Cryptanalytic Time-Memory-Data Tradeoffs for FX-Constructions with Applications to PRINCE and PRIDE
The FX-construction was proposed in 1996 by Kilian and Rogaway as a generalization of the DESX scheme. The construction increases the security of an \(n\)-bit core block cipher with a \(\kappa \)-bit key by using two additional \(n\)-bit masking keys. Recently, several concrete instances of the FX-construction were proposed, including PRINCE (proposed at Asiacrypt 2012) and PRIDE (proposed at CRYPTO 2014). These ciphers have \(n=\kappa =64\), and are proven to guarantee about \(127-d\) bits of security, assuming that their core ciphers are ideal, and the adversary can obtain at most \(2^d\) data.
In this paper, we devise new cryptanalytic time-memory-data tradeoff attacks on FX-constructions. While our attacks do not contradict the security proof of PRINCE and PRIDE, nor pose an immediate threat to their users, some specific choices of tradeoff parameters demonstrate that the security margin of the ciphers against practical attacks is smaller than expected. Our techniques combine a special form of time-memory-data tradeoffs, typically applied to stream ciphers, with recent analysis of FX-constructions by Fouque, Joux and Mavromati.
Keywords: Cryptanalysis, Block cipher, Time-memory-data tradeoff, FX-construction, DESX, PRINCE, PRIDE
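The FX-construction described in the abstract, as an added example that is not code from the paper: a core cipher wrapped with two masking keys, together with the Kilian-Rogaway bound of about \(n+\kappa -1-d\) bits, which gives \(127-d\) for \(n=\kappa =64\). The 16-bit Feistel core is a constructed stand-in (not PRINCE or PRIDE), and all function names are hypothetical.

```python
# Toy parameters (assumption for illustration); PRINCE and PRIDE use n = kappa = 64.
N_BITS = 16                      # block size n of the toy core cipher
KAPPA_BITS = 16                  # key size kappa of the toy core cipher
MASK = (1 << N_BITS) - 1
HALF = N_BITS // 2
HALF_MASK = (1 << HALF) - 1
ROUNDS = 8

def _round_keys(k):
    """Constructed toy key schedule: low byte of the key rotated by 2r, XOR r."""
    keys = []
    for r in range(ROUNDS):
        s = 2 * r
        rot = ((k << s) | (k >> (KAPPA_BITS - s))) & ((1 << KAPPA_BITS) - 1)
        keys.append((rot & HALF_MASK) ^ r)
    return keys

def _f(x, rk):
    """Toy Feistel round function; it need not be invertible."""
    x = ((x + rk) * 167 + 13) & HALF_MASK
    return x ^ (x >> 3)

def core_encrypt(k, block):
    l, r = block >> HALF, block & HALF_MASK
    for rk in _round_keys(k):
        l, r = r, l ^ _f(r, rk)
    return (l << HALF) | r

def core_decrypt(k, block):
    l, r = block >> HALF, block & HALF_MASK
    for rk in reversed(_round_keys(k)):
        l, r = r ^ _f(l, rk), l
    return (l << HALF) | r

def fx_encrypt(k, k1, k2, p):
    """FX: mask the input with k1, apply the core under k, mask the output with k2."""
    return core_encrypt(k, p ^ k1) ^ k2

def fx_decrypt(k, k1, k2, c):
    """Inverse of fx_encrypt: strip k2, invert the core, strip k1."""
    return core_decrypt(k, c ^ k2) ^ k1

def fx_security_bits(n, kappa, d):
    """Proven bound (ideal core, at most 2^d data): about n + kappa - 1 - d bits."""
    return n + kappa - 1 - d

if __name__ == "__main__":
    k, k1, k2 = 0xBEEF, 0x1234, 0xA5A5   # constructed sample keys
    c = fx_encrypt(k, k1, k2, 0x0042)
    print(hex(c), hex(fx_decrypt(k, k1, k2, c)), fx_security_bits(64, 64, 32))
```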