Cryptology ePrint Archive: Report 2015/575

Known-key Distinguisher on Full PRESENT

Céline Blondeau and Thomas Peyrin and Lei Wang

Abstract: In this article, we analyse the known-key security of the standardized PRESENT lightweight block cipher. Namely, we propose a known-key distinguisher on the full PRESENT, both 80- and 128-bit key versions. We first leverage the very latest advances in differential cryptanalysis on PRESENT, which are as strong as the best linear cryptanalysis in terms of number of attacked rounds. Differential properties are much easier to handle for a known-key distinguisher than linear properties, and we use a bias on the number of collisions on some predetermined input/output bits as the distinguishing property. In order to reach the full PRESENT, we eventually introduce a new meet-in-the-middle layer to propagate the differential properties as far as possible. Our techniques have been implemented and verified on the small-scale variant of PRESENT. While the known-key security model is very generous with the attacker, it makes sense in practice since PRESENT has been proposed as a basic building block to design lightweight hash functions, where no secret is manipulated. Our distinguisher can, for example, apply to the compression function obtained by placing PRESENT in a Davies-Meyer mode. We emphasize that this is the very first attack that can reach the full number of rounds of the PRESENT block cipher.

Category / Keywords: secret-key cryptography / PRESENT, known-key model, distinguisher, differential cryptanalysis, linear cryptanalysis

Original Publication (in the same form): IACR-CRYPTO-2015

Date: received 10 Jun 2015

Contact author: thomas peyrin at ntu edu sg

Version: 20150617:160135

Short URL: ia.cr/2015/575
