Skip to main content
SpringerLink
Log in

The resistance of PRESENT-80 against related-key differential attacks

  • Published:
Cryptography and Communications Aims and scope Submit manuscript

Abstract

We examine the security of the 64-bit lightweight block cipher PRESENT-80 against related-key differential attacks. With a computer search we are able to prove that for any related-key differential characteristic on full-round PRESENT-80, the probability of the characteristic only in the 64-bit state is not higher than 2−64. To overcome the exponential (in the state and key sizes) computational complexity of the search we use truncated differences, however as the key schedule is not nibble oriented, we switch to actual differences and apply early abort techniques to prune the tree-based search. With a new method called extended split approach we are able to make the whole search feasible and we implement and run it in real time. Our approach targets the PRESENT-80 cipher however,with small modifications can be reused for other lightweight ciphers as well.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Similar content being viewed by others

Notes

  1. CLEFIA has non-nibble oriented operations in the key schedule, however they come only after the non-linear operations which are used for proving the upper bound.

  2. By taking into account that the best previously found characteristics in S 2 have 2 active S-boxes, and extending each of them for an additional round always gives at least 3 active S-boxes (we have checked this fact).

  3. Our approach only finds an upper bound, but does not provide valid characteristics on extended number of rounds, i.e. 8. On the other hand, the output of testing the conjecture on low number of rounds (i.e. 4) does not seem to be a valid measure.

References

  1. Biryukov, A., Khovratovich, D., Nikolic, I.: Distinguisher and related-key attack on the full AES-256. In: Halevi, S. (ed.) CRYPTO, Lecture Notes in Computer Science, vol. 5677, pp. 231–249. Springer (2009)

  2. Biryukov, A., Nikolic, I.: Automatic search for related-key differential characteristics in byte-oriented block ciphers: application to AES, Camellia, Khazad and others. In: Gilbert, H. (ed.) EUROCRYPT, Lecture Notes in Computer Science, vol. 6110 pp. 322–344. Springer (2010)

  3. Biryukov, A., Nikolic, I.: Search for related-key differential characteristics in DES-like ciphers. In: Joux, A. (ed.) Fast software encryption - 18th international workshop, FSE 2011, Lyngby, Denmark, February 13-16, 2011, Revised selected papers. Lecture Notes in Computer Science, vol. 6733, pp. 18–34. Springer (2011)

  4. Blondeau, C., Gérard, B.: Multiple differential cryptanalysis: theory and practice. In: Joux, A. (ed.) Fast software encryption – 18th international workshop, FSE 2011, Lyngby, Denmark, February 13-16, 2011, Revised selected papers. Lecture Notes in Computer Science, vol. 6733, pp. 35–54. Springer (2011)

  5. Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES, Lecture Notes in Computer Science, vol. 4727, pp. 450–466. Springer (2007)

  6. Cho, J.Y.: Linear cryptanalysis of reduced-round PRESENT. In: Pieprzyk, J. (ed.) CT-RSA, Lecture Notes in Computer Science, vol. 5985, pp. 302–317. Springer (2010)

  7. Collard, B., Standaert, F.-X.: A statistical saturation attack against the block cipher PRESENT. In: Fischlin, M. (ed.) CT-RSA, Lecture Notes in Computer Science, vol. 5473, pp. 195–210. Springer (2009)

  8. Daemen, J., Rijmen, V.: The wide trail design strategy. In: Honary, B. (ed.) IMA International Conference, Lecture Notes in Computer Science, vol. 2260, pp. 222–238. Springer (2001)

  9. Daemend, J., Rijmen, V.: The design of Rijndael: AES-the advanced encryption standard. Springer (2002)

  10. Fouque, P.-A., Jean, J., Peyrin, T.: Structural evaluation of AES and chosen-key distinguisher of 9-round AES-128. In: Canetti, R.J., Garay, J.A. (eds.) CRYPTO, Lecture Notes in Computer Science, vol. 8042, pp. 183–203. Springer (2013)

