
Full analysis of PRINTcipher with respect to invariant subspace attack: efficient key recovery and countermeasures

Designs, Codes and Cryptography

Abstract

In this paper we investigate the invariant property of PRINTcipher initially discovered by Leander et al. in their CRYPTO 2011 paper. We provide a complete study of the attack and show that there exist 64 families of weak keys for PRINTcipher–48 and as many as 115,669 for PRINTcipher–96. Moreover, we show that searching the weak key space may be substantially sped up by splitting the search process into two consecutive steps. We show that for many classes of weak keys, key recovery can be done with very small time complexity in the chosen/known plaintext scenario. In fact, at least \(2^{45}\) weak keys can be recovered in less than 10 s per key on a single PC. Still, effective countermeasures exist against the attack. On the methodological level, the method of finding all weak key families has value on its own. It is based on Mixed Integer Linear Programming and can be adapted to solving other interesting problems on similar ciphers.

Notes

  1. The best attack of [15] can break 31 out of 48 rounds of PRINTcipher–48 for the fraction of 0.036 % of keys using almost the entire code book.

  2. Note that the arithmetic is integer.

  3. IBM ILOG CPLEX 12.1 under the academic license.

  4. See http://sagemath.org/doc/reference/sage/numerical/mip.html?highlight=linear%20programming

  5. We need to make sure that this plaintext is not in \(U\), which is true with overwhelming probability.

References

  1. Abdelraheem M.A., Leander G., Zenner E.: Differential cryptanalysis of round-reduced PRINTcipher: Computing roots of permutations. In: Joux A. (ed.) FSE 2011. Lecture Notes in Computer Science, vol. 6733, pp. 1–17. Springer, Berlin (2011).

  2. Agren M., Johansson T.: Linear cryptanalysis of PRINTcipher—trails and samples everywhere. In: Bernstein D.J., Chatterjee S. (eds.) INDOCRYPT 2011. Lecture Notes in Computer Science, vol. 7107, pp. 114–133. Springer, Berlin (2011).

  3. Bard G.V.: Algebraic Cryptanalysis. Springer, Dordrecht (2009).

  4. Bogdanov A.: On unbalanced Feistel networks with contracting MDS diffusion. Des. Codes Cryptogr. 59(1–3), 35–58 (2011).

  5. Bogdanov A., Knudsen L.R., Leander G., Paar C., Poschmann A., Robshaw M.J.B., Seurin Y., Vikkelsoe C.: PRESENT—An ultra-lightweight block cipher. In: Paillier P., Verbauwhede I. (eds.) CHES 2007. Lecture Notes in Computer Science, vol. 4727, pp. 450–466. Springer, Berlin (2007).

  6. Borghoff J., Knudsen L.R., Stolpe M.: Bivium as a mixed-integer linear programming problem. In: IMA International Conference on Cryptography and Coding. Lecture Notes in Computer Science, vol. 5921, pp. 133–152. Springer, Berlin (2009).

  7. Bogdanov A., Knezević M., Leander G., Toz D., Varici K., Verbauwhede I.: SPONGENT: A lightweight hash function. In: Preneel B., Takagi T. (eds.) CHES 2011. Lecture Notes in Computer Science, vol. 6917, pp. 312–325. Springer, Berlin (2011).

  8. Borghoff J., Canteaut A., Güneysu T., Kavun E.B., Knezevic M., Knudsen L.R., Leander G., Nikov V., Paar C., Rechberger C., Rombouts P., Thomsen S.S., Yalcin T.: PRINCE—A low-latency block cipher for pervasive computing applications: Extended Abstract. In: Wang X., Sako K. (eds.) ASIACRYPT 2012. Lecture Notes in Computer Science, vol. 7658, pp. 208–225. Springer, Berlin (2012).

  9. Bulygin S., Buchmann J.: Algebraic cryptanalysis of the round-reduced and side channel analysis of the full PRINTcipher-48. In: Lin D., Tsudik G., Wang X. (eds.) CANS 2011. Lecture Notes in Computer Science, vol. 7092, pp. 54–75. Springer, Berlin (2011).

  10. Bulygin S., Walter M.: Study of the invariant coset attack on PRINTcipher: More weak keys with practical key recovery. http://eprint.iacr.org/2012/085 (2012). Accessed 15 June 2013.

