Meet-in-the-Middle Attacks on Reduced Round Piccolo

Piccolo is a lightweight block cipher designed by Sony Corporation and published at CHES 2011. It inherits the Generalized Feistel Network (GFN) structure and operates on a 64-bit state. It has two versions, Piccolo-80 and Piccolo-128, with 80-bit and 128-bit keys, respectively. In this paper, we propose meet-in-the-middle attacks on 14-round reduced Piccolo-80 and on 16- and 17-round reduced Piccolo-128. First, we build a 5-round distinguisher by using specific properties of the linear transformation of Piccolo. This 5-round distinguisher is then used to launch a 14-round attack on Piccolo-80. As Piccolo-128 uses a different key schedule from the one used in Piccolo-80, we utilize the key-dependent sieving technique to construct a 7-round distinguisher, which is then employed to mount an attack on 16-round reduced Piccolo-128. To extend the attack to 17 rounds, we build a different 6-round distinguisher. For Piccolo-80, the time, data, and memory complexities of the 14-round attack are $$2^{75.39}$$ encryptions, $$2^{48}$$ chosen plaintexts, and $$2^{73.49}$$ 64-bit blocks, respectively. For Piccolo-128, the data complexity of both the 16-round and 17-round attacks is $$2^{48}$$ chosen plaintexts. The time and memory complexities of the 16-round resp. 17-round attack are $$2^{123}$$ resp. $$2^{126.87}$$ encryptions, and $$2^{113.49}$$ resp. $$2^{125.99}$$ 64-bit blocks. To the best of our knowledge, these are currently the best published attacks on both Piccolo-80 and Piccolo-128.
