Impossible Differential Analysis on 8-Round PRINCE

PRINCE is a lightweight block cipher, which was proposed by Borghoff et al. in Asiacrypt 2012. Various cryptanalytic techniques have been employed to evaluate the security of PRINCE. In 2017, Ding et al. constructed a 4-round impossible differential based on some observations on M′ operation and launched impossible differential attacks on 6- and 7-round PRINCE and the underlying PRINCEcore. In this paper, we explore the differential distribution table (DDT) of the S-box employed in PRINCE and construct a more detailed DDT which contains the input/output values corresponding to each differential. Taking advantage of the table, we compute the subkeys instead of guessing them. With this technique, we extend the impossible differential attacks of PRINCE and PRINCEcore to eight rounds. The corresponding computational and complexities are \( 2^{110.7} \) and \( 2^{62.26} \) encryptions, respectively, which are much less than exhaustive search. And the data complexities are \( 2^{64} \) and \( 2^{60} \) chosen plaintexts, respectively.