲ ✲ ❝ ❄

k1 ⊕ RCR−u−v+1

✲ ✲ ❝ ✻

k1 ⊕ RCR+u+v

✲ ✲ ✲ ✲ ❝ ❄

k1 ⊕ RCR−u−v

❝ ✻

k1 ⊕ RCR+u+v+1

M−1 S−1 M−1 S−1 M−1 S−1 M−1 S−1 M−1 S−1 M−1 S−1

✻ ❄

α

✻ ❄ ✻ ❄

∆

❄ ✻

∆∗

11 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

1

Description of PRINCE-like Ciphers

2

Distinguishers

3

Key Recovery

4

Various Classes of α-reflection

5

Conclusions

12 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Key Recovery

P

✲ ❝ ❄

k0

❝ ✻

k1

❝ ❄

RC1 S ✲ M

✲R2R−1 ◦ · · · ◦ R2 ✲M−1✲S−1 ✲ ❝ ❄

RC1 ⊕ α

❝ ✻

k1

❝ ❄

k′ C

12 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Key Recovery

P

✲ ❝ ❄

k0

❝ ✻

k1

❝ ❄

RC1 S ✲ M

✲R2R−1 ◦ · · · ◦ R2 ✲M−1✲S−1 ✲ ❝ ❄

RC1 ⊕ α

❝ ✻

k1

❝ ❄

k′ C

✲ ✛

∆

12 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Key Recovery

P

✲ ❝ ❄

k0

❝ ✻

k1

❝ ❄

RC1 S ✲ M

✲R2R−1 ◦ · · · ◦ R2 ✲M−1✲S−1 ✲ ❝ ❄

RC1 ⊕ α

❝ ✻

k1

❝ ❄

k′ C

✲ ✛

∆

✲ ✛

M−1(∆) = ∆∗

12 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Key Recovery Nibble by Nibble

S S S S . . .

✲ M−1 ◦ R2R−1 ◦ · · · ◦ R2 ◦ M ✲

S−1 S−1 S−1 S−1 . . . . . . P(j) ❝

k0

✲ ✻ ❝

k1

✻ ❝

RC1

✻

C(j)

✛ ❝ ✻

k1

❝

RC2R

✻ ❝ ✻

k′

✲ ✛

∆∗(j)

∆∗(j) = S(P(j) ⊕ k0(j) ⊕ k1(j) ⊕ RC1(j)) ⊕S(C(j) ⊕ k′

0(j) ⊕ k1(j) ⊕ RC2R(j)) 13 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Key Recovery for Passive Nibble

S S S S . . .

✲ M−1 ◦ R2R−1 ◦ · · · ◦ R2 ◦ M ✲

S−1 S−1 S−1 S−1 . . . . . . P(j) ❝

k0

✲ ✻ ❝

k1

✻ ❝

RC1

✻

C(j)

✛ ❝ ✻

k1

❝

RC2R

✻ ❝ ✻

k′

✲ ✛

∆∗(j) = 0

• P(j) ⊕ k0(j) ⊕ C(j) ⊕ k′

0(j) ⊕ α(j) = 0,

The difference after passing through the S-boxes is still zero. The value of k1(j) need not be known.

14 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

1

Description of PRINCE-like Ciphers

2

Distinguishers

3

Key Recovery

4

Various Classes of α-reflection

5

Conclusions

15 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Maximizing Probability PC of Characteristic

To maximize PC we can either use Cancellation idea. Branch and Bound algorithm.

RR+v ◦ · ◦ RR−v+1

✟✟ ❍❍ ✲ ✲

k1

RCR, RCR+1 (RCR−1, RCR+2)

✲ ✲ ✲ ❝ ❄

k1 ⊕ RCR−v

✲ ✲ ✲ ❝ ✻

k1 ⊕ RCR+v+1

✲ ✲ ✲ ✲ ❝ ❄

k1 ⊕ RCR−u−v+1

✲ ✲ ❝ ✻

k1 ⊕ RCR+u+v

✲ ✲ ✲ ✲ ❝ ❄

k1 ⊕ RCR−u−v

❝ ✻

k1 ⊕ RCR+u+v+1

M−1 S−1 M−1 S−1 M−1 S−1 M−1 S−1 M−1 S−1 M−1 S−1

✻ ❄

α

✻ ❄ ✻ ❄

∆

❄ ✻

∆∗

15 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Cancellation Idea

RR+v ◦ · ◦ RR−v+1

✟✟ ❍❍ ✲ ✲

k1

RCR, RCR+1 (RCR−1, RCR+2)

