
Meet-in-the-Middle Attacks and Structural Analysis of Round-Reduced PRINCE

Journal of Cryptology

Abstract

NXP Semiconductors and its academic partners challenged the cryptographic community to find practical attacks on the block cipher they designed, PRINCE. Instead of trying to attack as many rounds as possible using attacks which are usually impractical despite being faster than brute force, the challenge invites cryptographers to find practical attacks and encourages them to actually implement them. In this paper, we present new attacks on round-reduced PRINCE, including the ones which won the challenge in the 4-, 6- and 8-round categories, the highest for which winners were identified. Our first attacks rely on a meet-in-the-middle approach and break up to ten rounds of the cipher. We also describe the heuristic methods we used to find practical SAT-based and differential attacks. Finally, we present an analysis of the cycle structure of the internal rounds of PRINCE, leading both to a low-complexity distinguisher for 4-round PRINCE-core and to an alternative representation of the cipher, valid in particular contexts, which highlights a poor diffusion in these cases.


Notes

  1. Actually, a structure of size \(2^{12}\) where the first three nibbles take all values contains 64 right families with probability about \(2^{-5.9}\). If we reduce these to form the structures of \(2^{9}\) plaintext/ciphertext encryptions we described, only some of these 64 families are still present, hence the presence of either 0 or several right families in a structure.

  2. Each structure yields \(2^{9-3}=2^6\) families for each of the \(4^3\) interesting input differences so that we consider the families by groups of \(2^{12}\). This implies that a collision has a probability of about \({2^{12} \atopwithdelims ()2} \cdot 2^{-64} \approx 2^{-41}\).

  3. A clause is the logical OR of several variables, e.g., \(a \vee b\), a, \(\overline{a} \vee b \vee \overline{c}\) where \(\overline{x}\) is the negation of x.

  4. Recall that the probability for x to be on a cycle of length \(\ell \) for a permutation of \([0, n-1]\) is 1/n. Indeed, let \(x_0 = x\); we require that \(x_1 = p(x_0) \notin \{x_0\}\), \(x_2 = p(x_1) \notin \{x_0, x_1\}\), \(\ldots \), so the probability that x belongs to an \(\ell \)-cycle is \(\frac{n-1}{n} \cdot \frac{n-2}{n-1} \ldots \frac{n-\ell }{n-\ell + 1} \cdot \frac{1}{n - \ell } = 1/n\). Hence, the probability that the length is smaller than \(2^{15}\) for a permutation of \([0, 2^{64}-1]\) is \(\sum _{\ell =1}^{2^{15}} 2^{-64} = 2^{-49}\).

  5. In each column, 16 bits from the corresponding column of \(k_{1}\) are used as well as 16 bits from the corresponding column of \(SR^{-1}(k_{1})\). Since the top nibble of these two sets is the same, we are left with \(32-4=28\) bits.


Acknowledgements

The authors thank Alex Biryukov for useful discussions about the differential attack on PRINCE. We also thank NXP Semiconductors for organizing the PRINCE challenge and sending us our rewards! The work of the authors was supported by the CORE ACRYPT project (ID C12-15-4009992) and funded by the Fonds National de la Recherche (Luxembourg).

Corresponding author

Correspondence to Patrick Derbez.

Additional information

Communicated by Vincent Rijmen.


Patrick Derbez and Léo Perrin were supported by the CORE ACRYPT project from the Fond National de Recherche (Luxembourg).

This article is the full version of the article with the same title published at Fast Software Encryption 2015.

Appendices

A The Second 6-Round Attack

See Fig. 12.

Fig. 12. 6r attack. No difference in white nibbles. Nibbles required in the online (resp. offline) phase are in gray (resp. black). Differences in dotted nibbles are known during the offline phase. Hatched nibbles play no role.

B The Second 8-Round Attack

See Fig. 13.

Fig. 13. 8r attack. No difference in white nibbles. Nibbles required in the online (resp. offline) phase are in gray (resp. black). Differences in dotted nibbles are known during the offline phase. Hatched nibbles play no role.

C The Second 5.5-Round Trail

See Fig. 14.

Fig. 14. The second 5.5-round trail \(\mathcal {T}_{2}\).

Fig. 15. 4r attack. Hatched bits play no role.

D Simple Meet-in-the-Middle Attacks

In this section, we describe two attacks on round-reduced PRINCE. Both are simple meet-in-the-middle attacks requiring only a few known plaintext/ciphertext pairs to work.

D.1 4-Round Attack

D.1.1 Simple Attack

We begin by presenting a simple attack on 4-round PRINCE with a complexity of around \(2^{40}\), depicted in Fig. 15. It is based on the following two equations, which involve only a few bits of the middle states y and \(y'\):

$$\begin{aligned} \left\{ \begin{array}{l} y[38]_b \oplus y[46]_b = y'[38]_b \oplus y'[46]_b \\ y[39]_b \oplus y[43]_b \oplus y[47]_b = y'[47]_b \end{array} \right. \end{aligned}$$

Let \(K_p\) (resp. \(K_c\)) be the set of key bits required to compute \(y[38]_b \oplus y[46]_b\) and \(y[39]_b \oplus y[43]_b \oplus y[47]_b\) from p (resp. \(y'[38]_b \oplus y'[46]_b\) and \(y'[47]_b\) from c). Then the attack scenario is:

  1. Ask for n known plaintext/ciphertext pairs.

  2. Let T be an empty hash table.

  3. For all possible values of \(K_p\), do

     (a) for j from 1 to n, compute \(y^{j}[38]_b \oplus y^{j}[46]_b\) and \(y^{j}[39]_b \oplus y^{j}[43]_b \oplus y^{j}[47]_b\) from the j-th plaintext;

     (b) make the sequence \(s = \left[ y^{1}[38]_b \oplus y^{1}[46]_b, y^{1}[39]_b \oplus y^{1}[43]_b \oplus y^{1}[47]_b, \ldots \right] \);

     (c) add the value of \(K_p\) to T[s].

  4. For all possible values of \(K_c\), do

     (a) for j from 1 to n, compute \(y'^{j}[38]_b \oplus y'^{j}[46]_b\) and \(y'^{j}[47]_b\) from the j-th ciphertext;

     (b) make the sequence \(s = \left[ y'^{1}[38]_b \oplus y'^{1}[46]_b, y'^{1}[47]_b, \ldots \right] \);

     (c) check whether T[s] is empty. If it is, the guess of \(K_c\) is wrong; otherwise, T[s] contains the possible value(s) for \(K_p\) and, if n is large enough, this happens only for the right guess.

In our case, both \(K_p\) and \(K_c\) can take only \(2^{40}\) values, so 40 plaintext/ciphertext pairs are enough to obtain a single candidate for \(K_p \cup K_c\) with high probability. Thus, the complexity of this attack is 40 known plaintexts and around \(2^{40}\) for both time and memory.

Saving data and memory First, we stress that \(K_p\) (resp. \(K_c\)) can be safely replaced by any basis of the vector space it spans, so let us consider them as vector spaces over \(\mathbb {F}_2\). We are now interested in the vector space \(K_p \cap K_c\). Here, a basis of this vector space is:

$$\begin{aligned}&\{k_1[36..39]_b, k_1[44..47]_b, k_0[37..39]_b, k_0[45..47]_b, k_0[40]_b \oplus \ldots \\&\quad \oplus k_0[44]_b \oplus k_1[40]_b \oplus \ldots \oplus k_1[43]_b\}. \end{aligned}$$

Thus, only 33 plaintext/ciphertext pairs are needed to discard the wrong guesses and the attack scenario becomes:

  1. Ask for n known plaintext/ciphertext pairs.

  2. For all possible values of \(K_p \cap K_c\), do

     (a) Let T be an empty hash table.

     (b) Partially encrypt/decrypt the plaintext/ciphertext pairs.

     (c) For all possible values of \(K_p\), do

         (i) for j from 1 to n, compute \(y^{j}[38]_b \oplus y^{j}[46]_b\) and \(y^{j}[39]_b \oplus y^{j}[43]_b \oplus y^{j}[47]_b\) from the j-th plaintext;

         (ii) make the sequence \(s = \left[ y^{1}[38]_b \oplus y^{1}[46]_b, y^{1}[39]_b \oplus y^{1}[43]_b \oplus y^{1}[47]_b, \ldots \right] \);

         (iii) add the value of \(K_p\) to T[s].

     (d) For all possible values of \(K_c\), do

         (i) for j from 1 to n, compute \(y'^{j}[38]_b \oplus y'^{j}[46]_b\) and \(y'^{j}[47]_b\) from the j-th ciphertext;

         (ii) make the sequence \(s = \left[ y'^{1}[38]_b \oplus y'^{1}[46]_b, y'^{1}[47]_b, \ldots \right] \);

         (iii) check whether T[s] is empty. If it is, the guess of \(K_c\) is wrong; otherwise, T[s] contains the possible value(s) for \(K_p\) and, if n is large enough, this happens only for the right guess.

All in all, the memory requirement is approximately \(25 \times 2^{25} \times 2^{-3} \approx 2^{26.7}\) bytes and the time complexity around \(33 \times 2 \times 2^{40} \times 40 / (4 \times 64) \approx 2^{43.4}\) encryptions.

Key recovery At the end of the attack, we know (or have very few candidates for) \(K_p \cup K_c\). But we still need \(128 - 65 = 63\) key bits to fully recover \(k_0\) and \(k_1\). Performing an exhaustive search at this point would increase the overall complexity of the attack and is therefore not a good idea. Instead, it is better to perform further meet-in-the-middle attacks successively. For instance, the attack depicted in Fig. 16 recovers 20 more key bits with a time complexity of around \(2^{20}\).
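As an added illustration (not code from the paper), the hash-table procedure of steps 1-4 above and the successive key-recovery MITM, run on a constructed 8-bit toy SPN with four independent subkeys rather than on PRINCE. In the toy, \(K_p\) and \(K_c\) are disjoint, so there is no intersection to factor out as in the PRINCE case; pairs_needed reproduces the paper's pair counts (33 for 4 rounds, 64 for 6 rounds) from the rule n ≥ dim(K_p ∪ K_c) / (bits filtered per pair).

```python
import random
# Constructed toy SPN, not PRINCE: 8-bit block (two nibbles) and four
# independent 8-bit subkeys k0..k3. The middle state y lies between rounds
# 2 and 3, playing the role of y / y' in the appendix's 4-round attack.
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]
INV_SBOX = [SBOX.index(i) for i in range(16)]
PERM = [0, 4, 1, 5, 2, 6, 3, 7]              # input bit i moves to bit PERM[i]
INV_PERM = [PERM.index(i) for i in range(8)]

def sub(x, box):                             # nibble-wise S-box layer
    return box[x & 0xF] | (box[x >> 4] << 4)
def permute(x, table):                       # bit permutation layer
    return sum(((x >> i) & 1) << table[i] for i in range(8))
def forward(p, k0, k1):                      # rounds 1-2: plaintext -> y
    return sub(permute(sub(p ^ k0, SBOX), PERM) ^ k1, SBOX)
def backward(c, k2, k3):                     # rounds 3-4 inverted: ciphertext -> y'
    return sub(permute(sub(c, INV_SBOX) ^ k3, INV_PERM), INV_SBOX) ^ k2
def encrypt(p, key):
    k0, k1, k2, k3 = key
    return sub(permute(sub(forward(p, k0, k1) ^ k2, SBOX), PERM) ^ k3, SBOX)

def pairs_needed(dim_union, bits_per_pair):
    # n >= dim(K_p u K_c) / bits filtered per pair: 33 for the 4-round
    # case (65 bits, 2 bits per pair), 64 for the 6-round case (128, 2).
    return -(-dim_union // bits_per_pair)

def mitm_stage1(pairs):
    # Steps 1-4 of the appendix, matching on nibble 0 of y. That nibble of y
    # depends only on K_p = (k0, low nibble of k1); nibble 0 of y' only on
    # K_c = (low nibble of k2, k3): 12 bits per side, K_p and K_c disjoint.
    T = {}
    for k0 in range(256):
        for k1lo in range(16):
            s = tuple(forward(p, k0, k1lo) & 0xF for p, _ in pairs)
            T.setdefault(s, []).append((k0, k1lo))   # T[s] <- K_p guess
    cands = []
    for k3 in range(256):
        for k2lo in range(16):
            s = tuple(backward(c, k2lo, k3) & 0xF for _, c in pairs)
            for k0, k1lo in T.get(s, ()):            # T[s] non-empty: keep
                cands.append((k0, k1lo, k2lo, k3))
    return cands

def recover_key(pairs):
    # Key recovery: a second, cheaper MITM on nibble 1 of y finds the
    # remaining 8 bits (high nibbles of k1 and k2) of each candidate.
    keys = []
    for k0, k1lo, k2lo, k3 in mitm_stage1(pairs):
        T = {}
        for k1hi in range(16):
            s = tuple(forward(p, k0, k1lo | k1hi << 4) >> 4 for p, _ in pairs)
            T.setdefault(s, []).append(k1hi)
        for k2hi in range(16):
            s = tuple(backward(c, k2lo | k2hi << 4, k3) >> 4 for _, c in pairs)
            for k1hi in T.get(s, ()):
                keys.append((k0, k1lo | k1hi << 4, k2lo | k2hi << 4, k3))
    return keys

TRUE_KEY = (0x3A, 0xC5, 0x1F, 0x9E)          # constructed secret key
# 24 key bits filtered 4 bits per pair: pairs_needed(24, 4) = 6; take 8 for margin.
PAIRS = [(p, encrypt(p, TRUE_KEY)) for p in random.Random(1).sample(range(256), 8)]
```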

Fig. 16. 4r attack. Black bits are known. Hatched bits play no role.

D.2 6-Round Attack

The 4-round attack can be extended to a 6-round attack as depicted in Fig. 17. Now, the dimension of both \(K_p\) and \(K_c\) is 96 and the dimension of the intersection is 64. Thus, it leads to an attack requiring \((2 \times 96 - 64)/2 = 64\) known plaintext/ciphertext pairs, with a memory complexity around \((96 - 64) \times 2^{96-64} \times 2^{-3} = 2^{34}\) bytes and a time complexity of approximately \(2 \times 64 \times 2^{96} \times 104 / (6 \times 64) \approx 2^{101.1}\) encryptions.

Fig. 17. 6r attack. Hatched bits play no role.

Finally, an exhaustive search can be performed to retrieve \(k_0\) and \(k_1\) without increasing the overall complexity.

E Improved 8-Round Attack

In this section, we concisely describe a second attack against 8-round PRINCE, still based on the Demirci and Selçuk technique, which requires much less memory than the attack described in Sect. 3.2.

E.1 Step 1

The first step of the attack is depicted in Fig. 18. This is a classical Demirci and Selçuk attack against 8-round PRINCE. The nibbles required in the online phase are in gray and can take \(2^{8 \times 4} = 2^{32}\) values. On the other hand, the nibbles required in the offline phase are in black and can take \(2^{80}\) values because of the (lack of) key schedule.

Fig. 18. 8r attack. No difference in white nibbles. Nibbles required in the online (resp. offline) phase are in gray (resp. black). Differences in dotted nibbles are known during the offline phase. Hatched nibbles play no role.

Here, \(\delta \)-sets contain \(2^{4} = 16\) messages and the check is performed on sequences of \((16 - 1) = 15\) differences in one nibble, i.e., on 60-bit sequences. As more than \(2^{60}\) sequences are computed during the offline phase, the attack does not filter values of gray nibbles.

E.2 Step 2

The idea is to switch the online and offline phases (in fact, both are now performed online). Given a plaintext/ciphertext pair (P, C), we compute the \(2^{32}\) possible 60-bit sequences and store them in a hash table. Then, for each value of the black nibbles, we compute the corresponding 60-bit sequence and check whether it belongs to the hash table. Only \(2^{80 - 60 + 32} = 2^{52}\) values should pass this test.

E.3 Step 3

We notice that, given a structure of \(2^{16}\) plaintexts in which the first column is active while the other ones are constant, each column of state \(y_3\) takes all possible values too. Hence, we can fix to 0 the value of four black nibbles of \(y_4\) (the ShiftRows image of a column), decreasing the time complexity by a factor of \(2^{16}\). As a result, the hash table now has to contain \(2^{48}\) sequences, \(2^{32}\) for each of the \(2^{16}\) plaintext/ciphertext pairs.

E.4 Step 4

To further decrease the number of possible values for the black nibbles, we apply the same attack but change the nibble on which the check is performed, as shown in Fig. 19. So we have to store another table containing \(2^{48}\) 60-bit sequences and guess the value of the black nibble of \(y'_2\). Only \(2^{52 + 4 - 60 + 48} = 2^{44}\) values should pass this test.

Fig. 19. Step 4. No difference in white nibbles. Nibbles required in the online (resp. offline) phase are in gray (resp. black). Differences in dotted nibbles are known during the offline phase. Hatched nibbles play no role.

E.5 Step 5

As in step 4, we perform the two other attacks corresponding to the two other positions for the black nibble on \(y'_2\). Only \(2^{28}\) values should pass this test.

E.6 Step 6

We switch the online and offline phases again, coming back to a classical Demirci and Selçuk attack. We run the four previous attacks successively to retrieve a unique plaintext/ciphertext pair together with a unique value for the first column of \(y_1\) and the whole state \(y'_1\). Indeed, we did not check whether the plaintext/ciphertext pair and the first column of \(y_1\) are the same across the four attacks, whereas they must be. Thus, only the right ones should remain at the end of the attack.

E.7 Step 7

The missing 48 bits of the key can be recovered by exhaustive search.

E.8 Complexity

The data complexity is \(2^{16}\) chosen plaintexts. The memory complexity is around \(4 \times 2^{48}\) 60-bit sequences, which is equal to \(2^{52.9}\) bytes. The time complexity is dominated by steps 2 and 3, which are equivalent to \(2^{64} \times 2^{4} \times (42 - 4)/(8 \times 16) \simeq 2^{66.25}\) encryptions.


Cite this article

Derbez, P., Perrin, L. Meet-in-the-Middle Attacks and Structural Analysis of Round-Reduced PRINCE. J Cryptol 33, 1184–1215 (2020). https://doi.org/10.1007/s00145-020-09345-0
