Keywords

1 Introduction

Recently, importantSoleimany, Hadi Blondeau, Céline Yu, Xiaoli Wu, Wenling Nyberg, Kaisa Zhang, Huiling Zhang, Lei Wang, Yanfeng applications in special constrained environments such as RFID tags and sensors have received a lot of attention by the cryptographic community. The new secure primitives should provide the best security possible while under tight constraints. Traditionally, cryptographic algorithms have been designed with large security margin to be on the secure side even when exposed to new and unknown vulnerabilities. Since lightweight ciphers must be as small and power-efficient as possible, it is of utmost importance to analyze and understand the security of cryptographic designs to reduce the superfluous margins. New innovative and unconventional designs pose new challenges. For instance, to reduce the power consumption of the encryption algorithm, new cipher proposals, such as PRINTcipher [7] and LED [5] with very simple key-schedule or even without key-schedule, have been developed. With the emergence of such constructions, new attacks have emerged.

PRINCE is a low-latency block cipher proposed at ASIACRYPT 2012 [2]. In order to reduce the cost of implementation of decryption, this iterated cipher uses a property called \(\alpha \)-reflection. As the key-schedule of the encryption is almost non-existent, the round constants play crucial role in preventing self-similarity attacks like slide attacks. The \(\alpha \)-reflection property is built in the cipher by selecting the round constants in pairs. The constants that form a pair have a difference equal to \(\alpha \), and if one of them is used on round \(r\) then the other one is used on round \(2R-r+1\), where \(r = 1,2,\ldots ,2R\), and \(2R\) is the total number of rounds of the cipher. As the round functions at round \(r\) and \(2R-r+1\), \(r < R\), are selected to be inverses of each other, it follows that decryption with round key \(K\) is identical to encryption with round key \(K\oplus \alpha \).

In the original proposal, the security of PRINCE and the effects of the \(\alpha \)-reflection were studied extensively. In particular, it was shown that the cipher is secure against known attacks with reasonable security margin. For instance, it was shown that any differential or linear characteristic over 4 consecutive rounds has at least 16 active S-boxes. This holds independently of the selection of the non-zero parameter \(\alpha \).

In this paper, we study PRINCE in a more general setting of PRINCE-like ciphers by allowing freedom in the selection of the value of \(\alpha \) and of some other components of the cipher. We identify new types of relations over the cipher, and show that they can be used as distinguishers over PRINCE, but that their effectivity depends crucially on the properties of \(\alpha \). We call these new relations reflection characteristics. They are constructed by feeding input data of round \(r\), \(r\le R\), forward over \(2(R-r+1)\) rounds and comparing it with the corresponding output data of round \(2R-r+1\) by exclusive-or differences. We investigate distributions of these reflection differences. Their non-uniformity properties crucially depend on the relationships between the differential properties of the round function, fixed points of the middle linear layer and the reflection parameter \(\alpha \).

The starting point of the reflection cryptanalysis is a probabilistic relation on the middle rounds of the cipher. The extracted relations starting from the middle of the cipher share some similarities with some attacks on Feistel ciphers. Self-similarity properties can be used to determine classes of weak keys as for instance for the DES [8]. The reflection attack [6] and its modifications for hash functions [3] take advantage of involution properties when classes of fixed points exist in some intermediate rounds. In this paper, the involution property is replaced by the \(\alpha \)-reflection property, and the resulting reflection characteristics are not necessarily deterministic, but evaluated in terms of differential probabilities. The resulting attacks require known plaintext only.

In sharp contrast to differential and linear characteristics on PRINCE-like ciphers, the number of active S-boxes in a reflection characteristic strongly depends on the value of \(\alpha \). In particular, we show that for some values of \(\alpha \) the key-recovery attack using reflection characteristic works for the full cipher. We present a known-plaintext single-key attack with the data complexity of \(2^{57.95}\) plaintexts and time complexity of \(2^{72.37}\). For the original \(\alpha \) specified in [2], the key recovery attack using a reflection distinguisher found in this paper breaks reduced-round versions of the cipher only up to \(6\) rounds and hence does not threaten the security of full \(12\)-round version of PRINCE. Nevertheless, we believe that the introduction of the new distinguishers will shed light on the security of PRINCE-like ciphers and can be taken into consideration when designing ciphers according to the model of PRINCE.

The paper is organized as follows. In Sect. 2, we define a family of ciphers called PRINCE-like ciphers. In Sect. 3, different characteristics for the ciphers in this family are described and their probabilities determined. Concatenations of these characteristics are also studied in order to provide characteristics on a larger number of rounds. In Sect. 4, we show how reflection characteristics over \(2R-2\) rounds of the cipher can be converted to distinguishers and used for key recovery attacks on the full \(2R\) rounds of the cipher. In Sect. 5, we evaluate the complexity of the best reflection attacks and identify classes of the weakest \(\alpha \) using the original S-layer and M-layer of PRINCE.

2 Brief Description of PRINCE

Distinguishers and attacks presented in this paper focus not only on the original PRINCE but are more general and can be applied to all ciphers with similar reflection structure. To this aim, let us start by describing what we call a PRINCE-like cipher.

2.1 PRINCE-Like Cipher

A PRINCE-like cipher encrypts messages of \(n\)-bit blocks by iterating \(2R\) times a round function. We denote by \(E^{\alpha }_k\) the encryption function parametrized with a \(2n\)-bit key \(k=(k_0||k_1) \in \mathbb {F}_2^{2n}\) and the reflection parameter \(\alpha \in {\mathbb {F}_2^{n}}^*\).

The key schedule of a PRINCE-like cipher is simple. The \(2n\)-bit key is split into two \(n\)-bit parts \(k_0\) and \(k_1\). From \(k_0\), a key \(k'_0\) is derived using a rotation and a shift as follows

$$\begin{aligned} k'_0=(k_0\ggg 1) \oplus (k_0 \gg (n-1)). \end{aligned}$$
(1)

The keys \(k_0\) and \(k'_0\) are used as whitening keys in the encryption operation that follows the FX structure. The \(n\)-bit key \(k_1\) is added to the state in the \(2R\) rounds of the cipher.

The core function \(G^{\alpha }_{k_1}\) of this cipher (denoted by PRINCE\(_{core}\) in the original proposal) is defined as an iteration of the \(2R\) rounds. To keep it as general as possible, we assume that we have a non-linear S-layer composed of a set of parallel Sboxes and two different linear layers, defined by \(n \times n\) matrices \(M'\) and \(M\), where \(M'\) is an involution matrix.

