- Overview
- Cryptoanalysis Most practical attacks on reduce round versions
- References
- External links
| name = Prince
| image =
| caption =
| designers = Technical University of Denmark, INRIA, Ruhr University Bochum and NXP Semiconductors
| publish date = 2012
| derived from = AES, PRESENT
| derived to =
| key size = 128 bits
| block size = 64 bits
| structure = SPN
| rounds = 11 (but 12 non linear layers)
| cryptanalysis = a single key can be recovered with a computational complexity of 2125.47 using the structural linear relations.[1]
In the related key setting, the data complexity is 233 and the time complexity 264.[1]
Using related key boomerang attack the complexity is 239 for both data and time.[1]
}}Prince is a block cipher targeting low latency, unrolled hardware implementations. It is based on the so-called FX construction.[1] Its most notable feature is the "alpha reflection": the decryption is the encryption with a related key which is very cheap to compute. Unlike most other "lightweight" ciphers, it has a small number of rounds and the layers constituting a round have low logic depth. As a result, fully unrolled implementation are able to reach much higher frequencies than AES or PRESENT. According to the authors, for the same time constraints and technologies, PRINCE uses 6-7 times less area than PRESENT-80 and 14-15 times less area than AES-128.[2]
Overview
{{Unreferenced section|date=November 2016}}The block size is 64 bits and the key size is 128 bits. The key is split into two 64 bit keys 
and 
. The input is XORed with , then is processed by a core function using . The output of the core function is xored by 
to produce the final output (
is a value derived from ). The decryption is done by exchanging and and by feeding the core function with xored with a constant denoted alpha.
The core function contain 5 "forward" rounds, a middle round, and 5 "backward" rounds, for 11 rounds in total. The original paper mentions 12 rounds without explicitly depicting them; if the middle round is counted as two rounds (as it contains two nonlinear layers), then the total number of rounds is 12.
A forward round starts with a round constant XORed with , then a nonlinear layer 
, and finally a linear layer 
. The "backward" rounds are exactly the inverse of the "forward" rounds except for the round constants.
The nonlinear layer is based on a single 4-bit -box which can be chosen among the affine-equivalent of 8 specified 
-boxes.
The linear layer consists of multiplication by a 64x64 matrix 
and a shift row similar to the one in AES but operating on 4-bit nibbles rather than bytes.
is constructed from 16x16 matrices 
and 
in such a way that the multiplication by can be computed by four smaller multiplications, two using and two using .
The middle round consists of the layer followed by followed by the 
layer.
Cryptoanalysis
To encourage cryptoanalysis of the Prince cipher, the organizations behind it created the {{cite web|url=https://www.emsec.rub.de/research/research_startseite/prince-challenge/|title=Prince challenge}}
The paper "Security analysis of PRINCE"[3] presents several attacks on full and round reduced variants, in particular, an attack of complexity 2125.1 and a related key attack requiring 233 data.
A generic time-memory-data tradeoff for FX constructions has been published, with an application to Prince.[4] The paper argues that the FX construction is a fine solution to improve the security of a widely deployed cipher (like DES-X did for DES) but that it is a questionable choice for new designs. It presents a tweak to the Prince cipher to strengthen it against this particular kind of attack.
A biclique cryptanalysis attack has been published on the full cipher. It is somewhat inline with the estimation of the designers since it reduces the key search space by 21.28 (the original paper mentions a factor 2).
[5]The paper "Reflection Cryptanalysis of PRINCE-Like Ciphers" focuses on the alpha reflection and establishes choice criteria for the alpha constant. It shows that a poorly chosen alpha would lead to efficient attacks on the full cipher; but the value randomly chosen by the designers is not among the weak ones.[6]
Several meet-in-the-middle attacks have been published on round reduced versions.[7][8][9]
An attack in the multi-user setting can find the keys of 2 users among a set of 232 users in time 265.[10]
An attack on 10 rounds with overall complexity of 118.56 bits has been published.[11]
An attack on 7 rounds with time complexity of 257 operations has been published.[12]
A differential fault attack has been published using 7 faulty cipher texts under random 4 bit nibble fault model.[13]
The paper "New approaches for round-reduced PRINCE cipher cryptanalysis"[14] presents boomerang attack and known plaintext attack on reduced round versions up to 6 rounds.
