Introduction

Lightweight block ciphers [1,2,3,4,5,6] are developed to satisfy the security needs of resource-constrained devices such as RFID tags. They work efficiently in hardware and consume little memory. Since there is a direct relation between hardware complexity and security, lightweight block ciphers may offer poor security if proper attention is not paid in the design phase. Conventional cryptographic strength evaluation is mainly based on linear and differential cryptanalysis, which is efficient but fails to reach the full round count of most ciphers. Khovratovich et al. introduced biclique cryptanalysis [7] in 2011 as part of a preimage attack on SHA-2; it is an extension of the splice-and-cut method [8], which in turn is derived from the meet-in-the-middle attack [9].

The biclique technique was introduced for the analysis of block cipher-based hash functions, but cryptologists later started using it for block cipher key recovery. In 2011, full-round AES [10] was cryptanalysed for the first time, by Bogdanov et al., using bicliques. Later, key recovery attacks were proposed against various block ciphers including HIGHT [11], Piccolo [12], TWINE [13], SQUARE [14], AREA-256 [15], etc.

In 2007, Bogdanov et al. proposed the lightweight block cipher PRESENT [16], which supports key lengths of 80 and 128 bits, denoted PRESENT-80 and PRESENT-128, respectively. Because of its simple structure and security, PRESENT attracted the attention of the cryptographic community to a great extent. A differential cryptanalysis of 16-round PRESENT with time complexity \( 2^{65} \) was proposed in 2008 [16] by Wang. In 2009, Kenji Ohkuma showed that linear cryptanalysis can be used to attack 24 rounds of PRESENT [17]. Using linear cryptanalysis, 25 rounds of PRESENT-80 were attacked by Cho [18] in 2010. Farzaneh et al. applied the biclique technique to full-round PRESENT in 2012 [19]; the keys of PRESENT-80 and PRESENT-128 are retrieved with time complexities \( 2^{79.46} \) and \( 2^{127.37} \), and data complexities of \( 2^{60} \) and \( 2^{44} \) chosen plaintexts, respectively. Jeong et al. published a different biclique analysis of both key variants of PRESENT [20] with time complexities \( 2^{79.76} \) and \( 2^{127.91} \).

In this paper, a new biclique attack on full-round PRESENT is proposed. A four-dimensional biclique is built over rounds 1–3; for the remaining rounds, matching with precomputation is applied. Table 1 compares the results of the cryptanalysis proposed in this paper with the results achieved so far by other researchers.

Table 1 Comparison on attack complexities on PRESENT-80

The paper is organized as follows. Section 2 gives an overall idea about PRESENT block cipher operation and functioning. This section focuses on the 80-bit key variant of PRESENT. Section 3 gives the theory behind biclique cryptanalysis. In Sect. 4 the proposed attack is presented with all computational details. Section 5 concludes the paper.

PRESENT-80 Block Cipher

PRESENT is an SPN-type block cipher with a 64-bit data block. The cipher has two key lengths, 80 bits and 128 bits, and the variants are denoted PRESENT-80 and PRESENT-128, respectively. Except for the key schedule, both variants function identically. The cipher takes 31 rounds to complete the encryption process. The operations performed in each round are the round transformation and the key schedule update.

Round Transformation

In each round, the data is partially encrypted in three steps:

  1. Key addition: The 64 most significant bits of the key register are XORed with the 64-bit data.

  2. Substitution: PRESENT uses a 4-bit bijective sbox. Sixteen parallel sboxes substitute the entire 64-bit data in one clock cycle.

  3. Permutation: The substituted data in each round are permuted by the pLayer. The data permutation is shown pictorially in Fig. 1, and the input and output positions of the pLayer are listed in Table 2.

Fig. 1 PRESENT round function

Table 2 Permutation table of PRESENT-80

Key Scheduling

Since this paper focuses on biclique cryptanalysis of PRESENT-80, only the key schedule of the 80-bit variant is given here. In every round, the key register is updated to obtain the key bits for the next round. Since encryption operates on 64 bits of data, only 64 key bits are used in each round. Let the 80-bit initial key be

$$ K = k_{79} k_{78} k_{77} \ldots k_{2} k_{1} k_{0}. $$

Then the ith round key is

$$ K_{i} = K_{64} K_{63} K_{62} \ldots K_{2} K_{1} K_{0} = k_{79} k_{78} k_{77} \ldots k_{18} k_{17} k_{16}, \quad 1 \le i \le 32, $$

where \( K_{32} \) is used for post-whitening.

After extracting the round key \( K_{i} \), the key register is updated in three steps:

  1. The key register is rotated 19 bit positions to the right (circular shift).

  2. The 4 most significant bits of the key register are passed through the sbox and replaced by its output.

  3. The five key bits \( k_{19} k_{18} k_{17} k_{16} k_{15} \) are XORed with the 5-bit round counter, with its MSB at the left end.
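The round transformation and key schedule described above, as an added bit-level PRESENT-80 implementation (not code from the paper). It follows the standard convention that the pLayer moves input bit i to output bit (16·i) mod 63 (bit 63 fixed) and that the key register is rotated left by 61, which is the 19-bit right rotation of step 1; the all-zero key/plaintext test vector is the one from the PRESENT specification.

```python
# Added example (not the paper's own code): bit-level PRESENT-80 encryption.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# pLayer: input bit i moves to output bit (16*i) mod 63, bit 63 stays in place.
PERM = [(16 * i) % 63 if i != 63 else 63 for i in range(64)]
MASK64 = (1 << 64) - 1
MASK80 = (1 << 80) - 1


def sbox_layer(state):
    """Apply the 4-bit sbox to all sixteen nibbles of the 64-bit state."""
    out = 0
    for n in range(16):
        out |= SBOX[(state >> (4 * n)) & 0xF] << (4 * n)
    return out


def p_layer(state):
    """Bit permutation of the 64-bit state."""
    out = 0
    for i in range(64):
        out |= ((state >> i) & 1) << PERM[i]
    return out


def update_key(key, round_counter):
    """PRESENT-80 key register update after round key extraction."""
    # step 1: rotate left by 61 (= rotate right by 19)
    key = ((key << 61) | (key >> 19)) & MASK80
    # step 2: most significant nibble k79..k76 through the sbox
    key = (SBOX[key >> 76] << 76) | (key & ((1 << 76) - 1))
    # step 3: k19..k15 XORed with the 5-bit round counter
    return key ^ (round_counter << 15)


def present80_encrypt(plaintext, key):
    """Encrypt a 64-bit plaintext under an 80-bit key; returns the ciphertext."""
    state = plaintext & MASK64
    key &= MASK80
    for i in range(1, 32):
        state ^= key >> 16               # round key K_i = 64 most significant bits
        state = p_layer(sbox_layer(state))
        key = update_key(key, i)
    return state ^ (key >> 16)           # K_32 is used for post-whitening


if __name__ == "__main__":
    print(hex(present80_encrypt(0, 0)))  # specification test vector: 5579c1387b228445
```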

Biclique Cryptanalysis

The concept of biclique cryptanalysis is derived from splice-and-cut attacks [23]. To mount a biclique attack, the cipher is divided into subciphers and bicliques are constructed on the target subcipher in such a way that the computational efficiency is increased.

Let S be a set of starting states and C a set of ending states. Denote the elements of S by \( S_{j} \) and the elements of C by \( C_{i} \). If every element of S is connected to every element of C by some key K[i, j], then the 3-tuple of sets [{\( S_{j} \)}, {\( C_{i} \)}, {K[i, j]}] forms a d-dimensional biclique if

$$ \forall\, i, j \in \{0, \ldots, 2^{d} - 1\}: \quad C_{i} = f_{K[i,j]}(S_{j}). $$

A schematic view of a biclique is shown in Fig. 2.

Fig. 2 Schematic view of bicliques

A group of keys K[i, j] is defined by a biclique and can be computed from the base key K[0, 0] together with the differences \( \Delta_{i} \) and \( \nabla_{j} \):

$$ K\left[ {i,\,j} \right] = K\left[ {0,0} \right] \cdot \Delta_{i} \cdot \nabla_{j} $$

Let k be the key length and d the dimension of the biclique. Initially, the total key space is divided into \( 2^{k-2d} \) subspaces of \( 2^{2d} \) keys each. The cipher E is then divided into three subciphers E1, E2 and B such that E1 maps a plaintext P to the intermediate state V, E2 maps V to another state S, and B maps S to the ciphertext C:

$$ P\mathop \to \limits^{E1} V\mathop \to \limits^{E2} S\mathop \to \limits^{B} C $$

The adversary builds the biclique on an arbitrary part of the cipher and, for the remaining part, carries out meet-in-the-middle matching with precomputation. In this paper, an independent biclique attack is applied against the PRESENT-80 cipher.

Independent Bicliques

Bicliques can be constructed over any subcipher B from two differentials, one in the forward direction and one in the reverse direction. Here, we take a base computation and two d-bit differentials in opposite directions, chosen so that the differentials do not overlap. Let the 3-tuple {\( S_{0} \), \( C_{0} \), K[0, 0]} be the base computation, where \( S_{0} \) is mapped to the ciphertext \( C_{0} \) by the key K[0, 0], i.e.

$$ {S}_{0} \mathop{\longrightarrow}\limits^{{K\left[ {0,0} \right]}}{C}_{0} $$

Now we choose \( 2^{d} \) forward differentials \( \Delta_{i} \) which produce the ciphertexts \( C_{i} \) from \( S_{0} \):

$$ {S}_{0} \mathop{\longrightarrow}\limits^{{{{K}[0,0] \oplus \Delta_{i}^{K} }}}C_{0} \cdot \Delta_{i} = C_{i} \,\left( {\text{through\, subcipher}}\,B \right) $$

Likewise, \( 2^{d} \) backward differentials \( \nabla_{j} \) are chosen which produce the intermediate states \( S_{j} \) from the ciphertext \( C_{0} \):

$$ {S}_{j} = {S}_{0} \cdot \nabla_{j} \mathop{\longleftarrow}\limits^{{K[0,0] \oplus \Delta_{j}^{K} }}{C}_{0} \left( {\text{through\,subcipher}}\,B^{ - 1} \right) $$

If no active non-linear operations overlap on the trails of the forward differential \( \Delta_{i} \) and the reverse differential \( \nabla_{j} \), then every input difference \( \nabla_{j} \) can be connected to every output difference \( \Delta_{i} \). This yields \( 2^{2d} \) independent trails (\( \Delta_{i} \), \( \nabla_{j} \)):

$$ {S}_{0} \cdot \nabla_{j} \mathop{\longleftrightarrow}\limits^{{K}[0,0] \oplus \Delta_{i}^{K} \oplus \Delta_{j}^{K} } {C}_{0} \cdot \Delta_{i} \quad {i,j} \in \left\{ {0 \ldots 2^{d} {-}{ }1} \right\} $$

From the above discussion, it is clear that, for a biclique of dimension d, \( 2^{2d} \) keys can be tested using \( 2 \times 2^{d} \) computations. If the complete key space is partitioned into groups of \( 2^{2d} \) keys, the attack complexity comes down to \( 2^{k-2d} \) computations of E. The complexity of biclique construction and matching has to be added to this to obtain the full complexity.

Matching with Precomputation

For the part of the cipher not covered by the biclique, matching with precomputation is an efficient way to perform the matching [10, 20] on selected bits. Between E1 and E2, an internal state V is selected by the adversary. The steps of the matching are given below:

  1. Using K[i, 0], the adversary computes the least significant 4 bits of the round 18 output in the forward direction, for all i = 0 to \( 2^{4} - 1 \). These values are stored in memory as \( \overrightarrow{v_{i}} \), along with the intermediate values. Mathematically,

    $$ P_{i} \mathop \to \limits^{K[i,0]} \overrightarrow{v_{i,0}} \;\;({\text{using the subcipher }} E_{1}) $$

  2. The \( 2^{d} \) values in the backward direction, starting from the state \( S_{j} \), are computed in the same way:

    $$ \overleftarrow{v_{0,j}} \mathop \leftarrow \limits^{K[0,j]} S_{j} \;\;({\text{using the subcipher }} E_{2}) $$

  3. For the remaining \( 2^{2d} - 2^{d} \) computations, the stored values are reused:

    $$ P_{i} \mathop \to \limits^{K[i,j]} \overrightarrow{v_{i,j}} \;{\text{and}}\; \overleftarrow{v_{i,j}} \mathop \leftarrow \limits^{K[i,j]} S_{j} \;\;({\text{using both }} E_{1} {\text{ and }} E_{2}) $$

Only those parts of the key schedule and round transformations that differ from the stored values need to be recomputed, so the computational complexity is reduced significantly.

Complexity Calculations

The advantage of biclique cryptanalysis is that \( 2^{2d} \) keys can be tested with \( 2 \times 2^{d} \) computations. To cover the full key space, the adversary constructs \( 2^{k-2d} \) bicliques. The full complexity of the analysis is

$$ C_{\text{full}} = 2^{k - 2d} \left( {C_{\text{biclique}} + C_{\text{decrypt}} + C_{\text{precompute}} + C_{\text{recompute}} + C_{\text{falsepos}} } \right), $$

where \( C_{\text{biclique}} \) is the cost of constructing the biclique, \( C_{\text{decrypt}} \) is the complexity of the decryption oracle for \( 2^{d} \) ciphertexts, \( C_{\text{precompute}} \) is the cost of computing v, \( C_{\text{recompute}} \) is the complexity of recomputing the \( 2^{2d} \) values \( v_{i,j} \), and \( C_{\text{falsepos}} \) is the complexity of eliminating false positives.

Proposed Attack

Construction of Biclique

Here, we propose an attack on PRESENT-80. First, a biclique has to be constructed over a certain number of rounds; rounds 1–3 are selected for a four-dimensional biclique. In rounds 0–3, the partial secret keys used are:

  • RoundKey 1: \( k_{79} k_{78} \ldots k_{17} k_{16} \)

  • RoundKey 2: \( k_{18} k_{17} \ldots k_{1} k_{0} k_{79} \ldots k_{36} k_{35} \)

  • RoundKey 3: \( k_{37} k_{36} \ldots k_{1} k_{0} k_{79} \ldots k_{55} k_{54} \)

  • RoundKey 4: \( k_{56} k_{55} \ldots k_{1} k_{0} k_{79} \ldots k_{74} k_{73} \)

The key bit groups selected to construct the biclique on full PRESENT-80 over rounds 1–3 are {k10, k11, k12, k13} and {k69, k70, k71, k72}. That is, the forward differential \( \Delta_{i} \) and the reverse differential \( \nabla_{j} \) are created from {k10, k11, k12, k13} and {k69, k70, k71, k72}, respectively. We take a subcipher f consisting of rounds 1–3. Here, \( C_{0} \) is fixed first and \( S_{0} \) is derived from \( C_{0} \), i.e. \( S_{0} = f_{K[0,0]}^{-1}(C_{0}) \). In each round, {k10, k11, k12, k13} carries the difference i and {k69, k70, k71, k72} carries the difference j; all other bits have zero difference.

Let us see how the forward differential key bits propagate through rounds 1–4. The corresponding data bit positions are also given:

  • 1st round: {k10, k11, k12, k13} – {-, -, -, -}

  • 2nd round: {k71, k72, k73, k74} – {55, 56, 57, 58}

  • 3rd round: {k52, k53, k54, k55} – {36, 37, 38, 39}

  • 4th round: {k33, k34, k35, k36} – {17, 18, 19, 20}

The backward differential key bits propagate through rounds 1–4 as follows:

  • 1st round: {k69, k70, k71, k72} – {53, 54, 55, 56}

  • 2nd round: {k50, k51, k52, k53} – {34, 35, 36, 37}

  • 3rd round: {k31, k32, k33, k34} – {15, 16, 17, 18}

  • 4th round: {k4, k5, k6, k7} – {-, -, -, -}

where ‘-’ denotes that the key bits do not appear in the operation. Figure 3 shows the four-dimensional biclique drawn from the above calculations.
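The round-key composition and the key-bit trails listed above can be checked mechanically. The following added example (not code from the paper) tracks, for every key-register position, which master-key bit currently sits there, applying only the 19-bit rotation between rounds; the sbox on positions 79..76 and the counter XOR on 19..15 change bit values but not which master-key bit a position depends on, so they are deliberately not modelled. The mapping "data bit position = register position − 16" is an assumption made here to reproduce the data bit positions given in the text.

```python
# Added example (not the paper's own code): symbolic trace of PRESENT-80 key bits.


def register_after_rounds(rounds_done):
    """Master-key bit index at register positions 79..0 after `rounds_done` updates."""
    reg = list(range(79, -1, -1))          # reg[0] is position 79, reg[79] is position 0
    for _ in range(rounds_done):
        # rotate left by 61 (= right by 19): position p now holds old position (p+19) mod 80
        reg = reg[61:] + reg[:61]
    return reg


def round_key_bits(i):
    """Master-key bit indices forming round key i (data positions 63..0 = register 79..16)."""
    return register_after_rounds(i - 1)[:64]


def trace_bit(bit, i):
    """Locate master-key bit `bit` in round i.

    Returns (register position, data bit position); the data position is None when
    the bit lies in the 16 low register positions and so does not enter round i.
    """
    reg = register_after_rounds(i - 1)
    pos = 79 - reg.index(bit)
    return pos, (pos - 16 if pos >= 16 else None)


def describe_round_key(i):
    """Compact listing such as 'k18 k17 ... k1 k0 k79 ... k36 k35'."""
    return " ".join(f"k{b}" for b in round_key_bits(i))


if __name__ == "__main__":
    for r in range(1, 5):
        print(f"RoundKey {r}: {describe_round_key(r)}")
    # forward trail of the biclique key bits {k10..k13}, backward trail of {k69..k72}
    for group in ((10, 11, 12, 13), (69, 70, 71, 72)):
        for r in range(1, 5):
            print(r, [trace_bit(b, r) for b in group])
```

Running the block prints the four round keys in the order given in the text and, for each trail, pairs such as (71, 55) for k10 in round 2, matching the forward list above.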

Fig. 3 Four-dimensional biclique on PRESENT-80

From Fig. 3, it can be seen that only 23 bits are affected by the propagation of \( \Delta_{i} \). Thus, the data complexity cannot exceed \( 2^{23} \). Here, PRESENT-80 is divided into the three subciphers B, E1 and E2 as explained in Sect. 3: rounds 1–3, 4–17 and 18–31 are computed by B, E1 and E2, respectively.

Matching for the Remaining Rounds

Recomputation in the forward direction starts from k57, k58, k59 and k60 in round 5, as the blue trails in Fig. 4 show. Round 4 is not considered because the key bits selected for the matching do not appear in that round. Recomputation in the backward direction starts from k45, k46, k47 and k48 in round 31, as the red trails in Fig. 4 show.

Fig. 4 Recomputation in the forward and reverse directions

As explained in Sect. 3, matching with precomputation is applied to the remaining rounds. Figure 3 shows the forward and reverse computations for rounds 4–17 and 18–31, respectively. Here, matching is done on the bits \( v_{3} \), \( v_{2} \), \( v_{1} \), \( v_{0} \) of the round 17 output, where the intermediate state is \( v = \{ v_{63}, v_{62}, \ldots, v_{1}, v_{0} \} \).

Complexity of the Attack

As explained in Sect. 2, the total attack complexity is given by

$$ C_{\text{full}} = 2^{k - 2d} \left( {C_{\text{biclique}} + C_{\text{decrypt}} + C_{\text{precompute}} + C_{\text{recompute}} + C_{\text{falsepos}} } \right) $$

\( C_{\text{biclique}} \) is the cost of constructing the biclique. Since the biclique dimension is 4 and the biclique covers 3 rounds, \( C_{\text{biclique}} = 2 \cdot 2^{4} \times 3/31 = 2^{1.63} \).

\( C_{\text{decrypt}} \) is the number of computations required to decrypt the \( 2^{d} \) ciphertexts through the decryption oracle. So, here \( C_{\text{decrypt}} = 2^{4} \).

\( C_{\text{precompute}} \) is the computational cost of the forward and reverse computations through the subciphers E1 and E2, respectively, over the rounds not covered by the biclique. Since in this attack 28 rounds are covered by E1 and E2, \( C_{\text{precompute}} = 2^{4} \times 28/31 = 2^{3.85} \).

\( C_{\text{recompute}} \) is the computational cost of recomputing those parts that differ from the stored values because of the injected key differences \( \Delta_{i} \) and \( \nabla_{j} \) in the forward and reverse direction, respectively. Here, PRESENT is treated as a nibble-based cipher, since the sbox is a 4-bit-input, 4-bit-output element; the recomputation complexity is therefore obtained by counting the sboxes in the round transformation and the key schedule.

From Fig. 4:

The number of active sboxes in the forward direction is 2 + 4 + 9 × 16 + 4 = 154.

The number of active sboxes in the reverse direction is 1 + 4 + 10 × 16 + 4 = 169.

Since key diffusion is very slow, only one sbox has to be recomputed for the key schedule.

So, the total number of sboxes to be recomputed is 154 + 169 + 1 = 324.

The total number of sboxes in PRESENT-80 is 16 × 31 + 1 × 31 = 527 (16 sboxes for the round transformation and 1 for the key schedule in each round).

So, the recomputation complexity is \( C_{\text{recompute}} = 2^{8} \times 324/527 = 2^{7.3} \).

\( C_{\text{falsepos}} \) is the computational complexity of eliminating false positives. Since matching is done on 4 bits, \( C_{\text{falsepos}} \) amounts to \( 2^{4} \) full PRESENT-80 encryptions.

The total complexity of the biclique attack is

$$ C_{\text{full}} = 2^{80 - 2 \cdot 4} \left( 2^{1.63} + 2^{4} + 2^{3.85} + 2^{7.3} + 2^{4} \right) = 2^{79.63}. $$

The data complexity is \( 2^{23} \), and the memory required is \( 2^{4} \) nibbles.

Conclusion

A new biclique attack on PRESENT-80 is proposed in this paper, using the concept of independent bicliques. A four-dimensional biclique is constructed over rounds 1–3, and matching with precomputation is applied to the remaining rounds. The complexity of the attack is the lowest among the attacks published so far: the attack has a data complexity of \( 2^{23} \) and a time complexity of \( 2^{79.63} \) encryptions.