Meet-in-the-middle Attack on the 6-round Variant of the Block Cipher PRINCE

Transcription

1 Vol.5 (ITCS 204), pp Meet-in-the-middle Attack on the 6-round Variant of the Block Cipher PRINCE Yasutaka Igarashi, Toshinobu Kaneko 2, Satoshi Setoguchi, Seiji Fukushima, and Tomohiro Hachino Kagoshima University, Korimoto, Kagoshima, Japan 2 Tokyo University of Science, 264 Yamazaki, Noda, Chiba, Japan Abstract. We show a meet-in-the-middle (MITM) attack on the 6-round variant of the block cipher PRINCE. PRINCE is proposed by Borghoff et al. in 202, which applies substitution-permutation network (SPN) with 64-bit data block and 28-bit secret key. MITM attack was proposed by Diffie and Hellman in 977 as a generic method to analyze symmetric-key cryptographic algorithms. In this paper we show that PRINCE can be attacked with 2 32 words of memory, 9 pairs of known plain and cipher tets, and times of an encryption operation. Keywords: meet-in-the-middle attack, block cipher PRINCE Introduction We show a meet-in-the-middle (MITM) attack on the 6-round variant of the block cipher PRINCE. PRINCE is proposed by Borghoff et al. in 202, which applies substitutionpermutation network (SPN) with 64-bit data block and 28-bit secret key []. PRINCE is optimized with respect to latency when implemented in hardware for many future pervasive applications with real-time security needs. The designers assessed the resistance of PRINCE core function against MITM attack at up to 4 rounds. MITM attack was proposed by Diffie and Hellman in 977 as a generic method to analyze symmetric-key cryptographic algorithms [2], [3], [4]. Its basic idea is that if a target algorithm can be decomposed into two small consecutive segments and the computation of each segment only involves portions of a master key, then we can check the consistence of the intermediate data of each segment. Because separately analyzing two small segments does not require much effort, the overall time compleity to analyze the whole algorithm could decrease significantly compared to a brute force attack. In this article we decompose 6-round PRINCE into a 3-round forward segment and a 3-round backward segment, and show that PRINCE can be attacked with 2 32 words of memory, 9 pairs of known plain and cipher tets, and times of an encryption operation. 2 Overview of PRINCE Figure shows the encryption process of PRINCE, which consists of XOR ( ), R and R functions, S and S layers, and M layer. RC i (i = 0,,, ) denotes a 64-bit ISSN: ASTL Copyright 204 SERSC

2 Vol.5 (ITCS 204) Fig.. Encryption process of PRINCE []. round constant given by []. k 0 and k denote 64-bit secret keys being independent from each other. k 0 is also a 64-bit key given by k 0 = (k 0 >>> ) (k 0 >> 63) () where ( >>> i) and ( >> i) represent i-bit cyclic and non-cyclic right shifts of a bit string, respectively. Because () is a bijective linear transformation, we can inversely derive k 0 from k 0. S layer consists of 6 pieces of parallel 4-bit S-bo that is a bijective nonlinear function, and S layer is the inverse function of S layer. M layer is a involutional matri given by ˆM (0) M = M 0 ˆM = () ˆM (), (2) ˆM (0) M 0 M M 2 M 3 ˆM (0) = ˆM (0) M = M 2 M 3 M 0 M 2 M 3 M 0 M M 3 M 0 M M M 0 = , M = , ˆM () = ˆM () =, M 2 = M M 2 M 3 M 0 M 2 M 3 M 0 M M 3 M 0 M M 2 M 0 M M 2 M , M 3 = 0 0 0, (3). (4) 0 in (2) is a 6 6 zero matri. Figure 2 shows R function that consists of S layer, M layer, and S R layer. In the case of R the input (output) becomes the output (input). 3 Outline of Meet-in-the-middle Attack and its application to the 6-round variant of PRINCE MITM attack is based on the primary idea that we decompose a cipher algorithm into two consecutive parts. Each part of them only involves partial information of a secret key. We encrypt/decrypt each part separately and check whether the intermediate data from each part correspond to each other. Because separately cryptanalyzing each part requires low computational compleity, the overall compleity to cryptanalyze the whole algorithm could decrease significantly. Figure 3 shows the general model of MITM attack. We suppose an encryption algorithm E(k, P) = C can be decomposed into two consecutive parts E f (k f, P) and E b (k b, C) Copyright 204 SERSC 25

3 Vol.5 (ITCS 204) Fig. 2. R function. where P and C are plain/cipher tets, and k f and k b are subkeys used in E f and E b. f and b denote forward and backward processes. k f and k b are given by k f = (k f, k c) and k b = (k b, k c), respectively where k c is the dependent (common) key on both k f and k b. k f (k b ) is the independent key from k b (k f ). The number of bits of k f and k b are given by k f = k f + k c and k b = k b + k c, respectively where denotes the number of bits of data. v and v are intermediate data of an encryption process. r is the total number of S-boes in the whole algorithm. r f and r b represent the total numbers of S-boes that must be calculated to derive v and v through E f (k f, P) and E b (k b, C), respectively. The detailed steps of MITM attack are as follows [3], [4]:. Prepare one known pair of P and C. 2. For each guess of the common key k c (a) Compute all possible values of v through E f (k f, P) for all possible key k f. And then collect all k f in a set T indeed by v. (b) Compute v through E b (k b, C) for all values of k b and check whether v T. If so output the corresponding key pair (k f, k b ) as a possible key. The time compleity for the step 2(a) in terms of complete encryption/decryption is given by 2 k f r f /r. Similarly the time compleity of the step 2(b) is given by 2 k b r b /r. The memory compleity of T is given by 2 k f. The memory compleity to store possible keys is given by 2 k c + k f + k b v because the total number of possible keys 2 k c + k f + k b is reduced to /2 v through the steps and 2. When we perform these steps n times with different n pairs of P and C, the total number of possible keys is reduced to 2 k c + k f + k b n v. If the following equation (5) is satisfied, we check the remaining possible keys by ehaustive search with a few different m (described later) pairs of P and C. 2 k c + k f + k b n v (2 k f r f /r + 2 k b r b /r). (5) Figure 4 shows the 6-round variant of PRINCE, to which we apply MITM attack. Bold data lines are necessary for the attack. According to the designers recommendation we omit 3 pieces of R with RC i (i = 3, 4, 5) and 3 pieces of R with RC i (i = 6, 7, 8) from the original in order to keep the symmetry around the middle. E f (k f, P) 252 Copyright 204 SERSC