The first \(R-1\) rounds \(\mathfrak {R}_r:\mathbb {F}_2^{n}\rightarrow \mathbb {F}_2^{n}\), \(1 \le r\le R-1\), are identical and are composed (in this order) of addition of the round constant \(RC_r\) and the key \(k_1\), the non-linear layer \(S\) and the linear permutation layer \(M\). The \(R-1\) last rounds \(\mathfrak {R}_r:\mathbb {F}_2^{n}\rightarrow \mathbb {F}_2^{n}\), \(R+2 \le r\le 2R\) are, in the reverse order, equal to inverses of the first \(R-1\) rounds except that the round constants are modified by \(\alpha \) so that the following holds:

$$\begin{aligned} RC_{2R-r+1}=RC_{r}\oplus \alpha ,~\mathrm{{for~all}}~r = 1,\ldots ,2R. \end{aligned}$$
(2)

We call these rounds with \(r\le R-1\) or \(r\ge R+2\) the external rounds of the PRINCE-like cipher.

The symmetry is broken by specifying the two middle rounds \(R\) and \(R+1\) to be different from each other and from the external rounds. Below we summarize the definitions for all rounds.

$$\begin{aligned} \begin{array}{lclcl} \mathfrak {R}_r(x)&{}=&{}M(S(x\oplus RC_{r}\oplus k_1))&{}&{}~\mathrm{if }~1\le r \le R-1 \\ \mathfrak {R}_r(x) &{}=&{}M'(S(x\oplus RC_{r}\oplus k_1))&{}&{}~\mathrm{if }~r=R \\ \mathfrak {R}_r(x) &{}=&{}S^{-1}(x)\oplus RC_{r}\oplus k_1&{}&{}~\mathrm{if }~r=R+1 \\ \mathfrak {R}_r(x)&{}=&{}S^{-1}(M^{-1}(x))\oplus RC_{r}\oplus k_1 &{}&{}~\mathrm{if }~R+2 \le r \le 2R\\ \end{array} \end{aligned}$$
(3)

The function \(G^{\alpha }_{k_1}(x)\) is then defined as the composition of these \(2R\) round functions. The structure of the cipher is depicted in Fig. 1. The family of PRINCE-like ciphers have been designed, like for the original cipher, such that decryption can be obtained from encryption with a different key. If we denote by \(P\) a plaintext, the corresponding ciphertext is computed as \(C=E_k^{\alpha }(P)\) with \(k= (k_0||k'_0||k_1) \). Decryption of \(C\) can be obtained by computing the encryption over a related key: \(D_k^\alpha (C)=E^{\alpha }_{k'}(C)\) with \(k'=(k'_0||k_0||k_1\oplus \alpha )\).

Fig. 1.
figure 1

Description of a \(2R=12\) rounds PRINCE-like cipher

Full size image

2.2 Description of PRINCE

The full specification of PRINCE is given in [2]. It is a PRINCE-like cipher with \(n = 64\) and \(R = 6\). The reflection constant is defined as \(\alpha =\mathtt{{C0AC29B7C97C50DD}}\). The function \(G^\alpha _{k_1}\) is called PRINCE\(_{core}\). The \(S\)-layer is a non-linear layer where each nibble is processed by the same Sbox. The action of this Sbox is given in Table 5, in Appendix  A.1. To construct the linear layers, first two \(16\times 16\) binary involution matrices \(\hat{M}_0,\hat{M}_{1}\) are defined. Definition of these components can be found in Appendix A.1. Then the \(64\times 64\) block diagonal matrix \(M'\) is generated by setting its diagonal equal to \((\hat{M}_0,\hat{M}_{1},\hat{M}_{1},\hat{M}_{0})\). Then \(M'\) is an involution. The second linear matrix \(M\) for PRINCE is obtained by composition of \(M'\) and a permutation \(SR\) of nibbles by setting \(M= SR \circ M'\). The permutation \(SR\) is analogous to the AES shift row operation, but instead of bytes, it operates on nibbles.

Definition of the original round constants can be found in [2]. Exact values of these round constants are not used in the analysis presented in this paper. However, our attacks exploit the \(\alpha \)-reflection of the round constants \(RC_r\), \(r= 1,\ldots ,12\), given in (2).

The description of the round functions given in Sect. 2.1 differs slightly from the original. Nevertheless, it is easy to see that both descriptions are equivalent.

3 Distinguishers for PRINCE-Like Ciphers

In this section, different reflection characteristics on PRINCE-like ciphers are constructed and investigated. The necessary notations for describing these characteristics are depicted in Fig. 1 and explained next in more detail.

Given the round number \(r\), \(1 \le r \le R\), we denote by \(X^I_r\) the input state of the round number \(r\), and by \(X^{K}_r\), \(X^S_r\) and \(X^M_r\), the states after the key and round constant addition, the \(S\)-layer, and the \(M\)-layer, respectively. In order to exploit the symmetry of the cipher, we give different definitions for \(R+1 \le r\le 2R\). For these rounds, we denote by \(Y^O_r\) the output state of the round number \(r\), and by \(Y^{K}_r\), \(Y^S_r\) and \(Y^M_r\), the states before the key and round constant addition, the \(S\)-layer, and the \(M\)-layer, respectively.

To build a distinguisher on a PRINCE-like cipher, we introduce two types of characteristics. First we focus on the middle rounds of the cipher which are different from the external ones. Characteristics on the middle rounds depend on the property of the matrix \(M'\). Then by using a folded view of the cipher and the \(\alpha \)-reflection property, we extend these characteristics to the external rounds of the cipher.

3.1 Characteristics on the Middle Rounds

We identify two kinds of characteristics on 2 or 4 middle rounds of the cipher. The first characteristic on the 2 midmost rounds is independent of the reflection parameter. The second one is defined on \(4\) rounds and extends over one round before and one round after the midmost rounds. It behaves differently depending of the reflection parameter. Probability of both of these characteristics is related to the number of fixed points of the matrix \(M'\).

Definition 1

Let \(f:A\rightarrow A\) be a function on a set \(A\). A point \(x\in A\) is called a fixed point of the function \(f\) if and only if \(f(x)=x\).

In [2] it is stated based on the result of [4] that the number of fixed points of an involution \(f:\mathbb {F}_2^{n}\rightarrow \mathbb {F}_2^{n}\) is on the average equal to \(2^{n/2}\). While the result of [4] holds in general, restricting to the case of linear involutions \(f\) over \(\mathbb {F}_2^{}\) gives the following result.

Lemma 1

Let \(f:\mathbb {F}_2^{n}\rightarrow \mathbb {F}_2^{n}\) be a linear involution. Then the number of fixed points of \(f\) is greater than or equal to \(2^{n/2}\).

Proof

Let us denote \(B = f \oplus I\), where \(I\) is the \(n\times n\) identity matrix over \(\mathbb {F}_2^{}\). Then \(B^2 = 0\), which means that \(\mathrm{Im}(B) \subset \mathrm{Ker}(B)\). As \(\mathrm{dim}(\mathrm{Ker}(B)) + \mathrm{dim}(\mathrm{Im}(B)) = n\), we have \(\mathrm{dim}(\mathrm{Ker}(B)) \ge \frac{n}{2}\). As \(\mathrm{Ker}(B)\) is the set of fixed points of \(f\), the claim follows.

