Cryptanalysis of full PRIDE block cipher

PRIDE is a lightweight block cipher proposed at CRYPTO 2014 by Albrecht et al., who claimed that the construction of linear layers is efficient and secure. In this paper, we investigate the key schedule and find eight 2-round iterative related-key differential characteristics, which can be used to construct 18-round related-key differentials. A study of the first subkey derivation function reveals that there exist three weak-key classes, as a result of which all the differences of subkeys for each round are identical. For the weak-key classes, we also find eight 2-round iterative related-key differential characteristics. Based on one of the related-key differentials, we launch an attack on the full PRIDE block cipher. The data and time complexity are 2³⁹ chosen plaintexts and 2⁹² encryptions, respectively. Moreover, by using multiple related-key differentials, we improve the cryptanalysis, which then requires 2^41.6 chosen plaintexts and 2^42.7 encryptions, respectively. Finally, we use two 17-round related-key differentials to analyze full PRIDE, which requires 2³⁵ plaintexts and 2^54.7 encryptions. These are the first results on full PRIDE, and show that the PRIDE block cipher is not secure against related-key differential attack.