Biclique Cryptanalysis on the Full Crypton-256 and mCrypton-128

. Biclique cryptanalysis is an attack which reduces the computational complexity by finding a biclique which is a kind of bipartite graph. We show a single-key full-round attack of the Crypton-256 and mCrypton-128 by using biclique cryptanalysis. In this paper, 4-round bicliques are constructed for Crypton-256 and mCrypton-128. And these bicliques are used to recover master key for the full rounds of Crypton-256 and mCrypton-128 with the computational complexities of 2 253.78 and 2 126.5 , respectively. This is the first known single-key full-round attack on the Crypton-256. And our result on the mCrypton-128 has superiority over known result of biclique cryptanalysis on the mCrypton-128 which constructs 3-round bicliques in terms of computational time complexity.


Introduction
The block cipher Crypton is one of candidates for the Advanced Encryption Standard (AES) in 1998 [1].The cipher has been revised to Crypton V1.0 in FSE'99 [2].Crypton is a 12-round and 128-bit block cipher that supports key sizes up to 256 bits.A miniversion of Crypton, mCrypton, is a 64-bit block cipher with three key size versions (64 bits, 96 bits, and 128 bits) [3].mCrypton is a 64-bit lightweight block cipher designed to be used in low-cost and resource-constrained applications.Both of them have been designed based on the block cipher square [4].The cipher has been designed to be resistant to differential and linear cryptanalysis.Therefore it has been assumed that the above two ciphers also have the property of resisting those attacks.
However, a related-key impossible differential attack on 9 rounds of Crypton-256 has been shown by Wei et al. in 2011 [5].For mCrypton, a related-key rectangle attack on 8 rounds of mCrypton-128 has been shown by Park in 2009 [6].In 2011, Mala et al. showed a related-key impossible differential attack on 9 rounds of mCrypton-96 and mCrypton-128 [7].The summary of attacks on Crypton-256 and mCrypton-128 is described in Tables 1 and 2, respectively.
In ASIACRYPT 2011, Bogdanov et al. introduce a biclique cryptanalysis, which is a meet-in-the-middle attack with a biclique and the attack is efficient compared to brute force key search.They show two techniques of constructing bicliques for AES in [8].One is from independent related-key differentials, which is called independent biclique and the other is from interleaving related-key differentials.
The biclique attack by using independent related-key differentials consists of two parts.The first part constructs an independent-biclique and the second is called matching with precomputations.In Section 2, we describe an overview of the steps of biclique cryptanalysis.The detailed technique to recover the 256-bit master key with computational complexity in 2 253.78 is presented in Section 4. And in Section 5, the 128-bit key is recovered with computational complexity in 2 126. 5 .

Biclique Cryptanalysis
In the biclique cryptanalysis, the biclique, which is a kind of a bipartite graph improve the computational efficiency of computation.First we will briefly describe biclique.The block cipher is considered as the composition of two subciphers:  = ∘.Consider the subcipher  maps an internal state  to the ciphertext  :   () = , where  is a secret key of .The subcipher  maps 2  internal states { 0 , . . .,    2−1 } to 2 In other words, as illustrated in Figure 1, a biclique is a complete bipartite graph with {  } and {  } as the two parts of vertices connected to 2 2 edges, where each edge has degree 2  .Now we introduce the biclique cryptanalysis.{ 0 , . . .,

Biclique Construction by
Independent Related-Key Differentials.In biclique cryptanalysis, there are two methods to construct a biclique.One is using independent related-key differentials and the other is using interleaving related-key differential trails.In this paper, we focus on the first of two methods, to construct biclique as described in [8].Suppose that a secret key  ⟨0,0⟩ maps an intermediate state  0 to a ciphertext  0 .Then we consider the following two types of 2  related-key differentials with respect to  0  ⟨0,0⟩ →   0 .
Δ  -Differentials.This is a related-key differential trail where the input difference is 0 and the output difference is Δ  under a key difference Δ   : ∇ j -Differentials.This is a related-key differential trail where the input difference is ∇  and the output difference is 0 under a key difference ∇   : The 3-tuple ( 0 ,  0 ,  ⟨0,0⟩ ) conforms to both sets of differentials at the same time.If the two key differential trails, Δ differentials and ∇  -differentials, do not share active nonlinear components, then the tuple also conforms to 2 2 combined (Δ  , ∇  )-differentials: This combined (Δ  , ∇  )-differentials is derived from property of -box switch [14] and sandwich attack [15].By using the combined differentials, an adversary reduces the computational complexity.The construction of a biclique requires less than 2 ⋅ 2  computations of .