  11. Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.J.B.: The LED block cipher. In: Preneel, B., Takagi, T. (eds.)Proceedings of the Cryptographic hardware and embedded systems - CHES 2011–13th International Workshop, Nara, Japan, September 28 - October 1, 2011. Lecture Notes in Computer Science, vol. 6917, pp. 326–341 Springer (2011)

  12. Joux, A. (ed.): Fast Software Encryption–18th International Workshop, FSE 2011, Lyngby, Denmark, February 13-16, 2011, Revised Selected Papers. Lecture Notes in Computer Science, vol. 6733. Springer (2011)

  13. Matsui, M.: On correlation between the order of s-boxes and the strength of DES. In: Santis, A.D. (ed.) EUROCRYPT, Lecture Notes in Computer Science, vol. 950, pp. 366–375. Springer (1994)

  14. Mouha, N., Preneel, B.: A proof that the ARX cipher Salsa20 is secure against differential cryptanalysis. IACR Cryptology ePrint Archive 2013(328) (2013)

  15. Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis using mixed-integer linear programming. In Wu, C., Yung, M., Lin, D. (eds.) Inscrypt, Lecture Notes in Computer Science, vol. 7537, pp. 57–76. Springer (2011)

  16. Nakahara, J., Sepehrdad, P., Zhang, B., Wang, M.: Linear (hull) and algebraic cryptanalysis of the block cipher PRESENT. In Garay, J.A., Miyaji, A. Otsuka, A. (eds.) CANS, Lecture Notes in Computer Science, vol. 5888, pp. 58–75. Springer (2009)

  17. Nikolic, I.: Tweaking AES. In: Biryukov, A. Gong, G., Stinson, D.R. (eds.) Selected areas in cryptography, Lecture Notes in Computer Science, vol. 6544, pp. 198–210. Springer (2010)

  18. Nyberg, K., Knudsen, L.R.: Provable security against differential cryptanalysis. In: Brickell, E. F. (ed.) CRYPTO, Lecture Notes in Computer Science, vol. 740, pp. 566–574. Springer (1992)

  19. Özen, O., Varici, K., Tezcan, C., Kocair, Ç.: Lightweight block ciphers revisited: Cryptanalysis of reduced round PRESENT and HIGHT. In: Boyd, C., Nieto, J.M.G. (eds.) ACISP, Lecture Notes in Computer Science, vol. 5594, pp. 90–107. Springer (2009)

  20. Preneel, B., Takagi, T. (eds.): Cryptographic Hardware and Embedded Systems - CHES 2011 - 13th International Workshop, Nara, Japan, September 28–October 1, 2011. Proceedings of the Lecture Notes in Computer Science, vol. 6917. Springer (2011)

  21. Shibutani, K., Isobe, T., Hiwatari, H., Mitsuda, A., Akishita, T., Shirai, T.: Piccolo: an ultra-lightweight blockcipher. In: Preneel and Takagi [20], pp. 342–357

  22. Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.: The 128-bit blockcipher CLEFIA (extended abstract). In: Biryukov, A. (ed.) FSE, Lecture Notes in Computer Science, vol. 4593, pp. 181–195. Springer (2007)

  23. Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: TWINE: A lightweight block cipher for multiple platforms. In: Knudsen, L. R., Wu, H. (eds.) Selected Areas in Cryptography, Lecture Notes in Computer Science, vol. 7707, pp. 339–354. Springer (2012)

  24. Wagner, D.: The boomerang attack. In: Knudsen, L.R. (ed.) FSE, Lecture Notes in Computer Science, vol. 1636, pp. 156–170. Springer (1999)

  25. Wang, M.: Differential cryptanalysis of reduced-round PRESENT. In: Vaudenay, S. (ed.) AFRICACRYPT, Lecture Notes in Computer Science, vol. 5023, pp. 40–49. Springer (2008)

