The PRINCE cipher is the result of a cooperation between the Technical University of Denmark (DTU), NXP Semiconductors and the Ruhr University Bochum. The cipher was designed to reach an extremely low-latency encryption and instant response time. PRINCE has already gained a lot of attention from the academic community, however, most of the attacks are theoretical, usually with very high time or data complexity. Our work helps to fill the gap in more practically oriented attacks, with more realistic scenarios and complexities. We present new attacks, up to 7 rounds, relying on integral and higher-order differential cryptanalysis.A need of low-cost cryptosystems for several fast-growing applications, such as RFID tags, sensor networks or Internet of Things, has drawn great attention to the area of lightweight cryptographic primitives over the last decade. It has been a vibrant research area, where a good trade-off between security and efficiency is a particularly challenging task. Some well established algorithms (e.g., AES[5]) may not meet the basic requirements of constrained devices -low cost hardware implementation, low power usage and latency.Recently, at Asiacrypt 2012 conference, a new lightweight block cipher called PRINCE has been proposed [2]. PRINCE is the result of a cooperation between the Technical University of Denmark (DTU), NXP Semiconductors and the Ruhr University Bochum. The cipher was designed to reach an extremely low-latency encryption and instant response time. These requirements are highly desirable for applications such as instant authentication or block-wise read/write access to memory devices, e.g., in solid-state hard disks.For PRINCE -a serious proposal with a clear motivation from industry -it is very important to estimate the security margin, particularly for practical settings, regarding a future deployment of the cipher. Too conservative design (e.g., too many rounds) might result in the algorithm below industry expectations. On the other hand, insufficient level of security will make the users and customers reluctant to deploy and use the algorithm.PRINCE has already gained a lot of attention from the academic community and some interesting cryptanalysis has been published [3,7,10,11]. However, most of the attacks are theoretical, usually with very high time or data complexity. To spur on more practically oriented research, PRINCE designers launched 'PRINCE challenge' [1] -a competition where cryptanalysts are encouraged to find key recovery attacks with time complexity below 2 64 and a number of plaintexts set to a more realistic scenario.Our contribution helps to fill the gap in the practical attacks on PRINCE, giving a better estimation of the security margin. Table 1 summarizes our results.
Related workAs stated, most of published work on PRINCE are theoretical attacks. Though, there are a few attack with practical complexities. In [7], the integral attack was described, up to 6 rounds.