Linear cryptanalysis of reduced-round PRESENT
Citations
SPONGENT: a lightweight hash function
KLEIN: a new family of lightweight block ciphers
RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms
Quark: A Lightweight Hash
References
The Design of Rijndael: AES - The Advanced Encryption Standard
Linear cryptanalysis method for DES cipher
PRESENT: An Ultra-Lightweight Block Cipher
Frequently Asked Questions (15)
Q2. What future work have the authors mentioned in the paper "Linear cryptanalysis of reduced-round PRESENT"?
Even though a simple, iterative structure is desirable for hardware-oriented block ciphers, such ciphers may retain a large number of linear approximations, which allows a multidimensional linear attack to be applied efficiently. It would be interesting to see whether the attack applies to other ciphers with simple structures, such as AES.
Q3. What is the main reason why Ohkuma presented a linear attack on PRESENT?
He claimed that, due to the linear hull effect, a linear approximation of PRESENT under weak keys could have a much stronger correlation than the one expected by the designers.
Q4. What is the probability distribution of the linear approximations?
The probability distribution of the linear approximations is obtained by measuring the frequencies of the concatenated input and output values of the linear characteristic over the observed plaintext/ciphertext pairs.
Q5. How can a multidimensional linear attack be performed on PRESENT?
According to their analysis, the 25-round variant of PRESENT with an 80-bit key can be attacked faster than exhaustive key search with a data complexity of about 2^62.4 known plaintexts.
Q6. How many bits of the round key can be recovered?
Without increasing the data complexity, the authors can recover another 32 bits of round key by changing the input S-boxes of U and the output S-boxes of V in the composition U ∘ Ω(n) ∘ V. If the attack uses the linear characteristic starting at S7, S11, S15 and ending at S13, S14, S15, they recover K_1[48..63] in the first round and K_n[12..15], K_n[28..31], K_n[44..47] and K_n[60..63] in the last round.
Q7. How can the authors reduce the time complexity of the attack?
The time complexity of the attack can be reduced by at least a factor of m, where m is the dimension of the linear approximations.
Q8. Why is the attack using the LLR method less complex than the estimate?
Because PRESENT has a large number of linear trails, the data complexity of the attack is reduced significantly compared with the estimate based on the correlation of a single linear approximation.
Q9. How many operations can be performed to recover the l2 distance?
Since computing the l2 distance requires 9·2^8 operations per candidate key, the total time complexity of the attack is 2^64 + 9·2^8·2^32 ≈ 2^64 (the second term is about 2^43.2 and is negligible next to the first).
Q10. How many ciphers are used to prove the resistance of linear cryptanalysis?
Modern block ciphers often argue resistance to linear cryptanalysis by counting the minimum number of active S-boxes involved in the best linear approximation.
Q11. What is the disadvantage of using Fast Fourier Transform?
Even though the bit permutation is desirable for an efficient hardware implementation, it has a potential weakness in that input bits and output bits are in one-to-one correspondence. On the Fast Fourier Transform (footnote 4 of the paper): the computational complexity may be further reduced by applying the Fast Fourier Transform, at the cost of increased memory complexity.
Q12. How can one connect a linear approximation of an S-box to another?
A single-bit linear approximation of an S-box in any round can be connected to a single-bit linear approximation of an S-box in the next round through the permutation layer, since the permutation moves each output bit to exactly one input bit position.
Q13. What is the solution to prevent the attack?
A simple remedy against their attack is to revise the S-box so that its single-bit linear approximations do not have significant correlations.
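The following Python is an added example (not code from the paper or from the PRESENT designers) that makes Q6, Q12 and Q13 concrete: it computes every single-bit linear approximation of the public PRESENT S-box, applies the PRESENT pLayer (bit i moves to 16·i mod 63, bit 63 fixed) to show how such approximations chain from one round to the next, and checks which S-boxes of the adjacent rounds touch the S-boxes named in Q6. Function names are this example's own; the S-box and permutation are the published ones.

```python
"""Single-bit linear approximations of the PRESENT S-box and their chaining through the pLayer.
Added example; the S-box and permutation are PRESENT's, the helper names are ours."""

# PRESENT S-box (Bogdanov et al., CHES 2007), 4-bit input -> 4-bit output.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(v):
    """XOR of all bits of v; the dot product a.x is parity(a & x)."""
    return bin(v).count("1") & 1


def correlation(sbox, a, b):
    """Correlation of the approximation a.x = b.S(x): (#agree - #disagree)/16 (= 2 * bias)."""
    agree = sum(1 for x in range(16) if parity(a & x) == parity(b & sbox[x]))
    return (2 * agree - 16) / 16


def single_bit_approximations(sbox):
    """All single-bit-in / single-bit-out approximations with nonzero correlation.
    This is the check a designer applying the Q13 remedy would run: the list should be empty.
    Returns (input_bit, output_bit, correlation) triples."""
    return [(i, j, correlation(sbox, 1 << i, 1 << j))
            for i in range(4) for j in range(4)
            if correlation(sbox, 1 << i, 1 << j) != 0]


def present_permutation(bit):
    """pLayer: S-box-layer output bit i goes to position 16*i mod 63; bit 63 stays in place."""
    return 63 if bit == 63 else (16 * bit) % 63


def present_permutation_inverse(pos):
    """Inverse pLayer: 16 * 4 = 64 = 1 (mod 63), so the preimage of pos is 4*pos mod 63."""
    return 63 if pos == 63 else (4 * pos) % 63


def next_round_sbox(sbox_index, output_bit):
    """(S-box, input bit) of the next round that receives output bit `output_bit` of S-box `sbox_index`."""
    pos = present_permutation(4 * sbox_index + output_bit)
    return pos // 4, pos % 4


def single_bit_trail_successors(sbox_index, input_bit):
    """Q12: starting from one input bit of one S-box, list the (next S-box, input bit, correlation)
    reachable through a nonzero single-bit approximation followed by the pLayer."""
    return [(*next_round_sbox(sbox_index, j), c)
            for i, j, c in single_bit_approximations(SBOX) if i == input_bit]


def sboxes_fed_by(sbox_indices):
    """S-boxes of the next round that receive at least one output bit of the given S-boxes."""
    return sorted({next_round_sbox(s, j)[0] for s in sbox_indices for j in range(4)})


def sboxes_feeding(sbox_indices):
    """S-boxes of the previous round whose output bits reach the inputs of the given S-boxes."""
    return sorted({present_permutation_inverse(4 * s + k) // 4
                   for s in sbox_indices for k in range(4)})


if __name__ == "__main__":
    for i, j, c in single_bit_approximations(SBOX):
        print(f"x{i} -> S(x){j}: correlation {c:+.3f}")
    print("S7 input bit 1 chains to:", single_bit_trail_successors(7, 1))
    print("outputs of S13,S14,S15 feed S-boxes", sboxes_fed_by([13, 14, 15]))
    print("inputs of S7,S11,S15 are fed by S-boxes", sboxes_feeding([7, 11, 15]))
```

Running it shows eight single-bit approximations, all with correlation ±2^-2 and none touching bit 0; each output bit lands on a single input bit of the next round, so a trail can be extended one S-box per round. The adjacency also matches Q6: the outputs of S13, S14, S15 reach exactly S3, S7, S11, S15 (whose last-round key nibbles are listed there), and the inputs of S7, S11, S15 come from S12 to S15, i.e. key bits 48..63 of the first round.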
Q14. What is the average value of C(n+4)p?
By the definition of the capacity and by Theorem 1, the average value of the capacity C_p^(n+4) over n+4 rounds is the sum of the squared correlations of all linear trails over U ∘ Ω(n) ∘ V; this sum is computed in Theorem 2 of the paper.
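As an added example (not code from the paper), the Python below carries out the two computations behind Q4 and Q14 on the PRESENT S-box alone: it builds the distribution of the concatenated approximation values by counting frequencies, and verifies that the capacity of that distribution equals the sum of the squared correlations of all 2^m − 1 nonzero XOR-combinations of the m base approximations. Mask choices and function names are this example's own; on a full cipher the same counting is done over observed plaintext/ciphertext pairs instead of all 16 S-box inputs, and the hull averaging of Theorem 2 is not reproduced here.

```python
"""Multidimensional linear approximation of the PRESENT S-box: frequency distribution of the
concatenated approximation values and the capacity identity.  Added example, not paper code."""

# PRESENT S-box (Bogdanov et al., CHES 2007).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(v):
    """XOR of all bits of v; a.x is parity(a & x)."""
    return bin(v).count("1") & 1


def correlation(sbox, a, b):
    """Correlation of a.x = b.S(x) over all 16 inputs: (#agree - #disagree)/16."""
    agree = sum(1 for x in range(16) if parity(a & x) == parity(b & sbox[x]))
    return (2 * agree - 16) / 16


def approximation_distribution(sbox, masks, inputs=range(16)):
    """Q4: distribution of the m-bit value eta whose i-th bit is a_i.x XOR b_i.S(x),
    estimated by counting how often each eta occurs over the given inputs.
    masks = [(a_0, b_0), ..., (a_{m-1}, b_{m-1})]; returns a list of 2^m frequencies."""
    m = len(masks)
    counts = [0] * (1 << m)
    n = 0
    for x in inputs:
        eta = 0
        for i, (a, b) in enumerate(masks):
            eta |= (parity(a & x) ^ parity(b & sbox[x])) << i
        counts[eta] += 1
        n += 1
    return [c / n for c in counts]


def capacity(p):
    """Capacity of a distribution p over 2^m values: 2^m * sum_eta (p_eta - 2^-m)^2."""
    size = len(p)
    u = 1 / size
    return size * sum((q - u) ** 2 for q in p)


def combined_correlations(sbox, masks):
    """Correlations of all 2^m - 1 nonzero XOR-combinations of the base approximations."""
    m = len(masks)
    out = []
    for sel in range(1, 1 << m):
        a = b = 0
        for i in range(m):
            if (sel >> i) & 1:
                a ^= masks[i][0]
                b ^= masks[i][1]
        out.append(correlation(sbox, a, b))
    return out


def check_capacity_identity(sbox, masks):
    """Returns (capacity computed from the frequency distribution,
                sum of squared correlations of the combined approximations); the two agree."""
    cap = capacity(approximation_distribution(sbox, masks))
    hull = sum(c * c for c in combined_correlations(sbox, masks))
    return cap, hull


if __name__ == "__main__":
    # Two single-bit approximations of the S-box: x1 -> S(x)2 and x2 -> S(x)1 (constructed choice).
    masks = [(0x2, 0x4), (0x4, 0x2)]
    print("distribution:", approximation_distribution(SBOX, masks))
    print("capacity, sum of squared correlations:", check_capacity_identity(SBOX, masks))
```

For the two single-bit approximations chosen, each has correlation −2^-2, but their XOR-combination (input mask 0x6, output mask 0x6) has correlation −2^-1, so the capacity is 1/16 + 1/16 + 1/4 = 3/8, three times what the two base approximations contribute on their own. This is the effect Q8 alludes to: the multidimensional statistic collects the correlation of every combined approximation, not just the ones chosen as a basis.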
Q15. What is the difference between the two types of ciphers?
Even though a simple, iterative structure is desirable for hardware-oriented block ciphers, such ciphers may retain a large number of linear approximations, which allows a multidimensional linear attack to be applied efficiently.