
Practical Low Data-Complexity Subspace-Trail Cryptanalysis of Round-Reduced PRINCE

Conference paper, Progress in Cryptology – INDOCRYPT 2016 (INDOCRYPT 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10095)

Abstract

Subspace trail cryptanalysis is a recently introduced cryptanalysis technique that includes differential, truncated differential, impossible differential, and integral attacks as special cases.

In this paper, we consider PRINCE, a widely analyzed block cipher proposed in 2012. After identifying a 2.5-round subspace trail of PRINCE, we present several (truncated differential) attacks on up to 6 rounds of PRINCE. This includes a very practical attack with the lowest data complexity of only 8 plaintexts for 4 rounds, which co-won the final round of the PRINCE challenge in the 4-round chosen-plaintext category. The attacks have been verified using a C implementation.

Of independent interest, we consider a variant of PRINCE in which ShiftRows and MixLayer operations are exchanged in position. In particular, our result shows that the position of ShiftRows and MixLayer operations influences the security of PRINCE. The same analysis applies to follow-up designs inspired by PRINCE.


Notes

  1.

    https://www.emsec.rub.de/research/research_startseite/prince-challenge/.

  2.

    Table 1 of [17] contains an error about the data complexity and the time complexity for the Integral Attack on 4 rounds. The correct values for this attack (as also confirmed by the author of [17]) are those reported in Table 1 of this paper.

  3.

    The source code is available at https://github.com/Krypto-iaik/PRINCE_Attacks.

  4.

    We observe that attacks that exploit the key-schedule can be affected by the order of linear operations. To better highlight this fact, we refer to the analysis done in [10] about the effect of the omission of the final MixColumns operation. While in general key-recovery attacks are not influenced by the presence of the last MixColumns operation, some of the attacks that exploit it (e.g. Meet-in-the-Middle attacks) are affected, since a different key schedule can affect the amount of key material that has to be guessed in key-recovery attacks (also in the standard single-key model). In a similar way, the same analysis holds also when the positions of the MixColumns and ShiftRows operations are exchanged.

  5.

    We emphasize that the right key is always found. We use more plaintexts only to discard false positives that pass the test.

  6.

    Note that \([\,\text{S-Box}(t^2[0]\oplus k_1[0]) \oplus \text{S-Box}(t^3[0]\oplus k_1[0])\,] \wedge 0\text{x}8 = [\,\text{S-Box}(t^2[0]\oplus k_1[0]) \oplus \text{S-Box}(t^1[0]\oplus k_1[0]) \oplus \text{S-Box}(t^1[0]\oplus k_1[0]) \oplus \text{S-Box}(t^3[0]\oplus k_1[0])\,] \wedge 0\text{x}8 = 0\).

  7.

    We refer to [5] and [3] for a complete description of the S-Box, the PermuteCells and the MixColumns operations.

References

  1. Abed, F., List, E., Lucks, S.: On the Security of the Core of PRINCE Against Biclique and Differential Cryptanalysis. Cryptology ePrint Archive, Report 2016/712 (2016)


  2. Avanzi, R.: The QARMA Block Cipher Family - Almost MDS Matrices Over Rings With Zero Divisors, Nearly Symmetric Even-Mansour Constructions With Non-Involutory Central Rounds, and Search Heuristics for Low-Latency S-Boxes. Cryptology ePrint Archive, Report 2016/444 (2016)


  3. Banik, S., Bogdanov, A., Isobe, T., Shibutani, K., Hiwatari, H., Akishita, T., Regazzoni, F.: Midori: a block cipher for low energy. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 411–436. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48800-3_17


  4. Bay, A., Ersoy, O., Karakoç, F.: Universal Forgery and Key Recovery Attacks on ELmD Authenticated Encryption Algorithm. Cryptology ePrint Archive, Report 2016/640 (2016). To appear at Asiacrypt 2016


  5. Beierle, C., Jean, J., Kölbl, S., Leander, G., Moradi, A., Peyrin, T., Sasaki, Y., Sasdrich, P., Sim, S.M.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53008-5_5


  6. Borghoff, J., Canteaut, A., Güneysu, T., Kavun, E.B., Knezevic, M., Knudsen, L.R., Leander, G., Nikov, V., Paar, C., Rechberger, C., Rombouts, P., Thomsen, S.S., Yalçın, T.: PRINCE – a low-latency block cipher for pervasive computing applications. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34961-4_14


  7. Bouillaguet, C., Derbez, P., Dunkelman, O., Fouque, P., Keller, N., Rijmen, V.: Low-data complexity attacks on AES. IEEE Trans. Inf. Theory 58(11), 7002–7017 (2012)


  8. Derbez, P., Perrin, L.: Meet-in-the-middle attacks and structural analysis of round-reduced PRINCE. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 190–216. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48116-5_10


  9. Dobraunig, C., Eichlseder, M., Mendel, F.: Key recovery for MANTIS-5. Cryptology ePrint Archive, Report 2016/754 (2016)


  10. Dunkelman, O., Keller, N.: The effects of the omission of last round’s MixColumns on AES. Inf. Process. Lett. 110(8–9), 304–308 (2010)


  11. Grassi, L., Rechberger, C.: Practical low data-complexity subspace-trail cryptanalysis of round-reduced PRINCE. IACR Cryptology ePrint Archive (2016)


  12. Grassi, L., Rechberger, C., Rønjom, S.: Subspace trail cryptanalysis and its applications to AES. Cryptology ePrint Archive, Report 2016/592 (2016)


  13. Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 252–267. Springer, Heidelberg (1996). doi:10.1007/3-540-68697-5_20


  14. Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). doi:10.1007/3-540-60590-8_16


  15. Leander, G., Abdelraheem, M.A., AlKhzaimi, H., Zenner, E.: A cryptanalysis of PRINTcipher: the invariant subspace attack. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 206–221. Springer, Heidelberg (2011). doi:10.1007/978-3-642-22792-9_12


  16. Leander, G., Minaud, B., Rønjom, S.: A generic approach to invariant subspace attacks: cryptanalysis of Robin, iSCREAM and Zorro. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 254–283. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_11


  17. Morawiecki, P.: Practical Attacks on the Round-reduced PRINCE. Cryptology ePrint Archive, Report 2016/245 (2016)


  18. Posteuca, R., Negara, G.: Integral Cryptanalysis of Round-Reduced PRINCE Cipher. Proceedings of the Romanian Academy, Series A 16, 265–270 (2015)


  19. Raddum, H., Rasoolzadeh, S.: Faster Key Recovery Attack on Round-Reduced PRINCE. Cryptology ePrint Archive, Report 2016/828 (2016). To appear at LightSec 2016


  20. Soleimany, H., Blondeau, C., Yu, X., Wu, W., Nyberg, K., Zhang, H., Zhang, L., Wang, Y.: Reflection cryptanalysis of PRINCE-like ciphers. J. Crypt. 28(3), 718–744 (2013)


  21. Zhao, G., Sun, B., Li, C., Su, J.: Truncated differential cryptanalysis of PRINCE. Secur. Commun. Netw. 8(16), 2875–2887 (2015)



Acknowledgements

The work in this paper has been partially supported by the Austrian Science Fund (project P26494-N15).

Corresponding author: Lorenzo Grassi

A MANTIS Encryption Scheme: Subspace Trail Cryptanalysis

The MANTIS encryption scheme [5] is a low-latency tweakable block cipher proposed at CRYPTO 2016. The starting point used by the designers is a PRINCE-like encryption scheme, keeping the entire design symmetric around the middle (to obtain the \(\alpha \)-reflection property). In order to improve the security, the PRINCE round has been replaced by the MIDORI round function. This simple change results in a cipher with improved latency and improved security compared to PRINCE. Note that, in contrast to PRINCE, the PermuteCells operation is performed before the MixLayer one.

MANTIS\(_r\) has a 64-bit block length and works with a 128-bit key (\(k = k_0 || k_1\) with 64-bit subkeys \(k_0, k_1\)) and a 64-bit tweak T. The parameter r specifies the number of rounds of one half of the cipher. Like PRINCE, MANTIS is based on the FX-construction and thus applies whitening keys before and after its core components (the whitening keys are generated in the same way as for PRINCE). Every round \(R^i(\cdot )\) of MANTIS is defined as

$$\begin{aligned} R^i(\cdot ) = M\circ P(h^i(T) \oplus k_1\oplus RC_i \oplus \,\text {S-Box}(\cdot )), \end{aligned}$$

for \(i =0, \dots , r\), where (see footnote 7):

  • S-Box layer: Every cell of the internal state is replaced using the involutory \(4 \times 4\)-bit MIDORI S-Box;

  • A bit-wise XOR with the (full) round tweakey state \(h^i(T) \oplus k_1\), for \(i =0, \dots , r\), where T is the tweak and \(h^i\) is the tweak permutation;

  • PermuteCells Operation \(\mathbf {P}\): The cells of the internal state are permuted according to the MIDORI permutation;

  • MixColumns \(\mathbf {M}\): Each column of the cipher internal state array is multiplied by the MixColumns binary matrix M of MIDORI (we recall that \(M=M^{-1}\));

  • A bit-wise XOR with the key \(k_1\) and a round constant \(RC_i\).

As for PRINCE, in the last r rounds the order of operations is inverted with respect to the first r rounds, and only the round constants differ. Moreover, the middle rounds consist of three key-less operations: an S-Box layer, a matrix multiplication with M and an inverse S-Box layer. Finally, like PRINCE, MANTIS has the \(\alpha \)-reflection property, that is \(D_{(k_0||k_0'||k_1)}(\cdot , T) = E_{(k_0'||k_0||k_1\oplus \alpha )}(\cdot , T)\). Thus, our results presented in Sect. 4 can be applied to MANTIS.

Subspace Trail of MANTIS. Proceeding as for PRINCE, we first identify analogous subspace trails for MANTIS. The column, diagonal and mixed subspaces are defined exactly as the ones defined for PRINCE in Sect. 3.1, but their representations are a little different (except for the column space).

For instance, \(\mathcal D_0 = P(\mathcal C_0),\) \(\mathcal {ID}_0=P^{-1}(\mathcal C_0)\), \(\mathcal M_0 = M(\mathcal D_0)\) and \(\mathcal {IM}_0 = M(\mathcal {ID}_0)\) correspond to matrix representations:

$$\begin{aligned} \mathcal D_0 \equiv \begin{bmatrix} x&0&0&0 \\ 0&0&y&0 \\ 0&0&0&z \\ 0&w&0&0 \end{bmatrix} \, \mathcal {ID}_0 \equiv \begin{bmatrix} x&0&0&0 \\ 0&y&0&0 \\ 0&0&z&0 \\ 0&0&0&w \end{bmatrix} \, \mathcal M_0 \equiv \begin{bmatrix} 0&w&y&z \\ x&w&0&z \\ x&w&y&0 \\ x&0&y&z \end{bmatrix} \, \mathcal {IM}_0 \equiv \begin{bmatrix} 0&w&y&z \\ x&0&y&z \\ x&w&0&z \\ x&w&y&0 \end{bmatrix}. \end{aligned}$$

Let \(I\subseteq \{0,1,2,3\}\). Since \(\mathcal C_I\) is an invariant subspace for the middle rounds, note that it is possible to set up a subspace trail for 3.5 rounds of MANTIS:

$$\begin{aligned} \mathcal {ID}_I \oplus a \xrightarrow []{R\circ ARK(\cdot )} \mathcal C_I \oplus b \xrightarrow []{super\text {-}SBox(\cdot )} \mathcal C_I \oplus c \xrightarrow []{M^\prime \circ SR^{-1}(\cdot )} \mathcal {IM}_I \oplus d. \end{aligned}$$

A More Secure Version of MANTIS. As for PRINCE, we consider a version of MANTIS in which the MixColumns and PermuteCells operations are exchanged in position, called MANTIS\(^\star \) in the following. The rounds of MANTIS\(^\star \) are defined similarly to the PRINCE ones: the MixColumns operation is performed before (resp. after) the PermuteCells one in the forward (resp. backward) rounds.

As a first consequence, in this case it is only possible to set up a subspace trail for 2.5 rounds (as for PRINCE), that is \(\mathcal C_I \oplus a \xrightarrow []{R(\cdot )} \mathcal D_I \oplus b \xrightarrow []{M \circ \text {S-Box}(\cdot )} \mathcal M_I \oplus c\) or \(\mathcal C_I \oplus a \xrightarrow []{super\text {-}SBox(\cdot )} \mathcal C_I \oplus b \xrightarrow []{M \circ SR^{-1}(\cdot )} \mathcal {IM}_I \oplus c\).

Moreover, “as one round of MANTIS is almost identical to one round in MIDORI, most of the security analysis can simply be copied from the latter” (see Sect. 6.3 of [5]). By our analysis of Sect. 4, and since MIDORI [3] is an AES-like cipher, its security is not influenced by the positions of the MixColumns and PermuteCells operations. Thus, the version of MIDORI in which the MixColumns operation is performed before the PermuteCells operation, called MIDORI\(^\star \) for consistency, has the same security as the original one.

Due to the previous considerations, and since the analysis done for PRINCE in Sect. 4 also applies to MANTIS, we can claim that MANTIS\(^\star \) (i.e. the version of MANTIS in which MixColumns and PermuteCells are exchanged in position) is more secure than the original version proposed by [5] with respect to the attack vectors considered in this paper. Note that this claim is also justified by the fact that the authors did not consider related-key attacks in order to evaluate the security of MANTIS, and that its key schedule is linear (in particular, there is no key schedule at all, since all the subkeys are equal to the whitening key).

For completeness, and following our analysis of Sect. 4, we define another version of MANTIS, called MANTIS\(^\prime \) in the following, which is identical to the original MANTIS except for the middle rounds, defined as

$$\begin{aligned} middle\text{- }rounds(\cdot ) = \, \text {S-Box}^{-1} \circ P^{-1} \circ M \circ P \circ \, \text {S-Box}(\cdot ). \end{aligned}$$

As for MANTIS\(^\star \), we can claim that MANTIS\(^\prime \) is more secure than the original version proposed by [5], and that it has the same security as MANTIS\(^\star \). For completeness, a similar but independent analysis is proposed in [9], which leads to analogous results and conclusions.
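As an added example (not code from the paper or from the PRINCE_Attacks repository), the following Python script checks the matrix representations of \(\mathcal D_0\), \(\mathcal {ID}_0\), \(\mathcal M_0\), \(\mathcal {IM}_0\) given above and the subspace-trail steps of this section for the MANTIS ordering (PermuteCells before MixColumns), the MANTIS\(^\star \) ordering (MixColumns before PermuteCells) and the MANTIS\(^\prime \) middle rounds. The Midori cell permutation and the Midori S-box Sb0 are reproduced from memory of the Midori specification and are assumptions; only their structure (a cell permutation, a cell-wise involution) matters for the checks, and the tweak and round constants are folded into the random keys. The printed matrices are compared after renaming their placeholder letters, since those letters are free variables.

```python
"""Added example (not from the paper or its code): subspace images and trail steps of a MANTIS-like round.
State = 16 nibbles, column-major: cell i is column i // 4, row i % 4. The Midori cell permutation and
Sb0 S-box below are reproduced from memory of the Midori spec (assumed); only their structure matters."""
import random

PERM = [0, 10, 5, 15, 14, 4, 11, 1, 9, 3, 12, 6, 7, 13, 2, 8]   # ShuffleCell: new[i] = old[PERM[i]]
PERM_INV = [PERM.index(i) for i in range(16)]
SBOX = [0xC, 0xA, 0xD, 0x3, 0xE, 0xB, 0xF, 0x7, 0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]  # involution

def mix_columns(s):
    """Midori binary matrix M: each output cell is the XOR of the other three in its column; M = M^-1."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        total = col[0] ^ col[1] ^ col[2] ^ col[3]
        out += [total ^ v for v in col]
    return out

LAYERS = {"S": lambda s: [SBOX[v] for v in s],
          "P": lambda s: [s[PERM[i]] for i in range(16)],
          "Pinv": lambda s: [s[PERM_INV[i]] for i in range(16)],
          "M": mix_columns}

def apply_layers(s, layers, keys):
    """Apply layer names in order; "K" XORs the next key (tweak and round constants folded in)."""
    keys = iter(keys)
    for name in layers:
        s = [a ^ b for a, b in zip(s, next(keys))] if name == "K" else LAYERS[name](s)
    return s

# Cell-index sets of the cell-aligned subspaces for I = {0}; M0 = M(D0) and IM0 = M(ID0) are not cell-aligned.
C0 = frozenset({0, 1, 2, 3})
D0 = frozenset(i for i in range(16) if PERM[i] in C0)   # P(C0)
ID0 = frozenset(PERM[i] for i in C0)                    # P^-1(C0)
CELLS = {"C0": C0, "D0": D0, "ID0": ID0, "M0": D0, "IM0": ID0}

def in_space(diff, space):
    """Membership test; since M is an involution, d lies in M(D0) iff M(d) lies in D0."""
    d = mix_columns(diff) if space in ("M0", "IM0") else diff
    return all(d[i] == 0 for i in range(16) if i not in CELLS[space])

def random_element(space, rng):
    """Uniform non-zero element of the named subspace."""
    while True:
        v = [rng.randrange(16) if i in CELLS[space] else 0 for i in range(16)]
        if any(v):
            return mix_columns(v) if space in ("M0", "IM0") else v

def trail_holds(layers, start, end, trials=64, seed=1):
    """True iff every sampled pair from a coset of `start` ends with its difference in `end`."""
    rng = random.Random(seed)
    for _ in range(trials):
        keys = [[rng.randrange(16) for _ in range(16)] for _ in range(layers.count("K"))]
        base = [rng.randrange(16) for _ in range(16)]
        other = [a ^ b for a, b in zip(base, random_element(start, rng))]
        out_a, out_b = apply_layers(base, layers, keys), apply_layers(other, layers, keys)
        if not in_space([a ^ b for a, b in zip(out_a, out_b)], end):
            return False
    return True

SYMBOL = {0: "0", 1: "x", 2: "y", 4: "z", 8: "w"}
def canon(rows):
    """Rename letters by order of first appearance so that placeholder names do not matter."""
    names = {}
    def rename(sym):
        if sym != "0" and sym not in names:
            names[sym] = "abcd"[len(names)]
        return names.get(sym, "0")
    return [[rename(sym) for sym in row] for row in rows]

def matrix_representations():
    """Push x, y, z, w placed in column 0 through P, P^-1 and M; display as 4x4 rows."""
    col = [1, 2, 4, 8] + [0] * 12
    d0, id0 = LAYERS["P"](col), LAYERS["Pinv"](col)
    show = lambda s: canon([[SYMBOL[s[4 * c + r]] for c in range(4)] for r in range(4)])
    return {"D0": show(d0), "ID0": show(id0), "M0": show(mix_columns(d0)), "IM0": show(mix_columns(id0))}

PAGE = {  # the four matrices as printed in the section
    "D0": [["x", "0", "0", "0"], ["0", "0", "y", "0"], ["0", "0", "0", "z"], ["0", "w", "0", "0"]],
    "ID0": [["x", "0", "0", "0"], ["0", "y", "0", "0"], ["0", "0", "z", "0"], ["0", "0", "0", "w"]],
    "M0": [["0", "w", "y", "z"], ["x", "w", "0", "z"], ["x", "w", "y", "0"], ["x", "0", "y", "z"]],
    "IM0": [["0", "w", "y", "z"], ["x", "0", "y", "z"], ["x", "w", "0", "z"], ["x", "w", "y", "0"]]}

def matches_page():
    reps = matrix_representations()
    return all(reps[k] == canon(PAGE[k]) for k in PAGE)

MANTIS_ROUND = ["S", "K", "P", "M"]          # forward round of MANTIS: P before M
MANTIS_STAR_ROUND = ["S", "K", "M", "P"]     # forward round of MANTIS*: M before P
MIDDLE = ["S", "M", "S"]                     # key-less middle rounds (S is its own inverse)
MIDDLE_PRIME = ["S", "P", "M", "Pinv", "S"]  # middle rounds of MANTIS'

def trail_summary():
    return {
        "MANTIS: ID0 -R-> C0": trail_holds(MANTIS_ROUND, "ID0", "C0"),
        "middle keeps C0": trail_holds(MIDDLE, "C0", "C0"),
        "MANTIS*: C0 -R*-> D0": trail_holds(MANTIS_STAR_ROUND, "C0", "D0"),
        "MANTIS*: D0 -(M.S)-> M0": trail_holds(["S", "M"], "D0", "M0"),
        "an M0 coset survives an S-box layer": trail_holds(["S"], "M0", "M0"),
        "MANTIS*: some aligned start reaches C0": any(
            trail_holds(MANTIS_STAR_ROUND, s, "C0") for s in ("C0", "D0", "ID0")),
        "MANTIS' middle keeps C0": trail_holds(MIDDLE_PRIME, "C0", "C0"),
    }
```

`matches_page()` confirms the four displayed matrices, and `trail_summary()` reports True for the steps the section states (the forward MANTIS round maps a coset of \(\mathcal {ID}_0\) into a coset of \(\mathcal C_0\), the key-less middle keeps \(\mathcal C_0\), the MANTIS\(^\star \) round maps \(\mathcal C_0\) to \(\mathcal D_0\) and \(M \circ \text {S-Box}\) then reaches \(\mathcal M_0\)) and False for the steps that cannot be taken (a coset of \(\mathcal M_0\) does not survive a further S-box layer, no cell-aligned coset reaches \(\mathcal C_0\) through a MANTIS\(^\star \) round, and the MANTIS\(^\prime \) middle does not keep \(\mathcal C_0\)). This is the structural reason the column space, invariant under the middle rounds only when PermuteCells precedes MixColumns, gives the original ordering the longer trail.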

Copyright information

© 2016 Springer International Publishing AG

Cite this paper

Grassi, L., Rechberger, C. (2016). Practical Low Data-Complexity Subspace-Trail Cryptanalysis of Round-Reduced PRINCE. In: Dunkelman, O., Sanadhya, S. (eds) Progress in Cryptology – INDOCRYPT 2016. INDOCRYPT 2016. Lecture Notes in Computer Science, vol 10095. Springer, Cham. https://doi.org/10.1007/978-3-319-49890-4_18

  • DOI: https://doi.org/10.1007/978-3-319-49890-4_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-49889-8

  • Online ISBN: 978-3-319-49890-4