In what follows, we denote by \(F_{M'}\), the set of fixed points of the matrix \(M'\) and by \(|F_{M'}|\) the size of this set, which by Lemma 1 is larger than or equal to \(2^{n/2}\).

Fig. 2.
figure 2

Middle-round characteristics

Full size image

Characteristic \({\varvec{\mathcal {I}_1.}}\) The characteristic

$$ Y_{R+1}^O \oplus X_R^I = \alpha $$

over two rounds \(\mathfrak {R}_{R+1}\circ \mathfrak {R}_{R}\) of a PRINCE-like cipher holds with probability

$$\begin{aligned} \mathcal {P}_{\mathcal {I}_1}=\mathcal {P}_{F_{M'}}=\frac{|F_{M'}|}{2^{n}}. \end{aligned}$$

Characteristic \(\mathcal {I}_1\) is depicted in Fig. 2(a). By Lemma 1 we have that \(\mathcal {P}_{\mathcal {I}_1} \ge 2^{-n/2}\). As the matrix \(M'\) of PRINCE has exactly \(2^{32}=2^{n/2}\) fixed points, it minimizes the probability of characteristic \(\mathcal {I}_{1}\).

Characteristic \({\varvec{\mathcal {I}_2.}}\) The characteristic

$$ Y_{R+2}^O \oplus X_{R-1}^I = \alpha $$

over four rounds \(\mathfrak {R}_{R+2}\circ \mathfrak {R}_{R+1}\circ \mathfrak {R}_{R}\circ \mathfrak {R}_{R-1}\) of a PRINCE-like cipher holds with probability

$$\begin{aligned} \mathcal {P}_{\mathcal {I}_2}=2^{-n}\#\left\{ x\in \mathbb {F}_2^{n}\,|\, S^{-1}\Big (M'\big (S(x)\big )\Big )\oplus x =\alpha \right\} . \end{aligned}$$

Characteristic \(\mathcal {I}_2\) is depicted in Fig. 2(b). Next we show that \(\mathcal {P}_{\mathcal {I}_2}\) can be computed efficiently. We write

$$\begin{aligned} \mathcal {P}_{\mathcal {I}_2}&= 2^{-n}\sum _{\varDelta \in \mathbb {F}_2^{n}} \#\left\{ x\in \mathbb {F}_2^{n}\,|\, M'\big (S(x)\big )\oplus S(x) =\varDelta , S(x\oplus \alpha )\oplus S(x) = \varDelta \right\} . \end{aligned}$$

The set on the right hand side of the equality is not empty only if \(\varDelta \in \mathrm{Im}(M'\oplus I)\). We then deduce as in the proof of Lemma 1 that \(\varDelta \in F_{M'}\), and obtain

$$\begin{aligned} \mathcal {P}_{\mathcal {I}_2}&= 2^{-n}\sum _{\varDelta \in F_{M'}} \#\left\{ x\in \mathbb {F}_2^{n}\,|\, M'(S(x))\oplus S(x) = \varDelta , S(x\oplus \alpha )\oplus S(x) = \varDelta \right\} .\nonumber \\ \end{aligned}$$

Assuming that the fixed point properties of \(M'\) and differential properties of \(S\) are independent we obtain

$$\begin{aligned} \mathcal {P}_{\mathcal {I}_2} \approx \mathcal {P}_{F_{M'}}\sum _{\varDelta \in F_{M'}} \mathrm{Pr}_\mathbf{X}\left[ S(\mathbf{X}) \oplus S(\mathbf{X} \oplus \alpha ))= \varDelta \right] . \end{aligned}$$
(4)

The exact expression of the probability can be efficiently evaluated as the summation is taken over the fixed points only. In the case where \(M'\) is a block-diagonal matrix, the probability \(\mathcal {P}_{\mathcal {I}_2}\) can be computed by decomposing the probabilities over the different blocks, and will be shown in detail in the case of PRINCE in Sect. 5.

This characteristic is useful for building a distinguisher if \(\mathcal {P}_{\mathcal {I}_2} > 2^{-n}\). But depending on \(M'\) and the value of \(\alpha \), it is also possible that \(\mathcal {P}_{\mathcal {I}_2}=0\). In this case we get an impossible reflection characteristic. We will show in Sect. 4.2 how characteristic \(\mathcal {I}_2\), even if impossible, can be used for a distinguisher. Such a situation occurs if \(S(x\oplus \alpha )\oplus S(x)\) is never equal to a fixed point of \(M'\).

3.2 External Characteristic

When the probabilities \(\mathcal {P}_{\mathcal {I}_1}\) and \(\mathcal {P}_{\mathcal {I}_2}\) are large, it is useful to extend the characteristics \(\mathcal {I}_1\) and \(\mathcal {I}_2\) to more rounds. In what follows, we denote these characteristics by \(\mathcal {I}_v\), \(v=1,\,2\). The structure of PRINCE-like ciphers is such that the first and the last external rounds are symmetrical. One of the main ideas in this paper is to use this specific property to extend the distinguishers \(\mathcal {I}_v\), which cover \(2v\) middle rounds, to external rounds. This idea is illustrated in Fig. 3, which gives another view of the cipher. In this representation, the \(2R\)-round cipher can be viewed as composed of two parallel copies of a \((R-v)\)-round cipher connected together by \(2v\) rounds. Then characteristics on \(2u\) external rounds, \(1\le u\le R-v\), are built as ordinary related key differential characteristics with input data difference equal to \(\alpha \) and the key difference or round constant difference equal to \(\alpha \).

Fig. 3.
figure 3

A folded view of a PRINCE-like cipher: the external characteristic

Full size image

Characteristic \({\varvec{\mathcal {C}_u.}}\) Suppose that the characteristic \(Y^O_{R+v}\oplus X^I_{R-v+1}=\alpha \) holds. The characteristic

$$Y^O_{R+u+v}\oplus X^I_{R-u-v+1} =\varDelta $$

on the \(2u\) external rounds is denoted by \(\mathcal {C}_u\). It holds with probability

$$\mathcal {P}_{\mathcal {C}_v}=\mathrm{Pr}_\mathbf{X}\left[ F^u_{0}(x)\oplus F^u_{\alpha }(x\oplus \alpha )=\varDelta \right] ,$$

where \(F^{u}_{0}=\mathfrak {R}^{-1}_{R-v-u+1}\circ \cdots \circ \mathfrak {R}^{-1}_{R-v}\) and \(F^{u}_{\alpha }=\mathfrak {R}^{-1}_{R+v+u}\circ \cdots \circ \mathfrak {R}^{-1}_{R+v+1}.\)

The probability of this characteristic can be computed by using techniques similar to the ones used in classical differential cryptanalysis. In particular, using the Branch and Bound algorithm, it is possible to find the best characteristics for a fixed reflection parameter \(\alpha \). Description of this method for PRINCE is detailed in Sect. 5.

