Abstract
Differential distribution and linear approximation tables are the main security criteria for S-box designers. However, there are other S-box properties that, if overlooked by cryptanalysts, can result in erroneous results in theoretical attacks. In this paper we focus on two such properties, namely undisturbed bits and differential factors. We go on to identify several inconsistencies in published attacks against the lightweight block ciphers PRESENT, PRIDE, and RECTANGLE and present our corrections.
References
Albrecht, M.R., Driessen, B., Kavun, E.B., Leander, G., Paar, C., Yalçın, T.: Block ciphers – focus on the linear layer (feat. PRIDE). In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 57–76. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44371-2_4
Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. J. Cryptol. 18(4), 291–311 (2005)
Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991)
Bilgin, B., Nikova, S., Nikov, V., Rijmen, V., Stütz, G.: Threshold implementations of all 3 × 3 and 4 × 4 S-boxes. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 76–91. Springer, Heidelberg (2012). doi:10.1007/978-3-642-33027-8_5
Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). doi:10.1007/978-3-540-74735-2_31
Chakraborty, K., Sarkar, S., Maitra, S., Mazumdar, B., Mukhopadhyay, D., Prouff, E.: Redefining the transparency order. Cryptology ePrint Archive, Report 2014/367 (2014)
Courtois, N.T., Pieprzyk, J.: Cryptanalysis of block ciphers with overdefined systems of equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002). doi:10.1007/3-540-36178-2_17
Dai, Y., Chen, S.: Cryptanalysis of full PRIDE block cipher. Cryptology ePrint Archive, Report 2014/987 (2014). http://eprint.iacr.org/2014/987
Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009). doi:10.1007/978-3-642-01001-9_16
ISO/IEC 29192–2:2012: Information technology - security techniques - lightweight cryptography - part 2: Block ciphers (2011)
Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search (an analysis of DESX). J. Cryptol. 14(1), 17–35 (2001)
Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). doi:10.1007/3-540-60590-8_16
Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). doi:10.1007/3-540-48405-1_25
Makarim, R.H., Tezcan, C.: Relating undisturbed bits to other properties of substitution boxes. In: Eisenbarth, T., Öztürk, E. (eds.) LightSec 2014. LNCS, vol. 8898, pp. 109–125. Springer, Cham (2015). doi:10.1007/978-3-319-16363-5_7
Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). doi:10.1007/3-540-48285-7_33
Nyberg, K.: Differentially uniform mappings for cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994). doi:10.1007/3-540-48285-7_6
Prouff, E.: DPA attacks and S-boxes. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 424–441. Springer, Heidelberg (2005). doi:10.1007/11502760_29
Selçuk, A.A.: On probability of success in linear and differential cryptanalysis. J. Cryptol. 21(1), 131–147 (2008)
Shan, J., Hu, L., Song, L., Sun, S., Ma, X.: Related-key differential attack on round reduced RECTANGLE-80. Cryptology ePrint Archive, Report 2014/986 (2014). http://eprint.iacr.org/2014/986
Shan, J., Hu, L., Song, L., Sun, S., Ma, X.: Related-key differential attack on 19-round reduced RECTANGLE-80. J. Cryptol. Res. 2(1), 54 (2015). http://www.jcr.cacrnet.org.cn:8080/mmxb/EN/abstract/abstract73.shtml
Tezcan, C.: The improbable differential attack: cryptanalysis of reduced round CLEFIA. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 197–209. Springer, Heidelberg (2010). doi:10.1007/978-3-642-17401-8_15
Tezcan, C.: Improbable differential attacks on PRESENT using undisturbed bits. J. Comput. Appl. Math. 259, 503–511 (2014)
Tezcan, C.: Differential factors revisited: corrected attacks on PRESENT and SERPENT. In: Güneysu, T., Leander, G., Moradi, A. (eds.) LightSec 2015. LNCS, vol. 9542, pp. 21–33. Springer, Cham (2016). doi:10.1007/978-3-319-29078-2_2
Tezcan, C., Özbudak, F.: Differential factors: improved attacks on SERPENT. In: Eisenbarth, T., Öztürk, E. (eds.) LightSec 2014. LNCS, vol. 8898, pp. 69–84. Springer, Cham (2015). doi:10.1007/978-3-319-16363-5_5
Wang, M.: Differential cryptanalysis of reduced-round PRESENT. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 40–49. Springer, Heidelberg (2008). doi:10.1007/978-3-540-68164-9_4
Yang, Q., Hu, L., Sun, S., Qiao, K., Song, L., Shan, J., Ma, X.: Improved differential analysis of block cipher PRIDE. In: Lopez, J., Wu, Y. (eds.) ISPEC 2015. LNCS, vol. 9065, pp. 209–219. Springer, Cham (2015). doi:10.1007/978-3-319-17533-1_15
Zhang, W., Bao, Z., Lin, D., Rijmen, V., Yang, B., Verbauwhede, I.: RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms. Cryptology ePrint Archive, Report 2014/084 (2014). http://eprint.iacr.org/2014/084
Zhang, W., Bao, Z., Lin, D., Rijmen, V., Yang, B., Verbauwhede, I.: RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms. Sci. China Inf. Sci. 58(12), 1–15 (2015)
Zhao, J., Wang, X., Wang, M., Dong, X.: Differential analysis on block cipher PRIDE. Cryptology ePrint Archive, Report 2014/525 (2014). http://eprint.iacr.org/
Acknowledgment
The work of Cihangir Tezcan was supported by The Scientific and Technological Research Council of Turkey (TÜBİTAK) under the grant 115E447 titled “Quasi-Differential Factors and Time Complexity of Block Cipher Attacks”.
A Modified 19-Round Related-Key Attack on REC-0
Step 1: Guess the value of a part of the subkey bits of \(K_0\).
1. Guess \(K_0^{(14)}\) and compute the output difference of the 14th S-box for each remaining plaintext pair, i.e. \(S(P^{(14)} \oplus K_0^{(14)}) \oplus S(P'^{(14)} \oplus K_0^{(14)} \oplus \varDelta K_0^{(14)})\). This step has time complexity \(2\cdot 2^{x+34.54}\cdot 2^3\cdot \frac{1}{16}\cdot \frac{1}{19} = 2^{x+30.29}\). If the difference does not have the form ?000, discard the pair. The expected number of remaining pairs is then \(2^{x+28.54}\).
2. Guess \(K_0^{(7)}\) and compute the output difference of the 7th S-box for each remaining plaintext pair, i.e. \(S(P^{(7)} \oplus K_0^{(7)}) \oplus S(P'^{(7)} \oplus K_0^{(7)} \oplus \varDelta K_0^{(7)})\). This step has time complexity \(2\cdot 2^{x+31.54}\cdot 2^6\cdot \frac{1}{16}\cdot \frac{1}{19} = 2^{x+30.29}\). If the difference does not have the form ?000, discard the pair. The expected number of remaining pairs is then \(2^{x+28.54}\).
3. Repeat the same procedure for \(K_0^{(3)}\), \(K_0^{(6)}\), \(K_0^{(8)}\), \(K_0^{(9)}\), \(K_0^{(10)}\), \(K_0^{(12)}\) and \(K_0^{(13)}\). Afterwards \(2^{x+8.54}\) right pairs are left. The time complexity of this step is the sum over the seven guesses, \(2\cdot (2^{x+38.54} + 2^{x+39.54} + 2^{x+40.54} + 2^{x+41.54} + 2^{x+42.54} + 2^{x+43.54} + 2^{x+44.54})\cdot \frac{1}{16}\cdot \frac{1}{19} = 2^{x+38.29}\).
Step 2: Guess the value of a part of the subkey bits of \(K_0\) by guessing some bits of \(K_0\) and \(K_1\).
1. Since many bits of \(K_1\) are obtained directly from \(K_0\) by shifting and adding constants, we only need to guess some bits for a column in \(K_1\). For the 3rd column of \(K_1\), the key schedule gives \((K_1^{(0,3)}, K_1^{(1,3)}, K_1^{(2,3)}, K_1^{(3,3)}) = (K_0^{(0,16)}, K_0^{(1,14)}, K_0^{(2,12)}, K_0^{(3,10)})\). Therefore we need to guess \(K_0^{(0,16)} = K_1^{(0,3)}\), and we also need \(K_0^{(3,10)} = K_1^{(3,3)}\), because by Property 2 the bit \(K_1^{(3,3)}\) is flipped when the substitution operation is applied to \(K_1^{(2,7)}\), and \(K_1^{(3,10)}\) is flipped when the substitution operation is applied to \(K_1^{(2,15)}\). The expected number of remaining pairs is then \(2^{x+4.54}\).
2. Guess the bits \(K_0^{(1,1)}\), \(K_0^{(2,19)}\), \(K_0^{(3,17)}\), and then check whether \(S(I_1^{(10)} \oplus K_1^{(10)}) \oplus S(I_1'^{(10)} \oplus K_1^{(10)} \oplus \varDelta K_1^{(10)}) = 1000\). On average, \(2^{x+0.54}\) right pairs are left.
3. Similarly to the previous step, guess the bits \(K_0^{(0,2)}\), \(K_1^{(1,9)}\), \(K_0^{(2,18)}\), \(K_0^{(3,16)}\); on average \(2^{x-3.46}\) right pairs are then left.
The time complexity of Step 2 is the sum over the three guesses, \(2\cdot (2^{x+45.54} + 2^{x+44.54} + 2^{x+44.54})\cdot \frac{1}{16}\cdot \frac{1}{19} = 2^{x+39.29}\).
Step 3: Guess the value of a part of the subkey bits of \(K_{19}\). This step is identical to Step 3 of [19] and has a time complexity of \(2^{38.55}\).
Step 4: The involved secret bits of \(K_{18}\) have already been guessed in Steps 1–3, so no further secret bits need to be guessed. If a right pair is left, add one to the corresponding counter. This step is identical to Step 3 of [19] and has a time complexity of \(2^{28.54}\).
Step 5: If a counter is larger than 1, keep the corresponding guess of the subkey bits as a candidate for the right subkey. For each surviving candidate, recover the seed key by an exhaustive search over the remaining secret bits.
Therefore the total time complexity is \(2^{66.35}\) 19-round REC-0 encryptions, the data complexity is \(2^{62}\) chosen plaintexts since \(x=26\), and the memory complexity is \(2^{72}\) key counters.
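Added example, not code from the paper: the two S-box properties named in the abstract (undisturbed bits and differential factors) computed for a 4-bit S-box, together with a single-S-box key-guess filter of the kind used in Step 1 of the appendix, to show why a differential factor makes two subkey candidates indistinguishable. The PRESENT S-box is used because its table is public; the function names and the filter's argument layout are my own.

```python
# Added example, not from the paper: DDT, undisturbed bits and differential
# factors of a 4-bit S-box, plus the key-guess filter step they affect.
# The PRESENT S-box is used because its table is public (Bogdanov et al.,
# CHES 2007); RECTANGLE's or PRIDE's S-box would be analysed the same way.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def ddt(sbox):
    """ddt[din][dout] = number of x with S(x) ^ S(x ^ din) == dout."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for din in range(n):
            table[din][sbox[x] ^ sbox[x ^ din]] += 1
    return table

def undisturbed_bits(sbox):
    """{din: {bit: value}}: output-difference bits (bit 0 = LSB) that take the
    same value for every dout reachable from the nonzero input difference din.
    Pass the inverse S-box to get the input-side undisturbed bits instead."""
    table, n = ddt(sbox), len(sbox)
    result = {}
    for din in range(1, n):
        reach = [dout for dout in range(n) if table[din][dout]]
        fixed = {b: reach[0] >> b & 1 for b in range(n.bit_length() - 1)
                 if len({d >> b & 1 for d in reach}) == 1}
        if fixed:
            result[din] = fixed
    return result

def differential_factors(sbox):
    """Sorted (mu, lam) such that S(x)^S(y) == mu implies S(x^lam)^S(y^lam) == mu
    for all x, y: the definition of Tezcan and Ozbudak (LightSec 2014)."""
    n = len(sbox)
    pairs_of = {mu: [(x, y) for x in range(n) for y in range(n)
                     if sbox[x] ^ sbox[y] == mu] for mu in range(1, n)}
    return [(mu, lam) for mu in range(1, n) for lam in range(1, n)
            if all(sbox[x ^ lam] ^ sbox[y ^ lam] == mu for x, y in pairs_of[mu])]

def surviving_pairs(sbox, pairs, key, target, dkey=0, mask=0xF):
    """One-S-box key-guess filter as in Step 1 of the appendix: keep (p, p') iff
    (S(p ^ key) ^ S(p' ^ key ^ dkey)) & mask == target. If lam is a differential
    factor for target, key and key ^ lam keep exactly the same pairs, so the
    counters of those two candidates can never be told apart."""
    return [(p, q) for p, q in pairs
            if (sbox[p ^ key] ^ sbox[q ^ key ^ dkey]) & mask == target]

if __name__ == "__main__":
    print(undisturbed_bits(PRESENT_SBOX))     # {1: {0: 1}, 8: {0: 1}, 9: {0: 0}}
    print(differential_factors(PRESENT_SBOX))  # [(5, 1), (15, 15)]
```

For PRESENT the key-guess consequence is that, when the filter looks for output difference 5, a guess of the S-box subkey nibble k and of k ⊕ 1 behave identically, so that subkey bit is not recovered and the attack's advantage has to be corrected accordingly.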
© 2017 Springer International Publishing AG
Tezcan, C., Okan, G.O., Şenol, A., Doğan, E., Yücebaş, F., Baykal, N. (2017). Differential Attacks on Lightweight Block Ciphers PRESENT, PRIDE, and RECTANGLE Revisited. In: Bogdanov, A. (ed.) Lightweight Cryptography for Security and Privacy. LightSec 2016. Lecture Notes in Computer Science, vol. 10098. Springer, Cham. https://doi.org/10.1007/978-3-319-55714-4_2
DOI: https://doi.org/10.1007/978-3-319-55714-4_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-55713-7
Online ISBN: 978-3-319-55714-4