Matching with Precomputations.
The technique of matching with precomputations is an efficient method to check (3) in biclique cryptanalysis procedure.Let V be some selected bytes of an internal state between {  } and {  }.The flow of matching with precomputation procedure is as the following.
First, an adversary computes and stores in memory the following for all , : Then for particular  and , which is not in stored memory, the adversary checks the matching at V by recomputing only those parts of the cipher which differ from the stored one.

Description the Crypton and mCrypton
In this section, we describe Crypton and mCrypton, briefly.

Description of Crypton.
Crypton is a 128-bit block cipher supports key sizes up to 256 bits.The standard number of rounds is 12.Let us represent the 128-bit block  as a 4 × 4 matrix of bytes: Crypton uses component functions, , , , and .
Nonlinear Substitution .  and   are bytewise nonlinear substitutions which are applied to odd rounds and even rounds, respectively.
Bit Permutation .  and   are linear transformations for odd rounds and even rounds, respectively.The two bit permutations mix each byte column of 4 × 4 byte array using four masking bytes   .We denote "⋅" and "⊕" bitwise logical operations for AND and XOR, respectively.  is given as follows: and   is given as shown below:

Description of mCrypton.
mCrypton is a 12-round and 64-bit block cipher with three key size options (64 bits, 96 bits, and 128 bits).Since mCrypton is based on Crypton, the main concepts of description are very similar to ones of Crypton.The round function of mCrypton also consists of four steps as follows.
Bit Permutation .It mixes each column 4 × 4 array  using column permutation   for each column  (0 ≤  ≤ 3): where   [] are the th column of .

Byte Transposition
Like Crypton, mCrypton also can be described as where  =  ∘  ∘ .
In this paper, we focus on the 128-bit key version of the mCrypton that is composed of 12 rounds.

Biclique Cryptanalysis of Crypton-256
In this section, we describe a biclique attack with dimension 8 ( = 8) on the full 12-round Crypton-256.We recover secret key by constructing biclique using independent related-key differentials.
Δ  -Differentials.The Δ  -differentials are derived from the difference Δ   where the difference of the expanded key is  in the following positions: i i 9 and 10) = (Round K Δ i ∇  -Differentials.The ∇  -differentials are derived from the difference ∇   where the difference of the expanded key is  in the following positions: j j ∇ K j (round 9 and 10) = Both Δ  -differentials and ∇  -differentials are depicted in Figure 2. Since those two differentials do not share active boxes, one can easily obtain the following differentials with respect to the ( 0 ,  0 ,  ⟨0,0⟩ ): Hence we can confirm a construction of biclique with dimension 8.

Key Recovery for the Crypton-256.
We describe the key recovery procedure using constructed 4-round biclique for the full Crypton-256.For further explanation, let  be a composition of  1 and  2 ,  =  2 ∘  1 .Then Crypton-256, , is the composition of the subciphers as follows: where  1 is the subcipher from Round 0 to 4, and  2 is the subcipher from Round 5 to 8 of Crypton-256.Assume that the plaintext   corresponding to each ciphertext   in a constructed 4-round biclique is obtained by a decryption oracle.
The adversary finds a candidate key in the following key testing step by computing the only 1 byte of intermediate variable V: One can perform key recovery procedure by the following steps, precomputation and recomputations.
Precomputation.This step is a preparation phase for an efficient meet-in-the-middle attack.As in Section 2.3, one computes and stores (7) ←   .This difference is influenced by the key difference between  ⟨,⟩ and  ⟨0,⟩ .By key schedule of Crypton-256, the difference in the subkey of Round 8 is two bytes of 16 bytes.The bytes to be recomputed, which include 29 -boxes, are illustrated in Figure 3.

Forward Recomputation. Recomputing difference, between
is influenced by the key difference between  ⟨,⟩ and  ⟨,0⟩ By the key schedule, the difference in the subkey of Round 8 is two bytes of 16 bytes.The bytes to be recomputed, which include 10 -boxes, are depicted in Figure 4.
By these recomputations of two directions, the adversary would make sure whether corresponding key  ⟨,⟩ satisfies (16).If it satisfies (16), the adversary should check matching the whole bytes at output of Round 4 (input of Round 5) for  ⟨,⟩ ,   , and   .If the adversary cannot find the right key, then one should choose another key group and repeat the above procedures.
Although the Δ  -differential affects all bytes of the ciphertext, only two bytes have 8-bit difference and the remaining bytes have only 6-bit difference.So, 28-bit ciphertext has no difference.As a result, the data complexity does not exceed 2 100 .

