improved biclique cryptanalysis of the lightweight block...
TRANSCRIPT
Research ArticleImproved Biclique Cryptanalysis of the Lightweight BlockCipher Piccolo
Guoyong Han12 andWenying Zhang1
1School of Information Science and Engineering Shandong Normal University Jinan China2School of Management Engineering Shandong Jianzhu University Jinan China
Correspondence should be addressed to Wenying Zhang wenyingzhsohucom
Received 6 June 2016 Accepted 12 February 2017 Published 2 March 2017
Academic Editor Nidal Nasser
Copyright copy 2017 Guoyong Han and Wenying Zhang This is an open access article distributed under the Creative CommonsAttribution License which permits unrestricted use distribution and reproduction in any medium provided the original work isproperly cited
Biclique cryptanalysis is a typical attack through finding a biclique which is a type of bipartite diagram to reduce the computationalcomplexity By investigating the subkey distribution and the encryption structure we find out a weakness in the key schedule ofPiccolo-80 A 6-round biclique is constructed for Piccolo-80 and a 7-round biclique for Piccolo-128 Then a full round bicliquecryptanalysis of Piccolo is presented The results of the attacks are with data complexity of 240 and 224 chosen ciphertexts and withcomputational complexity of 27922 and 212714 respectively They are superior to other known results of biclique cryptanalytic onPiccolo
1 Introduction
In ASIACRYPT 2011 Bogdanov et al proposed a bicliqueon recovering the keys of the full AES-128192256 [1]which is a type of meet-in-the-middle attack and the recentcryptanalysis technique of block ciphers In [1] they gavetwo techniques by constructing bicliques for AES One is theindependent related-key differentials biclique and the other isthe long biclique Soon after the paper was published a greatdeal of cryptanalytical results on the other block ciphers weresuggested
The crucial issue of the technology is to construct a supe-rior biclique structure at the ciphertext (or plaintext) In abiclique one top set comprises 21198891 ciphertexts (or plaintexts)while the other set is composed of 21198892 intermediate states If1198891 = 1198892 = 119889 the biclique structure is called a d-dimension(119889 = 1198891 = 1198892 = 8 in this paper) In some constrainedenvironments for example RFID tags or sensor nodes thesize of the secret key is typically 64 80 or 128 bits A lotof attacks on lightweight block cipher by using biclique havebeen published such as Piccolo [2] IDEA [3] HIGHT [4 5]LED [6] PRESENT [7 8] TWINE [9 10] and KLEIN [11]
The meet-in-the-middle (MITM) attack is a represen-tative method which is used in the security evaluation of
block cipher and its exceptional property is only a minimaldata complexity In recent years many varieties emerged forexample 3-subset MITM [12] Many methods carry out thepreimage attack to the hash function [13] and they consistof spice-and-cut frame and partial matching and so forthUsing the key expansion algorithm opponent can construct astructure and pick out wrong keys through partial matchingwhich is the important idea of the method
Piccolo is a 64-bit block cipher In accordance withthe different length of the key we signify the ciphers byPiccolo-80128 respectively [14] In ISPEC 2012 Wang etal presented a biclique attack on reduced round Piccolo[2] They attacked a 25-round Piccolo-80 with 248 chosenplaintexts and 27895 computations In the case of a 28-round Piccolo-128 this attack required 224 chosen plaintextsand 212679 computations However the authors consideredPiccolo-80 without the postwhitening key and Piccolo-128without the prewhitening key In [5] Song et al proposeda full round biclique cryptanalysis on Piccolo-80 demanding248 chosen plaintexts and 27934 computations and on Piccolo-128 requiring 224 chosen plaintexts and 212736 computationsIn [15] we find two faults which are detailed in Section 41in this paper Compared to these results ours are superior totheirs
HindawiSecurity and Communication NetworksVolume 2017 Article ID 7589306 12 pageshttpsdoiorg10115520177589306
2 Security and Communication Networks
Table 1 Summary of previous results of different method on Piccolo
Piccolo-80 rounds Piccolo-128 rounds Method Reference7 7 Differential Reference [14]8 8 Linear Reference [14]9 9 Boomerang Reference [14]9 9 Impossible differential Reference [14]14 21 MITM Reference [17]19 23 MITM expectation Reference [14]25 28 Biclique cryptanalysis Reference [2]25 31 Biclique cryptanalysis This paper
Table 2 Summary of biclique cryptanalytic results on Piccolo
Target algorithm Round Data Computations Attack type ReferencePiccolo-80 25 (without the postwhitening key) 248 27895 Biclique Reference [2]Piccolo-80 25 (full) 248 27934 Biclique Reference [5]Piccolo-80 25 (full) 240 27922 Biclique Section 42Piccolo-128 28 (without the prewhitening key) 224 212679 Biclique Reference [2]Piccolo-128 31 (full) 248 212736 Biclique Reference [5]Piccolo-128 31 (full) 224 212714 Biclique Section 43Piccolo-128 31 (full) 28 212730 Biclique Section 44
In this paper we detect a weakness in the key scheduleon Piccolo-80 that is the round key rk47 can offset the post-whitening key partially Based on this the data complexitycan be decreased greatly We apply some observations onPiccolo in [16] and construct an independent related-keydifferentials biclique for the last several rounds Then an 8-dimensional biclique structure of 6 rounds is constructedfor Piccolo-80 and an 8-dimensional biclique structure of7 rounds for Piccolo-128 The attacks are respectively withdata complexity of 240 and 224 and with computationalcomplexity of 27922 and 212714 which are the best resultscurrently The attack results on Piccolo are summarized inTables 1 and 2
The structure of the paper is as follows Section 2describes the structures of Piccolo-80 and Piccolo-128 Sec-tion 3 introduces briefly biclique cryptanalysis Then Sec-tion 4 presents the cryptanalysis with an 8-dimensionalbiclique of 6 rounds on full round Piccolo-80 and with abiclique structure of 7 rounds on full round Piccolo-128 Thedata complexity and computational complexity on Piccolo-80and Piccolo-128 are given respectively Finally we draw ourconclusion in Section 5
2 Piccolo Specifications
21 Notations
oplus bit-wise exclusive or (XOR)119903 iterative rounds concatenation119870[119894] the 119894th 16-bit group of the key 119870 (0 le 119894 le 4 forPiccolo-80 0 le 119894 le 7 for Piccolo-128)
WK119894 the 16-bit whitening key (0 le 119894 le 3)rk119894 the 16-bit round key (0 le 119894 le 49 for Piccolo-800 le 119894 le 61 for Piccolo-128)con80119894 a 16-bit round constant119886(119887) 119887 denoting the bit length of 119886119875 64-bit plaintext 119875 including four 16-bit words119875[119894] (0 le 119894 le 3)119862 64-bit ciphertext 119862 including four 16-bit words119862[119894] (0 le 119894 le 3)119865119903119894119895(64) the 119894th and 119895th byte of the state after F-Function in 119903th round
22 Description of Piccolo The structure of Piccolo is avariation of generalized Feistel as shown in Figure 1 Piccolo-80128 supports 80-bit and 128-bit key sizes along with 25 and31 rounds respectively
The detailed descriptions of Piccolo are in [14] and eachround of Piccolo consists of the following 3 steps
(1) F-Function (FF) 0 116 rarr 0 116 being composedof two S-box layers and a diffusion matrixM
(2) AddRoundKey (AK) the 64-bit intermediate stateXORs a round key
(3) RoundPermutation (RP) which splits a 64-bit inputinto eight bytes and then maps them
23 Key Schedule The key schedule of Piccolo is straightfor-ward and simple Firstly the 80-bit master key of Piccolo-80 is represented by concatenation of five 2 bytes that is119870 = 119870[0] 119870[1] 119870[2] 119870[3] 119870[4] where 119870[119895] =
Security and Communication Networks 3
P[0](16) P[1](16) P[2](16) P[3](16)
C[0](16) C[1](16) C[2](16) C[3](16)
F
F
F
F
F
F
F
F
Round 0
Round 1
Round r minus 2
Round r minus 1
WK0(16)
WK2(16)
rk0(16)
rk2(16)
rk2rminus2
rk2r
WK1(16)
WK3(16)
rk1(16)
rk3(16)
rk2rminus1
rk2r+1
Figure 1 The structure of Piccolo
(119870[119895]119871119870[119895]119877)The whitening keys (WK0WK1WK2WK3)and the subkey (rk2119894 rk2119894+1) of 25 rounds are engendered asfollows
WK0 = 119870[0]119871 119870[1]119877 WK1 = 119870[1]119871 119870[0]119877 WK2= 119870[4]119871 119870[3]119877 WK3 = 119870[3]119871 119870[4]119877For 119894 = 0 to 119903 minus 1(rk2119894 rk2119894+1)= (con802119894 con802119894+1)
oplus
(119870 [2] 119870 [3]) (119894 mod 5) equiv 0 or 2
(119870 [0] 119870 [1]) (119894 mod 5) equiv 1 or 4(119870 [4] 119870 [4]) (119894 mod 5) equiv 3
(1)
For Piccolo-128 the distribution of subkey is similar tothat of Piccolo-80 The 128-bit master key is denoted by 119870 =119870[0] 119870[1] 119870[2] 119870[3] 119870[4] 119870[5] 119870[6] 119870[7] where 119870[119895]= (119870[119895]119871 119870[119895]119877) The whitening keys and31-round subkey are computed as follows
WK0 = 119870[0]119871 119870[1]119877 WK1 = 119870[1]119871 119870[0]119877 WK2= 119870[4]119871 119870[7]119877 WK3 = 119870[7]119871 119870[4]119877For 119894 = 0 to 2119903 minus 1
if ((i + 2) mod 8 equiv 0) then
(119870[0] 119870[1] 119870[2] 119870[3] 119870[4] 119870[5] 119870[6] 119870[7]) = (119870[2] 119870[1] 119870[6] 119870[7] 119870[0] 119870[3] 119870[4] 119870[5])
rk119894 = 119870[(119894 + 2) mod 8] oplus con128119894 The specific subkeys of Piccolo-80128 are illustrated in
Table 3
3 Biclique Attack on Piccolo
31 Definition of Biclique Biclique cryptanalysis is an attackbased on MITM The major idea is to build bicliques on thetarget subcipher and promote the computational efficiencyThe basic principles of the biclique attack are explained in [1]Let 119891 be a several-round subcipher and 119891minus1 is the inverse of119891 The 119891 maps 2119889 intermediate states 119878119895 to 2119889 ciphertexts119862119894 with 22119889 keys 119870[119894119895]
119870[119894119895] =[[[[[
119870[00] 119870[01] sdot sdot sdot 119870[02119889minus1] d
119870[2119889minus10] 119870[2119889minus11] sdot sdot sdot 119870[2119889minus12119889minus1]
]]]]] (2)
The 3-tuple [119862119894 119878119895 119870[119894119895]] is named a biclique withd-dimension if
119862119894 = 119891119870[119894119895] (119904119895) forall119894 119895 isin 0 1119889 (3)
To avoid duplication we do not explicate the detailedattack basis but three stages of the attack are described inmore detail
32 Biclique Cryptanalysis of Piccolo-80
321 Phase 1 Key Partitioning For greater clarity we dividethe key into 264 groups which have 216 keys The 119870[00]enumerates 64-bit keys and fixes 16-bit keys with 016 Asdepicted in Section 23 each round has 32-bit subkey whichis generated by master keys K[i] and K[j] By investigatingthe subkey distribution (Table 3) an 8-dimensional bicliquestructure of 6 rounds is constructed by each right half of119870[4]and 119870[2] that is 119870[4]119877 and 119870[2]119877 We find 119870[4]119877 of theround key rk47 can offset 119870[4]119877 of the postwhitening key soit can decrease the data complexity greatly By calculation thecomputational complexity is optimal so far
The keys 119870[00] 119870[0119895] 119870[1198940] and 119870[119894119895] of each group aredepicted as shown below
119870[00] = [119883119883119883119883119883119860119883119883119883119860] where 119883 isin 0 18 119860 = 011990900
119870[0119895] = 119870[00] oplus [00 00 0119895 00 00]
where 119895 isin 0 18
4 Security and Communication Networks
Table 3 Key schedule of Piccolo
Piccolo-80 Piccolo-128Round i Round key Master key Round i Round key Master keyInitial (WK0WK1) (119870[0]119871 119870[1]119877 119870[1]119871 119870[0]119877) Initial (WK0WK1) (119870[0]119871 119870[1]119877 119870[1]119871 119870[0]119877)0 (rk0 rk1) (119870[2] 119870[3]) 0 (rk0 rk1) (119870[2] 119870[3])1 (rk2 rk3) (119870[0] 119870[1]) 1 (rk2 rk3) (119870[4] 119870[5])2 (rk4 rk5) (119870[2] 119870[3]) 2 (rk4 rk5) (119870[6] 119870[7])3 (rk6 rk7) (119870[4] 119870[4]) 3 (rk6 rk7) (119870[2] 119870[1])4 (rk8 rk9) (119870[0] 119870[1]) 4 (rk8 rk9) (119870[6] 119870[7])5 (rk10 rk11) (119870[2] 119870[3]) 5 (rk10 rk11) (119870[0] 119870[3])6 (rk12 rk13) (119870[0] 119870[1]) 6 (rk12 rk13) (119870[4] 119870[5]) 18 (rk36 rk37) (119870[4] 119870[4]) 24 (rk48 rk49) (119870[4] 119870[3])19 (rk38 rk39) (119870[0] 119870[1]) 25 (rk50 rk51) (119870[2] 119870[5])20 (rk40 rk41) (119870[2] 119870[3]) 26 (rk52 rk53) (119870[0] 119870[7])21 (rk42 rk43) (119870[0] 119870[1]) 27 (rk54 rk55) (119870[4] 119870[1])22 (rk44 rk45) (119870[2] 119870[3]) 28 (rk56 rk57) (119870[0] 119870[7])23 (rk46 rk47) (119870[4] 119870[4]) 29 (rk58 rk59) (119870[6] 119870[3])24 (rk48 rk49) (119870[0] 119870[1]) 30 (rk60 rk61) (119870[2] 119870[5])Final (WK2WK3) (119870[4]119871 119870[3]119877 119870[3]119871 119870[4]119877) Final (WK2WK3) (119870[4]119871 119870[7]119877 119870[7]119871 119870[4]119877)
119870[1198940] = 119870[00] oplus [00 00 00 00 0119894] where 119894 isin 0 18
(4)Finally
119870[119894119895] = 119870[00] oplus 119870[0119895] oplus 119870[1198940]= 119870[00] oplus [00 00 0119895 00 0119894]
(5)
Thus the space of119870 is divided into 264 groups of 216 keyseach
322 Phase 2 8-Dimensional Biclique Structure of 6 RoundsWe construct an 8-dimensional biclique structure of 6 roundsfor Piccolo-80 with whitening keys for each group (Fig-ure 2) The biclique structure connects 28 ciphertexts to 28intermediate states in each group of keys The process ofcalculating the ciphertexts and intermediate states consists ofthe following 3 steps
Step 1 Let 1198620 = 0(64) and decrypt 1198620 for 6 rounds to obtain1198780 (Figure 2(a)) that is 1198780 = 119891minus1119870[00](1198620) The procedure isnamed basic calculation
Step 2 In order to get the corresponding ciphertext 119862119894encrypt 1198780 using different keys 119870[1198940] for 119894 isin 0 18 (Fig-ure 2(c)) The differences between 119870[1198940] and 119870[00] can leadto the gray intermediate statesrsquo differences and cause thecomputational complexity The gray intermediate states needto be computed 28minus1 times whereas the remaining states arecalculated just once because they have been already computed
in Step 1 This step derives 119891(1198780) 119870[1198940]997888997888997888rarr 119862119894
Step 3 To get the corresponding states 119878119895 decrypt 1198620 usingdifferent keys 119870[0119895] for 119895 isin 0 18 (Figure 2(b)) Thedifferences between119870[0119895] and119870[00] can bring about the grayintermediate statesrsquo differences The gray intermediate statesneed to be computed 28 minus 1 times whereas the remaining
states have been already computed As a result119891minus1(1198620)119870[0119895]997888997888997888997888rarr
(119878119895) has been constructed
Thanks to the simplicity of the distribution of the subkeyof Piccolo the two differential paths do not share any active
state Fortunately it is so easy to verify that 119891(119878119895)119870[119894119895]997888997888997888rarr 119862119894 is
always true for all 119894 119895 isin 0 18 Up to now for each key groupwe get a corresponding 8-dimensional biclique structure asdiscussed above
From Figure 2 we find a weakness in the key scheduleof Piccolo-80 that is 119870[4]119877 of the round key rk47 canoffset 119870[4]119877 of the postwhitening key So it can reduce thedata complexity greatly The calculations of complexities arepresented in Section 42
323 Phase 3 Meeting in the Middle over 19 Rounds Choosea 16-bit internal state (119881 = 119865914) after F-Function in round9 as the intermediate matching variable (see Figure 3) Thechoice is made according to the total number of F-Functionand an effective filtering of the wrong keys Next we calculatethese matching variates in both directions in order to obtainthe accurate key
Backward Direction Each value of the state 119878119895 is decryptedunder the key 119870[0119895] to derive larr9978889978881198810119895
119870[0119895]larr997888997888997888997888 119878119895 After that
Security and Communication Networks 5
S0
C0
F
F
F
F
F
F
F
F
F
F
F
F
19
20
21
22
23
24K[4]LK[3]R
K[0]LK[0]R
K[2]LK[2]R
K[0]LK[0]R
K[2]LK[2]R
K[4]LK[4]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[1]LK[1]R
K[3]LK[3]R
K[4]LK[4]R
K[1]LK[1]R
K[3]LK[4]R
(a)
Sj
C0
F
F
F
F
F
F
F
F
F
F
F
F
K[4]LK[3]R
K[0]LK[0]R
K[2]LK[2]R
K[0]LK[0]R
K[2]LK[2]R
K[4]LK[4]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[1]LK[1]R
K[3]LK[3]R
K[4]LK[4]R
K[1]LK[1]R
K[3]LK[4]R
K|2|R
activ
e
(b)
S0
Ci
F
F
F
F
F
F
F
F
F
F
F
F
K[4]LK[3]R
K[0]LK[0]R
K[2]LK[2]R
K[0]LK[0]R
K[2]LK[2]R
K[4]LK[4]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[1]LK[1]R
K[3]LK[3]R
K[4]LK[4]R
K[1]LK[1]R
K[3]LK[4]R
rk47
rk49
WK2 WK3
K|4|R
activ
e
(c)
Figure 2 6-round biclique construction of dimension 8 in Piccolo-80
119878119895 is decrypted using all the possible 2119889 minus 1 keys 119870[119894119895] toget larr997888997888119881119894119895
119870[119894119895]larr997888997888997888 119878119895 Because of the same beginning the key dif-ferences between119870[0119895] and119870[119894119895] can cause the computationalcomplexity On Figure 3(b) the gray bytes are active and thewhite bytes need not be computed
Forward Direction The procedure of forward direction is abit more complex than the backward direction in calculationFirstly we decrypt the ciphertexts 119862119894 for 119894 isin 0 18 toobtain 28 plaintexts 119875119894 Secondly each 119875119894 is encrypted under
the key 119870[1198940] to derive 119875119894 119870[1198940]997888997888997888rarr 997888997888rarr1198811198940 After that 119875119894 isencrypted using all the possible 2119889 minus 1 keys 119870[119894119895] to obtain
119875119894119870[119894119895]997888997888997888rarr 997888997888rarr119881119894119895 The differences between 119870[1198940] and 119870[119894119895] can
influence the computational complexity On Figure 3(a)the gray bytes are active and the white bytes need not becomputed
Search Candidates In the last session of the attack theadversary verifies the rest candidate key by the equality of 997888997888rarr119881119894119895andlarr997888997888119881119894119895 for all 119894 119895 isin 0 18 in each group exhaustively untilthe right key is discovered
33 Biclique Cryptanalysis of Piccolo-128
331 Phase 1 Key Partitioning We divide the 128-bit keyinto 2112 groups 119870[00] enumerates 112-bit keys and fixes 16-bit keys with 016 By investigating the subkey distribution(Table 3) an 8-dimensional biclique structure of 7 rounds isconstructed by each left half of 119870[6] and 119870[7] that is 119870[6]119871and119870[7]119871 The computational complexity of this structure isless than othersrsquo
Similar to Piccolo-80 the keys 119870[00] 119870[0119895] 119870[1198940] and119870[119894119895] of each group are depicted as shown below
119870[00] = [119883119883119883119883119883119883119883119883119883119883119883119883119860119883119860119883] where 119883 isin 0 18 119860 = 011990900
119870[0119895] = 119870[00] oplus [00 00 00 00 00 00 00 1198950] where 119895 isin 0 18
119870[1198940] = 119870[00] oplus [00 00 00 00 00 00 1198940 00] where 119894 isin 0 18
(6)
6 Security and Communication Networks
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
1
0
2
3
4
5
6
7
8
9
K[0]LK[1]R
K[2]LK[2]R
K[0]LK[0]R
K[2]LK[2]R
K[4]LK[4]R
K[0]LK[0]R
K[1]LK[0]R
K[3]LK[3]R
K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R
K[4]LK[4]RK[4]LK[4]R
K[1]LK[1]R
K|2|R
activ
e
Pi
Pi
K[i j]Vij
Is computed onceIs computed 28 times
(a)
Sj
Sj
F F
F F
F F
F F
F F
F F
F F
F F
F F10
11
12
13
14
15
16
17
18
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K[4]LK[4]R K[4]LK[4]R
K|4|R
activ
e
K[i j]Vij
Is computed onceIs computed 28 times
(b)
Figure 3 Recomputations in MITM for Piccolo-80
Security and Communication Networks 7
F F
F F
F F
F F
F F
F F
F F
25
24
26
27
28
29
30
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[2]LK[2]R K[5]LK[5]R
K[4]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R
K[6]LK[6]R
K[5]LK[5]R
K[7]LK[7]R
S0
C0
(a)
F F
F F
F F
F F
F F
F F
F F
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[2]LK[2]R K[5]LK[5]R
K[4]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R
K[6]LK[6]R
K[5]LK[5]R
K[7]LK[7]R
Sj
C0
K|7|L
activ
e
(b)
F F
F F
F F
F F
F F
F F
F F
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[2]LK[2]R K[5]LK[5]R
K[4]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R
K[6]LK[6]R
K[5]LK[5]R
K[7]LK[7]R
S0
Ci
K|6|L
activ
e
(c)
Figure 4 7-round biclique construction of dimension 8 in Piccolo-128
Finally
119870[119894119895] = 119870[00] oplus 119870[0119895] oplus 119870[1198940]= 119870[00] oplus [00 00 00 00 00 00 1198940 1198950]
(7)
Thus the key space of K is divided into 2112 groups of 216keys each
332 Phase 2 8-Dimensional Biclique Structure of 7 RoundsWe construct an 8-dimensional biclique structure of 7 roundsfor Piccolo-128 for each group (Figure 4) Here 119892 is subci-phers for round 24sim30 and 119892minus1 is the inverse of 119892The processof calculating the ciphertexts and intermediate states consistsof the following 3 steps
Step 1 Let 1198620 = 0(64) and decrypt 1198620 for 7 rounds to obtain1198780 (Figure 4(a)) that is 1198780 = 119892minus1119870[00](1198620)Step 2 Encrypt 1198780 using different keys 119870[1198940] for 119894 isin 0 18(Figure 4(c)) The differences between 119870[1198940] and 119870[00] can
influence the gray intermediate statesrsquo differences This step
derives 119892(1198780) 119870[1198940]997888997888997888rarr 119862119894Step 3 Decrypt 1198620 using different keys 119870[0119895] for 119895 isin 0 18(Figure 4(b)) The differences between 119870[0119895] and 119870[00] canbring about the gray intermediate statesrsquo differences As a
result 119892minus1(1198620)119870[0119895]997888997888997888997888rarr (119878119895) has been constructed
Thanks to the simplicity of the distribution of the subkey
of Piccolo-128 it is also very easy to verify that 119892(119878119895)119870[119894119895]997888997888997888rarr
119862119894 is always true for all 119894 119895 isin 0 18 Up to now for eachkey group we get a corresponding 8-dimensional bicliquestructure
333 Phase 3 Meeting in the Middle over 24 Rounds Select a16-bit internal state (119880 = 1198651214) after F-Function in round 12as the intermediatematching variable (see Figure 5) Next wecalculate these matching variates in both directions in orderto obtain the right key
8 Security and Communication Networks
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
1
0
2
3
4
5
678
9
10
11
12
K[0]LK[0]R
K[1]LK[1]R
K[1]LK[1]R
K[2]LK[2]R
K[2]LK[2]R
K[2]LK[2]R
K[3]LK[3]R
K[1]LK[0]RK[0]LK[1]R
K[3]LK[3]R
K[0]LK[0]R K[3]LK[3]R
K[0]LK[0]R K[3]LK[3]R
K[4]LK[4]R
K[4]LK[4]R
Pi
Pi
K[i j]
K[5]LK[5]R
K[6]LK[6]R K[7]LK[7]R
K[6]LK[6]R K[7]LK[7]R
K[7]LK[7]R
K|7|L
activ
e
Uij
Is computed onceIs computed 28 times
(a)
Sj
Sj
F F
F F
F F
F F
F F
F F
F F
F F13
14
15
16
171819
20
21
22
23
K[1]LK[1]R
K[1]LK[1]R
K[2]LK[2]R
K[2]LK[2]R
K[0]LK[0]R
K[0]LK[0]R
K[3]LK[3]RK[4]LK[4]R
K[i j]
K[5]LK[5]R
K[5]LK[5]RK[6]LK[6]R
K[6]LK[6]R
K[6]LK[6]R
K[7]LK[7]R
K[7]LK[7]R
K[7]LK[7]R
K|6|L
activ
e
Is computed onceIs computed 28 times
Uij
(b)
Figure 5 Recomputations in MITM for Piccolo-128
Backward Direction Each value of the state 119878119895 is decrypt-
ed under the key 119870[0119895] to obtain larr9978889978881198800119895119870[0119895]larr997888997888997888997888 119878119895 After
that 119878119895 is decrypted using all the possible 2119889 minus 1 keys
119870[119894119895] to get larr997888997888119880119894119895119870[119894119895]larr997888997888997888 119878119895 On Figure 5(b) the gray
bytes are active and the white bytes do not need to becomputed
Forward Direction Firstly we decrypt the ciphertexts 119862119894 for119894 isin 0 18 to obtain 28 plaintexts 119875119894 Secondly each 119875119894 isencrypted under the key 119870[1198940] to obtain 119875119894 119870[1198940]997888997888997888rarr 997888997888rarr1198801198940 Then119875119894 is encrypted using all the possible 2119889 minus 1 keys 119870[119894119895] to get
119875119894119870[119894119895]997888997888997888rarr 997888997888rarr119880119894119895 On Figure 5(a) the gray bytes are active and the
white bytes do not need to be computed
Security and Communication Networks 9
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
26
27
28
29
30
Sj
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
S0 S0
C0 C0
K|6|L
activ
e
K|2|L
activ
e
Ci[0] Ci[1] Ci[2] Ci[3]
Figure 6 5-round biclique construction of dimension 8 in Piccolo-128
Search Candidates In the last session of the attack theadversary verifies the equality of 997888997888rarr119880119894119895 and larr997888997888119880119894119895 for all 119894 119895 isin0 18 to discover the correct key34 Another Biclique Cryptanalysis of Piccolo-128 Similar toSection 33 we construct an 8-dimensional biclique structureof 5 rounds (26sim30) for Piccolo-128 by each left half of 119870[6]and119870[2] that is 119870[6]119871 and119870[2]119871 (Figure 6)
In the phase of meeting in the middle over 26 rounds weselect a 16-bit internal state (119880 = 1198651314) after F-Function inround 13 as the intermediate matching variable
4 Complexities
41 Comments on the Result of [15] Jeong et al appliedbiclique cryptanalysis to the lightweight block ciphers LEDPiccolo and PRESENT in [15] They used the concept ofindependent-biclique which included constructing bicliquestructure by independent related-key differentials andmatch-ing with precomputations They found a limited and slowdiffusion of the subkey distribution and encryption processAs a result their attacks can discover the master key withcomputational complexities superior to an exhaustive searchHowever we find two faults of their biclique cryptanalysis ofPiccolo as follows
(1) Jeong et al found that 119870[4]119871 and 119870[2]119871 gave theconstruction of an 8-dimensional biclique which was shownin Figure 10 of [15] The Δ 119894-differential affected only 6 bytes(119862[0]119871 119862[1]119871 119862[1]119877 119862[2]119871 119862[3]119871 and 119862[3]119877) which isdrawn on Figure 7(a) (including the grid line byte) in this
paper As a result the data complexity does not go beyond248
In the attack shown in Figure 7 it is clear that the left halfof the round key rk46 can offset the left half of WK2 (thepostwhitening key) that is there is no difference in the gridline byte (119862[0]119871) Based on this the biclique cryptanalysis ofJeong et al goes wrong
So the Δ 119894-differential affects only 5 bytes (119862[1]119871 119862[1]119877119862[2]119871 119862[3]119871 and 119862[3]119877) of the ciphertext and the datacomplexity does not go beyond 240 The correct differencepath does not include the grid line byte (119862[0]119871)
(2) Jeong et al thought that only 2 bytes were activein the decryption of 17th round in backward direction forPiccolo-80 of recomputation shown in Figure 11 of [15] 13F-Functions (without the grid line) were computed 28 timesand 4 F-Functions were computed once They are drawn onFigure 7(b) in this paper Then the total complexity of thisstep is 28 times (28 times 13 + 4) F-Functions
It is clear that 6 bytes of intermediate are active in thedecryption of 17th round in backward direction for Piccolo-80 of recomputation and all bytes are active of 16th roundBased on these their computational complexity of this stepgoes wrong
So 15 F-Functions (including the grid line) are computed28 times and 2 F-Functions are computed onceThen the totalcomplexity of this step is 28 times (28 times 15 + 2) F-Functions Thecorrect difference path includes the grid line bytes
Similarly 3 bytes but not one byte are active in thedecryption of 22nd round in backward direction for Piccolo-128 of recomputation and they are shown in Figure 13 of [15]
10 Security and Communication Networks
F F
F F
F F
F F
F F
F F
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K|4|L
activ
e
K[4]LK[3]R K[3]LK[4]Rrk48 rk49
rk46 rk47
WK2 WK3
19
20
21
22
23
24
S0
C[0] C[1] C[2] C[3]
(a)
F F
F F
F F
F F
F F
F F10
11
12
131415
16
17
18
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K|4|L
activ
e
(b)
Figure 7 Revision of the other solutions
20 rather than 18 F-Functions are computed 28 times and 3instead of 5 F-Functions are computed once
42 Complexities of Biclique Cryptanalysis on Piccolo-80
421 Data Complexity By analyzing the key schedule wefind a weakness in the key schedule on Piccolo-80 that is theround key rk47 can offset the postwhitening key partially (seeFigure 2) Based on this the data complexity can be reducedgreatly
The amount of ciphertexts to be decrypted dominates thedata complexity (Figure 2) For each biclique structure let1198620 = 0(64) All the ciphertexts share the equal values in 3bytes (119862119894[0] 119862119894[4] and 119862119894[5] ie white bytes) so the datacomplexity does not go beyond 240422 Computational Complexity The amount of the F-Functions to be computed determines the attack complexityEach round of Piccolo-80 takes 2 F-Functions computationsSo the single encryption equals computed 25 times 2 = 50F-Functions For each of 264 groups of keys the followingcalculation should be completed
Biclique Complexity 5 F-Functions (Figure 2(b) noted withgray) need to be computed 28 times and 2 F-Functions
(Figure 2(c) noted with gray) need to be computed 28times The remaining 5 F-Functions are computed onlyonce Thus this stage requires 28 times 7 + 5 F-Functionscomputations in total Then the computational complexityof a biclique structure is about 2517 full round Piccolo-80encryptions
Matching Complexity In forward direction the differencesbetween 119870[1198940] and 119870[119894119895] dominate the computational com-plexity On Figure 3(a) for a single 119875119894 14 F-Functions (notedwith gray) are computed 28 times 3 F-Functions (noted withgrid line) are computed only once and 3 F-Functions (notedwith white) do not need to be computed So the complexityof this process is 28times(28times14+3) F-Functions which is about21416 full round Piccolo-80 encryptions
In backward direction on Figure 3(b) for a single 119878119895 15F-Functions (noted with gray) are computed 28 times 2 F-Functions (noted with grid line) are computed only onceand 1 F-Function (noted with white) need not be computedSo the complexity of this process is 28 times (28 times 15 + 2)F-Functions which is about 21426 full round Piccolo-80encryptions
Finally 216 key candidates are verified by a matchingvariable (16 bits) in each group and the average of 216minus16 = 1candidate key needs to be rechecked
Security and Communication Networks 11
Thus the total computational complexity of this attack onPiccolo-80 is
119862 = 264 times (2517 + 21416 + 21426 + 1) asymp 27922 (8)
43 Complexities of Biclique Cryptanalysis on Piccolo-128
431 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 5 bytes(119862119894[1] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie white bytes) so thedata complexity does not go beyond 224 (See Figure 4)
432 Computational Complexity Each round of Piccolo-128takes 2 F-Functions computations So the single encryptionequals computed 31 times 2 = 62 F-Functions For each of2112 groups of keys the following calculation should becompleted