4 Vol.5 (ITCS 204) Fig. 3. General model of MITM attack [3], [4]. consists of the rounds, 2, and 3. E b (k b, C) consists of the rounds 4, 5, and 6. X and Y represent the 64-bit intermediate data at the output of the round 3 and at the input of the round 4, respectively. We set variables k and k y as k = k 0 k at the input part and k y = k 0 k at the output part of Fig. 4. And we decompose k as k = k (5) k (4) k (3) k () k (0) (6) where y represents concatenation of two data and y. k (i) data that is further decomposed as k (i) = k (i,3) k (i,2) k (i,) (i = 0,,, 5) is 4-bit k (i,0) (7) (i, j) where k ( j = 0,, 2, 3) represents -bit data. We also apply these decompositions and notations to k y, k, X, and Y. From Fig. 4 we can derive that k f = k b = 96, k f = k b = 32, k c = 64, and v = v = 2. These reasons are as follows. k f has 96 bits on the bold line in E f (k f, P) given by k f = (k, k (5), k (4), k (3), k (2), k (3), k(2), k() k b also has 96 bits on the bold line in E b (k b, C) given by k b = (k y, k (5), k (4), k (3), k (2), k (3), k(2), k(), k(0), k(0) ). (8) ). (9) k (i) (i = 5, 4, 3, 2, 3, 2,, 0) is common to both k f and k b. Furthermore there are 32-bit common keys, which are and (k c of k f ) (k (5), k (4), k (3), k (2), k (3), k (2), k (), k (0) ) (0) (k c of k b ) (k (5) y, k (4) y, k (3) y, k (2) y, k (2) y, k () y, k (0) y, k (,3) y, k (3,2) y, k (3,) y, k (3,0) y ). () The reason why (0) and () hold is that k c of k y (k c of k ) is uniquely determined by () with k c of k (k c of k y ) and the common key k (i) (i = 5, 4, 3, 2, 3, 2,, 0). Therefore the independent keys k f and k b have the 32 bits given by and k f = (k (), k (0), k (9), k (8), k (7), k (6), k (5), k (4) ) (2) k b = (k(0), k (9), k (8), k (7), k (6), k (5), k (4), k (,2), k (,), k (,0), k (3,3) ). (3) Copyright 204 SERSC 253

5 Vol.5 (ITCS 204) v and v have the 2 bits given by v = (X (5,0) X (2,0), X (3,2) X (2,2) ) and v = (Y (5,0) Y (2,0), Y (3,2) Y (2,2) ). (4) We can derive v = v by (2). Because there are 96 pieces of S-bo in the whole algorithm in Figure 4, we can derive that r = 96. Similarly we can derive that r f = r b = 28 because there are respectively 28 pieces of S-bo on the bold lines in E f (k f, P) and in E b (k b, C). To satisfy (5), we set n as n = 7. In this case the total number of possible keys is reduced to = 2 94 < / These 2 94 pieces of possible key are furthermore reduced to = 2 34 when we check these keys by ehaustive search with different 2 (= m) pairs of P and C because the block size of PRINCE is 64 bits. However the true key definitely survives. Therefore the number of known plain/cipher tets pair required for this MITM attack is derived as 7+2=9. And the time compleity for the attack in terms of complete encryption/decryption is derived as 7 ( / /96) The memory compleity of a set T is derived as Conclusions We have shown MITM attack on the 6-round variant of the block cipher PRINCE. We reviewed the general model of MITM attack and applied it to PRINCE. We decomposed the 6-round PRINCE into a 3-round forward segment and a 3-round backward segment. As a result, we showed that PRINCE can be attacked with 2 32 words of memory, 9 pairs of known plain and cipher tets, and times of an encryption operation, which is more efficient than 2 28 times of simple ehaustive key search. References. Borghoff, J., Canteaut, A., Gneysu, T., et al.: PRINCE A Low-Latency Block Cipher for Pervasive Computing Applications. LNCS, vol. 7658, pp Springer, Heidelberg (202) 2. Diffie, M.E., Hellman, W.: Special Feature Ehaustive Cryptanalysis of the NBS Data Encryption Standard. Computer 0(6), (977) 3. Zhu, B., Gong, G.: Multidimensional Meet-in-the-Middle Attack and Its Applications to KATAN32/48/64. Cryptology eprint Archive: Report 20/69, org/20/69 4. Boztaş, Ö., Karakoç, F., Çoban, M.: Multidimensional Meet-in-the-Middle Attacks on Reduced-Round TWINE-28. LNCS, vol. 862, pp Springer, Heidelberg (203) 254 Copyright 204 SERSC

6 Vol.5 (ITCS 204) Fig round variant of PRINCE. Copyright 204 SERSC 255