Reflection Cryptanalysis of PRINCE-like Ciphers Hadi Soleimany 1 , - PowerPoint PPT Presentation

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α -reflection Conclusions Reflection Cryptanalysis of PRINCE-like Ciphers Hadi Soleimany 1 , Céline Blondeau 1 , Xiaoli Yu 2 , 3 , Wenling Wu 2 , Kaisa Nyberg 1 , Huiling Zhang 2 , Lei Zhang 2 , Yanfeng Wang 2 1 Department of Information and Computer Science, Aalto University School of Science, Finland 2 Institute of Software, Chinese Academy of Sciences, P. R. China 3 Graduate University of Chinese Academy of Sciences, P. R. China FSE 2013 1 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α -reflection Conclusions Outline Description of PRINCE-like Ciphers 1 Distinguishers 2 Key Recovery 3 Various Classes of α -reflection 4 Conclusions 5 2 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α -reflection Conclusions Description of PRINCE-like Ciphers 1 Distinguishers 2 Key Recovery 3 Various Classes of α -reflection 4 Conclusions 5 3 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α -reflection Conclusions Description of PRINCE-like cipher Low-latency SPN block cipher was proposed at ASIACRYPT2012. 3 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α -reflection Conclusions Description of PRINCE-like cipher Low-latency SPN block cipher was proposed at ASIACRYPT2012. Based on the so-called FX construction 3 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α -reflection Conclusions Description of PRINCE-like cipher Low-latency SPN block cipher was proposed at ASIACRYPT2012. Based on the so-called FX construction The key is split into two parts of n bits k = k 0 || k 1 . k ′ k 0 0 ❄ ❄ ✲ ✲ PRINCE core ❝ ❝ 3 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α -reflection Conclusions Description of PRINCE-like cipher Low-latency SPN block cipher was proposed at ASIACRYPT2012. Based on the so-called FX construction The key is split into two parts of n bits k = k 0 || k 1 . k ′ k 0 0 ❄ ❄ ✲ ✲ PRINCE core ❝ ❝ k ′ 0 = ( k 0 ≫ 1 ) ⊕ ( k 0 ≫ ( n − 1 )) 3 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α -reflection Conclusions Description of PRINCE-like cipher Low-latency SPN block cipher was proposed at ASIACRYPT2012. Based on the so-called FX construction The key is split into two parts of n bits k = k 0 || k 1 . k ′ k 0 0 ❄ ❄ ✲ ✲ PRINCE core ❝ ❝ k ′ 0 = ( k 0 ≫ 1 ) ⊕ ( k 0 ≫ ( n − 1 )) With a property called α -reflection: D ( k 0 || k ′ 