Embed Size (px)
Citation preview
Di�erential ryptanalysis of PUFFIN and PUFFIN2Céline Blondeau1,2 and Benoît Gérard31 INRIA proje t-team SECRET
2 Aalto University S hool of S ien e3 Université atholique de Louvain, UCL Crypto GroupECRYPT Workshop on Lightweight ryptography-28/11/2011C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 1 / 21
Preliminary remarksMain ontributions◮ Breaking both versions of PUFFIN.◮ Tree-based te hni for estimating time omplexity.Tree-based estimate relies on strong assumptions:◮ provides a lower bound on omplexity,◮ may not be the most relevant tool for ryptanalysis,◮ does not threaten the �rst ontribution,◮ is the relevant tool for se urity analysis.This presentation is se urity analysis oriented.C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 2 / 21
OutlineIntrodu ing PUFFIN1/2 and PRESENTBasi s of di�erential ryptanalysisA �rst glan e at PUFFIN1/2 di�erential resistan eAtta ks on PUFFIN and PUFFIN2Con lusionC. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 3 / 21
SummaryIntrodu ing PUFFIN1/2 and PRESENTBasi s of di�erential ryptanalysisA �rst glan e at PUFFIN1/2 di�erential resistan eAtta ks on PUFFIN and PUFFIN2Con lusion
Lightweight SPN iphersRound fun tion omposed of:◮ a key mixing (key addition);◮ a non-linear layer (S-boxes);◮ a di�usion layer (permutation).Most known and studied: PRESENT.Design goal for PUFFIN: PRESENT-like involutional ipher.PUFFIN1/2 se urity issuesPUFFIN: broken in [Leander EUROCRYPT 2011℄.PUFFIN2: pat hed version of PUFFIN.C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 4 / 21
PRESENT, PUFFIN and PUFFIN 2?
?...?
?
?
Add subkey 1SubstitutionPermutationAdd subkey 31SubstitutionPermutationAdd subkey 32|
|
PRESENT?
?
?...?
?
Add subkey 0PermutationSubstitutionAdd subkey 1PermutationSubstitutionAdd subkey 32Permutation|
|
PUFFIN?
?...?
?
?
SubstitutionPermutationAdd subkey 1SubstitutionPermutationAdd subkey 34Substitution|
|
PUFFIN 2
C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 5 / 21
PRESENT permutation layer⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕
S15 S14 S13 S12 S11 S10 S9 S8 S7 S6 S5 S4 S3 S2 S1 S0
MMMMMMMMMMMMMMMMMMMMMMMMM
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
�������������
HHHHHHHHHHHHHHHHHHHHH
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AAAA
AAAA
AAAA
AAAA
AA
TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
}}}}
}}}}
}}}}
}}}}
}}
5555
5555
5555
555
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
vvvvvvvvvvvvvvvvvvvvv
****
****
****
*
PPPPPPPPPPPPPPPPPPPPPPPPPPPP
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
qqqqqqqqqqqqqqqqqqqqqqqqq
MMMMMMMMMMMMMMMMMMMMMMMMM
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
nnnnnnnnnnnnnnnnnnnnnnnnnnnn
�������������
HHHHHHHHHHHHHHHHHHHHH
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
llllllllllllllllllllllllllllllll
AAAA
AAAA
AAAA
AAAA
AA
TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
}}}}
}}}}
}}}}
}}}}
}}
5555
5555
5555
555
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
vvvvvvvvvvvvvvvvvvvvv
****
****
****
*
PPPPPPPPPPPPPPPPPPPPPPPPPPPP
hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
qqqqqqqqqqqqqqqqqqqqqqqqq
MMMMMMMMMMMMMMMMMMMMMMMMM
gggggggggggggggggggggggggggggggggggggggggggggggg
nnnnnnnnnnnnnnnnnnnnnnnnnnnn
�������������
HHHHHHHHHHHHHHHHHHHHH
gggggggggggggggggggggggggggggggggggggggggggggggggggg
llllllllllllllllllllllllllllllll
AAAA
AAAA
AAAA
AAAA
AA
ffffffffffffffffffffffffffffffffffffffffffffffffffffffff