✲ ✲ ✲ ❝ ❄

k1 ⊕ RCR−v

✲ ✲ ✲ ❝ ✻

k1 ⊕ RCR+v+1

✲ ✲ ❝ ❄

k1 ⊕ RCR−v−1

✲ ✲ ❝ ✻

k1 ⊕ RCR+v+2

✲ ✲ ✲ ✲ ✲ ✲

M−1 S−1 M−1 S−1 M−1 S−1 M−1 S−1 M−1 S−1 M−1 S−1

✻ ❄

α

16 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Cancellation Idea

RR+v ◦ · ◦ RR−v+1

✟✟ ❍❍ ✲ ✲

k1

RCR, RCR+1 (RCR−1, RCR+2)

✲ ✲ ✲ ❝ ❄

k1 ⊕ RCR−v

✲ ✲ ✲ ❝ ✻

k1 ⊕ RCR+v+1

✲ ✲ ❝ ❄

k1 ⊕ RCR−v−1

✲ ✲ ❝ ✻

k1 ⊕ RCR+v+2

✲ ✲ ✲ ✲ ✲ ✲

M−1 S−1 M−1 S−1 M−1 S−1 M−1 S−1 M−1 S−1 M−1 S−1

✻ ❄

α

✻ ❄

α

With P = PrX

• S(X) ⊕ S(X ⊕ α) = M−1(α)
• 16 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Cancellation Idea

RR+v ◦ · ◦ RR−v+1

✟✟ ❍❍ ✲ ✲

k1

RCR, RCR+1 (RCR−1, RCR+2)

✲ ✲ ✲ ❝ ❄

k1 ⊕ RCR−v

✲ ✲ ✲ ❝ ✻

k1 ⊕ RCR+v+1

✲ ✲ ❝ ❄

k1 ⊕ RCR−v−1

✲ ✲ ❝ ✻

k1 ⊕ RCR+v+2

✲ ✲ ✲ ✲ ✲ ✲

M−1 S−1 M−1 S−1 M−1 S−1 M−1 S−1 M−1 S−1 M−1 S−1

✻ ❄

α

✻ ❄

α

✻ ❄

16 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Cancellation Idea

RR+v ◦ · ◦ RR−v+1

✟✟ ❍❍ ✲ ✲

k1

RCR, RCR+1 (RCR−1, RCR+2)

✲ ✲ ✲ ❝ ❄

k1 ⊕ RCR−v

✲ ✲ ✲ ❝ ✻

k1 ⊕ RCR+v+1

✲ ✲ ❝ ❄

k1 ⊕ RCR−v−1

✲ ✲ ❝ ✻

k1 ⊕ RCR+v+2

✲ ✲ ✲ ✲ ✲ ✲

M−1 S−1 M−1 S−1 M−1 S−1 M−1 S−1 M−1 S−1 M−1 S−1

✻ ❄

α

✻ ❄

α

✻ ❄ ✻ ❄

16 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Cancellation Idea

RR+v ◦ · ◦ RR−v+1

✟✟ ❍❍ ✲ ✲

k1

RCR, RCR+1 (RCR−1, RCR+2)

✲ ✲ ✲ ❝ ❄

k1 ⊕ RCR−v

✲ ✲ ✲ ❝ ✻

k1 ⊕ RCR+v+1

✲ ✲ ❝ ❄

k1 ⊕ RCR−v−1

✲ ✲ ❝ ✻

k1 ⊕ RCR+v+2

✲ ✲ ✲ ✲ ✲ ✲

M−1 S−1 M−1 S−1 M−1 S−1 M−1 S−1 M−1 S−1 M−1 S−1

✻ ❄

α

✻ ❄

α

✻ ❄ ✻ ❄ ✻ ❄

α · · ·

With P = PrX

• S(X) ⊕ S(X ⊕ α) = M−1(α)
• there is an iterative

characteristic over four rounds of a PRINCE-like cipher.