Biclique Complexity 13 F-Functions (Figure 4(b) noted withgray) need to be computed 28 times and 1 F-Function(Figure 4(c) noted with gray) needs to be computed 28 timesThus this stage requires 28 times 14 F-Functions computationsin total Then the computational complexity of a bicliquestructure is about 2585 full round Piccolo-128 encryptions
Matching Complexity In forward direction for a single 119875119894 16F-Functions (noted with gray) are computed 28 times 7 F-Functions (noted with grid line) are computed only once and3 F-Functions (notedwithwhite) do not need to be computedon Figure 5(a) So the complexity of this process is 28 times (28 times16 + 7) F-Functions which is about 21405 full round Piccolo-128 encryptions
In backward direction for a single 119878119895 18 F-functions(noted with gray) are computed 28 times 3 F-functions(noted with grid line) are computed only once and 1 F-Function (noted with white) need not be computed onFigure 5(b) So the complexity of this process is 28 times (28 times18 + 3) F-Functions which is about 21422 full round Piccolo-128 encryptions
Finally 216 key candidates are verified by a matchingvariate (16 bits) in each group and the average of 216minus16 = 1candidate key needs to be rechecked
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2585 + 21408 + 21422 + 1) asymp 212714 (9)
44 Complexities of Another Biclique Cryptanalysis on Piccolo-128
441 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 7 bytes(119862119894[0] 119862119894[1] 119862119894[3] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie whitebytes) so the data complexity does not go beyond 28 (SeeFigure 6)
442 Computational Complexity
Biclique ComplexityThis stage requires 28times5+5 F-Functionscomputations in total Then the computational complexityof a biclique structure is about 2438 full round Piccolo-128encryptions
Matching Complexity In forward direction the complexityis 28 times (28 times 18 + 7) F-Functions which is about 21422 fullround Piccolo-128 encryptions In backward direction thecomplexity is 28 times (28 times 20 + 3) F-Functions which is about21437 full round Piccolo-128 encryptions
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2438 + 21422 + 21437 + 1) asymp 212730 (10)
5 Conclusion
Designers have given several attacks including linear crypt-analysis impossible differential cryptanalysis and MITMattack on security analysis for Piccolo The best result was 3-subset MITM attacks on 1421-round Piccolo-80128 withoutthe whitening key The previous results and our results aresummarized on Piccolo in Tables 1 and 2 Some results didnot includewhitening key some attackswere reduced-roundHowever our results are full round Piccolo-80128
By analyzing the distribution of the subkey and thestructure of encryption we find two faults of the results in [15]and a weakness in the key schedule on Piccolo-80 The twofaults are depicted in Section 41 The weakness on Piccolo-80 is that the right half of the round key rk47 can offset theright half of the postwhitening key WK3 (Figure 2(c)) Basedon this the data complexity can be decreased greatly
We use biclique cryptanalysis to recover the masterkey for the full round Piccolo-80 with a 6-round bicliqueand the full round Piccolo-128 with a 7-round bicliquerespectively The attacks require data complexity of 240 and224 chosen ciphertexts and computational complexity of 27922and 212714 respectively These results are superior to otherbiclique cryptanalytic results on Piccolo
This result is that the biclique technology can attack someciphers with simple key schedule and slow diffusion So thedesigners of lightweight ciphers need to consider not only theimplementation efficiency but also key schedule complexityand diffusion speed
Conflicts of Interest
None of the authors declare any conflicts of interest
Acknowledgments
This work is partially supported by National Natural Sci-ence Foundation of China (nos 61272434 61672330 and61602287) and Nature Science Foundation of ShandongProvince (no ZR2013FQ021)
12 Security and Communication Networks
References
[1] A Bogdanov D Khovratovich and C Rechberger ldquoBicliquecryptanalysis of the full AESrdquo in Advances in CryptologymdashASIACRYPT 2011 vol 7073 of Lecture Notes in Comput Sci pp344ndash371 Springer Heidelberg Germany 2011
[2] Y Wang WWu and X Yu ldquoBiclique cryptanalysis of reduced-round piccolo block cipherrdquo in Proceedings of the 8th Interna-tional Conference on Information Security Practice and Experi-ence (ISPEC rsquo12) M R Dermot S Ben and G Wang Eds vol7232 ofLectureNotes inComputer Science pp 337ndash352 SpringerHeidelberg Germany 2012
[3] D Khovratovich G Leurent and C Rechberger ldquoNarrow-bicliques cryptanalysis of full IDEArdquo in Proceedings of the 31stAnnual International Conference on theTheory and Applicationsof Cryptographic Techniques (EUROCRYPT rsquo12) Lecture Notesin Computer Science pp 392ndash410 Springer Heidelberg Ger-many 2012
[4] D Hong B Koo and D Kwon ldquoBiclique attack on the fullHIGHTrdquo in Information Security and CryptologymdashICISC 2011vol 7259 of Lecture Notes in Computer Science pp 365ndash374Springer Berlin Germany 2012
[5] J Song K Lee and H Lee ldquoBiclique cryptanalysis onlightweight block cipher HIGHT and Piccolordquo InternationalJournal of ComputerMathematics vol 90 no 12 pp 2564ndash25802013
[6] F Abed C Forler E List S Lucks and J Wenzel ldquoBicliquecryptanalysis of the PRESENT and LED lightweight ciphersrdquoTech Rep 2012591 Cryptology ePrint Archive 2012
[7] M Sereshgi andM Shakiba ldquoBiclique cryptanalysis ofMIBS-80and PRESENT-80 block ciphersrdquo Security and CommunicationNetworks vol 9 no 1 pp 27ndash33 2016
[8] O Ozen K Varıcı C Tezcan and C Kocair ldquoLightweight blockciphers revisited cryptanalysis of reduced round PRESENTand HIGHTrdquo in Information Security and Privacy vol 5594 ofLecture Notes in Computer Science pp 90ndash107 Springer BerlinGermany 2009
[9] Y F Wang and W L Wu ldquoMeet-in-the-middle attack onTWINE block cipherrdquo Journal of Software vol 26 no 10 pp2684ndash2695 2015 (Chinese)
[10] M Coban F Karakoc and O Biztas ldquoBiclique cryptanalysis ofTWINErdquo Tech Rep 2012422 Cryptology ePrint Archive 2012
[11] ZAhmadianM Salmasizadeh andMRAref ldquoBiclique crypt-analysis of the full-round KLEIN block cipherrdquo IET InformationSecurity vol 9 no 5 pp 294ndash301 2015
[12] W Diffie and M E Hellman ldquoExhaustive Cryptanalysis of theNBS Data Encryption Standardrdquo Computer vol 10 no 6 pp74ndash84 1977
[13] Y Sasaki ldquoMeet-in-the-middle preimage attacks on AES hash-ingmodes and an application towhirlpoolrdquo inProceedings of theInternational Workshop on Fast Software Encryption (FSE rsquo11)A Joux Ed vol 6733 of Lecture Notes in Computer Science pp378ndash396 Springer Heidelberg Germany 2011
[14] K Shibutani T Isobe H Hiwatari A Mitsuda T Akishitaand T Shirai ldquoPiccolo an ultra-lightweight blockcipherrdquo inProceedings of the 13th InternationalWorkshop on CryptographicHardware and Embedded Systems (CHES rsquo11) B Preneel and TTakagi Eds vol 6917 of Lecture Notes in Computer Science pp342ndash357 Springer Heidelberg Germany 2011
[15] K Jeong H Kang C Lee J Sung and S Hong ldquoBicliquecryptanalysis of lightweight block ciphers PRESENT piccoloand LEDrdquo Tech Rep 2012621 Cryptology ePrint Archive 2012
[16] W Zhang J Zhang and X Zheng ldquoSome observations onthe lightweight block cipher piccolo-80rdquo in Proceedings of the6th International Conference on Trusted Systems (INTRUST rsquo14)vol 9473 of Lecture Notes in Computer Science pp 364ndash373Springer Cham Switzerland 2015
[17] T Isobe and K Shibutani ldquoSecurity analysis of the lightweightblock ciphers XTEA LED and piccolordquo in Information Securityand Privacy vol 7372 pp 71ndash86 Springer Berlin Germany2012
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
2 Security and Communication Networks
Table 1 Summary of previous results of different method on Piccolo
Piccolo-80 rounds Piccolo-128 rounds Method Reference7 7 Differential Reference [14]8 8 Linear Reference [14]9 9 Boomerang Reference [14]9 9 Impossible differential Reference [14]14 21 MITM Reference [17]19 23 MITM expectation Reference [14]25 28 Biclique cryptanalysis Reference [2]25 31 Biclique cryptanalysis This paper
Table 2 Summary of biclique cryptanalytic results on Piccolo
Target algorithm Round Data Computations Attack type ReferencePiccolo-80 25 (without the postwhitening key) 248 27895 Biclique Reference [2]Piccolo-80 25 (full) 248 27934 Biclique Reference [5]Piccolo-80 25 (full) 240 27922 Biclique Section 42Piccolo-128 28 (without the prewhitening key) 224 212679 Biclique Reference [2]Piccolo-128 31 (full) 248 212736 Biclique Reference [5]Piccolo-128 31 (full) 224 212714 Biclique Section 43Piccolo-128 31 (full) 28 212730 Biclique Section 44
In this paper we detect a weakness in the key scheduleon Piccolo-80 that is the round key rk47 can offset the post-whitening key partially Based on this the data complexitycan be decreased greatly We apply some observations onPiccolo in [16] and construct an independent related-keydifferentials biclique for the last several rounds Then an 8-dimensional biclique structure of 6 rounds is constructedfor Piccolo-80 and an 8-dimensional biclique structure of7 rounds for Piccolo-128 The attacks are respectively withdata complexity of 240 and 224 and with computationalcomplexity of 27922 and 212714 which are the best resultscurrently The attack results on Piccolo are summarized inTables 1 and 2
The structure of the paper is as follows Section 2describes the structures of Piccolo-80 and Piccolo-128 Sec-tion 3 introduces briefly biclique cryptanalysis Then Sec-tion 4 presents the cryptanalysis with an 8-dimensionalbiclique of 6 rounds on full round Piccolo-80 and with abiclique structure of 7 rounds on full round Piccolo-128 Thedata complexity and computational complexity on Piccolo-80and Piccolo-128 are given respectively Finally we draw ourconclusion in Section 5
2 Piccolo Specifications
21 Notations
oplus bit-wise exclusive or (XOR)119903 iterative rounds concatenation119870[119894] the 119894th 16-bit group of the key 119870 (0 le 119894 le 4 forPiccolo-80 0 le 119894 le 7 for Piccolo-128)
WK119894 the 16-bit whitening key (0 le 119894 le 3)rk119894 the 16-bit round key (0 le 119894 le 49 for Piccolo-800 le 119894 le 61 for Piccolo-128)con80119894 a 16-bit round constant119886(119887) 119887 denoting the bit length of 119886119875 64-bit plaintext 119875 including four 16-bit words119875[119894] (0 le 119894 le 3)119862 64-bit ciphertext 119862 including four 16-bit words119862[119894] (0 le 119894 le 3)119865119903119894119895(64) the 119894th and 119895th byte of the state after F-Function in 119903th round
22 Description of Piccolo The structure of Piccolo is avariation of generalized Feistel as shown in Figure 1 Piccolo-80128 supports 80-bit and 128-bit key sizes along with 25 and31 rounds respectively
The detailed descriptions of Piccolo are in [14] and eachround of Piccolo consists of the following 3 steps
(1) F-Function (FF) 0 116 rarr 0 116 being composedof two S-box layers and a diffusion matrixM
(2) AddRoundKey (AK) the 64-bit intermediate stateXORs a round key
(3) RoundPermutation (RP) which splits a 64-bit inputinto eight bytes and then maps them
23 Key Schedule The key schedule of Piccolo is straightfor-ward and simple Firstly the 80-bit master key of Piccolo-80 is represented by concatenation of five 2 bytes that is119870 = 119870[0] 119870[1] 119870[2] 119870[3] 119870[4] where 119870[119895] =
Security and Communication Networks 3
P[0](16) P[1](16) P[2](16) P[3](16)
C[0](16) C[1](16) C[2](16) C[3](16)
F
F
F
F
F
F
F
F
Round 0
Round 1
Round r minus 2
Round r minus 1
WK0(16)
WK2(16)
rk0(16)
rk2(16)
rk2rminus2
rk2r
WK1(16)
WK3(16)
rk1(16)
rk3(16)
rk2rminus1
rk2r+1
Figure 1 The structure of Piccolo
(119870[119895]119871119870[119895]119877)The whitening keys (WK0WK1WK2WK3)and the subkey (rk2119894 rk2119894+1) of 25 rounds are engendered asfollows
WK0 = 119870[0]119871 119870[1]119877 WK1 = 119870[1]119871 119870[0]119877 WK2= 119870[4]119871 119870[3]119877 WK3 = 119870[3]119871 119870[4]119877For 119894 = 0 to 119903 minus 1(rk2119894 rk2119894+1)= (con802119894 con802119894+1)
oplus
(119870 [2] 119870 [3]) (119894 mod 5) equiv 0 or 2
(119870 [0] 119870 [1]) (119894 mod 5) equiv 1 or 4(119870 [4] 119870 [4]) (119894 mod 5) equiv 3
(1)
For Piccolo-128 the distribution of subkey is similar tothat of Piccolo-80 The 128-bit master key is denoted by 119870 =119870[0] 119870[1] 119870[2] 119870[3] 119870[4] 119870[5] 119870[6] 119870[7] where 119870[119895]= (119870[119895]119871 119870[119895]119877) The whitening keys and31-round subkey are computed as follows
WK0 = 119870[0]119871 119870[1]119877 WK1 = 119870[1]119871 119870[0]119877 WK2= 119870[4]119871 119870[7]119877 WK3 = 119870[7]119871 119870[4]119877For 119894 = 0 to 2119903 minus 1
if ((i + 2) mod 8 equiv 0) then
(119870[0] 119870[1] 119870[2] 119870[3] 119870[4] 119870[5] 119870[6] 119870[7]) = (119870[2] 119870[1] 119870[6] 119870[7] 119870[0] 119870[3] 119870[4] 119870[5])
rk119894 = 119870[(119894 + 2) mod 8] oplus con128119894 The specific subkeys of Piccolo-80128 are illustrated in
Table 3
3 Biclique Attack on Piccolo
31 Definition of Biclique Biclique cryptanalysis is an attackbased on MITM The major idea is to build bicliques on thetarget subcipher and promote the computational efficiencyThe basic principles of the biclique attack are explained in [1]Let 119891 be a several-round subcipher and 119891minus1 is the inverse of119891 The 119891 maps 2119889 intermediate states 119878119895 to 2119889 ciphertexts119862119894 with 22119889 keys 119870[119894119895]
119870[119894119895] =[[[[[
119870[00] 119870[01] sdot sdot sdot 119870[02119889minus1] d
119870[2119889minus10] 119870[2119889minus11] sdot sdot sdot 119870[2119889minus12119889minus1]
]]]]] (2)
The 3-tuple [119862119894 119878119895 119870[119894119895]] is named a biclique withd-dimension if
119862119894 = 119891119870[119894119895] (119904119895) forall119894 119895 isin 0 1119889 (3)
To avoid duplication we do not explicate the detailedattack basis but three stages of the attack are described inmore detail
32 Biclique Cryptanalysis of Piccolo-80
321 Phase 1 Key Partitioning For greater clarity we dividethe key into 264 groups which have 216 keys The 119870[00]enumerates 64-bit keys and fixes 16-bit keys with 016 Asdepicted in Section 23 each round has 32-bit subkey whichis generated by master keys K[i] and K[j] By investigatingthe subkey distribution (Table 3) an 8-dimensional bicliquestructure of 6 rounds is constructed by each right half of119870[4]and 119870[2] that is 119870[4]119877 and 119870[2]119877 We find 119870[4]119877 of theround key rk47 can offset 119870[4]119877 of the postwhitening key soit can decrease the data complexity greatly By calculation thecomputational complexity is optimal so far
The keys 119870[00] 119870[0119895] 119870[1198940] and 119870[119894119895] of each group aredepicted as shown below
119870[00] = [119883119883119883119883119883119860119883119883119883119860] where 119883 isin 0 18 119860 = 011990900
119870[0119895] = 119870[00] oplus [00 00 0119895 00 00]
where 119895 isin 0 18
4 Security and Communication Networks
Table 3 Key schedule of Piccolo
Piccolo-80 Piccolo-128Round i Round key Master key Round i Round key Master keyInitial (WK0WK1) (119870[0]119871 119870[1]119877 119870[1]119871 119870[0]119877) Initial (WK0WK1) (119870[0]119871 119870[1]119877 119870[1]119871 119870[0]119877)0 (rk0 rk1) (119870[2] 119870[3]) 0 (rk0 rk1) (119870[2] 119870[3])1 (rk2 rk3) (119870[0] 119870[1]) 1 (rk2 rk3) (119870[4] 119870[5])2 (rk4 rk5) (119870[2] 119870[3]) 2 (rk4 rk5) (119870[6] 119870[7])3 (rk6 rk7) (119870[4] 119870[4]) 3 (rk6 rk7) (119870[2] 119870[1])4 (rk8 rk9) (119870[0] 119870[1]) 4 (rk8 rk9) (119870[6] 119870[7])5 (rk10 rk11) (119870[2] 119870[3]) 5 (rk10 rk11) (119870[0] 119870[3])6 (rk12 rk13) (119870[0] 119870[1]) 6 (rk12 rk13) (119870[4] 119870[5]) 18 (rk36 rk37) (119870[4] 119870[4]) 24 (rk48 rk49) (119870[4] 119870[3])19 (rk38 rk39) (119870[0] 119870[1]) 25 (rk50 rk51) (119870[2] 119870[5])20 (rk40 rk41) (119870[2] 119870[3]) 26 (rk52 rk53) (119870[0] 119870[7])21 (rk42 rk43) (119870[0] 119870[1]) 27 (rk54 rk55) (119870[4] 119870[1])22 (rk44 rk45) (119870[2] 119870[3]) 28 (rk56 rk57) (119870[0] 119870[7])23 (rk46 rk47) (119870[4] 119870[4]) 29 (rk58 rk59) (119870[6] 119870[3])24 (rk48 rk49) (119870[0] 119870[1]) 30 (rk60 rk61) (119870[2] 119870[5])Final (WK2WK3) (119870[4]119871 119870[3]119877 119870[3]119871 119870[4]119877) Final (WK2WK3) (119870[4]119871 119870[7]119877 119870[7]119871 119870[4]119877)
119870[1198940] = 119870[00] oplus [00 00 00 00 0119894] where 119894 isin 0 18
(4)Finally
119870[119894119895] = 119870[00] oplus 119870[0119895] oplus 119870[1198940]= 119870[00] oplus [00 00 0119895 00 0119894]
(5)
Thus the space of119870 is divided into 264 groups of 216 keyseach
322 Phase 2 8-Dimensional Biclique Structure of 6 RoundsWe construct an 8-dimensional biclique structure of 6 roundsfor Piccolo-80 with whitening keys for each group (Fig-ure 2) The biclique structure connects 28 ciphertexts to 28intermediate states in each group of keys The process ofcalculating the ciphertexts and intermediate states consists ofthe following 3 steps
Step 1 Let 1198620 = 0(64) and decrypt 1198620 for 6 rounds to obtain1198780 (Figure 2(a)) that is 1198780 = 119891minus1119870[00](1198620) The procedure isnamed basic calculation
Step 2 In order to get the corresponding ciphertext 119862119894encrypt 1198780 using different keys 119870[1198940] for 119894 isin 0 18 (Fig-ure 2(c)) The differences between 119870[1198940] and 119870[00] can leadto the gray intermediate statesrsquo differences and cause thecomputational complexity The gray intermediate states needto be computed 28minus1 times whereas the remaining states arecalculated just once because they have been already computed
in Step 1 This step derives 119891(1198780) 119870[1198940]997888997888997888rarr 119862119894
Step 3 To get the corresponding states 119878119895 decrypt 1198620 usingdifferent keys 119870[0119895] for 119895 isin 0 18 (Figure 2(b)) Thedifferences between119870[0119895] and119870[00] can bring about the grayintermediate statesrsquo differences The gray intermediate statesneed to be computed 28 minus 1 times whereas the remaining
states have been already computed As a result119891minus1(1198620)119870[0119895]997888997888997888997888rarr
(119878119895) has been constructed
Thanks to the simplicity of the distribution of the subkeyof Piccolo the two differential paths do not share any active
state Fortunately it is so easy to verify that 119891(119878119895)119870[119894119895]997888997888997888rarr 119862119894 is
always true for all 119894 119895 isin 0 18 Up to now for each key groupwe get a corresponding 8-dimensional biclique structure asdiscussed above
From Figure 2 we find a weakness in the key scheduleof Piccolo-80 that is 119870[4]119877 of the round key rk47 canoffset 119870[4]119877 of the postwhitening key So it can reduce thedata complexity greatly The calculations of complexities arepresented in Section 42
323 Phase 3 Meeting in the Middle over 19 Rounds Choosea 16-bit internal state (119881 = 119865914) after F-Function in round9 as the intermediate matching variable (see Figure 3) Thechoice is made according to the total number of F-Functionand an effective filtering of the wrong keys Next we calculatethese matching variates in both directions in order to obtainthe accurate key
Backward Direction Each value of the state 119878119895 is decryptedunder the key 119870[0119895] to derive larr9978889978881198810119895
119870[0119895]larr997888997888997888997888 119878119895 After that
Security and Communication Networks 5
S0
C0
F
F
F
F
F
F
F
F
F
F
F
F
19
20
21
22
23
24K[4]LK[3]R
K[0]LK[0]R
K[2]LK[2]R
K[0]LK[0]R
K[2]LK[2]R
K[4]LK[4]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[1]LK[1]R
K[3]LK[3]R
K[4]LK[4]R
K[1]LK[1]R
K[3]LK[4]R
(a)
Sj
C0
F
F
F
F
F
F
F
F
F
F
F
F
K[4]LK[3]R
K[0]LK[0]R
K[2]LK[2]R
K[0]LK[0]R
K[2]LK[2]R
K[4]LK[4]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[1]LK[1]R
K[3]LK[3]R
K[4]LK[4]R
K[1]LK[1]R
K[3]LK[4]R
K|2|R
activ
e
(b)
S0
Ci
F
F
F
F
F
F
F
F
F
F
F
F
K[4]LK[3]R
K[0]LK[0]R
K[2]LK[2]R
K[0]LK[0]R
K[2]LK[2]R
K[4]LK[4]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[1]LK[1]R
K[3]LK[3]R
K[4]LK[4]R
K[1]LK[1]R
K[3]LK[4]R
rk47
rk49
WK2 WK3
K|4|R
activ
e
(c)
Figure 2 6-round biclique construction of dimension 8 in Piccolo-80
119878119895 is decrypted using all the possible 2119889 minus 1 keys 119870[119894119895] toget larr997888997888119881119894119895
119870[119894119895]larr997888997888997888 119878119895 Because of the same beginning the key dif-ferences between119870[0119895] and119870[119894119895] can cause the computationalcomplexity On Figure 3(b) the gray bytes are active and thewhite bytes need not be computed
Forward Direction The procedure of forward direction is abit more complex than the backward direction in calculationFirstly we decrypt the ciphertexts 119862119894 for 119894 isin 0 18 toobtain 28 plaintexts 119875119894 Secondly each 119875119894 is encrypted under
the key 119870[1198940] to derive 119875119894 119870[1198940]997888997888997888rarr 997888997888rarr1198811198940 After that 119875119894 isencrypted using all the possible 2119889 minus 1 keys 119870[119894119895] to obtain
119875119894119870[119894119895]997888997888997888rarr 997888997888rarr119881119894119895 The differences between 119870[1198940] and 119870[119894119895] can
influence the computational complexity On Figure 3(a)the gray bytes are active and the white bytes need not becomputed
Search Candidates In the last session of the attack theadversary verifies the rest candidate key by the equality of 997888997888rarr119881119894119895andlarr997888997888119881119894119895 for all 119894 119895 isin 0 18 in each group exhaustively untilthe right key is discovered
33 Biclique Cryptanalysis of Piccolo-128
331 Phase 1 Key Partitioning We divide the 128-bit keyinto 2112 groups 119870[00] enumerates 112-bit keys and fixes 16-bit keys with 016 By investigating the subkey distribution(Table 3) an 8-dimensional biclique structure of 7 rounds isconstructed by each left half of 119870[6] and 119870[7] that is 119870[6]119871and119870[7]119871 The computational complexity of this structure isless than othersrsquo
Similar to Piccolo-80 the keys 119870[00] 119870[0119895] 119870[1198940] and119870[119894119895] of each group are depicted as shown below
119870[00] = [119883119883119883119883119883119883119883119883119883119883119883119883119860119883119860119883] where 119883 isin 0 18 119860 = 011990900
119870[0119895] = 119870[00] oplus [00 00 00 00 00 00 00 1198950] where 119895 isin 0 18
119870[1198940] = 119870[00] oplus [00 00 00 00 00 00 1198940 00] where 119894 isin 0 18
(6)
6 Security and Communication Networks
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
1
0
2
3
4
5
6
7
8
9
K[0]LK[1]R
K[2]LK[2]R
K[0]LK[0]R
K[2]LK[2]R
K[4]LK[4]R
K[0]LK[0]R
K[1]LK[0]R
K[3]LK[3]R
K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R
K[4]LK[4]RK[4]LK[4]R
K[1]LK[1]R
K|2|R
activ
e
Pi
Pi
K[i j]Vij
Is computed onceIs computed 28 times
(a)
Sj
Sj
F F
F F
F F
F F
F F
F F
F F
F F
F F10
11
12
13
14
15
16
17
18
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K[4]LK[4]R K[4]LK[4]R
K|4|R
activ
e
K[i j]Vij
Is computed onceIs computed 28 times
(b)
Figure 3 Recomputations in MITM for Piccolo-80
Security and Communication Networks 7
F F
F F
F F
F F
F F
F F
F F
25
24
26
27
28
29
30
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[2]LK[2]R K[5]LK[5]R
K[4]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R
K[6]LK[6]R
K[5]LK[5]R
K[7]LK[7]R
S0
C0
(a)
F F
F F
F F
F F
F F
F F
F F
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[2]LK[2]R K[5]LK[5]R
K[4]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R
K[6]LK[6]R
K[5]LK[5]R
K[7]LK[7]R
Sj
C0
K|7|L
activ
e
(b)
F F
F F
F F
F F
F F
F F
F F
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[2]LK[2]R K[5]LK[5]R
K[4]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R
K[6]LK[6]R
K[5]LK[5]R
K[7]LK[7]R
S0
Ci
K|6|L
activ
e
(c)
Figure 4 7-round biclique construction of dimension 8 in Piccolo-128
Finally
119870[119894119895] = 119870[00] oplus 119870[0119895] oplus 119870[1198940]= 119870[00] oplus [00 00 00 00 00 00 1198940 1198950]
(7)
Thus the key space of K is divided into 2112 groups of 216keys each
332 Phase 2 8-Dimensional Biclique Structure of 7 RoundsWe construct an 8-dimensional biclique structure of 7 roundsfor Piccolo-128 for each group (Figure 4) Here 119892 is subci-phers for round 24sim30 and 119892minus1 is the inverse of 119892The processof calculating the ciphertexts and intermediate states consistsof the following 3 steps
Step 1 Let 1198620 = 0(64) and decrypt 1198620 for 7 rounds to obtain1198780 (Figure 4(a)) that is 1198780 = 119892minus1119870[00](1198620)Step 2 Encrypt 1198780 using different keys 119870[1198940] for 119894 isin 0 18(Figure 4(c)) The differences between 119870[1198940] and 119870[00] can
influence the gray intermediate statesrsquo differences This step
derives 119892(1198780) 119870[1198940]997888997888997888rarr 119862119894Step 3 Decrypt 1198620 using different keys 119870[0119895] for 119895 isin 0 18(Figure 4(b)) The differences between 119870[0119895] and 119870[00] canbring about the gray intermediate statesrsquo differences As a
result 119892minus1(1198620)119870[0119895]997888997888997888997888rarr (119878119895) has been constructed
Thanks to the simplicity of the distribution of the subkey
of Piccolo-128 it is also very easy to verify that 119892(119878119895)119870[119894119895]997888997888997888rarr
119862119894 is always true for all 119894 119895 isin 0 18 Up to now for eachkey group we get a corresponding 8-dimensional bicliquestructure
333 Phase 3 Meeting in the Middle over 24 Rounds Select a16-bit internal state (119880 = 1198651214) after F-Function in round 12as the intermediatematching variable (see Figure 5) Next wecalculate these matching variates in both directions in orderto obtain the right key
8 Security and Communication Networks
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
1
0
2
3
4
5
678
9
10
11
12
K[0]LK[0]R
K[1]LK[1]R
K[1]LK[1]R
K[2]LK[2]R
K[2]LK[2]R
K[2]LK[2]R
K[3]LK[3]R
K[1]LK[0]RK[0]LK[1]R
K[3]LK[3]R
K[0]LK[0]R K[3]LK[3]R
K[0]LK[0]R K[3]LK[3]R
K[4]LK[4]R
K[4]LK[4]R
Pi
Pi
K[i j]
K[5]LK[5]R
K[6]LK[6]R K[7]LK[7]R
K[6]LK[6]R K[7]LK[7]R
K[7]LK[7]R
K|7|L
activ
e
Uij
Is computed onceIs computed 28 times
(a)
Sj
Sj
F F
F F
F F
F F
F F
F F
F F
F F13
14
15
16
171819
20
21
22
23
K[1]LK[1]R
K[1]LK[1]R
K[2]LK[2]R
K[2]LK[2]R
K[0]LK[0]R
K[0]LK[0]R
K[3]LK[3]RK[4]LK[4]R
K[i j]
K[5]LK[5]R
K[5]LK[5]RK[6]LK[6]R
K[6]LK[6]R
K[6]LK[6]R
K[7]LK[7]R
K[7]LK[7]R
K[7]LK[7]R
K|6|L
activ
e
Is computed onceIs computed 28 times
Uij
(b)
Figure 5 Recomputations in MITM for Piccolo-128
Backward Direction Each value of the state 119878119895 is decrypt-
ed under the key 119870[0119895] to obtain larr9978889978881198800119895119870[0119895]larr997888997888997888997888 119878119895 After
that 119878119895 is decrypted using all the possible 2119889 minus 1 keys
119870[119894119895] to get larr997888997888119880119894119895119870[119894119895]larr997888997888997888 119878119895 On Figure 5(b) the gray
bytes are active and the white bytes do not need to becomputed
Forward Direction Firstly we decrypt the ciphertexts 119862119894 for119894 isin 0 18 to obtain 28 plaintexts 119875119894 Secondly each 119875119894 isencrypted under the key 119870[1198940] to obtain 119875119894 119870[1198940]997888997888997888rarr 997888997888rarr1198801198940 Then119875119894 is encrypted using all the possible 2119889 minus 1 keys 119870[119894119895] to get
119875119894119870[119894119895]997888997888997888rarr 997888997888rarr119880119894119895 On Figure 5(a) the gray bytes are active and the
white bytes do not need to be computed
Security and Communication Networks 9
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
26
27
28
29
30
Sj
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
S0 S0
C0 C0
K|6|L
activ
e
K|2|L
activ
e
Ci[0] Ci[1] Ci[2] Ci[3]
Figure 6 5-round biclique construction of dimension 8 in Piccolo-128
Search Candidates In the last session of the attack theadversary verifies the equality of 997888997888rarr119880119894119895 and larr997888997888119880119894119895 for all 119894 119895 isin0 18 to discover the correct key34 Another Biclique Cryptanalysis of Piccolo-128 Similar toSection 33 we construct an 8-dimensional biclique structureof 5 rounds (26sim30) for Piccolo-128 by each left half of 119870[6]and119870[2] that is 119870[6]119871 and119870[2]119871 (Figure 6)
In the phase of meeting in the middle over 26 rounds weselect a 16-bit internal state (119880 = 1198651314) after F-Function inround 13 as the intermediate matching variable
4 Complexities
41 Comments on the Result of [15] Jeong et al appliedbiclique cryptanalysis to the lightweight block ciphers LEDPiccolo and PRESENT in [15] They used the concept ofindependent-biclique which included constructing bicliquestructure by independent related-key differentials andmatch-ing with precomputations They found a limited and slowdiffusion of the subkey distribution and encryption processAs a result their attacks can discover the master key withcomputational complexities superior to an exhaustive searchHowever we find two faults of their biclique cryptanalysis ofPiccolo as follows
(1) Jeong et al found that 119870[4]119871 and 119870[2]119871 gave theconstruction of an 8-dimensional biclique which was shownin Figure 10 of [15] The Δ 119894-differential affected only 6 bytes(119862[0]119871 119862[1]119871 119862[1]119877 119862[2]119871 119862[3]119871 and 119862[3]119877) which isdrawn on Figure 7(a) (including the grid line byte) in this
paper As a result the data complexity does not go beyond248
In the attack shown in Figure 7 it is clear that the left halfof the round key rk46 can offset the left half of WK2 (thepostwhitening key) that is there is no difference in the gridline byte (119862[0]119871) Based on this the biclique cryptanalysis ofJeong et al goes wrong
So the Δ 119894-differential affects only 5 bytes (119862[1]119871 119862[1]119877119862[2]119871 119862[3]119871 and 119862[3]119877) of the ciphertext and the datacomplexity does not go beyond 240 The correct differencepath does not include the grid line byte (119862[0]119871)
(2) Jeong et al thought that only 2 bytes were activein the decryption of 17th round in backward direction forPiccolo-80 of recomputation shown in Figure 11 of [15] 13F-Functions (without the grid line) were computed 28 timesand 4 F-Functions were computed once They are drawn onFigure 7(b) in this paper Then the total complexity of thisstep is 28 times (28 times 13 + 4) F-Functions
It is clear that 6 bytes of intermediate are active in thedecryption of 17th round in backward direction for Piccolo-80 of recomputation and all bytes are active of 16th roundBased on these their computational complexity of this stepgoes wrong
So 15 F-Functions (including the grid line) are computed28 times and 2 F-Functions are computed onceThen the totalcomplexity of this step is 28 times (28 times 15 + 2) F-Functions Thecorrect difference path includes the grid line bytes
