Linear Cryptanalysis of Reduced-Round PRESENT
Joo Yeon Cho (1, 2)
(1) Helsinki University of Technology, Finland
(2) Nokia A/S, Denmark
joo.cho@tkk.fi
Abstract. PRESENT is a hardware-oriented block cipher suitable for resource-constrained environments. In this paper we analyze PRESENT by the multidimensional linear cryptanalysis method. We claim that our attack can recover the 80-bit secret key of PRESENT up to 25 rounds out of 31 rounds with around $2^{62.4}$ data complexity. Furthermore, we show that the 26-round version of PRESENT can be attacked faster than exhaustive key search with $2^{64}$ data complexity by an advanced key search technique. Our results are superior to all the previous attacks. We demonstrate our result by performing the linear attacks on reduced variants of PRESENT. Our results exemplify that the performance of the multidimensional linear attack is superior compared to the classical linear attack.
Keywords: Block Ciphers, Lightweight Cryptography, PRESENT, Multidimensional Linear Cryptanalysis.
1 Introduction
PRESENT [3] is a lightweight SPN block cipher proposed by Bogdanov et al. at CHES
2007. PRESENT is designed for resource restricted applications such as RFID and sensor
networks. Due to the impressive hardware performance and the strong security, PRESENT
has drawn a lot of attention from the lightweight cryptographic community.
On the other hand, cryptanalysis of PRESENT has also been actively performed. In [15], Wang presented a differential cryptanalysis that could attack the 16-round variant with $2^{64}$ chosen texts and $2^{65}$ memory accesses. In [1], Albrecht et al. presented a differential attack using algebraic techniques that can recover an 80-bit key of the 16-round variant with similar complexity to [15], and a 128-bit key of the 19-round variant with $2^{113}$ computations. In [4], Collard et al. presented a statistical saturation attack that can recover the key of the 24-round variant with $2^{57}$ chosen texts and $2^{57}$ time complexity, under the condition that parts of the plaintexts are fixed to a constant value. More recently, Ohkuma presented a linear attack on the 24-round variant with $2^{63.5}$ known texts [13]. He claimed that, due to the linear hull effect, the linear approximation of PRESENT using weak keys could have a much stronger correlation than the one expected by the designers.
In this paper, we analyze PRESENT by a multidimensional linear attack method. We observe that PRESENT has a large number of linear approximations whose correlations are all of the same order of magnitude, due to the simple structure of the round function. As shown in [7], a multidimensional linear attack can be efficiently applied to such a cipher. Our attack is different from Ohkuma's attack [13], since Ohkuma presented the linear attack using a single linear approximation, which can have the strongest correlation if weak keys are used. According to our analysis, the 25-round variant of PRESENT using the 80-bit key can be attacked faster than exhaustive key search with around $2^{62.4}$ data complexity. Furthermore, an advanced key search technique enables us to attack the 26-round version of PRESENT with $2^{64}$ data complexity. Our results are superior to all the previous attacks presented in the open literature. We demonstrate our claim by performing the multidimensional linear attacks on reduced variants of PRESENT.
This paper is organized as follows. In Section 2, the structure of PRESENT is briefly described and the framework of the multidimensional linear attack is presented. In Section 3, linear characteristics are derived and their capacities are computed. In Section 4, the attack algorithm using linear characteristics is described. In Section 5, our attacks are applied to reduced variants of PRESENT and the experimental results are presented. Section 6 concludes this paper.
2 Preliminaries
2.1 Brief Description of PRESENT
PRESENT is an SPN block cipher that consists of 31 rounds. The block length is 64 bits and the key length is 80 or 128 bits. Each of the 31 rounds consists of three layers: addRoundKey, SboxLayer and pLayer. The addRoundKey is a 64-bit exclusive-OR with a round key. The SboxLayer is a 64-bit nonlinear transform that applies a single S-box 16 times in parallel. The S-box is a nonlinear bijective mapping $S : \mathbb{F}_2^4 \to \mathbb{F}_2^4$ given in Table 4. The pLayer is a bit-by-bit permutation $P : \mathbb{F}_2^{64} \to \mathbb{F}_2^{64}$ given in Table 5. The design ideas of the SboxLayer and pLayer are adapted from Serpent [2] and the DES block cipher [10], respectively. The structure of PRESENT is illustrated in Figure 1.
The key scheduling algorithm has two versions depending on whether the key size is 80 bits or 128 bits. Since the key schedule is not directly relevant to our attack, we do not describe it here. For a complete description of PRESENT we refer to the paper [3].
Fig. 1. Overview of PRESENT: the plaintext is XORed with round key 1, then passes through the sBoxLayer and the pLayer; this is repeated up to round key 31, and the output of the last pLayer is XORed with round key 32 to give the ciphertext. The key register is updated after each round key is extracted.
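The description above is enough to implement the cipher, which is what an attacker needs in order to generate known plaintext/ciphertext pairs for reduced-round variants. The following is an added example written for this page, not code from the paper or from the PRESENT designers: a bit-level PRESENT-80 in Python. The S-box and the permutation $P(i) = 16i \bmod 63$ (with $P(63) = 63$) are taken from the PRESENT specification [3], since Tables 4 and 5 are not reproduced on this page; the 80-bit key schedule (rotate left by 61, S-box on the top nibble, round counter XORed into bits 19..15) is also from [3]. The `rounds` parameter produces the reduced-round variants.

```python
# Added example (not code from the paper): an unoptimised PRESENT-80 encryption used to
# build reduced-round variants for experiments. S-box, pLayer and key schedule follow
# the PRESENT specification [3]; nibble i of the state is S-box S_i (little endian).

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
MASK64 = (1 << 64) - 1
MASK80 = (1 << 80) - 1


def p_layer_position(i):
    """pLayer: bit i of the state moves to bit P(i) = 16*i mod 63; bit 63 stays in place."""
    return 63 if i == 63 else (16 * i) % 63


def sbox_layer(state):
    """Apply the 4-bit S-box to each of the 16 nibbles of the 64-bit state."""
    out = 0
    for nib in range(16):
        out |= SBOX[(state >> (4 * nib)) & 0xF] << (4 * nib)
    return out


def p_layer(state):
    """Bit permutation of the 64-bit state."""
    out = 0
    for i in range(64):
        if (state >> i) & 1:
            out |= 1 << p_layer_position(i)
    return out


def round_keys_80(key, rounds=31):
    """Round keys K_1 .. K_{rounds+1} from an 80-bit key: K_i is the leftmost 64 bits of
    the register; after each extraction the register is rotated left by 61, the S-box is
    applied to its top nibble and the round counter i is XORed into bits 19..15."""
    k = key & MASK80
    keys = []
    for i in range(1, rounds + 2):
        keys.append(k >> 16)
        if i > rounds:                      # K_{rounds+1} extracted, no further update
            break
        k = ((k << 61) | (k >> 19)) & MASK80
        k = (SBOX[k >> 76] << 76) | (k & ((1 << 76) - 1))
        k ^= i << 15
    return keys


def present80_encrypt(plaintext, key, rounds=31):
    """Encrypt one 64-bit block. rounds < 31 gives the reduced-round variants the paper
    attacks (rounds full rounds followed by the final key addition)."""
    rk = round_keys_80(key, rounds)
    state = plaintext & MASK64
    for i in range(rounds):
        state ^= rk[i]
        state = p_layer(sbox_layer(state))
    return state ^ rk[rounds]
```

The four test vectors from the specification (all-zero and all-one plaintext and key) are the check to run before using such an implementation in any experiment: a key-schedule bug still "encrypts" without error but silently invalidates every measured correlation.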
2.2 Multidimensional Linear Cryptanalysis using the $\chi^2$ Method
Multidimensional linear cryptanalysis is an extension of Matsui's classical linear cryptanalysis [9] in which multiple linear approximations are optimally exploited. The general framework of multidimensional linear cryptanalysis adapting Matsui's Algorithm 2 was presented by Hermelin et al. in [8]. In their paper, Hermelin et al. studied two statistical methods: the log-likelihood ratio (LLR) and the $\chi^2$. We apply the $\chi^2$ statistical method to PRESENT since the LLR method is not suited to PRESENT-like structures. The detailed explanation will be given in Section 4.4.
The brief framework of the $\chi^2$ method is as follows. Let $V_n$ denote the space of $n$-dimensional binary vectors. A function $f : V_n \to V_m$ with $f = (f_1, \dots, f_m)$, where each $f_i$ is a linear approximation, is called a vectorial linear approximation of dimension $m$. The correlation of $f_i$ is defined as $c(f_i) = 2^{-n}\,[\#(f_i(a) = 0) - \#(f_i(a) = 1)]$, where $a \in V_n$.
Let $p$ be the probability distribution of the $m$-dimensional linear approximation. The capacity of $p = (p_0, \dots, p_{2^m - 1})$ is defined by
$$C_p = \sum_{i=0}^{2^m - 1} \frac{(p_i - u_i)^2}{u_i}$$
where $u = (u_0, \dots, u_{2^m - 1})$ is the uniform distribution. It is well known that $C_p$ is equal to the sum of the squares of the correlations of all $2^m - 1$ linear approximations.
Suppose $l$ is the length of the target key. For all values of $k \in [0, 2^l - 1]$, one obtains the empirical probability distribution $Q_k = (q_{k,0}, \dots, q_{k,2^m - 1})$ by measuring the frequencies of the $m$-dimensional vectors formed by the Boolean values of the $m$ linearly independent approximations. Then the candidate keys are sorted according to their $\chi^2$-statistics, defined as
$$D(k) = 2^m \sum_{i=0}^{M} \left(q_{k,i} - 2^{-m}\right)^2, \qquad M = 2^m - 1 \qquad (1)$$
which represents the $l_2$-distance of $Q_k$ from the uniform distribution.
If the right key is ranked in position $d$ from the top out of $2^l$ key candidates, we say that the attack has an advantage of $(l - \log_2 d)$ [14]. The advantage of the $\chi^2$-method using statistic (1) is derived in Theorem 1 of [8] as
$$\text{advantage} = \frac{\left(N C_p - 4\,\Phi^{-2}(2P_s - 1)\right)^2}{8M}, \qquad \Phi(x) = \int_{-\infty}^{x} \frac{1}{\sqrt{2\pi}}\, e^{-t^2/2}\, dt \qquad (2)$$
where $P_s$ is the success probability, $N$ is the amount of data, $C_p$ is the capacity and $\Phi^{-2}(x)$ denotes $(\Phi^{-1}(x))^2$.
2.3 Notations
Let $S_i$ denote the $i$-th S-box in the SboxLayer and $P$ denote the permutation in the pLayer. Let $K_r$ denote the $r$-th round key and $K_r^{[i]}$ denote the $i$-th bit of $K_r$. $K_r^{[i..j]}$ denotes the bit string from $K_r^{[i]}$ to $K_r^{[j]}$. We use $E_K(X)$ to represent the average value of $X$ over all possible values of $K$. In our notation of bit masks, we identify $\mathbb{F}_2^4$ with $\mathbb{Z}_{16}$. We use little-endian bit notation throughout the paper, that is, the least significant bit is the rightmost one.
3 Linear Characteristics of PRESENT
We define a linear trail as a single path of linear approximations concatenated over multiple
rounds. It is a common belief that the linear characteristic with multiple linear trails has
a larger correlation than one with a single linear trail due to the linear hull effect [11]. In
this section, we derive a linear characteristic of PRESENT that has multiple linear trails.
Each linear trail exploits the linear approximations of S-boxes which have a single active bit
in the input and output masks. The linear masks having more than one active bit affect at

4 J. Y. Cho
least two S-boxes in the consecutive round due to the permutation layer, which yield much
less correlations in the multiple rounds of PRESENT.
Definition 1. A single-bit linear trail is a linear trail where the input and output masks of
linear approximations of all intermediate S-boxes are of Hamming weight one.
We call a single-bit linear trail as just a linear trail unless specified otherwise.
3.1 Single Bit Linear Trails
Let $\pi(\alpha, \beta)$ denote a linear approximation of the S-box $S$, where $\alpha, \beta \in \mathbb{F}_2^4$ are the input and output masks of $S$, respectively. The correlation of $\pi(\alpha, \beta)$ is denoted by $\rho(\alpha, \beta)$. We observe that the S-box has the following properties:
S1. For $\alpha, \beta \in \{2, 4, 8\}$, $\rho(\alpha, \beta) = \pm 2^{-2}$, except that $\rho(8, 4) = 0$;
S2. For $\alpha \in \{1, 2, 4, 8\}$, $\rho(\alpha, 1) = \rho(1, \alpha) = 0$.
According to Properties S1 and S2, the S-box has eight linear approximations with a single active bit in both the input and the output linear masks.
Let us define $\mathcal{S} = \{S_5, S_6, S_7, S_9, S_{10}, S_{11}, S_{13}, S_{14}, S_{15}\}$ and $B = \{4i+1, 4i+2, 4i+3 \mid 0 \le i \le 15,\ S_i \in \mathcal{S}\}$. Then the permutation $P$ of the pLayer has the following properties:
P1. If $x \in B$, then $P(x) \in B$;
P2. All the outputs of $S_0, S_4, S_8$ and $S_{12}$ are moved by the permutation to the least significant bits of the inputs of the S-boxes in the next round. Also, the outputs of $S_1, S_2$ and $S_3$ are moved to the inputs of $S_0, S_4, S_8$ and $S_{12}$ in the next round.
Due to Properties S2 and P2, linear trails passing through any bit position not included in $B$ have zero correlation. Hence, by Properties S1 and P1, any $r$-round linear trail with an input mask $\alpha$ and an output mask $\beta$ takes the following path:
$$\pi(\alpha, 2^{v_1}) \to \pi(2^{u_2}, 2^{v_2}) \to \cdots \to \pi(2^{u_{r-1}}, 2^{v_{r-1}}) \to \pi(2^{u_r}, \beta)$$
where $u_i, v_i \in \{1, 2, 3\}$ and $(u_i, v_i) \ne (3, 2)$ for $1 \le i \le r$.
3.2 n-Round Linear Characteristic
Let $\Omega^{(1)}$ denote the 1-round linear characteristic which has all the single-bit linear trails of the nine S-boxes of $\mathcal{S}$, as shown in Figure 2. Due to Property S1, $\Omega^{(1)}$ contains $9 \times 8 = 72$ linear trails, each of which has correlation $\pm 2^{-2}$. Since $x \mapsto P(x)$ is a one-to-one mapping, Property P1 implies that $\{P(x) \mid x \in B\} = B$. Hence, we can construct the $n$-round linear characteristic, denoted by $\Omega^{(n)}$, by concatenating $\Omega^{(1)}$ iteratively $n$ times as follows:
$$\Omega^{(n)} = \underbrace{\Omega^{(1)} \circ \cdots \circ \Omega^{(1)}}_{n \text{ times}}.$$
We can expect that the number of linear trails grows exponentially with the number of rounds. Let $\zeta^{(r)}(i, j)$ denote the bundle of linear trails which start from the $i$-th bit of the input and end at the $j$-th bit of the output over $\Omega^{(r)}$. Each $\zeta^{(r)}(i, j)$ is extended to $\zeta^{(r+1)}(i, k)$ for some $k \in B$ via two or three single-bit linear approximations of the S-box.

Fig. 2. Linear trails in the 1-round linear characteristic (the single-bit trails from the nine S-boxes $S_{15}, S_{14}, S_{13}, S_{11}, S_{10}, S_9, S_7, S_6, S_5$ of one round to the same nine S-boxes of the next round)
Let $\theta^{(r)}(i, j)$ denote the correlation of $\zeta^{(r)}(i, j)$. If $\theta_j^{(r)}$ is defined as the sum of the correlations of all linear trails that reach the $j$-th bit of the output over $\Omega^{(r)}$, then $\theta_j^{(r)} = \sum_{i \in B} \theta^{(r)}(i, j)$. The actual value of $\theta_j^{(r)}$ depends on the round keys involved in each linear trail. Suppose $K$ is a user-supplied key. For any $i, j \in B$, $\theta_j^{(r)}(K)$ is recursively expressed as
$$\theta_j^{(r)}(K) = \sum_{i=1}^{3} (-1)^{K_r^{[\nu]}}\, \rho\!\left(2^i, 2^{j \bmod 4}\right)\, \theta_\nu^{(r-1)}(K), \qquad \nu = P^{-1}\!\left(4\lfloor j/4 \rfloor + i\right) \qquad (3)$$
where $P^{-1}$ is the inverse mapping of $P$.
The average value of $\theta_j^{(r)}$ over all possible values of $K$ is recursively computed by the following algorithm:
1. Initialize $\theta_j^{(0)} = 1$ for all $j \in B$. Set $r = 1$.
2. For each $j \in B$,
(a) compute $\theta_j^{(r)}(K)$ using (3) for all possible values of $K \in \mathbb{F}_2^{27}$;
(b) assign $\theta_j^{(r)} = E_K\!\left(|\theta_j^{(r)}(K)|\right) = 2^{-27} \sum_K |\theta_j^{(r)}(K)|$.
3. Repeat Step 2 for $r = 2, 3, \dots, n$.
The above algorithm can be much simplified by the following theorem (in this theorem, the correlation potential means the square of the correlation):
Theorem 1. (Theorem 7.9.1 [6], Theorem 1 [11]) The average correlation potential between an input and an output selection pattern is the sum of the correlation potentials of all linear trails between the input and output selection patterns.
By Theorem 1, the average value of $|\theta_j^{(n)}|$ is obtained by summing the absolute values of the correlations of all linear trails in $\zeta^{(n)}(i, j)$ for all $i \in B$. Hence, the average value of $|\theta_j^{(n)}|$ can be computed simply by the following algorithm:
1. Initialize $\theta_j^{(0)} = 1$ for all $j \in B$. Set $r = 1$.
2. For each $j \in B$, compute
$$\theta_j^{(r)} = \sum_{i=1}^{3} \left|\rho\!\left(2^i, 2^{j \bmod 4}\right)\right| \theta_\nu^{(r-1)}, \qquad \nu = P^{-1}\!\left(4\lfloor j/4 \rfloor + i\right).$$
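The properties S1, S2, P1, P2 of Section 3.1 and the recursion above are all mechanically checkable. As an added example (not code from the paper), serving both that section and the simplified algorithm: the S-box correlations $\rho(\alpha, \beta)$ are computed exactly, the eight single-bit approximations and $\rho(8, 4) = 0$ are confirmed, $P(B) = B$ is verified, and the recursion for $\theta_j^{(r)}$ is run over $\Omega^{(r)}$ with $B$ indexed as in the paper; the same recursion with unit weights counts the trails. The S-box and $P(i) = 16i \bmod 63$ (with $P(63) = 63$) are taken from the PRESENT specification [3], as the page does not reproduce Tables 4 and 5.

```python
# Added example (not code from the paper): verify Properties S1/S2 and P1/P2, then run the
# simplified recursion for theta_j^{(r)} over Omega^{(r)}. S-box and pLayer from [3];
# bit 4i+j is input/output bit j of S-box S_i (little endian), as in the paper.
from fractions import Fraction

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def P(i):
    return 63 if i == 63 else (16 * i) % 63


P_INV = {P(i): i for i in range(64)}


def parity(x):
    return bin(x).count("1") & 1


def rho(alpha, beta):
    """Exact correlation of the S-box approximation pi(alpha, beta) over its 16 inputs."""
    agree = sum(parity(alpha & x) == parity(beta & SBOX[x]) for x in range(16))
    return Fraction(2 * agree - 16, 16)


def single_bit_approximations():
    """(alpha, beta, rho) for the single-bit masks with nonzero correlation (S1, S2)."""
    bits = (1, 2, 4, 8)
    return [(a, b, rho(a, b)) for a in bits for b in bits if rho(a, b) != 0]


S_SET = (5, 6, 7, 9, 10, 11, 13, 14, 15)
B = frozenset(4 * i + j for i in S_SET for j in (1, 2, 3))


def property_p1_holds():
    """P1: P maps B onto B."""
    return {P(x) for x in B} == B


def property_p2_holds():
    """P2: outputs of S_0, S_4, S_8, S_12 land on input bit 0 of some S-box, and outputs
    of S_1, S_2, S_3 land on inputs of S_0, S_4, S_8, S_12."""
    to_lsb = all(P(4 * i + j) % 4 == 0 for i in (0, 4, 8, 12) for j in range(4))
    to_s0 = all(P(4 * i + j) // 4 in (0, 4, 8, 12) for i in (1, 2, 3) for j in range(4))
    return to_lsb and to_s0


def _recursion(rounds, weight):
    """theta_j^{(r)} = sum_{i=1..3} weight(i, j) * theta_nu^{(r-1)}, nu = P^{-1}(4*floor(j/4)+i),
    from theta_j^{(0)} = 1 for all j in B. nu stays in B because P(B) = B (Property P1)."""
    theta = {j: Fraction(1) for j in B}
    for _ in range(rounds):
        theta = {j: sum(weight(i, j) * theta[P_INV[4 * (j // 4) + i]] for i in (1, 2, 3))
                 for j in B}
    return theta


def average_theta(rounds):
    """Average |theta_j^{(r)}| by the simplified algorithm: weight |rho(2^i, 2^{j mod 4})|."""
    return _recursion(rounds, lambda i, j: abs(rho(1 << i, 1 << (j % 4))))


def trail_count(rounds):
    """Number of single-bit linear trails over Omega^{(r)} ending at each j in B: the same
    recursion with weight 1 for every nonzero rho."""
    return _recursion(rounds, lambda i, j: Fraction(int(rho(1 << i, 1 << (j % 4)) != 0)))
```

Because the simplified recursion sums absolute trail correlations and every single-bit approximation has $|\rho| = 2^{-2}$, $\sum_{j \in B} \theta_j^{(r)}$ equals the trail count times $2^{-2r}$ (72 trails for $r = 1$, 192 for $r = 2$). The key-dependent form (3), averaged over $\mathbb{F}_2^{27}$, is not run here.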

References (as listed on the page)
A. Bogdanov et al. PRESENT: An Ultra-Lightweight Block Cipher. CHES 2007.
J. Daemen and V. Rijmen. The Design of Rijndael: AES - The Advanced Encryption Standard.
M. Matsui. Linear cryptanalysis method for DES cipher.
Frequently Asked Questions
Q1. What contributions have the authors mentioned in the paper "Linear cryptanalysis of reduced-round PRESENT"?

In this paper the authors analyze PRESENT by the multidimensional linear cryptanalysis method. The authors claim that their attack can recover the 80-bit secret key of PRESENT up to 25 rounds out of 31 rounds with around $2^{62.4}$ data complexity. Furthermore, the authors show that the 26-round version of PRESENT can be attacked faster than exhaustive key search with $2^{64}$ data complexity by an advanced key search technique. The authors demonstrate their result by performing the linear attacks on reduced variants of PRESENT.

Even though a simple, iterative structure of the cipher is desirable for hardware-oriented block ciphers, such ciphers may retain a large number of linear approximations by which a multidimensional linear attack can be applied efficiently. It would be interesting to see whether their attack can be applied to other ciphers that have simple structures, like AES.

He claimed that, due to the linear hull effect, the linear approximation of PRESENT using weak keys could have a much stronger correlation than the one expected by the designers.

The probability distribution of the linear approximations can be obtained by just measuring the frequencies of the concatenated value of the input and output of the linear characteristic.

According to their analysis, the 25-round variant of PRESENT using the 80-bit key can be attacked faster than exhaustive key search with around $2^{62.4}$ data complexity.

Without increasing the data complexity, the authors can recover another 32 bits of the round key by changing the input S-boxes of $U$ and the output S-boxes of $V$ over $U \circ \Omega^{(n)} \circ V$; if the attack uses the linear characteristic starting with $S_7, S_{11}, S_{15}$ and ending with $S_{13}, S_{14}, S_{15}$, the authors can recover $K_1^{[48..63]}$ in the first round and $K_n^{[12..15]}, K_n^{[28..31]}, K_n^{[44..47]}$ and $K_n^{[60..63]}$ in the last round.

The time complexity of the attack can be reduced by at least a factor of $m$, where $m$ is the dimension of the linear approximations.

Due to the existence of a large number of linear trails in PRESENT, the data complexity of the attack is reduced significantly compared to the estimate from the correlation of a single linear approximation.

Since computing the $l_2$ distance requires $9 \cdot 2^8$ operations for each candidate key, the total time complexity of the attack is $2^{64} + 9 \cdot 2^8 \cdot 2^{32} \approx 2^{64}$.

Modern block ciphers often prove resistance to linear cryptanalysis by counting the minimum number of active S-boxes involved in the best linear approximation.

Even though the bit permutation is desirable for efficient hardware implementation, it has a potential weakness that input bits and output bits have one-to-one
Footnote 4: The computational complexity may be further reduced by applying the Fast Fourier Transform at the cost of increased memory complexity.

A single-bit linear approximation of an S-box of any round can be connected to another single-bit linear approximation of the next round through the permutation layer.

A simple remedy to prevent their attack is to revise the S-box in such a way that the single-bit linear approximations of the S-box do not have significant correlations.

By the definition of the capacity and due to Theorem 1, the average value of $C_p^{(n+4)}$ is the sum of the squares of the correlations of all linear trails over $U \circ \Omega^{(n)} \circ V$, which is calculated by Theorem 2.
Even though a simple, iterative structure of the cipher is desirable for the hardware-oriented block ciphers, such ciphers may havepossibility to retain a large number of linear approximations by which a multidimensional linear attack can be applied efficiently.