Differential Attacks on Lightweight Block Ciphers PRESENT, PRIDE, and RECTANGLE Revisited

Abstract

Differential distribution and linear approximation tables are the main security criteria for S-box designers. However, there are other S-box properties that, if overlooked by cryptanalysts, can result in erroneous results in theoretical attacks. In this paper we focus on two such properties, namely undisturbed bits and differential factors. We go on to identify several inconsistencies in published attacks against the lightweight block ciphers PRESENT, PRIDE, and RECTANGLE and present our corrections.

A Modified 19-Round Related-Key Attack on REC-0

Step 1: Guess the value of a part of subkey bits of \(K_0\).

1. 1.

   Guess \(K_0^{(14)}\) and compute the output difference of the 14rd S-box for each remaining plaintext pair; i.e. \(S(P^{(14)} \oplus K_0^{(14)}) \oplus S(P'^{(14)} \oplus K_0^{(14)} \oplus \varDelta K_0^{(14)})\). This step has time complexity \(2\cdot 2^{x+34.54}\cdot 2^3\cdot \frac{1}{16}\cdot \frac{1}{19} =2^{x+30.29}\) If the difference does not have the form ?000, discard the pair. Then the number of expected remaining pairs is \(2^{x+28.54}\).

2. 2.

   Guess \(K_0^{(7)}\) and compute the output difference of the 7th S-box for each remaining plaintext pair; i.e. \(S(P^{(7)} \oplus K_0^{(7)})+S(P'^{(7)} \oplus K_0^{(7)} \oplus \varDelta K_0^{(7)})\). This step has time complexity \(2\cdot 2^{x+31.54}\cdot 2^6\cdot \frac{1}{16}\cdot \frac{1}{19} =2^{x+30.29}\). If the difference does not have the form ?000, discard the pair. Then the number of expected remaining pairs is \(2^{x+28.54}\).

3. 3.

   Repeatedly guess \(K_0^{(3)}\), \(K_0^{(6)}\), \(K_0^{(8)}\), \(K_0^{(9)}\), \(K_0^{(10)}\), \(K_0^{(12)}\), \(K_0^{(13)}\). There are \(2^{x+8.54}\) right pairs left. This step has time complexity \(2\cdot (2^{x+38.54}\cdot 2^{x+39.54}\cdot 2^{x+40.54}\cdot 2^{x+41.54}\cdot 2^{x+42.54}\cdot 2^{x+43.54}\cdot 2^{x+44.54})\cdot \frac{1}{16}\cdot \frac{1}{19} = 2^{x+38.29}\).

Step 2: Guess the value of a part of subkey bits of \(K_0\) by guessing some bits of \(K_0\) and \(K_1\).

1. 1.

   Since many bits of \(K_1\) are obtained from \(K_0\) directly by shifting and adding constant, we only need to guess some bits for a column in \(K_1\). For the 3rd column of \(K_1\), by the key schedule we have (\(K_1^{(0,3)}\), \(K_1^{(1,3)}\), \(K_1^{(2,3)}\), \(K_1^{(3,3)}\)) = (\(K_0^{(0,16)}\), \(K_0^{(1,14)}\), \(K_0^{(2,12)}\), \(K_0^{(3,10)}\)) Therefore, we need to guess \(K_0^{(0,16)}\) = \(K_1^{(0,3)}\) and we also need \(K_0^{(3,10)}\) = \(K_1^{(3,3)}\) because \(K_1^{(3,3)}\) was flipped when we apply Substitution operation to \(K_1^{(2,7)}\), \(K_1^{(3,10)}\) are flipped when we apply Substitution operation to \(K_1^{(2,15)}\) because of Property 2. Then the number of expected remaining pairs is \(2^{x+4.54}\).

2. 2.

   Guess the bits \(K_0^{(1,1)}\), \(K_0^{(2,19)}\), \(K_0^{(3,17)}\), and then check up whether \(S(I_1^{(10)} \oplus K_1^{(10)}) \oplus S(I'^{(10)} \oplus K_1^{(10)} \oplus \varDelta K_1^{(10)}) = 1000\). On average, there are \(2^{x+0.54}\) right pairs left.

3. 3.

   Similarly, as the previous step, guess the bits \(K_0^{(0,2)}\), \(K_1^{(1,9)}\), \(K_0^{(2,18)}\), \(K_0^{(3,16)}\), then there are \(2^{x-3.46}\) right pairs left on average.

In step 2, time complexity is \(2\cdot (2^{x+45.54}\cdot 2^{x+44.54}\cdot 2^{x+44.54})\cdot \frac{1}{16}\cdot \frac{1}{19} = 2^{x+39.29}\).

Step 3: Guess the value of a part of subkey bits of \(K_{19}\). This step is identical to the Step 3 of [19] and has a time complexity of \(2^{38.55}\).

Step 4: The involved secret bits of \(K_{18}\) have guessed in Step 1–3, and we do not need to guess any other secret bits. Add one to the corresponding counter, if there is a right pair left. This step is identical to the Step 3 of [19] and has a time complexity of \(2^{28.54}\).

Step 5: If the counter is larger than 1, keep the guess of the subkey bits as the candidates of the right subkeys. For each survived candidate, compute the seed key by doing an exhaustive search for other secret bits.

Therefore, the total time complexity is \(2^{66.35}\) 19-round Rec-0 encryptions, data complexity is \(2^{62}\) chosen plaintexts since \(x=26\), and the memory complexity is \(2^{72}\) key counters.