In 2015 few additional attacks have been published but are not freely available.[15][16]
Most practical attacks on reduce round versions
| Number of rounds | Time | Data | Method |
|---|---|---|---|
| 4 | 243.4 | 33 | Meet-in-the-Middle[7] |
| 4 | 5*28 | 80 | Integral[12] |
| 5 | 229 | 96 | Integral[12] |
| 6 | 225.1 | 30574 | Differential cryptanalysis[7] |
| 6 | 241 | 393216 | Integral[12] |
| 6 | 234 | 232 | Boomerang[14] |
| 8 | 250.7 | 216 | Meet-in-the-Middle[7] |
References
2. ^{{cite journal|first1=Julia|last1=Borghoff|first2=Anne|last2=Canteaut|first3=Tim|last3=Guneysu|first4=Elif|last4=Bilge Kavun|first5=Miroslav|last5=Knezevic|first6=Lars R.|last6=Knudsen|first7=Gregor|last7=Leander|first8=Ventzislav|last8=Nikov|first9=Christof|last9=Paar|first10=Christian|last10=Rechberger|first11=Peter|last11=Rombouts|first12=Søren S.|last12=Thomsen|first13=Tolga|last13=Yalcın|title=PRINCE – A Low-latency Block Cipher for Pervasive Computing Applications|url=http://eprint.iacr.org/2012/529.pdf}}
3. ^1 2 3 {{cite journal|first1=Jérémy|last1=Jean|first2=Ivica|last2=Nikolic|first3=Thomas|last3=Peyrin|first4=Lei|last4=Wang|first5=Shuang|last5=Wu|title=Security analysis of PRINCE|url=https://www.di.ens.fr/~jean/pub/fse2013.pdf}}
4. ^{{cite journal|first1=Itai|last1=Dinur|title=Cryptanalytic Time-Memory-Data Tradeoffs for FX-Constructions with Applications to PRINCE and PRIDE|url=https://eprint.iacr.org/2014/656.pdf}}
5. ^{{cite journal|first1=Farzaneh|last1=Abed|first2=Eik|last2=List|first3=Stefan|last3=Lucks|title=On the Security of the Core of PRINCE Against Biclique and Differential Cryptanalysis|url=https://eprint.iacr.org/2012/712.pdf}}
6. ^{{cite journal|first1=Hadi|last1=Soleimany|first2=Céline|last2=Blondeau|first3=Xiaoli|last3=Yu|first4=Wenling|last4=Wu|first5=Kaisa|last5=Nyberg|first6=Huiling|last6=Zhang|first7=Lei|last7=Zhang|first8=Yanfeng|last8=Wang|title=Reflection Cryptanalysis of PRINCE-Like Ciphers|url=http://research.ics.aalto.fi/publications/bibdb2012/public_pdfs/FSE2013.pdf}}
7. ^1 2 3 {{cite journal|first1=Leo|last1=Perrin|first2=P.|last2=Derbez|title=Meet-in-the-Middle Attacks and Structural Analysis of Round-Reduced PRINCE|url=https://eprint.iacr.org/2015/239.pdf}}
8. ^{{cite journal|first1=Leibo|last1=Li|first2=Keting|last2=Jia|first3=Xiaoyun|last3=Wang|title=Improved Meet-in-the-Middle Attacks on AES-192 and PRINCE|url=https://eprint.iacr.org/2013/573.pdf}}
9. ^{{cite journal|first1=A.|last1=Canteaut|first2=M.|last2=Naya-Plasencia|first3=B.|last3=Vayssière|title=Sieve-in-the-Middle: Improved MITM Attacks|journal=Advances in Cryptology–CRYPTO 2013, 222-240}}
10. ^{{cite journal|first1=Pierre-Alain|last1=Fouque|first2=Antoine|last2=Joux|first3=Chrysanthi|last3=Mavromati|title=Multi-user collisions: Applications to Discrete Logs, Even-Mansour and Prince|url=https://eprint.iacr.org/2013/761.pdf}}
11. ^{{cite journal|first1=Anne|last1=Canteaut|first2=Thomas|last2=Fuhr|first3=Henri|last3=Gilbert|first4=Maria|last4=Naya-Plasencia|first5=Jean-René|last5=Reinhard|title=Multiple Differential Cryptanalysis of Round-Reduced PRINCE|url=https://eprint.iacr.org/2014/089.pdf}}
12. ^1 2 3 {{cite journal|first1=P.|last1=Morawiecki|title=Practical Attacks on the Round-reduced PRINCE|url=https://eprint.iacr.org/2015/245.pdf}}
13. ^{{cite journal|first1=Ling|last1=Song|first2=Lei|last2=Hu|title=Differential Fault Attack on the PRINCE Block Cipher|url=https://eprint.iacr.org/2013/043.pdf}}
14. ^1 {{cite journal|first1=R.|last1=Posteuca|first2=C.|last2=Duta|first3=G.|last3=Negara|title=New approaches for round-reduced PRINCE cipher cryptanalysis|url=http://www.acad.ro/sectii2002/proceedings/doc2015-3s/01-Posteuca.pdf}}
15. ^{{cite journal|first1=R.|last1=Posteuca|first2=G.|last2=Negara|title=Integral cryptanalysis of round-reduced PRINCE cipher|journal=Proc. Rom. Acad. Ser. A Math. Phys. Tech. Sci. Inf. Sci. 16 (2015), Special issue, 265–269|url=http://www.ams.org/mathscinet-getitem?mr=3413385}}
16. ^{{cite journal|first1=G.|last1=Zhao|first2=B.|last2=Sun|first3=C.|last3=Li|first4=J.|last4=Su|title=Truncated differential cryptanalysis of PRINCE|journal=Security and Communication Networks |year=2015}}
External links
- http://eprint.iacr.org/2012/529.pdf original paper: "PRINCE – A Low-latency Block Cipher for Pervasive Computing Applications"
- https://www.emsec.rub.de/research/research_startseite/prince-challenge The Prince challenge home page
- https://github.com/sebastien-riou/prince-c-ref Software Implementations in C
- https://github.com/weedegee/prince Software Implementations in Python
- Kokou Tozoun
- Koko wa Greenwood
- Kokoyah District
- Koko Yimidir
- Koko Yimidir language
- Kokořín Castle
- Kokošovce
- Kokoʻolau
- Kokpar
- Kokradi
- Kokrady
- Kokrajhar college
- Kokrajhar District
- Kokrajhar Government College
- Kokrajhar (town)
- Kokrebellur
- Kokri Behniwal
- Kokri Vehniwal
- Kok River
- Kokroach
- Kokrobite
- Kokroch
- Koksan (artillery)
- Kokshaga
- Kokshaisk