Similarly 3 bytes but not one byte are active in thedecryption of 22nd round in backward direction for Piccolo-128 of recomputation and they are shown in Figure 13 of [15]
10 Security and Communication Networks
F F
F F
F F
F F
F F
F F
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K|4|L
activ
e
K[4]LK[3]R K[3]LK[4]Rrk48 rk49
rk46 rk47
WK2 WK3
19
20
21
22
23
24
S0
C[0] C[1] C[2] C[3]
(a)
F F
F F
F F
F F
F F
F F10
11
12
131415
16
17
18
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K|4|L
activ
e
(b)
Figure 7 Revision of the other solutions
20 rather than 18 F-Functions are computed 28 times and 3instead of 5 F-Functions are computed once
42 Complexities of Biclique Cryptanalysis on Piccolo-80
421 Data Complexity By analyzing the key schedule wefind a weakness in the key schedule on Piccolo-80 that is theround key rk47 can offset the postwhitening key partially (seeFigure 2) Based on this the data complexity can be reducedgreatly
The amount of ciphertexts to be decrypted dominates thedata complexity (Figure 2) For each biclique structure let1198620 = 0(64) All the ciphertexts share the equal values in 3bytes (119862119894[0] 119862119894[4] and 119862119894[5] ie white bytes) so the datacomplexity does not go beyond 240422 Computational Complexity The amount of the F-Functions to be computed determines the attack complexityEach round of Piccolo-80 takes 2 F-Functions computationsSo the single encryption equals computed 25 times 2 = 50F-Functions For each of 264 groups of keys the followingcalculation should be completed
Biclique Complexity 5 F-Functions (Figure 2(b) noted withgray) need to be computed 28 times and 2 F-Functions
(Figure 2(c) noted with gray) need to be computed 28times The remaining 5 F-Functions are computed onlyonce Thus this stage requires 28 times 7 + 5 F-Functionscomputations in total Then the computational complexityof a biclique structure is about 2517 full round Piccolo-80encryptions
Matching Complexity In forward direction the differencesbetween 119870[1198940] and 119870[119894119895] dominate the computational com-plexity On Figure 3(a) for a single 119875119894 14 F-Functions (notedwith gray) are computed 28 times 3 F-Functions (noted withgrid line) are computed only once and 3 F-Functions (notedwith white) do not need to be computed So the complexityof this process is 28times(28times14+3) F-Functions which is about21416 full round Piccolo-80 encryptions
In backward direction on Figure 3(b) for a single 119878119895 15F-Functions (noted with gray) are computed 28 times 2 F-Functions (noted with grid line) are computed only onceand 1 F-Function (noted with white) need not be computedSo the complexity of this process is 28 times (28 times 15 + 2)F-Functions which is about 21426 full round Piccolo-80encryptions
Finally 216 key candidates are verified by a matchingvariable (16 bits) in each group and the average of 216minus16 = 1candidate key needs to be rechecked
Security and Communication Networks 11
Thus the total computational complexity of this attack onPiccolo-80 is
119862 = 264 times (2517 + 21416 + 21426 + 1) asymp 27922 (8)
43 Complexities of Biclique Cryptanalysis on Piccolo-128
431 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 5 bytes(119862119894[1] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie white bytes) so thedata complexity does not go beyond 224 (See Figure 4)
432 Computational Complexity Each round of Piccolo-128takes 2 F-Functions computations So the single encryptionequals computed 31 times 2 = 62 F-Functions For each of2112 groups of keys the following calculation should becompleted
Biclique Complexity 13 F-Functions (Figure 4(b) noted withgray) need to be computed 28 times and 1 F-Function(Figure 4(c) noted with gray) needs to be computed 28 timesThus this stage requires 28 times 14 F-Functions computationsin total Then the computational complexity of a bicliquestructure is about 2585 full round Piccolo-128 encryptions
Matching Complexity In forward direction for a single 119875119894 16F-Functions (noted with gray) are computed 28 times 7 F-Functions (noted with grid line) are computed only once and3 F-Functions (notedwithwhite) do not need to be computedon Figure 5(a) So the complexity of this process is 28 times (28 times16 + 7) F-Functions which is about 21405 full round Piccolo-128 encryptions
In backward direction for a single 119878119895 18 F-functions(noted with gray) are computed 28 times 3 F-functions(noted with grid line) are computed only once and 1 F-Function (noted with white) need not be computed onFigure 5(b) So the complexity of this process is 28 times (28 times18 + 3) F-Functions which is about 21422 full round Piccolo-128 encryptions
Finally 216 key candidates are verified by a matchingvariate (16 bits) in each group and the average of 216minus16 = 1candidate key needs to be rechecked
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2585 + 21408 + 21422 + 1) asymp 212714 (9)
44 Complexities of Another Biclique Cryptanalysis on Piccolo-128
441 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 7 bytes(119862119894[0] 119862119894[1] 119862119894[3] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie whitebytes) so the data complexity does not go beyond 28 (SeeFigure 6)
442 Computational Complexity
Biclique ComplexityThis stage requires 28times5+5 F-Functionscomputations in total Then the computational complexityof a biclique structure is about 2438 full round Piccolo-128encryptions
Matching Complexity In forward direction the complexityis 28 times (28 times 18 + 7) F-Functions which is about 21422 fullround Piccolo-128 encryptions In backward direction thecomplexity is 28 times (28 times 20 + 3) F-Functions which is about21437 full round Piccolo-128 encryptions
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2438 + 21422 + 21437 + 1) asymp 212730 (10)
5 Conclusion
Designers have given several attacks including linear crypt-analysis impossible differential cryptanalysis and MITMattack on security analysis for Piccolo The best result was 3-subset MITM attacks on 1421-round Piccolo-80128 withoutthe whitening key The previous results and our results aresummarized on Piccolo in Tables 1 and 2 Some results didnot includewhitening key some attackswere reduced-roundHowever our results are full round Piccolo-80128
By analyzing the distribution of the subkey and thestructure of encryption we find two faults of the results in [15]and a weakness in the key schedule on Piccolo-80 The twofaults are depicted in Section 41 The weakness on Piccolo-80 is that the right half of the round key rk47 can offset theright half of the postwhitening key WK3 (Figure 2(c)) Basedon this the data complexity can be decreased greatly
We use biclique cryptanalysis to recover the masterkey for the full round Piccolo-80 with a 6-round bicliqueand the full round Piccolo-128 with a 7-round bicliquerespectively The attacks require data complexity of 240 and224 chosen ciphertexts and computational complexity of 27922and 212714 respectively These results are superior to otherbiclique cryptanalytic results on Piccolo
This result is that the biclique technology can attack someciphers with simple key schedule and slow diffusion So thedesigners of lightweight ciphers need to consider not only theimplementation efficiency but also key schedule complexityand diffusion speed
Conflicts of Interest
None of the authors declare any conflicts of interest
Acknowledgments
This work is partially supported by National Natural Sci-ence Foundation of China (nos 61272434 61672330 and61602287) and Nature Science Foundation of ShandongProvince (no ZR2013FQ021)
12 Security and Communication Networks
References
[1] A Bogdanov D Khovratovich and C Rechberger ldquoBicliquecryptanalysis of the full AESrdquo in Advances in CryptologymdashASIACRYPT 2011 vol 7073 of Lecture Notes in Comput Sci pp344ndash371 Springer Heidelberg Germany 2011
[2] Y Wang WWu and X Yu ldquoBiclique cryptanalysis of reduced-round piccolo block cipherrdquo in Proceedings of the 8th Interna-tional Conference on Information Security Practice and Experi-ence (ISPEC rsquo12) M R Dermot S Ben and G Wang Eds vol7232 ofLectureNotes inComputer Science pp 337ndash352 SpringerHeidelberg Germany 2012
[3] D Khovratovich G Leurent and C Rechberger ldquoNarrow-bicliques cryptanalysis of full IDEArdquo in Proceedings of the 31stAnnual International Conference on theTheory and Applicationsof Cryptographic Techniques (EUROCRYPT rsquo12) Lecture Notesin Computer Science pp 392ndash410 Springer Heidelberg Ger-many 2012
[4] D Hong B Koo and D Kwon ldquoBiclique attack on the fullHIGHTrdquo in Information Security and CryptologymdashICISC 2011vol 7259 of Lecture Notes in Computer Science pp 365ndash374Springer Berlin Germany 2012
[5] J Song K Lee and H Lee ldquoBiclique cryptanalysis onlightweight block cipher HIGHT and Piccolordquo InternationalJournal of ComputerMathematics vol 90 no 12 pp 2564ndash25802013
[6] F Abed C Forler E List S Lucks and J Wenzel ldquoBicliquecryptanalysis of the PRESENT and LED lightweight ciphersrdquoTech Rep 2012591 Cryptology ePrint Archive 2012
[7] M Sereshgi andM Shakiba ldquoBiclique cryptanalysis ofMIBS-80and PRESENT-80 block ciphersrdquo Security and CommunicationNetworks vol 9 no 1 pp 27ndash33 2016
[8] O Ozen K Varıcı C Tezcan and C Kocair ldquoLightweight blockciphers revisited cryptanalysis of reduced round PRESENTand HIGHTrdquo in Information Security and Privacy vol 5594 ofLecture Notes in Computer Science pp 90ndash107 Springer BerlinGermany 2009
[9] Y F Wang and W L Wu ldquoMeet-in-the-middle attack onTWINE block cipherrdquo Journal of Software vol 26 no 10 pp2684ndash2695 2015 (Chinese)
[10] M Coban F Karakoc and O Biztas ldquoBiclique cryptanalysis ofTWINErdquo Tech Rep 2012422 Cryptology ePrint Archive 2012
[11] ZAhmadianM Salmasizadeh andMRAref ldquoBiclique crypt-analysis of the full-round KLEIN block cipherrdquo IET InformationSecurity vol 9 no 5 pp 294ndash301 2015
[12] W Diffie and M E Hellman ldquoExhaustive Cryptanalysis of theNBS Data Encryption Standardrdquo Computer vol 10 no 6 pp74ndash84 1977
[13] Y Sasaki ldquoMeet-in-the-middle preimage attacks on AES hash-ingmodes and an application towhirlpoolrdquo inProceedings of theInternational Workshop on Fast Software Encryption (FSE rsquo11)A Joux Ed vol 6733 of Lecture Notes in Computer Science pp378ndash396 Springer Heidelberg Germany 2011
[14] K Shibutani T Isobe H Hiwatari A Mitsuda T Akishitaand T Shirai ldquoPiccolo an ultra-lightweight blockcipherrdquo inProceedings of the 13th InternationalWorkshop on CryptographicHardware and Embedded Systems (CHES rsquo11) B Preneel and TTakagi Eds vol 6917 of Lecture Notes in Computer Science pp342ndash357 Springer Heidelberg Germany 2011
[15] K Jeong H Kang C Lee J Sung and S Hong ldquoBicliquecryptanalysis of lightweight block ciphers PRESENT piccoloand LEDrdquo Tech Rep 2012621 Cryptology ePrint Archive 2012
[16] W Zhang J Zhang and X Zheng ldquoSome observations onthe lightweight block cipher piccolo-80rdquo in Proceedings of the6th International Conference on Trusted Systems (INTRUST rsquo14)vol 9473 of Lecture Notes in Computer Science pp 364ndash373Springer Cham Switzerland 2015
[17] T Isobe and K Shibutani ldquoSecurity analysis of the lightweightblock ciphers XTEA LED and piccolordquo in Information Securityand Privacy vol 7372 pp 71ndash86 Springer Berlin Germany2012
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
Security and Communication Networks 3
P[0](16) P[1](16) P[2](16) P[3](16)
C[0](16) C[1](16) C[2](16) C[3](16)
F
F
F
F
F
F
F
F
Round 0
Round 1
Round r minus 2
Round r minus 1
WK0(16)
WK2(16)
rk0(16)
rk2(16)
rk2rminus2
rk2r
WK1(16)
WK3(16)
rk1(16)
rk3(16)
rk2rminus1
rk2r+1
Figure 1 The structure of Piccolo
(119870[119895]119871119870[119895]119877)The whitening keys (WK0WK1WK2WK3)and the subkey (rk2119894 rk2119894+1) of 25 rounds are engendered asfollows
WK0 = 119870[0]119871 119870[1]119877 WK1 = 119870[1]119871 119870[0]119877 WK2= 119870[4]119871 119870[3]119877 WK3 = 119870[3]119871 119870[4]119877For 119894 = 0 to 119903 minus 1(rk2119894 rk2119894+1)= (con802119894 con802119894+1)
oplus
(119870 [2] 119870 [3]) (119894 mod 5) equiv 0 or 2
(119870 [0] 119870 [1]) (119894 mod 5) equiv 1 or 4(119870 [4] 119870 [4]) (119894 mod 5) equiv 3
(1)
For Piccolo-128 the distribution of subkey is similar tothat of Piccolo-80 The 128-bit master key is denoted by 119870 =119870[0] 119870[1] 119870[2] 119870[3] 119870[4] 119870[5] 119870[6] 119870[7] where 119870[119895]= (119870[119895]119871 119870[119895]119877) The whitening keys and31-round subkey are computed as follows
WK0 = 119870[0]119871 119870[1]119877 WK1 = 119870[1]119871 119870[0]119877 WK2= 119870[4]119871 119870[7]119877 WK3 = 119870[7]119871 119870[4]119877For 119894 = 0 to 2119903 minus 1
if ((i + 2) mod 8 equiv 0) then
(119870[0] 119870[1] 119870[2] 119870[3] 119870[4] 119870[5] 119870[6] 119870[7]) = (119870[2] 119870[1] 119870[6] 119870[7] 119870[0] 119870[3] 119870[4] 119870[5])
rk119894 = 119870[(119894 + 2) mod 8] oplus con128119894 The specific subkeys of Piccolo-80128 are illustrated in
Table 3
3 Biclique Attack on Piccolo
31 Definition of Biclique Biclique cryptanalysis is an attackbased on MITM The major idea is to build bicliques on thetarget subcipher and promote the computational efficiencyThe basic principles of the biclique attack are explained in [1]Let 119891 be a several-round subcipher and 119891minus1 is the inverse of119891 The 119891 maps 2119889 intermediate states 119878119895 to 2119889 ciphertexts119862119894 with 22119889 keys 119870[119894119895]
119870[119894119895] =[[[[[
119870[00] 119870[01] sdot sdot sdot 119870[02119889minus1] d
119870[2119889minus10] 119870[2119889minus11] sdot sdot sdot 119870[2119889minus12119889minus1]
]]]]] (2)
The 3-tuple [119862119894 119878119895 119870[119894119895]] is named a biclique withd-dimension if
119862119894 = 119891119870[119894119895] (119904119895) forall119894 119895 isin 0 1119889 (3)
To avoid duplication we do not explicate the detailedattack basis but three stages of the attack are described inmore detail
32 Biclique Cryptanalysis of Piccolo-80
321 Phase 1 Key Partitioning For greater clarity we dividethe key into 264 groups which have 216 keys The 119870[00]enumerates 64-bit keys and fixes 16-bit keys with 016 Asdepicted in Section 23 each round has 32-bit subkey whichis generated by master keys K[i] and K[j] By investigatingthe subkey distribution (Table 3) an 8-dimensional bicliquestructure of 6 rounds is constructed by each right half of119870[4]and 119870[2] that is 119870[4]119877 and 119870[2]119877 We find 119870[4]119877 of theround key rk47 can offset 119870[4]119877 of the postwhitening key soit can decrease the data complexity greatly By calculation thecomputational complexity is optimal so far
The keys 119870[00] 119870[0119895] 119870[1198940] and 119870[119894119895] of each group aredepicted as shown below
119870[00] = [119883119883119883119883119883119860119883119883119883119860] where 119883 isin 0 18 119860 = 011990900
119870[0119895] = 119870[00] oplus [00 00 0119895 00 00]
where 119895 isin 0 18
4 Security and Communication Networks
Table 3 Key schedule of Piccolo
Piccolo-80 Piccolo-128Round i Round key Master key Round i Round key Master keyInitial (WK0WK1) (119870[0]119871 119870[1]119877 119870[1]119871 119870[0]119877) Initial (WK0WK1) (119870[0]119871 119870[1]119877 119870[1]119871 119870[0]119877)0 (rk0 rk1) (119870[2] 119870[3]) 0 (rk0 rk1) (119870[2] 119870[3])1 (rk2 rk3) (119870[0] 119870[1]) 1 (rk2 rk3) (119870[4] 119870[5])2 (rk4 rk5) (119870[2] 119870[3]) 2 (rk4 rk5) (119870[6] 119870[7])3 (rk6 rk7) (119870[4] 119870[4]) 3 (rk6 rk7) (119870[2] 119870[1])4 (rk8 rk9) (119870[0] 119870[1]) 4 (rk8 rk9) (119870[6] 119870[7])5 (rk10 rk11) (119870[2] 119870[3]) 5 (rk10 rk11) (119870[0] 119870[3])6 (rk12 rk13) (119870[0] 119870[1]) 6 (rk12 rk13) (119870[4] 119870[5]) 18 (rk36 rk37) (119870[4] 119870[4]) 24 (rk48 rk49) (119870[4] 119870[3])19 (rk38 rk39) (119870[0] 119870[1]) 25 (rk50 rk51) (119870[2] 119870[5])20 (rk40 rk41) (119870[2] 119870[3]) 26 (rk52 rk53) (119870[0] 119870[7])21 (rk42 rk43) (119870[0] 119870[1]) 27 (rk54 rk55) (119870[4] 119870[1])22 (rk44 rk45) (119870[2] 119870[3]) 28 (rk56 rk57) (119870[0] 119870[7])23 (rk46 rk47) (119870[4] 119870[4]) 29 (rk58 rk59) (119870[6] 119870[3])24 (rk48 rk49) (119870[0] 119870[1]) 30 (rk60 rk61) (119870[2] 119870[5])Final (WK2WK3) (119870[4]119871 119870[3]119877 119870[3]119871 119870[4]119877) Final (WK2WK3) (119870[4]119871 119870[7]119877 119870[7]119871 119870[4]119877)
119870[1198940] = 119870[00] oplus [00 00 00 00 0119894] where 119894 isin 0 18
(4)Finally
119870[119894119895] = 119870[00] oplus 119870[0119895] oplus 119870[1198940]= 119870[00] oplus [00 00 0119895 00 0119894]
(5)
Thus the space of119870 is divided into 264 groups of 216 keyseach
322 Phase 2 8-Dimensional Biclique Structure of 6 RoundsWe construct an 8-dimensional biclique structure of 6 roundsfor Piccolo-80 with whitening keys for each group (Fig-ure 2) The biclique structure connects 28 ciphertexts to 28intermediate states in each group of keys The process ofcalculating the ciphertexts and intermediate states consists ofthe following 3 steps
Step 1 Let 1198620 = 0(64) and decrypt 1198620 for 6 rounds to obtain1198780 (Figure 2(a)) that is 1198780 = 119891minus1119870[00](1198620) The procedure isnamed basic calculation
Step 2 In order to get the corresponding ciphertext 119862119894encrypt 1198780 using different keys 119870[1198940] for 119894 isin 0 18 (Fig-ure 2(c)) The differences between 119870[1198940] and 119870[00] can leadto the gray intermediate statesrsquo differences and cause thecomputational complexity The gray intermediate states needto be computed 28minus1 times whereas the remaining states arecalculated just once because they have been already computed
in Step 1 This step derives 119891(1198780) 119870[1198940]997888997888997888rarr 119862119894
Step 3 To get the corresponding states 119878119895 decrypt 1198620 usingdifferent keys 119870[0119895] for 119895 isin 0 18 (Figure 2(b)) Thedifferences between119870[0119895] and119870[00] can bring about the grayintermediate statesrsquo differences The gray intermediate statesneed to be computed 28 minus 1 times whereas the remaining
states have been already computed As a result119891minus1(1198620)119870[0119895]997888997888997888997888rarr
(119878119895) has been constructed
Thanks to the simplicity of the distribution of the subkeyof Piccolo the two differential paths do not share any active
state Fortunately it is so easy to verify that 119891(119878119895)119870[119894119895]997888997888997888rarr 119862119894 is
always true for all 119894 119895 isin 0 18 Up to now for each key groupwe get a corresponding 8-dimensional biclique structure asdiscussed above
From Figure 2 we find a weakness in the key scheduleof Piccolo-80 that is 119870[4]119877 of the round key rk47 canoffset 119870[4]119877 of the postwhitening key So it can reduce thedata complexity greatly The calculations of complexities arepresented in Section 42
323 Phase 3 Meeting in the Middle over 19 Rounds Choosea 16-bit internal state (119881 = 119865914) after F-Function in round9 as the intermediate matching variable (see Figure 3) Thechoice is made according to the total number of F-Functionand an effective filtering of the wrong keys Next we calculatethese matching variates in both directions in order to obtainthe accurate key
Backward Direction Each value of the state 119878119895 is decryptedunder the key 119870[0119895] to derive larr9978889978881198810119895
119870[0119895]larr997888997888997888997888 119878119895 After that
Security and Communication Networks 5
S0
C0
F
F
F
F
F
F
F
F
F
F
F
F
19
20
21
22
23
24K[4]LK[3]R
K[0]LK[0]R
K[2]LK[2]R
K[0]LK[0]R
K[2]LK[2]R
K[4]LK[4]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[1]LK[1]R
K[3]LK[3]R
K[4]LK[4]R
K[1]LK[1]R
K[3]LK[4]R
(a)
Sj
C0
F
F
F
F
F
F
F
F
F
F
F
F
K[4]LK[3]R
K[0]LK[0]R
K[2]LK[2]R
K[0]LK[0]R
K[2]LK[2]R
K[4]LK[4]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[1]LK[1]R
K[3]LK[3]R
K[4]LK[4]R
K[1]LK[1]R
K[3]LK[4]R
K|2|R
activ
e
(b)
S0
Ci
F
F
F
F
F
F
F
F
F
F
F
F
K[4]LK[3]R
K[0]LK[0]R
K[2]LK[2]R
K[0]LK[0]R
K[2]LK[2]R
K[4]LK[4]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[1]LK[1]R
K[3]LK[3]R
K[4]LK[4]R
K[1]LK[1]R
K[3]LK[4]R
rk47
rk49
WK2 WK3
K|4|R
activ
e
(c)
Figure 2 6-round biclique construction of dimension 8 in Piccolo-80
119878119895 is decrypted using all the possible 2119889 minus 1 keys 119870[119894119895] toget larr997888997888119881119894119895
119870[119894119895]larr997888997888997888 119878119895 Because of the same beginning the key dif-ferences between119870[0119895] and119870[119894119895] can cause the computationalcomplexity On Figure 3(b) the gray bytes are active and thewhite bytes need not be computed
Forward Direction The procedure of forward direction is abit more complex than the backward direction in calculationFirstly we decrypt the ciphertexts 119862119894 for 119894 isin 0 18 toobtain 28 plaintexts 119875119894 Secondly each 119875119894 is encrypted under
the key 119870[1198940] to derive 119875119894 119870[1198940]997888997888997888rarr 997888997888rarr1198811198940 After that 119875119894 isencrypted using all the possible 2119889 minus 1 keys 119870[119894119895] to obtain
119875119894119870[119894119895]997888997888997888rarr 997888997888rarr119881119894119895 The differences between 119870[1198940] and 119870[119894119895] can
influence the computational complexity On Figure 3(a)the gray bytes are active and the white bytes need not becomputed
Search Candidates In the last session of the attack theadversary verifies the rest candidate key by the equality of 997888997888rarr119881119894119895andlarr997888997888119881119894119895 for all 119894 119895 isin 0 18 in each group exhaustively untilthe right key is discovered
33 Biclique Cryptanalysis of Piccolo-128
331 Phase 1 Key Partitioning We divide the 128-bit keyinto 2112 groups 119870[00] enumerates 112-bit keys and fixes 16-bit keys with 016 By investigating the subkey distribution(Table 3) an 8-dimensional biclique structure of 7 rounds isconstructed by each left half of 119870[6] and 119870[7] that is 119870[6]119871and119870[7]119871 The computational complexity of this structure isless than othersrsquo
Similar to Piccolo-80 the keys 119870[00] 119870[0119895] 119870[1198940] and119870[119894119895] of each group are depicted as shown below
119870[00] = [119883119883119883119883119883119883119883119883119883119883119883119883119860119883119860119883] where 119883 isin 0 18 119860 = 011990900
119870[0119895] = 119870[00] oplus [00 00 00 00 00 00 00 1198950] where 119895 isin 0 18
119870[1198940] = 119870[00] oplus [00 00 00 00 00 00 1198940 00] where 119894 isin 0 18
(6)
6 Security and Communication Networks
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
1
0
2
3
4
5
6
7
8
9
K[0]LK[1]R
K[2]LK[2]R
K[0]LK[0]R
K[2]LK[2]R
K[4]LK[4]R
K[0]LK[0]R
K[1]LK[0]R
K[3]LK[3]R
K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R
K[4]LK[4]RK[4]LK[4]R
K[1]LK[1]R
K|2|R
activ
e
Pi
Pi
K[i j]Vij
Is computed onceIs computed 28 times
(a)
Sj
Sj
F F
F F
F F
F F
F F
F F
F F
F F
F F10
11
12
13
14
15
16
17
18
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K[4]LK[4]R K[4]LK[4]R
K|4|R
activ
e
K[i j]Vij
Is computed onceIs computed 28 times
(b)
Figure 3 Recomputations in MITM for Piccolo-80
Security and Communication Networks 7
F F
F F
F F
F F
F F
F F
F F
25
24
26
27
28
29
30
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[2]LK[2]R K[5]LK[5]R
K[4]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R
K[6]LK[6]R
K[5]LK[5]R
K[7]LK[7]R
S0
C0
(a)
F F
F F
F F
F F
F F
F F
F F
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[2]LK[2]R K[5]LK[5]R
K[4]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R
K[6]LK[6]R
K[5]LK[5]R
K[7]LK[7]R
Sj
C0
K|7|L
activ
e
(b)
F F
F F
F F
F F
F F
F F
F F
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[2]LK[2]R K[5]LK[5]R
K[4]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R
K[6]LK[6]R
K[5]LK[5]R
K[7]LK[7]R
S0
Ci
K|6|L
activ
e
(c)
Figure 4 7-round biclique construction of dimension 8 in Piccolo-128
Finally
119870[119894119895] = 119870[00] oplus 119870[0119895] oplus 119870[1198940]= 119870[00] oplus [00 00 00 00 00 00 1198940 1198950]
(7)
Thus the key space of K is divided into 2112 groups of 216keys each
332 Phase 2 8-Dimensional Biclique Structure of 7 RoundsWe construct an 8-dimensional biclique structure of 7 roundsfor Piccolo-128 for each group (Figure 4) Here 119892 is subci-phers for round 24sim30 and 119892minus1 is the inverse of 119892The processof calculating the ciphertexts and intermediate states consistsof the following 3 steps
Step 1 Let 1198620 = 0(64) and decrypt 1198620 for 7 rounds to obtain1198780 (Figure 4(a)) that is 1198780 = 119892minus1119870[00](1198620)Step 2 Encrypt 1198780 using different keys 119870[1198940] for 119894 isin 0 18(Figure 4(c)) The differences between 119870[1198940] and 119870[00] can
influence the gray intermediate statesrsquo differences This step
derives 119892(1198780) 119870[1198940]997888997888997888rarr 119862119894Step 3 Decrypt 1198620 using different keys 119870[0119895] for 119895 isin 0 18(Figure 4(b)) The differences between 119870[0119895] and 119870[00] canbring about the gray intermediate statesrsquo differences As a
result 119892minus1(1198620)119870[0119895]997888997888997888997888rarr (119878119895) has been constructed
Thanks to the simplicity of the distribution of the subkey
of Piccolo-128 it is also very easy to verify that 119892(119878119895)119870[119894119895]997888997888997888rarr
119862119894 is always true for all 119894 119895 isin 0 18 Up to now for eachkey group we get a corresponding 8-dimensional bicliquestructure
333 Phase 3 Meeting in the Middle over 24 Rounds Select a16-bit internal state (119880 = 1198651214) after F-Function in round 12as the intermediatematching variable (see Figure 5) Next wecalculate these matching variates in both directions in orderto obtain the right key
8 Security and Communication Networks
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
1
0
2
3
4
5
678
9
10
11
12
K[0]LK[0]R
K[1]LK[1]R
K[1]LK[1]R
K[2]LK[2]R
K[2]LK[2]R
K[2]LK[2]R
K[3]LK[3]R
K[1]LK[0]RK[0]LK[1]R
K[3]LK[3]R
K[0]LK[0]R K[3]LK[3]R
K[0]LK[0]R K[3]LK[3]R
K[4]LK[4]R
K[4]LK[4]R
Pi
Pi
K[i j]
K[5]LK[5]R
K[6]LK[6]R K[7]LK[7]R
K[6]LK[6]R K[7]LK[7]R
K[7]LK[7]R
K|7|L
activ
e
Uij
Is computed onceIs computed 28 times
(a)
Sj
Sj
F F
F F
F F
F F
F F
F F
F F
F F13
14
15
16
171819
20
21
22
23
K[1]LK[1]R
K[1]LK[1]R
K[2]LK[2]R
K[2]LK[2]R
K[0]LK[0]R
K[0]LK[0]R
K[3]LK[3]RK[4]LK[4]R
K[i j]
K[5]LK[5]R
K[5]LK[5]RK[6]LK[6]R
K[6]LK[6]R
K[6]LK[6]R
K[7]LK[7]R
K[7]LK[7]R
K[7]LK[7]R
K|6|L
activ
e
Is computed onceIs computed 28 times
Uij
(b)
Figure 5 Recomputations in MITM for Piccolo-128
Backward Direction Each value of the state 119878119895 is decrypt-
ed under the key 119870[0119895] to obtain larr9978889978881198800119895119870[0119895]larr997888997888997888997888 119878119895 After
that 119878119895 is decrypted using all the possible 2119889 minus 1 keys
119870[119894119895] to get larr997888997888119880119894119895119870[119894119895]larr997888997888997888 119878119895 On Figure 5(b) the gray
bytes are active and the white bytes do not need to becomputed
Forward Direction Firstly we decrypt the ciphertexts 119862119894 for119894 isin 0 18 to obtain 28 plaintexts 119875119894 Secondly each 119875119894 isencrypted under the key 119870[1198940] to obtain 119875119894 119870[1198940]997888997888997888rarr 997888997888rarr1198801198940 Then119875119894 is encrypted using all the possible 2119889 minus 1 keys 119870[119894119895] to get
119875119894119870[119894119895]997888997888997888rarr 997888997888rarr119880119894119895 On Figure 5(a) the gray bytes are active and the
white bytes do not need to be computed
Security and Communication Networks 9
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
26
27
28
29
30
Sj
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
S0 S0
C0 C0
K|6|L
activ
e
K|2|L
activ
e
Ci[0] Ci[1] Ci[2] Ci[3]
Figure 6 5-round biclique construction of dimension 8 in Piccolo-128
Search Candidates In the last session of the attack theadversary verifies the equality of 997888997888rarr119880119894119895 and larr997888997888119880119894119895 for all 119894 119895 isin0 18 to discover the correct key34 Another Biclique Cryptanalysis of Piccolo-128 Similar toSection 33 we construct an 8-dimensional biclique structureof 5 rounds (26sim30) for Piccolo-128 by each left half of 119870[6]and119870[2] that is 119870[6]119871 and119870[2]119871 (Figure 6)
In the phase of meeting in the middle over 26 rounds weselect a 16-bit internal state (119880 = 1198651314) after F-Function inround 13 as the intermediate matching variable
4 Complexities
41 Comments on the Result of [15] Jeong et al appliedbiclique cryptanalysis to the lightweight block ciphers LEDPiccolo and PRESENT in [15] They used the concept ofindependent-biclique which included constructing bicliquestructure by independent related-key differentials andmatch-ing with precomputations They found a limited and slowdiffusion of the subkey distribution and encryption processAs a result their attacks can discover the master key withcomputational complexities superior to an exhaustive searchHowever we find two faults of their biclique cryptanalysis ofPiccolo as follows
(1) Jeong et al found that 119870[4]119871 and 119870[2]119871 gave theconstruction of an 8-dimensional biclique which was shownin Figure 10 of [15] The Δ 119894-differential affected only 6 bytes(119862[0]119871 119862[1]119871 119862[1]119877 119862[2]119871 119862[3]119871 and 119862[3]119877) which isdrawn on Figure 7(a) (including the grid line byte) in this
paper As a result the data complexity does not go beyond248
In the attack shown in Figure 7 it is clear that the left halfof the round key rk46 can offset the left half of WK2 (thepostwhitening key) that is there is no difference in the gridline byte (119862[0]119871) Based on this the biclique cryptanalysis ofJeong et al goes wrong
So the Δ 119894-differential affects only 5 bytes (119862[1]119871 119862[1]119877119862[2]119871 119862[3]119871 and 119862[3]119877) of the ciphertext and the datacomplexity does not go beyond 240 The correct differencepath does not include the grid line byte (119862[0]119871)
(2) Jeong et al thought that only 2 bytes were activein the decryption of 17th round in backward direction forPiccolo-80 of recomputation shown in Figure 11 of [15] 13F-Functions (without the grid line) were computed 28 timesand 4 F-Functions were computed once They are drawn onFigure 7(b) in this paper Then the total complexity of thisstep is 28 times (28 times 13 + 4) F-Functions
It is clear that 6 bytes of intermediate are active in thedecryption of 17th round in backward direction for Piccolo-80 of recomputation and all bytes are active of 16th roundBased on these their computational complexity of this stepgoes wrong
So 15 F-Functions (including the grid line) are computed28 times and 2 F-Functions are computed onceThen the totalcomplexity of this step is 28 times (28 times 15 + 2) F-Functions Thecorrect difference path includes the grid line bytes