Biclique Cryptanalysis of mCrypton-128
In this section, we describe a biclique cryptanalysis with dimension 8 ( = 8) on the full mCrypton-128.We recover secret key by constructing a 4-round biclique using independent related-key differentials.

Key Partitioning and Constructing Biclique for 4 Rounds.
By the key schedule of mCrypton-128 in Table 4, all of the round keys are uniquely determined by the master key  [𝑖].
We find that some bits of  [3],  [4],  [1], and  [2] give construction of a biclique.And the set of keys { ⟨,⟩ }, which is considering combined (Δ  , ∇  )-differentials with respect to the base key  ⟨0,0⟩ , is determined by all possible  =  1 ‖ 2 and  =  1 ‖ 2 in the following positions: Now, we explain how to construct a biclique for 4 rounds of mCrypton-128.Consider the following two related-key differentials.Let  be the subcipher from Round 9 to final round of mCrypton-128.Let the key  ⟨0,0⟩ maps an intermediate state  0 to a ciphertext  0 ,  0 =   ⟨0,0⟩ ( 0 ).Consider the two related-key differentials.v In this step, we first consider forward direction, from initial round to Round 4 of mCrypton-128.For all  = 0, . . ., 2 8 − 1, the adversary computes V of the output of Round 4, from   and  ⟨,0⟩ .And one stores it as → V with the intermediate states and subkeys in memory.On the other hand, in backward direction, we consider Rounds from 5 to 8.For all  = 0, . . ., 2  → → V  .The area to be recomputed, which includes 30 -boxes, is depicted in Figure 7.
By those recomputations of two directions, the adversary would make sure whether corresponding key  ⟨,⟩ satisfies (16).If it is satisfied (16), the candidate key is right key with high probability.Otherwise, the adversary should choose another key group and repeat the above procedures again.

Conclusions
We use bicliques to recover master key for the full rounds of Crypton-256 and mCrypton-128 with the computation complexity of 2 253.78 and 2 126.5 , respectively.This is the first singlekey full-round attack for the Crypton-256.And our result on the mCrypton-128 with 4-round bicliques is better than the known biclique cryptanalysis result with 3-round bicliques in terms of computational time complexity.

Table 1 :
Summary of the attacks of Crypton-256.

Table 2 :
Summary of the attacks of mCrypton-128.

)
Byte Transposition . is a byte transposition; it simply moves the byte at (, ) position to (, ) position; that is,  = () ⇔  , =  , .Key Addition .  is a bitwise key XOR with key .Let   be the th encryption round key derived from a user key  using the key schedule.The block cipher Crypton can be described as  ∘    12 ∘    11 ∘ ⋅ ⋅ ⋅ ∘    2 ∘    1 ∘  0 ,where odd round function    and even round function    are defined by    =   ∘  ∘   ∘   and    =   ∘  ∘   ∘   .Linear transformation   =  ∘   ∘  is used after the last round.

Table 3 :
Indices of expanded keys   [] of Crypton-256 associated with each round.
[3]structing Biclique for 4 Rounds.We describe how to partition key groups of Crypton-256 in this section.Key schedule of Crypton-256 expands master key, and then all of the round keys are uniquely determined by expanded keys.Therefore, if an expanded key   [] is recovered, the mater key [] (0 ≤  ≤ 7) is derived.Indices of 32-bit expanded keys   [] used for generating round keys in each round are listed in Table3.The base keys  ⟨0,0⟩ are all 2 240 32-byte values with two bytes fixed to 0 ( [38]and  [42], which is derived from  [6]and  [3], resp.), but the remaining 30 bytes changes over all values: In precomputation step, first we consider forward direction, from an initial round to Round 4. For all  = 0, . . ., 2 8 − 1, the adversary computes V of the output in Round 4 from   with  ⟨,0⟩ .And one stores it as → V with the intermediate states and subkeys in memory.On the other hand, in backward direction, let us consider subcipher of Crypton-256 from Round 5 to 8.For all  = 0, . . ., 2 8 − 1, one computes V from   with  ⟨0,⟩ and stores it as ←  V with the intermediate states and subkeys in memory.And then we check (16) for every ,  by recomputing those variables which differ from the bytes stored in memory, considering forward and backward directions.
with 2  encryptions and 2  decryptions.In Crypton-256, we consider an intermediate matching vari-able byte V in the output of Round 4 as the byte in the following position: v ←   and stored one,
The base keys  ⟨0,0⟩ are all 2 112 32 8−1, one computes V from   and  ⟨0,⟩ and stores it as ←  V with the intermediate states and subkeys in memory.Then we check (16) for every ,  by recomputing those variables which differ from the variables stored in memory considering forward and backward direction.