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
}}}}
}}}}
}}}}
}}}}
}}
5555
5555
5555
555
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
vvvvvvvvvvvvvvvvvvvvv
****
****
****
*
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
qqqqqqqqqqqqqqqqqqqqqqqqq
C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 6 / 21
PUFFIN1/2 permutation layerS0S1S2S3S4S5S6S7S8S9S10S11S12S13S14S15
C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 7 / 21
PUFFIN1/2 permutation layerS0S1S2S3S4S5S6S7S8S9S10S11S12S13S14S15
C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 7 / 21
PRESENT and PUFFIN1/2 S-boxPRESENT S-box
x 0 1 2 3 4 5 6 7 8 9 A B C D E FS(x) C 5 6 B 9 0 A D 3 E F 8 4 7 1 2PUFFIN1/2 S-boxx 0 1 2 3 4 5 6 7 8 9 A B C D E FS(x) D 7 3 2 9 A C 1 F 4 5 E 6 0 B 8
C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 8 / 21
PRESENT and PUFFIN1/2 S-boxPRESENT S-box
x 0 1 2 3 4 5 6 7 8 9 A B C D E FS(x) C 5 6 B 9 0 A D 3 E F 8 4 7 1 2PUFFIN1/2 S-boxx 0 1 2 3 4 5 6 7 8 9 A B C D E FS(x) D 7 3 2 9 A C 1 F 4 5 E 6 0 B 8
C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 8 / 21
PRESENT and PUFFIN1/2 S-boxPRESENT S-box
x 0 1 2 3 4 5 6 7 8 9 A B C D E FS(x) C 5 6 B 9 0 A D 3 E F 8 4 7 1 2PUFFIN1/2 S-boxx 0 1 2 3 4 5 6 7 8 9 A B C D E FS(x) D 7 3 2 9 A C 1 F 4 5 E 6 0 B 8
C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 8 / 21
SummaryIntrodu ing PUFFIN1/2 and PRESENTBasi s of di�erential ryptanalysisA �rst glan e at PUFFIN1/2 di�erential resistan eAtta ks on PUFFIN and PUFFIN2Con lusion
Di�erential atta ks on iterated iphersFK FK
- - . . . - -
FK FK- - . . . - -
6?δ0 6
?δr
︸ ︷︷ ︸
r roundsDi�erential probabilityPr [δ0 → δr]
def= PrX,K [F r
K(X)⊕ F rK(X ⊕ δ0) = δr] .C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 9 / 21
Di�erential atta ks on iterated iphersFK FK FKx′ - - . . . - - F r
K(x′) - - y′
FK FK FKx - - . . . - - F rK(x) - - y
6?δ0 6
??
︸ ︷︷ ︸
r roundsC. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 9 / 21
Di�erential atta ks on iterated iphersFK FK FK F−1
kx′ - - . . . - - F rK(x′) - - y′
� �6
k = K
-
FK FK FK F−1
kx - - . . . - - F r
K(x) - - y
� �?
k = K
-
6?δ0 6
?δr?6?
︸ ︷︷ ︸
r roundsC. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 9 / 21
Di�erential atta ks on iterated iphersFK FK FK F−1
kx′ - - . . . - - F rK(x′) - - y′
� �6
k = K
- -k 6= K
FK FK FK F−1
kx - - . . . - - F r
K(x) - - y
� �?
k = K
- -
k 6= K6?δ0 6
?δr?6?
6?δr?
︸ ︷︷ ︸
r roundsBasi Prin iple:For ea h last-round subkey andidate k, omputeD(k) = #{(y, y′) su h that F−1
k (y)⊕ F−1
k (y′) = δr}.C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 9 / 21
Finding good di�erentialsDi�erentials and di�erential trails
S0S1S2S3
S0S1S2S3
S0S1S2S3
C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 10 / 21
Finding good di�erentialsDi�erentials and di�erential trails
S0S1S2S3
S0S1S2S3
S0S1S2S3S3
1-round di�erential(δ0, δ1)
δ0 = 0x8000,
δ1 = 0x8000
C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 10 / 21
Finding good di�erentialsDi�erentials and di�erential trails
S0S1S2S3
S0S1S2S3
S0S1S2S3S3
S3
2-round di�erential trail(δ0, δ1, δ2)
δ0 = 0x8000,
δ1 = 0x8000,
δ2 = 0x8000Trail probability for Markov iphers:Pr [δ0 → δ1 → δ2] = Pr [δ0 → δ1]·Pr [δ1 → δ2] .C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 10 / 21
Finding good di�erentialsDi�erentials and di�erential trails
S0S1S2S3
S0S1S2S3
S0S1S2S3S3
S3
S3
3-round di�erential trail(δ0, δ1, δ2, δ3)
δ0 = 0x8000,
δ1 = 0x8000,
δ2 = 0x8000,
δ3 = 0x8000.