Similarly 3 bytes but not one byte are active in thedecryption of 22nd round in backward direction for Piccolo-128 of recomputation and they are shown in Figure 13 of [15]
10 Security and Communication Networks
F F
F F
F F
F F
F F
F F
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K|4|L
activ
e
K[4]LK[3]R K[3]LK[4]Rrk48 rk49
rk46 rk47
WK2 WK3
19
20
21
22
23
24
S0
C[0] C[1] C[2] C[3]
(a)
F F
F F
F F
F F
F F
F F10
11
12
131415
16
17
18
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K|4|L
activ
e
(b)
Figure 7 Revision of the other solutions
20 rather than 18 F-Functions are computed 28 times and 3instead of 5 F-Functions are computed once
42 Complexities of Biclique Cryptanalysis on Piccolo-80
421 Data Complexity By analyzing the key schedule wefind a weakness in the key schedule on Piccolo-80 that is theround key rk47 can offset the postwhitening key partially (seeFigure 2) Based on this the data complexity can be reducedgreatly
The amount of ciphertexts to be decrypted dominates thedata complexity (Figure 2) For each biclique structure let1198620 = 0(64) All the ciphertexts share the equal values in 3bytes (119862119894[0] 119862119894[4] and 119862119894[5] ie white bytes) so the datacomplexity does not go beyond 240422 Computational Complexity The amount of the F-Functions to be computed determines the attack complexityEach round of Piccolo-80 takes 2 F-Functions computationsSo the single encryption equals computed 25 times 2 = 50F-Functions For each of 264 groups of keys the followingcalculation should be completed
Biclique Complexity 5 F-Functions (Figure 2(b) noted withgray) need to be computed 28 times and 2 F-Functions
(Figure 2(c) noted with gray) need to be computed 28times The remaining 5 F-Functions are computed onlyonce Thus this stage requires 28 times 7 + 5 F-Functionscomputations in total Then the computational complexityof a biclique structure is about 2517 full round Piccolo-80encryptions
Matching Complexity In forward direction the differencesbetween 119870[1198940] and 119870[119894119895] dominate the computational com-plexity On Figure 3(a) for a single 119875119894 14 F-Functions (notedwith gray) are computed 28 times 3 F-Functions (noted withgrid line) are computed only once and 3 F-Functions (notedwith white) do not need to be computed So the complexityof this process is 28times(28times14+3) F-Functions which is about21416 full round Piccolo-80 encryptions
In backward direction on Figure 3(b) for a single 119878119895 15F-Functions (noted with gray) are computed 28 times 2 F-Functions (noted with grid line) are computed only onceand 1 F-Function (noted with white) need not be computedSo the complexity of this process is 28 times (28 times 15 + 2)F-Functions which is about 21426 full round Piccolo-80encryptions
Finally 216 key candidates are verified by a matchingvariable (16 bits) in each group and the average of 216minus16 = 1candidate key needs to be rechecked
Security and Communication Networks 11
Thus the total computational complexity of this attack onPiccolo-80 is
119862 = 264 times (2517 + 21416 + 21426 + 1) asymp 27922 (8)
43 Complexities of Biclique Cryptanalysis on Piccolo-128
431 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 5 bytes(119862119894[1] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie white bytes) so thedata complexity does not go beyond 224 (See Figure 4)
432 Computational Complexity Each round of Piccolo-128takes 2 F-Functions computations So the single encryptionequals computed 31 times 2 = 62 F-Functions For each of2112 groups of keys the following calculation should becompleted
Biclique Complexity 13 F-Functions (Figure 4(b) noted withgray) need to be computed 28 times and 1 F-Function(Figure 4(c) noted with gray) needs to be computed 28 timesThus this stage requires 28 times 14 F-Functions computationsin total Then the computational complexity of a bicliquestructure is about 2585 full round Piccolo-128 encryptions
Matching Complexity In forward direction for a single 119875119894 16F-Functions (noted with gray) are computed 28 times 7 F-Functions (noted with grid line) are computed only once and3 F-Functions (notedwithwhite) do not need to be computedon Figure 5(a) So the complexity of this process is 28 times (28 times16 + 7) F-Functions which is about 21405 full round Piccolo-128 encryptions
In backward direction for a single 119878119895 18 F-functions(noted with gray) are computed 28 times 3 F-functions(noted with grid line) are computed only once and 1 F-Function (noted with white) need not be computed onFigure 5(b) So the complexity of this process is 28 times (28 times18 + 3) F-Functions which is about 21422 full round Piccolo-128 encryptions
Finally 216 key candidates are verified by a matchingvariate (16 bits) in each group and the average of 216minus16 = 1candidate key needs to be rechecked
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2585 + 21408 + 21422 + 1) asymp 212714 (9)
44 Complexities of Another Biclique Cryptanalysis on Piccolo-128
441 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 7 bytes(119862119894[0] 119862119894[1] 119862119894[3] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie whitebytes) so the data complexity does not go beyond 28 (SeeFigure 6)
442 Computational Complexity
Biclique ComplexityThis stage requires 28times5+5 F-Functionscomputations in total Then the computational complexityof a biclique structure is about 2438 full round Piccolo-128encryptions
Matching Complexity In forward direction the complexityis 28 times (28 times 18 + 7) F-Functions which is about 21422 fullround Piccolo-128 encryptions In backward direction thecomplexity is 28 times (28 times 20 + 3) F-Functions which is about21437 full round Piccolo-128 encryptions
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2438 + 21422 + 21437 + 1) asymp 212730 (10)
5 Conclusion
Designers have given several attacks including linear crypt-analysis impossible differential cryptanalysis and MITMattack on security analysis for Piccolo The best result was 3-subset MITM attacks on 1421-round Piccolo-80128 withoutthe whitening key The previous results and our results aresummarized on Piccolo in Tables 1 and 2 Some results didnot includewhitening key some attackswere reduced-roundHowever our results are full round Piccolo-80128
By analyzing the distribution of the subkey and thestructure of encryption we find two faults of the results in [15]and a weakness in the key schedule on Piccolo-80 The twofaults are depicted in Section 41 The weakness on Piccolo-80 is that the right half of the round key rk47 can offset theright half of the postwhitening key WK3 (Figure 2(c)) Basedon this the data complexity can be decreased greatly
We use biclique cryptanalysis to recover the masterkey for the full round Piccolo-80 with a 6-round bicliqueand the full round Piccolo-128 with a 7-round bicliquerespectively The attacks require data complexity of 240 and224 chosen ciphertexts and computational complexity of 27922and 212714 respectively These results are superior to otherbiclique cryptanalytic results on Piccolo
This result is that the biclique technology can attack someciphers with simple key schedule and slow diffusion So thedesigners of lightweight ciphers need to consider not only theimplementation efficiency but also key schedule complexityand diffusion speed
Conflicts of Interest
None of the authors declare any conflicts of interest
Acknowledgments
This work is partially supported by National Natural Sci-ence Foundation of China (nos 61272434 61672330 and61602287) and Nature Science Foundation of ShandongProvince (no ZR2013FQ021)
12 Security and Communication Networks
References
[1] A Bogdanov D Khovratovich and C Rechberger ldquoBicliquecryptanalysis of the full AESrdquo in Advances in CryptologymdashASIACRYPT 2011 vol 7073 of Lecture Notes in Comput Sci pp344ndash371 Springer Heidelberg Germany 2011
[2] Y Wang WWu and X Yu ldquoBiclique cryptanalysis of reduced-round piccolo block cipherrdquo in Proceedings of the 8th Interna-tional Conference on Information Security Practice and Experi-ence (ISPEC rsquo12) M R Dermot S Ben and G Wang Eds vol7232 ofLectureNotes inComputer Science pp 337ndash352 SpringerHeidelberg Germany 2012
[3] D Khovratovich G Leurent and C Rechberger ldquoNarrow-bicliques cryptanalysis of full IDEArdquo in Proceedings of the 31stAnnual International Conference on theTheory and Applicationsof Cryptographic Techniques (EUROCRYPT rsquo12) Lecture Notesin Computer Science pp 392ndash410 Springer Heidelberg Ger-many 2012
[4] D Hong B Koo and D Kwon ldquoBiclique attack on the fullHIGHTrdquo in Information Security and CryptologymdashICISC 2011vol 7259 of Lecture Notes in Computer Science pp 365ndash374Springer Berlin Germany 2012
[5] J Song K Lee and H Lee ldquoBiclique cryptanalysis onlightweight block cipher HIGHT and Piccolordquo InternationalJournal of ComputerMathematics vol 90 no 12 pp 2564ndash25802013
[6] F Abed C Forler E List S Lucks and J Wenzel ldquoBicliquecryptanalysis of the PRESENT and LED lightweight ciphersrdquoTech Rep 2012591 Cryptology ePrint Archive 2012
[7] M Sereshgi andM Shakiba ldquoBiclique cryptanalysis ofMIBS-80and PRESENT-80 block ciphersrdquo Security and CommunicationNetworks vol 9 no 1 pp 27ndash33 2016
[8] O Ozen K Varıcı C Tezcan and C Kocair ldquoLightweight blockciphers revisited cryptanalysis of reduced round PRESENTand HIGHTrdquo in Information Security and Privacy vol 5594 ofLecture Notes in Computer Science pp 90ndash107 Springer BerlinGermany 2009
[9] Y F Wang and W L Wu ldquoMeet-in-the-middle attack onTWINE block cipherrdquo Journal of Software vol 26 no 10 pp2684ndash2695 2015 (Chinese)
[10] M Coban F Karakoc and O Biztas ldquoBiclique cryptanalysis ofTWINErdquo Tech Rep 2012422 Cryptology ePrint Archive 2012
[11] ZAhmadianM Salmasizadeh andMRAref ldquoBiclique crypt-analysis of the full-round KLEIN block cipherrdquo IET InformationSecurity vol 9 no 5 pp 294ndash301 2015
[12] W Diffie and M E Hellman ldquoExhaustive Cryptanalysis of theNBS Data Encryption Standardrdquo Computer vol 10 no 6 pp74ndash84 1977
[13] Y Sasaki ldquoMeet-in-the-middle preimage attacks on AES hash-ingmodes and an application towhirlpoolrdquo inProceedings of theInternational Workshop on Fast Software Encryption (FSE rsquo11)A Joux Ed vol 6733 of Lecture Notes in Computer Science pp378ndash396 Springer Heidelberg Germany 2011
[14] K Shibutani T Isobe H Hiwatari A Mitsuda T Akishitaand T Shirai ldquoPiccolo an ultra-lightweight blockcipherrdquo inProceedings of the 13th InternationalWorkshop on CryptographicHardware and Embedded Systems (CHES rsquo11) B Preneel and TTakagi Eds vol 6917 of Lecture Notes in Computer Science pp342ndash357 Springer Heidelberg Germany 2011
[15] K Jeong H Kang C Lee J Sung and S Hong ldquoBicliquecryptanalysis of lightweight block ciphers PRESENT piccoloand LEDrdquo Tech Rep 2012621 Cryptology ePrint Archive 2012
[16] W Zhang J Zhang and X Zheng ldquoSome observations onthe lightweight block cipher piccolo-80rdquo in Proceedings of the6th International Conference on Trusted Systems (INTRUST rsquo14)vol 9473 of Lecture Notes in Computer Science pp 364ndash373Springer Cham Switzerland 2015
[17] T Isobe and K Shibutani ldquoSecurity analysis of the lightweightblock ciphers XTEA LED and piccolordquo in Information Securityand Privacy vol 7372 pp 71ndash86 Springer Berlin Germany2012
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
4 Security and Communication Networks
Table 3 Key schedule of Piccolo
Piccolo-80 Piccolo-128Round i Round key Master key Round i Round key Master keyInitial (WK0WK1) (119870[0]119871 119870[1]119877 119870[1]119871 119870[0]119877) Initial (WK0WK1) (119870[0]119871 119870[1]119877 119870[1]119871 119870[0]119877)0 (rk0 rk1) (119870[2] 119870[3]) 0 (rk0 rk1) (119870[2] 119870[3])1 (rk2 rk3) (119870[0] 119870[1]) 1 (rk2 rk3) (119870[4] 119870[5])2 (rk4 rk5) (119870[2] 119870[3]) 2 (rk4 rk5) (119870[6] 119870[7])3 (rk6 rk7) (119870[4] 119870[4]) 3 (rk6 rk7) (119870[2] 119870[1])4 (rk8 rk9) (119870[0] 119870[1]) 4 (rk8 rk9) (119870[6] 119870[7])5 (rk10 rk11) (119870[2] 119870[3]) 5 (rk10 rk11) (119870[0] 119870[3])6 (rk12 rk13) (119870[0] 119870[1]) 6 (rk12 rk13) (119870[4] 119870[5]) 18 (rk36 rk37) (119870[4] 119870[4]) 24 (rk48 rk49) (119870[4] 119870[3])19 (rk38 rk39) (119870[0] 119870[1]) 25 (rk50 rk51) (119870[2] 119870[5])20 (rk40 rk41) (119870[2] 119870[3]) 26 (rk52 rk53) (119870[0] 119870[7])21 (rk42 rk43) (119870[0] 119870[1]) 27 (rk54 rk55) (119870[4] 119870[1])22 (rk44 rk45) (119870[2] 119870[3]) 28 (rk56 rk57) (119870[0] 119870[7])23 (rk46 rk47) (119870[4] 119870[4]) 29 (rk58 rk59) (119870[6] 119870[3])24 (rk48 rk49) (119870[0] 119870[1]) 30 (rk60 rk61) (119870[2] 119870[5])Final (WK2WK3) (119870[4]119871 119870[3]119877 119870[3]119871 119870[4]119877) Final (WK2WK3) (119870[4]119871 119870[7]119877 119870[7]119871 119870[4]119877)
119870[1198940] = 119870[00] oplus [00 00 00 00 0119894] where 119894 isin 0 18
(4)Finally
119870[119894119895] = 119870[00] oplus 119870[0119895] oplus 119870[1198940]= 119870[00] oplus [00 00 0119895 00 0119894]
(5)
Thus the space of119870 is divided into 264 groups of 216 keyseach
322 Phase 2 8-Dimensional Biclique Structure of 6 RoundsWe construct an 8-dimensional biclique structure of 6 roundsfor Piccolo-80 with whitening keys for each group (Fig-ure 2) The biclique structure connects 28 ciphertexts to 28intermediate states in each group of keys The process ofcalculating the ciphertexts and intermediate states consists ofthe following 3 steps
Step 1 Let 1198620 = 0(64) and decrypt 1198620 for 6 rounds to obtain1198780 (Figure 2(a)) that is 1198780 = 119891minus1119870[00](1198620) The procedure isnamed basic calculation
Step 2 In order to get the corresponding ciphertext 119862119894encrypt 1198780 using different keys 119870[1198940] for 119894 isin 0 18 (Fig-ure 2(c)) The differences between 119870[1198940] and 119870[00] can leadto the gray intermediate statesrsquo differences and cause thecomputational complexity The gray intermediate states needto be computed 28minus1 times whereas the remaining states arecalculated just once because they have been already computed
in Step 1 This step derives 119891(1198780) 119870[1198940]997888997888997888rarr 119862119894
Step 3 To get the corresponding states 119878119895 decrypt 1198620 usingdifferent keys 119870[0119895] for 119895 isin 0 18 (Figure 2(b)) Thedifferences between119870[0119895] and119870[00] can bring about the grayintermediate statesrsquo differences The gray intermediate statesneed to be computed 28 minus 1 times whereas the remaining
states have been already computed As a result119891minus1(1198620)119870[0119895]997888997888997888997888rarr
(119878119895) has been constructed
Thanks to the simplicity of the distribution of the subkeyof Piccolo the two differential paths do not share any active
state Fortunately it is so easy to verify that 119891(119878119895)119870[119894119895]997888997888997888rarr 119862119894 is
always true for all 119894 119895 isin 0 18 Up to now for each key groupwe get a corresponding 8-dimensional biclique structure asdiscussed above
From Figure 2 we find a weakness in the key scheduleof Piccolo-80 that is 119870[4]119877 of the round key rk47 canoffset 119870[4]119877 of the postwhitening key So it can reduce thedata complexity greatly The calculations of complexities arepresented in Section 42
323 Phase 3 Meeting in the Middle over 19 Rounds Choosea 16-bit internal state (119881 = 119865914) after F-Function in round9 as the intermediate matching variable (see Figure 3) Thechoice is made according to the total number of F-Functionand an effective filtering of the wrong keys Next we calculatethese matching variates in both directions in order to obtainthe accurate key
Backward Direction Each value of the state 119878119895 is decryptedunder the key 119870[0119895] to derive larr9978889978881198810119895
119870[0119895]larr997888997888997888997888 119878119895 After that
Security and Communication Networks 5
S0
C0
F
F
F
F
F
F
F
F
F
F
F
F
19
20
21
22
23
24K[4]LK[3]R
K[0]LK[0]R
K[2]LK[2]R
K[0]LK[0]R
K[2]LK[2]R
K[4]LK[4]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[1]LK[1]R
K[3]LK[3]R
K[4]LK[4]R
K[1]LK[1]R
K[3]LK[4]R
(a)
Sj
C0
F
F
F
F
F
F
F
F
F
F
F
F
K[4]LK[3]R
K[0]LK[0]R
K[2]LK[2]R
K[0]LK[0]R
K[2]LK[2]R
K[4]LK[4]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[1]LK[1]R
K[3]LK[3]R
K[4]LK[4]R
K[1]LK[1]R
K[3]LK[4]R
K|2|R
activ
e
(b)
S0
Ci
F
F
F
F
F
F
F
F
F
F
F
F
K[4]LK[3]R
K[0]LK[0]R
K[2]LK[2]R
K[0]LK[0]R
K[2]LK[2]R
K[4]LK[4]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[1]LK[1]R
K[3]LK[3]R
K[4]LK[4]R
K[1]LK[1]R
K[3]LK[4]R
rk47
rk49
WK2 WK3
K|4|R
activ
e
(c)
Figure 2 6-round biclique construction of dimension 8 in Piccolo-80
119878119895 is decrypted using all the possible 2119889 minus 1 keys 119870[119894119895] toget larr997888997888119881119894119895
119870[119894119895]larr997888997888997888 119878119895 Because of the same beginning the key dif-ferences between119870[0119895] and119870[119894119895] can cause the computationalcomplexity On Figure 3(b) the gray bytes are active and thewhite bytes need not be computed
Forward Direction The procedure of forward direction is abit more complex than the backward direction in calculationFirstly we decrypt the ciphertexts 119862119894 for 119894 isin 0 18 toobtain 28 plaintexts 119875119894 Secondly each 119875119894 is encrypted under
the key 119870[1198940] to derive 119875119894 119870[1198940]997888997888997888rarr 997888997888rarr1198811198940 After that 119875119894 isencrypted using all the possible 2119889 minus 1 keys 119870[119894119895] to obtain
119875119894119870[119894119895]997888997888997888rarr 997888997888rarr119881119894119895 The differences between 119870[1198940] and 119870[119894119895] can
influence the computational complexity On Figure 3(a)the gray bytes are active and the white bytes need not becomputed
Search Candidates In the last session of the attack theadversary verifies the rest candidate key by the equality of 997888997888rarr119881119894119895andlarr997888997888119881119894119895 for all 119894 119895 isin 0 18 in each group exhaustively untilthe right key is discovered
33 Biclique Cryptanalysis of Piccolo-128
331 Phase 1 Key Partitioning We divide the 128-bit keyinto 2112 groups 119870[00] enumerates 112-bit keys and fixes 16-bit keys with 016 By investigating the subkey distribution(Table 3) an 8-dimensional biclique structure of 7 rounds isconstructed by each left half of 119870[6] and 119870[7] that is 119870[6]119871and119870[7]119871 The computational complexity of this structure isless than othersrsquo
Similar to Piccolo-80 the keys 119870[00] 119870[0119895] 119870[1198940] and119870[119894119895] of each group are depicted as shown below
119870[00] = [119883119883119883119883119883119883119883119883119883119883119883119883119860119883119860119883] where 119883 isin 0 18 119860 = 011990900
119870[0119895] = 119870[00] oplus [00 00 00 00 00 00 00 1198950] where 119895 isin 0 18
119870[1198940] = 119870[00] oplus [00 00 00 00 00 00 1198940 00] where 119894 isin 0 18
(6)
6 Security and Communication Networks
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
1
0
2
3
4
5
6
7
8
9
K[0]LK[1]R
K[2]LK[2]R
K[0]LK[0]R
K[2]LK[2]R
K[4]LK[4]R
K[0]LK[0]R
K[1]LK[0]R
K[3]LK[3]R
K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R
K[4]LK[4]RK[4]LK[4]R
K[1]LK[1]R
K|2|R
activ
e
Pi
Pi
K[i j]Vij
Is computed onceIs computed 28 times
(a)
Sj
Sj
F F
F F
F F
F F
F F
F F
F F
F F
F F10
11
12
13
14
15
16
17
18
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K[4]LK[4]R K[4]LK[4]R
K|4|R
activ
e
K[i j]Vij
Is computed onceIs computed 28 times
(b)
Figure 3 Recomputations in MITM for Piccolo-80
Security and Communication Networks 7
F F
F F
F F
F F
F F
F F
F F
25
24
26
27
28
29
30
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[2]LK[2]R K[5]LK[5]R
K[4]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R
K[6]LK[6]R
K[5]LK[5]R
K[7]LK[7]R
S0
C0
(a)
F F
F F
F F
F F
F F
F F
F F
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[2]LK[2]R K[5]LK[5]R
K[4]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R
K[6]LK[6]R
K[5]LK[5]R
K[7]LK[7]R
Sj
C0
K|7|L
activ
e
(b)
F F
F F
F F
F F
F F
F F
F F
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[2]LK[2]R K[5]LK[5]R
K[4]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R
K[6]LK[6]R
K[5]LK[5]R
K[7]LK[7]R
S0
Ci
K|6|L
activ
e
(c)
Figure 4 7-round biclique construction of dimension 8 in Piccolo-128
Finally
119870[119894119895] = 119870[00] oplus 119870[0119895] oplus 119870[1198940]= 119870[00] oplus [00 00 00 00 00 00 1198940 1198950]
(7)
Thus the key space of K is divided into 2112 groups of 216keys each
332 Phase 2 8-Dimensional Biclique Structure of 7 RoundsWe construct an 8-dimensional biclique structure of 7 roundsfor Piccolo-128 for each group (Figure 4) Here 119892 is subci-phers for round 24sim30 and 119892minus1 is the inverse of 119892The processof calculating the ciphertexts and intermediate states consistsof the following 3 steps
Step 1 Let 1198620 = 0(64) and decrypt 1198620 for 7 rounds to obtain1198780 (Figure 4(a)) that is 1198780 = 119892minus1119870[00](1198620)Step 2 Encrypt 1198780 using different keys 119870[1198940] for 119894 isin 0 18(Figure 4(c)) The differences between 119870[1198940] and 119870[00] can
influence the gray intermediate statesrsquo differences This step
derives 119892(1198780) 119870[1198940]997888997888997888rarr 119862119894Step 3 Decrypt 1198620 using different keys 119870[0119895] for 119895 isin 0 18(Figure 4(b)) The differences between 119870[0119895] and 119870[00] canbring about the gray intermediate statesrsquo differences As a
result 119892minus1(1198620)119870[0119895]997888997888997888997888rarr (119878119895) has been constructed
Thanks to the simplicity of the distribution of the subkey
of Piccolo-128 it is also very easy to verify that 119892(119878119895)119870[119894119895]997888997888997888rarr
119862119894 is always true for all 119894 119895 isin 0 18 Up to now for eachkey group we get a corresponding 8-dimensional bicliquestructure
333 Phase 3 Meeting in the Middle over 24 Rounds Select a16-bit internal state (119880 = 1198651214) after F-Function in round 12as the intermediatematching variable (see Figure 5) Next wecalculate these matching variates in both directions in orderto obtain the right key
8 Security and Communication Networks
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
1
0
2
3
4
5
678
9
10
11
12
K[0]LK[0]R
K[1]LK[1]R
K[1]LK[1]R
K[2]LK[2]R
K[2]LK[2]R
K[2]LK[2]R
K[3]LK[3]R
K[1]LK[0]RK[0]LK[1]R
K[3]LK[3]R
K[0]LK[0]R K[3]LK[3]R
K[0]LK[0]R K[3]LK[3]R
K[4]LK[4]R
K[4]LK[4]R
Pi
Pi
K[i j]
K[5]LK[5]R
K[6]LK[6]R K[7]LK[7]R
K[6]LK[6]R K[7]LK[7]R
K[7]LK[7]R
K|7|L
activ
e
Uij
Is computed onceIs computed 28 times
(a)
Sj
Sj
F F
F F
F F
F F
F F
F F
F F
F F13
14
15
16
171819
20
21
22
23
K[1]LK[1]R
K[1]LK[1]R
K[2]LK[2]R
K[2]LK[2]R
K[0]LK[0]R
K[0]LK[0]R
K[3]LK[3]RK[4]LK[4]R
K[i j]
K[5]LK[5]R
K[5]LK[5]RK[6]LK[6]R
K[6]LK[6]R
K[6]LK[6]R
K[7]LK[7]R
K[7]LK[7]R
K[7]LK[7]R
K|6|L
activ
e
Is computed onceIs computed 28 times
Uij
(b)
Figure 5 Recomputations in MITM for Piccolo-128
Backward Direction Each value of the state 119878119895 is decrypt-
ed under the key 119870[0119895] to obtain larr9978889978881198800119895119870[0119895]larr997888997888997888997888 119878119895 After
that 119878119895 is decrypted using all the possible 2119889 minus 1 keys
119870[119894119895] to get larr997888997888119880119894119895119870[119894119895]larr997888997888997888 119878119895 On Figure 5(b) the gray
bytes are active and the white bytes do not need to becomputed
Forward Direction Firstly we decrypt the ciphertexts 119862119894 for119894 isin 0 18 to obtain 28 plaintexts 119875119894 Secondly each 119875119894 isencrypted under the key 119870[1198940] to obtain 119875119894 119870[1198940]997888997888997888rarr 997888997888rarr1198801198940 Then119875119894 is encrypted using all the possible 2119889 minus 1 keys 119870[119894119895] to get
119875119894119870[119894119895]997888997888997888rarr 997888997888rarr119880119894119895 On Figure 5(a) the gray bytes are active and the
white bytes do not need to be computed
Security and Communication Networks 9
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
26
27
28
29
30
Sj
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
S0 S0
C0 C0
K|6|L
activ
e
K|2|L
activ
e
Ci[0] Ci[1] Ci[2] Ci[3]
Figure 6 5-round biclique construction of dimension 8 in Piccolo-128
Search Candidates In the last session of the attack theadversary verifies the equality of 997888997888rarr119880119894119895 and larr997888997888119880119894119895 for all 119894 119895 isin0 18 to discover the correct key34 Another Biclique Cryptanalysis of Piccolo-128 Similar toSection 33 we construct an 8-dimensional biclique structureof 5 rounds (26sim30) for Piccolo-128 by each left half of 119870[6]and119870[2] that is 119870[6]119871 and119870[2]119871 (Figure 6)
In the phase of meeting in the middle over 26 rounds weselect a 16-bit internal state (119880 = 1198651314) after F-Function inround 13 as the intermediate matching variable
4 Complexities
41 Comments on the Result of [15] Jeong et al appliedbiclique cryptanalysis to the lightweight block ciphers LEDPiccolo and PRESENT in [15] They used the concept ofindependent-biclique which included constructing bicliquestructure by independent related-key differentials andmatch-ing with precomputations They found a limited and slowdiffusion of the subkey distribution and encryption processAs a result their attacks can discover the master key withcomputational complexities superior to an exhaustive searchHowever we find two faults of their biclique cryptanalysis ofPiccolo as follows
(1) Jeong et al found that 119870[4]119871 and 119870[2]119871 gave theconstruction of an 8-dimensional biclique which was shownin Figure 10 of [15] The Δ 119894-differential affected only 6 bytes(119862[0]119871 119862[1]119871 119862[1]119877 119862[2]119871 119862[3]119871 and 119862[3]119877) which isdrawn on Figure 7(a) (including the grid line byte) in this
paper As a result the data complexity does not go beyond248
In the attack shown in Figure 7 it is clear that the left halfof the round key rk46 can offset the left half of WK2 (thepostwhitening key) that is there is no difference in the gridline byte (119862[0]119871) Based on this the biclique cryptanalysis ofJeong et al goes wrong
So the Δ 119894-differential affects only 5 bytes (119862[1]119871 119862[1]119877119862[2]119871 119862[3]119871 and 119862[3]119877) of the ciphertext and the datacomplexity does not go beyond 240 The correct differencepath does not include the grid line byte (119862[0]119871)
(2) Jeong et al thought that only 2 bytes were activein the decryption of 17th round in backward direction forPiccolo-80 of recomputation shown in Figure 11 of [15] 13F-Functions (without the grid line) were computed 28 timesand 4 F-Functions were computed once They are drawn onFigure 7(b) in this paper Then the total complexity of thisstep is 28 times (28 times 13 + 4) F-Functions
It is clear that 6 bytes of intermediate are active in thedecryption of 17th round in backward direction for Piccolo-80 of recomputation and all bytes are active of 16th roundBased on these their computational complexity of this stepgoes wrong
So 15 F-Functions (including the grid line) are computed28 times and 2 F-Functions are computed onceThen the totalcomplexity of this step is 28 times (28 times 15 + 2) F-Functions Thecorrect difference path includes the grid line bytes
Similarly 3 bytes but not one byte are active in thedecryption of 22nd round in backward direction for Piccolo-128 of recomputation and they are shown in Figure 13 of [15]
10 Security and Communication Networks
F F
F F
F F
F F
F F
F F
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K|4|L
activ
e
K[4]LK[3]R K[3]LK[4]Rrk48 rk49
rk46 rk47
WK2 WK3
19
20
21
22
23
24
S0
C[0] C[1] C[2] C[3]
(a)
F F
F F
F F
F F
F F
F F10
11
12
131415
16
17
18
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K|4|L
activ
e
(b)
Figure 7 Revision of the other solutions
20 rather than 18 F-Functions are computed 28 times and 3instead of 5 F-Functions are computed once
42 Complexities of Biclique Cryptanalysis on Piccolo-80
421 Data Complexity By analyzing the key schedule wefind a weakness in the key schedule on Piccolo-80 that is theround key rk47 can offset the postwhitening key partially (seeFigure 2) Based on this the data complexity can be reducedgreatly
The amount of ciphertexts to be decrypted dominates thedata complexity (Figure 2) For each biclique structure let1198620 = 0(64) All the ciphertexts share the equal values in 3bytes (119862119894[0] 119862119894[4] and 119862119894[5] ie white bytes) so the datacomplexity does not go beyond 240422 Computational Complexity The amount of the F-Functions to be computed determines the attack complexityEach round of Piccolo-80 takes 2 F-Functions computationsSo the single encryption equals computed 25 times 2 = 50F-Functions For each of 264 groups of keys the followingcalculation should be completed
Biclique Complexity 5 F-Functions (Figure 2(b) noted withgray) need to be computed 28 times and 2 F-Functions
(Figure 2(c) noted with gray) need to be computed 28times The remaining 5 F-Functions are computed onlyonce Thus this stage requires 28 times 7 + 5 F-Functionscomputations in total Then the computational complexityof a biclique structure is about 2517 full round Piccolo-80encryptions
Matching Complexity In forward direction the differencesbetween 119870[1198940] and 119870[119894119895] dominate the computational com-plexity On Figure 3(a) for a single 119875119894 14 F-Functions (notedwith gray) are computed 28 times 3 F-Functions (noted withgrid line) are computed only once and 3 F-Functions (notedwith white) do not need to be computed So the complexityof this process is 28times(28times14+3) F-Functions which is about21416 full round Piccolo-80 encryptions
In backward direction on Figure 3(b) for a single 119878119895 15F-Functions (noted with gray) are computed 28 times 2 F-Functions (noted with grid line) are computed only onceand 1 F-Function (noted with white) need not be computedSo the complexity of this process is 28 times (28 times 15 + 2)F-Functions which is about 21426 full round Piccolo-80encryptions
Finally 216 key candidates are verified by a matchingvariable (16 bits) in each group and the average of 216minus16 = 1candidate key needs to be rechecked
Security and Communication Networks 11
Thus the total computational complexity of this attack onPiccolo-80 is
119862 = 264 times (2517 + 21416 + 21426 + 1) asymp 27922 (8)
43 Complexities of Biclique Cryptanalysis on Piccolo-128
431 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 5 bytes(119862119894[1] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie white bytes) so thedata complexity does not go beyond 224 (See Figure 4)
432 Computational Complexity Each round of Piccolo-128takes 2 F-Functions computations So the single encryptionequals computed 31 times 2 = 62 F-Functions For each of2112 groups of keys the following calculation should becompleted