0 || k 1 )() = E ( k ′ 0 || k 0 || k 1 ⊕ α )() 3 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α -reflection Conclusions Description of PRINCE-like cipher Low-latency SPN block cipher was proposed at ASIACRYPT2012. Based on the so-called FX construction The key is split into two parts of n bits k = k 0 || k 1 . k ′ k 0 0 ❄ ❄ ✲ ✲ PRINCE core ❝ ❝ k ′ 0 = ( k 0 ≫ 1 ) ⊕ ( k 0 ≫ ( n − 1 )) With a property called α -reflection: D ( k 0 || k ′ 0 || k 1 )() = E ( k ′ 0 || k 0 || k 1 ⊕ α )() Independently of the value of α , the designers showed that PRINCE is secure against known attacks. 3 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α -reflection Conclusions Description of PRINCE-like Cipher RC 6 RC 7 ❄ ❄ ✲ ✲ ✲ S − 1 ✲ M ′ S ❝ ❝ ❝ ❝ ✻ ✻ k 1 k 1 The 2 midmost rounds 4 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α -reflection Conclusions Description of PRINCE-like Cipher RC 1 RC 2 RC 3 RC 4 RC 5 RC 8 RC 9 RC 10 RC 11 RC 12 ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ RC 6 RC 7 ❄ ❄ ✲ ✲ ✲ ✲ ✲ ✲ ✲ ✲ S − 1 ✲ ✲ ✲ ✲ ✲ ✲ M ′ R 1 R 2 R 3 R 4 R 5 S R 8 R 9 R 10 R 11 R 12 ❝ ❝ ❝ ❝ ✻ ✻ ✻ ✻ ✻ ✻ ✻ ✻ ✻ ✻ ✻ ✻ k 1 k 1 k 1 k 1 k 1 k 1 k 1 k 1 k 1 k 1 k 1 k 1 Total 12 rounds 4 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α -reflection Conclusions Description of PRINCE-like Cipher RC 1 RC 2 RC 3 RC 4 RC 5 RC 8 RC 9 RC 10 RC 11 RC 12 ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ RC 6 RC 7 ❄ ❄ ✲ ✲ ✲ ✲ ✲ ✲ ✲ ✲ S − 1 ✲ ✲ ✲ ✲ ✲ ✲ M ′ R 1 R 2 R 3 R 4 R 5 S R 8 R 9 R 10 R 11 R 12 ❝ ❝ ❝ ❝ ✻ ✻ ✁ ❆ ✻ ✻ ✻ ✻ ✻ ✻ ✻ ✻ ✻ ✻ k 1 k 1 ✁ ❆ k 1 k 1 k 1 k 1 k 1 k 1 k 1 k 1 k 1 k 1 ✁ ❆ ✁ ❆ ✁ ❆ RC r ✁ ❆ ❄ ✁ ✲ ✲ ✲ ❆ S M ❝ ❝ ✻ k 1 The first rounds 4 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α -reflection Conclusions Description of PRINCE-like Cipher RC 1 RC 2 RC 3 RC 4 RC 5 RC 8 RC 9 RC 10 RC 11 RC 12 ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ RC 6 RC 7 ❄ ❄ ✲ ✲ ✲ ✲ ✲ ✲ ✲ ✲ S − 1 ✲ ✲ ✲ ✲ ✲ ✲ M ′ R 1 R 2 R 3 R 4 R 5 S R 8 R 9 R 10 R 11 R 12 ❝ ❝ ❝ ❝ ✻ ✻ ✁ ❆ ✁ ❆ ✻ ✻ ✻ ✻ ✻ ✻ ✻ ✻ ✻ ✻ k 1 k 1 ✁ ❆ ✁ ❆ k 1 k 1 k 1 k 1 k 1 k 1 k 1 k 1 k 1 k 1 ✁ ❆ ✁ ❆ ✁ ❆ ✁ ❆ ✁ ❆ ✁ ❆ RC r RC r ✁ ❆ ✁ ❆ ❄ ❄ ✁ ✲ ✲ ✲ ❆ ✁ ✲ ✲ ✲ ❆ S M M − 1 S − 1 ❝ ❝ ❝ ❝ ✻ ✻ k 1 k 1 The last rounds 4 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α -reflection Conclusions Description of PRINCE-like Cipher RC 1 RC 2 RC 3 RC 4 RC 5 RC 8 RC 9 RC 10 RC 11 RC 12 ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ RC 6 RC 7 ❄ ❄ ✲ ✲ ✲ ✲ ✲ ✲ ✲ ✲ S − 1 ✲ ✲ ✲ ✲ ✲ ✲ M ′ R 1 R 2 R 3 R 4 R 5 S R 8 R 9 R 10 R 11 R 12 ❝ ❝ ❝ ❝ ✻ ✻ ✁ ❆ ✁ ❆ ✻ ✻ ✻ ✻ ✻ ✻ ✻ ✻ ✻ ✻ k 1 k 1 k 1 k 1 ✁ k 1 ❆ k 1 k 1 k 1 ✁ k 1 ❆ k 1 k 1 k 1 ✁ ❆ ✁ ❆ ✁ ❆ ✁ ❆ ✁ ❆ ✁ ❆ RC r RC r ✁ ❆ ✁ ❆ ❄ ❄ ✁ ✲ ✲ ✲ ❆ ✲ ✁ ✲ ✲ ❆ S M M − 1 S − 1 ❝ ❝ ❝ ❝ ✻ ✻ k 1 k 1 Related constants: RC 2 R − r + 1 = RC r ⊕ α, for all r = 1 , . . . , 2 R 4 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α -reflection Conclusions Description of PRINCE-like Cipher RC 1 RC 2 RC 3 RC 4 RC 5 RC 8 RC 9 RC 10 RC 11 RC 12 ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ RC 6 RC 7 ❄ ❄ ✲ ✲ ✲ ✲ ✲ ✲ ✲ ✲ S − 1 ✲ ✲ ✲ ✲ ✲ ✲ R 1 R 2 R 3 R 4 R 5 M ′ R 8 R 9 R 10 R 11 R 12 S ❝ ❝ ❝ ❝ ❝ ❝ ✻ ✻ ✻ ✻ ✁ ❆ ✁ ❆ ✻ ✻ ✻ ✻ ✻ ✻ ✻ ✻ ✻ ✻ k ′ k 0 k 1 k 1 ✁ ❆ ✁ ❆ k 1 k 1 k 1 k 1 k 1 k 1 k 1 k 1 k 1 k 1 0 ✁ ❆ ✁ ❆ ✁ ❆ ✁ ❆ ✁ ❆ ✁ ❆ RC r RC r ✁ ❆ ✁ ❆ ❄ ❄ ✁ ✲ ✲ ✲ ❆ ✁ ✲ ✲ ✲ ❆ S M M − 1 S − 1 ❝ ❝ ❝ ❝ ✻ ✻ k 1 k 1 The whitening key 4 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α -reflection Conclusions Description of PRINCE PRINCE-like cipher with n = 64. Constant is defined as α = 0 xc 0 ac 29 b 7 c 97 c 50 dd . The S -layer is a non-linear layer where each nibble is processed by the same Sbox. 5 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α -reflection Conclusions Description of PRINCE M ′ is an involutory 64 × 64 block diagonal matrix ( ˆ M 0 , ˆ M 1 , ˆ M 1 , ˆ M 0 ) . 6 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α -reflection Conclusions Description of PRINCE M ′ is an involutory 64 × 64 block diagonal matrix ( ˆ M 0 , ˆ M 1 , ˆ M 1 , ˆ M 0 ) .     M 0 M 1 M 2 M 3 M 1 M 2 M 3 M 0 M 1 M 2 M 3 M 0 M 2 M 3 M 0 M 1 ˆ ˆ     M 0 = M 1 =  ,  .     M 2 M 3 M 0 M 1 M 3 M 0 M 1 M 2   M 3 M 0 M 1 M 2 M 0 M 1 M 2 M 3 6 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α -reflection Conclusions Description of PRINCE M ′ is an involutory 64 × 64 block diagonal matrix ( ˆ M 0 , ˆ M 1 , ˆ M 1 , ˆ M 0 ) .     M 0 M 1 M 2 M 3 M 1 M 2 M 3 M 0 M 1 M 2 M 3 M 0 M 2 M 3 M 0 M 1 ˆ ˆ     M 0 = M 1 =  ,  .     M 2 M 3 M 0 M 1 M 3 M 0 M 1 M 2   M 3 M 0 M 1 M 2 M 0 M 1 M 2 M 3 The second linear matrix M for PRINCE is obtained by composition of M ′ and a permutation SR of nibbles by setting M = SR ◦ M ′ . 6 / 23

Description of PRINCE-like Ciphers Distinguishers Key Recovery Various Classes of α -reflection Conclusions Description of PRINCE-like Ciphers 1 Distinguishers 2 Key Recovery 3 Various Classes of α -reflection 4 Conclusions 5 7 / 23