In comparison with differential cryptanalysis, the characteristic \(\mathcal {C}_u\) benefits from the related constant \(\alpha \). Similarly to related key differential attacks, zero differences between states are possible. Then two parallel rounds, say \(\mathfrak {R}_{R-z+1}\) and \(\mathfrak {R}_{R+z}\), can for some characteristics be passed with probability equal to 1. This happens when the data difference is cancelled by the key or round constant difference. Examples of such situations will be given in Sect. 5. Even when the difference is non-zero, two rounds of the cipher can be passed at the cost of one non-linear layer, where the classical differential cryptanalysis on PRINCE-like ciphers must consider differential probabilities over two non-linear layers.

Distinguishers over several rounds of the cipher, can then be built using a combination of the external characteristic \(\mathcal {C}_u\) with \(\mathcal {I}_v\), \(v =1,\,2\). If \( \mathcal {P}_{\mathcal {I}_v}\times \mathcal {P}_{\mathcal {C}_u} > 2^{-n},\) then \(2v+2u\) rounds of the cipher are distinguishable from random. In Sect. 5 we identify classes of parameters \(\alpha \) such that 4, 6, 8 and 10 rounds of a PRINCE-like cipher can be distinguished from random.

4 Key Recovery

The characteristics constructed in the previous section can be used to build either a probabilistic or a deterministic distinguisher. The combination of \(\mathcal {I}_v\) and \(\mathcal {C}_u\) gives a probabilistic reflection distinguisher. Then the relation

$$\begin{aligned} Y^O_{R+i}\oplus X^I_{R-i+1}= \varDelta , \end{aligned}$$
(5)

for some \(i=u+v\), holds with a positive probability \(p\).

A deterministic distinguisher over 4 rounds exists for those values of \(\alpha \) such that \(\mathcal {P}_{\mathcal {I}_2}=0\). Then we have an impossible reflection distinguisher such that the relation

$$\begin{aligned} Y^O_{R+2}\oplus X^I_{R-1}\ne \alpha , \end{aligned}$$
(6)

holds with probability \(1\).

In this section we describe how to convert these distinguishers on \(2i\) rounds to a key recovery attack on a cipher of \(2R=2i+2\) rounds.

4.1 Probabilistic Reflection Setting

Assuming a probabilistic distinguisher on \(2i\) rounds of a PRINCE-like cipher as described in Sect. 3, a key recovery attack can be derived by counting the number of plaintext-ciphertext pairs such that the difference between \(X^I_2\) and \(Y^O_{2i+1}\) is equal to \(\varDelta \).

In what follows, we denote by \(2^m\) the data complexity of the attack. This value can be computed using Algorithm 1 of [1]. If we denote by \(a\) the advantage of this attack, the corresponding false alarm probability is \(p_\mathrm{fa}=2^{-a}\).

Fig. 4.
figure 4

Key recovery principle when \(2R=2i+2\)

Full size image

Key Recovery Attack for \(\mathbf{2}{{\varvec{R}}=}~\mathbf{2}{{\varvec{i}}}\,\mathbf{+ \, 2}\) Rounds. Let us assume that a characteristic \(Y^{O}_{2i+1}\oplus X_{2}^I =\varDelta \) over the midmost \(2i\) rounds holds with probability \(p\), \(0< p\le 1\). Without modification of the probability, this characteristic can be extended in both sides over linear layer \(M^{-1}\) to obtain a characteristic \( Y_{2i+2}^S\oplus X_{1}^S =M^{-1}(\varDelta )=\varDelta ^*\) depicted in Fig. 4.

To find the values of \(X^S_1\) and \(Y^S_{2i+2}\) for all pairs \((P,C)\), the whole key \((k_0||k_1)\) needs to be guessed. The procedure makes use of the word-oriented structure of the non-linear layer. We assume that the S-layer is nibble-oriented like in the original PRINCE.

We present the \(n\)-bit state with \(n/4\) nibbles and number them from \(1\) to \(n/4\). The \(j\)-th nibble of any \(n\)-bit word \(X\) is denoted by \(X(j)\). The complexity of the attack depends of the number of non-zero nibbles of \(\varDelta ^*\). In what follows, we denote by \(w(\varDelta ^*)\), the number of non-zero nibbles of the difference \(\varDelta ^*\).

As depicted in Fig. 4, the following property holds for all \(1 \le j \le n/4\):

$$\begin{aligned} \varDelta ^*(j) = S\big (P(j) \oplus k_0(j) \oplus k_1(j) \oplus RC_1(j)\big ) \oplus S\big (C(j) \oplus k'_0(j) \oplus k_1(j) \oplus RC_{2R}(j)\big ). \end{aligned}$$

We denote the number of nibbles of \(\varDelta ^*\) that are equal to zero by \(\ell =n/4-w(\varDelta ^*)\). Indices of these nibbles are stored in a list \(L\). Hence \(|L|=\ell \). Then the property

$$\begin{aligned} P(j) \oplus k_0(j) \oplus C(j) \oplus k'_0(j) \oplus \alpha (j) = 0, \end{aligned}$$

holds for all \(j \in L\), and can be used to reduce the time complexity of the attack. For these nibbles, the value of \(k_1(j)\) need not be guessed. Guessing \(k_0 \oplus k'_0\) and computing \(P(j) \oplus k_0(j) \oplus C(j) \oplus k'_0(j)\) allows us to discard already a large number of \((P,C)\) pairs.

Let us assume that the attacker has \(2^m\) plaintexts with corresponding ciphertexts. Then the attack proceeds as follows:

  1. 1.

    For \(2^{4\ell }\) values of \(K_0\) such that \( K_0(j) = k_0(j)\oplus k'_0(j) \) holds for all \(j\in L\)

    1. 1.0

      Take all \(2^m\) plaintext ciphertext pairs

    2. 1.1

      For all \(j\in L\)

         Among the remaining pairs discard the ones such that

          \( P(j)\oplus C(j) \oplus K_0(j) \oplus \alpha (j)\ne 0.\)

    3. 1.2

      For \(2^{4w(\varDelta ^*)}=2^{n-4\ell }\) values of \(K_1\) such that \(K_1(j) = k_0(j)\oplus k_1(j)\) holds for all \(j \notin L\) and for all \( 2^{n-4\ell }\) completions of \(K_0\)

      1. 1.2.1

        For all \(j\notin L\)

            Compute \(K'_1(j)=K_0(j)\oplus K_1(j)=k'_0(j)\oplus k_1(j)\)

            Among the remaining pairs discard the ones such that

               \(S\left( P(j) \oplus K_1(j) \oplus RC_1(j)\right) \oplus S\left( C(j) \oplus K'_1(j) \oplus RC_{2R}(j)\right) \ne \varDelta ^*(j).\)

      2. 1.2.2

        Count the number of remaining pairs.

        Store this number to a counter indexed by \((K_0||K_1)\).

  2. 2.