C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 10 / 21
Finding good di�erentialsDi�erentials and di�erential trails
S0S1S2S3
S0S1S2S3
S0S1S2S3S3
S3
S3
S2 S1 S0
(0x8000, 0x8000, 0x8000, 0x8000)
(0x8000, 0x0800, 0x4000, 0x8000)
(0x8000, 0x0080, 0x2000, 0x8000)
(0x8000, 0x0008, 0x1000, 0x8000)C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 10 / 21
Finding good di�erentialsDi�erentials and di�erential trails
S0S1S2S3
S0S1S2S3
S0S1S2S3S3
S3
S3
S1
(0x8000, 0x8080, 0xA000, 0x8000)
Pr [0x8080 → 0xA000] = (Pr [0x8 → 0x8])2 .More a tive S-boxes ⇒ smaller trail proba-bility.C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 10 / 21
Finding good di�erentialsDi�erentials and di�erential trails
S0S1S2S3
S0S1S2S3
S0S1S2S3S3
S3
S3
S1
◮ The di�erential probability is the sumof trail probabilities:Pr [δ0 → δ3] =
∑
δ1,δ2
Pr [δ0 → δ1 → δ2 → δ3] .
◮ Lower-bound by onsidering mostsigni� ant trails.◮ Signi� ant trails obtained usingBran h-and-Bound.C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 10 / 21
Extensions of di�erential ryptanalysisMany extensions:◮ inverting r′ > 1 last rounds;◮ using more di�erentials;◮ using impossible di�erentials;◮ using unlikely di�erentials;◮ using higher order di�erentials;◮ using trun ated di�erentials;◮ . . .
C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 11 / 21
Extensions of di�erential ryptanalysisMany extensions:◮ inverting r′ > 1 last rounds;◮ using more di�erentials;◮ using impossible di�erentials;◮ using unlikely di�erentials;◮ using higher order di�erentials;◮ using trun ated di�erentials;◮ . . .
C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 11 / 21
SummaryIntrodu ing PUFFIN1/2 and PRESENTBasi s of di�erential ryptanalysisA �rst glan e at PUFFIN1/2 di�erential resistan eAtta ks on PUFFIN and PUFFIN2Con lusion
PRESENT permutation layer di�usionS0
S0S4S8S12
S0S1S2S3S4S5S6S7S8S9S10S11S12S13S14S15
C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 12 / 21
PUFFIN1/2 permutation layer di�usionS11
S3S5S9S13
S0S4S4S4S8S10S10S10S11S11S11S11S12S13S14S14
S0S0S0S1S1S3S3S3S3S4S4S5S5S5S5S6S8S8S9S9S9S9S10S11S12S13S13S13S13S14S14S15
S0S0S0S0S1S1S1S2S2S2S3S3S3S3S4S4S4S4S5S5S5S5S6S6S7S7S8S8S8S8S9S9S9S9S10S10S10S10S11S11S11S11S12S12S12S12S13S13S13S13S14S14S14S14S15S15C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 13 / 21
S-box di�erential uniformityDi�erential uniformityδ(a, b)
def= #{x ∈ F
d2, Sbox(x)⊕ Sbox(x⊕ a) = b}.