  11. Bulygin S., Walter M., Buchmann J.: Many weak keys for PRINTcipher: Fast key recovery and countermeasures. In: Dawson E. (ed.) CT-RSA 2013. Lecture Notes in Computer Science, vol. 7779, pp. 189–206. Springer, Berlin (2013).

  12. Cid C., Murphy S., Robshaw M.: Algebraic Aspects of the Advanced Encryption Standard. Springer, New York (2006).

  13. De Cannière C., Dunkelman O., Knezević M.: KATAN and KTANTAN: A family of small and efficient hardware-oriented block ciphers. In: Clavier C., Gaj K. (eds.) CHES 2009. Lecture Notes in Computer Science, vol. 5747, pp. 272–288. Springer, Berlin (2009).

  14. Guo J., Peyrin T., Poschmann A., Robshaw M.: The LED block cipher. In: Preneel B., Takagi T. (eds.) CHES 2011. Lecture Notes in Computer Science, vol. 6917, pp. 326–341. Springer, Berlin (2011).

  15. Karakoc F., Demirci H., Harmanci A.E.: Combined differential and linear cryptanalysis of reduced-round PRINTcipher. In: Miri A., Vaudenay S. (eds.) SAC 2011. Lecture Notes in Computer Science, vol. 7118, pp. 169–184. Springer, Berlin (2012).

  16. Knudsen L., Leander G., Poschmann A., Robshaw M.J.B.: PRINTcipher: A block cipher for IC-printing. In: Mangard S., Standaert F.-X. (eds.) CHES 2010. Lecture Notes in Computer Science, vol. 6225, pp. 16–32. Springer, Berlin (2010).

  17. Leander G., Abdelraheem M.A., AlKhzaimi H., Zenner E.: A cryptanalysis of PRINTcipher: The invariant subspace attack. In: Rogaway P. (ed.) CRYPTO 2011. Lecture Notes in Computer Science, vol. 6841, pp. 206–221. Springer, Berlin (2011).

  18. Mouha N., Wang Q., Gu D., Preneel B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu C.-K., Yung M., Lin D. (eds.) Inscrypt 2011. Lecture Notes in Computer Science, vol. 7537, pp. 57–76. Springer, Berlin (2011).

  19. Stein S.W., et al.: SAGE mathematics software. The Sage Development Team. http://www.sagemath.org (2008). Accessed 15 June 2013.

  20. Walter M., Bulygin S., Buchmann J.: Optimizing guessing strategies for algebraic cryptanalysis with applications to EPCBC. In: Kutylowski M., Yung M. (eds.) Lecture Notes in Computer Science. Springer, Berlin (2012).

  21. Wu W., Zhang L.: LBlock: A lightweight block cipher. In: Lopez J., Tsudik G. (eds.) ACNS 2011. Lecture Notes in Computer Science, vol. 6715, pp. 327–344. Springer, Berlin (2011).

  22. Yap H., Khoo K., Poschmann A., Henricksen M.: EPCBC—A block cipher suitable for electronic product code encryption. In: Lin D., Tsudik G., Wang X. (eds.) Lecture Notes in Computer Science, vol. 7092, pp. 76–97. Springer, Berlin (2011).

  23. Zhao X., Wang T., Guo S.: Fault propagate pattern based DFA on SPN structure block ciphers using bitwise permutation, with application to PRESENT and PRINTcipher. http://eprint.iacr.org/2011/086.pdf (2011). Accessed 15 June 2013.

Acknowledgments

The first author is supported by the German Science Foundation (DFG) Grant BU 630/22-1. The second author is supported in part by the NSF Grant CNS-1117936. We thank anonymous referees for their numerous valuable comments. The authors are also thankful to Yue Sun and especially to Gregor Leander for useful discussions and to Mohamed Ahmed Abdelraheem for providing a C implementation of PRINTcipher that was used in the implementation of the attacks.

Author information

Corresponding author

Correspondence to Stanislav Bulygin.

Additional information

Communicated by L. R. Knudsen.

Appendix: The list of defining sets of all possible invariant projected subsets of PRINTcipher–48

Table 7 presents defining sets of all possible invariant projected sets for PRINTcipher–48.

Table 7 Defining sets of invariant projected subsets of PRINTcipher–48

Cite this article

Bulygin, S., Walter, M. & Buchmann, J. Full analysis of PRINTcipher with respect to invariant subspace attack: efficient key recovery and countermeasures. Des. Codes Cryptogr. 73, 997–1022 (2014). https://doi.org/10.1007/s10623-013-9840-5