Cryptanalytic Time-Memory-Data Tradeoffs for FX-Constructions with Applications to PRINCE and PRIDE

  • Itai Dinur
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9056)


The FX-construction was proposed in 1996 by Kilian and Rogaway as a generalization of the DESX scheme. The construction increases the security of an \(n\)-bit core block cipher with a \(\kappa \)-bit key by using two additional \(n\)-bit masking keys. Recently, several concrete instances of the FX-construction were proposed, including PRINCE (proposed at Asiacrypt 2012) and PRIDE (proposed at CRYPTO 2014). These ciphers have \(n=\kappa =64\), and are proven to guarantee about \(127-d\) bits of security, assuming that their core ciphers are ideal, and the adversary can obtain at most \(2^d\) data.
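To make the construction concrete, the following is an added example (not code from the paper or from the PRINCE/PRIDE designers) of the FX-construction as Kilian and Rogaway define it, FX_{K,K1,K2}(x) = K2 ⊕ E_K(K1 ⊕ x), wrapped around a toy 16-bit Feistel core. The core cipher, its round function, the parameters n = κ = 16 and the sample keys are assumptions chosen so the block runs instantly; they have no cryptographic strength. The `effective_security_bits` function states the Kilian-Rogaway bound for an ideal core, κ + n − 1 − d effective key bits against an adversary holding 2^d plaintext/ciphertext pairs, which for n = κ = 64 is the 127 − d figure quoted above.

```python
# Added example (not the paper's code): a toy FX-construction in the sense of
# Kilian and Rogaway, FX_{K,K1,K2}(x) = K2 xor E_K(K1 xor x), built around a
# small 16-bit Feistel core. Block size, key size, round function and sample
# keys are all constructed for illustration only.

N_BITS = 16          # block size n of the toy core (assumption, for speed)
KAPPA_BITS = 16      # core key size kappa (assumption)
ROUNDS = 8
MASK_N = (1 << N_BITS) - 1


def _round_function(half: int, round_key: int) -> int:
    """Toy 8-bit round function; any function works inside a Feistel network."""
    x = (half ^ round_key) & 0xFF
    x = (x * 0x9D + 0x1F) & 0xFF
    return ((x << 3) | (x >> 5)) & 0xFF


def _round_keys(key: int) -> list:
    """Derive ROUNDS 8-bit subkeys from the kappa-bit core key (toy schedule)."""
    return [((key >> (8 * (i % 2))) ^ (0x33 * i)) & 0xFF for i in range(ROUNDS)]


def core_encrypt(block: int, key: int) -> int:
    """Toy n-bit core block cipher E_K; a Feistel network, hence a permutation."""
    left, right = block >> 8, block & 0xFF
    for rk in _round_keys(key):
        left, right = right, left ^ _round_function(right, rk)
    return (left << 8) | right


def core_decrypt(block: int, key: int) -> int:
    """Inverse of core_encrypt: undo the Feistel rounds with subkeys reversed."""
    left, right = block >> 8, block & 0xFF
    for rk in reversed(_round_keys(key)):
        left, right = right ^ _round_function(left, rk), left
    return (left << 8) | right


def fx_encrypt(block: int, core_key: int, k1: int, k2: int) -> int:
    """FX-construction: pre-whiten with K1, apply the core, post-whiten with K2."""
    return core_encrypt((block ^ k1) & MASK_N, core_key) ^ k2


def fx_decrypt(block: int, core_key: int, k1: int, k2: int) -> int:
    """Inverse of fx_encrypt: strip K2, invert the core, strip K1."""
    return core_decrypt((block ^ k2) & MASK_N, core_key) ^ k1


def effective_security_bits(n: int, kappa: int, d: int) -> int:
    """Kilian-Rogaway bound for an ideal core: with 2^d plaintext/ciphertext
    pairs the adversary's advantage is about T / 2^(kappa + n - 1 - d), so the
    FX key offers roughly kappa + n - 1 - d effective bits. For the PRINCE and
    PRIDE parameters n = kappa = 64 this is 127 - d."""
    return kappa + n - 1 - d


def round_trip_check(samples: int = 256) -> bool:
    """Encrypt and decrypt every sample block under fixed toy keys; True if all
    invert and all ciphertexts are distinct (FX must stay a permutation)."""
    core_key, k1, k2 = 0x5A3C, 0x1234, 0xBEEF   # constructed toy keys
    seen = set()
    for x in range(samples):
        y = fx_encrypt(x, core_key, k1, k2)
        if y in seen or fx_decrypt(y, core_key, k1, k2) != x:
            return False
        seen.add(y)
    return True


if __name__ == "__main__":
    print("round trip ok:", round_trip_check())
    for d in (0, 32, 48):
        print(f"n=kappa=64, 2^{d} data -> about {effective_security_bits(64, 64, d)} bits")
```

Setting K1 = K2 = 0 reduces `fx_encrypt` to the bare core, which is the easiest way to see that the two n-bit masking keys are the only thing the construction adds; the bound function shows why the data limit d, not the 2n + κ bits of key material, governs the security claim.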

In this paper, we devise new cryptanalytic time-memory-data tradeoff attacks on FX-constructions. While our attacks do not contradict the security proof of PRINCE and PRIDE, nor pose an immediate threat to their users, some specific choices of tradeoff parameters demonstrate that the security margin of the ciphers against practical attacks is smaller than expected. Our techniques combine a special form of time-memory-data tradeoffs, typically applied to stream ciphers, with recent analysis of FX-constructions by Fouque, Joux and Mavromati.


Keywords: Cryptanalysis, Block cipher, Time-memory-data tradeoff, FX-construction, DESX, PRINCE, PRIDE


References

  1. Albrecht, M.R., Driessen, B., Kavun, E.B., Leander, G., Paar, C., Yalçın, T.: Block Ciphers – Focus on the Linear Layer (feat. PRIDE). In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 57–76. Springer, Heidelberg (2014)
  2. Barkan, E., Biham, E., Shamir, A.: Rigorous Bounds on Cryptanalytic Time/Memory Tradeoffs. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 1–21. Springer, Heidelberg (2006)
  3. Biryukov, A., Shamir, A.: Cryptanalytic Time/Memory/Data Tradeoffs for Stream Ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 1–13. Springer, Heidelberg (2000)
  4. Biryukov, A., Shamir, A., Wagner, D.: Real Time Cryptanalysis of A5/1 on a PC. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 1–18. Springer, Heidelberg (2001)
  5. Biryukov, A., Wagner, D.: Advanced Slide Attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 589–606. Springer, Heidelberg (2000)
  6. Bitcoin network graphs.
  7. Borghoff, J., et al.: PRINCE – A Low-latency Block Cipher for Pervasive Computing Applications. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012)
  8. Borst, J., Preneel, B., Vandewalle, J.: On the Time-memory Tradeoff Between Exhaustive Key Search and Table Precomputation. In: Proceedings of 19th Symposium in Information Theory in the Benelux, WIC, pp. 111–118 (1998)
  9.
  10. Daemen, J.: Limitations of the Even-Mansour Construction. In: Imai et al. (eds.) [17], pp. 495–498
  11. Dinur, I.: Cryptanalytic Time-Memory-Data Tradeoffs for FX-Constructions with Applications to PRINCE and PRIDE. Cryptology ePrint Archive, Report 2014/656 (2014)
  12. Dunkelman, O., Keller, N., Shamir, A.: Minimalism in Cryptography: The Even-Mansour Scheme Revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 336–354. Springer, Heidelberg (2012)
  13. Even, S., Mansour, Y.: A Construction of a Cipher From a Single Pseudorandom Permutation. In: Imai et al. (eds.) [17], pp. 210–224
  14. Fouque, P.-A., Joux, A., Mavromati, C.: Multi-user Collisions: Applications to Discrete Logarithm, Even-Mansour and PRINCE. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 420–438. Springer, Heidelberg (2014)
  15. Güneysu, T., Kasper, T., Novotný, M., Paar, C., Rupp, A.: Cryptanalysis with COPACOBANA. IEEE Trans. Computers 57(11), 1498–1513 (2008)
  16. Hellman, M.E.: A Cryptanalytic Time-Memory Trade-Off. IEEE Transactions on Information Theory 26(4), 401–406 (1980)
  17. Imai, H., Rivest, R.L., Matsumoto, T. (eds.): ASIACRYPT 1991. LNCS, vol. 739. Springer, Heidelberg (1993)
  18. Kilian, J., Rogaway, P.: How to Protect DES Against Exhaustive Key Search. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 252–267. Springer, Heidelberg (1996)
  19. Mentens, N., Batina, L., Preneel, B., Verbauwhede, I.: Time-Memory Trade-Off Attack on FPGA Platforms: UNIX Password Cracking. In: Bertels, K., Cardoso, J.M.P., Vassiliadis, S. (eds.) ARC 2006. LNCS, vol. 3985, pp. 323–334. Springer, Heidelberg (2006)
  20. National Institute of Standards and Technology: Recommendation for Key Management – Part 1: General (revision 3). NIST Special Publication 800-57 (2012)
  21. Rivest, R.L.: DESX (1984) (never published)
  22. Standaert, F.-X., Rouvroy, G., Quisquater, J.-J., Legat, J.-D.: A Time-Memory Tradeoff Using Distinguished Points: New Analysis & FPGA Results. In: Kaliski, B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 593–609. Springer, Heidelberg (2002)
  23.
  24. van Oorschot, P.C., Wiener, M.J.: Parallel Collision Search with Cryptanalytic Applications. J. Cryptology 12(1), 1–28 (1999)

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  1. Département d’Informatique, École Normale Supérieure, Paris, France