Related-Key Cryptanalysis on the Full PRINTcipher Suitable for IC-Printing

PRINTcipher-48/96 are 48/96-bit block ciphers proposed in CHES 2010 which support the 80/160-bit secret keys, respectively. In this paper, we propose related-key cryptanalysis of PRINTcipher. To recover the 80-bit secret key of PRINTcipher-48, our attack requires 247 related-key chosen plaintexts with a computational complexity of 2 60 · 62 . In the case of PRINTcipher-96, we require 295 related-key chosen plaintexts with a computational complexity of 2107. These results are the first known related-key cryptanalytic results on them.


Introduction
Recently, the security of constrained hardware environments such as RFID tags and sensor nodes is major topic in cryptography [1,2].The research on lightweight block ciphers suitable for the efficient implementation in constrained hardware environments such as RFID tags and sensor nodes has been studied.As a result, PRESENT [3], LED [4], HIGHT [5], PRINTcipher [6], and Piccolo [7] were proposed.
PRINTcipher is a 48/96-bit block cipher proposed in CHES 2010 thst supports the 80/160-bit secret keys.According to the block size, they are denoted by PRINTcipher-48 and PRINTcipher-96, respectively.The attractive properties of PRINTcipher are that all rounds use the same round key and differ only by a round counter and that the linear layer is partially key-dependent.Because of these properties, most known cryptanalytic results on PRINTcipher are based on weak keys (see Table 1).The best attack results on PRINTcipher are invariance subspace attacks on the full PRINTcipher-48/96 [8].In detail, the attack on the full PRINTcipher-48 is applicable to 2 52 weak keys and requires 5 chosen plaintexts with a negligible computational complexity.In the case of the full PRINTcipher-96, it is applicable to 2 102 weak keys and requires 5 chosen plaintexts with a negligible computational complexity.
In this paper, we find weakness of PRINTcipher-48/96 on related-key attacks.To construct related-key differential characteristics, we focus on related keys that have different values in the part related to a key-dependent permutation.Thus, we can construct -round related-key differential characteristics with a probability of 2 − .By using these characteristics, we can recover the secret keys of PRINTcipher-48/96.Our results are summarized in Table 1.In detail, to recover the 80-bit secret key of PRINTcipher-48, our attack requires 4 related keys, 2 47 related-key chosen plaintexts, and a computational complexity of 2 60.62 .In the case of PRINTcipher-96, we require 4 related keys, 2 95 related-key chosen plaintexts, and a computational complexity of 2 107 .These results are the first known related-key cryptanalytic results on them.
This paper is organized as follows.In Section 2, we describe briefly the structure of PRINTcipher.In Section 3, we explain how to construct related-key differential characteristics on PRINTcipher.Related-key attacks on PRINTcipher-48 and PRINTcipher-96 are proposed in Sections 4 and 5, respectively.Finally, we give our conclusion in Section 6.

Description of PRINTcipher
PRINTcipher-48/96 are 48/96-bit block ciphers supporting the 80/160-bit secret keys.Note that PRINTcipher uses the same round key ( 1 ,  2 ) for all rounds.In detail, the secret key  is divided into ( 1 ,  2 ). 1 is used to XORing with an intermediate value, and  2 controls a key-dependent permutation.
With a bit permutation , a value of the bit position  is moved to the bit position , where In a key-dependent permutation , an intermediate value  is arranged in /3 blocks of 3 bits each, which are permuted individually according to a 2-bit  2  .Out of 6 possible permutations on 3 bits, only four permutations are valid for PRINTcipher.In detail, as shown in Table 2, a 3bit input value ( 0 ,  1 ,  2 ) is permuted to the corresponding output value according to a 2-bit ( 2 ,0 ,  2 ,1 ).Here,    means   in the case that ( 2 ,0 ,  2 ,1 ) = (, ).

Construction of Related-Key Differential Characteristics on PRINTcipher
In this section, we present how to construct -round relatedkey differential characteristics on PRINTcipher-48/96 by using properties of a key-dependent permutation  and box.

Related-Key Properties on Key-Dependent Permutation
and -Box.We consider a 3-bit input value ( 0 ,  1 ,  2 ) of ) is equal to (0, 0) or (0, 1), from Table 2, the corresponding output value is computed as follows: In the above relations, if  0 is equal to  1 , each permutation outputs the same value and vice versa.That is, the following equation holds: In total, we can obtain the following six properties of .
Furthermore, from the definition of -box , we can obtain the following property.
Case 1 (l).Consider the following: Case 2 (l).Consider the following: Case 3 (l).Consider the following: We assume that the input difference of the target round is zero.If a related-key pair (,  * ) satisfies Case 1 (0),  0 has a nonzero related-key difference.Here, from Property 1, it can be easily shown that the output difference of  0 is zero with a probability of 2 −1 (i.e., the probability that  0 is equal to  1 ).Since the output differences of other   's except  0 are zero, as shown in Figure 2, we can construct a 1-round related-key → 0 with a probability of 2 −1 under Case 1 (0).Since PRINTcipher-48 uses the same round key for all rounds, we can easily extend this result to a -round related-key differential characteristic.That is, we can construct a -round related-key differential characteristic   → 0 with a probability of 2 − , respectively.
Note that we cannot control the exact values of the related-key pair (,  * ) under a related-key attack scenario.In other words, we cannot apply the above related-key differential characteristics to our attack directly.To solve this problem, for each   , we consider the following four related keys simultaneously.Here,  means the right secret key of PRINTcipher-48.From these four related keys, we can combine six related-key pairs.For each value of  2  , a related-key pair is satisfied one among three cases, Case 1 (), Case 2 (), and Case 3 () (see Table 3).For example, we assume that  2   is equal to (1, 0).Then, four related keys are computed as follows.

