Abstract
Subspace trail cryptanalysis is a recently introduced cryptanalysis technique that includes differential, truncated differential, impossible differential, and integral attacks as special cases.
In this paper, we consider PRINCE, a widely analyzed block cipher proposed in 2012. After identifying a 2.5-round subspace trail of PRINCE, we present several (truncated differential) attacks on up to 6 rounds of PRINCE. These include a very practical attack on 4 rounds with the lowest data complexity, only 8 plaintexts, which co-won the final round of the PRINCE challenge in the 4-round chosen-plaintext category. The attacks have been verified using a C implementation.
Of independent interest, we consider a variant of PRINCE in which the ShiftRows and MixLayer operations are exchanged in position. Our results show that the relative position of the ShiftRows and MixLayer operations influences the security of PRINCE. The same analysis applies to follow-up designs inspired by PRINCE.
Notes
- 1.
- 2.
- 3. The source code is available at https://github.com/Krypto-iaik/PRINCE_Attacks.
- 4. We observe that attacks that exploit the key schedule can be affected by the order of the linear operations. To highlight this, we refer to the analysis done in [10] on the effect of omitting the final MixColumns operation. While key-recovery attacks are in general not influenced by the presence of the last MixColumns operation, some attacks that exploit it (e.g. Meet-in-the-Middle attacks) are affected, since a different key schedule can change the amount of key material that has to be guessed in key-recovery attacks (also in the standard single-key model). In the same way, this analysis also holds when the positions of the MixColumns and ShiftRows operations are exchanged.
- 5. We emphasize that the right key is always found. We use more plaintexts only to discard false positives that pass the test.
- 6. Note that: \([\text{S-Box}(t^2[0]\oplus k_1[0]) \oplus \text{S-Box}(t^3[0]\oplus k_1[0])] \wedge 0\text{x}8 = [\text{S-Box}(t^2[0]\oplus k_1[0]) \oplus \text{S-Box}(t^1[0]\oplus k_1[0]) \oplus \text{S-Box}(t^1[0]\oplus k_1[0]) \oplus \text{S-Box}(t^3[0]\oplus k_1[0])] \wedge 0\text{x}8 = 0\).
- 7.
References
1. Abed, F., List, E., Lucks, S.: On the security of the core of PRINCE against biclique and differential cryptanalysis. Cryptology ePrint Archive, Report 2016/712 (2016)
2. Avanzi, R.: The QARMA block cipher family – almost MDS matrices over rings with zero divisors, nearly symmetric Even-Mansour constructions with non-involutory central rounds, and search heuristics for low-latency S-boxes. Cryptology ePrint Archive, Report 2016/444 (2016)
3. Banik, S., Bogdanov, A., Isobe, T., Shibutani, K., Hiwatari, H., Akishita, T., Regazzoni, F.: Midori: a block cipher for low energy. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 411–436. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48800-3_17
4. Bay, A., Ersoy, O., Karakoç, F.: Universal forgery and key recovery attacks on ELmD authenticated encryption algorithm. Cryptology ePrint Archive, Report 2016/640 (2016). To appear at ASIACRYPT 2016
5. Beierle, C., Jean, J., Kölbl, S., Leander, G., Moradi, A., Peyrin, T., Sasaki, Y., Sasdrich, P., Sim, S.M.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53008-5_5
6. Borghoff, J., Canteaut, A., Güneysu, T., Kavun, E.B., Knezevic, M., Knudsen, L.R., Leander, G., Nikov, V., Paar, C., Rechberger, C., Rombouts, P., Thomsen, S.S., Yalçın, T.: PRINCE – a low-latency block cipher for pervasive computing applications. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34961-4_14
7. Bouillaguet, C., Derbez, P., Dunkelman, O., Fouque, P., Keller, N., Rijmen, V.: Low-data complexity attacks on AES. IEEE Trans. Inf. Theory 58(11), 7002–7017 (2012)
8. Derbez, P., Perrin, L.: Meet-in-the-middle attacks and structural analysis of round-reduced PRINCE. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 190–216. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48116-5_10
9. Dobraunig, C., Eichlseder, M., Mendel, F.: Key recovery for MANTIS-5. Cryptology ePrint Archive, Report 2016/754 (2016)
10. Dunkelman, O., Keller, N.: The effects of the omission of last round's MixColumns on AES. Inf. Process. Lett. 110(8–9), 304–308 (2010)
11. Grassi, L., Rechberger, C.: Practical low data-complexity subspace-trail cryptanalysis of round-reduced PRINCE. Cryptology ePrint Archive (2016)
12. Grassi, L., Rechberger, C., Rønjom, S.: Subspace trail cryptanalysis and its applications to AES. Cryptology ePrint Archive, Report 2016/592 (2016)
13. Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 252–267. Springer, Heidelberg (1996). doi:10.1007/3-540-68697-5_20
14. Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). doi:10.1007/3-540-60590-8_16
15. Leander, G., Abdelraheem, M.A., AlKhzaimi, H., Zenner, E.: A cryptanalysis of PRINTcipher: the invariant subspace attack. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 206–221. Springer, Heidelberg (2011). doi:10.1007/978-3-642-22792-9_12
16. Leander, G., Minaud, B., Rønjom, S.: A generic approach to invariant subspace attacks: cryptanalysis of Robin, iSCREAM and Zorro. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 254–283. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_11
17. Morawiecki, P.: Practical attacks on the round-reduced PRINCE. Cryptology ePrint Archive, Report 2016/245 (2016)
18. Posteuca, R., Negara, G.: Integral cryptanalysis of round-reduced PRINCE cipher. Proc. Romanian Acad. Ser. A 16, 265–270 (2015)
19. Raddum, H., Rasoolzadeh, S.: Faster key recovery attack on round-reduced PRINCE. Cryptology ePrint Archive, Report 2016/828 (2016). To appear at LightSec 2016
20. Soleimany, H., Blondeau, C., Yu, X., Wu, W., Nyberg, K., Zhang, H., Zhang, L., Wang, Y.: Reflection cryptanalysis of PRINCE-like ciphers. J. Crypt. 28(3), 718–744 (2013)
21. Zhao, G., Sun, B., Li, C., Su, J.: Truncated differential cryptanalysis of PRINCE. Secur. Commun. Netw. 8(16), 2875–2887 (2015)
Acknowledgements
The work in this paper has been partially supported by the Austrian Science Fund (project P26494-N15).
A MANTIS Encryption Scheme: Subspace Trail Cryptanalysis
The MANTIS encryption scheme [5] is a low-latency tweakable block cipher proposed at CRYPTO 2016. The designers' starting point is a PRINCE-like encryption scheme that keeps the entire design symmetric around the middle (to obtain the \(\alpha\)-reflection property). To improve security, the PRINCE round has been replaced by the MIDORI round function. This simple change yields a cipher with improved latency and improved security compared to PRINCE. Note that, in contrast to PRINCE, the PermuteCells operation is performed before the MixLayer one.
MANTIS\(_r\) has a 64-bit block length and works with a 128-bit key (\(k = k_0 || k_1\) with 64-bit subkeys \(k_0, k_1\)) and a 64-bit tweak T. The parameter r specifies the number of rounds of one half of the cipher. Like PRINCE, MANTIS is based on the FX-construction and thus applies whitening keys before and after its core components (the whitening keys are generated in the same way as for PRINCE). Every round \(R^i(\cdot)\) of MANTIS is defined as
for \(i = 0, \dots, r\), where (see footnote 7):
- S-Box layer: Every byte in the internal state is replaced by using the involutory \(4 \times 4\)-bit MIDORI S-Box;
- A bit-wise XOR with the (full) round tweakey state \(h^i(T) \oplus k_1\), for \(i = 0, \dots, r\), where T is the tweak and \(h^i\) is the tweak permutation;
- PermuteCells operation \(\mathbf{P}\): The cells of the internal state are permuted according to the MIDORI permutation;
- MixColumns \(\mathbf{M}\): Each column of the internal state array is multiplied by the MixColumns binary matrix M of MIDORI (we recall that \(M = M^{-1}\)):
- A bit-wise XOR with the key \(k_1\) and a round constant \(RC_i\).
As in PRINCE, the last r rounds apply the operations in the inverse order of the first r rounds, with only the round constants differing. Moreover, the middle rounds consist of three key-less operations: an S-Box layer, a matrix multiplication with M and an inverse S-Box layer. Finally, like PRINCE, MANTIS has the \(\alpha\)-reflection property, that is \(D_{(k_0||k_0'||k_1)}(\cdot, T) = E_{(k_0'||k_0||k_1\oplus \alpha)}(\cdot, T)\). Thus, our results presented in Sect. 4 can be applied to MANTIS.
Subspace Trail of MANTIS. Proceeding as for PRINCE, we first identify analogous subspace trails for MANTIS. The column, diagonal and mixed subspaces are defined exactly as the ones defined for PRINCE in Sect. 3.1, but their representations are a little different (except for the column space).
For instance, \(\mathcal D_0 = P(\mathcal C_0),\) \(\mathcal {ID}_0=P^{-1}(\mathcal C_0)\), \(\mathcal M_0 = M(\mathcal D_0)\) and \(\mathcal {IM}_0 = M(\mathcal {ID}_0)\) correspond to matrix representations:
Let \(I\subseteq \{0,1,2,3\}\). Since \(\mathcal C_I\) is an invariant subspace for the middle rounds, note that it is possible to set up a subspace trail for 3.5 rounds of MANTIS:
A More Secure Version of MANTIS. As for PRINCE, we consider a version of MANTIS in which the MixColumns and PermuteCells operations are exchanged in position, called MANTIS\(^\star\) in the following. The rounds of MANTIS\(^\star\) are defined similarly to the PRINCE ones: the MixColumns operation is performed before (resp. after) the PermuteCells one in the forward (resp. backward) rounds.
As a first consequence, in this case it is only possible to set up a subspace trail for 2.5 rounds (as for PRINCE), that is \(\mathcal C_I \oplus a \xrightarrow[]{R(\cdot)} \mathcal D_I \oplus b \xrightarrow[]{M \circ \text{S-Box}(\cdot)} \mathcal M_I \oplus c\) or \(\mathcal C_I \oplus a \xrightarrow[]{super\text{-}SBox(\cdot)} \mathcal C_I \oplus b \xrightarrow[]{M \circ SR^{-1}(\cdot)} \mathcal{IM}_I \oplus c\).
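The effect of exchanging PermuteCells and MixColumns can be checked directly at the cell level, with the round structure described above. The following Python script is an added illustration written for this edit; it is not the authors' C implementation and not MANTIS reference code. It builds the MIDORI S-Box and the MIDORI MixColumns matrix from the description above, takes the MIDORI cell permutation as recalled from the MIDORI specification (an assumption: the check only needs P to be a cell permutation that sends a column onto a diagonal, and M to act column-wise), and uses constructed keys, tweakeys and round constants rather than real test vectors. It pushes a coset of a one-cell subspace through one forward round, the key-less middle layer and one backward round, and records which cells are active. For MANTIS (P before M) the states stay inside a coset of \(\mathcal C_0\) through the middle and come out in a coset of \(\mathcal{ID}_0\), which is the invariance the 3.5-round trail relies on; for MANTIS\(^\star\) (M before P) the forward round lands in \(\mathcal D_0\) as in the 2.5-round trail above, and the middle layer already spreads the differences over nine cells, so no cell-aligned coset survives.

```python
"""Cell-level subspace-trail check: MANTIS (PermuteCells before MixColumns)
against MANTIS* (the two operations exchanged).

Added illustration, not the authors' code.  Keys, tweakeys and round constants
are constructed values, not MANTIS test vectors.  PERM is the MIDORI
ShuffleCell as recalled from the MIDORI specification (an assumption); the
property checked only needs P to be a cell permutation mapping a column onto
a diagonal and M to act on each column separately.
"""
import random

# MIDORI Sb0 S-Box; involutory, so S^-1 == S.
SBOX = [0xC, 0xA, 0xD, 0x3, 0xE, 0xB, 0xF, 0x7,
        0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]
assert all(SBOX[SBOX[x]] == x for x in range(16))

# Assumed MIDORI cell permutation: new_state[i] = state[PERM[i]].
# Cells are indexed column-wise, so column c is cells 4c..4c+3.
PERM = [0, 10, 5, 15, 14, 4, 11, 1, 9, 3, 12, 6, 7, 13, 2, 8]
PERM_INV = [PERM.index(i) for i in range(16)]


def sbox_layer(s):
    return [SBOX[x] for x in s]


def add(s, k):
    return [x ^ y for x, y in zip(s, k)]


def permute(s):
    return [s[PERM[i]] for i in range(16)]


def permute_inv(s):
    return [s[PERM_INV[i]] for i in range(16)]


def mix(s):
    """MIDORI MixColumns: each output cell is the XOR of the other three cells
    of its column (binary matrix with zero diagonal); M is its own inverse."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        tot = col[0] ^ col[1] ^ col[2] ^ col[3]
        out += [tot ^ x for x in col]
    return out


# Constructed round material and base state (fixed seed, so runs are identical).
RNG = random.Random(2016)
TK0, TK1, KRC0, KRC1, BASE = ([RNG.randrange(16) for _ in range(16)] for _ in range(5))


def forward_round(s, swap):
    """S-Box, tweakey, P, M, k1+RC; with swap=True the MANTIS* order M then P."""
    s = add(sbox_layer(s), TK0)
    s = permute(mix(s)) if swap else mix(permute(s))
    return add(s, KRC0)


def middle(s):
    """Key-less middle layer S, M, S^-1 (S is an involution)."""
    return sbox_layer(mix(sbox_layer(s)))


def backward_round(s, swap):
    """Inverse round order with its own constants: k1+RC, M, P^-1, tweakey, S^-1."""
    s = add(s, KRC1)
    s = mix(permute_inv(s)) if swap else permute_inv(mix(s))
    return sbox_layer(add(s, TK1))


def active_cells(states):
    """Cells on which the states disagree: all states lie in one coset of the
    cell-aligned subspace spanned by exactly these cells."""
    return {i for i in range(16) if len({s[i] for s in states}) > 1}


C0 = {0, 1, 2, 3}                              # column subspace C_0
D0 = {i for i in range(16) if PERM[i] in C0}   # D_0 = P(C_0): where column 0 lands
ID0 = {PERM[i] for i in C0}                    # ID_0 = P^-1(C_0): what P sends to column 0


def trace(swap):
    """Push a coset of the one-cell subspace at cell 0 through forward round,
    middle layer and backward round; return the active cells after each step."""
    # Cell 0 is a fixed point of PERM, so it lies in C_0, D_0 and ID_0 alike:
    # the same 16 states form a coset inside ID_0 (MANTIS) and inside C_0 (MANTIS*).
    states = [[v] + BASE[1:] for v in range(16)]
    out = {}
    states = [forward_round(s, swap) for s in states]
    out["round"] = active_cells(states)
    states = [middle(s) for s in states]
    out["middle"] = active_cells(states)
    states = [backward_round(s, swap) for s in states]
    out["backward"] = active_cells(states)
    return out


if __name__ == "__main__":
    for name, swap in (("MANTIS", False), ("MANTIS*", True)):
        print(name, {k: sorted(v) for k, v in trace(swap).items()})
```

The check is deterministic: for MANTIS every stage of `trace(False)` stays within \(\mathcal C_0\) and the backward round maps it back into \(\mathcal{ID}_0\), whatever the key material; for MANTIS\(^\star\) the three cells of \(\mathcal D_0\) that are active after the forward round sit in three different columns, so the middle MixColumns turns each into three active cells and `trace(True)["middle"]` always has nine elements.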
Moreover, "as one round of MANTIS is almost identical to one round in MIDORI, most of the security analysis can simply be copied from the latter" (see Sect. 6.3 of [5]). By our analysis of Sect. 4, and since MIDORI [3] is an AES-like cipher, its security is not influenced by the positions of the MixColumns and PermuteCells operations. Thus, the version of MIDORI in which the MixColumns operation is performed before the PermuteCells operation, called MIDORI\(^\star\) for consistency, has the same security as the original one.
Due to the previous considerations, and since the analysis done for PRINCE in Sect. 4 also applies to MANTIS, we can claim that MANTIS\(^\star\) (i.e. the version of MANTIS in which MixColumns and PermuteCells are exchanged in position) is more secure than the original version proposed in [5] with respect to the attack vectors considered in this paper. Note that this claim is also justified by the fact that the authors did not consider related-key attacks when evaluating the security of MANTIS, and that its key schedule is linear (in particular, there is no key schedule at all, since all the subkeys are equal to the whitening key).
For completeness, and following our analysis of Sect. 4, we define another version of MANTIS, called MANTIS\(^\prime\) in the following, which is identical to the original MANTIS except for the middle rounds, defined as
As for MANTIS\(^\star\), we can claim that MANTIS\(^\prime\) is more secure than the original version proposed in [5], and that it has the same security as MANTIS\(^\star\). For completeness, a similar but independent analysis is proposed in [9], which leads to analogous results and conclusions.
© 2016 Springer International Publishing AG
Grassi, L., Rechberger, C. (2016). Practical Low Data-Complexity Subspace-Trail Cryptanalysis of Round-Reduced PRINCE. In: Dunkelman, O., Sanadhya, S. (eds) Progress in Cryptology – INDOCRYPT 2016. INDOCRYPT 2016. Lecture Notes in Computer Science(), vol 10095. Springer, Cham. https://doi.org/10.1007/978-3-319-49890-4_18
DOI: https://doi.org/10.1007/978-3-319-49890-4_18
Print ISBN: 978-3-319-49889-8
Online ISBN: 978-3-319-49890-4