Biclique Complexity 13 F-Functions (Figure 4(b) noted withgray) need to be computed 28 times and 1 F-Function(Figure 4(c) noted with gray) needs to be computed 28 timesThus this stage requires 28 times 14 F-Functions computationsin total Then the computational complexity of a bicliquestructure is about 2585 full round Piccolo-128 encryptions
Matching Complexity In forward direction for a single 119875119894 16F-Functions (noted with gray) are computed 28 times 7 F-Functions (noted with grid line) are computed only once and3 F-Functions (notedwithwhite) do not need to be computedon Figure 5(a) So the complexity of this process is 28 times (28 times16 + 7) F-Functions which is about 21405 full round Piccolo-128 encryptions
In backward direction for a single 119878119895 18 F-functions(noted with gray) are computed 28 times 3 F-functions(noted with grid line) are computed only once and 1 F-Function (noted with white) need not be computed onFigure 5(b) So the complexity of this process is 28 times (28 times18 + 3) F-Functions which is about 21422 full round Piccolo-128 encryptions
Finally 216 key candidates are verified by a matchingvariate (16 bits) in each group and the average of 216minus16 = 1candidate key needs to be rechecked
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2585 + 21408 + 21422 + 1) asymp 212714 (9)
44 Complexities of Another Biclique Cryptanalysis on Piccolo-128
441 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 7 bytes(119862119894[0] 119862119894[1] 119862119894[3] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie whitebytes) so the data complexity does not go beyond 28 (SeeFigure 6)
442 Computational Complexity
Biclique ComplexityThis stage requires 28times5+5 F-Functionscomputations in total Then the computational complexityof a biclique structure is about 2438 full round Piccolo-128encryptions
Matching Complexity In forward direction the complexityis 28 times (28 times 18 + 7) F-Functions which is about 21422 fullround Piccolo-128 encryptions In backward direction thecomplexity is 28 times (28 times 20 + 3) F-Functions which is about21437 full round Piccolo-128 encryptions
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2438 + 21422 + 21437 + 1) asymp 212730 (10)
5 Conclusion
Designers have given several attacks including linear crypt-analysis impossible differential cryptanalysis and MITMattack on security analysis for Piccolo The best result was 3-subset MITM attacks on 1421-round Piccolo-80128 withoutthe whitening key The previous results and our results aresummarized on Piccolo in Tables 1 and 2 Some results didnot includewhitening key some attackswere reduced-roundHowever our results are full round Piccolo-80128
By analyzing the distribution of the subkey and thestructure of encryption we find two faults of the results in [15]and a weakness in the key schedule on Piccolo-80 The twofaults are depicted in Section 41 The weakness on Piccolo-80 is that the right half of the round key rk47 can offset theright half of the postwhitening key WK3 (Figure 2(c)) Basedon this the data complexity can be decreased greatly
We use biclique cryptanalysis to recover the masterkey for the full round Piccolo-80 with a 6-round bicliqueand the full round Piccolo-128 with a 7-round bicliquerespectively The attacks require data complexity of 240 and224 chosen ciphertexts and computational complexity of 27922and 212714 respectively These results are superior to otherbiclique cryptanalytic results on Piccolo
This result is that the biclique technology can attack someciphers with simple key schedule and slow diffusion So thedesigners of lightweight ciphers need to consider not only theimplementation efficiency but also key schedule complexityand diffusion speed
Conflicts of Interest
None of the authors declare any conflicts of interest
Acknowledgments
This work is partially supported by National Natural Sci-ence Foundation of China (nos 61272434 61672330 and61602287) and Nature Science Foundation of ShandongProvince (no ZR2013FQ021)
12 Security and Communication Networks
References
[1] A Bogdanov D Khovratovich and C Rechberger ldquoBicliquecryptanalysis of the full AESrdquo in Advances in CryptologymdashASIACRYPT 2011 vol 7073 of Lecture Notes in Comput Sci pp344ndash371 Springer Heidelberg Germany 2011
[2] Y Wang WWu and X Yu ldquoBiclique cryptanalysis of reduced-round piccolo block cipherrdquo in Proceedings of the 8th Interna-tional Conference on Information Security Practice and Experi-ence (ISPEC rsquo12) M R Dermot S Ben and G Wang Eds vol7232 ofLectureNotes inComputer Science pp 337ndash352 SpringerHeidelberg Germany 2012
[3] D Khovratovich G Leurent and C Rechberger ldquoNarrow-bicliques cryptanalysis of full IDEArdquo in Proceedings of the 31stAnnual International Conference on theTheory and Applicationsof Cryptographic Techniques (EUROCRYPT rsquo12) Lecture Notesin Computer Science pp 392ndash410 Springer Heidelberg Ger-many 2012
[4] D Hong B Koo and D Kwon ldquoBiclique attack on the fullHIGHTrdquo in Information Security and CryptologymdashICISC 2011vol 7259 of Lecture Notes in Computer Science pp 365ndash374Springer Berlin Germany 2012
[5] J Song K Lee and H Lee ldquoBiclique cryptanalysis onlightweight block cipher HIGHT and Piccolordquo InternationalJournal of ComputerMathematics vol 90 no 12 pp 2564ndash25802013
[6] F Abed C Forler E List S Lucks and J Wenzel ldquoBicliquecryptanalysis of the PRESENT and LED lightweight ciphersrdquoTech Rep 2012591 Cryptology ePrint Archive 2012
[7] M Sereshgi andM Shakiba ldquoBiclique cryptanalysis ofMIBS-80and PRESENT-80 block ciphersrdquo Security and CommunicationNetworks vol 9 no 1 pp 27ndash33 2016
[8] O Ozen K Varıcı C Tezcan and C Kocair ldquoLightweight blockciphers revisited cryptanalysis of reduced round PRESENTand HIGHTrdquo in Information Security and Privacy vol 5594 ofLecture Notes in Computer Science pp 90ndash107 Springer BerlinGermany 2009
[9] Y F Wang and W L Wu ldquoMeet-in-the-middle attack onTWINE block cipherrdquo Journal of Software vol 26 no 10 pp2684ndash2695 2015 (Chinese)
[10] M Coban F Karakoc and O Biztas ldquoBiclique cryptanalysis ofTWINErdquo Tech Rep 2012422 Cryptology ePrint Archive 2012
[11] ZAhmadianM Salmasizadeh andMRAref ldquoBiclique crypt-analysis of the full-round KLEIN block cipherrdquo IET InformationSecurity vol 9 no 5 pp 294ndash301 2015
[12] W Diffie and M E Hellman ldquoExhaustive Cryptanalysis of theNBS Data Encryption Standardrdquo Computer vol 10 no 6 pp74ndash84 1977
[13] Y Sasaki ldquoMeet-in-the-middle preimage attacks on AES hash-ingmodes and an application towhirlpoolrdquo inProceedings of theInternational Workshop on Fast Software Encryption (FSE rsquo11)A Joux Ed vol 6733 of Lecture Notes in Computer Science pp378ndash396 Springer Heidelberg Germany 2011
[14] K Shibutani T Isobe H Hiwatari A Mitsuda T Akishitaand T Shirai ldquoPiccolo an ultra-lightweight blockcipherrdquo inProceedings of the 13th InternationalWorkshop on CryptographicHardware and Embedded Systems (CHES rsquo11) B Preneel and TTakagi Eds vol 6917 of Lecture Notes in Computer Science pp342ndash357 Springer Heidelberg Germany 2011
[15] K Jeong H Kang C Lee J Sung and S Hong ldquoBicliquecryptanalysis of lightweight block ciphers PRESENT piccoloand LEDrdquo Tech Rep 2012621 Cryptology ePrint Archive 2012
[16] W Zhang J Zhang and X Zheng ldquoSome observations onthe lightweight block cipher piccolo-80rdquo in Proceedings of the6th International Conference on Trusted Systems (INTRUST rsquo14)vol 9473 of Lecture Notes in Computer Science pp 364ndash373Springer Cham Switzerland 2015
[17] T Isobe and K Shibutani ldquoSecurity analysis of the lightweightblock ciphers XTEA LED and piccolordquo in Information Securityand Privacy vol 7372 pp 71ndash86 Springer Berlin Germany2012
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
Security and Communication Networks 5
S0
C0
F
F
F
F
F
F
F
F
F
F
F
F
19
20
21
22
23
24K[4]LK[3]R
K[0]LK[0]R
K[2]LK[2]R
K[0]LK[0]R
K[2]LK[2]R
K[4]LK[4]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[1]LK[1]R
K[3]LK[3]R
K[4]LK[4]R
K[1]LK[1]R
K[3]LK[4]R
(a)
Sj
C0
F
F
F
F
F
F
F
F
F
F
F
F
K[4]LK[3]R
K[0]LK[0]R
K[2]LK[2]R
K[0]LK[0]R
K[2]LK[2]R
K[4]LK[4]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[1]LK[1]R
K[3]LK[3]R
K[4]LK[4]R
K[1]LK[1]R
K[3]LK[4]R
K|2|R
activ
e
(b)
S0
Ci
F
F
F
F
F
F
F
F
F
F
F
F
K[4]LK[3]R
K[0]LK[0]R
K[2]LK[2]R
K[0]LK[0]R
K[2]LK[2]R
K[4]LK[4]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[1]LK[1]R
K[3]LK[3]R
K[4]LK[4]R
K[1]LK[1]R
K[3]LK[4]R
rk47
rk49
WK2 WK3
K|4|R
activ
e
(c)
Figure 2 6-round biclique construction of dimension 8 in Piccolo-80
119878119895 is decrypted using all the possible 2119889 minus 1 keys 119870[119894119895] toget larr997888997888119881119894119895
119870[119894119895]larr997888997888997888 119878119895 Because of the same beginning the key dif-ferences between119870[0119895] and119870[119894119895] can cause the computationalcomplexity On Figure 3(b) the gray bytes are active and thewhite bytes need not be computed
Forward Direction The procedure of forward direction is abit more complex than the backward direction in calculationFirstly we decrypt the ciphertexts 119862119894 for 119894 isin 0 18 toobtain 28 plaintexts 119875119894 Secondly each 119875119894 is encrypted under
the key 119870[1198940] to derive 119875119894 119870[1198940]997888997888997888rarr 997888997888rarr1198811198940 After that 119875119894 isencrypted using all the possible 2119889 minus 1 keys 119870[119894119895] to obtain
119875119894119870[119894119895]997888997888997888rarr 997888997888rarr119881119894119895 The differences between 119870[1198940] and 119870[119894119895] can
influence the computational complexity On Figure 3(a)the gray bytes are active and the white bytes need not becomputed
Search Candidates In the last session of the attack theadversary verifies the rest candidate key by the equality of 997888997888rarr119881119894119895andlarr997888997888119881119894119895 for all 119894 119895 isin 0 18 in each group exhaustively untilthe right key is discovered
33 Biclique Cryptanalysis of Piccolo-128
331 Phase 1 Key Partitioning We divide the 128-bit keyinto 2112 groups 119870[00] enumerates 112-bit keys and fixes 16-bit keys with 016 By investigating the subkey distribution(Table 3) an 8-dimensional biclique structure of 7 rounds isconstructed by each left half of 119870[6] and 119870[7] that is 119870[6]119871and119870[7]119871 The computational complexity of this structure isless than othersrsquo
Similar to Piccolo-80 the keys 119870[00] 119870[0119895] 119870[1198940] and119870[119894119895] of each group are depicted as shown below
119870[00] = [119883119883119883119883119883119883119883119883119883119883119883119883119860119883119860119883] where 119883 isin 0 18 119860 = 011990900
119870[0119895] = 119870[00] oplus [00 00 00 00 00 00 00 1198950] where 119895 isin 0 18
119870[1198940] = 119870[00] oplus [00 00 00 00 00 00 1198940 00] where 119894 isin 0 18
(6)
6 Security and Communication Networks
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
1
0
2
3
4
5
6
7
8
9
K[0]LK[1]R
K[2]LK[2]R
K[0]LK[0]R
K[2]LK[2]R
K[4]LK[4]R
K[0]LK[0]R
K[1]LK[0]R
K[3]LK[3]R
K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R
K[4]LK[4]RK[4]LK[4]R
K[1]LK[1]R
K|2|R
activ
e
Pi
Pi
K[i j]Vij
Is computed onceIs computed 28 times
(a)
Sj
Sj
F F
F F
F F
F F
F F
F F
F F
F F
F F10
11
12
13
14
15
16
17
18
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K[4]LK[4]R K[4]LK[4]R
K|4|R
activ
e
K[i j]Vij
Is computed onceIs computed 28 times
(b)
Figure 3 Recomputations in MITM for Piccolo-80
Security and Communication Networks 7
F F
F F
F F
F F
F F
F F
F F
25
24
26
27
28
29
30
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[2]LK[2]R K[5]LK[5]R
K[4]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R
K[6]LK[6]R
K[5]LK[5]R
K[7]LK[7]R
S0
C0
(a)
F F
F F
F F
F F
F F
F F
F F
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[2]LK[2]R K[5]LK[5]R
K[4]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R
K[6]LK[6]R
K[5]LK[5]R
K[7]LK[7]R
Sj
C0
K|7|L
activ
e
(b)
F F
F F
F F
F F
F F
F F
F F
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[2]LK[2]R K[5]LK[5]R
K[4]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R
K[6]LK[6]R
K[5]LK[5]R
K[7]LK[7]R
S0
Ci
K|6|L
activ
e
(c)
Figure 4 7-round biclique construction of dimension 8 in Piccolo-128
Finally
119870[119894119895] = 119870[00] oplus 119870[0119895] oplus 119870[1198940]= 119870[00] oplus [00 00 00 00 00 00 1198940 1198950]
(7)
Thus the key space of K is divided into 2112 groups of 216keys each
332 Phase 2 8-Dimensional Biclique Structure of 7 RoundsWe construct an 8-dimensional biclique structure of 7 roundsfor Piccolo-128 for each group (Figure 4) Here 119892 is subci-phers for round 24sim30 and 119892minus1 is the inverse of 119892The processof calculating the ciphertexts and intermediate states consistsof the following 3 steps
Step 1 Let 1198620 = 0(64) and decrypt 1198620 for 7 rounds to obtain1198780 (Figure 4(a)) that is 1198780 = 119892minus1119870[00](1198620)Step 2 Encrypt 1198780 using different keys 119870[1198940] for 119894 isin 0 18(Figure 4(c)) The differences between 119870[1198940] and 119870[00] can
influence the gray intermediate statesrsquo differences This step
derives 119892(1198780) 119870[1198940]997888997888997888rarr 119862119894Step 3 Decrypt 1198620 using different keys 119870[0119895] for 119895 isin 0 18(Figure 4(b)) The differences between 119870[0119895] and 119870[00] canbring about the gray intermediate statesrsquo differences As a
result 119892minus1(1198620)119870[0119895]997888997888997888997888rarr (119878119895) has been constructed
Thanks to the simplicity of the distribution of the subkey
of Piccolo-128 it is also very easy to verify that 119892(119878119895)119870[119894119895]997888997888997888rarr
119862119894 is always true for all 119894 119895 isin 0 18 Up to now for eachkey group we get a corresponding 8-dimensional bicliquestructure
333 Phase 3 Meeting in the Middle over 24 Rounds Select a16-bit internal state (119880 = 1198651214) after F-Function in round 12as the intermediatematching variable (see Figure 5) Next wecalculate these matching variates in both directions in orderto obtain the right key
8 Security and Communication Networks
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
1
0
2
3
4
5
678
9
10
11
12
K[0]LK[0]R
K[1]LK[1]R
K[1]LK[1]R
K[2]LK[2]R
K[2]LK[2]R
K[2]LK[2]R
K[3]LK[3]R
K[1]LK[0]RK[0]LK[1]R
K[3]LK[3]R
K[0]LK[0]R K[3]LK[3]R
K[0]LK[0]R K[3]LK[3]R
K[4]LK[4]R
K[4]LK[4]R
Pi
Pi
K[i j]
K[5]LK[5]R
K[6]LK[6]R K[7]LK[7]R
K[6]LK[6]R K[7]LK[7]R
K[7]LK[7]R
K|7|L
activ
e
Uij
Is computed onceIs computed 28 times
(a)
Sj
Sj
F F
F F
F F
F F
F F
F F
F F
F F13
14
15
16
171819
20
21
22
23
K[1]LK[1]R
K[1]LK[1]R
K[2]LK[2]R
K[2]LK[2]R
K[0]LK[0]R
K[0]LK[0]R
K[3]LK[3]RK[4]LK[4]R
K[i j]
K[5]LK[5]R
K[5]LK[5]RK[6]LK[6]R
K[6]LK[6]R
K[6]LK[6]R
K[7]LK[7]R
K[7]LK[7]R
K[7]LK[7]R
K|6|L
activ
e
Is computed onceIs computed 28 times
Uij
(b)
Figure 5 Recomputations in MITM for Piccolo-128
Backward Direction Each value of the state 119878119895 is decrypt-
ed under the key 119870[0119895] to obtain larr9978889978881198800119895119870[0119895]larr997888997888997888997888 119878119895 After
that 119878119895 is decrypted using all the possible 2119889 minus 1 keys
119870[119894119895] to get larr997888997888119880119894119895119870[119894119895]larr997888997888997888 119878119895 On Figure 5(b) the gray
bytes are active and the white bytes do not need to becomputed
Forward Direction Firstly we decrypt the ciphertexts 119862119894 for119894 isin 0 18 to obtain 28 plaintexts 119875119894 Secondly each 119875119894 isencrypted under the key 119870[1198940] to obtain 119875119894 119870[1198940]997888997888997888rarr 997888997888rarr1198801198940 Then119875119894 is encrypted using all the possible 2119889 minus 1 keys 119870[119894119895] to get
119875119894119870[119894119895]997888997888997888rarr 997888997888rarr119880119894119895 On Figure 5(a) the gray bytes are active and the
white bytes do not need to be computed
Security and Communication Networks 9
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
26
27
28
29
30
Sj
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
S0 S0
C0 C0
K|6|L
activ
e
K|2|L
activ
e
Ci[0] Ci[1] Ci[2] Ci[3]
Figure 6 5-round biclique construction of dimension 8 in Piccolo-128
Search Candidates In the last session of the attack theadversary verifies the equality of 997888997888rarr119880119894119895 and larr997888997888119880119894119895 for all 119894 119895 isin0 18 to discover the correct key34 Another Biclique Cryptanalysis of Piccolo-128 Similar toSection 33 we construct an 8-dimensional biclique structureof 5 rounds (26sim30) for Piccolo-128 by each left half of 119870[6]and119870[2] that is 119870[6]119871 and119870[2]119871 (Figure 6)
In the phase of meeting in the middle over 26 rounds weselect a 16-bit internal state (119880 = 1198651314) after F-Function inround 13 as the intermediate matching variable
4 Complexities
41 Comments on the Result of [15] Jeong et al appliedbiclique cryptanalysis to the lightweight block ciphers LEDPiccolo and PRESENT in [15] They used the concept ofindependent-biclique which included constructing bicliquestructure by independent related-key differentials andmatch-ing with precomputations They found a limited and slowdiffusion of the subkey distribution and encryption processAs a result their attacks can discover the master key withcomputational complexities superior to an exhaustive searchHowever we find two faults of their biclique cryptanalysis ofPiccolo as follows
(1) Jeong et al found that 119870[4]119871 and 119870[2]119871 gave theconstruction of an 8-dimensional biclique which was shownin Figure 10 of [15] The Δ 119894-differential affected only 6 bytes(119862[0]119871 119862[1]119871 119862[1]119877 119862[2]119871 119862[3]119871 and 119862[3]119877) which isdrawn on Figure 7(a) (including the grid line byte) in this
paper As a result the data complexity does not go beyond248
In the attack shown in Figure 7 it is clear that the left halfof the round key rk46 can offset the left half of WK2 (thepostwhitening key) that is there is no difference in the gridline byte (119862[0]119871) Based on this the biclique cryptanalysis ofJeong et al goes wrong
So the Δ 119894-differential affects only 5 bytes (119862[1]119871 119862[1]119877119862[2]119871 119862[3]119871 and 119862[3]119877) of the ciphertext and the datacomplexity does not go beyond 240 The correct differencepath does not include the grid line byte (119862[0]119871)
(2) Jeong et al thought that only 2 bytes were activein the decryption of 17th round in backward direction forPiccolo-80 of recomputation shown in Figure 11 of [15] 13F-Functions (without the grid line) were computed 28 timesand 4 F-Functions were computed once They are drawn onFigure 7(b) in this paper Then the total complexity of thisstep is 28 times (28 times 13 + 4) F-Functions
It is clear that 6 bytes of intermediate are active in thedecryption of 17th round in backward direction for Piccolo-80 of recomputation and all bytes are active of 16th roundBased on these their computational complexity of this stepgoes wrong
So 15 F-Functions (including the grid line) are computed28 times and 2 F-Functions are computed onceThen the totalcomplexity of this step is 28 times (28 times 15 + 2) F-Functions Thecorrect difference path includes the grid line bytes
Similarly 3 bytes but not one byte are active in thedecryption of 22nd round in backward direction for Piccolo-128 of recomputation and they are shown in Figure 13 of [15]
10 Security and Communication Networks
F F
F F
F F
F F
F F
F F
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K|4|L
activ
e
K[4]LK[3]R K[3]LK[4]Rrk48 rk49
rk46 rk47
WK2 WK3
19
20
21
22
23
24
S0
C[0] C[1] C[2] C[3]
(a)
F F
F F
F F
F F
F F
F F10
11
12
131415
16
17
18
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K|4|L
activ
e
(b)
Figure 7 Revision of the other solutions
20 rather than 18 F-Functions are computed 28 times and 3instead of 5 F-Functions are computed once
42 Complexities of Biclique Cryptanalysis on Piccolo-80
421 Data Complexity By analyzing the key schedule wefind a weakness in the key schedule on Piccolo-80 that is theround key rk47 can offset the postwhitening key partially (seeFigure 2) Based on this the data complexity can be reducedgreatly
The amount of ciphertexts to be decrypted dominates thedata complexity (Figure 2) For each biclique structure let1198620 = 0(64) All the ciphertexts share the equal values in 3bytes (119862119894[0] 119862119894[4] and 119862119894[5] ie white bytes) so the datacomplexity does not go beyond 240422 Computational Complexity The amount of the F-Functions to be computed determines the attack complexityEach round of Piccolo-80 takes 2 F-Functions computationsSo the single encryption equals computed 25 times 2 = 50F-Functions For each of 264 groups of keys the followingcalculation should be completed
Biclique Complexity 5 F-Functions (Figure 2(b) noted withgray) need to be computed 28 times and 2 F-Functions
(Figure 2(c) noted with gray) need to be computed 28times The remaining 5 F-Functions are computed onlyonce Thus this stage requires 28 times 7 + 5 F-Functionscomputations in total Then the computational complexityof a biclique structure is about 2517 full round Piccolo-80encryptions
Matching Complexity In forward direction the differencesbetween 119870[1198940] and 119870[119894119895] dominate the computational com-plexity On Figure 3(a) for a single 119875119894 14 F-Functions (notedwith gray) are computed 28 times 3 F-Functions (noted withgrid line) are computed only once and 3 F-Functions (notedwith white) do not need to be computed So the complexityof this process is 28times(28times14+3) F-Functions which is about21416 full round Piccolo-80 encryptions
In backward direction on Figure 3(b) for a single 119878119895 15F-Functions (noted with gray) are computed 28 times 2 F-Functions (noted with grid line) are computed only onceand 1 F-Function (noted with white) need not be computedSo the complexity of this process is 28 times (28 times 15 + 2)F-Functions which is about 21426 full round Piccolo-80encryptions
Finally 216 key candidates are verified by a matchingvariable (16 bits) in each group and the average of 216minus16 = 1candidate key needs to be rechecked
Security and Communication Networks 11
Thus the total computational complexity of this attack onPiccolo-80 is
119862 = 264 times (2517 + 21416 + 21426 + 1) asymp 27922 (8)
43 Complexities of Biclique Cryptanalysis on Piccolo-128
431 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 5 bytes(119862119894[1] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie white bytes) so thedata complexity does not go beyond 224 (See Figure 4)
432 Computational Complexity Each round of Piccolo-128takes 2 F-Functions computations So the single encryptionequals computed 31 times 2 = 62 F-Functions For each of2112 groups of keys the following calculation should becompleted
Biclique Complexity 13 F-Functions (Figure 4(b) noted withgray) need to be computed 28 times and 1 F-Function(Figure 4(c) noted with gray) needs to be computed 28 timesThus this stage requires 28 times 14 F-Functions computationsin total Then the computational complexity of a bicliquestructure is about 2585 full round Piccolo-128 encryptions
Matching Complexity In forward direction for a single 119875119894 16F-Functions (noted with gray) are computed 28 times 7 F-Functions (noted with grid line) are computed only once and3 F-Functions (notedwithwhite) do not need to be computedon Figure 5(a) So the complexity of this process is 28 times (28 times16 + 7) F-Functions which is about 21405 full round Piccolo-128 encryptions
In backward direction for a single 119878119895 18 F-functions(noted with gray) are computed 28 times 3 F-functions(noted with grid line) are computed only once and 1 F-Function (noted with white) need not be computed onFigure 5(b) So the complexity of this process is 28 times (28 times18 + 3) F-Functions which is about 21422 full round Piccolo-128 encryptions
Finally 216 key candidates are verified by a matchingvariate (16 bits) in each group and the average of 216minus16 = 1candidate key needs to be rechecked
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2585 + 21408 + 21422 + 1) asymp 212714 (9)
44 Complexities of Another Biclique Cryptanalysis on Piccolo-128
441 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 7 bytes(119862119894[0] 119862119894[1] 119862119894[3] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie whitebytes) so the data complexity does not go beyond 28 (SeeFigure 6)
442 Computational Complexity
Biclique ComplexityThis stage requires 28times5+5 F-Functionscomputations in total Then the computational complexityof a biclique structure is about 2438 full round Piccolo-128encryptions
Matching Complexity In forward direction the complexityis 28 times (28 times 18 + 7) F-Functions which is about 21422 fullround Piccolo-128 encryptions In backward direction thecomplexity is 28 times (28 times 20 + 3) F-Functions which is about21437 full round Piccolo-128 encryptions
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2438 + 21422 + 21437 + 1) asymp 212730 (10)
5 Conclusion
Designers have given several attacks including linear crypt-analysis impossible differential cryptanalysis and MITMattack on security analysis for Piccolo The best result was 3-subset MITM attacks on 1421-round Piccolo-80128 withoutthe whitening key The previous results and our results aresummarized on Piccolo in Tables 1 and 2 Some results didnot includewhitening key some attackswere reduced-roundHowever our results are full round Piccolo-80128
By analyzing the distribution of the subkey and thestructure of encryption we find two faults of the results in [15]and a weakness in the key schedule on Piccolo-80 The twofaults are depicted in Section 41 The weakness on Piccolo-80 is that the right half of the round key rk47 can offset theright half of the postwhitening key WK3 (Figure 2(c)) Basedon this the data complexity can be decreased greatly
We use biclique cryptanalysis to recover the masterkey for the full round Piccolo-80 with a 6-round bicliqueand the full round Piccolo-128 with a 7-round bicliquerespectively The attacks require data complexity of 240 and224 chosen ciphertexts and computational complexity of 27922and 212714 respectively These results are superior to otherbiclique cryptanalytic results on Piccolo
This result is that the biclique technology can attack someciphers with simple key schedule and slow diffusion So thedesigners of lightweight ciphers need to consider not only theimplementation efficiency but also key schedule complexityand diffusion speed
Conflicts of Interest
None of the authors declare any conflicts of interest
Acknowledgments
This work is partially supported by National Natural Sci-ence Foundation of China (nos 61272434 61672330 and61602287) and Nature Science Foundation of ShandongProvince (no ZR2013FQ021)
12 Security and Communication Networks
References
[1] A Bogdanov D Khovratovich and C Rechberger ldquoBicliquecryptanalysis of the full AESrdquo in Advances in CryptologymdashASIACRYPT 2011 vol 7073 of Lecture Notes in Comput Sci pp344ndash371 Springer Heidelberg Germany 2011
[2] Y Wang WWu and X Yu ldquoBiclique cryptanalysis of reduced-round piccolo block cipherrdquo in Proceedings of the 8th Interna-tional Conference on Information Security Practice and Experi-ence (ISPEC rsquo12) M R Dermot S Ben and G Wang Eds vol7232 ofLectureNotes inComputer Science pp 337ndash352 SpringerHeidelberg Germany 2012
[3] D Khovratovich G Leurent and C Rechberger ldquoNarrow-bicliques cryptanalysis of full IDEArdquo in Proceedings of the 31stAnnual International Conference on theTheory and Applicationsof Cryptographic Techniques (EUROCRYPT rsquo12) Lecture Notesin Computer Science pp 392ndash410 Springer Heidelberg Ger-many 2012
[4] D Hong B Koo and D Kwon ldquoBiclique attack on the fullHIGHTrdquo in Information Security and CryptologymdashICISC 2011vol 7259 of Lecture Notes in Computer Science pp 365ndash374Springer Berlin Germany 2012
[5] J Song K Lee and H Lee ldquoBiclique cryptanalysis onlightweight block cipher HIGHT and Piccolordquo InternationalJournal of ComputerMathematics vol 90 no 12 pp 2564ndash25802013
[6] F Abed C Forler E List S Lucks and J Wenzel ldquoBicliquecryptanalysis of the PRESENT and LED lightweight ciphersrdquoTech Rep 2012591 Cryptology ePrint Archive 2012
[7] M Sereshgi andM Shakiba ldquoBiclique cryptanalysis ofMIBS-80and PRESENT-80 block ciphersrdquo Security and CommunicationNetworks vol 9 no 1 pp 27ndash33 2016
[8] O Ozen K Varıcı C Tezcan and C Kocair ldquoLightweight blockciphers revisited cryptanalysis of reduced round PRESENTand HIGHTrdquo in Information Security and Privacy vol 5594 ofLecture Notes in Computer Science pp 90ndash107 Springer BerlinGermany 2009
[9] Y F Wang and W L Wu ldquoMeet-in-the-middle attack onTWINE block cipherrdquo Journal of Software vol 26 no 10 pp2684ndash2695 2015 (Chinese)
[10] M Coban F Karakoc and O Biztas ldquoBiclique cryptanalysis ofTWINErdquo Tech Rep 2012422 Cryptology ePrint Archive 2012
[11] ZAhmadianM Salmasizadeh andMRAref ldquoBiclique crypt-analysis of the full-round KLEIN block cipherrdquo IET InformationSecurity vol 9 no 5 pp 294ndash301 2015
[12] W Diffie and M E Hellman ldquoExhaustive Cryptanalysis of theNBS Data Encryption Standardrdquo Computer vol 10 no 6 pp74ndash84 1977
[13] Y Sasaki ldquoMeet-in-the-middle preimage attacks on AES hash-ingmodes and an application towhirlpoolrdquo inProceedings of theInternational Workshop on Fast Software Encryption (FSE rsquo11)A Joux Ed vol 6733 of Lecture Notes in Computer Science pp378ndash396 Springer Heidelberg Germany 2011
[14] K Shibutani T Isobe H Hiwatari A Mitsuda T Akishitaand T Shirai ldquoPiccolo an ultra-lightweight blockcipherrdquo inProceedings of the 13th InternationalWorkshop on CryptographicHardware and Embedded Systems (CHES rsquo11) B Preneel and TTakagi Eds vol 6917 of Lecture Notes in Computer Science pp342ndash357 Springer Heidelberg Germany 2011
[15] K Jeong H Kang C Lee J Sung and S Hong ldquoBicliquecryptanalysis of lightweight block ciphers PRESENT piccoloand LEDrdquo Tech Rep 2012621 Cryptology ePrint Archive 2012
[16] W Zhang J Zhang and X Zheng ldquoSome observations onthe lightweight block cipher piccolo-80rdquo in Proceedings of the6th International Conference on Trusted Systems (INTRUST rsquo14)vol 9473 of Lecture Notes in Computer Science pp 364ndash373Springer Cham Switzerland 2015
[17] T Isobe and K Shibutani ldquoSecurity analysis of the lightweightblock ciphers XTEA LED and piccolordquo in Information Securityand Privacy vol 7372 pp 71ndash86 Springer Berlin Germany2012
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
6 Security and Communication Networks
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
1
0
2
3
4
5
6
7
8
9
K[0]LK[1]R
K[2]LK[2]R
K[0]LK[0]R
K[2]LK[2]R
K[4]LK[4]R
K[0]LK[0]R
K[1]LK[0]R
K[3]LK[3]R
K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R
K[4]LK[4]RK[4]LK[4]R
K[1]LK[1]R
K|2|R
activ
e
Pi
Pi
K[i j]Vij
Is computed onceIs computed 28 times
(a)
Sj
Sj
F F
F F
F F
F F
F F
F F
F F
F F
F F10
11
12
13
14
15
16
17
18
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K[4]LK[4]R K[4]LK[4]R
K|4|R
activ
e
K[i j]Vij
Is computed onceIs computed 28 times