16 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Best α with Cancellation Idea on 12 rounds

α ∆∗ w(∆∗) PC4 Data Compl. Time Compl. 0x8400400800000000 0x8800400400000000 4 2−22 257.95 271.37 0x8040000040800000 0x8080000040400000 4 2−22 257.95 271.37 0x0000408000008040 0x0000404000008080 4 2−22 257.95 271.37 0x0000000048008004 0x0000000044008008 4 2−22 257.95 271.37 0x0000440040040000 0x0000440040040000 4 2−24 260.27 273.69 0x8008000000008800 0x8008000000008800 4 2−24 260.27 273.69

17 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Examples of α with Branch and Bound Algorithm on 12 Rounds

α ∆∗ w(∆∗) PC4 Data Compl. Time Compl. 0x0108088088010018 0x0000001008000495 5 2−26 262.78 280.2 0x0088188080018010 0x00000100c09d0008 5 2−26 262.78 280.2 0x0108088088010018 0x000000100800d8cc 6 2−26 262.83 284.25 0x0001111011010011 0x1101100110000100 7 2−28 263.45(a = 32) 288.87

18 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Number of non-zero nibbles of α

Observation The best results so far have been obtained for α with a small number of non-zero nibbles.

19 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Number of non-zero nibbles of α

Observation The best results so far have been obtained for α with a small number of non-zero nibbles. Question Would α with many non-zero nibbles guarantee security against reflection attacks?

19 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Number of non-zero nibbles of α

Observation The best results so far have been obtained for α with a small number of non-zero nibbles. Question Would α with many non-zero nibbles guarantee security against reflection attacks? α =

    0x7 0x1 0xc 0xb 0x9 0x5 0x9 0x3 0x9 0xa 0x5 0x9 0x3 0x6 0x8 0xd     ,

19 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Number of non-zero nibbles of α

Observation The best results so far have been obtained for α with a small number of non-zero nibbles. Question Would α with many non-zero nibbles guarantee security against reflection attacks? α =

    0x7 0x1 0xc 0xb 0x9 0x5 0x9 0x3 0x9 0xa 0x5 0x9 0x3 0x6 0x8 0xd     ,

M−1(α) =

    0x7 0xb 0xd 0x9    .

19 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Truncated Attack

Assume α is such that M−1(α) =

    ∗ 0 0 0 0 0 0 ∗ 0 0 ∗ 0 0 ∗ 0 0     where ∗ can be any

arbitrary value. For six rounds RR−2 ◦ · · · ◦ RR+3, the following truncated characteristic: Y O

R+3 ⊕ X I R−2 =

    ∗ 0 0 0 ∗ 0 0 ∗ ∗ 0 ∗ 0 ∗ ∗ 0 0     ⊕ α, holds with probability PFM′ = |FM′|

2n

= 2−32.

20 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Truncated Attack

Similar characteristics can be obtained for α such that: M−1(α) =

    0 ∗ 0 0 ∗ 0 0 0 0 0 0 ∗ 0 0 ∗ 0     or M−1(α) =     0 0 ∗ 0 0 ∗ 0 0 ∗ 0 0 0 0 0 0 ∗     or

M−1(α) =

    0 0 0 ∗ 0 0 ∗ 0 0 ∗ 0 0 ∗ 0 0 0    .

This truncated characteristic over six rounds exists for 4 × (216 − 1) ≈ 218 values of α, Key recovery attack on 8 rounds can be done by data complexity 235.8 and time complexity of 296.8 memory accesses in addition of 288 full encryption.

21 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

1

Description of PRINCE-like Ciphers

2

Distinguishers

3

Key Recovery

4

Various Classes of α-reflection

5

Conclusions

22 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Conclusions

We introduced new generic distinguishers on PRINCE-like ciphers. The security of PRINCE-like ciphers depends strongly on the choice of the value of α. We identified special classes of α for which 4, 6, 8 or 10 rounds can be distinguished from random. The weakest class allows an efficient key-recovery attack on 12 rounds of the cipher. Our best attack on PRINCE with original α breaks a reduced 6-round version. New design criteria for the selection of the value of α for PRINCE-like ciphers are obtained.

22 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α-reflection Conclusions

Thanks for your attention!

23 / 23