1 Introduction

Applications in special constrained environments such as RFID tags and sensors have recently received a lot of attention by the cryptographic community. The new secure primitives should provide the best possible security under tight constraints. Traditionally, cryptographic algorithms have been designed with large security margins to be on the secure side even when exposed to new and unknown vulnerabilities. Since lightweight ciphers must be optimized with respect to several performance criteria, such as chip size, power consumption, and energy efficiency, it is of utmost importance to analyze and quantify the cryptographic security of lightweight ciphers to reduce the superfluous security margins. New innovative and unconventional designs pose new challenges. For instance, new cipher proposals, such as PRINTcipher [24] and LED [18] with very simple key-schedule or even without key-schedule, have been developed to reduce the power consumption of the encryption algorithm. With the emergence of such constructions, new attacks have been developed.

PRINCE is a low-latency block cipher proposed at ASIACRYPT 2012 [7, 8]. It is an iterated block cipher structured as a substitution-permutation network (SPN). PRINCE has a new, original feature called the α-reflection property that involves a specific fixed parameter α. Because of this property, decryption with round key K is identical to encryption with round key K⊕α, which significantly reduces the cost of implementing decryption. The cipher has an even number of rounds, say 2R, and the round functions at rounds r and 2R−r+1, r<R, are selected to be the inverse of each other up to the round constant addition. Each round function is parameterized by a fixed round constant and a key, which are added to the round data by the exclusive-or operation. The key is the same at all rounds. The round constants are selected in pairs. The constants that form a pair have a difference equal to α, and if one of them is used on round r then the other one is used on round 2R−r+1, r≤R.

As the key-schedule of the encryption is almost non-existent, the round constants play a crucial role in preventing self-similarity attacks like slide attacks, and they have received due attention by the designers. Obviously, due to its similarity with the Even–Mansour construction [16], the cipher is vulnerable to a trivial related-key distinguishing attack. However, it is not clear how to convert it into a key-recovery attack, since the distinguisher holds for any number of rounds with probability one.

In the original proposal document, the security of PRINCE and the effects of the α-reflection were studied extensively and the cipher was shown to be secure against several known attacks with reasonable security margins. For instance, it was shown that any differential or linear characteristic over 4 consecutive rounds has at least 16 active Sboxes. This holds independently of the selection of the non-zero parameter α.

The purpose of this paper is to investigate the security of PRINCE against reflection attacks. Even if naturally suggested by the structure of the cipher, such attacks were not covered by the designers in the original proposal. The notion of reflection attack was coined by O. Kara, who presented a general framework of reflection attacks on iterated cryptographic functions [21]. The idea itself is much older and dates back to 1985, when D. Coppersmith explained the existence of short cycles in repeated encryptions with the DES using, in an alternating manner, the all-zero key and the all-one key [11]. According to Coppersmith, if a fixed point occurs at some point, the encryptions after the fixed point will revert the state back to the starting point. The idea was subsequently investigated in depth for weak and semi-weak keys of DES [26]. The contemporary reflection attacks apply this same idea, not to the full encryption function, but instead, to the round functions of an iterated cryptographic function. The recent works on generic cryptanalysis of Even–Mansour cipher also exploit the fact that distributions of differences between input and output are not completely random even for an ideal permutation [13, 15]. Moreover, there is some similarity in the process of key search between the generic attack on Even–Mansour cipher and our key-recovery attacks developed in the concrete setting of PRINCE-like ciphers presented in [28] and this paper.

In contrast to the other previously known and widely exploited attacks, such as related-key attacks and slide attacks that exploit self-similarity properties of the encryption round functions (see [4] and [5] and applications to hash functions [9]), reflection attacks are based on similarities between the encryption and decryption round functions. Hence Feistel structures with involutory round functions are natural targets of reflection cryptanalysis and they have been studied extensively [14, 19, 21, 22]. While reflection attacks are well known for Feistel ciphers, their applications to SPN ciphers cannot be found in the literature. To the best of our knowledge, the cryptanalysis of PRINCE presented in this paper is the first application of reflection cryptanalysis to SPN block ciphers.

The starting point of a reflection attack is a non-uniform distribution of fixed points on some layer of intermediate rounds of the iterated cipher. Then the fixed points are propagated backwards using decryption from this intermediate layer and, simultaneously, forwards using encryption. Due to the similarity of the corresponding encryption and decryption round functions, the endpoints resulting from this process are expected to have some relation with a biased distribution. Depending on the conditions that are imposed on the key-schedule by the similarity of encryption and decryption, the attack works for some class of weak keys, or even for all keys [21].

In this paper, we study PRINCE in a more general setting of PRINCE-like ciphers by allowing freedom in the selection of the value of α and of some other components of the cipher. We identify new types of relations over the cipher, show how they can be used as distinguishers over PRINCE, and examine how their effectiveness depends crucially on the properties of α. We call these new relations reflection characteristics. They are constructed by feeding input data of round r, r≤R, forward over 2(R−r+1) rounds and comparing it with the corresponding output data of round 2R−r+1 by exclusive-or differences. We investigate distributions of these reflection differences. Their non-uniformity properties crucially depend on the relationships between the differential properties of the round functions, the reflection parameter α and the fixed points of the middle linear layer.

In sharp contrast to differential and linear characteristics on PRINCE-like ciphers, the number of active Sboxes in a reflection characteristic strongly depends on the value of α. In particular, we show that, for some values of α, the key-recovery attack using a reflection characteristic works for the full 12-round version of the cipher with less data complexity than the whole code book. We present a known-plaintext single-key attack with a data complexity of \(2^{57.98}\) plaintexts and a time complexity of \(2^{72.39}\). This attack comes close to but does not surpass the generic attack on the FX-construction of PRINCE. By applying the same reflection characteristic to the core of the cipher, without the whitening key, we give a key-recovery attack with time complexity less than exhaustive key search and data complexity of \(2^{56.21}\) known plaintexts.

Since we developed our attack, other related cryptanalytic studies on PRINCE have appeared. In [1] a truncated attack on the original α was presented. We show the existence of a general truncated attack, which demonstrates that not only α with a small number of active nibbles should be avoided when designing a PRINCE-like cipher, but also other properties should be analyzed. Related-key key-recovery attacks have also appeared [20]. Note that while there exists a trivial related-key distinguisher on PRINCE, it cannot be used for key recovery as it holds with probability one independently of the number of rounds. In this paper we construct another, non-trivial related-key distinguisher, which can be turned into a single-key distinguisher if the attacker is given access to the decryption oracle. Based on this distinguisher we present a key-recovery attack over the 12-round core function of PRINCE for some specific choices of α.

The original α specified in [7] is not in the set of weak α found in this paper. Nevertheless, we believe that the introduction of the new distinguishers will shed light on the security of PRINCE-like ciphers and can be taken into consideration when designing ciphers according to the model of PRINCE.

The paper is organized as follows. In Sect. 2, we define a family of ciphers called PRINCE-like ciphers. In Sect. 3, different characteristics for the ciphers in this family are described and their probabilities determined. Concatenations of these characteristics are also studied in order to provide characteristics on a larger number of rounds. In Sect. 4, we show how reflection characteristics over 2R−2 rounds of the cipher can be converted to distinguishers and used for key-recovery attacks on the full 2R rounds of the PRINCE-like ciphers. In Sect. 5, we evaluate the complexity of the best reflection attacks and identify classes of the weakest α using the original S-layer and M-layer of PRINCE. In Sect. 6 we describe the truncated attacks and the related-key key-recovery attacks. To conclude, in Sect. 7 we discuss restrictions made in this work and other potential directions for finding new and better reflection attacks.

2 Brief Description of PRINCE

Distinguishers and attacks presented in this paper focus not only on the original PRINCE but are more general and can be applied to all ciphers with similar reflection structure. To this aim, let us start by describing what we call a PRINCE-like cipher.

2.1 PRINCE-Like Cipher

A PRINCE-like cipher encrypts messages of n-bit blocks by iterating 2R times a round function. We denote by \(E^{\alpha}_{k}\) the encryption function parameterized with a 2n-bit key \(k=(k_{0}\parallel k_{1}) \in\mathbb{F}_{2}^{2n}\) and the reflection parameter \(\alpha\in{\mathbb{F}_{2}^{n}}^{*}\).

The key schedule of a PRINCE-like cipher is simple. The 2n-bit key is split into two n-bit parts \(k_0\) and \(k_1\). From \(k_0\), a key \(k'_{0}\) is derived using a rotation and a shift as follows

$$\begin{aligned} k'_0=(k_0\ggg1) \oplus \bigl(k_0 \gg(n-1)\bigr). \end{aligned}$$
(1)

The keys \(k_0\) and \(k'_{0}\) are used as pre- and post-whitening keys in the encryption operation, which follows the FX-construction. The exclusive-or of the plaintext and \(k_0\) is encrypted using the core function of the cipher under the key \(k_1\), and to this result the key \(k'_{0}\) is added using the exclusive-or operation.

The core function of this cipher (denoted by PRINCEcore in the original proposal) is defined as an iteration of the 2R round functions. The n-bit key \(k_1\) is added to the state at each of the 2R rounds of the cipher. The building blocks of the round functions are a non-linear layer S composed of a set of parallel Sboxes and two different linear layers defined by n×n matrices M′ and M, where M′ is an involutory matrix. The structure of the cipher is depicted in Fig. 1.

Fig. 1. Description of a (2R=12)-round PRINCE-like cipher.

The first R−1 rounds \(\mathfrak{R}_{r}:\mathbb {F}_{2}^{n}\rightarrow\mathbb{F}_{2}^{n}\), 1≤r≤R−1, are identical. Each of them is composed, in this order, of an addition of the round constant \(RC_r\) and the key \(k_1\), the non-linear layer S and the linear permutation layer M. The last R−1 rounds \(\mathfrak{R}_{r}:\mathbb{F}_{2}^{n}\rightarrow \mathbb{F}_{2}^{n}\), R+2≤r≤2R, are, in the reverse order, equal to the inverses of the first R−1 rounds except that the round constants are modified by α so that the following holds:

$$ RC_{2R-r+1}=RC_{r}\oplus\alpha,\quad \mbox{for all } r = 1,\ldots,2R. $$
(2)

In what follows, these rounds with r≤R−1 or r≥R+2 will be called the external rounds of the PRINCE-like cipher.

The symmetry is broken by the two middle rounds R and R+1. They are different from each other and from the external rounds. Below we summarize the definitions for all rounds.

$$\begin{aligned} \begin{array}{rcl@{\quad}l} \mathfrak{R}_r(x) &=& M \bigl(S(x\oplus RC_{r}\oplus k_1) \bigr)& \textrm{if } 1\leq r \leq R-1,\\ \mathfrak{R}_r(x) &=& M' \bigl(S(x\oplus RC_{r}\oplus k_1) \bigr)& \textrm{if } r=R,\\ \mathfrak{R}_r(x) &=& S^{-1}(x)\oplus RC_{r}\oplus k_1& \textrm{if } r=R+1,\\ \mathfrak{R}_r(x) &=& S^{-1} \bigl(M^{-1}(x) \bigr)\oplus RC_{r}\oplus k_1 & \textrm{if } R+2 \leq r \leq2R. \end{array} \end{aligned}$$
(3)

The PRINCE-like ciphers have the property that decryption can be obtained from encryption with a different key. If we denote by P a plaintext, the corresponding ciphertext is computed as \(C=E_{k}^{\alpha}(P)\), where \(k= (k_{0}\parallel k'_{0}\parallel k_{1}) \). Then C can be decrypted by encrypting it using a related key as \(P = E^{\alpha}_{k'}(C)\), where \(k'=(k'_{0}\parallel k_{0}\parallel k_{1}\oplus\alpha)\).

2.2 Description of PRINCE

The full specification of PRINCE is given in [7]. It is a PRINCE-like cipher with n=64 and R=6. The reflection constant is set to α=C0AC29B7C97C50DD. Throughout this paper, we use the same convention as in the original proposal and use hexadecimal notation in typewriter type fonts to denote numerical values of bit strings. The non-linear layer S consists of 16 copies of a 4-to-4-bit Sbox given in Table 1 and each nibble is processed by the same Sbox.

Table 1. Sbox of PRINCE.

The linear layer of PRINCE is defined using four 4×4 binary matrices \(M_0, M_1, M_2, M_3\) given as follows:

$$\begin{aligned} &M_0=\left [ \begin{array}{c@{\quad}c@{\quad}c@{\quad}c} 0&0&0&0\\ 0&1&0&0\\ 0&0&1&0\\ 0&0&0&1\\ \end{array} \right ],\qquad M_1=\left [ \begin{array}{c@{\quad}c@{\quad}c@{\quad}c} 1&0&0&0\\ 0&0&0&0\\ 0&0&1&0\\ 0&0&0&1\\ \end{array} \right ], \\ &M_2=\left [ \begin{array}{c@{\quad}c@{\quad}c@{\quad}c} 1&0&0&0\\ 0&1&0&0\\ 0&0&0&0\\ 0&0&0&1\\ \end{array} \right ],\qquad M_3=\left [ \begin{array}{c@{\quad}c@{\quad}c@{\quad}c} 1&0&0&0\\ 0&1&0&0\\ 0&0&1&0\\ 0&0&0&0\\ \end{array} \right ]. \end{aligned}$$

Then two 16×16 binary matrices \(\hat{M}_{0}\) and \(\hat{M}_{1}\) are defined as:

$$\hat{M}_0=\left [ \begin{array}{c@{\quad}c@{\quad}c@{\quad}c} M_0&M_1&M_2&M_3\\ M_1&M_2&M_3&M_0\\ M_2&M_3&M_0&M_1\\ M_3&M_0&M_1&M_2\\ \end{array} \right ], \qquad \hat{M}_1=\left [ \begin{array}{c@{\quad}c@{\quad}c@{\quad}c} M_1&M_2&M_3&M_0\\ M_2&M_3&M_0&M_1\\ M_3&M_0&M_1&M_2\\ M_0&M_1&M_2&M_3\\ \end{array} \right ]. $$

Finally, a 64×64 block-diagonal and involutory matrix M′ over \({\mathbb{F}}_{2}\) is generated by setting its diagonal equal to \((\hat{M}_{0},\hat{M}_{1},\hat{M}_{1},\hat{M}_{0})\). The second linear matrix M for PRINCE is obtained by composition of M′ and a permutation SR of nibbles, that is, M=SRM′. The permutation SR is analogous to the shift row operation of the AES, but instead of bytes, it operates on nibbles.

The definition of the original round constants can be found in [7]. Exact values of the round constants are not relevant to the analysis presented in this paper. Only the α-reflection property (2) of the round constants will be exploited in the attacks discussed in this paper.

One of the goals of this paper is to study the effect of the value of α on the security of this cipher. For clarity, we denote respectively by \(\mathrm{PRINCE}^{\alpha}\) and \(\mathrm {PRINCE}^{\alpha}_{\mathrm{core}}\) the cipher and its core function when PRINCE is defined with a different but specific value α.

The description of the round functions given in Sect. 2.1 differs slightly from the original. Nevertheless, it is easy to see that both descriptions are equivalent.

3 Distinguishers for PRINCE-Like Ciphers

In this section, different reflection characteristics on PRINCE-like ciphers are constructed and investigated. The necessary notation for describing these characteristics is depicted in Fig. 1 and explained next in more detail.

Given the round number r, 1≤r≤R, we denote by \(X^{I}_{r}\) the input state of the round number r, and by \(X^{K}_{r}\), \(X^{S}_{r}\) and \(X^{M}_{r}\), the states after the key and round constant addition, after the S-layer, and after the M-layer, respectively. In order to exploit the symmetry of the cipher, we give different definitions if R+1≤r≤2R. For these rounds, we denote by \(Y^{O}_{r}\) the output state of the round number r, and by \(Y^{K}_{r}\), \(Y^{S}_{r}\) and \(Y^{M}_{r}\), the states before the key and round constant addition, before the S-layer, and before the M-layer, respectively.

To build a distinguisher on a PRINCE-like cipher, we introduce two types of characteristics. First we focus on the middle rounds of the cipher which are different from the external ones. Characteristics on the middle rounds depend on the property of the matrix M′. Then by using a folded view of the cipher and the α-reflection property, we extend these characteristics to the external rounds of the cipher.

3.1 Characteristics on the Middle Rounds

We identify two kinds of characteristics on 2 or 4 middle rounds of the cipher. The first characteristic on the 2 midmost rounds is independent of the reflection parameter. The second one is defined on 4 rounds and extends over one round before and one round after the midmost rounds. It behaves differently depending on the reflection parameter. The probability of each of these characteristics depends on the number of fixed points of the matrix M′.

Definition 1

Let f: A→A be a function on a set A. A point x∈A is called a fixed point of the function f if and only if f(x)=x.

In [7] it is stated, based on the result of [17], that the number of fixed points of an involution \(f:\mathbb {F}_{2}^{n}\rightarrow\mathbb{F}_{2}^{n}\) is on average equal to \(2^{n/2}\). While the result of [17] holds in general, restricting to the case of linear involutions f over \(\mathbb {F}_{2}\) gives the following result.

Lemma 1

Let \(f:\mathbb{F}_{2}^{n}\rightarrow\mathbb{F}_{2}^{n}\) be a linear involution. Then the number of fixed points of f is greater than or equal to \(2^{n/2}\).

Proof

Let us denote B=f⊕I, where I is the n×n identity matrix over \(\mathbb{F}_{2}\). Then \(B^2=0\), which means that \(\operatorname{Im}(B) \subset{\operatorname{Ker}}(B)\). As \(\operatorname{dim}(\operatorname{Ker}(B)) + \operatorname{dim}(\operatorname{Im}(B)) = n\), we have \(\operatorname{dim}(\operatorname{Ker}(B)) \geq\frac{n}{2}\). As \(\operatorname{Ker}(B)\) is the set of fixed points of f, the claim follows. □

In what follows, we denote by \(F_{M'}\) the set of fixed points of the matrix M′ and by \(|F_{M'}|\) the size of this set, which by Lemma 1 is larger than or equal to \(2^{n/2}\).

Characteristic \(\mathcal{I}_{1}\)

The characteristic

$$Y_{R+1}^O \oplus X_R^I = \alpha $$

over two rounds \(\mathfrak{R}_{R+1}\circ\mathfrak{R}_{R}\) of a PRINCE-like cipher holds with probability

$$\begin{aligned} \mathcal{P}_{\mathcal{I}_1}=\mathcal{P}_{F_{M'}}= \frac{|F_{M'}|}{2^{n}}. \end{aligned}$$

Characteristic \(\mathcal{I}_{1}\) is depicted in Fig. 2(a). By Lemma 1 we have that \(\mathcal{P}_{\mathcal{I}_{1}} \geq 2^{-n/2}\). As the matrix M′ of PRINCE has exactly \(2^{32}=2^{n/2}\) fixed points, it minimizes the probability of \(\mathcal{I}_{1}\). The probability of the characteristic \(\mathcal{I}_{1}\) is then \(\mathcal{P}_{\mathcal{I}_{1}}=\frac {2^{32}}{2^{64}}=2^{-32}\).

Fig. 2. Middle-round characteristics.

Characteristic \(\mathcal{I}_{2}\)

The characteristic

$$Y_{R+2}^O \oplus X_{R-1}^I = \alpha $$

over four rounds \(\mathfrak{R}_{R+2}\circ\mathfrak{R}_{R+1}\circ \mathfrak{R}_{R}\circ \mathfrak{R}_{R-1}\) of a PRINCE-like cipher holds with probability

$$\begin{aligned} \mathcal{P}_{\mathcal{I}_2}=2^{-n}\# \bigl\{ x\in\mathbb{F}_2^{n} \mid S^{-1} \bigl(M' \bigl(S(x) \bigr) \bigr)\oplus x = \alpha \bigr\} . \end{aligned}$$

Characteristic \(\mathcal{I}_{2}\) is depicted in Fig. 2(b). Next we show that an estimate of \(\mathcal {P}_{\mathcal{I}_{2}}\) can be computed efficiently. We write

$$\begin{aligned} \mathcal{P}_{\mathcal{I}_2} =& 2^{-n}\sum _{\varDelta \in\mathbb {F}_2^{n}} \# \bigl\{ x\in\mathbb{F}_2^{n} \mid M' \bigl(S(x) \bigr)\oplus S(x) =\varDelta , S(x\oplus\alpha)\oplus S(x) = \varDelta \bigr\} . \end{aligned}$$

The set under summation is non-empty only if \(\varDelta \in {\operatorname{Im}}(M'\oplus I)\). We then deduce as in the proof of Lemma 1 that \(\varDelta \in F_{M'}\), and obtain the following equation

$$\begin{aligned} \mathcal{P}_{\mathcal{I}_2} =& 2^{-n}\sum _{\varDelta \in F_{M'}} \# \bigl\{ x\in\mathbb{F}_2^{n} \mid M' \bigl(S(x) \bigr)\oplus S(x) = \varDelta , S(x\oplus \alpha) \oplus S(x) = \varDelta \bigr\} . \end{aligned}$$

The expression on the right hand side can be efficiently evaluated as the summation is taken over the fixed points only.

As M′ in PRINCE is a block-diagonal matrix constructed from the 16×16 matrices \(\hat{M}_{0}\) and \(\hat{M}_{1}\), probability \(\mathcal{P}_{\mathcal {I}_{2}}\) can be computed exactly by computing the following probabilities:

$$\begin{aligned} \mathcal{P}_{\hat{M}_0}^{(\beta)} =&2^{-16}\# \bigl\{ x\in \mathbb {F}_2^{16}|S^{-1} \bigl( \hat{M}_0 \bigl(S(x) \bigr) \bigr)\oplus x=\beta \bigr\} , \\ \mathcal{P}_{\hat{M}_1}^{(\beta)} =&2^{-16}\# \bigl\{ x\in \mathbb {F}_2^{16}|S^{-1} \bigl( \hat{M}_1 \bigl(S(x) \bigr) \bigr)\oplus x=\beta \bigr\} , \end{aligned}$$

where β is a 16-bit word and S is the application of 4 Sboxes. Then if \(\alpha=(\alpha_0,\alpha_1,\alpha_2,\alpha_3)\), we have

$$\begin{aligned} \mathcal{P}_{\mathcal{I}_2}=\mathcal{P}_{\hat{M}_0}^{(\alpha _0)} \times \mathcal{P}_{\hat{M}_1}^{(\alpha_1)}\times \mathcal{P}_{\hat {M}_1}^{(\alpha_2)} \times \mathcal{P}_{\hat{M}_0}^{(\alpha_3)}. \end{aligned}$$
(4)

This characteristic is useful for building a distinguisher if \(\mathcal{P}_{\mathcal{I}_{2}} > 2^{-n}\). But depending on M′ and the value of α, it is also possible that \(\mathcal{P}_{\mathcal{I}_{2}}=0\). In this case we get an impossible reflection characteristic. We will show in Sect. 4.2 how characteristic \(\mathcal{I}_{2}\), even if impossible, can be used for a distinguisher. Such a situation occurs if S(x⊕α)⊕S(x) is never equal to a fixed point of M′.
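The following script is an added example (not code from the paper or from the PRINCE designers) that puts the definitions of Sect. 2 and the analysis of Sect. 3.1 into executable form: it assembles a PRINCE-like cipher from Eqs. (1)–(3) and the matrices \(M_0,\dots,M_3\), checks the α-reflection property \(P=E^{\alpha}_{k'}(E^{\alpha}_{k}(P))\) with \(k'=(k'_0\parallel k_0\parallel k_1\oplus\alpha)\), counts the fixed points of M′ (Lemma 1 and the value \(2^{32}\) stated for PRINCE), and evaluates \(\mathcal{P}_{\mathcal{I}_2}\) for a given α through the block probabilities of Eq. (4). Assumptions of the example: the S-box is the one from the PRINCE specification (hexadecimal string BF32AC916780E5D4; Table 1 is not reproduced on this page); nibble 0 is the most significant nibble and bit 4i+b of a block is bit b, most significant first, of nibble i; SR is taken as AES ShiftRows on the 4×4 nibble array; the round constants are constructed values that satisfy Eq. (2), which is the only property of them the analysis uses.

```python
"""Added example (not the paper's code): a PRINCE-like cipher from Sect. 2 (Eqs. (1)-(3),
M' built from M_0..M_3), the alpha-reflection property, fixed points of M' (Lemma 1)
and P_{I_2}(alpha) via Eq. (4).  Assumed: PRINCE S-box BF32AC916780E5D4, nibble 0 most
significant, bit 4i+b of a block = bit b (MSB first) of nibble i, SR = AES ShiftRows on
the 4x4 nibble array; round constants below are constructed, only Eq. (2) matters."""
from functools import lru_cache

SBOX = [0xB, 0xF, 0x3, 0x2, 0xA, 0xC, 0x9, 0x1, 0x6, 0x7, 0x8, 0x0, 0xE, 0x5, 0xD, 0x4]
SBOX_INV = [SBOX.index(v) for v in range(16)]
MASK64 = (1 << 64) - 1

def m_hat(shift):
    """\\hat M_0 (shift 0) / \\hat M_1 (shift 1): 16 rows packed as ints, bit 15-j = column j.
    Block (br, bc) is M_i, i = (br+bc+shift) mod 4: the 4x4 identity with diagonal entry i cleared."""
    rows = []
    for br in range(4):
        for r in range(4):
            row = 0
            for bc in range(4):
                i = (br + bc + shift) % 4
                row = (row << 4) | ((1 << (3 - r)) if r != i else 0)
            rows.append(row)
    return rows

M_HAT = (m_hat(0), m_hat(1))

def apply(rows, x):
    """Matrix-vector product over F_2: output bit = parity(row & x), first row most significant."""
    y = 0
    for row in rows:
        y = (y << 1) | (bin(row & x).count("1") & 1)
    return y

def s_layer(x, box=SBOX, nibbles=16):
    """Parallel S-boxes on a word of `nibbles` nibbles (S with SBOX, S^-1 with SBOX_INV)."""
    return sum(box[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(nibbles))

def m_prime(x):
    """M' = diag(M_hat0, M_hat1, M_hat1, M_hat0) applied to a 64-bit state (an involution)."""
    y = 0
    for j, shift in enumerate((0, 1, 1, 0)):
        y = (y << 16) | apply(M_HAT[shift], (x >> (48 - 16 * j)) & 0xFFFF)
    return y

def shift_rows(x, inverse=False):
    """SR (or SR^-1): row `row` of the 4x4 nibble array (nibble 4*col+row) rotated by `row`."""
    nib = [(x >> (60 - 4 * i)) & 0xF for i in range(16)]
    step = -1 if inverse else 1
    out = [nib[4 * ((col + step * row) % 4) + row] for col in range(4) for row in range(4)]
    return sum(v << (60 - 4 * i) for i, v in enumerate(out))

def key_schedule(k0):
    """Eq. (1): k'_0 = (k_0 >>> 1) xor (k_0 >> (n-1)) with n = 64."""
    return (((k0 >> 1) | ((k0 & 1) << 63)) ^ (k0 >> 63)) & MASK64

def round_constants(alpha, first_half):
    """RC_1..RC_R given; Eq. (2), RC_{2R-r+1} = RC_r xor alpha, completes them (index 0 unused)."""
    R = len(first_half)
    rc = [0] * (2 * R + 1)
    for r, v in enumerate(first_half, 1):
        rc[r], rc[2 * R - r + 1] = v, v ^ alpha
    return rc

def round_fn(r, x, k1, rc):
    """Eq. (3) with M = SR o M'; because M' is an involution, M^-1 = M' o SR^-1."""
    R = (len(rc) - 1) // 2
    if r <= R - 1:
        return shift_rows(m_prime(s_layer(x ^ rc[r] ^ k1)))
    if r == R:
        return m_prime(s_layer(x ^ rc[r] ^ k1))
    if r == R + 1:
        return s_layer(x, SBOX_INV) ^ rc[r] ^ k1
    return s_layer(m_prime(shift_rows(x, inverse=True)), SBOX_INV) ^ rc[r] ^ k1

def encrypt(p, k_pre, k_post, k1, rc):
    """E^alpha_k for k = (k_pre || k_post || k1): FX whitening around the 2R-round core."""
    x = p ^ k_pre
    for r in range(1, len(rc)):
        x = round_fn(r, x, k1, rc)
    return x ^ k_post

def reflection_decrypt(c, k0, k1, alpha, rc):
    """Decrypt by encrypting under the related key (k'_0 || k_0 || k_1 xor alpha)."""
    return encrypt(c, key_schedule(k0), k0, k1 ^ alpha, rc)

def fixed_points(rows):
    """|F_M| of a 16-bit block by exhaustion; |F_{M'}| is the product over its four blocks."""
    return sum(apply(rows, x) == x for x in range(1 << 16))

@lru_cache(maxsize=None)
def reflection_counts(shift):
    """counts[beta] = #{x in F_2^16 : S^-1(M_hat(S(x))) xor x = beta} = 2^16 * P^(beta)_{M_hat}."""
    rows, counts = M_HAT[shift], [0] * (1 << 16)
    for x in range(1 << 16):
        counts[s_layer(apply(rows, s_layer(x, nibbles=4)), SBOX_INV, 4) ^ x] += 1
    return counts

def prob_i2(alpha):
    """P_{I_2}(alpha) by Eq. (4): product of the block probabilities over the four 16-bit chunks."""
    p = 1.0
    for j, shift in enumerate((0, 1, 1, 0)):
        p *= reflection_counts(shift)[(alpha >> (48 - 16 * j)) & 0xFFFF] / 2 ** 16
    return p

if __name__ == "__main__":
    alpha = 0xC0AC29B7C97C50DD                                   # original PRINCE alpha (Sect. 2.2)
    rc = round_constants(alpha, [0x0123456789ABCDEF ^ (r * 0x1111111111111111) for r in range(6)])
    k0, k1, p = 0x0F1E2D3C4B5A6978, 0x8796A5B4C3D2E1F0, 0x0011223344556677   # constructed values
    c = encrypt(p, k0, key_schedule(k0), k1, rc)
    print(reflection_decrypt(c, k0, k1, alpha, rc) == p)                      # True
    print(fixed_points(M_HAT[0]) ** 2 * fixed_points(M_HAT[1]) ** 2 == 2 ** 32)  # |F_{M'}|: True
    print(prob_i2(0) == 2.0 ** -32, prob_i2(alpha))                          # P_{I_2}(0) = P_{I_1}
```

Two checks in the script tie back to the text: `reflection_counts(shift)[0]` equals the number of fixed points of the block, because S is a bijection and β=0 means exactly that S(x) is fixed by \(\hat M\); hence `prob_i2(0)` reproduces \(\mathcal{P}_{\mathcal{I}_1}=2^{-32}\). Each 16-bit block of M′ has \(2^{8}\) fixed points, so the block-diagonal M′ has \(2^{32}\), the bound of Lemma 1 met with equality as the text states. The full distribution returned by `reflection_counts` is what one needs to search for values of α with large (or zero) \(\mathcal{P}_{\mathcal{I}_2}\).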

3.2 External Characteristic

When the probabilities \(\mathcal{P}_{\mathcal{I}_{1}}\) and \(\mathcal {P}_{\mathcal{I}_{2}}\) are large, it is useful to extend the characteristics \(\mathcal{I}_{1}\) and \(\mathcal {I}_{2}\) to more rounds. In what follows, we denote these characteristics by \(\mathcal{I}_{v}\), v=1,2. The structure of PRINCE-like ciphers is such that the first and the last external rounds are symmetrical. One of the main ideas in this paper is to use this specific property to extend the distinguishers \(\mathcal{I}_{v}\), which cover 2v middle rounds, to external rounds. This idea is illustrated in Fig. 3, which gives another view of the cipher. In this representation, the 2R-round cipher can be viewed as composed of two parallel copies of an (R−v)-round cipher connected together by 2v rounds. Then characteristics on 2u external rounds, 1≤u≤R−v, are built as ordinary related-key differential characteristics with an input data difference equal to α and a key difference or a round constant difference equal to α.

Fig. 3. A folded view of a PRINCE-like cipher: The external characteristic.

Characteristic \(\mathcal{C}_{u}\)

Suppose that the characteristic \(Y^{O}_{R+v}\oplus X^{I}_{R-v+1}=\alpha\) holds. The characteristic

$$Y^O_{R+u+v}\oplus X^I_{R-u-v+1} =\varDelta $$

on the 2u external rounds is denoted by \(\mathcal{C}_{u}\). It holds with probability

$$\mathcal{P}_{\mathcal{C}_u}=\operatorname{Pr}_{\mathbf{X}} \bigl[F^u_{0}(\mathbf{X})\oplus F^u_{\alpha}( \mathbf{X}\oplus\alpha)=\varDelta \bigr], $$

where \(F^{u}_{0}=\mathfrak{R}^{-1}_{R-v-u}\circ\cdots\circ\mathfrak {R}^{-1}_{R-v}\) and \(F^{u}_{\alpha}=\mathfrak{R}^{-1}_{R+v+u+1}\circ \cdots\circ\mathfrak{R}^{-1}_{R+v+1}\).

The probability of this characteristic can be computed using techniques similar to the ones used in classical differential cryptanalysis. In Sect. 5, two methods to compute the probability of such characteristics are described. For some reflection parameters α, an iterative characteristic on 4 rounds can be constructed by hand. For other values of α, an automatic search based on a Branch and Bound algorithm can be used for finding the best possible characteristics for different numbers of rounds.

In comparison with differential cryptanalysis, the characteristic \(\mathcal{C}_{u}\) potentially benefits from the related constant α. Similarly to related-key differential attacks, zero differences between states are possible. Then two parallel rounds, say \(\mathfrak{R}_{R-z+1}\) and \(\mathfrak{R}_{R+z}\), can for some characteristics be passed with probability equal to 1. This happens when the data difference is cancelled by the key or round constant difference. Examples of such situations will be given in Sect. 5. Even when the difference is non-zero, two rounds of the cipher can be passed at the cost of one non-linear layer, where the classical differential cryptanalysis on PRINCE-like ciphers must consider differential probabilities over two non-linear layers.

Distinguishers over several rounds of the cipher can then be built using a combination of the external characteristic \(\mathcal{C}_{u}\) with \(\mathcal{I}_{v}\), v=1,2. If \(\mathcal{P}_{\mathcal{I}_{v}}\times \mathcal{P}_{\mathcal{C}_{u}} > 2^{-n}\), then 2v+2u rounds of the cipher are distinguishable from random. In Sect. 5 we identify classes of parameters α such that up to 10 rounds of a PRINCE-like cipher can be distinguished from random.

4 Key Recovery

The characteristics constructed in the previous section can be used to build either a probabilistic or a deterministic distinguisher. The combination of \(\mathcal{I}_{v}\) and \(\mathcal{C}_{u}\) gives a probabilistic reflection distinguisher. Then the relation

$$\begin{aligned} Y^O_{R+i}\oplus X^I_{R-i+1}= \varDelta , \end{aligned}$$
(5)

for some i=u+v, holds with a positive probability p.

A deterministic distinguisher over 4 rounds exists for those values of α such that \(\mathcal{P}_{\mathcal{I}_{2}}=0\). Then we have an impossible reflection distinguisher such that the relation

$$\begin{aligned} Y^O_{R+2}\oplus X^I_{R-1} \neq\alpha, \end{aligned}$$
(6)

holds with probability 1.

In this section we describe how to convert these distinguishers on 2i rounds to a key-recovery attack on a cipher of 2R=2i+2 rounds.

4.1 Probabilistic Reflection Setting

Assuming a probabilistic distinguisher on 2i rounds of a PRINCE-like cipher as described in Sect. 3, a key-recovery attack can be derived by counting the number of plaintext-ciphertext pairs such that the difference between \(X^{I}_{2}\) and \(Y^{O}_{2i+1}\) is equal to Δ.

In what follows, we denote by \(2^m\) the data complexity of the attack. This value can be computed using Algorithm 1 of [6]. Given the false alarm probability \(p_{\mathrm{fa}}=2^{-a}\), the quantity a is called the advantage of the attack.

Key-Recovery Attack for 2R=2i+2 Rounds

Let us assume that a characteristic \(Y^{O}_{2i+1}\oplus X_{2}^{I} =\varDelta \) over the midmost 2i rounds holds with probability p, 0<p≤1. Without modification of the probability, this characteristic can be extended on both sides over the linear layer \(M^{-1}\) to obtain a characteristic \(Y_{2i+2}^{S}\oplus X_{1}^{S} =M^{-1}(\varDelta )=\varDelta ^{*}\) depicted in Fig. 4.

Fig. 4. Key-recovery principle when 2R=2i+2.

To find the values of \(X^{S}_{1}\) and \(Y^{S}_{2i+2}\) for all pairs (P,C), the whole key \((k_0\parallel k_1)\) needs to be guessed. The procedure makes use of the word-oriented structure of the non-linear layer. We assume that the S-layer is nibble-oriented like in the original PRINCE.

We present the n-bit state as n/4 nibbles and number them from 1 to n/4. The jth nibble of any n-bit word X is denoted by X(j). The complexity of the attack depends on the number of non-zero nibbles of \(\varDelta^*\). In what follows, we denote by \(w(\varDelta^*)\) the number of non-zero nibbles of the difference \(\varDelta^*\).

As depicted in Fig. 4, the following property holds for all 1≤j≤n/4:

$$\begin{aligned} \varDelta ^*(j) =& S\bigl(P(j) \oplus k_0(j) \oplus k_1(j) \oplus RC_1(j)\bigr) \\ &{}\oplus S\bigl(C(j) \oplus k'_0(j) \oplus k_1(j) \oplus RC_{2R}(j)\bigr). \end{aligned}$$

We denote the number of nibbles of \(\varDelta^*\) that are equal to zero by \(\ell=n/4-w(\varDelta^*)\), where \(w(\varDelta^*)\) is the number of non-zero nibbles of \(\varDelta^*\). The indices of these nibbles are stored in a list L. Hence \(|L|=\ell\). Then the property

$$\begin{aligned} P(j) \oplus k_0(j) \oplus C(j) \oplus k'_0(j) \oplus\alpha(j) = 0, \end{aligned}$$

holds for all j∈L, and can be used to reduce the time complexity of the attack. For these nibbles, the value of \(k_1(j)\) need not be guessed. Guessing \(k_{0} \oplus k'_{0}\) and computing \(P(j) \oplus k_{0}(j) \oplus C(j) \oplus k'_{0}(j)\) already allows us to discard a large number of (P,C) pairs.

Let us assume that the attacker has \(2^m\) plaintexts with corresponding ciphertexts. Then the attack proceeds as follows:

  1. For \(2^{4\ell}\) values of \(K_0\) such that \(K_{0}(j) = k_{0}(j)\oplus k'_{0}(j) \) holds for all j∈L:

     1.0 Take all \(2^m\) plaintext-ciphertext pairs.

     1.1 For all j∈L, among the remaining pairs discard the ones such that

       $$P(j)\oplus C(j) \oplus K_0(j) \oplus\alpha(j)\neq0. $$

     1.2 For \(2^{4w(\varDelta ^{*})}=2^{n-4\ell}\) values of \(K_1\) such that \(K_1(j)=k_0(j)\oplus k_1(j)\) holds for all j∉L, and for all \(2^{n-4\ell}\) completions of \(K_0\):

       1.2.1 For all j∉L, compute \(K'_{1}(j)=K_{0}(j)\oplus K_{1}(j)=k'_{0}(j)\oplus k_{1}(j)\) and, among the remaining pairs, discard the ones such that

         $$\begin{aligned} &S\bigl(P(j) \oplus K_1(j) \oplus RC_1(j)\bigr) \oplus S\bigl(C(j) \oplus K'_1(j) \oplus RC_{2R}(j)\bigr) \\ &\quad{}\neq \varDelta ^*(j). \end{aligned}$$

       1.2.2 Count the number of remaining pairs and store this number in a counter indexed by \((K_0\parallel K_1)\).

  2. Keep a list of \((K_0\parallel K_1)\) ordered according to the counter values with the highest value on top. Compute the corresponding keys \(k_0\) from \(K_0\) according to the key expansion. Also compute \(k_1(j)\) for j∉L.

  3. For the \(2^{2n-4\ell-a}\) top candidates of \(k_0\) on the list and the \(2^{4\ell}\) values of the remaining 4ℓ bits of \(k_1\), do an exhaustive search to find the whole key \((k_0\parallel k_1)\).

For each j in Step 1.1, only 4 bits out of the 4ℓ bits of the key \(K_0\) are involved. At the first iteration, we have to check the equality for \(2^m\) plaintexts, among which \(2^{m-4}\) pairs are expected to remain. After z iterations of the loop in Step 1.1, for each guess of the 4z−4 key bits from the previous steps, we should guess the 4 key bits of the current iteration, that is, a nibble of the key, and check the property for all remaining \(2^{m-4(z-1)}\) plaintext-ciphertext pairs. The time complexity of Step 1.1 is \(\sum_{z=1}^{\ell} 2^{m-4z+4} \cdot2^{4z} = \ell\cdot2^{m+4}\) simple operations.

Using the same arguments, Step 1.2 is iterated

$$2^{4\ell}\sum_{z=\ell+1}^{n/4} 2^{m-4z+4} \cdot 2^{8(z-\ell)}=2^{m-4\ell+4} \sum _{z=\ell+1}^{n/4} 2^{4z} \simeq 2^{m+n+4-4\ell} = 2^{m+4\omega+4} $$

times, where \(\omega=w(\varDelta^*)\). The total time complexity of Step 1 corresponds to \(2^{m+4\omega+4}\) double S-box evaluations, which is equivalent to \(\frac{2^{m+5+4\omega }}{(n/4) \cdot(2R)}= \frac{2^{m+6+4\omega}}{n\cdot R} \) full encryptions. Step 3 corresponds to \(2^{2n-a}\) full encryptions, where 1≤a≤2n−4ℓ. As Step 2 is negligible compared to Steps 1 and 3, the total complexity of the key-recovery attack on 2R rounds corresponds to

$$2^{2n-a}+\frac{1}{n R}\cdot2^{m+6+4w(\varDelta ^*)} $$

full encryptions. Note that when the advantage \(1\le a\le n+4w(\varDelta^*)\) is large, the second term dominates.

To perform the described attack, the storage of the \(2^m\) plaintext-ciphertext pairs is necessary, as well as the storage of all the \(2^{n+4w(\varDelta ^{*})}\) counters, one per guessed key. Nevertheless, the memory complexity can be reduced by keeping only the keys for which the number of remaining pairs is above some fixed bound.

Generic Attack on PRINCE-Like Ciphers

A PRINCE-like cipher is based on the generalized Even–Mansour or FX construction and does not provide the same security level as an ideal block cipher primitive with a 2n-bit master key [7, 15, 23]. Given \(2^m\) pairs of plaintexts and corresponding ciphertexts, the time complexity of the generic attack on a PRINCE-like cipher corresponds to \(2^{2n-m-2}\) encryptions, as explained recently by the designers of PRINCE, e.g. in [25]. It means that for the original PRINCE, the correct number for the data and time complexity of the generic attack is \(2^{126}\). Due to the existence of the generic attack, it is very hard to build an efficient key-recovery attack on 12 rounds of the cipher, even if for some α an efficient reflection distinguisher over 10 rounds could be found.

Therefore, to illustrate the effect of the non-randomness of the SPN primitive, we omit the pre- and post-whitening and consider a key-recovery attack on \(\mathrm{PRINCE}^{\alpha}_{\mathrm{core}}\). \(\mathrm{PRINCE}^{\alpha}_{\mathrm{core}}\) is parameterized with the n-bit key \(k_1\), and hence all attacks with data complexity and time complexity less than \(2^{n-1}\) can be considered better than any generic attack.

The key-recovery algorithm for this attack is similar to the previous one. If the number of active nibbles of \(\varDelta^*\) is small, a sieving process can be performed to discard all plaintext-ciphertext pairs such that \(P(j)\oplus C(j)\oplus\alpha(j)\neq 0\) for all \(j\in L\). Using the previous notation and setting \(K_0=0\), \(K_{1}=K'_{1}=k_{1}\), only about \(2^{m-4}\) plaintext-ciphertext pairs will help us to determine \(2^{4w(\varDelta ^{*})}\) bits of \(k_1\). Then, as described in Step 1.2, we should guess, nibble by nibble for all \(j\notin L\), the value of \(k_1(j)\) and discard the pairs such that

$$S \bigl(P(j) \oplus k_1(j) \oplus RC_1(j) \bigr) \oplus S \bigl(C(j) \oplus k_1(j) \oplus RC_{2R}(j) \bigr) \neq \varDelta ^*(j). $$

These checks take

$$2\cdot\sum_{z=\ell+1}^{n/4} 2^{m-4z+4} \cdot2^{4z-4\ell-4} \cdot 2^{4}=w\cdot 2^{m-4\ell+5}. $$

Sbox evaluations and \(2^{n-a}\) full encryptions over 2R=2i+2 rounds of \(\mathrm{PRINCE}^{\alpha}_{\mathrm {core}}\). The time complexity of this attack corresponds to

$$\frac{1}{nR}\cdot2^{m+6-n+4w(\varDelta ^*)}+2^{n-a} $$

full encryptions, where the advantage a can be up to \(4w(\varDelta^*)\). The first term is negligible when the number of non-zero nibbles of \(\varDelta^*\) is small. So the overall complexity of this attack is dominated by the sieving process, consisting of the preparation and evaluation of the \(2^m\) known plaintexts.

4.2 Impossible Reflection Setting

In this attack we make use of \(\mathcal{I}_{2}\) and assume that the parameter α is such that \(\mathcal{I}_{2}\) holds with probability equal to zero. Then a deterministic reflection distinguisher with probability equal to one can be built. A guessed key can be discarded if it gives a data pair such that the difference is equal to α. As the full code book (or almost) is necessary for this attack, we describe the attack on 2R=2i+2 rounds for the family of PRINCE-like ciphers without whitening keys. Like some generic attacks [12, 13] on the Even–Mansour construction, our key-recovery attack takes advantage of the fact that the first and last keys are identical.

Key Recovery for 6 Rounds of \(\mathrm{PRINCE}^{\alpha}_{\mathrm{core}}\)

In the case of \(\mathcal{I}_{2}\) we have i=2, but the attack works for any i, if an impossible characteristic over 2i rounds can be built. To reduce the time complexity, we pre-compute certain values from the states of the second round and the second to last round of the cipher. We denote by P′ and C′ the plaintext and ciphertext of the cipher without whitening keys. For all \(0\le b\le 2^{n}-1\), we denote by \((V_b, W_b)\) the following values:

$$ \begin{aligned} V_b&= S^{-1}(b)\oplus RC_1, \\ W_b&=S^{-1} \bigl(b \oplus M^{-1}(\alpha) \bigr) \oplus RC_{2R}. \end{aligned} $$
(7)

Then, as depicted in Fig. 4, for each pair (P′,C′) and the unknown key \(k_1\) there exist \(V_b\) and \(W_b\) such that the following equations hold:

$$\begin{aligned} P'\oplus V_b =& k_1, \\ P' \oplus C' =& V_b\oplus W_b. \end{aligned}$$

Store the value \(V_b\) in a hash table T of \(2^{64}\) rows indexed by \(V_b\oplus W_b\). On average, each row of T contains only one \(V_b\). Assuming that we have \(2^m\) known pairs (P′,C′), the goal is to find, for as many key candidates \(k_1\) as possible, a pair (P′,C′) such that \((P'\oplus k_1, C'\oplus k_1)\) is equal to some pair \((V_b, W_b)\). Then we can conclude that the key \(k_1\) is a wrong key and discard it. After the pre-computation, the attack works as follows.

Attack Procedure

  1.

    Consider a list of all keys \(k_1\).

  2.

    For each of the \(2^m\) pairs (P′,C′):

    • Compute Λ=P′⊕C′.

    • For all \(V_b\) in the row Λ of the hash table T, compute the value \(k_1=P'\oplus V_b\) and discard it from the list.

  3.

    If a key \(k_1\) is still in the list, consider it as a key candidate.

By using 2m known plaintexts and by considering the collisions, the number of remaining wrong keys k 1 is about \(2^{n}(1-2^{-n})^{2^{m}}=2^{n}(1-2^{-n})^{2^{n} 2^{m-n}}\approx 2^{n}e^{-2^{m-n}}=2^{n-1.44 \times2^{m-n}}\). The remaining keys are then searched exhaustively.

The impossible characteristic \(\mathcal{I}_{2}\) holds for the involution matrix M′, the non-linear layer S and the reflection parameter value α specified for the original PRINCE. In Sect. 5.3, we show that this attack can be applied for many more values of α.

5 Various Classes of α-Reflection

In [7], the security of PRINCE and the effects of the α-reflection were studied extensively. In particular, it was shown that the cipher is secure against known attacks with reasonable security margin. For instance, it was shown that any differential or linear characteristic over 4 consecutive rounds has at least 16 active Sboxes. This holds independently of the selection of the non-zero parameter α.

In this section, we focus on a sub-family of PRINCE-like ciphers using the same S-layer and the same linear layers M and M′ as in the original PRINCE. Definitions of these components, as given in [7], are recalled in Sect. 2.2. In this section, we compute the probabilities of the distinguishers proposed in Sect. 3 and their combinations for various classes of values of α, and determine the maximum number of rounds which can be attacked.

As presented in Sect. 3.2, characteristics on the external rounds can be seen as a differential characteristic with input difference α and related constant difference α, see Fig. 3. As \(\mathrm{PRINCE}^{\alpha}\) is a 64-bit cipher with 12 rounds, only 3 or 4 external rounds must be considered, and therefore the computation of the best characteristics for a fixed α is possible by a Branch and Bound algorithm. Finding the weakest α for such a characteristic nevertheless remains a challenging task. When aiming at a combination with \(\mathcal{I}_{2}\), focusing on the best α for \(\mathcal{I}_{2}\) gives a good starting point; since \(\mathcal{I}_{1}\), on the other hand, is independent of α, a more complex analysis must be done to find the values of α for which an attack on the full 12 rounds of \(\mathrm{PRINCE}^{\alpha}_{\mathrm{core}}\) is possible.

5.1 Maximizing \(\mathcal{P}_{\mathcal{C}_{u}}\) for Combination of \({\mathcal{C}_{u}}\) with \(\mathcal{I}_{1}\)

We describe here the method we use to derive the α for which 12 rounds of the cipher can be attacked using a combination of \(\mathcal {I}_{1}\) and \(\mathcal{C}_{4}\). As we have seen in Sect. 4, a key-recovery attack on 12 rounds can be derived using a distinguisher on 10 rounds. Hence we are interested in finding values of α which maximize \(\mathcal{P}_{\mathcal{C}_{4}}\). In this section, two methods to maximize \(\mathcal{P}_{\mathcal{C}_{u}}\) are described. The first one, inspired by the cancellation property, can be performed for particular α only. For the other values of α, we describe a more systematic method based on a Branch and Bound algorithm.

Cancellation Property

In classical differential and linear cryptanalysis, the idea of iterative characteristics has been used in the past to derive good characteristics by hand. In some settings, for instance when some components are not balanced or when considering related-key characteristics, a cancellation within the differential characteristic allows extending a characteristic deterministically to more rounds. For some α, we observe in the case of \(\mathrm{PRINCE}^{\alpha}\) that a cancellation of the differential characteristic is possible over two “symmetric” rounds whose input difference is the reflection parameter α. In the following, we describe this characteristic model for the family of PRINCE-like ciphers. An illustration of this particular type of characteristic is given in Fig. 5.

Fig. 5. Iterative characteristic.

Suppose that the characteristic \(Y^{O}_{R+i+1}\oplus X^{I}_{R-i}=\alpha\) holds. Then with probability

$$\operatorname{Pr}_{\mathbf{X}} \bigl[S(\mathbf{X}) \oplus S(\mathbf{X} \oplus \alpha)=M^{-1}(\alpha) \bigr] $$

a cancellation of the difference occurs and we have \(Y^{O}_{R+i+2}\oplus X^{I}_{R-i-1}=0\). So the next folded round can be passed with probability one, and finally, based on the round constant property, we have \(Y^{O}_{R+i+3}\oplus X^{I}_{R-i-2}=\alpha\). This characteristic can be applied iteratively. Such characteristics are easily found, even by hand: we just look for α such that α and \(M^{-1}(\alpha)\) are non-zero on exactly the same nibble positions. Such a cancellation property occurs for some particular values of α. In Fig. 6, we provide an illustration of this phenomenon for α=8400400800000000.

Fig. 6. Example of α for which we can derive an iterative characteristic.

For the α in Table 2 with w(α)=4, the cancellation property leads to an attack on 12 rounds of \(\mathrm{PRINCE}^{\alpha}_{\mathrm{core}}\). The probability of the characteristic has been computed from the difference distribution table of the Sbox, see Table 3. In Table 2, complexity estimates have been computed under the assumption that the right key maximizes the number of remaining pairs in Step 4 of the key-recovery attack, meaning that the advantage is \(a=4w(\varDelta^*)\) for \(\mathrm{PRINCE}^{\alpha}_{\mathrm{core}}\) and \(a=64+4w(\varDelta^*)\) for \(\mathrm{PRINCE}^{\alpha}\). The success probability is taken equal to 95 %. The data complexity is derived using Algorithm 1 of [6] and the time complexity is derived as for the key-recovery attack presented in Sect. 4.1.

Table 2. The weakest α with attack on 12 rounds using \(C_{4}\circ\mathcal{I}_{1}\) and the iterative characteristic based on the cancellation idea.
Table 3. Differential probabilities of the inverse Sbox for single-bit input and output differences.

No α with fewer than 4 active nibbles or with w(α)=5 can satisfy the cancellation property. Nevertheless, some α with 6 active nibbles have characteristics which cancel the difference after two rounds. As for these α, \(Y^{O}_{R+3}\oplus X^{I}_{R-2} =\alpha\) with probability \(\mathcal{P}_{\mathcal{C}_{2}}\leq2^{-16}\), the iterative characteristic \(\mathcal{C}_{u}\) can be applied only once, and a distinguisher on 6 rounds with probability p, where \(2^{-49}\le p\le 2^{-48}\), leads to a key-recovery attack on 8 rounds.

Automatic Search

As the number of rounds of the folded cipher is small, the existence of an iterative characteristic is, for many α, hard to determine. A Branch and Bound algorithm can then be used to search for the best reflection characteristics for a fixed α. Nevertheless, this method does not allow searching for the best α directly. Therefore, we must guess the potentially best α to reduce the search space.

We start by analyzing the properties of the Sbox and the linear layer M of PRINCE in order to identify those values of α for which the number of active Sboxes at each round is minimal and the differential probabilities of the Sboxes are maximal. To this aim, we first express some properties of the matrices \(\hat{M}_{0}\) and \(\hat{M}_{1}\).

To maximize \(\mathcal{P}_{\mathcal{C}_{u}}\), we want to minimize the weight of \(\alpha=(\alpha_0,\alpha_1,\alpha_2,\alpha_3)\) and of \(M^{-1}(\alpha)\). Since \(\hat{M}_{\epsilon}\), ϵ=0,1, have branch number 4, \(w(\beta)+ w(\hat{M}_{\epsilon}(\beta))\geq4\), and only 61 out of the total of \(2^{16}\) values β are such that \(w(\beta)+ w(\hat{M}_{\epsilon}(\beta))=4\) for both ϵ=1 and ϵ=2. Among these 61 values, 57 are such that \(\beta=(a_1,a_2,a_3,a_4)\), where \(a_i\) is a 4-bit value, \(a_{i}\in\{ \tt0,1,2,4,8\}\), i=1,2,3,4. Differential probabilities of the inverse Sbox for single-bit differences are given in Table 3. Based on this table and on experiments, we assume that α with some nibbles equal to 2 is not likely to maximize \(\mathcal{P}_{\mathcal{C}_{4}}\). To find the best distinguisher on 10 rounds, we reduce the search space of α using the following procedure:

  1.

    For \(\alpha=(a_1,a_2,\ldots,a_{15},a_{16})\), where \(a_{i}\in\{\tt 0,1,4,8\}\) (\(2^{32}\) values).

  2.

    Select the ones such that there exists a characteristic \(\mathcal{C}_{2}\) with \(\mathcal{P}_{\mathcal{C}_{2}}\geq 2^{-12}\) (there are more than 300 values of α of this sort).

  3.

    Among the remaining ones, check if there is a characteristic \(\mathcal{C}_{4}\) with \(\mathcal{P}_{\mathcal{C}_{4}}\geq2^{-28}\).

Using this method, the best derived α are the ones of Table 2, with iterative characteristics.

In Table 4, we give other examples of α derived from this automatic search which allow an attack on 12 rounds. While the list is not exhaustive, this table illustrates that α with larger weight can also lead to an attack on 12 rounds. We notice that different characteristics for the same α can be derived. Table 4 presents one of the best characteristics for 4 examples of α, with different probabilities and different time complexities.

Table 4. Example of α with attack on 12 rounds using \(C_{4}\circ\mathcal{I}_{1}\).

While the list of α with a key-recovery attack on 12 rounds is already quite large, the number of α such that attacks on 6, 8, or 10 rounds are possible is even larger. Search for α of this sort can be done by adjusting the constraints of the Branch and Bound algorithm.

5.2 Maximizing \(\mathcal{P}_{\mathcal{I}_{2}}\) for Combination with \(\mathcal{C}_{u}\)

Finding the values of α which maximize \(\mathcal{P}_{\mathcal{I}_{2}}\) can be done exhaustively by decomposing over the matrices \(\hat{M}_{\epsilon}\), ϵ=0,1, see Sect. 3.1. Computation for the \(2^{16}\) values of β gives us the list of best α with respect to this characteristic. In what follows, we focus on β≠0 such that \(2^{-12}\leq \mathcal{P}_{\hat{M}_{\epsilon}}^{(\beta)}\leq 2^{-10.54}\). As \(\mathcal{P}_{\hat{M}_{\epsilon}}^{0}\leq2^{-8}\), computation for \(\hat{M}_{0}\) and \(\hat{M}_{1}\) gives us respectively 63 and 73 16-bit values, and we obtain a list of \(63^2\times 73^2\approx 2^{24.33}\) values of α for which \(2^{-48}\leq \mathcal{P}_{\mathcal{C}_{2}}\leq2^{-34.54}\). Two values of α reach this upper bound: α=0000111100000000 and α=0000000011110000.

The values α which maximize \(\mathcal{I}_{2}\) and for which 10 rounds of a PRINCE-like cipher can be distinguished from random also allow a combination of \(\mathcal{C}_{4}\) and \(\mathcal{I}_{1}\). For instance, for α=0000408000008040 given in Table 2, we have a characteristic with \(\mathcal{P}_{\mathcal{C}_{3}}=2^{-19}\) and \(\mathcal{P}_{\mathcal {I}_{2}}=2^{-40}\), while using \(\mathcal{C}_{4}\) and \(\mathcal{I}_{1}\) the best characteristic has probability \(2^{-54}\). None of these characteristics gives better cryptanalysis results than the ones given in Table 2. While for the attacks on 12 rounds all values of α are such that w(α)≥4, we can find α of smaller nibble weight which allow a key-recovery attack on a 10-round cipher using a combination of \(\mathcal{C}_{2}\) and \(\mathcal{I}_{2}\), as illustrated in Table 5.

Table 5. Example of α with attack on 10 rounds and w(α)=2 using \(C_{2}\circ\mathcal{I}_{2}\), computed for \(P_S=95\,\%\) and a=16.

For all the α presented in this section, other characteristics can also be derived. Complexities of our attacks are based on the best found characteristic.

5.3 Impossible Attack

If \(\mathcal{P}_{\mathcal{I}_{2}}=0\), a deterministic distinguisher on 4 rounds of the cipher can be built. It leads to the key-recovery attack described in Sect. 4.2 on a 6-round cipher without whitening keys. The time complexity of this attack corresponds to \(2^{62.56}\) encryptions, and a storage of \(2^{67}\) bytes for the hash table is needed. This attack is efficient, in particular, for α=C0AC29B7C97C50DD of PRINCE. But we can find many more values of α with \(\mathcal{P}_{\mathcal{I}_{2}}=0\).

As specified by (4), the computation of \(\mathcal{P}_{\mathcal{C}_{2}}\) can be decomposed over \(\hat{M}_{0}\) and \(\hat{M}_{1}\). For \(\hat{M_{0}}\), the number of \(\beta\in\mathbb{F}_{2}^{16}\) for which \(\mathcal{P}^{(\beta)}_{\hat{M_{0}}}=0\) is 5940. For \(\hat{M_{1}}\), the number of β for which \(\mathcal {P}^{(\beta)}_{\hat{M_{1}}}=0\) is 6914. In total, we deduce that the impossible distinguisher is valid for approximately \(2\cdot 2^{12.54}\times 2^{48}+2\cdot 2^{12.76}\times 2^{48}=2^{62.65}\) values of α.

Using the fact that \(\hat{M}_{0}\) and \(\hat{M}_{1}\) have no fixed points of weight 1, we conclude that \(\mathcal{P}_{\mathcal{I}_{2}}=0\), for all α with only 1 or 3 non-zero nibbles. Also a large number of α with 2, 4 and 5 non-zero nibbles allow this impossible distinguisher. We also found that for some α with 4 active nibbles we have an attack on 12 rounds, while for some other α the best attack we found is on 6 rounds only. Hence the weight of α alone does not prove anything about the security or insecurity against the reflection attacks discussed in this paper.

6 Other Types of Attacks and Related Work

Due to its innovative structure, PRINCE has received a lot of attention from the cryptographic community as soon as it was released. In parallel works [1, 20], the authors studied many types of attacks on PRINCE with its original parameter value α including biclique attacks [1] and different time-memory trade-offs [20]. These attacks are not better than the generic attacks as pointed out in [25]. Recently, using an advanced meet-in-the-middle technique, the authors of [10] have provided an attack on PRINCE reduced to 8 rounds with large time complexity requiring only one plaintext-ciphertext pair.

The integral distinguisher on the 4 middle rounds of PRINCE built in [20] allows recovering the key of a 6-round reduced version of PRINCE and thus improves on our attack presented in Sect. 5.3, which is efficient only on \(\mathrm{PRINCE}_{\mathrm{core}}\).

Next, in Sect. 6.1, we take a detailed look at an attack based on a truncated characteristic proposed in [1]. Then we describe another attack of ours based on a similar truncated characteristic in Sect. 6.2.

In Sect. 6.3, we discuss related-key key-recovery attacks on \(\mathrm{PRINCE}^{\alpha}_{\mathrm{core}}\). Since there is a trivial related-key distinguisher with probability one, the designers of PRINCE do not claim resistance against related-key attacks. On the other hand, the trivial distinguisher cannot be used for key recovery. Hence related-key attacks on PRINCE-like ciphers that can be used for key recovery are of interest. Moreover, the related-key attack presented in Sect. 6.3 can be turned to an efficient single-key attack assuming access to both encryption and decryption oracles.

6.1 Truncated Attack for Original α

The work reported in [1] also includes an attack for the original α, which has been built upon reflection ideas similar to those of our attacks. But their distinguisher is a probabilistic one, while we considered only the impossible characteristic \(\mathcal{I}_{2}\), which in the case of the original α is impossible as α is not among the fixed points of M′. To bypass this situation, they construct a truncated characteristic, see Sect. 3.2 of [1]. This characteristic is depicted in Fig. 7 using our notation.

Fig. 7. The truncated characteristic of Sect. 3 of [1].

As α′ can take \(2^{16}\) values, the probability that \(X_{2}^{S}\oplus Y_{5}^{S}\) is equal to one of these α′ is \(2^{-48}\). Using \(2^{56.08}\) plaintext-ciphertext pairs, the key \(k_1\) of a 6-round version of \(\mathrm{PRINCE}^{\alpha}_{\mathrm{core}}\) is derived using a key-recovery technique similar to that of Sect. 4. This probabilistic distinguisher allows a more powerful attack, in terms of complexity, on a 6-round reduced version of \(\mathrm{PRINCE}^{\alpha}_{\mathrm{core}}\) than the one described in Sect. 5.3.

In the next section, we present a different attack based on another, similar truncated characteristic, which allows recovering the full key of an 8-round reduced version of \(\mathrm{PRINCE}^{\alpha}\). The attack is efficient for \(2^{18}\) values of α, which do not include the original one.

6.2 Stronger Truncated Attack for Some Other α

When the linear layer is defined as in the original proposal, using the ShiftRows operation SR of the AES, truncated reflection distinguishers can be derived for α such that \(M^{-1}(\alpha)\) has a small number of active nibbles.

Lemma 2

Assume α is such that M −1(α)= , where \(\mathtt{*}\) can be any 4-bit value. Then the following truncated characteristic

$$\begin{aligned} Y_{R+3}^O\oplus X_{R-2}^I = \left [ \begin{array}{c@{\quad}c@{\quad}c@{\quad}c} {\mathtt{*}}&\mathtt{0}&\mathtt{0}&\mathtt{0}\\ \mathtt{*}&\mathtt{0}&\mathtt{0}&\mathtt{*}\\ \mathtt{*}&\mathtt{0}&\mathtt{*}&\mathtt{0}\\ \mathtt{*}&\mathtt{*}&\mathtt{0}&\mathtt{0}\\ \end{array} \right ] \oplus\alpha, \end{aligned}$$
(8)

holds on 6 rounds \(\mathfrak{R}_{R-2}\circ\cdots\circ\mathfrak {R}_{R+3}\) of the cipher with probability  \(\mathcal{P}_{F_{M'}}= 2^{-32}\). Similar characteristics can be obtained for α such that:

$$\begin{aligned} &M^{-1}(\alpha)=\left [ \begin{array}{c@{\quad}c@{\quad}c@{\quad}c} {\mathtt{0}}&\mathtt{*}&\mathtt{0}&\mathtt{0}\\ \mathtt{*}&\mathtt{0}&\mathtt{0}&\mathtt{0}\\ \mathtt{0}&\mathtt{0}&\mathtt{0}&\mathtt{*}\\ \mathtt{0}&\mathtt{0}&\mathtt{*}&\mathtt{0}\\ \end{array} \right ] \quad\textrm{or}\quad M^{-1}(\alpha)= \left [ \begin{array}{c@{\quad}c@{\quad}c@{\quad}c} {\mathtt{0}}&\mathtt{0}&\mathtt{*}&\mathtt{0}\\ \mathtt{0}&\mathtt{*}&\mathtt{0}&\mathtt{0}\\ \mathtt{*}&\mathtt{0}&\mathtt{0}&\mathtt{0}\\ \mathtt{0}&\mathtt{0}&\mathtt{0}&\mathtt{*}\\ \end{array} \right ] \quad\textrm{or} \\ &M^{-1}(\alpha)= \left [ \begin{array}{c@{\quad}c@{\quad}c@{\quad}c} {\mathtt{0}}&\mathtt{0}&\mathtt{0}&\mathtt{*}\\ \mathtt{0}&\mathtt{0}&\mathtt{*}&\mathtt{0}\\ \mathtt{0}&\mathtt{*}&\mathtt{0}&\mathtt{0}\\ \mathtt{*}&\mathtt{0}&\mathtt{0}&\mathtt{0}\\ \end{array} \right ] . \end{aligned}$$

Proof

The four types of truncated characteristics given in Lemma 2 differ only by the position of the completely undetermined column of the difference. We present here the proof for the first column. Proofs for the other types are similar.

As described by the characteristic \(\mathcal{I}_{1}\), the probability that \(X_{R}^{I} \oplus Y_{R+1}^{O} = \alpha\) is equal to \(P_{F_{M'}}\) (\(=2^{-32}\) for \(\mathrm{PRINCE}^{\alpha}\)). For the previous and the next round, we have

$$Y_{R+2}^O \oplus X_{R-1}^I = S^{-1} \bigl(M^{-1}(\alpha) \bigr) \oplus\alpha= \left [ \begin{array}{c@{\quad}c@{\quad}c@{\quad}c} {\mathtt{*}}&\mathtt{0}&\mathtt{0}&\mathtt{0}\\ \mathtt{0}&\mathtt{0}&\mathtt{0}&\mathtt{*}\\ \mathtt{0}&\mathtt{0}&\mathtt{*}&\mathtt{0}\\ \mathtt{0}&\mathtt{*}&\mathtt{0}&\mathtt{0}\\ \end{array} \right ] \oplus \alpha. $$

Since \(M^{-1}=M'\circ SR^{-1}\) is linear and

$$M^{-1} \left (\left [ \begin{array}{c@{\quad}c@{\quad}c@{\quad}c} {\mathtt{*}}&\mathtt{0}&\mathtt{0}&\mathtt{0}\\ \mathtt{0}&\mathtt{0}&\mathtt{0}&\mathtt{*}\\ \mathtt{0}&\mathtt{0}&\mathtt{*}&\mathtt{0}\\ \mathtt{0}&\mathtt{*}&\mathtt{0}&\mathtt{0}\\ \end{array} \right ] \right )=\left [ \begin{array}{c@{\quad}c@{\quad}c@{\quad}c} {\mathtt{*}}&\mathtt{0}&\mathtt{0}&\mathtt{0}\\ \mathtt{*}&\mathtt{0}&\mathtt{0}&\mathtt{0}\\ \mathtt{*}&\mathtt{0}&\mathtt{0}&\mathtt{0}\\ \mathtt{*}&\mathtt{0}&\mathtt{0}&\mathtt{0}\\ \end{array} \right ], $$

we have

$$Y_{R+3}^O \oplus X_{R-2}^I = S^{-1} \left(M^{-1}(\alpha) \oplus \left [ \begin{array}{c@{\quad}c@{\quad}c@{\quad}c} {\mathtt{*}}&\mathtt{0}&\mathtt{0}&\mathtt{0}\\ \mathtt{*}&\mathtt{0}&\mathtt{0}&\mathtt{0}\\ \mathtt{*}&\mathtt{0}&\mathtt{0}&\mathtt{0}\\ \mathtt{*}&\mathtt{0}&\mathtt{0}&\mathtt{0}\\ \end{array} \right ] \right) \oplus \alpha= \left [ \begin{array}{c@{\quad}c@{\quad}c@{\quad}c} {\mathtt{*}}&\mathtt{0}&\mathtt{0}&\mathtt{0}\\ \mathtt{*}&\mathtt{0}&\mathtt{0}&\mathtt{*}\\ \mathtt{*}&\mathtt{0}&\mathtt{*}&\mathtt{0}\\ \mathtt{*}&\mathtt{*}&\mathtt{0}&\mathtt{0}\\ \end{array} \right ] \oplus\alpha. $$

 □

In all four cases of the characteristic, nine nibbles of the data difference are equal to those of α. Hence the uniform probability of such a truncated characteristic is \(2^{-36}\), while the proposed characteristic has probability \(P_{F_{M'}}=2^{-32}\).

By the previous lemma, such truncated characteristics exist for \(4\times(2^{16}-1)\approx 2^{18}\) values of α. While the distinguishers of Sect. 5.1 and Sect. 5.2 focused on α with a small number of active nibbles, this distinguisher targets α for which \(M^{-1}(\alpha)\) has a small number of active nibbles, while α itself can have any number of non-zero nibbles. As an example, we give

$$\alpha= \left [ \begin{array}{c@{\quad}c@{\quad}c@{\quad}c} {\mathtt{7}}&\mathtt{1}&\mathtt{C}&\mathtt{B}\\ \mathtt{9}&\mathtt{5}&\mathtt{9}&\mathtt{3}\\ \mathtt{9}&\mathtt{A}&\mathtt{5}&\mathtt{9}\\ \mathtt{3}&\mathtt{6}&\mathtt{8}&\mathtt{D}\\ \end{array} \right ], \qquad M^{-1}(\alpha)= \left [ \begin{array}{c@{\quad}c@{\quad}c@{\quad}c} {\mathtt{7}}&{\mathtt{0}}&{\mathtt{0}}&{\mathtt{0}}\\ {\mathtt{0}}&{\mathtt{0}}&{\mathtt{0}}&\mathtt{B}\\ {\mathtt{0}}&{\mathtt{0}}&\mathtt{D}&{\mathtt{0}}\\ {\mathtt{0}}&\mathtt{9}&{\mathtt{0}}&{\mathtt{0}}\\ \end{array} \right ] . $$

This truncated distinguisher enables a key-recovery attack on a cipher without whitening keys reduced to eight rounds, in the same way as the key-recovery attack described in Sect. 4.2. In the following, we describe the key-recovery attack for this truncated characteristic.
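The two conditions on α used in this paper, the cancellation property of Sect. 5.1 (α and \(M^{-1}(\alpha)\) non-zero on the same nibble positions) and the Lemma 2 shape of \(M^{-1}(\alpha)\), can be checked mechanically for a candidate reflection parameter. The Python below is an added example (not code from the paper or from the PRINCE designers) that models the PRINCE linear layer \(M = SR\circ M'\) at nibble level from the matrices \(M_0,\ldots,M_3\), \(\hat{M}_0\), \(\hat{M}_1\) and the SR permutation of [7]. It assumes that the hex digits of α are nibbles 0 to 15 from left to right and that nibble i sits at column i // 4, row i % 4 of the 4×4 state; under these assumptions it reproduces both the Fig. 6 value 8400400800000000 and the \(M^{-1}(\alpha)\) of the example just given, whose hex rendering 799315A6C958B39D (the matrix flattened column by column) is constructed here.

```python
from functools import reduce
from operator import xor

# M_k (k = 0..3) of the PRINCE spec [7] is the 4x4 identity with bit k cleared;
# bit 0 is the most significant bit of a nibble, so M_0 clears the value 8.
def _m_block(k, x):
    return x & ~(8 >> k) & 0xF

def m_hat(eps, quad):
    """M^_eps on four nibbles: block (i, j) of M^_eps is M_{(i+j+eps) mod 4}."""
    return [reduce(xor, (_m_block((i + j + eps) % 4, quad[j]) for j in range(4)))
            for i in range(4)]

def m_prime(nibbles):
    """M' = diag(M^_0, M^_1, M^_1, M^_0) on 16 nibbles; an involution."""
    out = []
    for g, eps in enumerate((0, 1, 1, 0)):
        out += m_hat(eps, nibbles[4 * g:4 * g + 4])
    return out

# SR as a nibble permutation: output nibble i is input nibble SR[i].
SR = [0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6, 11]

def shift_rows(nibbles):
    return [nibbles[SR[i]] for i in range(16)]

def shift_rows_inv(nibbles):
    out = [0] * 16
    for i in range(16):
        out[SR[i]] = nibbles[i]
    return out

def to_nibbles(x):
    """64-bit int -> 16 nibbles, leftmost hex digit first, as alpha is written
    in the text; nibble i sits at column i // 4, row i % 4 of the 4x4 state
    (assumption, checked against the Sect. 6.2 example in __main__)."""
    return [(x >> (60 - 4 * i)) & 0xF for i in range(16)]

def from_nibbles(nibbles):
    return reduce(lambda acc, d: (acc << 4) | d, nibbles, 0)

def m_forward(x):
    """M = SR o M'."""
    return from_nibbles(shift_rows(m_prime(to_nibbles(x))))

def m_inverse(x):
    """M^{-1} = M' o SR^{-1}, as used in Sect. 6.2."""
    return from_nibbles(m_prime(shift_rows_inv(to_nibbles(x))))

def support(x):
    """Positions of the non-zero nibbles of x; len(support(x)) is w(x)."""
    return {i for i, d in enumerate(to_nibbles(x)) if d}

def has_cancellation_property(alpha):
    """Sect. 5.1 criterion: alpha and M^{-1}(alpha) are non-zero on exactly
    the same nibble positions, so the iterative characteristic applies."""
    return alpha != 0 and support(alpha) == support(m_inverse(alpha))

# The four Lemma 2 shapes of M^{-1}(alpha): nibble positions of the '*'
# entries, read column by column.
LEMMA2_PATTERNS = [
    {0, 7, 10, 13},   # [*000; 000*; 00*0; 0*00]
    {1, 4, 11, 14},   # [0*00; *000; 000*; 00*0]
    {2, 5, 8, 15},    # [00*0; 0*00; *000; 000*]
    {3, 6, 9, 12},    # [000*; 00*0; 0*00; *000]
]

def lemma2_pattern(alpha):
    """Index of the Lemma 2 shape that M^{-1}(alpha) fits (support inside the
    four '*' positions), or None if the truncated characteristic does not apply."""
    s = support(m_inverse(alpha))
    for idx, pattern in enumerate(LEMMA2_PATTERNS):
        if s and s <= pattern:
            return idx
    return None

def weight_one_fixed_points(eps):
    """Fixed points of M^_eps with a single non-zero nibble; Sect. 5.3 relies
    on there being none."""
    found = []
    for pos in range(4):
        for val in range(1, 16):
            beta = [val if i == pos else 0 for i in range(4)]
            if m_hat(eps, beta) == beta:
                found.append(beta)
    return found

if __name__ == "__main__":
    fig6_alpha = 0x8400400800000000          # value from Fig. 6
    print(hex(m_inverse(fig6_alpha)), has_cancellation_property(fig6_alpha))
    # The Sect. 6.2 example alpha, its 4x4 matrix flattened column by column
    # (constructed hex rendering of the matrix in the text).
    sect62_alpha = 0x799315A6C958B39D
    print(hex(m_inverse(sect62_alpha)), lemma2_pattern(sect62_alpha))
```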

Key-Recovery Attack on \(\mathrm{PRINCE}^{\alpha}_{\mathrm{core}}\)

For simplicity, we restrict ourselves to the characteristic given by (8). As this characteristic is completely undetermined in the first column, and will stay completely undetermined in the same column after application of the inverse of ShiftRows, it is sufficient to focus on the 12 nibbles corresponding to the three rightmost columns of the matrix of (8). For a state Z, we denote the truncation of the state to the last three columns by \(Z_t\). Let (P′,C′) be a plaintext-ciphertext pair of \(\mathrm{PRINCE}^{\alpha}_{\mathrm {core}}\). The distinguisher involves only the partial encryption of the 48 bits \(P'_{t}\) of the plaintext and the partial decryption of the 48 bits \(C'_{t}\) of the ciphertext with the key \(k_1\). It means that only up to 48 bits of \(k_1\) can be obtained in a way similar to the attack of Sect. 4 (1≤a≤48). An exhaustive search on the remaining bits is then necessary to recover the full key.

The attack procedure is as follows:

Pre-computation

  • For each of the \(2^{48}\times 2^{12}=2^{60}\) pairs \((a, b)\in (\mathbb{F}_{2}^{48}\times\mathbb{F}_{2}^{48})\) such that \(a\oplus b\) is equal to the truncated state of the three rightmost columns in (8), compute the pair \((\nu_{a}, \omega_{b})\in(\mathbb{F}_{2}^{48}\times\mathbb{F}_{2}^{48})\) (see Fig. 4) such that

    $$\begin{aligned} \nu_a =& S^{-1} \bigl(M^{-1}(a) \bigr)\oplus RC_1, \\ \omega_b =&S^{-1} \bigl(M^{-1}(b) \bigr) \oplus RC_{8}. \end{aligned}$$

    Store \(\nu_a\) in the row \(\varLambda=\nu_a\oplus\omega_b\) of the hash table T. The hash table T has \(2^{48}\) rows, and on average each row has \(\frac{2^{60}}{2^{48}}=2^{12}\) values.

Attack Procedure

  1.

    Allocate a counter \(D_{k_{1}}\) for each of the \(2^{48}\) values of \(k_1\).

  2.

    For each of the \(2^m\) pairs \((P'_t, C'_t)\):

    • Compute \(\varLambda=P'_{t} \oplus C'_{t}\).

    • For all \(\nu_a\) in the row Λ of the hash table T, increase the counter \(D_{(P'_{t} \oplus\nu_{a})}\) by one.

  3.

    Consider a list of the \(2^{48-a}\) keys \(k_1\) with the highest counter values. Do an exhaustive search on the remaining 64−a bits of the key.

Assuming that α does not have any zero nibble, the time complexity of Step 2 corresponds to \(2^{m+12}\) memory accesses. The exhaustive search described in Step 3 requires \(2^{64-a}\) full encryptions. We need \(2^{60}\times 48/8\times 2\simeq 2^{63.6}\) bytes for the storage of the hash table T and \(2^{48-a}\times 48/8=2^{50.6-a}\) bytes for the storage of the list of key candidates.

When considering only the most probable key (a=48), this attack can be performed using \(2^{36.82}\) known plaintext-ciphertext pairs in time corresponding to \(2^{48.8}\) memory accesses and \(2^{16}\) full encryptions. The memory complexity is dominated by the storage of \(2^{63.6}\) bytes for the hash table.

Extending this attack to an 8-round reduced version of \(\mathrm{PRINCE}^{\alpha}\) requires a data complexity of \(2^{36.85}\), a time complexity of \(2^{97.8}\) memory accesses and \(2^{80}\) full encryptions, and the storage of \(2^{63.6}\) bytes.

Several other kinds of truncated reflection characteristics can be derived for different configurations of \(M^{-1}(\alpha)\). For instance, in some configurations where \(M^{-1}(\alpha)\) has up to eight non-zero nibbles, a key-recovery attack on a 6-round cipher can be done using a distinguisher on 4 rounds.

6.3 Related-Key Key-Recovery Attacks

Recently, a related-key key-recovery attack for \(2^{40}\) values of α in the boomerang setting was presented in [20]. It makes use of a characteristic similar to the iterative characteristics we exploited in our analysis and uses adaptively chosen plaintexts. It is also interesting to note that this related-key attack is efficient for the values of α such that α is block diagonal, while our attack based on the truncated characteristic of Sect. 6.2 is applicable to α such that \(M^{-1}(\alpha)\) is block diagonal.

Next we present a related-key attack on \(\mathrm{PRINCE}^{\alpha}_{\mathrm{core}}\), which is applicable to the values of α given in Table 2. Let us assume that the attacker obtains encryptions C and C′ of the same, but possibly unknown, plaintext P using \(\mathrm{PRINCE}^{\alpha}_{\mathrm{core}}\) under keys \(k_1\) and \(k_1\oplus\alpha\), respectively. Note that, due to the α-reflection property, the related-key encryption oracle with the key \(k_1\oplus\alpha\) can be replaced by the decryption oracle with the original key \(k_1\), and in this manner this attack can be turned into an attack in the single-key model. Also note that the difference is introduced only in the key and not in the plaintext.

Based on the iterative characteristic presented in Sect. 5, we define a related-key characteristic. Using this 11.5-round distinguisher, the full \(\mathrm{PRINCE}^{\alpha}_{\mathrm{core}}\) is vulnerable for some reflection parameters, including the α given in Table 2, for which this attack is particularly effective. Let \(\gamma=M^{-1}(\alpha)\); this distinguisher is built on the following characteristic over 11.5 rounds (see Fig. 8).

Fig. 8. A related-key characteristic.

This related-key characteristic is deterministic on the midmost rounds, while in all other attacks presented in this paper for α in Table 2 the midmost rounds are the most expensive part of the characteristics and can be passed only with small probabilities \(\mathcal{P}_{\mathcal{I}_{1}}=2^{-32}\) and \(\mathcal{P}_{\mathcal {I}_{2}}\leq 2^{-32}\). Moreover, the related-key characteristic cancels every two rounds, and can be efficient for the α such that \(\gamma=M^{-1}(\alpha)\) is non-zero on the same nibble positions as α. The probability of this characteristic is

$$\operatorname{Pr}_{\mathbf{X}} \bigl[S(\mathbf{X})\oplus S(\mathbf{X}\oplus\alpha )=M^{-1}(\alpha) \bigr]^{5}=2^{-55}, $$

for the first four α of Table 2.

The most expensive part of this attack, similarly to any last-round key-recovery attack in the differential context, is the sieving process. It consists of discarding all ciphertext pairs (C,C′) such that \(C\oplus C'\) is non-zero on the zero nibble positions of α. For the remaining pairs, up to 4w(α) bits of \(k_1\) can be found by partially deciphering the last round. The remaining bits of \(k_1\) can be found using exhaustive search. The time complexity of this attack is dominated by the sieving process, which is roughly equivalent to the data complexity.

To achieve the full advantage of 4w(α) key bits, this related-key attack on \(\mathrm{PRINCE}^{\alpha}_{\mathrm{core}}\) takes \(2^{57.89}\) known plaintexts and corresponding ciphertexts encrypted with two different keys. The attack requires the storage of \(2^{4w(\alpha)}=2^{16}\) counters and its time complexity is \(2^{57.89}\).
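As an added illustration of the two quantities that drive this attack, the per-round S-box transition probability behind the \(2^{-55}\) figure (which is \((2^{-11})^5\) by the formula above) and the nibble-wise sieve on \(C\oplus C'\), the following Python code is not from the paper. It uses the PRINCE S-box from the cipher specification and works nibble by nibble from its difference distribution table. The linear layer \(M^{-1}\) is not implemented, so the output difference γ is supplied directly; the values SAMPLE_ALPHA and SAMPLE_GAMMA and the ciphertext pairs are constructed for the demonstration and are not the α of Table 2. The partial decryption of the last round is not shown; the code stops at the sieve and the size of the counter table.

```python
# Added example, not from the paper: nibble-wise S-box differential probability of
# the related-key characteristic, and the ciphertext sieve of the last-round key recovery.
from math import log2

# PRINCE S-box, as given in the PRINCE specification.
SBOX = [0xB, 0xF, 0x3, 0x2, 0xA, 0xC, 0x9, 0x1,
        0x6, 0x7, 0x8, 0x0, 0xE, 0x5, 0xD, 0x4]


def ddt(sbox):
    """Difference distribution table: table[din][dout] counts x with S(x)^S(x^din) == dout."""
    table = [[0] * 16 for _ in range(16)]
    for x in range(16):
        for din in range(16):
            table[din][sbox[x] ^ sbox[x ^ din]] += 1
    return table


DDT = ddt(SBOX)


def nibbles(v):
    """Sixteen 4-bit nibbles of a 64-bit value, most significant first."""
    return [(v >> (4 * (15 - i))) & 0xF for i in range(16)]


def weight(alpha):
    """w(alpha): number of non-zero nibbles of alpha."""
    return sum(1 for n in nibbles(alpha) if n)


def sbox_layer_log2_prob(din, dout):
    """log2 Pr_X[S(X) ^ S(X ^ din) == dout] over the 16 parallel S-boxes.
    The nibbles are independent, so the probability is the product of DDT entries."""
    total = 0.0
    for a, g in zip(nibbles(din), nibbles(dout)):
        count = DDT[a][g]
        if count == 0:
            return float("-inf")  # impossible transition in some nibble
        total += log2(count / 16)
    return total


def characteristic_log2_prob(alpha, gamma, rounds=5):
    """The characteristic pays the S-box transition alpha -> gamma once per round on
    `rounds` rounds; under the usual independence assumption the exponents add."""
    return rounds * sbox_layer_log2_prob(alpha, gamma)


def sieve_mask(alpha):
    """Bits that must be zero in C ^ C': every nibble position where alpha is zero."""
    mask = 0
    for i, n in enumerate(nibbles(alpha)):
        if n == 0:
            mask |= 0xF << (4 * (15 - i))
    return mask


def sieve(pairs, alpha):
    """Keep the (C, C') pairs whose difference is zero on the zero nibbles of alpha."""
    mask = sieve_mask(alpha)
    return [(c, c2) for c, c2 in pairs if (c ^ c2) & mask == 0]


def counter_table_size(alpha):
    """Counters needed for the 4*w(alpha) key bits recovered from the last round."""
    return 1 << (4 * weight(alpha))


# Constructed sample differences (not the Table 2 values): four active nibbles,
# each with input difference 1 mapped to output difference 8 (DDT entry 4/16).
SAMPLE_ALPHA = 0x1001000010000010
SAMPLE_GAMMA = 0x8008000080000080

# Constructed ciphertext pairs: the first two differ only on the active nibbles of
# SAMPLE_ALPHA and survive the sieve; the third differs in a zero nibble and is discarded.
SAMPLE_PAIRS = [
    (0x0123456789ABCDEF, 0x0123456789ABCDEF ^ 0x3005000010000020),
    (0x0000000000000000, 0xF00F0000F00000F0),
    (0x0123456789ABCDEF, 0x0123456789ABCDEF ^ 0x0F00000000000000),
]

if __name__ == "__main__":
    print("w(alpha) =", weight(SAMPLE_ALPHA))
    print("log2 Pr per S-box layer =", sbox_layer_log2_prob(SAMPLE_ALPHA, SAMPLE_GAMMA))
    print("log2 Pr over 5 rounds =", characteristic_log2_prob(SAMPLE_ALPHA, SAMPLE_GAMMA))
    print("pairs surviving the sieve =", len(sieve(SAMPLE_PAIRS, SAMPLE_ALPHA)))
    print("counters for 4w(alpha) key bits =", counter_table_size(SAMPLE_ALPHA))
```

With the constructed differences the per-layer probability is \(2^{-8}\) and the five-round product \(2^{-40}\); reproducing the paper's \(2^{-55}\) requires an α from Table 2 whose four active nibbles have DDT entries multiplying to \(2^{-11}\) against \(M^{-1}(\alpha)\). The sieve mask is the complement of the active nibbles, which is why its cost scales with the number of pairs rather than with the key size.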

7 Conclusion and Open Questions

In this paper, we presented results of the first application of reflection cryptanalysis on PRINCE-like ciphers. Since the characteristics \({\mathcal{I}}_{1}\) and \({\mathcal{I}}_{2}\) are naturally suggested by the α-reflection structure of the cipher, we restricted our attention to them as starting points for the reflection characteristics. In addition to studying the structural extensions of \({\mathcal{I}}_{1}\) and \({\mathcal{I}}_{2}\) by the characteristics \({\mathcal{C}}_{u}\) and finding the weakest α for such combinations, we also performed automatic searches and found many weak α values directly. The weakest values of α were found when starting from \({\mathcal{I}}_{1}\), and they allow an efficient key-recovery attack on 12 rounds of the core cipher.

Our results show that the security of PRINCE is not independent of the value of α. On the other hand, the best attack we could construct using this technique on PRINCE with the original value of the reflection parameter α was a key-recovery attack on a reduced 6-round version of the cipher. This attack, which requires \(2^{56.08}\) known plaintext-ciphertext pairs, is, however, not better than the generic attack. It would also be possible to perform similar analysis starting from some other characteristics over the midmost rounds of the cipher. The question, whether such an approach can be successfully used to find new distinguishers that are more efficient for the original α, remains to be studied.

One of the main goals of this work was to investigate how the choice of the reflection parameter influences the security of a PRINCE-like cipher. For this reason, in all concrete examples presented in this paper, the other components of the cipher were kept as specified in the original design. Based on their analysis of resistance against differential and linear attacks in [7, 8], the designers suggested that also other non-linear layers ensuring the same differential and linear properties could have been chosen. Encouraged by one of the anonymous reviewers, we experimented on S-boxes obtained from the original one using affine transformations and observed that such changes could significantly weaken the resistance of the cipher against reflection attack. Our experiments on the characteristics \({{\mathcal{C}}_{4}}\) and the values of α in Table 2 showed that there are affine transformations such that, when applied to the original S-box, the differential probabilities in Table 3 will be changed in such a way that the probabilities \({\mathcal{P}}_{{\mathcal{C}}_{4}}\) can be increased significantly. For example, for some α, the probability \({\mathcal{P}}_{{\mathcal{C}}_{4}}\) can be increased from \(2^{-24}\) to \(2^{-16}\). Using the otherwise same setting as in Sect. 5.1, we obtain an attack requiring \(2^{51.41}\) plaintext/ciphertext pairs and performing in time \(2^{65.82}\), which is better than the generic attack over the complete 12-round cipher. This example demonstrates that resistance against reflection attack depends strongly on the properties of the combinations of the linear layer, the non-linear layer and the reflection parameter, and opens up the need for more research to achieve better understanding of this complex issue.

In this work we developed and applied probabilistic reflection distinguishers for a cipher with SPN structure. We see at least two directions as potential future applications of our ideas. First, it would be interesting to revisit deterministic reflection distinguishers that are previously known to exist on several Feistel ciphers and investigate if they have probabilistic extensions that could be used for attacking more rounds of those ciphers. A second direction would be to look at other involutional SPN ciphers like ICEBERG [29], KHAZAD [3] or ANUBIS [2] as possible targets of probabilistic reflection distinguishers. More generally, cryptanalysis on specific Even–Mansour designs, such as our work on PRINCE presented here and the recent attacks on the LED cipher [27], may serve as sources of inspiration for future research on the general Even–Mansour scheme.