(b)
Figure 3 Recomputations in MITM for Piccolo-80
Security and Communication Networks 7
F F
F F
F F
F F
F F
F F
F F
25
24
26
27
28
29
30
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[2]LK[2]R K[5]LK[5]R
K[4]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R
K[6]LK[6]R
K[5]LK[5]R
K[7]LK[7]R
S0
C0
(a)
F F
F F
F F
F F
F F
F F
F F
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[2]LK[2]R K[5]LK[5]R
K[4]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R
K[6]LK[6]R
K[5]LK[5]R
K[7]LK[7]R
Sj
C0
K|7|L
activ
e
(b)
F F
F F
F F
F F
F F
F F
F F
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[2]LK[2]R K[5]LK[5]R
K[4]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R
K[6]LK[6]R
K[5]LK[5]R
K[7]LK[7]R
S0
Ci
K|6|L
activ
e
(c)
Figure 4 7-round biclique construction of dimension 8 in Piccolo-128
Finally
119870[119894119895] = 119870[00] oplus 119870[0119895] oplus 119870[1198940]= 119870[00] oplus [00 00 00 00 00 00 1198940 1198950]
(7)
Thus the key space of K is divided into 2112 groups of 216keys each
332 Phase 2 8-Dimensional Biclique Structure of 7 RoundsWe construct an 8-dimensional biclique structure of 7 roundsfor Piccolo-128 for each group (Figure 4) Here 119892 is subci-phers for round 24sim30 and 119892minus1 is the inverse of 119892The processof calculating the ciphertexts and intermediate states consistsof the following 3 steps
Step 1 Let 1198620 = 0(64) and decrypt 1198620 for 7 rounds to obtain1198780 (Figure 4(a)) that is 1198780 = 119892minus1119870[00](1198620)Step 2 Encrypt 1198780 using different keys 119870[1198940] for 119894 isin 0 18(Figure 4(c)) The differences between 119870[1198940] and 119870[00] can
influence the gray intermediate statesrsquo differences This step
derives 119892(1198780) 119870[1198940]997888997888997888rarr 119862119894Step 3 Decrypt 1198620 using different keys 119870[0119895] for 119895 isin 0 18(Figure 4(b)) The differences between 119870[0119895] and 119870[00] canbring about the gray intermediate statesrsquo differences As a
result 119892minus1(1198620)119870[0119895]997888997888997888997888rarr (119878119895) has been constructed
Thanks to the simplicity of the distribution of the subkey
of Piccolo-128 it is also very easy to verify that 119892(119878119895)119870[119894119895]997888997888997888rarr
119862119894 is always true for all 119894 119895 isin 0 18 Up to now for eachkey group we get a corresponding 8-dimensional bicliquestructure
333 Phase 3 Meeting in the Middle over 24 Rounds Select a16-bit internal state (119880 = 1198651214) after F-Function in round 12as the intermediatematching variable (see Figure 5) Next wecalculate these matching variates in both directions in orderto obtain the right key
8 Security and Communication Networks
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
1
0
2
3
4
5
678
9
10
11
12
K[0]LK[0]R
K[1]LK[1]R
K[1]LK[1]R
K[2]LK[2]R
K[2]LK[2]R
K[2]LK[2]R
K[3]LK[3]R
K[1]LK[0]RK[0]LK[1]R
K[3]LK[3]R
K[0]LK[0]R K[3]LK[3]R
K[0]LK[0]R K[3]LK[3]R
K[4]LK[4]R
K[4]LK[4]R
Pi
Pi
K[i j]
K[5]LK[5]R
K[6]LK[6]R K[7]LK[7]R
K[6]LK[6]R K[7]LK[7]R
K[7]LK[7]R
K|7|L
activ
e
Uij
Is computed onceIs computed 28 times
(a)
Sj
Sj
F F
F F
F F
F F
F F
F F
F F
F F13
14
15
16
171819
20
21
22
23
K[1]LK[1]R
K[1]LK[1]R
K[2]LK[2]R
K[2]LK[2]R
K[0]LK[0]R
K[0]LK[0]R
K[3]LK[3]RK[4]LK[4]R
K[i j]
K[5]LK[5]R
K[5]LK[5]RK[6]LK[6]R
K[6]LK[6]R
K[6]LK[6]R
K[7]LK[7]R
K[7]LK[7]R
K[7]LK[7]R
K|6|L
activ
e
Is computed onceIs computed 28 times
Uij
(b)
Figure 5 Recomputations in MITM for Piccolo-128
Backward Direction Each value of the state 119878119895 is decrypt-
ed under the key 119870[0119895] to obtain larr9978889978881198800119895119870[0119895]larr997888997888997888997888 119878119895 After
that 119878119895 is decrypted using all the possible 2119889 minus 1 keys
119870[119894119895] to get larr997888997888119880119894119895119870[119894119895]larr997888997888997888 119878119895 On Figure 5(b) the gray
bytes are active and the white bytes do not need to becomputed
Forward Direction Firstly we decrypt the ciphertexts 119862119894 for119894 isin 0 18 to obtain 28 plaintexts 119875119894 Secondly each 119875119894 isencrypted under the key 119870[1198940] to obtain 119875119894 119870[1198940]997888997888997888rarr 997888997888rarr1198801198940 Then119875119894 is encrypted using all the possible 2119889 minus 1 keys 119870[119894119895] to get
119875119894119870[119894119895]997888997888997888rarr 997888997888rarr119880119894119895 On Figure 5(a) the gray bytes are active and the
white bytes do not need to be computed
Security and Communication Networks 9
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
26
27
28
29
30
Sj
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
S0 S0
C0 C0
K|6|L
activ
e
K|2|L
activ
e
Ci[0] Ci[1] Ci[2] Ci[3]
Figure 6 5-round biclique construction of dimension 8 in Piccolo-128
Search Candidates In the last session of the attack theadversary verifies the equality of 997888997888rarr119880119894119895 and larr997888997888119880119894119895 for all 119894 119895 isin0 18 to discover the correct key34 Another Biclique Cryptanalysis of Piccolo-128 Similar toSection 33 we construct an 8-dimensional biclique structureof 5 rounds (26sim30) for Piccolo-128 by each left half of 119870[6]and119870[2] that is 119870[6]119871 and119870[2]119871 (Figure 6)
In the phase of meeting in the middle over 26 rounds weselect a 16-bit internal state (119880 = 1198651314) after F-Function inround 13 as the intermediate matching variable
4 Complexities
41 Comments on the Result of [15] Jeong et al appliedbiclique cryptanalysis to the lightweight block ciphers LEDPiccolo and PRESENT in [15] They used the concept ofindependent-biclique which included constructing bicliquestructure by independent related-key differentials andmatch-ing with precomputations They found a limited and slowdiffusion of the subkey distribution and encryption processAs a result their attacks can discover the master key withcomputational complexities superior to an exhaustive searchHowever we find two faults of their biclique cryptanalysis ofPiccolo as follows
(1) Jeong et al found that 119870[4]119871 and 119870[2]119871 gave theconstruction of an 8-dimensional biclique which was shownin Figure 10 of [15] The Δ 119894-differential affected only 6 bytes(119862[0]119871 119862[1]119871 119862[1]119877 119862[2]119871 119862[3]119871 and 119862[3]119877) which isdrawn on Figure 7(a) (including the grid line byte) in this
paper As a result the data complexity does not go beyond248
In the attack shown in Figure 7 it is clear that the left halfof the round key rk46 can offset the left half of WK2 (thepostwhitening key) that is there is no difference in the gridline byte (119862[0]119871) Based on this the biclique cryptanalysis ofJeong et al goes wrong
So the Δ 119894-differential affects only 5 bytes (119862[1]119871 119862[1]119877119862[2]119871 119862[3]119871 and 119862[3]119877) of the ciphertext and the datacomplexity does not go beyond 240 The correct differencepath does not include the grid line byte (119862[0]119871)
(2) Jeong et al thought that only 2 bytes were activein the decryption of 17th round in backward direction forPiccolo-80 of recomputation shown in Figure 11 of [15] 13F-Functions (without the grid line) were computed 28 timesand 4 F-Functions were computed once They are drawn onFigure 7(b) in this paper Then the total complexity of thisstep is 28 times (28 times 13 + 4) F-Functions
It is clear that 6 bytes of intermediate are active in thedecryption of 17th round in backward direction for Piccolo-80 of recomputation and all bytes are active of 16th roundBased on these their computational complexity of this stepgoes wrong
So 15 F-Functions (including the grid line) are computed28 times and 2 F-Functions are computed onceThen the totalcomplexity of this step is 28 times (28 times 15 + 2) F-Functions Thecorrect difference path includes the grid line bytes
Similarly 3 bytes but not one byte are active in thedecryption of 22nd round in backward direction for Piccolo-128 of recomputation and they are shown in Figure 13 of [15]
10 Security and Communication Networks
F F
F F
F F
F F
F F
F F
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K|4|L
activ
e
K[4]LK[3]R K[3]LK[4]Rrk48 rk49
rk46 rk47
WK2 WK3
19
20
21
22
23
24
S0
C[0] C[1] C[2] C[3]
(a)
F F
F F
F F
F F
F F
F F10
11
12
131415
16
17
18
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K|4|L
activ
e
(b)
Figure 7 Revision of the other solutions
20 rather than 18 F-Functions are computed 28 times and 3instead of 5 F-Functions are computed once
42 Complexities of Biclique Cryptanalysis on Piccolo-80
421 Data Complexity By analyzing the key schedule wefind a weakness in the key schedule on Piccolo-80 that is theround key rk47 can offset the postwhitening key partially (seeFigure 2) Based on this the data complexity can be reducedgreatly
The amount of ciphertexts to be decrypted dominates thedata complexity (Figure 2) For each biclique structure let1198620 = 0(64) All the ciphertexts share the equal values in 3bytes (119862119894[0] 119862119894[4] and 119862119894[5] ie white bytes) so the datacomplexity does not go beyond 240422 Computational Complexity The amount of the F-Functions to be computed determines the attack complexityEach round of Piccolo-80 takes 2 F-Functions computationsSo the single encryption equals computed 25 times 2 = 50F-Functions For each of 264 groups of keys the followingcalculation should be completed
Biclique Complexity 5 F-Functions (Figure 2(b) noted withgray) need to be computed 28 times and 2 F-Functions
(Figure 2(c) noted with gray) need to be computed 28times The remaining 5 F-Functions are computed onlyonce Thus this stage requires 28 times 7 + 5 F-Functionscomputations in total Then the computational complexityof a biclique structure is about 2517 full round Piccolo-80encryptions
Matching Complexity In forward direction the differencesbetween 119870[1198940] and 119870[119894119895] dominate the computational com-plexity On Figure 3(a) for a single 119875119894 14 F-Functions (notedwith gray) are computed 28 times 3 F-Functions (noted withgrid line) are computed only once and 3 F-Functions (notedwith white) do not need to be computed So the complexityof this process is 28times(28times14+3) F-Functions which is about21416 full round Piccolo-80 encryptions
In backward direction on Figure 3(b) for a single 119878119895 15F-Functions (noted with gray) are computed 28 times 2 F-Functions (noted with grid line) are computed only onceand 1 F-Function (noted with white) need not be computedSo the complexity of this process is 28 times (28 times 15 + 2)F-Functions which is about 21426 full round Piccolo-80encryptions
Finally 216 key candidates are verified by a matchingvariable (16 bits) in each group and the average of 216minus16 = 1candidate key needs to be rechecked
Security and Communication Networks 11
Thus the total computational complexity of this attack onPiccolo-80 is
119862 = 264 times (2517 + 21416 + 21426 + 1) asymp 27922 (8)
43 Complexities of Biclique Cryptanalysis on Piccolo-128
431 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 5 bytes(119862119894[1] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie white bytes) so thedata complexity does not go beyond 224 (See Figure 4)
432 Computational Complexity Each round of Piccolo-128takes 2 F-Functions computations So the single encryptionequals computed 31 times 2 = 62 F-Functions For each of2112 groups of keys the following calculation should becompleted
Biclique Complexity 13 F-Functions (Figure 4(b) noted withgray) need to be computed 28 times and 1 F-Function(Figure 4(c) noted with gray) needs to be computed 28 timesThus this stage requires 28 times 14 F-Functions computationsin total Then the computational complexity of a bicliquestructure is about 2585 full round Piccolo-128 encryptions
Matching Complexity In forward direction for a single 119875119894 16F-Functions (noted with gray) are computed 28 times 7 F-Functions (noted with grid line) are computed only once and3 F-Functions (notedwithwhite) do not need to be computedon Figure 5(a) So the complexity of this process is 28 times (28 times16 + 7) F-Functions which is about 21405 full round Piccolo-128 encryptions
In backward direction for a single 119878119895 18 F-functions(noted with gray) are computed 28 times 3 F-functions(noted with grid line) are computed only once and 1 F-Function (noted with white) need not be computed onFigure 5(b) So the complexity of this process is 28 times (28 times18 + 3) F-Functions which is about 21422 full round Piccolo-128 encryptions
Finally 216 key candidates are verified by a matchingvariate (16 bits) in each group and the average of 216minus16 = 1candidate key needs to be rechecked
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2585 + 21408 + 21422 + 1) asymp 212714 (9)
44 Complexities of Another Biclique Cryptanalysis on Piccolo-128
441 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 7 bytes(119862119894[0] 119862119894[1] 119862119894[3] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie whitebytes) so the data complexity does not go beyond 28 (SeeFigure 6)
442 Computational Complexity
Biclique ComplexityThis stage requires 28times5+5 F-Functionscomputations in total Then the computational complexityof a biclique structure is about 2438 full round Piccolo-128encryptions
Matching Complexity In forward direction the complexityis 28 times (28 times 18 + 7) F-Functions which is about 21422 fullround Piccolo-128 encryptions In backward direction thecomplexity is 28 times (28 times 20 + 3) F-Functions which is about21437 full round Piccolo-128 encryptions
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2438 + 21422 + 21437 + 1) asymp 212730 (10)
5 Conclusion
Designers have given several attacks including linear crypt-analysis impossible differential cryptanalysis and MITMattack on security analysis for Piccolo The best result was 3-subset MITM attacks on 1421-round Piccolo-80128 withoutthe whitening key The previous results and our results aresummarized on Piccolo in Tables 1 and 2 Some results didnot includewhitening key some attackswere reduced-roundHowever our results are full round Piccolo-80128
By analyzing the distribution of the subkey and thestructure of encryption we find two faults of the results in [15]and a weakness in the key schedule on Piccolo-80 The twofaults are depicted in Section 41 The weakness on Piccolo-80 is that the right half of the round key rk47 can offset theright half of the postwhitening key WK3 (Figure 2(c)) Basedon this the data complexity can be decreased greatly
We use biclique cryptanalysis to recover the masterkey for the full round Piccolo-80 with a 6-round bicliqueand the full round Piccolo-128 with a 7-round bicliquerespectively The attacks require data complexity of 240 and224 chosen ciphertexts and computational complexity of 27922and 212714 respectively These results are superior to otherbiclique cryptanalytic results on Piccolo
This result is that the biclique technology can attack someciphers with simple key schedule and slow diffusion So thedesigners of lightweight ciphers need to consider not only theimplementation efficiency but also key schedule complexityand diffusion speed
Conflicts of Interest
None of the authors declare any conflicts of interest
Acknowledgments
This work is partially supported by National Natural Sci-ence Foundation of China (nos 61272434 61672330 and61602287) and Nature Science Foundation of ShandongProvince (no ZR2013FQ021)
12 Security and Communication Networks
References
[1] A Bogdanov D Khovratovich and C Rechberger ldquoBicliquecryptanalysis of the full AESrdquo in Advances in CryptologymdashASIACRYPT 2011 vol 7073 of Lecture Notes in Comput Sci pp344ndash371 Springer Heidelberg Germany 2011
[2] Y Wang WWu and X Yu ldquoBiclique cryptanalysis of reduced-round piccolo block cipherrdquo in Proceedings of the 8th Interna-tional Conference on Information Security Practice and Experi-ence (ISPEC rsquo12) M R Dermot S Ben and G Wang Eds vol7232 ofLectureNotes inComputer Science pp 337ndash352 SpringerHeidelberg Germany 2012
[3] D Khovratovich G Leurent and C Rechberger ldquoNarrow-bicliques cryptanalysis of full IDEArdquo in Proceedings of the 31stAnnual International Conference on theTheory and Applicationsof Cryptographic Techniques (EUROCRYPT rsquo12) Lecture Notesin Computer Science pp 392ndash410 Springer Heidelberg Ger-many 2012
[4] D Hong B Koo and D Kwon ldquoBiclique attack on the fullHIGHTrdquo in Information Security and CryptologymdashICISC 2011vol 7259 of Lecture Notes in Computer Science pp 365ndash374Springer Berlin Germany 2012
[5] J Song K Lee and H Lee ldquoBiclique cryptanalysis onlightweight block cipher HIGHT and Piccolordquo InternationalJournal of ComputerMathematics vol 90 no 12 pp 2564ndash25802013
[6] F Abed C Forler E List S Lucks and J Wenzel ldquoBicliquecryptanalysis of the PRESENT and LED lightweight ciphersrdquoTech Rep 2012591 Cryptology ePrint Archive 2012
[7] M Sereshgi andM Shakiba ldquoBiclique cryptanalysis ofMIBS-80and PRESENT-80 block ciphersrdquo Security and CommunicationNetworks vol 9 no 1 pp 27ndash33 2016
[8] O Ozen K Varıcı C Tezcan and C Kocair ldquoLightweight blockciphers revisited cryptanalysis of reduced round PRESENTand HIGHTrdquo in Information Security and Privacy vol 5594 ofLecture Notes in Computer Science pp 90ndash107 Springer BerlinGermany 2009
[9] Y F Wang and W L Wu ldquoMeet-in-the-middle attack onTWINE block cipherrdquo Journal of Software vol 26 no 10 pp2684ndash2695 2015 (Chinese)
[10] M Coban F Karakoc and O Biztas ldquoBiclique cryptanalysis ofTWINErdquo Tech Rep 2012422 Cryptology ePrint Archive 2012
[11] ZAhmadianM Salmasizadeh andMRAref ldquoBiclique crypt-analysis of the full-round KLEIN block cipherrdquo IET InformationSecurity vol 9 no 5 pp 294ndash301 2015
[12] W Diffie and M E Hellman ldquoExhaustive Cryptanalysis of theNBS Data Encryption Standardrdquo Computer vol 10 no 6 pp74ndash84 1977
[13] Y Sasaki ldquoMeet-in-the-middle preimage attacks on AES hash-ingmodes and an application towhirlpoolrdquo inProceedings of theInternational Workshop on Fast Software Encryption (FSE rsquo11)A Joux Ed vol 6733 of Lecture Notes in Computer Science pp378ndash396 Springer Heidelberg Germany 2011
[14] K Shibutani T Isobe H Hiwatari A Mitsuda T Akishitaand T Shirai ldquoPiccolo an ultra-lightweight blockcipherrdquo inProceedings of the 13th InternationalWorkshop on CryptographicHardware and Embedded Systems (CHES rsquo11) B Preneel and TTakagi Eds vol 6917 of Lecture Notes in Computer Science pp342ndash357 Springer Heidelberg Germany 2011
[15] K Jeong H Kang C Lee J Sung and S Hong ldquoBicliquecryptanalysis of lightweight block ciphers PRESENT piccoloand LEDrdquo Tech Rep 2012621 Cryptology ePrint Archive 2012
[16] W Zhang J Zhang and X Zheng ldquoSome observations onthe lightweight block cipher piccolo-80rdquo in Proceedings of the6th International Conference on Trusted Systems (INTRUST rsquo14)vol 9473 of Lecture Notes in Computer Science pp 364ndash373Springer Cham Switzerland 2015
[17] T Isobe and K Shibutani ldquoSecurity analysis of the lightweightblock ciphers XTEA LED and piccolordquo in Information Securityand Privacy vol 7372 pp 71ndash86 Springer Berlin Germany2012
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
Security and Communication Networks 7
F F
F F
F F
F F
F F
F F
F F
25
24
26
27
28
29
30
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[2]LK[2]R K[5]LK[5]R
K[4]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R
K[6]LK[6]R
K[5]LK[5]R
K[7]LK[7]R
S0
C0
(a)
F F
F F
F F
F F
F F
F F
F F
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[2]LK[2]R K[5]LK[5]R
K[4]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R
K[6]LK[6]R
K[5]LK[5]R
K[7]LK[7]R
Sj
C0
K|7|L
activ
e
(b)
F F
F F
F F
F F
F F
F F
F F
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[2]LK[2]R K[5]LK[5]R
K[4]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R
K[6]LK[6]R
K[5]LK[5]R
K[7]LK[7]R
S0
Ci
K|6|L
activ
e
(c)
Figure 4 7-round biclique construction of dimension 8 in Piccolo-128
Finally
119870[119894119895] = 119870[00] oplus 119870[0119895] oplus 119870[1198940]= 119870[00] oplus [00 00 00 00 00 00 1198940 1198950]
(7)
Thus the key space of K is divided into 2112 groups of 216keys each
332 Phase 2 8-Dimensional Biclique Structure of 7 RoundsWe construct an 8-dimensional biclique structure of 7 roundsfor Piccolo-128 for each group (Figure 4) Here 119892 is subci-phers for round 24sim30 and 119892minus1 is the inverse of 119892The processof calculating the ciphertexts and intermediate states consistsof the following 3 steps
Step 1 Let 1198620 = 0(64) and decrypt 1198620 for 7 rounds to obtain1198780 (Figure 4(a)) that is 1198780 = 119892minus1119870[00](1198620)Step 2 Encrypt 1198780 using different keys 119870[1198940] for 119894 isin 0 18(Figure 4(c)) The differences between 119870[1198940] and 119870[00] can
influence the gray intermediate statesrsquo differences This step
derives 119892(1198780) 119870[1198940]997888997888997888rarr 119862119894Step 3 Decrypt 1198620 using different keys 119870[0119895] for 119895 isin 0 18(Figure 4(b)) The differences between 119870[0119895] and 119870[00] canbring about the gray intermediate statesrsquo differences As a
result 119892minus1(1198620)119870[0119895]997888997888997888997888rarr (119878119895) has been constructed
Thanks to the simplicity of the distribution of the subkey
of Piccolo-128 it is also very easy to verify that 119892(119878119895)119870[119894119895]997888997888997888rarr
119862119894 is always true for all 119894 119895 isin 0 18 Up to now for eachkey group we get a corresponding 8-dimensional bicliquestructure
333 Phase 3 Meeting in the Middle over 24 Rounds Select a16-bit internal state (119880 = 1198651214) after F-Function in round 12as the intermediatematching variable (see Figure 5) Next wecalculate these matching variates in both directions in orderto obtain the right key
8 Security and Communication Networks
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
1
0
2
3
4
5
678
9
10
11
12
K[0]LK[0]R
K[1]LK[1]R
K[1]LK[1]R
K[2]LK[2]R
K[2]LK[2]R
K[2]LK[2]R
K[3]LK[3]R
K[1]LK[0]RK[0]LK[1]R
K[3]LK[3]R
K[0]LK[0]R K[3]LK[3]R
K[0]LK[0]R K[3]LK[3]R
K[4]LK[4]R
K[4]LK[4]R
Pi
Pi
K[i j]
K[5]LK[5]R
K[6]LK[6]R K[7]LK[7]R
K[6]LK[6]R K[7]LK[7]R
K[7]LK[7]R
K|7|L
activ
e
Uij
Is computed onceIs computed 28 times
(a)
Sj
Sj
F F
F F
F F
F F
F F
F F
F F
F F13
14
15
16
171819
20
21
22
23
K[1]LK[1]R
K[1]LK[1]R
K[2]LK[2]R
K[2]LK[2]R
K[0]LK[0]R
K[0]LK[0]R
K[3]LK[3]RK[4]LK[4]R
K[i j]
K[5]LK[5]R
K[5]LK[5]RK[6]LK[6]R
K[6]LK[6]R
K[6]LK[6]R
K[7]LK[7]R
K[7]LK[7]R
K[7]LK[7]R
K|6|L
activ
e
Is computed onceIs computed 28 times
Uij
(b)
Figure 5 Recomputations in MITM for Piccolo-128
Backward Direction Each value of the state 119878119895 is decrypt-
ed under the key 119870[0119895] to obtain larr9978889978881198800119895119870[0119895]larr997888997888997888997888 119878119895 After
that 119878119895 is decrypted using all the possible 2119889 minus 1 keys
119870[119894119895] to get larr997888997888119880119894119895119870[119894119895]larr997888997888997888 119878119895 On Figure 5(b) the gray
bytes are active and the white bytes do not need to becomputed
Forward Direction Firstly we decrypt the ciphertexts 119862119894 for119894 isin 0 18 to obtain 28 plaintexts 119875119894 Secondly each 119875119894 isencrypted under the key 119870[1198940] to obtain 119875119894 119870[1198940]997888997888997888rarr 997888997888rarr1198801198940 Then119875119894 is encrypted using all the possible 2119889 minus 1 keys 119870[119894119895] to get
119875119894119870[119894119895]997888997888997888rarr 997888997888rarr119880119894119895 On Figure 5(a) the gray bytes are active and the
white bytes do not need to be computed
Security and Communication Networks 9
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
26
27
28
29
30
Sj
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
S0 S0
C0 C0
K|6|L
activ
e
K|2|L
activ
e
Ci[0] Ci[1] Ci[2] Ci[3]
Figure 6 5-round biclique construction of dimension 8 in Piccolo-128
Search Candidates In the last session of the attack theadversary verifies the equality of 997888997888rarr119880119894119895 and larr997888997888119880119894119895 for all 119894 119895 isin0 18 to discover the correct key34 Another Biclique Cryptanalysis of Piccolo-128 Similar toSection 33 we construct an 8-dimensional biclique structureof 5 rounds (26sim30) for Piccolo-128 by each left half of 119870[6]and119870[2] that is 119870[6]119871 and119870[2]119871 (Figure 6)
In the phase of meeting in the middle over 26 rounds weselect a 16-bit internal state (119880 = 1198651314) after F-Function inround 13 as the intermediate matching variable
4 Complexities
41 Comments on the Result of [15] Jeong et al appliedbiclique cryptanalysis to the lightweight block ciphers LEDPiccolo and PRESENT in [15] They used the concept ofindependent-biclique which included constructing bicliquestructure by independent related-key differentials andmatch-ing with precomputations They found a limited and slowdiffusion of the subkey distribution and encryption processAs a result their attacks can discover the master key withcomputational complexities superior to an exhaustive searchHowever we find two faults of their biclique cryptanalysis ofPiccolo as follows
(1) Jeong et al found that 119870[4]119871 and 119870[2]119871 gave theconstruction of an 8-dimensional biclique which was shownin Figure 10 of [15] The Δ 119894-differential affected only 6 bytes(119862[0]119871 119862[1]119871 119862[1]119877 119862[2]119871 119862[3]119871 and 119862[3]119877) which isdrawn on Figure 7(a) (including the grid line byte) in this
paper As a result the data complexity does not go beyond248
In the attack shown in Figure 7 it is clear that the left halfof the round key rk46 can offset the left half of WK2 (thepostwhitening key) that is there is no difference in the gridline byte (119862[0]119871) Based on this the biclique cryptanalysis ofJeong et al goes wrong
So the Δ 119894-differential affects only 5 bytes (119862[1]119871 119862[1]119877119862[2]119871 119862[3]119871 and 119862[3]119877) of the ciphertext and the datacomplexity does not go beyond 240 The correct differencepath does not include the grid line byte (119862[0]119871)
(2) Jeong et al thought that only 2 bytes were activein the decryption of 17th round in backward direction forPiccolo-80 of recomputation shown in Figure 11 of [15] 13F-Functions (without the grid line) were computed 28 timesand 4 F-Functions were computed once They are drawn onFigure 7(b) in this paper Then the total complexity of thisstep is 28 times (28 times 13 + 4) F-Functions
It is clear that 6 bytes of intermediate are active in thedecryption of 17th round in backward direction for Piccolo-80 of recomputation and all bytes are active of 16th roundBased on these their computational complexity of this stepgoes wrong
So 15 F-Functions (including the grid line) are computed28 times and 2 F-Functions are computed onceThen the totalcomplexity of this step is 28 times (28 times 15 + 2) F-Functions Thecorrect difference path includes the grid line bytes
Similarly 3 bytes but not one byte are active in thedecryption of 22nd round in backward direction for Piccolo-128 of recomputation and they are shown in Figure 13 of [15]
10 Security and Communication Networks
F F
F F
F F
F F
F F
F F
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K|4|L
activ
e
K[4]LK[3]R K[3]LK[4]Rrk48 rk49
rk46 rk47
WK2 WK3
19
20
21
22
23
24
S0
C[0] C[1] C[2] C[3]
(a)
F F
F F
F F
F F
F F
F F10
11
12
131415
16
17
18
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K|4|L
activ
e
(b)
Figure 7 Revision of the other solutions
20 rather than 18 F-Functions are computed 28 times and 3instead of 5 F-Functions are computed once
42 Complexities of Biclique Cryptanalysis on Piccolo-80
421 Data Complexity By analyzing the key schedule wefind a weakness in the key schedule on Piccolo-80 that is theround key rk47 can offset the postwhitening key partially (seeFigure 2) Based on this the data complexity can be reducedgreatly
The amount of ciphertexts to be decrypted dominates thedata complexity (Figure 2) For each biclique structure let1198620 = 0(64) All the ciphertexts share the equal values in 3bytes (119862119894[0] 119862119894[4] and 119862119894[5] ie white bytes) so the datacomplexity does not go beyond 240422 Computational Complexity The amount of the F-Functions to be computed determines the attack complexityEach round of Piccolo-80 takes 2 F-Functions computationsSo the single encryption equals computed 25 times 2 = 50F-Functions For each of 264 groups of keys the followingcalculation should be completed
Biclique Complexity 5 F-Functions (Figure 2(b) noted withgray) need to be computed 28 times and 2 F-Functions
(Figure 2(c) noted with gray) need to be computed 28times The remaining 5 F-Functions are computed onlyonce Thus this stage requires 28 times 7 + 5 F-Functionscomputations in total Then the computational complexityof a biclique structure is about 2517 full round Piccolo-80encryptions
Matching Complexity In forward direction the differencesbetween 119870[1198940] and 119870[119894119895] dominate the computational com-plexity On Figure 3(a) for a single 119875119894 14 F-Functions (notedwith gray) are computed 28 times 3 F-Functions (noted withgrid line) are computed only once and 3 F-Functions (notedwith white) do not need to be computed So the complexityof this process is 28times(28times14+3) F-Functions which is about21416 full round Piccolo-80 encryptions
In backward direction on Figure 3(b) for a single 119878119895 15F-Functions (noted with gray) are computed 28 times 2 F-Functions (noted with grid line) are computed only onceand 1 F-Function (noted with white) need not be computedSo the complexity of this process is 28 times (28 times 15 + 2)F-Functions which is about 21426 full round Piccolo-80encryptions
Finally 216 key candidates are verified by a matchingvariable (16 bits) in each group and the average of 216minus16 = 1candidate key needs to be rechecked
Security and Communication Networks 11
Thus the total computational complexity of this attack onPiccolo-80 is
119862 = 264 times (2517 + 21416 + 21426 + 1) asymp 27922 (8)
43 Complexities of Biclique Cryptanalysis on Piccolo-128
431 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 5 bytes(119862119894[1] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie white bytes) so thedata complexity does not go beyond 224 (See Figure 4)
432 Computational Complexity Each round of Piccolo-128takes 2 F-Functions computations So the single encryptionequals computed 31 times 2 = 62 F-Functions For each of2112 groups of keys the following calculation should becompleted
Biclique Complexity 13 F-Functions (Figure 4(b) noted withgray) need to be computed 28 times and 1 F-Function(Figure 4(c) noted with gray) needs to be computed 28 timesThus this stage requires 28 times 14 F-Functions computationsin total Then the computational complexity of a bicliquestructure is about 2585 full round Piccolo-128 encryptions
