×

Known-key distinguisher on full \(\mathtt{PRESENT}\). (English) Zbl 1375.94104

Gennaro, Rosario (ed.) et al., Advances in cryptology – CRYPTO 2015. 35th annual cryptology conference, Santa Barbara, CA, USA, August 16–20, 2015. Proceedings. Part I. Berlin: Springer (ISBN 978-3-662-47988-9/pbk; 978-3-662-47989-6/ebook). Lecture Notes in Computer Science 9215, 455-474 (2015).
Summary: In this article, we analyse the known-key security of the standardized PRESENT lightweight block cipher. Namely, we propose a known-key distinguisher on the full PRESENT, both 80- and 128-bit key versions. We first leverage the very latest advances in differential cryptanalysis on PRESENT, which are as strong as the best linear cryptanalysis in terms of number of attacked rounds. Differential properties are much easier to handle for a known-key distinguisher than linear properties, and we use a bias on the number of collisions on some predetermined input/output bits as distinguishing property. In order to reach the full PRESENT, we eventually introduce a new meet-in-the-middle layer to propagate the differential properties as far as possible. Our techniques have been implemented and verified on the small scale variant of PRESENT. While the known-key security model is very generous with the attacker, it makes sense in practice since PRESENT has been proposed as basic building block to design lightweight hash functions, where no secret is manipulated. Our distinguisher can for example apply to the compression function obtained by placing PRESENT in a Davies-Meyer mode. We emphasize that this is the very first attack that can reach the full number of rounds of the PRESENT block cipher.
For the entire collection see [Zbl 1319.94002].

MSC:

94A60 Cryptography

Software:

PRESENT; Quark; LED; KTANTAN
PDFBibTeX XMLCite
Full Text: DOI

References:

This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.