δ(Sbox)def= max
a,b6=0
δ(a, b).Criterion for evaluating S-box resistan e against di�erential ryptanalysis. For s a tive S-boxesTrail probability ≤ (δ(Sbox)
2d
)s
.For PRESENT and PUFFIN S-boxes, δ(Sbox) = 4 (optimal).C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 14 / 21
PRESENT S-box di�erential table0 1 2 3 4 5 6 7 8 9 a b d e f0 16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 01 0 0 0 4 0 0 0 4 0 4 0 0 0 4 0 02 0 0 0 2 0 4 2 0 0 0 2 0 2 2 2 03 0 2 0 2 2 0 4 2 0 0 2 2 0 0 0 04 0 0 0 0 0 4 2 2 0 2 2 0 2 0 2 05 0 2 0 0 2 0 0 0 0 2 2 2 4 2 0 06 0 0 2 0 0 0 2 0 2 0 0 4 2 0 0 47 0 4 2 0 0 0 2 0 2 0 0 0 2 0 0 48 0 0 0 2 0 0 0 2 0 2 0 4 0 2 0 49 0 0 2 0 4 0 2 0 2 0 0 0 2 0 4 0a 0 0 2 2 0 4 0 0 2 0 2 0 0 2 2 0b 0 2 0 0 2 0 0 0 4 2 2 2 0 2 0 0 0 0 2 0 0 4 0 2 2 2 2 0 0 0 2 0d 0 2 4 2 2 0 0 2 0 0 2 2 0 0 0 0e 0 0 2 2 0 0 2 2 2 2 0 0 2 2 0 0f 0 4 0 0 4 0 0 0 0 0 0 0 0 0 4 4C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 15 / 21
PRESENT S-box di�erential table0 1 2 3 4 5 6 7 8 9 a b d e f0 16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 01 0 0 0 4 0 0 0 4 0 4 0 0 0 4 0 02 0 0 0 2 0 4 2 0 0 0 2 0 2 2 2 03 0 2 0 2 2 0 4 2 0 0 2 2 0 0 0 04 0 0 0 0 0 4 2 2 0 2 2 0 2 0 2 05 0 2 0 0 2 0 0 0 0 2 2 2 4 2 0 06 0 0 2 0 0 0 2 0 2 0 0 4 2 0 0 47 0 4 2 0 0 0 2 0 2 0 0 0 2 0 0 48 0 0 0 2 0 0 0 2 0 2 0 4 0 2 0 49 0 0 2 0 4 0 2 0 2 0 0 0 2 0 4 0a 0 0 2 2 0 4 0 0 2 0 2 0 0 2 2 0b 0 2 0 0 2 0 0 0 4 2 2 2 0 2 0 0 0 0 2 0 0 4 0 2 2 2 2 0 0 0 2 0d 0 2 4 2 2 0 0 2 0 0 2 2 0 0 0 0e 0 0 2 2 0 0 2 2 2 2 0 0 2 2 0 0f 0 4 0 0 4 0 0 0 0 0 0 0 0 0 4 4C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 15 / 21
PUFFIN1/2 S-box di�erential table0 1 2 3 4 5 6 7 8 9 a b d e f0 16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 01 0 2 0 4 0 0 2 0 0 0 2 4 0 2 0 02 0 0 0 0 0 4 0 0 2 0 4 2 0 2 2 03 0 4 0 0 2 0 2 0 2 0 0 2 0 0 2 24 0 0 0 2 4 0 2 0 0 2 0 0 0 2 2 25 0 0 4 0 0 2 0 2 0 0 0 0 0 2 4 26 0 2 0 2 2 0 2 0 2 0 2 0 2 0 2 07 0 0 0 0 0 2 0 2 2 2 0 4 2 0 0 28 0 0 2 2 0 0 2 2 0 2 2 0 2 0 0 29 0 0 0 0 2 0 0 2 2 4 2 0 2 2 0 0a 0 2 4 0 0 0 2 0 2 2 2 0 2 0 0 0b 0 4 2 2 0 0 0 4 0 0 0 0 2 2 0 0 0 0 0 0 0 0 2 2 2 2 2 2 0 0 2 2d 0 2 2 0 2 2 0 0 0 2 0 2 0 4 0 0e 0 0 2 2 2 4 2 0 0 0 0 0 2 0 0 2f 0 0 0 2 2 2 0 2 2 0 0 0 2 0 2 2C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 16 / 21
PUFFIN1/2 S-box di�erential table0 1 2 3 4 5 6 7 8 9 a b d e f0 16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 01 0 2 0 4 0 0 2 0 0 0 2 4 0 2 0 02 0 0 0 0 0 4 0 0 2 0 4 2 0 2 2 03 0 4 0 0 2 0 2 0 2 0 0 2 0 0 2 24 0 0 0 2 4 0 2 0 0 2 0 0 0 2 2 25 0 0 4 0 0 2 0 2 0 0 0 0 0 2 4 26 0 2 0 2 2 0 2 0 2 0 2 0 2 0 2 07 0 0 0 0 0 2 0 2 2 2 0 4 2 0 0 28 0 0 2 2 0 0 2 2 0 2 2 0 2 0 0 29 0 0 0 0 2 0 0 2 2 4 2 0 2 2 0 0a 0 2 4 0 0 0 2 0 2 2 2 0 2 0 0 0b 0 4 2 2 0 0 0 4 0 0 0 0 2 2 0 0 0 0 0 0 0 0 2 2 2 2 2 2 0 0 2 2d 0 2 2 0 2 2 0 0 0 2 0 2 0 4 0 0e 0 0 2 2 2 4 2 0 0 0 0 0 2 0 0 2f 0 0 0 2 2 2 0 2 2 0 0 0 2 0 2 2C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 16 / 21
Best di�erential trails and se urity marginsBest di�erential trails:◮ 14-round PRESENT: 2−62,◮ 14-round PUFFIN1/2 : 2−28,◮ 31-round PUFFIN1/2 : 2−62.Best known di�erential atta k:◮ 18-round PRESENT,◮ ?31+4?-round PUFFIN1/2 .