Matching Complexity In forward direction for a single 119875119894 16F-Functions (noted with gray) are computed 28 times 7 F-Functions (noted with grid line) are computed only once and3 F-Functions (notedwithwhite) do not need to be computedon Figure 5(a) So the complexity of this process is 28 times (28 times16 + 7) F-Functions which is about 21405 full round Piccolo-128 encryptions
In backward direction for a single 119878119895 18 F-functions(noted with gray) are computed 28 times 3 F-functions(noted with grid line) are computed only once and 1 F-Function (noted with white) need not be computed onFigure 5(b) So the complexity of this process is 28 times (28 times18 + 3) F-Functions which is about 21422 full round Piccolo-128 encryptions
Finally 216 key candidates are verified by a matchingvariate (16 bits) in each group and the average of 216minus16 = 1candidate key needs to be rechecked
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2585 + 21408 + 21422 + 1) asymp 212714 (9)
44 Complexities of Another Biclique Cryptanalysis on Piccolo-128
441 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 7 bytes(119862119894[0] 119862119894[1] 119862119894[3] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie whitebytes) so the data complexity does not go beyond 28 (SeeFigure 6)
442 Computational Complexity
Biclique ComplexityThis stage requires 28times5+5 F-Functionscomputations in total Then the computational complexityof a biclique structure is about 2438 full round Piccolo-128encryptions
Matching Complexity In forward direction the complexityis 28 times (28 times 18 + 7) F-Functions which is about 21422 fullround Piccolo-128 encryptions In backward direction thecomplexity is 28 times (28 times 20 + 3) F-Functions which is about21437 full round Piccolo-128 encryptions
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2438 + 21422 + 21437 + 1) asymp 212730 (10)
5 Conclusion
Designers have given several attacks including linear crypt-analysis impossible differential cryptanalysis and MITMattack on security analysis for Piccolo The best result was 3-subset MITM attacks on 1421-round Piccolo-80128 withoutthe whitening key The previous results and our results aresummarized on Piccolo in Tables 1 and 2 Some results didnot includewhitening key some attackswere reduced-roundHowever our results are full round Piccolo-80128
By analyzing the distribution of the subkey and thestructure of encryption we find two faults of the results in [15]and a weakness in the key schedule on Piccolo-80 The twofaults are depicted in Section 41 The weakness on Piccolo-80 is that the right half of the round key rk47 can offset theright half of the postwhitening key WK3 (Figure 2(c)) Basedon this the data complexity can be decreased greatly
We use biclique cryptanalysis to recover the masterkey for the full round Piccolo-80 with a 6-round bicliqueand the full round Piccolo-128 with a 7-round bicliquerespectively The attacks require data complexity of 240 and224 chosen ciphertexts and computational complexity of 27922and 212714 respectively These results are superior to otherbiclique cryptanalytic results on Piccolo
This result is that the biclique technology can attack someciphers with simple key schedule and slow diffusion So thedesigners of lightweight ciphers need to consider not only theimplementation efficiency but also key schedule complexityand diffusion speed
Conflicts of Interest
None of the authors declare any conflicts of interest
Acknowledgments
This work is partially supported by National Natural Sci-ence Foundation of China (nos 61272434 61672330 and61602287) and Nature Science Foundation of ShandongProvince (no ZR2013FQ021)
12 Security and Communication Networks
References
[1] A Bogdanov D Khovratovich and C Rechberger ldquoBicliquecryptanalysis of the full AESrdquo in Advances in CryptologymdashASIACRYPT 2011 vol 7073 of Lecture Notes in Comput Sci pp344ndash371 Springer Heidelberg Germany 2011
[2] Y Wang WWu and X Yu ldquoBiclique cryptanalysis of reduced-round piccolo block cipherrdquo in Proceedings of the 8th Interna-tional Conference on Information Security Practice and Experi-ence (ISPEC rsquo12) M R Dermot S Ben and G Wang Eds vol7232 ofLectureNotes inComputer Science pp 337ndash352 SpringerHeidelberg Germany 2012
[3] D Khovratovich G Leurent and C Rechberger ldquoNarrow-bicliques cryptanalysis of full IDEArdquo in Proceedings of the 31stAnnual International Conference on theTheory and Applicationsof Cryptographic Techniques (EUROCRYPT rsquo12) Lecture Notesin Computer Science pp 392ndash410 Springer Heidelberg Ger-many 2012
[4] D Hong B Koo and D Kwon ldquoBiclique attack on the fullHIGHTrdquo in Information Security and CryptologymdashICISC 2011vol 7259 of Lecture Notes in Computer Science pp 365ndash374Springer Berlin Germany 2012
[5] J Song K Lee and H Lee ldquoBiclique cryptanalysis onlightweight block cipher HIGHT and Piccolordquo InternationalJournal of ComputerMathematics vol 90 no 12 pp 2564ndash25802013
[6] F Abed C Forler E List S Lucks and J Wenzel ldquoBicliquecryptanalysis of the PRESENT and LED lightweight ciphersrdquoTech Rep 2012591 Cryptology ePrint Archive 2012
[7] M Sereshgi andM Shakiba ldquoBiclique cryptanalysis ofMIBS-80and PRESENT-80 block ciphersrdquo Security and CommunicationNetworks vol 9 no 1 pp 27ndash33 2016
[8] O Ozen K Varıcı C Tezcan and C Kocair ldquoLightweight blockciphers revisited cryptanalysis of reduced round PRESENTand HIGHTrdquo in Information Security and Privacy vol 5594 ofLecture Notes in Computer Science pp 90ndash107 Springer BerlinGermany 2009
[9] Y F Wang and W L Wu ldquoMeet-in-the-middle attack onTWINE block cipherrdquo Journal of Software vol 26 no 10 pp2684ndash2695 2015 (Chinese)
[10] M Coban F Karakoc and O Biztas ldquoBiclique cryptanalysis ofTWINErdquo Tech Rep 2012422 Cryptology ePrint Archive 2012
[11] ZAhmadianM Salmasizadeh andMRAref ldquoBiclique crypt-analysis of the full-round KLEIN block cipherrdquo IET InformationSecurity vol 9 no 5 pp 294ndash301 2015
[12] W Diffie and M E Hellman ldquoExhaustive Cryptanalysis of theNBS Data Encryption Standardrdquo Computer vol 10 no 6 pp74ndash84 1977
[13] Y Sasaki ldquoMeet-in-the-middle preimage attacks on AES hash-ingmodes and an application towhirlpoolrdquo inProceedings of theInternational Workshop on Fast Software Encryption (FSE rsquo11)A Joux Ed vol 6733 of Lecture Notes in Computer Science pp378ndash396 Springer Heidelberg Germany 2011
[14] K Shibutani T Isobe H Hiwatari A Mitsuda T Akishitaand T Shirai ldquoPiccolo an ultra-lightweight blockcipherrdquo inProceedings of the 13th InternationalWorkshop on CryptographicHardware and Embedded Systems (CHES rsquo11) B Preneel and TTakagi Eds vol 6917 of Lecture Notes in Computer Science pp342ndash357 Springer Heidelberg Germany 2011
[15] K Jeong H Kang C Lee J Sung and S Hong ldquoBicliquecryptanalysis of lightweight block ciphers PRESENT piccoloand LEDrdquo Tech Rep 2012621 Cryptology ePrint Archive 2012
[16] W Zhang J Zhang and X Zheng ldquoSome observations onthe lightweight block cipher piccolo-80rdquo in Proceedings of the6th International Conference on Trusted Systems (INTRUST rsquo14)vol 9473 of Lecture Notes in Computer Science pp 364ndash373Springer Cham Switzerland 2015
[17] T Isobe and K Shibutani ldquoSecurity analysis of the lightweightblock ciphers XTEA LED and piccolordquo in Information Securityand Privacy vol 7372 pp 71ndash86 Springer Berlin Germany2012
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
8 Security and Communication Networks
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
1
0
2
3
4
5
678
9
10
11
12
K[0]LK[0]R
K[1]LK[1]R
K[1]LK[1]R
K[2]LK[2]R
K[2]LK[2]R
K[2]LK[2]R
K[3]LK[3]R
K[1]LK[0]RK[0]LK[1]R
K[3]LK[3]R
K[0]LK[0]R K[3]LK[3]R
K[0]LK[0]R K[3]LK[3]R
K[4]LK[4]R
K[4]LK[4]R
Pi
Pi
K[i j]
K[5]LK[5]R
K[6]LK[6]R K[7]LK[7]R
K[6]LK[6]R K[7]LK[7]R
K[7]LK[7]R
K|7|L
activ
e
Uij
Is computed onceIs computed 28 times
(a)
Sj
Sj
F F
F F
F F
F F
F F
F F
F F
F F13
14
15
16
171819
20
21
22
23
K[1]LK[1]R
K[1]LK[1]R
K[2]LK[2]R
K[2]LK[2]R
K[0]LK[0]R
K[0]LK[0]R
K[3]LK[3]RK[4]LK[4]R
K[i j]
K[5]LK[5]R
K[5]LK[5]RK[6]LK[6]R
K[6]LK[6]R
K[6]LK[6]R
K[7]LK[7]R
K[7]LK[7]R
K[7]LK[7]R
K|6|L
activ
e
Is computed onceIs computed 28 times
Uij
(b)
Figure 5 Recomputations in MITM for Piccolo-128
Backward Direction Each value of the state 119878119895 is decrypt-
ed under the key 119870[0119895] to obtain larr9978889978881198800119895119870[0119895]larr997888997888997888997888 119878119895 After
that 119878119895 is decrypted using all the possible 2119889 minus 1 keys
119870[119894119895] to get larr997888997888119880119894119895119870[119894119895]larr997888997888997888 119878119895 On Figure 5(b) the gray
bytes are active and the white bytes do not need to becomputed
Forward Direction Firstly we decrypt the ciphertexts 119862119894 for119894 isin 0 18 to obtain 28 plaintexts 119875119894 Secondly each 119875119894 isencrypted under the key 119870[1198940] to obtain 119875119894 119870[1198940]997888997888997888rarr 997888997888rarr1198801198940 Then119875119894 is encrypted using all the possible 2119889 minus 1 keys 119870[119894119895] to get
119875119894119870[119894119895]997888997888997888rarr 997888997888rarr119880119894119895 On Figure 5(a) the gray bytes are active and the
white bytes do not need to be computed
Security and Communication Networks 9
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
26
27
28
29
30
Sj
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
S0 S0
C0 C0
K|6|L
activ
e
K|2|L
activ
e
Ci[0] Ci[1] Ci[2] Ci[3]
Figure 6 5-round biclique construction of dimension 8 in Piccolo-128
Search Candidates In the last session of the attack theadversary verifies the equality of 997888997888rarr119880119894119895 and larr997888997888119880119894119895 for all 119894 119895 isin0 18 to discover the correct key34 Another Biclique Cryptanalysis of Piccolo-128 Similar toSection 33 we construct an 8-dimensional biclique structureof 5 rounds (26sim30) for Piccolo-128 by each left half of 119870[6]and119870[2] that is 119870[6]119871 and119870[2]119871 (Figure 6)
In the phase of meeting in the middle over 26 rounds weselect a 16-bit internal state (119880 = 1198651314) after F-Function inround 13 as the intermediate matching variable
4 Complexities
41 Comments on the Result of [15] Jeong et al appliedbiclique cryptanalysis to the lightweight block ciphers LEDPiccolo and PRESENT in [15] They used the concept ofindependent-biclique which included constructing bicliquestructure by independent related-key differentials andmatch-ing with precomputations They found a limited and slowdiffusion of the subkey distribution and encryption processAs a result their attacks can discover the master key withcomputational complexities superior to an exhaustive searchHowever we find two faults of their biclique cryptanalysis ofPiccolo as follows
(1) Jeong et al found that 119870[4]119871 and 119870[2]119871 gave theconstruction of an 8-dimensional biclique which was shownin Figure 10 of [15] The Δ 119894-differential affected only 6 bytes(119862[0]119871 119862[1]119871 119862[1]119877 119862[2]119871 119862[3]119871 and 119862[3]119877) which isdrawn on Figure 7(a) (including the grid line byte) in this
paper As a result the data complexity does not go beyond248
In the attack shown in Figure 7 it is clear that the left halfof the round key rk46 can offset the left half of WK2 (thepostwhitening key) that is there is no difference in the gridline byte (119862[0]119871) Based on this the biclique cryptanalysis ofJeong et al goes wrong
So the Δ 119894-differential affects only 5 bytes (119862[1]119871 119862[1]119877119862[2]119871 119862[3]119871 and 119862[3]119877) of the ciphertext and the datacomplexity does not go beyond 240 The correct differencepath does not include the grid line byte (119862[0]119871)
(2) Jeong et al thought that only 2 bytes were activein the decryption of 17th round in backward direction forPiccolo-80 of recomputation shown in Figure 11 of [15] 13F-Functions (without the grid line) were computed 28 timesand 4 F-Functions were computed once They are drawn onFigure 7(b) in this paper Then the total complexity of thisstep is 28 times (28 times 13 + 4) F-Functions
It is clear that 6 bytes of intermediate are active in thedecryption of 17th round in backward direction for Piccolo-80 of recomputation and all bytes are active of 16th roundBased on these their computational complexity of this stepgoes wrong
So 15 F-Functions (including the grid line) are computed28 times and 2 F-Functions are computed onceThen the totalcomplexity of this step is 28 times (28 times 15 + 2) F-Functions Thecorrect difference path includes the grid line bytes
Similarly 3 bytes but not one byte are active in thedecryption of 22nd round in backward direction for Piccolo-128 of recomputation and they are shown in Figure 13 of [15]
10 Security and Communication Networks
F F
F F
F F
F F
F F
F F
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K|4|L
activ
e
K[4]LK[3]R K[3]LK[4]Rrk48 rk49
rk46 rk47
WK2 WK3
19
20
21
22
23
24
S0
C[0] C[1] C[2] C[3]
(a)
F F
F F
F F
F F
F F
F F10
11
12
131415
16
17
18
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K|4|L
activ
e
(b)
Figure 7 Revision of the other solutions
20 rather than 18 F-Functions are computed 28 times and 3instead of 5 F-Functions are computed once
42 Complexities of Biclique Cryptanalysis on Piccolo-80
421 Data Complexity By analyzing the key schedule wefind a weakness in the key schedule on Piccolo-80 that is theround key rk47 can offset the postwhitening key partially (seeFigure 2) Based on this the data complexity can be reducedgreatly
The amount of ciphertexts to be decrypted dominates thedata complexity (Figure 2) For each biclique structure let1198620 = 0(64) All the ciphertexts share the equal values in 3bytes (119862119894[0] 119862119894[4] and 119862119894[5] ie white bytes) so the datacomplexity does not go beyond 240422 Computational Complexity The amount of the F-Functions to be computed determines the attack complexityEach round of Piccolo-80 takes 2 F-Functions computationsSo the single encryption equals computed 25 times 2 = 50F-Functions For each of 264 groups of keys the followingcalculation should be completed
Biclique Complexity 5 F-Functions (Figure 2(b) noted withgray) need to be computed 28 times and 2 F-Functions
(Figure 2(c) noted with gray) need to be computed 28times The remaining 5 F-Functions are computed onlyonce Thus this stage requires 28 times 7 + 5 F-Functionscomputations in total Then the computational complexityof a biclique structure is about 2517 full round Piccolo-80encryptions
Matching Complexity In forward direction the differencesbetween 119870[1198940] and 119870[119894119895] dominate the computational com-plexity On Figure 3(a) for a single 119875119894 14 F-Functions (notedwith gray) are computed 28 times 3 F-Functions (noted withgrid line) are computed only once and 3 F-Functions (notedwith white) do not need to be computed So the complexityof this process is 28times(28times14+3) F-Functions which is about21416 full round Piccolo-80 encryptions
In backward direction on Figure 3(b) for a single 119878119895 15F-Functions (noted with gray) are computed 28 times 2 F-Functions (noted with grid line) are computed only onceand 1 F-Function (noted with white) need not be computedSo the complexity of this process is 28 times (28 times 15 + 2)F-Functions which is about 21426 full round Piccolo-80encryptions
Finally 216 key candidates are verified by a matchingvariable (16 bits) in each group and the average of 216minus16 = 1candidate key needs to be rechecked
Security and Communication Networks 11
Thus the total computational complexity of this attack onPiccolo-80 is
119862 = 264 times (2517 + 21416 + 21426 + 1) asymp 27922 (8)
43 Complexities of Biclique Cryptanalysis on Piccolo-128
431 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 5 bytes(119862119894[1] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie white bytes) so thedata complexity does not go beyond 224 (See Figure 4)
432 Computational Complexity Each round of Piccolo-128takes 2 F-Functions computations So the single encryptionequals computed 31 times 2 = 62 F-Functions For each of2112 groups of keys the following calculation should becompleted
Biclique Complexity 13 F-Functions (Figure 4(b) noted withgray) need to be computed 28 times and 1 F-Function(Figure 4(c) noted with gray) needs to be computed 28 timesThus this stage requires 28 times 14 F-Functions computationsin total Then the computational complexity of a bicliquestructure is about 2585 full round Piccolo-128 encryptions
Matching Complexity In forward direction for a single 119875119894 16F-Functions (noted with gray) are computed 28 times 7 F-Functions (noted with grid line) are computed only once and3 F-Functions (notedwithwhite) do not need to be computedon Figure 5(a) So the complexity of this process is 28 times (28 times16 + 7) F-Functions which is about 21405 full round Piccolo-128 encryptions
In backward direction for a single 119878119895 18 F-functions(noted with gray) are computed 28 times 3 F-functions(noted with grid line) are computed only once and 1 F-Function (noted with white) need not be computed onFigure 5(b) So the complexity of this process is 28 times (28 times18 + 3) F-Functions which is about 21422 full round Piccolo-128 encryptions
Finally 216 key candidates are verified by a matchingvariate (16 bits) in each group and the average of 216minus16 = 1candidate key needs to be rechecked
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2585 + 21408 + 21422 + 1) asymp 212714 (9)
44 Complexities of Another Biclique Cryptanalysis on Piccolo-128
441 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 7 bytes(119862119894[0] 119862119894[1] 119862119894[3] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie whitebytes) so the data complexity does not go beyond 28 (SeeFigure 6)
442 Computational Complexity
Biclique ComplexityThis stage requires 28times5+5 F-Functionscomputations in total Then the computational complexityof a biclique structure is about 2438 full round Piccolo-128encryptions
Matching Complexity In forward direction the complexityis 28 times (28 times 18 + 7) F-Functions which is about 21422 fullround Piccolo-128 encryptions In backward direction thecomplexity is 28 times (28 times 20 + 3) F-Functions which is about21437 full round Piccolo-128 encryptions
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2438 + 21422 + 21437 + 1) asymp 212730 (10)
5 Conclusion
Designers have given several attacks including linear crypt-analysis impossible differential cryptanalysis and MITMattack on security analysis for Piccolo The best result was 3-subset MITM attacks on 1421-round Piccolo-80128 withoutthe whitening key The previous results and our results aresummarized on Piccolo in Tables 1 and 2 Some results didnot includewhitening key some attackswere reduced-roundHowever our results are full round Piccolo-80128
By analyzing the distribution of the subkey and thestructure of encryption we find two faults of the results in [15]and a weakness in the key schedule on Piccolo-80 The twofaults are depicted in Section 41 The weakness on Piccolo-80 is that the right half of the round key rk47 can offset theright half of the postwhitening key WK3 (Figure 2(c)) Basedon this the data complexity can be decreased greatly
We use biclique cryptanalysis to recover the masterkey for the full round Piccolo-80 with a 6-round bicliqueand the full round Piccolo-128 with a 7-round bicliquerespectively The attacks require data complexity of 240 and224 chosen ciphertexts and computational complexity of 27922and 212714 respectively These results are superior to otherbiclique cryptanalytic results on Piccolo
This result is that the biclique technology can attack someciphers with simple key schedule and slow diffusion So thedesigners of lightweight ciphers need to consider not only theimplementation efficiency but also key schedule complexityand diffusion speed
Conflicts of Interest
None of the authors declare any conflicts of interest
Acknowledgments
This work is partially supported by National Natural Sci-ence Foundation of China (nos 61272434 61672330 and61602287) and Nature Science Foundation of ShandongProvince (no ZR2013FQ021)
12 Security and Communication Networks
References
[1] A Bogdanov D Khovratovich and C Rechberger ldquoBicliquecryptanalysis of the full AESrdquo in Advances in CryptologymdashASIACRYPT 2011 vol 7073 of Lecture Notes in Comput Sci pp344ndash371 Springer Heidelberg Germany 2011
[2] Y Wang WWu and X Yu ldquoBiclique cryptanalysis of reduced-round piccolo block cipherrdquo in Proceedings of the 8th Interna-tional Conference on Information Security Practice and Experi-ence (ISPEC rsquo12) M R Dermot S Ben and G Wang Eds vol7232 ofLectureNotes inComputer Science pp 337ndash352 SpringerHeidelberg Germany 2012
[3] D Khovratovich G Leurent and C Rechberger ldquoNarrow-bicliques cryptanalysis of full IDEArdquo in Proceedings of the 31stAnnual International Conference on theTheory and Applicationsof Cryptographic Techniques (EUROCRYPT rsquo12) Lecture Notesin Computer Science pp 392ndash410 Springer Heidelberg Ger-many 2012
[4] D Hong B Koo and D Kwon ldquoBiclique attack on the fullHIGHTrdquo in Information Security and CryptologymdashICISC 2011vol 7259 of Lecture Notes in Computer Science pp 365ndash374Springer Berlin Germany 2012
[5] J Song K Lee and H Lee ldquoBiclique cryptanalysis onlightweight block cipher HIGHT and Piccolordquo InternationalJournal of ComputerMathematics vol 90 no 12 pp 2564ndash25802013
[6] F Abed C Forler E List S Lucks and J Wenzel ldquoBicliquecryptanalysis of the PRESENT and LED lightweight ciphersrdquoTech Rep 2012591 Cryptology ePrint Archive 2012
[7] M Sereshgi andM Shakiba ldquoBiclique cryptanalysis ofMIBS-80and PRESENT-80 block ciphersrdquo Security and CommunicationNetworks vol 9 no 1 pp 27ndash33 2016
[8] O Ozen K Varıcı C Tezcan and C Kocair ldquoLightweight blockciphers revisited cryptanalysis of reduced round PRESENTand HIGHTrdquo in Information Security and Privacy vol 5594 ofLecture Notes in Computer Science pp 90ndash107 Springer BerlinGermany 2009
[9] Y F Wang and W L Wu ldquoMeet-in-the-middle attack onTWINE block cipherrdquo Journal of Software vol 26 no 10 pp2684ndash2695 2015 (Chinese)
[10] M Coban F Karakoc and O Biztas ldquoBiclique cryptanalysis ofTWINErdquo Tech Rep 2012422 Cryptology ePrint Archive 2012
[11] ZAhmadianM Salmasizadeh andMRAref ldquoBiclique crypt-analysis of the full-round KLEIN block cipherrdquo IET InformationSecurity vol 9 no 5 pp 294ndash301 2015
[12] W Diffie and M E Hellman ldquoExhaustive Cryptanalysis of theNBS Data Encryption Standardrdquo Computer vol 10 no 6 pp74ndash84 1977
[13] Y Sasaki ldquoMeet-in-the-middle preimage attacks on AES hash-ingmodes and an application towhirlpoolrdquo inProceedings of theInternational Workshop on Fast Software Encryption (FSE rsquo11)A Joux Ed vol 6733 of Lecture Notes in Computer Science pp378ndash396 Springer Heidelberg Germany 2011
[14] K Shibutani T Isobe H Hiwatari A Mitsuda T Akishitaand T Shirai ldquoPiccolo an ultra-lightweight blockcipherrdquo inProceedings of the 13th InternationalWorkshop on CryptographicHardware and Embedded Systems (CHES rsquo11) B Preneel and TTakagi Eds vol 6917 of Lecture Notes in Computer Science pp342ndash357 Springer Heidelberg Germany 2011
[15] K Jeong H Kang C Lee J Sung and S Hong ldquoBicliquecryptanalysis of lightweight block ciphers PRESENT piccoloand LEDrdquo Tech Rep 2012621 Cryptology ePrint Archive 2012
[16] W Zhang J Zhang and X Zheng ldquoSome observations onthe lightweight block cipher piccolo-80rdquo in Proceedings of the6th International Conference on Trusted Systems (INTRUST rsquo14)vol 9473 of Lecture Notes in Computer Science pp 364ndash373Springer Cham Switzerland 2015
[17] T Isobe and K Shibutani ldquoSecurity analysis of the lightweightblock ciphers XTEA LED and piccolordquo in Information Securityand Privacy vol 7372 pp 71ndash86 Springer Berlin Germany2012
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
Security and Communication Networks 9
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
26
27
28
29
30
Sj
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
K[0]LK[0]R
K[1]LK[1]R
K[3]LK[3]R
K[2]LK[2]R
K[4]LK[7]R K[7]LK[4]R
K[4]LK[4]R
K[7]LK[7]R
K[0]LK[0]R K[7]LK[7]R
K[6]LK[6]R
K[5]LK[5]R
S0 S0
C0 C0
K|6|L
activ
e
K|2|L
activ
e
Ci[0] Ci[1] Ci[2] Ci[3]
Figure 6 5-round biclique construction of dimension 8 in Piccolo-128
Search Candidates In the last session of the attack theadversary verifies the equality of 997888997888rarr119880119894119895 and larr997888997888119880119894119895 for all 119894 119895 isin0 18 to discover the correct key34 Another Biclique Cryptanalysis of Piccolo-128 Similar toSection 33 we construct an 8-dimensional biclique structureof 5 rounds (26sim30) for Piccolo-128 by each left half of 119870[6]and119870[2] that is 119870[6]119871 and119870[2]119871 (Figure 6)
In the phase of meeting in the middle over 26 rounds weselect a 16-bit internal state (119880 = 1198651314) after F-Function inround 13 as the intermediate matching variable
4 Complexities
41 Comments on the Result of [15] Jeong et al appliedbiclique cryptanalysis to the lightweight block ciphers LEDPiccolo and PRESENT in [15] They used the concept ofindependent-biclique which included constructing bicliquestructure by independent related-key differentials andmatch-ing with precomputations They found a limited and slowdiffusion of the subkey distribution and encryption processAs a result their attacks can discover the master key withcomputational complexities superior to an exhaustive searchHowever we find two faults of their biclique cryptanalysis ofPiccolo as follows
(1) Jeong et al found that 119870[4]119871 and 119870[2]119871 gave theconstruction of an 8-dimensional biclique which was shownin Figure 10 of [15] The Δ 119894-differential affected only 6 bytes(119862[0]119871 119862[1]119871 119862[1]119877 119862[2]119871 119862[3]119871 and 119862[3]119877) which isdrawn on Figure 7(a) (including the grid line byte) in this
paper As a result the data complexity does not go beyond248
In the attack shown in Figure 7 it is clear that the left halfof the round key rk46 can offset the left half of WK2 (thepostwhitening key) that is there is no difference in the gridline byte (119862[0]119871) Based on this the biclique cryptanalysis ofJeong et al goes wrong
So the Δ 119894-differential affects only 5 bytes (119862[1]119871 119862[1]119877119862[2]119871 119862[3]119871 and 119862[3]119877) of the ciphertext and the datacomplexity does not go beyond 240 The correct differencepath does not include the grid line byte (119862[0]119871)
(2) Jeong et al thought that only 2 bytes were activein the decryption of 17th round in backward direction forPiccolo-80 of recomputation shown in Figure 11 of [15] 13F-Functions (without the grid line) were computed 28 timesand 4 F-Functions were computed once They are drawn onFigure 7(b) in this paper Then the total complexity of thisstep is 28 times (28 times 13 + 4) F-Functions
It is clear that 6 bytes of intermediate are active in thedecryption of 17th round in backward direction for Piccolo-80 of recomputation and all bytes are active of 16th roundBased on these their computational complexity of this stepgoes wrong
So 15 F-Functions (including the grid line) are computed28 times and 2 F-Functions are computed onceThen the totalcomplexity of this step is 28 times (28 times 15 + 2) F-Functions Thecorrect difference path includes the grid line bytes
Similarly 3 bytes but not one byte are active in thedecryption of 22nd round in backward direction for Piccolo-128 of recomputation and they are shown in Figure 13 of [15]
10 Security and Communication Networks
F F
F F
F F
F F
F F
F F
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K|4|L
activ
e
K[4]LK[3]R K[3]LK[4]Rrk48 rk49
rk46 rk47
WK2 WK3
19
20
21
22
23
24
S0
C[0] C[1] C[2] C[3]
(a)
F F
F F
F F
F F
F F
F F10
11
12
131415
16
17
18
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K|4|L
activ
e
(b)
Figure 7 Revision of the other solutions
20 rather than 18 F-Functions are computed 28 times and 3instead of 5 F-Functions are computed once
42 Complexities of Biclique Cryptanalysis on Piccolo-80
421 Data Complexity By analyzing the key schedule wefind a weakness in the key schedule on Piccolo-80 that is theround key rk47 can offset the postwhitening key partially (seeFigure 2) Based on this the data complexity can be reducedgreatly
The amount of ciphertexts to be decrypted dominates thedata complexity (Figure 2) For each biclique structure let1198620 = 0(64) All the ciphertexts share the equal values in 3bytes (119862119894[0] 119862119894[4] and 119862119894[5] ie white bytes) so the datacomplexity does not go beyond 240422 Computational Complexity The amount of the F-Functions to be computed determines the attack complexityEach round of Piccolo-80 takes 2 F-Functions computationsSo the single encryption equals computed 25 times 2 = 50F-Functions For each of 264 groups of keys the followingcalculation should be completed
Biclique Complexity 5 F-Functions (Figure 2(b) noted withgray) need to be computed 28 times and 2 F-Functions
(Figure 2(c) noted with gray) need to be computed 28times The remaining 5 F-Functions are computed onlyonce Thus this stage requires 28 times 7 + 5 F-Functionscomputations in total Then the computational complexityof a biclique structure is about 2517 full round Piccolo-80encryptions
Matching Complexity In forward direction the differencesbetween 119870[1198940] and 119870[119894119895] dominate the computational com-plexity On Figure 3(a) for a single 119875119894 14 F-Functions (notedwith gray) are computed 28 times 3 F-Functions (noted withgrid line) are computed only once and 3 F-Functions (notedwith white) do not need to be computed So the complexityof this process is 28times(28times14+3) F-Functions which is about21416 full round Piccolo-80 encryptions
In backward direction on Figure 3(b) for a single 119878119895 15F-Functions (noted with gray) are computed 28 times 2 F-Functions (noted with grid line) are computed only onceand 1 F-Function (noted with white) need not be computedSo the complexity of this process is 28 times (28 times 15 + 2)F-Functions which is about 21426 full round Piccolo-80encryptions
Finally 216 key candidates are verified by a matchingvariable (16 bits) in each group and the average of 216minus16 = 1candidate key needs to be rechecked
Security and Communication Networks 11
Thus the total computational complexity of this attack onPiccolo-80 is
119862 = 264 times (2517 + 21416 + 21426 + 1) asymp 27922 (8)
43 Complexities of Biclique Cryptanalysis on Piccolo-128
431 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 5 bytes(119862119894[1] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie white bytes) so thedata complexity does not go beyond 224 (See Figure 4)
432 Computational Complexity Each round of Piccolo-128takes 2 F-Functions computations So the single encryptionequals computed 31 times 2 = 62 F-Functions For each of2112 groups of keys the following calculation should becompleted
Biclique Complexity 13 F-Functions (Figure 4(b) noted withgray) need to be computed 28 times and 1 F-Function(Figure 4(c) noted with gray) needs to be computed 28 timesThus this stage requires 28 times 14 F-Functions computationsin total Then the computational complexity of a bicliquestructure is about 2585 full round Piccolo-128 encryptions