𝑙
) satisfy Case 1 (), Case 2 (), and Case 3 (), respectively (see Table 3).It means that -round related-key differential characteristics → 0, and 0 Case 3 () → 0 are satisfied with a probability of 2 − , respectively.However, if  2  is not equal to (0, 0), only one of related-key pairs satisfies the corresponding condition.For example, it is assumed that the right  2   is (1, 0).Only one key pair, ( (0,0)  ,  (1,0)  ), among three related-key pairs is satisfied Case 2 () from Table 3.It means that the corresponding differential characteristic → 0 is satisfied with a probability of 2 − and that the other differential characteristics 0   → 0 are satisfied with a random probability (= 2 −2 ), respectively.In the case of PRINTcipher-96, we can construct 96(= 3 ⋅ 32) -round related-key differential characteristics with a probability 2 − by using the similar method on PRINTcipher-48.In detail, for each   , we can obtain the same six

Related-Key Cryptanalysis on PRINTcipher-48
We are ready to propose related-key cryptanalysis on PRINTcipher-48.Recall that we can construct -round related-key differential characteristics on PRINTcipher-48 with a probability of 2 − .These related-key differential characteristics depend on the concrete key value.However, the attacker did not control the exact key value under a relatedkey attack scenario.
Our attack procedure mainly consists of the following steps.First, we consider plaintext structures which are composed of 4 plaintexts each.Second, we discard the wrong ciphertext pairs from the difference between ciphertexts.Finally, we guess the partial secret key and determine relatedkey pairs satisfying Case 1 (0).

Collection of Ciphertexts.
First, we consider the following plaintext structures S  0 , 1 which are composed of 4 plaintexts each (see Figure 3).Among all possible sixteen plaintext pairs for each plaintext structure, we consider only the following 8 plaintext pairs: Recall that ( (0,0) 0 ,  (0,1)

0
) is assumed to satisfy Case 1 (0).Thus, for only four plaintext pairs in each plaintext structure, the input difference of round 2 is zero.Here, when we use 2 44 plaintext structures, the expected number of right pairs is 4(= 4 ⋅ 2 44 ⋅ 2 −44 ).Note that our related-key differential characteristics hold with a probability of 2 −44 .

Filtering the Wrong Pairs.
We discard the wrong ciphertext pairs by checking the difference between ciphertexts.For the right ciphertext pair, the output difference of round 45 should be zero as shown in Figure 3.
In round 46, from Property 7, the possible output difference of the first -box is 0 or 2 or 4. The differential propagation in round 47∼48 is shown in Figure 3.Then, we discard the wrong ciphertext pairs by checking the following three checkPoints.
(i) ℎ 1 .The difference between the rightmost 30 bits of ciphertext is zero.

Recovery of the Secret Key of PRINTcipher-48.
For each ciphertext pair passing the above steps, we guess the following 16-bit key: Then we recover 16-bit key by checking the following checkPoints (see Figure 3).(ii) ℎ 5 .Input differences of  0 and  1 in round 47 should be 0 or 4.
(iii) ℎ 6 .Output difference of the first -box in round 46 should be 0 or 2 or 4.

0
), the attack procedure can be explained in a similar fashion.Our attack procedure on the full PRINTcipher-48 is summarized as follows.
(4) Output the guessed key with the maximal count as the right key.
(5) Do an exhaustive search for the remaining secret key by using trial encryption.Step 3, we can recover the 17-bit information on the 80bit secret key of PRINTcipher-48.Thus, a computational complexity of Step 5 is 2 63 PRINTcipher-48 encryptions.Hence, a total computational complexity of our attack is 2 63 .In this subsection, we improve the basic related-key attack on the full PRINTcipher-48.To improve the basic attack, we consider 43-round related-key differential characteristic 0 Case 1 (0)   → 0 (from round 2 to round 44) with a probability of 2 −43 .The overall attack procedure is similar to the basic attack procedure.

𝑙
) and 2 47 related-key chosen plaintexts.Hence, a data complexity of our attack is 2 47 related-key chosen plaintexts.
The filtering probability of this step is computed as follows: ) .
Thus, 7 ⋅ 2 28 (= 8 ⋅ 2 43 ⋅ 7/2 18 ) ciphertext pairs remained on average.So, computational complexities of Step 2(b) and 3(b) are computed as follows: For each remaining ciphertext pair, we guess total 48-bit key ( ) in order to check ℎ 12 , ℎ 13 , and ℎ 14 .Similar to the basic attack, the expected number of the remaining ciphertext pairs is 1.5 for each guessed key.Note that the expected number of right pairs is 4 similar to the basic attack.

Related-Key Cryptanalysis on PRINTcipher-96
The overall attack procedure on the full PRINTcipher-96 is similar to that on the full PRINTcipher-48.Thus, we explain the attack procedure on the full PRINTcipher-96 briefly.
In this attack, we consider 91-round related-key differential characteristics 0 Case 1 (0) → 0 (from round 2 to round 92) with a probability of 2 −91 .The checkPoints used in this attack are as follows (see Figure 5).The attack procedure on the PRINTcipher-96 is summarized as follows.
(1) Select 2 91 plaintext structures which are composed of 4 plaintexts each and obtain the corresponding

2 International
Journal of Distributed Sensor Networks

Table 1 :
Summary of cryptanalytic results on PRINTcipher.

Table 3 :
The corresponding related-key pair according to the value of  2  .