# Full analysis of PRINTcipher with respect to invariant subspace attack: efficient key recovery and countermeasures

## Abstract

In this paper we investigate the invariant property of PRINTcipher initially discovered by Leander et al. in their CRYPTO 2011 paper. We provide a complete study of the attack and show that there exist 64 families of weak keys for PRINTcipher–48 and as many as 115,669 for PRINTcipher–96. Moreover, we show that searching the weak key space may be substantially sped up by splitting the search process into two consecutive steps. We show that for many classes of weak keys, key recovery can be done with very small time complexity in the chosen/known plaintext scenario. In fact, at least \(2^{45}\) weak keys can be recovered in less than 10 s per key on a single PC. Still, effective countermeasures exist against the attack. On the methodological level, the method of finding all weak key families has value on its own. It is based on Mixed Integer Linear Programming and can be adapted to solving other interesting problems on similar ciphers.

## Keywords

PRINTcipher; Invariant coset attack; Mixed integer linear programming; Weak keys; Chosen plaintext attack; Key recovery

## Mathematics Subject Classification

94A60, 68P25, 90C10

## Notes

### Acknowledgments

The first author is supported by the German Science Foundation (DFG) Grant BU 630/22-1. The second author is supported in part by the NSF Grant CNS-1117936. We thank anonymous referees for their numerous valuable comments. The authors are also thankful to Yue Sun and especially to Gregor Leander for useful discussions and to Mohamed Ahmed Abdelraheem for providing a C implementation of PRINTcipher that was used in the implementation of the attacks.