    Keep a list of \((K_0||K_1)\) ordered according to the counter values with the highest value on top. Compute the corresponding keys \(k_0\) from \(K_0\) according to the key expansion. Also compute \(k_1(j)\) for \(j \notin L\).

  3. 3.

    For the \(2^{2n-4\ell -a}\) top candidates of \(k_0\) on the list and the \(2^{4\ell }\) remaining bits of \(k_1\), do an exhaustive search to find the whole key \((k_0||k_1)\).

For each \(j\) in Step 1.1, only \(4\) bits out of \(2^{4\ell }\) of key \(K_0\) are involved. The first time we do this loop, we have to check the equality of \(2^m\) plaintexts, among which \(2^{m-4}\) pairs are expected to remain. After \(z\) iterations of the loop in Step 1.1, for each \({4z-4}\) key bits guessed in the previous steps and the \(4\) key bits of the current iteration, we should guess a nibble of the key and check the property for all remaining \(2^{m-4(z-1)}\) plaintext-ciphertext pairs. The time complexity of Step 1.1 is \(\sum _{z=1}^{\ell } 2^{m-4z+4} \cdot 2^{4z} = \ell \cdot 2^{m+4}\) simple operations.

Using the same arguments, Step 1.2 is iterated \(2^{4\ell }\sum _{z=\ell +1}^{n/4} 2^{m-4z+4} \cdot 2^{8(z-\ell )}=2^{m-4\ell +4} \sum _{z=\ell +1}^{n/4} 2^{4z} \simeq 2^{m+n+4-4\ell } = 2^{m+4\omega (\varDelta ^*)+4}\) times. If we denote \(\omega = w(\varDelta ^{*})\), the total time complexity of Step 1 corresponds to \(2^{m+4\omega +4}\) double S-box evaluations, which is equivalent to \(\frac{2^{m+5+4\omega }}{(n/4) \cdot (2R)}= \frac{2^{m+6+4\omega }}{n\cdot R} \) full encryptions. Step 3 corresponds to \(2^{2n-a}\) full encryptions, where \(0\le a\le 2n-4\ell \). Step 2, is negligible compared to Step 1 and 3 and the total complexity of the algorithm is \(2^{2n-a}+\frac{1}{n\cdot R}\times 2^{m+6+4w(\varDelta ^*)}\) full encryptions. When the advantage is large, the second term dominates.

To perform the described attack, storage of the \(2^m\) plaintext-ciphertext pairs is necessary, as well as storage of all the \(2^{2n-l}\) counters, one per guessed key. Nevertheless, the memory complexity can be reduced by keeping only keys for which the number of remaining pairs is above some fixed bound.

4.2 Impossible Reflection Setting

In this attack we make use of \(\mathcal {I}_2\) and assume that the parameter \(\alpha \) is such that \(\mathcal {I}_2\) holds with probability equal to zero. Then a deterministic reflection distinguisher with probability equal to one can be built. A guessed key can be discarded if it gives a data pair such that the difference is equal to \(\alpha \).

Key Recovery for \(\mathbf{2}{{\varvec{R}}=}\,\mathbf{2}{{\varvec{i}}}\, \mathbf{+\,2}\) Rounds. In the case of \(\mathcal {I}_2\) we have \(i=2\), but the attack works for any \(i\), if an impossible characteristic over \(2i\) rounds can be built. To reduce the time complexity, we precompute certain values from the states of the second round and the second to last round of the cipher. We denote by \(P'=P\oplus k_0\) and \(C'=C\oplus k'_0\) the states after modification of the plaintext and ciphertext by the whitening keys. For all \(0\le b\le 2^n-1\), we denote by \((V_b,W_b)\) the following values:

$$\begin{aligned} V_b&= S^{-1}(b)\oplus RC_1,\nonumber \\ W_b&= S^{-1}(b \oplus M^{-1}(\alpha )) \oplus RC_{2R}. \end{aligned}$$
(7)

Then, as depicted in Fig. 4, the following properties hold for the pairs \((P',C')\) and the corresponding \((V_b,W_b)\):

$$\begin{aligned} P'\oplus V_b&= k_1,\\ P' \oplus C'&= V_b\oplus W_b. \end{aligned}$$

Assume again we have \(2^{m}\) known pairs \((P, C)\) of plaintexts with corresponding ciphertexts. The goal is to find for as many key candidates \(k_1\) as possible a \((P', C')\) such that \((P' \oplus k_1, C' \oplus k_1)\) is equal to some pair \((V_b, W_b)\). Then we can conclude that the key \(k_1\) is a wrong key and discard it. After pre-computation, the attack works as follows.

Attack Procedure when \((k_0,k'_0)\) is known

  1. 1.

    Consider a list of all keys \(k_1\).

  2. 2.

    For each \(2^m\) pairs \((P', C')\)

    •        Compute \(\Lambda =P' \oplus C' \).

    •        For all \(V_b\) in the row \(\Lambda \) in the hash table \(T\) compute the value \(k_1=P' \oplus V_b\) and discard it from the list.

  3. 3.

    If there is still a key in the list of key \(k_1\), consider \(k=(k_0||k_1)\) as a key candidate.

On average, there is one \(V_b\) in each row of \(T\). So by using \(2^m\) known plaintexts and by considering the collisions, the number of remaining wrong keys \(k_1\) is about \(2^{n}(1-2^{-n})^{2^m}=2^{n}(1-2^{-n})^{2^{n} 2^{m-n}}\approx 2^{n}e^{-2^{m-n}}=2^{n-1.44 \times 2^{m-n}}\), for each fixed \(k_0\). The remaining keys are then searched exhaustively.

The impossible characteristic \(\mathcal {I}_2\) holds for the involution matrix \(M'\), the non-linear layer \(S\) and the reflection parameter value \(\alpha \) specified for the original PRINCE. In Sect. 5.4, many more such values of \(\alpha \) are shown to exist. For all these \(\alpha \), by using the full codebook, the right key can be found after \(2^{126.56}\) encryptions. In total \(2^{67}\) bytes are necessary for the storage of the hash table. Considering only PRINCE\(_{core}\), using the full codebook, the right key \(k_1\) can be found after \(2^{62.56}\) encryptions.

5 Various Classes of \(\alpha \)-Reflection

In [2], the security of PRINCE and the effects of the \(\alpha \)-reflection were studied extensively. In particular, it was shown that the cipher is secure against known attacks with reasonable security margin. For instance, it was shown that any differential or linear characteristic over 4 consecutive rounds has at least 16 active Sboxes. This holds independently of the selection of the non-zero parameter \(\alpha \).