Matching Complexity In forward direction for a single 119875119894 16F-Functions (noted with gray) are computed 28 times 7 F-Functions (noted with grid line) are computed only once and3 F-Functions (notedwithwhite) do not need to be computedon Figure 5(a) So the complexity of this process is 28 times (28 times16 + 7) F-Functions which is about 21405 full round Piccolo-128 encryptions
In backward direction for a single 119878119895 18 F-functions(noted with gray) are computed 28 times 3 F-functions(noted with grid line) are computed only once and 1 F-Function (noted with white) need not be computed onFigure 5(b) So the complexity of this process is 28 times (28 times18 + 3) F-Functions which is about 21422 full round Piccolo-128 encryptions
Finally 216 key candidates are verified by a matchingvariate (16 bits) in each group and the average of 216minus16 = 1candidate key needs to be rechecked
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2585 + 21408 + 21422 + 1) asymp 212714 (9)
44 Complexities of Another Biclique Cryptanalysis on Piccolo-128
441 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 7 bytes(119862119894[0] 119862119894[1] 119862119894[3] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie whitebytes) so the data complexity does not go beyond 28 (SeeFigure 6)
442 Computational Complexity
Biclique ComplexityThis stage requires 28times5+5 F-Functionscomputations in total Then the computational complexityof a biclique structure is about 2438 full round Piccolo-128encryptions
Matching Complexity In forward direction the complexityis 28 times (28 times 18 + 7) F-Functions which is about 21422 fullround Piccolo-128 encryptions In backward direction thecomplexity is 28 times (28 times 20 + 3) F-Functions which is about21437 full round Piccolo-128 encryptions
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2438 + 21422 + 21437 + 1) asymp 212730 (10)
5 Conclusion
Designers have given several attacks including linear crypt-analysis impossible differential cryptanalysis and MITMattack on security analysis for Piccolo The best result was 3-subset MITM attacks on 1421-round Piccolo-80128 withoutthe whitening key The previous results and our results aresummarized on Piccolo in Tables 1 and 2 Some results didnot includewhitening key some attackswere reduced-roundHowever our results are full round Piccolo-80128
By analyzing the distribution of the subkey and thestructure of encryption we find two faults of the results in [15]and a weakness in the key schedule on Piccolo-80 The twofaults are depicted in Section 41 The weakness on Piccolo-80 is that the right half of the round key rk47 can offset theright half of the postwhitening key WK3 (Figure 2(c)) Basedon this the data complexity can be decreased greatly
We use biclique cryptanalysis to recover the masterkey for the full round Piccolo-80 with a 6-round bicliqueand the full round Piccolo-128 with a 7-round bicliquerespectively The attacks require data complexity of 240 and224 chosen ciphertexts and computational complexity of 27922and 212714 respectively These results are superior to otherbiclique cryptanalytic results on Piccolo
This result is that the biclique technology can attack someciphers with simple key schedule and slow diffusion So thedesigners of lightweight ciphers need to consider not only theimplementation efficiency but also key schedule complexityand diffusion speed
Conflicts of Interest
None of the authors declare any conflicts of interest
Acknowledgments
This work is partially supported by National Natural Sci-ence Foundation of China (nos 61272434 61672330 and61602287) and Nature Science Foundation of ShandongProvince (no ZR2013FQ021)
12 Security and Communication Networks
References
[1] A Bogdanov D Khovratovich and C Rechberger ldquoBicliquecryptanalysis of the full AESrdquo in Advances in CryptologymdashASIACRYPT 2011 vol 7073 of Lecture Notes in Comput Sci pp344ndash371 Springer Heidelberg Germany 2011
[2] Y Wang WWu and X Yu ldquoBiclique cryptanalysis of reduced-round piccolo block cipherrdquo in Proceedings of the 8th Interna-tional Conference on Information Security Practice and Experi-ence (ISPEC rsquo12) M R Dermot S Ben and G Wang Eds vol7232 ofLectureNotes inComputer Science pp 337ndash352 SpringerHeidelberg Germany 2012
[3] D Khovratovich G Leurent and C Rechberger ldquoNarrow-bicliques cryptanalysis of full IDEArdquo in Proceedings of the 31stAnnual International Conference on theTheory and Applicationsof Cryptographic Techniques (EUROCRYPT rsquo12) Lecture Notesin Computer Science pp 392ndash410 Springer Heidelberg Ger-many 2012
[4] D Hong B Koo and D Kwon ldquoBiclique attack on the fullHIGHTrdquo in Information Security and CryptologymdashICISC 2011vol 7259 of Lecture Notes in Computer Science pp 365ndash374Springer Berlin Germany 2012
[5] J Song K Lee and H Lee ldquoBiclique cryptanalysis onlightweight block cipher HIGHT and Piccolordquo InternationalJournal of ComputerMathematics vol 90 no 12 pp 2564ndash25802013
[6] F Abed C Forler E List S Lucks and J Wenzel ldquoBicliquecryptanalysis of the PRESENT and LED lightweight ciphersrdquoTech Rep 2012591 Cryptology ePrint Archive 2012
[7] M Sereshgi andM Shakiba ldquoBiclique cryptanalysis ofMIBS-80and PRESENT-80 block ciphersrdquo Security and CommunicationNetworks vol 9 no 1 pp 27ndash33 2016
[8] O Ozen K Varıcı C Tezcan and C Kocair ldquoLightweight blockciphers revisited cryptanalysis of reduced round PRESENTand HIGHTrdquo in Information Security and Privacy vol 5594 ofLecture Notes in Computer Science pp 90ndash107 Springer BerlinGermany 2009
[9] Y F Wang and W L Wu ldquoMeet-in-the-middle attack onTWINE block cipherrdquo Journal of Software vol 26 no 10 pp2684ndash2695 2015 (Chinese)
[10] M Coban F Karakoc and O Biztas ldquoBiclique cryptanalysis ofTWINErdquo Tech Rep 2012422 Cryptology ePrint Archive 2012
[11] ZAhmadianM Salmasizadeh andMRAref ldquoBiclique crypt-analysis of the full-round KLEIN block cipherrdquo IET InformationSecurity vol 9 no 5 pp 294ndash301 2015
[12] W Diffie and M E Hellman ldquoExhaustive Cryptanalysis of theNBS Data Encryption Standardrdquo Computer vol 10 no 6 pp74ndash84 1977
[13] Y Sasaki ldquoMeet-in-the-middle preimage attacks on AES hash-ingmodes and an application towhirlpoolrdquo inProceedings of theInternational Workshop on Fast Software Encryption (FSE rsquo11)A Joux Ed vol 6733 of Lecture Notes in Computer Science pp378ndash396 Springer Heidelberg Germany 2011
[14] K Shibutani T Isobe H Hiwatari A Mitsuda T Akishitaand T Shirai ldquoPiccolo an ultra-lightweight blockcipherrdquo inProceedings of the 13th InternationalWorkshop on CryptographicHardware and Embedded Systems (CHES rsquo11) B Preneel and TTakagi Eds vol 6917 of Lecture Notes in Computer Science pp342ndash357 Springer Heidelberg Germany 2011
[15] K Jeong H Kang C Lee J Sung and S Hong ldquoBicliquecryptanalysis of lightweight block ciphers PRESENT piccoloand LEDrdquo Tech Rep 2012621 Cryptology ePrint Archive 2012
[16] W Zhang J Zhang and X Zheng ldquoSome observations onthe lightweight block cipher piccolo-80rdquo in Proceedings of the6th International Conference on Trusted Systems (INTRUST rsquo14)vol 9473 of Lecture Notes in Computer Science pp 364ndash373Springer Cham Switzerland 2015
[17] T Isobe and K Shibutani ldquoSecurity analysis of the lightweightblock ciphers XTEA LED and piccolordquo in Information Securityand Privacy vol 7372 pp 71ndash86 Springer Berlin Germany2012
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
10 Security and Communication Networks
F F
F F
F F
F F
F F
F F
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K|4|L
activ
e
K[4]LK[3]R K[3]LK[4]Rrk48 rk49
rk46 rk47
WK2 WK3
19
20
21
22
23
24
S0
C[0] C[1] C[2] C[3]
(a)
F F
F F
F F
F F
F F
F F10
11
12
131415
16
17
18
K[0]LK[0]R K[1]LK[1]R
K[0]LK[0]R K[1]LK[1]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[2]LK[2]R K[3]LK[3]R
K[4]LK[4]R K[4]LK[4]R
K|4|L
activ
e
(b)
Figure 7 Revision of the other solutions
20 rather than 18 F-Functions are computed 28 times and 3instead of 5 F-Functions are computed once
42 Complexities of Biclique Cryptanalysis on Piccolo-80
421 Data Complexity By analyzing the key schedule wefind a weakness in the key schedule on Piccolo-80 that is theround key rk47 can offset the postwhitening key partially (seeFigure 2) Based on this the data complexity can be reducedgreatly
The amount of ciphertexts to be decrypted dominates thedata complexity (Figure 2) For each biclique structure let1198620 = 0(64) All the ciphertexts share the equal values in 3bytes (119862119894[0] 119862119894[4] and 119862119894[5] ie white bytes) so the datacomplexity does not go beyond 240422 Computational Complexity The amount of the F-Functions to be computed determines the attack complexityEach round of Piccolo-80 takes 2 F-Functions computationsSo the single encryption equals computed 25 times 2 = 50F-Functions For each of 264 groups of keys the followingcalculation should be completed
Biclique Complexity 5 F-Functions (Figure 2(b) noted withgray) need to be computed 28 times and 2 F-Functions
(Figure 2(c) noted with gray) need to be computed 28times The remaining 5 F-Functions are computed onlyonce Thus this stage requires 28 times 7 + 5 F-Functionscomputations in total Then the computational complexityof a biclique structure is about 2517 full round Piccolo-80encryptions
Matching Complexity In forward direction the differencesbetween 119870[1198940] and 119870[119894119895] dominate the computational com-plexity On Figure 3(a) for a single 119875119894 14 F-Functions (notedwith gray) are computed 28 times 3 F-Functions (noted withgrid line) are computed only once and 3 F-Functions (notedwith white) do not need to be computed So the complexityof this process is 28times(28times14+3) F-Functions which is about21416 full round Piccolo-80 encryptions
In backward direction on Figure 3(b) for a single 119878119895 15F-Functions (noted with gray) are computed 28 times 2 F-Functions (noted with grid line) are computed only onceand 1 F-Function (noted with white) need not be computedSo the complexity of this process is 28 times (28 times 15 + 2)F-Functions which is about 21426 full round Piccolo-80encryptions
Finally 216 key candidates are verified by a matchingvariable (16 bits) in each group and the average of 216minus16 = 1candidate key needs to be rechecked
Security and Communication Networks 11
Thus the total computational complexity of this attack onPiccolo-80 is
119862 = 264 times (2517 + 21416 + 21426 + 1) asymp 27922 (8)
43 Complexities of Biclique Cryptanalysis on Piccolo-128
431 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 5 bytes(119862119894[1] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie white bytes) so thedata complexity does not go beyond 224 (See Figure 4)
432 Computational Complexity Each round of Piccolo-128takes 2 F-Functions computations So the single encryptionequals computed 31 times 2 = 62 F-Functions For each of2112 groups of keys the following calculation should becompleted
Biclique Complexity 13 F-Functions (Figure 4(b) noted withgray) need to be computed 28 times and 1 F-Function(Figure 4(c) noted with gray) needs to be computed 28 timesThus this stage requires 28 times 14 F-Functions computationsin total Then the computational complexity of a bicliquestructure is about 2585 full round Piccolo-128 encryptions
Matching Complexity In forward direction for a single 119875119894 16F-Functions (noted with gray) are computed 28 times 7 F-Functions (noted with grid line) are computed only once and3 F-Functions (notedwithwhite) do not need to be computedon Figure 5(a) So the complexity of this process is 28 times (28 times16 + 7) F-Functions which is about 21405 full round Piccolo-128 encryptions
In backward direction for a single 119878119895 18 F-functions(noted with gray) are computed 28 times 3 F-functions(noted with grid line) are computed only once and 1 F-Function (noted with white) need not be computed onFigure 5(b) So the complexity of this process is 28 times (28 times18 + 3) F-Functions which is about 21422 full round Piccolo-128 encryptions
Finally 216 key candidates are verified by a matchingvariate (16 bits) in each group and the average of 216minus16 = 1candidate key needs to be rechecked
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2585 + 21408 + 21422 + 1) asymp 212714 (9)
44 Complexities of Another Biclique Cryptanalysis on Piccolo-128
441 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 7 bytes(119862119894[0] 119862119894[1] 119862119894[3] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie whitebytes) so the data complexity does not go beyond 28 (SeeFigure 6)
442 Computational Complexity
Biclique ComplexityThis stage requires 28times5+5 F-Functionscomputations in total Then the computational complexityof a biclique structure is about 2438 full round Piccolo-128encryptions
Matching Complexity In forward direction the complexityis 28 times (28 times 18 + 7) F-Functions which is about 21422 fullround Piccolo-128 encryptions In backward direction thecomplexity is 28 times (28 times 20 + 3) F-Functions which is about21437 full round Piccolo-128 encryptions
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2438 + 21422 + 21437 + 1) asymp 212730 (10)
5 Conclusion
Designers have given several attacks including linear crypt-analysis impossible differential cryptanalysis and MITMattack on security analysis for Piccolo The best result was 3-subset MITM attacks on 1421-round Piccolo-80128 withoutthe whitening key The previous results and our results aresummarized on Piccolo in Tables 1 and 2 Some results didnot includewhitening key some attackswere reduced-roundHowever our results are full round Piccolo-80128
By analyzing the distribution of the subkey and thestructure of encryption we find two faults of the results in [15]and a weakness in the key schedule on Piccolo-80 The twofaults are depicted in Section 41 The weakness on Piccolo-80 is that the right half of the round key rk47 can offset theright half of the postwhitening key WK3 (Figure 2(c)) Basedon this the data complexity can be decreased greatly
We use biclique cryptanalysis to recover the masterkey for the full round Piccolo-80 with a 6-round bicliqueand the full round Piccolo-128 with a 7-round bicliquerespectively The attacks require data complexity of 240 and224 chosen ciphertexts and computational complexity of 27922and 212714 respectively These results are superior to otherbiclique cryptanalytic results on Piccolo
This result is that the biclique technology can attack someciphers with simple key schedule and slow diffusion So thedesigners of lightweight ciphers need to consider not only theimplementation efficiency but also key schedule complexityand diffusion speed
Conflicts of Interest
None of the authors declare any conflicts of interest
Acknowledgments
This work is partially supported by National Natural Sci-ence Foundation of China (nos 61272434 61672330 and61602287) and Nature Science Foundation of ShandongProvince (no ZR2013FQ021)
12 Security and Communication Networks
References
[1] A Bogdanov D Khovratovich and C Rechberger ldquoBicliquecryptanalysis of the full AESrdquo in Advances in CryptologymdashASIACRYPT 2011 vol 7073 of Lecture Notes in Comput Sci pp344ndash371 Springer Heidelberg Germany 2011
[2] Y Wang WWu and X Yu ldquoBiclique cryptanalysis of reduced-round piccolo block cipherrdquo in Proceedings of the 8th Interna-tional Conference on Information Security Practice and Experi-ence (ISPEC rsquo12) M R Dermot S Ben and G Wang Eds vol7232 ofLectureNotes inComputer Science pp 337ndash352 SpringerHeidelberg Germany 2012
[3] D Khovratovich G Leurent and C Rechberger ldquoNarrow-bicliques cryptanalysis of full IDEArdquo in Proceedings of the 31stAnnual International Conference on theTheory and Applicationsof Cryptographic Techniques (EUROCRYPT rsquo12) Lecture Notesin Computer Science pp 392ndash410 Springer Heidelberg Ger-many 2012
[4] D Hong B Koo and D Kwon ldquoBiclique attack on the fullHIGHTrdquo in Information Security and CryptologymdashICISC 2011vol 7259 of Lecture Notes in Computer Science pp 365ndash374Springer Berlin Germany 2012
[5] J Song K Lee and H Lee ldquoBiclique cryptanalysis onlightweight block cipher HIGHT and Piccolordquo InternationalJournal of ComputerMathematics vol 90 no 12 pp 2564ndash25802013
[6] F Abed C Forler E List S Lucks and J Wenzel ldquoBicliquecryptanalysis of the PRESENT and LED lightweight ciphersrdquoTech Rep 2012591 Cryptology ePrint Archive 2012
[7] M Sereshgi andM Shakiba ldquoBiclique cryptanalysis ofMIBS-80and PRESENT-80 block ciphersrdquo Security and CommunicationNetworks vol 9 no 1 pp 27ndash33 2016
[8] O Ozen K Varıcı C Tezcan and C Kocair ldquoLightweight blockciphers revisited cryptanalysis of reduced round PRESENTand HIGHTrdquo in Information Security and Privacy vol 5594 ofLecture Notes in Computer Science pp 90ndash107 Springer BerlinGermany 2009
[9] Y F Wang and W L Wu ldquoMeet-in-the-middle attack onTWINE block cipherrdquo Journal of Software vol 26 no 10 pp2684ndash2695 2015 (Chinese)
[10] M Coban F Karakoc and O Biztas ldquoBiclique cryptanalysis ofTWINErdquo Tech Rep 2012422 Cryptology ePrint Archive 2012
[11] ZAhmadianM Salmasizadeh andMRAref ldquoBiclique crypt-analysis of the full-round KLEIN block cipherrdquo IET InformationSecurity vol 9 no 5 pp 294ndash301 2015
[12] W Diffie and M E Hellman ldquoExhaustive Cryptanalysis of theNBS Data Encryption Standardrdquo Computer vol 10 no 6 pp74ndash84 1977
[13] Y Sasaki ldquoMeet-in-the-middle preimage attacks on AES hash-ingmodes and an application towhirlpoolrdquo inProceedings of theInternational Workshop on Fast Software Encryption (FSE rsquo11)A Joux Ed vol 6733 of Lecture Notes in Computer Science pp378ndash396 Springer Heidelberg Germany 2011
[14] K Shibutani T Isobe H Hiwatari A Mitsuda T Akishitaand T Shirai ldquoPiccolo an ultra-lightweight blockcipherrdquo inProceedings of the 13th InternationalWorkshop on CryptographicHardware and Embedded Systems (CHES rsquo11) B Preneel and TTakagi Eds vol 6917 of Lecture Notes in Computer Science pp342ndash357 Springer Heidelberg Germany 2011
[15] K Jeong H Kang C Lee J Sung and S Hong ldquoBicliquecryptanalysis of lightweight block ciphers PRESENT piccoloand LEDrdquo Tech Rep 2012621 Cryptology ePrint Archive 2012
[16] W Zhang J Zhang and X Zheng ldquoSome observations onthe lightweight block cipher piccolo-80rdquo in Proceedings of the6th International Conference on Trusted Systems (INTRUST rsquo14)vol 9473 of Lecture Notes in Computer Science pp 364ndash373Springer Cham Switzerland 2015
[17] T Isobe and K Shibutani ldquoSecurity analysis of the lightweightblock ciphers XTEA LED and piccolordquo in Information Securityand Privacy vol 7372 pp 71ndash86 Springer Berlin Germany2012
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
Security and Communication Networks 11
Thus the total computational complexity of this attack onPiccolo-80 is
119862 = 264 times (2517 + 21416 + 21426 + 1) asymp 27922 (8)
43 Complexities of Biclique Cryptanalysis on Piccolo-128
431 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 5 bytes(119862119894[1] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie white bytes) so thedata complexity does not go beyond 224 (See Figure 4)
432 Computational Complexity Each round of Piccolo-128takes 2 F-Functions computations So the single encryptionequals computed 31 times 2 = 62 F-Functions For each of2112 groups of keys the following calculation should becompleted
Biclique Complexity 13 F-Functions (Figure 4(b) noted withgray) need to be computed 28 times and 1 F-Function(Figure 4(c) noted with gray) needs to be computed 28 timesThus this stage requires 28 times 14 F-Functions computationsin total Then the computational complexity of a bicliquestructure is about 2585 full round Piccolo-128 encryptions
Matching Complexity In forward direction for a single 119875119894 16F-Functions (noted with gray) are computed 28 times 7 F-Functions (noted with grid line) are computed only once and3 F-Functions (notedwithwhite) do not need to be computedon Figure 5(a) So the complexity of this process is 28 times (28 times16 + 7) F-Functions which is about 21405 full round Piccolo-128 encryptions
In backward direction for a single 119878119895 18 F-functions(noted with gray) are computed 28 times 3 F-functions(noted with grid line) are computed only once and 1 F-Function (noted with white) need not be computed onFigure 5(b) So the complexity of this process is 28 times (28 times18 + 3) F-Functions which is about 21422 full round Piccolo-128 encryptions
Finally 216 key candidates are verified by a matchingvariate (16 bits) in each group and the average of 216minus16 = 1candidate key needs to be rechecked
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2585 + 21408 + 21422 + 1) asymp 212714 (9)
44 Complexities of Another Biclique Cryptanalysis on Piccolo-128
441 Data Complexity For each biclique structure let 1198620 =0(64) All the ciphertexts share the equal values in 7 bytes(119862119894[0] 119862119894[1] 119862119894[3] 119862119894[4] 119862119894[5] 119862119894[6] and 119862119894[7] ie whitebytes) so the data complexity does not go beyond 28 (SeeFigure 6)
442 Computational Complexity
Biclique ComplexityThis stage requires 28times5+5 F-Functionscomputations in total Then the computational complexityof a biclique structure is about 2438 full round Piccolo-128encryptions
Matching Complexity In forward direction the complexityis 28 times (28 times 18 + 7) F-Functions which is about 21422 fullround Piccolo-128 encryptions In backward direction thecomplexity is 28 times (28 times 20 + 3) F-Functions which is about21437 full round Piccolo-128 encryptions
Thus the total computational complexity of this attack onPiccolo-128 is
119862 = 2112 times (2438 + 21422 + 21437 + 1) asymp 212730 (10)
5 Conclusion
Designers have given several attacks including linear crypt-analysis impossible differential cryptanalysis and MITMattack on security analysis for Piccolo The best result was 3-subset MITM attacks on 1421-round Piccolo-80128 withoutthe whitening key The previous results and our results aresummarized on Piccolo in Tables 1 and 2 Some results didnot includewhitening key some attackswere reduced-roundHowever our results are full round Piccolo-80128
By analyzing the distribution of the subkey and thestructure of encryption we find two faults of the results in [15]and a weakness in the key schedule on Piccolo-80 The twofaults are depicted in Section 41 The weakness on Piccolo-80 is that the right half of the round key rk47 can offset theright half of the postwhitening key WK3 (Figure 2(c)) Basedon this the data complexity can be decreased greatly
We use biclique cryptanalysis to recover the masterkey for the full round Piccolo-80 with a 6-round bicliqueand the full round Piccolo-128 with a 7-round bicliquerespectively The attacks require data complexity of 240 and224 chosen ciphertexts and computational complexity of 27922and 212714 respectively These results are superior to otherbiclique cryptanalytic results on Piccolo
This result is that the biclique technology can attack someciphers with simple key schedule and slow diffusion So thedesigners of lightweight ciphers need to consider not only theimplementation efficiency but also key schedule complexityand diffusion speed
Conflicts of Interest
None of the authors declare any conflicts of interest
Acknowledgments
This work is partially supported by National Natural Sci-ence Foundation of China (nos 61272434 61672330 and61602287) and Nature Science Foundation of ShandongProvince (no ZR2013FQ021)
12 Security and Communication Networks
References
[1] A Bogdanov D Khovratovich and C Rechberger ldquoBicliquecryptanalysis of the full AESrdquo in Advances in CryptologymdashASIACRYPT 2011 vol 7073 of Lecture Notes in Comput Sci pp344ndash371 Springer Heidelberg Germany 2011
[2] Y Wang WWu and X Yu ldquoBiclique cryptanalysis of reduced-round piccolo block cipherrdquo in Proceedings of the 8th Interna-tional Conference on Information Security Practice and Experi-ence (ISPEC rsquo12) M R Dermot S Ben and G Wang Eds vol7232 ofLectureNotes inComputer Science pp 337ndash352 SpringerHeidelberg Germany 2012
[3] D Khovratovich G Leurent and C Rechberger ldquoNarrow-bicliques cryptanalysis of full IDEArdquo in Proceedings of the 31stAnnual International Conference on theTheory and Applicationsof Cryptographic Techniques (EUROCRYPT rsquo12) Lecture Notesin Computer Science pp 392ndash410 Springer Heidelberg Ger-many 2012
[4] D Hong B Koo and D Kwon ldquoBiclique attack on the fullHIGHTrdquo in Information Security and CryptologymdashICISC 2011vol 7259 of Lecture Notes in Computer Science pp 365ndash374Springer Berlin Germany 2012
[5] J Song K Lee and H Lee ldquoBiclique cryptanalysis onlightweight block cipher HIGHT and Piccolordquo InternationalJournal of ComputerMathematics vol 90 no 12 pp 2564ndash25802013
[6] F Abed C Forler E List S Lucks and J Wenzel ldquoBicliquecryptanalysis of the PRESENT and LED lightweight ciphersrdquoTech Rep 2012591 Cryptology ePrint Archive 2012
[7] M Sereshgi andM Shakiba ldquoBiclique cryptanalysis ofMIBS-80and PRESENT-80 block ciphersrdquo Security and CommunicationNetworks vol 9 no 1 pp 27ndash33 2016
[8] O Ozen K Varıcı C Tezcan and C Kocair ldquoLightweight blockciphers revisited cryptanalysis of reduced round PRESENTand HIGHTrdquo in Information Security and Privacy vol 5594 ofLecture Notes in Computer Science pp 90ndash107 Springer BerlinGermany 2009
[9] Y F Wang and W L Wu ldquoMeet-in-the-middle attack onTWINE block cipherrdquo Journal of Software vol 26 no 10 pp2684ndash2695 2015 (Chinese)
[10] M Coban F Karakoc and O Biztas ldquoBiclique cryptanalysis ofTWINErdquo Tech Rep 2012422 Cryptology ePrint Archive 2012
[11] ZAhmadianM Salmasizadeh andMRAref ldquoBiclique crypt-analysis of the full-round KLEIN block cipherrdquo IET InformationSecurity vol 9 no 5 pp 294ndash301 2015
[12] W Diffie and M E Hellman ldquoExhaustive Cryptanalysis of theNBS Data Encryption Standardrdquo Computer vol 10 no 6 pp74ndash84 1977
[13] Y Sasaki ldquoMeet-in-the-middle preimage attacks on AES hash-ingmodes and an application towhirlpoolrdquo inProceedings of theInternational Workshop on Fast Software Encryption (FSE rsquo11)A Joux Ed vol 6733 of Lecture Notes in Computer Science pp378ndash396 Springer Heidelberg Germany 2011
[14] K Shibutani T Isobe H Hiwatari A Mitsuda T Akishitaand T Shirai ldquoPiccolo an ultra-lightweight blockcipherrdquo inProceedings of the 13th InternationalWorkshop on CryptographicHardware and Embedded Systems (CHES rsquo11) B Preneel and TTakagi Eds vol 6917 of Lecture Notes in Computer Science pp342ndash357 Springer Heidelberg Germany 2011
[15] K Jeong H Kang C Lee J Sung and S Hong ldquoBicliquecryptanalysis of lightweight block ciphers PRESENT piccoloand LEDrdquo Tech Rep 2012621 Cryptology ePrint Archive 2012
[16] W Zhang J Zhang and X Zheng ldquoSome observations onthe lightweight block cipher piccolo-80rdquo in Proceedings of the6th International Conference on Trusted Systems (INTRUST rsquo14)vol 9473 of Lecture Notes in Computer Science pp 364ndash373Springer Cham Switzerland 2015
[17] T Isobe and K Shibutani ldquoSecurity analysis of the lightweightblock ciphers XTEA LED and piccolordquo in Information Securityand Privacy vol 7372 pp 71ndash86 Springer Berlin Germany2012
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
12 Security and Communication Networks
References
[1] A Bogdanov D Khovratovich and C Rechberger ldquoBicliquecryptanalysis of the full AESrdquo in Advances in CryptologymdashASIACRYPT 2011 vol 7073 of Lecture Notes in Comput Sci pp344ndash371 Springer Heidelberg Germany 2011
[2] Y Wang WWu and X Yu ldquoBiclique cryptanalysis of reduced-round piccolo block cipherrdquo in Proceedings of the 8th Interna-tional Conference on Information Security Practice and Experi-ence (ISPEC rsquo12) M R Dermot S Ben and G Wang Eds vol7232 ofLectureNotes inComputer Science pp 337ndash352 SpringerHeidelberg Germany 2012
[3] D Khovratovich G Leurent and C Rechberger ldquoNarrow-bicliques cryptanalysis of full IDEArdquo in Proceedings of the 31stAnnual International Conference on theTheory and Applicationsof Cryptographic Techniques (EUROCRYPT rsquo12) Lecture Notesin Computer Science pp 392ndash410 Springer Heidelberg Ger-many 2012
[4] D Hong B Koo and D Kwon ldquoBiclique attack on the fullHIGHTrdquo in Information Security and CryptologymdashICISC 2011vol 7259 of Lecture Notes in Computer Science pp 365ndash374Springer Berlin Germany 2012
[5] J Song K Lee and H Lee ldquoBiclique cryptanalysis onlightweight block cipher HIGHT and Piccolordquo InternationalJournal of ComputerMathematics vol 90 no 12 pp 2564ndash25802013
[6] F Abed C Forler E List S Lucks and J Wenzel ldquoBicliquecryptanalysis of the PRESENT and LED lightweight ciphersrdquoTech Rep 2012591 Cryptology ePrint Archive 2012
[7] M Sereshgi andM Shakiba ldquoBiclique cryptanalysis ofMIBS-80and PRESENT-80 block ciphersrdquo Security and CommunicationNetworks vol 9 no 1 pp 27ndash33 2016
[8] O Ozen K Varıcı C Tezcan and C Kocair ldquoLightweight blockciphers revisited cryptanalysis of reduced round PRESENTand HIGHTrdquo in Information Security and Privacy vol 5594 ofLecture Notes in Computer Science pp 90ndash107 Springer BerlinGermany 2009
[9] Y F Wang and W L Wu ldquoMeet-in-the-middle attack onTWINE block cipherrdquo Journal of Software vol 26 no 10 pp2684ndash2695 2015 (Chinese)
[10] M Coban F Karakoc and O Biztas ldquoBiclique cryptanalysis ofTWINErdquo Tech Rep 2012422 Cryptology ePrint Archive 2012
[11] ZAhmadianM Salmasizadeh andMRAref ldquoBiclique crypt-analysis of the full-round KLEIN block cipherrdquo IET InformationSecurity vol 9 no 5 pp 294ndash301 2015
[12] W Diffie and M E Hellman ldquoExhaustive Cryptanalysis of theNBS Data Encryption Standardrdquo Computer vol 10 no 6 pp74ndash84 1977
[13] Y Sasaki ldquoMeet-in-the-middle preimage attacks on AES hash-ingmodes and an application towhirlpoolrdquo inProceedings of theInternational Workshop on Fast Software Encryption (FSE rsquo11)A Joux Ed vol 6733 of Lecture Notes in Computer Science pp378ndash396 Springer Heidelberg Germany 2011
[14] K Shibutani T Isobe H Hiwatari A Mitsuda T Akishitaand T Shirai ldquoPiccolo an ultra-lightweight blockcipherrdquo inProceedings of the 13th InternationalWorkshop on CryptographicHardware and Embedded Systems (CHES rsquo11) B Preneel and TTakagi Eds vol 6917 of Lecture Notes in Computer Science pp342ndash357 Springer Heidelberg Germany 2011
[15] K Jeong H Kang C Lee J Sung and S Hong ldquoBicliquecryptanalysis of lightweight block ciphers PRESENT piccoloand LEDrdquo Tech Rep 2012621 Cryptology ePrint Archive 2012
[16] W Zhang J Zhang and X Zheng ldquoSome observations onthe lightweight block cipher piccolo-80rdquo in Proceedings of the6th International Conference on Trusted Systems (INTRUST rsquo14)vol 9473 of Lecture Notes in Computer Science pp 364ndash373Springer Cham Switzerland 2015
[17] T Isobe and K Shibutani ldquoSecurity analysis of the lightweightblock ciphers XTEA LED and piccolordquo in Information Securityand Privacy vol 7372 pp 71ndash86 Springer Berlin Germany2012
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of