## References

- 1. Abdelraheem M.A., Leander G., Zenner E.: Differential cryptanalysis of round-reduced PRINTcipher: Computing roots of permutations. In: Joux A. (ed.) FSE 2011. Lecture Notes in Computer Science, vol. 6733, pp. 1–17. Springer, Berlin (2011).
- 2. Agren M., Johansson T.: Linear cryptanalysis of PRINTcipher—trails and samples everywhere. In: Bernstein D.J., Chatterjee S. (eds.) INDOCRYPT 2011. Lecture Notes in Computer Science, vol. 7107, pp. 114–133. Springer, Berlin (2011).
- 3. Bard G.V.: Algebraic cryptanalysis. Springer, Dordrecht (2009).
- 4. Bogdanov A.: On unbalanced Feistel networks with contracting MDS diffusion. Des. Codes Cryptogr. **59**(1–3), 35–58 (2011).
- 5. Bogdanov A., Knudsen L.R., Leander G., Paar C., Poschmann A., Robshaw M.J.B., Seurin Y., Vikkelsoe C.: PRESENT—An ultra-lightweight block cipher. In: Paillier P., Verbauwhede I. (eds.) CHES 2007. Lecture Notes in Computer Science, vol. 4727, pp. 450–466. Springer, Berlin (2007).
- 6. Borghoff J., Knudsen L.R., Stolpe M.: Bivium as a mixed-integer linear programming problem. In: IMA International Conference on Cryptography and Coding. Lecture Notes in Computer Science, vol. 5921, pp. 133–152. Springer, Berlin (2009).
- 7. Bogdanov A., Knezević M., Leander G., Toz D., Varici K., Verbauwhede I.: SPONGENT: A lightweight hash function. In: Preneel B., Takagi T. (eds.) CHES 2011. Lecture Notes in Computer Science, vol. 6917, pp. 312–325. Springer, Berlin (2011).
- 8. Borghoff J., Canteaut A., Güneysu T., Kavun E.B., Knezevic M., Knudsen L.R., Leander G., Nikov V., Paar C., Rechberger C., Rombouts P., Thomsen S.S., Yalcin T.: PRINCE—A low-latency block cipher for pervasive computing applications: Extended Abstract. In: Wang X., Sako K. (eds.) ASIACRYPT 2012. Lecture Notes in Computer Science, vol. 7658, pp. 208–225. Springer, Berlin (2012).
- 9. Bulygin S., Buchmann J.: Algebraic cryptanalysis of the round-reduced and side channel analysis of the full PRINTcipher-48. In: Lin D., Tsudik G., Wang X. (eds.) CANS 2011. Lecture Notes in Computer Science, vol. 7092, pp. 54–75. Springer, Berlin (2011).
- 10. Bulygin S., Walter M.: Study of the invariant coset attack on PRINTcipher: More weak keys with practical key recovery. http://eprint.iacr.org/2012/085 (2012). Accessed 15 June 2013.
- 11. Bulygin S., Walter M., Buchmann J.: Many weak keys for PRINTcipher: Fast key recovery and countermeasures. In: Dawson E. (ed.) CT-RSA 2013. Lecture Notes in Computer Science, vol. 7779, pp. 189–206. Springer, Berlin (2013).
- 12. Cid C., Murphy S., Robshaw M.: Algebraic Aspects of the Advanced Encryption Standard. Springer, New York (2006).
- 13. de Cannière C., Dunkelman O., Knezević M.: KATAN and KTANTAN: A family of small and efficient hardware-oriented block ciphers. In: Clavier C., Gaj K. (eds.) CHES 2009. Lecture Notes in Computer Science, vol. 5747, pp. 272–288. Springer, Berlin (2009).
- 14. Guo J., Peyrin T., Poschmann A., Robshaw M.: The LED block cipher. In: Preneel B., Takagi T. (eds.) CHES 2011. Lecture Notes in Computer Science, vol. 6917, pp. 326–341. Springer, Berlin (2011).
- 15. Karakoc F., Demirci H., Harmanci A.E.: Combined differential and linear cryptanalysis of reduced-round PRINTcipher. In: Miri A., Vaudenay S. (eds.) SAC 2011. Lecture Notes in Computer Science, vol. 7118, pp. 169–184. Springer, Berlin (2012).
- 16. Knudsen L., Leander G., Poschmann A., Robshaw M.J.B.: PRINTcipher: A block cipher for IC-printing. In: Mangard S., Standaert F.-X. (eds.) CHES 2010. Lecture Notes in Computer Science, vol. 6225, pp. 16–32. Springer, Berlin (2010).
- 17. Leander G., Abdelraheem M.A., AlKhzaimi H., Zenner E.: A cryptanalysis of PRINTcipher: The invariant subspace attack. In: Rogaway P. (ed.) CRYPTO 2011. Lecture Notes in Computer Science, vol. 6841, pp. 206–221. Springer, Berlin (2011).
- 18. Mouha N., Wang Q., Gu D., Preneel B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu C.-K., Yung M., Lin D. (eds.) Inscrypt 2011. Lecture Notes in Computer Science, vol. 7537, pp. 57–76. Springer, Berlin (2011).
- 19. Stein S.W., et al.: SAGE mathematics software. The Sage Development Team. http://www.sagemath.org (2008). Accessed 15 June 2013.
- 20. Walter M., Bulygin S., Buchmann J.: Optimizing guessing strategies for algebraic cryptanalysis with applications to EPCBC. In: Kutylowski M., Yung M. (eds.) Lecture Notes in Computer Science. Springer, Berlin (2012).
- 21. Wu W., Zhang L.: LBlock: A lightweight block cipher. In: Lopez J., Tsudik G. (eds.) ACNS 2011. Lecture Notes in Computer Science, vol. 6715, pp. 327–344. Springer, Berlin (2011).
- 22. Yap H., Khoo K., Poschmann A., Henricksen M.: EPCBC—A block cipher suitable for electronic product code encryption. In: Lin D., Tsudik G., Wang X. (eds.) Lecture Notes in Computer Science, vol. 7092, pp. 76–97. Springer, Berlin (2011).
- 23. Zhao X., Wang T., Guo S.: Fault propagate pattern based DFA on SPN structure block ciphers using bitwise permutation, with application to PRESENT and PRINTcipher. http://eprint.iacr.org/2011/086.pdf (2011). Accessed 15 June 2013.