  26. Wang, M., Sun, Y., Tischhauser, E., Preneel, B.: A model for structure attacks, with applications to PRESENT and Serpent. In: Canteaut, A. (ed.) FSE, Lecture Notes in Computer Science, vol. 7549, pp. 49–68. Springer (2012)

Download references

Author information

Authors and Affiliations

  1. Nanyang Technological University, 639798, Singapore, 50 Nanyang Ave., Singapore

    San Ling, Ivica Nikolić & Huaxiong Wang

  2. Macquarie University, Balaclava Rd., North Ryde NSW, 2109, Australia

    Sareh Emami & Josef Pieprzyk

Authors
  1. Sareh Emami
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. San Ling
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Ivica Nikolić
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Josef Pieprzyk
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Huaxiong Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ivica Nikolić.

Additional information

The researcher is supported by the Singapore National Research Foundation Fellowship 2012 NRF-NRFF2012-06.

Appendix

Appendix

1.1 An example of invalid 8-round related-key characteristic

Here we give an example of one related-key differential characteristic for 8-round PRESENT-80 found by search that has less than 10 active S-boxes, passes all the filters and is invalid (see Fig. 9). Recall that our search algorithm outputs 869 such characteristics and each of them is invalid. In the analysis given below, we would like to point out the inconsistency found in this characteristic. Other characteristics can be analyzed similarly.

Fig. 9
figure 9

An example of invalid 8-round characteristics found by the search

Full size image

We focus on the differences in the round keys. Note that they pass all of our 5 filters. However our filters are not sufficient to test completely the validity of round key differences, i.e. they might miss to filter out some invalid characteristics. One might create stronger filters but then the computational efficiency of such filters might slow down the search. The differential characteristics in the round keys is (0020) → (0003) → (0000) → (0800) → (0040) → (0002) → (0000) (see Fig. 9). Further we try to find the exact value of the difference in the round keys from the truncated ones. We analyze each round key separately, assuming that the nibbles are enumerated 1-16 plus the four nibbles 17-20 that are not used in the round key but are part of the master key. Recall that each consecutive round key is produced from the previous (along with 4 more nibbles) by a rotation by 19 bits to the right. For the differences in the round keys, we get:

  • Round key 1 - difference 0020 - There is only one active nibble at the position 11. Let the value of the difference be xyzt, where x, y, z, t are single bit differences.

  • Round key 2 - difference 0003 - The active nibbles at the positions 15 and 16 have the values 000x and y z t0. As both are active, it follows that x = 1 and one of y, z, t is 1 (otherwise these two nibbles would not be active).

  • Round key 3 - difference 0000 - No active nibbles in this round key. However, the active nibbles from the previous round key, with the rotation went to one of the nibbles 17-20. In fact, the nibble 20 has the difference 00xy = 001y while the nibble 21, which is in fact the nibble 1, has the value z t00. As the nibble 1 is not active in this round key it follows that z = t = 0.

  • Round key 4 - difference 0800 - Only one nibble at the position 5 is active. This has to correspond to the nibble at position 20 from the previous round key. Thus the value of the difference in this nibble is 01y0.

  • Round key 5 - difference 0040 - Similarly, we have only one active nibble at the position 10, with the difference 1y00.

  • Round key 6 - difference 0002 - Only one active nibble at the position 15 is active. However, if we rotate by 19 the previous round key difference 1y00, we will end up with the difference 0001 in the nibble 14, and the difference y000 in the nibble 15. As the nibble 14 is inactive, we get a contradiction.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Emami, S., Ling, S., Nikolić, I. et al. The resistance of PRESENT-80 against related-key differential attacks. Cryptogr. Commun. 6, 171–187 (2014). https://doi.org/10.1007/s12095-013-0096-8

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s12095-013-0096-8

Keywords

Search

Navigation