In this section, we focus on a sub-family of PRINCE-like ciphers using the same S-layer and the same linear layers \(M\) and \(M'\) as in the original PRINCE. Definition of these components as given in [2] are recalled in Sect. A.1. We compute the probabilities \(\mathcal {P}_{\mathcal {I}_1}\), \(\mathcal {P}_{\mathcal {I}_2}\), and \(\mathcal {P}_{\mathcal {C}_u}\) (\(1\le u\le 4\)) of the distinguishers proposed in Sect. 3, for various classes of values of \(\alpha \). Then we use these distinguishers for key-recovery attacks on PRINCE presented in Sect. 4, determine the maximum number of rounds that can be attacked, and give complexities of these attacks. The key-recovery attacks in Sect. 4, can be modified to apply on PRINCE\(_{core}\), in which case their complexities will be reduced. We will give these complexities for comparison, but omit the descriptions of the actual attacks on PRINCE\(_{core}\) due to lack of space.

5.1 Probability of the Characteristics: Computation

The difference between \(\mathcal {I}_1\) and \(\mathcal {I}_2\) is noticeable, since the probability of the former is independent of the value of \(\alpha \), which is not the case for \(\mathcal {I}_2\) on the \(4\) midmost rounds. Next we describe how to compute the probability of these characteristics for PRINCE.

Characteristic \({\varvec{\mathcal {I}_1.}}\) The involution matrix \(M'\) of the original PRINCE is such that \(|F_M'|=2^{32}\). The probability of the characteristic \(\mathcal {I}_1\) is then \(\mathcal {P}_{\mathcal {I}_1}=\frac{2^{32}}{2^{64}}=2^{-32}\).

Characteristic \({\varvec{\mathcal {I}_2.}}\) As \(M'\) is a block-diagonal matrix constructed from the \(16\times 16\) matrices \(\hat{M}_0\) and \(\hat{M}_1\), probability \(\mathcal {P}_{\mathcal {I}_2}\) can be computed exactly by computing the following probabilities:

$$\begin{aligned} \mathcal {P}_{\hat{M}_0}^{(\beta )}&= 2^{-16}\#\left\{ x\in \mathbb {F}_2^{16}|S^{-1}\Big (\hat{M}_0\big (S(x)\big )\Big )\oplus x=\beta \right\} \\ \mathcal {P}_{\hat{M}_1}^{(\beta )}&= 2^{-16}\#\left\{ x\in \mathbb {F}_2^{16}|S^{-1}\Big (\hat{M}_1\big (S(x)\big )\Big )\oplus x=\beta \right\} \end{aligned}$$

where \(\beta \) is a 16-bits word and \(S\) is the application of 4 Sboxes. Then if \(\alpha =(\alpha _0,\alpha _1,\alpha _2,\alpha _3)\), we have

$$\begin{aligned} \mathcal {P}_{\mathcal {I}_2}=\mathcal {P}_{\hat{M}_0}^{(\alpha _0)}\times \mathcal {P}_{\hat{M}_1}^{(\alpha _1)}\times \mathcal {P}_{\hat{M}_1}^{(\alpha _2)}\times \mathcal {P}_{\hat{M}_0}^{(\alpha _3)}. \end{aligned}$$
(8)

Characteristic \({\varvec{\mathcal {C}_u.}}\) As presented in Sect. 3.2, characteristics on the external rounds can be seen as a differential characteristics with input difference \(\alpha \) and related constant difference \(\alpha \), see Fig. 3. As PRINCE is a 64-bit cipher with 12 rounds, only 3 or 4 external rounds must be considered, and therefore computation of the best characteristics for a fixed \(\alpha \) is possible by the Branch and Bound algorithm. Finding the weakest \(\alpha \) for such a characteristic remains nevertheless a challenging task. When aiming at a combination with \(\mathcal {I}_2\), focusing on the best \(\alpha \) for \(\mathcal {I}_2\) gives a good starting point, whereas \(\mathcal {I}_1\) is independent of \(\alpha \), a more complex analysis should be done to find the values of \(\alpha \) for which an attack on the full 12 rounds of PRINCE\(_{core}\) is possible.

5.2 Maximizing \(\mathcal {P}_{\mathcal {C}_u}\) for Combination of \({\mathcal {C}_u}\) with \(\mathcal {I}_1\)

We describe here the method we use to derive the \(\alpha \) for which \(12\) rounds of the cipher can be attacked using a combination of \(\mathcal {I}_1\) and \(\mathcal {C}_4\). As we have seen in Sect. 4, a key-recovery attack on 12 rounds can be derived using a distinguisher on 10 rounds. Hence we are interested in finding values of \(\alpha \) which maximize \(\mathcal {P}_{\mathcal {C}_4}\).

Maximizing \({\varvec{\mathcal {P}_{\mathcal {C}_4}.}}\) We start by the analysis of the properties of the S-box and permutation layer \(M\) of PRINCE. Indeed, the values of \(\alpha \) for which a minimal number of Sboxes are active (that is, have non-zero differences) at each round and the differential probabilities of the Sbox are maximal. To this aim, we first express some properties of the matrices \(\hat{M}_0\) and \(\hat{M}_1\).

To maximize \(\mathcal {P}_{\mathcal {C}_u}\), we want to minimize the weight of \(\alpha =(\alpha _0,\alpha _1,\alpha _2,\alpha _3)\) and \(M^{-1}(\alpha )\). Since \(\hat{M}_\epsilon \), \(\epsilon =0,1\), have a branch number 4, \(w(\beta )+ w(\hat{M}_\epsilon (\beta ))\ge 4\) and we have only \(61\) out of the total of \(2^{16}\) values \(\beta \) such that \(w(\beta )+ w(\hat{M}_\epsilon (\beta ))=4\) for both \(\epsilon = 1\) and \(\epsilon = 2\). Among these \(61\) values, \(57\) are such that \(\beta = (a_1,a_2,a_3,a_4)\), where \(a_i\in \{\mathtt{0, 1, 2, 4, 8}\}\). Differential probabilities of the inverse Sbox for single-bit differences are given in Table 1. Based on this table and experiments, we assume that \(\alpha \) with some nibble equal to \(\mathtt{2}\) is not likely to maximize \(\mathcal {P}_{\mathcal {C}_4}\). To find the best distinguisher on 10 rounds, we reduce the search space of \(\alpha \) using the following procedure: For \(\alpha = (a_1,a_2,\cdots ,a_{15},a_{16})\), where \(a_i\in \{\mathtt{0, 1, 4, 8}\}\) (\(2^{32}\) values), we select the ones such that there exists a characteristic \(\mathcal {C}_2\) with \(\mathcal {P}_{\mathcal {C}_2}\ge 2^{-12}\) (there are more than \(300\) values of \(\alpha \) of this sort). Among the remaining ones, check if there is a characteristic \(\mathcal {C}_4\) with \(\mathcal {P}_{\mathcal {C}_4}\ge 2^{-28}\).

