Improved Biclique Cryptanalysis of the Lightweight Block Cipher Piccolo

Biclique cryptanalysis is a typical attack that reduces computational complexity by finding a biclique, which is a type of bipartite graph. By investigating the subkey distribution and the encryption structure, we find a weakness in the key schedule of Piccolo-80. A 6-round biclique is constructed for Piccolo-80 and a 7-round biclique for Piccolo-128. Then a full-round biclique cryptanalysis of Piccolo is presented. The attacks have data complexities of $2^{40}$ and $2^{24}$ chosen ciphertexts and computational complexities of $2^{79.22}$ and $2^{127.14}$, respectively. They are superior to other known biclique cryptanalysis results on Piccolo.


Introduction
In ASIACRYPT 2011, Bogdanov et al. proposed biclique cryptanalysis for recovering the keys of the full AES-128/192/256 [1]; it is a type of meet-in-the-middle attack and a recent cryptanalysis technique for block ciphers. In [1], they gave two techniques for constructing bicliques for AES. One is the independent related-key differentials biclique and the other is the long biclique. Soon after the paper was published, a great many cryptanalytic results on other block ciphers followed.
The crucial issue of the technique is to construct a superior biclique structure at the ciphertext (or plaintext). In a biclique, one set comprises $2^{d_1}$ ciphertexts (or plaintexts) while the other set is composed of $2^{d_2}$ intermediate states. If $d_1 = d_2 = d$, the biclique structure is called a $d$-dimensional biclique ($d = d_1 = d_2 = 8$ in this paper). In some constrained environments, for example, RFID tags or sensor nodes, the size of the secret key is typically 64, 80, or 128 bits. Many biclique attacks on lightweight block ciphers have been published, such as Piccolo [2], IDEA [3], HIGHT [4,5], LED [6], PRESENT [7,8], TWINE [9,10], and KLEIN [11].
The meet-in-the-middle (MITM) attack is a representative method used in the security evaluation of block ciphers, and its exceptional property is that it needs only minimal data complexity. In recent years, many variants have emerged, for example, 3-subset MITM [12]. Many methods carry out preimage attacks on hash functions [13]; they consist of the splice-and-cut framework, partial matching, and so forth. Using the key expansion algorithm, an adversary can construct a structure and filter out wrong keys through partial matching, which is the central idea of the method.
Piccolo is a 64-bit block cipher. According to the key length, we denote the ciphers by Piccolo-80 and Piccolo-128, respectively [14]. In ISPEC 2012, Wang et al. presented a biclique attack on reduced-round Piccolo [2]. They attacked a 25-round Piccolo-80 with $2^{48}$ chosen plaintexts and $2^{78.95}$ computations. In the case of a 28-round Piccolo-128, this attack required $2^{24}$ chosen plaintexts and $2^{126.79}$ computations. However, the authors considered Piccolo-80 without the postwhitening key and Piccolo-128 without the prewhitening key. In [5], Song et al. proposed a full-round biclique cryptanalysis on Piccolo-80 demanding $2^{48}$ chosen plaintexts and $2^{79.34}$ computations and on Piccolo-128 requiring $2^{24}$ chosen plaintexts and $2^{127.36}$ computations. In [15], we find two faults, which are detailed in Section 4.1 of this paper. Compared to these results, ours are superior. In this paper, we detect a weakness in the key schedule of Piccolo-80; that is, the round key $rk_{47}$ can offset the postwhitening key partially. Based on this, the data complexity can be decreased greatly. We apply some observations on Piccolo in [16] and construct an independent related-key differentials biclique for the last several rounds. Then an 8-dimensional biclique structure of 6 rounds is constructed for Piccolo-80 and an 8-dimensional biclique structure of 7 rounds for Piccolo-128. The attacks have data complexities of $2^{40}$ and $2^{24}$, respectively, and computational complexities of $2^{79.22}$ and $2^{127.14}$, which are the best results currently. The attack results on Piccolo are summarized in Tables 1 and 2.
The structure of the paper is as follows. Section 2 describes the structures of Piccolo-80 and Piccolo-128. Section 3 briefly introduces biclique cryptanalysis. Then, Section 4 presents the cryptanalysis with an 8-dimensional biclique of 6 rounds on full-round Piccolo-80 and with a biclique structure of 7 rounds on full-round Piccolo-128. The data complexity and computational complexity on Piccolo-80 and Piccolo-128 are given, respectively. Finally, we draw our conclusion in Section 5.

Description of Piccolo.
The structure of Piccolo is a variation of generalized Feistel, as shown in Figure 1. Piccolo-80/128 supports 80-bit and 128-bit key sizes along with 25 and 31 rounds, respectively.

Definition of Biclique.
Biclique cryptanalysis is an attack based on MITM. The major idea is to build bicliques on the target subcipher and thereby improve computational efficiency. The basic principles of the biclique attack are explained in [1]. Let be a several-round subcipher and −1 is the inverse of . ] . (2) To avoid duplication, we do not explicate the detailed attack basis, but the three stages of the attack are described in more detail. (Table 3), an 8-dimensional biclique structure of 6 rounds is constructed by each right half of [4] and [2], that is, [4] and [2] . We find [4] of the round key $rk_{47}$ can offset [4] of the postwhitening key, so it can decrease the data complexity greatly. By calculation, the computational complexity is optimal so far.

Biclique
The [ ,0] , and [ , ] of each group are depicted, as shown below: Finally, Thus, the space of is divided into $2^{64}$ groups of $2^{16}$ keys each.

Phase 2: 8-Dimensional Biclique Structure of 6 Rounds.
We construct an 8-dimensional biclique structure of 6 rounds for Piccolo-80 with whitening keys for each group (
Step 1. Let 0 = 0 (64) and decrypt 0 for 6 rounds to obtain . The procedure is named basic calculation.
Step 2. In order to get the corresponding ciphertext , encrypt 0 using different keys [ ,0] for ∈ $\{0,1\}^8$ (Figure 2(c)). The differences between [
Step 3. To get the corresponding states , decrypt 0 using different keys [0, ] for ∈ $\{0,1\}^8$ (Figure 2(b)). The differences between
Thanks to the simplicity of the subkey distribution of Piccolo, the two differential paths do not share any active state. It is therefore easy to verify that ( ) [ , ] → is always true for all , ∈ $\{0,1\}^8$ . Up to now, for each key group, we get a corresponding 8-dimensional biclique structure as discussed above.
From Figure 2, we find a weakness in the key schedule of Piccolo-80; that is, [4] of the round key $rk_{47}$ can offset [4] of the postwhitening key. So it can reduce the data complexity greatly. The calculations of complexities are presented in Section 4.2.
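An added illustration of the property used in Phase 2, that two related-key trails sharing no active nonlinear component combine into a biclique (this is not code from the paper). It runs on a constructed toy cipher, a 3-round, 4-branch generalized Feistel on bytes; `F`, `BASE`, the labels `K[i,j]`, `S_j`, `C_i` and the key-difference positions are assumptions and are not Piccolo's.

```python
# Toy illustration only: 3-round, 4-branch generalized Feistel on bytes.
# F, BASE and the key-difference positions are constructed, not Piccolo's.

def F(x):
    return pow(x + 1, 3, 257) & 0xFF      # small non-affine byte function

def enc(state, rks):
    x0, x1, x2, x3 = state
    for ka, kb in rks:
        x1 ^= F(x0) ^ ka
        x3 ^= F(x2) ^ kb
        x0, x1, x2, x3 = x1, x2, x3, x0   # word rotation
    return (x0, x1, x2, x3)

def dec(state, rks):
    x0, x1, x2, x3 = state
    for ka, kb in reversed(rks):
        x0, x1, x2, x3 = x3, x0, x1, x2   # undo rotation
        x1 ^= F(x0) ^ ka
        x3 ^= F(x2) ^ kb
    return (x0, x1, x2, x3)

BASE = [(0x3A, 0xC5), (0x71, 0x0E), (0x9D, 0x52)]   # constructed base key K[0,0]

def key(i, j, d_pos, n_pos):
    """K[i,j]: base key with i XORed at d_pos and j at n_pos (round, byte)."""
    rks = [list(rk) for rk in BASE]
    rks[d_pos[0]][d_pos[1]] ^= i
    rks[n_pos[0]][n_pos[1]] ^= j
    return rks

def biclique_hits(d_pos, n_pos, c0=(0, 0, 0, 0)):
    """Count pairs (i, j) for which S_j encrypts to C_i under K[i,j]."""
    s = [dec(c0, key(0, j, d_pos, n_pos)) for j in range(256)]    # backward trail
    c = [enc(s[0], key(i, 0, d_pos, n_pos)) for i in range(256)]  # forward trail
    return sum(enc(s[j], key(i, j, d_pos, n_pos)) == c[i]
               for i in range(256) for j in range(256))

if __name__ == "__main__":
    # Trails with disjoint active F calls: every pair satisfies the property.
    print(biclique_hits(d_pos=(1, 0), n_pos=(1, 1)))
    # Trails that share an active F call: the property no longer holds for all pairs.
    print(biclique_hits(d_pos=(0, 0), n_pos=(2, 1)))
```

In the second placement both trails pass through the same F call in the middle round, so the count drops below the full 2^16 pairs.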

Phase 3: Meeting in the Middle over 19 Rounds.
Choose a 16-bit internal state ( = 9 1,4 ) after F-Function in round 9, as the intermediate matching variable (see Figure 3). The choice is made according to the total number of F-Functions and effective filtering of wrong keys. Next, we calculate these matching variables in both directions in order to obtain the correct key.  ← . Because of the same beginning, the key differences between [0, ] and [ , ] can influence the computational complexity. In Figure 3(b), the gray bytes are active and the white bytes need not be computed.
Forward Direction. The forward direction is slightly more complex to compute than the backward direction. Firstly, we decrypt the ciphertexts for ∈ $\{0,1\}^8$ to obtain $2^8$ plaintexts . Secondly, each is encrypted under the key [ ,0] to derive After that, is encrypted using all the possible 2 − 1 keys [ , ] to obtain [ , ] → → , . The differences between [ ,0] and [ , ] can influence the computational complexity. In Figure 3(a), the gray bytes are active and the white bytes need not be computed.
Search Candidates. In the last stage of the attack, the adversary exhaustively verifies the remaining candidate keys in each group by the equality of → , and ← , for all , ∈ $\{0,1\}^8$ , until the right key is discovered.

Biclique Cryptanalysis of Piccolo-128
3.3.1. Phase 1: Key Partitioning.
We divide the 128-bit key into $2^{112}$ groups. [0,0] enumerates 112-bit keys and fixes 16-bit keys with 0 16 . By investigating the subkey distribution (Table 3), an 8-dimensional biclique structure of 7 rounds is constructed by each left half of [6] and [7], that is, [6] and [7] . The computational complexity of this structure is less than others'. Similar to Piccolo-80, the keys Thus, the key space of K is divided into $2^{112}$ groups of $2^{16}$ keys each.

Phase 2: 8-Dimensional Biclique Structure of 7 Rounds.
We construct an 8-dimensional biclique structure of 7 rounds for Piccolo-128 for each group (Figure 4). Here, is subciphers for round 24∼30 and −1 is the inverse of . The process of calculating the ciphertexts and intermediate states consists of the following 3 steps.
Step 3. Decrypt 0 using different keys [0, ] for ∈ $\{0,1\}^8$ (Figure 4(b)). The differences between
Thanks to the simplicity of the subkey distribution of Piccolo-128, it is also very easy to verify that ( ) [ , ] → is always true for all , ∈ $\{0,1\}^8$ . Up to now, for each key group, we get a corresponding 8-dimensional biclique structure.

Phase 3: Meeting in the Middle over 24 Rounds.
Select a 16-bit internal state ( = 12 1,4 ) after F-Function in round 12, as the intermediate matching variable (see Figure 5). Next, we calculate these matching variables in both directions in order to obtain the right key. ← . In Figure 5(b), the gray bytes are active and the white bytes do not need to be computed.
Search Candidates. In the last stage of the attack, the adversary verifies the equality of → , and ← , for all , ∈ $\{0,1\}^8$ to discover the correct key.
In the phase of meeting in the middle over 26 rounds, we select a 16-bit internal state ( = 13 1,4 ) after F-Function in round 13, as the intermediate matching variable. [15]. Jeong et al. applied biclique cryptanalysis to the lightweight block ciphers LED, Piccolo, and PRESENT in [15]. They used the concept of independent-biclique which included constructing biclique structure by independent related-key differentials and matching with precomputations. They found a limited and slow diffusion of the subkey distribution and encryption process. As a result, their attacks can discover the master key with computational complexities superior to an exhaustive search. However, we find two faults of their biclique cryptanalysis of Piccolo as follows:
In the attack shown in Figure 7, it is clear that the left half of the round key $rk_{46}$ can offset the left half of $WK_2$ (the postwhitening key); that is, there is no difference in the grid line byte (

Complexities of Biclique Cryptanalysis on Piccolo-80
4.2.1. Data Complexity.
By analyzing the key schedule, we find a weakness in the key schedule of Piccolo-80; that is, the round key $rk_{47}$ can offset the postwhitening key partially (see Figure 2). Based on this, the data complexity can be reduced greatly.

Computational Complexity
Biclique Complexity. This stage requires $2^8 \times 5 + 5$ F-Function computations in total. Then, the computational complexity of a biclique structure is about $2^{4.38}$ full-round Piccolo-128 encryptions.

Conclusion
The designers have considered several attacks, including linear cryptanalysis, impossible differential cryptanalysis, and MITM attacks, in the security analysis of Piccolo. The best result was 3-subset MITM attacks on 14/21-round Piccolo-80/128 without the whitening key. The previous results and our results on Piccolo are summarized in Tables 1 and 2. Some results did not include the whitening key; some attacks were reduced-round. However, our results are on full-round Piccolo-80/128. By analyzing the distribution of the subkey and the structure of encryption, we find two faults in the results of [15] and a weakness in the key schedule of Piccolo-80. The two faults are described in Section 4.1. The weakness of Piccolo-80 is that the right half of the round key $rk_{47}$ can offset the right half of the postwhitening key $WK_3$ (Figure 2(c)). Based on this, the data complexity can be decreased greatly.
We use biclique cryptanalysis to recover the master key for the full-round Piccolo-80 with a 6-round biclique and the full-round Piccolo-128 with a 7-round biclique, respectively. The attacks require data complexities of $2^{40}$ and $2^{24}$ chosen ciphertexts and computational complexities of $2^{79.22}$ and $2^{127.14}$, respectively. These results are superior to other biclique cryptanalysis results on Piccolo.
This result shows that the biclique technique can attack some ciphers with a simple key schedule and slow diffusion. So, the designers of lightweight ciphers need to consider not only the implementation efficiency, but also key schedule complexity and diffusion speed.

Conflicts of Interest
None of the authors declare any conflicts of interest.