Security Analysis of PRINCE

Jean, Jérémy; Nikolić, Ivica; Peyrin, Thomas; Wang, Lei; Wu, Shuang

doi:10.1007/978-3-662-43933-3_6

Cited by 46 publications

(55 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We have also shown how to directly tweak the AES-128 block cipher, with the very simple and extremely efficient Kiasu-BC tweakable block cipher. Our three proposals Deoxys-BC, Joltik-BC and Kiasu-BC are the base of the three CAESAR authenticated encryption competition candidates Deoxys [31], Joltik [32] and Kiasu [33], respectively.…”

Section: Resultsmentioning

confidence: 99%

Tweaks and Keys for Block Ciphers: The TWEAKEY Framework

Jean

Nikolić

Peyrin

2014

Lecture Notes in Computer Science

Self Cite

196

153

View full text Add to dashboard Cite

Abstract. We propose the TWEAKEY framework with goal to unify the design of tweakable block ciphers and of block ciphers resistant to related-key attacks. Our framework is simple, extends the key-alternating construction, and allows to build a primitive with arbitrary tweak and key sizes, given the public round permutation (for instance, the AES round). Increasing the sizes renders the security analysis very difficult and thus we identify a subclass of TWEAKEY, that we name STK, which solves the size issue by the use of finite field multiplications on low hamming weight constants. We give very efficient instances of STK, in particular, a 128-bit tweak/key/state block cipher Deoxys-BC that is the first AES-based ad-hoc tweakable block cipher. At the same time, Deoxys-BC could be seen as a secure alternative to AES-256, which is known to be insecure in the related-key model. As another member of the TWEAKEY framework, we describe Kiasu-BC, which is a very simple and even more efficient tweakable variation of AES-128 when the tweak size is limited to 64 bits. In addition to being efficient, our proposals, compared to the previous schemes that use AES as a black box, offer security beyond the birthday bound. Deoxys-BC and Kiasu-BC represent interesting pluggable primitives for authenticated encryption schemes, for instance, ΘCB3 instantiated with Kiasu-BC runs at about 0.75 c/B on Intel Haswell. Our work can also be seen as advances on the topic of secure key schedule design for AES-like ciphers, describing several proposals in this direction.

show abstract

Section: Resultsmentioning

confidence: 99%

Tweaks and Keys for Block Ciphers: The TWEAKEY Framework

Jean

Nikolić

Peyrin

2014

Lecture Notes in Computer Science

Self Cite

196

153

View full text Add to dashboard Cite

show abstract

“…Though being very recent, it has already waked the interest of many cryptanalysts [37,26,1]. The best known attacks so far on the proposed cipher, including the security analysis performed by the authors, reach 6 rounds.…”

Section: Application To Princementioning

confidence: 99%

“…In particular, MITM with bicliques (without guessing the whole key) is said to reach at most 6 rounds (out of 12). In [26], a reduction of the security by one bit is presented, and in [1] an accelerated exhaustive search using bicliques is presented. Here, we describe how to build sieve-in-the-middle attacks on 8 rounds with data complexity 1 (or 2 if we want to the whole key instead of a set of candidates).…”

Section: Application To Princementioning

confidence: 99%

Sieve-in-the-Middle: Improved MITM Attacks

Canteaut

Naya-Plasencia

Vayssière

2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. This paper presents a new generic technique, named sieve-in-the-middle, which improves meet-in-the-middle attacks in the sense that it provides an attack on a higher number of rounds. Instead of selecting the key candidates by searching for a collision in an intermediate state which can be computed forwards and backwards, we here look for the existence of valid transitions through some middle sbox. Combining this technique with short bicliques allows to freely add one or two more rounds with the same time complexity. Moreover, when the key size of the cipher is larger than its block size, we show how to build the bicliques by an improved technique which does not require any additional data (on the contrary to previous biclique attacks). These techniques apply to PRESENT, DES, PRINCE and AES, improving the previously known results on these four ciphers. In particular, our attack on PRINCE applies to 8 rounds (out of 12), instead of 6 in the previous cryptanalyses. Some results are also given for theoretically estimating the sieving probability provided by some subsets of the input and output bits of a given sbox.

show abstract

“…Some have no key schedule, and just use master keys directly in each round [9,14]. These key schedules are succinct but responsible for many attacks, especially related-key attacks [18,13], MITM attacks and their variants [19,12,5], and special attacks such as the invariant subspace attack on PRINTcipher [15].…”

Section: Introductionmentioning

confidence: 99%

On the Key Schedule of Lightweight Block Ciphers

Huang

Vaudenay

Lai

2014

Progress in Cryptology -- INDOCRYPT 2014

View full text Add to dashboard Cite

Abstract. Key schedules in lightweight block ciphers are often highly simplified, which causes weakness that can be exploited in many attacks. Today it remains an open problem on how to use limited operations to guarantee enough diffusion of key bits in lightweight key schedules. Also, there are few tools special for detecting weakness in the key schedule. In 2013 Huang et al. pointed out that insufficient actual key information (AKI) in computation chains is responsible for many attacks especially the meet-in-the-middle (MITM) attacks. Motivated by this fact, in this paper we develop an efficient (with polynomial time complexity) and effective tool to search the computation chains which involve insufficient AKI for iterated key schedules of lightweight ciphers. The effectiveness of this tool is shown by an application on TWINE-80. Then, we formulate the cause of key bits leakage phenomenon, where the knowledge of subkey bits is leaked or overlapped by other subkey bits in the same computation chain. Based on the interaction of diffusion performed by the key schedule and by the round function, a necessary condition is thus given on how to avoid key bits leakage. Therefore, our work sheds light on the design of lightweight key schedules by guiding how to quickly rule out unreasonable key schedules and maximize the security under limited diffusion.

show abstract

Security Analysis of PRINCE

Cited by 46 publications

References 11 publications

Tweaks and Keys for Block Ciphers: The TWEAKEY Framework

Tweaks and Keys for Block Ciphers: The TWEAKEY Framework

Sieve-in-the-Middle: Improved MITM Attacks

On the Key Schedule of Lightweight Block Ciphers

Contact Info

Product

Resources

About