Table 1. Differential probabilities of the inverse Sbox for single-bit differences.
Full size table
Table 2. The weakest \(\alpha \) with attack on 12 rounds (using \(C_4\circ \mathcal {I}_1\)). Iterative characteristic based on the cancellation idea.
Full size table
Table 3. Example of \(\alpha \) with attack on 12 rounds (using \(C_4\circ \mathcal {I}_1\)).
Full size table

In Tables 2 and 3, we present some values of \(\alpha \), for which we obtain a distinguisher on 10 rounds. Estimated time and data complexities of a key recovery attack on the 12-round cipher are also shown in the same tables. These estimates have been computed under the assumption that the right key maximizes the number of remaining pairs in Step 4 of the key recovery attack, meaning that the advantage is \(a=n+4w(\varDelta ^*)\). The success probability is taken equal to \(95\,\%\). The data complexity is derived using Algorithm 1 of [1] and the time complexity is derived as for the key recovery attack presented in Sect. 4.1.

Iterative Characteristic. For the \(\alpha \) in Table 2, which maximize the probability \(\mathcal {P}_{\mathcal {C}_4}\times \mathcal {P}_{\mathcal {I}_1}\), the characteristic \(\mathcal {C}_4\) is particular since a cancellation of the difference occurs every second round. For instance, we can have \(Y^O_{R+1}\oplus X^I_{R} =\alpha \), \(Y^O_{R+2}\oplus X^I_{R-1} =0\), \(Y^O_{R+3}\oplus X^I_{R-2} =\alpha \), \(Y^O_{R+4}\oplus X^I_{R-3} =0\), and \(Y^O_{R+5}\oplus X^I_{R-4} =\alpha \). Then every second folded round can be passed with probability one, and it can be applied iteratively to minimize the probability of the characteristic. Such characteristic are easily found even by hand. We just look for \(\alpha \) such that \(\alpha \) and \(M^{-1}(\alpha )\) are non-zero on exactly the same nibble position. Such a cancellation property occurs for some particular values of \(\alpha \). When \(w(\alpha )=4\), the cancellation property leads to an attack on 12 rounds of the cipher. No \(\alpha \) with less than 4 active nibbles or with \(w(\alpha )=5\) can satisfy the cancellation property. Nevertheless some \(\alpha \) with 6 active nibbles have characteristic which cancel the difference after two rounds. As for these \(\alpha \), \(Y^O_{R+3}\oplus X^I_{R-2} =\alpha \) with probability \(\mathcal {P}_{\mathcal {C}_2}\le 2^{-16}\), the iterative characteristic \(\mathcal {C}_u\) can be applied only once and a distinguisher on 6 rounds with probability \(p\), where \(2^{-49}\le p\le 2^{{-48}}\), leads to a key-recovery attack on 8 rounds.

Non-Iterative Characteristic. In Table 3, we give other values of \(\alpha \), which allow an attack on 12 rounds. While the list is not exhaustive, this table illustrates that also \(\alpha \) with larger weight can lead to an attack on 12 rounds. Different characteristic for the same \(\alpha \) can be derived. While the weight of \(\varDelta ^*\) is larger for these characteristics, the time complexity of this attack is still reasonable. While the list of \(\alpha \) with a key recovery attack on 12 rounds is already quite large, the number of \(\alpha \) such that attacks on 6, 8, or 10 rounds are possible is even larger. Search for \(\alpha \) of this sort can be done by adjusting the constraint of the Branch and Bound algorithm.

5.3 Maximizing \(\mathcal {P}_{\mathcal {I}_2}\) for Combination with \(\mathcal {C}_u\)

Finding the values of \(\alpha \) which maximize \(\mathcal {P}_{\mathcal {I}_2}\) can be done exhaustively by decomposing over the matrices \(\hat{M}_\epsilon \), \(\epsilon =0,1\), see Sect. 5.1. Computation for \(2^{16}\) values of \(\beta \) gives us the list of best \(\alpha \) regarding to this characteristic. In what follows, we focus on \(\beta \ne 0\) such that \(2^{-12}\le \mathcal {P}_{\hat{M}_\epsilon }^{(\beta )}\le 2^{-10.54}\). As \(\mathcal {P}_{\hat{M}_\epsilon }^{0}\le 2^{-8}\), we obtain a list of \(63^2\times 73^2\approx 2^{24.33}\) values of \(\alpha \) for which \(2^{-48}\le \mathcal {P}_{\mathcal {C}_2}\le 2^{-34.54}\). Two values of \(\alpha \) reach this upper bound. They are \(\alpha =\mathtt{0000111100000000}\) and \(\alpha =\mathtt{0000000011110000}\).

The values \(\alpha \) which maximize \(\mathcal {I}_2\) and for which 10 rounds of a PRINCE-like cipher can be distinguished from random also allow a combination of \(\mathcal {C}_4\) and \(\mathcal {I}_1\). For instance, for \(\alpha =\mathtt{0000408000008040}\) we have a characteristic with \(\mathcal {P}_{\mathcal {C}_3}=2^{-19}\) and \(\mathcal {P}_{\mathcal {I}_2}=2^{-40}\). None of these characteristics give a better cryptanalysis results than the ones given in Table 2. While for the attacks on 12 rounds all values of \(\alpha \) are such that \(w(\alpha )\ge 4\), we can find \(\alpha \) of smaller nibble weight which allow a key recovery attack on a 10-round cipher using a combination of \(\mathcal {C}_2\) and \(\mathcal {I}_2\) as illustrated in Table 4.

Table 4. Example of \(\alpha \) with attack on 10 rounds and \(w(\alpha )=2\) (using \(C_2\circ \mathcal {I}_2\)). Computation done for \(P_S=95\,\%\) and \(a=16\).
Full size table

For all the \(\alpha \) presented in this section, also other characteristics can be derived. Complexities of our attacks are based on the best characteristic.

5.4 Impossible Attack

If \(\mathcal {P}_{\mathcal {I}_2}=0\), a deterministic distinguisher on 4 rounds of the cipher can be built. It leads to a key-recovery attack for a 6-round cipher described in Sect. 4.2. The time complexity of this attack correspond to \(2^{126.56}\) encryptions and \(2^{67}\) bytes are necessary for the storage of the hash table. This attack is efficient, in particular, for \(\alpha =\mathtt{C0AC29b7C97C50DD}\) of PRINCE. But we can find many more values of \(\alpha \) with \(\mathcal {P}_{\mathcal {I}_2}=0\).

As specified by Eq. (8), the computation of \(\mathcal {P}_{\mathcal {C}_2}\) can be decomposed over \(\hat{M}_0\) and \(\hat{M}_1\). For \(\hat{M_0}\), the number of \(\beta \in \mathbb {F}_2^{16}\) for which \(\mathcal {P}^{(\beta )}_{\hat{M_0}}=0\) is \(5940\). For \(\hat{M_1}\), the number of \(\beta \) for which \(\mathcal {P}^{(\beta )}_{\hat{M_1}}=0\) is \(6914\). In total, we deduce that the impossible distinguisher is valid for approximately \(2\cdot (2^{12.54})\times 2^{48}+2\cdot (2^{12.76})\times 2^{48}=2^{62.65}\) values of \(\alpha \).