C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 17 / 21
SummaryIntrodu ing PUFFIN1/2 and PRESENTBasi s of di�erential ryptanalysisA �rst glan e at PUFFIN1/2 di�erential resistan eAtta ks on PUFFIN and PUFFIN2Con lusion
Using a single di�erentialAtta ks on PUFFIN (32 rounds / 128-bit key)r′ Pr [δ0 → δr] N Time C. PS
3 2−53.59 257.49 285.10 0.754 2−52.07 256.04 276.84 0.795 2−49.71 252.45 2101.95 0.85Atta ks on PUFFIN2 (34 rounds / 80-bit key)r′ Pr [δ0 → δr] N Time C. PS
3 2−57.90 261.25 261.35 0.754 2−56.35 259.47 260.07 0.635 2−53.59 255.60 270.21 0.87C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 18 / 21
Atta ks proposed on PUFFIN and PUFFIN2Atta ks on PUFFIN (32 rounds / 128-bit key)r′ |∆| N Time C. PS
4 830 252.16 295.40 0.775 954 249.42 2108.84 0.59Atta ks on PUFFIN2 (34 rounds / 80-bit key)r′ |∆| N Time C. PS
4 115 255.58 264.66 0.585 210 252.30 274.78 0.78- Both PUFFIN and PUFFIN2 are broken.- Are 36 rounds safe ?C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 19 / 21
Atta ks proposed on PUFFIN and PUFFIN2Atta ks on PUFFIN (32 rounds / 128-bit key)r′ |∆| N Time C. PS
4 830 252.16 295.40 0.775 954 249.42 2108.84 0.59Atta ks on PUFFIN2 (34 rounds / 80-bit key)r′ |∆| N Time C. PS
4 115 255.58 264.66 0.585 210 252.30 274.78 0.78- Both PUFFIN and PUFFIN2 are broken.- Are 36 rounds safe ?
◮ No: at least 39 rounds are required.C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 19 / 21
SummaryIntrodu ing PUFFIN1/2 and PRESENTBasi s of di�erential ryptanalysisA �rst glan e at PUFFIN1/2 di�erential resistan eAtta ks on PUFFIN and PUFFIN2Con lusion
Con lusion ipher (key bits) rnds Data C. Time C. Su ess P.PUFFIN (128) 32 258 2124 > 0.25 [Leander11℄PUFFIN (128) 32 252.16 295.40 0.77 this workPUFFIN (128) 32 249.42 2108.84 0.59 this workPUFFIN2 (80) 34 255.58 264.66 0.58 this workPUFFIN2 (80) 34 252.30 274.78 0.78 this workPUFFIN and PUFFIN2 were laimed to be se ure against linear anddi�erential atta ks.Why ?x Only onsidering one di�erential trail.x Impli itly assuming that atta ker will only invert one round.C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 20 / 21
Di�erentials used, probability estimates . . .. . . and matlab ode an be found on my website.www.benoitgerard. om/LC2011.html
C. Blondeau and B. Gérard Di�erential ryptanalysis of PUFFIN and PUFFIN2 21 / 21