Using the fact that \(\hat{M}_0\) and \(\hat{M}_1\) have no fixed points of weight \(1\), we conclude that \(\mathcal {P}_{\mathcal {C}_2}=0\), for all \(\alpha \) with only 1 or 3 non-zero nibbles. Also a large number of \(\alpha \) with 2, 4 and 5 non-zero nibbles allow this impossible distinguisher. We also found that for some \(\alpha \) with 4 active nibbles we have an attack on 12 rounds, while for some other \(\alpha \) the best attack we found is on 6 rounds only. Hence the weight of \(\alpha \) alone does not prove anything about security or insecurity against the reflection attacks discussed in this paper.

5.5 Truncated Attack

When the linear layer is defined as in the original proposal, using the shift row operation of the AES, truncated reflection distinguishers can be derived for \(\alpha \) such that \(M^{-1}({\alpha })\) has a small number of active nibbles. Proof of the characteristic presented below can be found in Appendix A.2.

Lemma 2

Assume \(\alpha \) is such that \(M^{-1}(\alpha )=\) \( \left[ \begin{array}{cccc} *&{}0&{}0&{}0\\ 0&{}0&{}0&{}*\\ 0&{}0&{}*&{}0\\ 0&{}*&{}0&{}0\\ \end{array}\right] \), where \(*\) can be any 4-bit value. Then the following truncated characteristic

$$\begin{aligned} Y_{R+3}^O\oplus X_{R-2}^I = {\small \left[ \begin{array}{cccc} *&{}0&{}0&{}0\\ *&{}0&{}0&{}*\\ *&{}0&{}*&{}0\\ *&{}*&{}0&{}0\\ \end{array}\right] } \oplus \alpha , \end{aligned}$$
(9)

holds on 6 rounds \(\mathfrak {R}_{R-2}\circ \cdots \circ \mathfrak {R}_{R+3}\) of the cipher with probability \(\mathcal {P}_{F_{M'}}= 2^{-32}\). Similar characteristics can be obtained for \(\alpha \) such that:

$$\begin{aligned} M^{-1}(\alpha )={ \left[ \begin{array}{cccc} 0&{}*&{}0&{}0\\ *&{}0&{}0&{}0\\ 0&{}0&{}0&{}*\\ 0&{}0&{}*&{}0\\ \end{array}\right] }~~ or~~ M^{-1}(\alpha )={ \left[ \begin{array}{cccc} 0&{}0&{}*&{}0\\ 0&{}*&{}0&{}0\\ *&{}0&{}0&{}0\\ 0&{}0&{}0&{}*\\ \end{array}\right] }~~ or~~ M^{-1}(\alpha )={ \left[ \begin{array}{cccc} 0&{}0&{}0&{}*\\ 0&{}0&{}*&{}0\\ 0&{}*&{}0&{}0\\ *&{}0&{}0&{}0\\ \end{array}\right] .} \end{aligned}$$

In all four cases of the characteristics, nine nibbles of the data difference are equal to those of \(\alpha \). Hence the probability of such a truncated characteristic is \(2^{-36}\).

By the previous lemma, such truncated characteristics exist for \(4 \times (2^{16}-1)\approx 2^{18}\) values of \(\alpha \). While distinguisher of Sects. 5.2 and 5.3 focused on \(\alpha \) with a small number of active nibbles, this distinguisher is targeted on \(\alpha \), for which \(M^{-1}(\alpha )\) has a small number of active nibbles, but \(\alpha \) itself can have any number of non-zero nibbles. As an example, we give

$$\begin{aligned} \alpha ={ \left[ \begin{array}{cccc} \mathtt{7}&{}\mathtt{1}&{}\mathtt{C}&{}\mathtt{B}\\ \mathtt{9}&{}\mathtt{5}&{}\mathtt{9}&{}\mathtt{3}\\ \mathtt{9}&{}\mathtt{A}&{}\mathtt{5}&{}\mathtt{9}\\ \mathtt{3}&{}\mathtt{6}&{}\mathtt{8}&{}\mathtt{D}\\ \end{array} \right] , }\quad M^{-1}(\alpha )={ \left[ \begin{array}{cccc} \mathtt{7}&{}\mathtt{0}&{}\mathtt{0}&{}\mathtt{0}\\ \mathtt{0}&{}\mathtt{0}&{}\mathtt{0}&{}\mathtt{B}\\ \mathtt{0}&{}\mathtt{0}&{}\mathtt{D}&{}\mathtt{0}\\ \mathtt{0}&{}\mathtt{9}&{}\mathtt{0}&{}\mathtt{0}\\ \end{array}\right] .} \end{aligned}$$

This truncated distinguisher enables a key-recovery attack for a cipher reduced to eight rounds in the same way that the key recovery attack described in Sect. 4. The keys \(k_0\) and \(k_1\) can then be recovered independently. In Appendix A.2 details of this key recovery attack are explained. This key recovery attack has data complexity \(2^{36.85}\), time complexity of \(2^{97.8}\) memory accesses and \(2^{80}\) full encryptions. The memory complexity is dominated by the storage of \(2^{63.6}\) bytes for the hash table.

Several other kinds of truncated reflection characteristics can be derived for different configuration of \(M^{-1}(\alpha )\). For instance, in some configurations, where \(M^{-1}(\alpha )\) has up to eight non-zero nibbles a key-recovery attack on a 6-round cipher can be done using a distinguisher on 4 rounds.

6 Conclusion

In this paper, we investigated the security of a family of ciphers, which includes the new design PRINCE. This family is characterized by the \(\alpha \)-reflection property. We constructed new types of characteristics for such ciphers starting from a probabilistic or impossible relation on the midmost rounds of the cipher. By using properties of the constant \(\alpha \) and the symmetry of the cipher, such reflection characteristics can be considered as differential characteristics over a half of the cipher, and in particular, their probabilities can be computed efficiently using ordinary differential probabilities over the non-linear components of the cipher. In the security analysis of PRINCE given in [2] the properties of \(\alpha \) did not receive much attention. In this paper, we show that the security of PRINCE-like ciphers depends strongly on the choice of the value of \(\alpha \). By keeping the other components of PRINCE as in the original design, and by varying the value of \(\alpha \), we identified special classes of \(\alpha \) for which reduced-round versions of the cipher can be distinguished from random. The values of \(\alpha \) in the weakest class allow an efficient key-recovery attack on \(12\) rounds of the cipher. These results show that the security of PRINCE is not independent of the value of \(\alpha \). On the other hand, the best attack we could construct using this technique on PRINCE with the original value of the reflection parameter \(\alpha \), was a key recovery attack on a reduced 6-round version of the cipher. While the new technique, which exploits the special reflection structure of the cipher, did not reveal any vulnerabilities in the original design, it provided new information about the security criteria for the selection of the reflection parameter as well as other componenets of the cipher.