
New Analysis of Reduced-Version of Piccolo in the Single-Key Scenario

  • Liu, Ya (Department of Computer Science and Engineering, University of Shanghai for Science and Technology) ;
  • Cheng, Liang (Department of Computer Science and Engineering, University of Shanghai for Science and Technology) ;
  • Zhao, Fengyu (Department of Computer Science and Engineering, University of Shanghai for Science and Technology) ;
  • Su, Chunhua (Division of Computer Science, University of Aizu) ;
  • Liu, Zhiqiang (Department of Computer Science and Engineering, Shanghai Jiao Tong University) ;
  • Li, Wei (School of Computer Science and Technology, Donghua University) ;
  • Gu, Dawu (Department of Computer Science and Engineering, Shanghai Jiao Tong University)
  • Received : 2017.06.30
  • Accepted : 2019.02.12
  • Published : 2019.09.30

Abstract

The lightweight block cipher Piccolo adopts a Generalized Feistel Network structure with a 64-bit block size. Its key is 80 or 128 bits long, the variants being denoted Piccolo-80 and Piccolo-128, respectively. In this paper, we evaluate the security of reduced versions of Piccolo that start from the first round and include the pre-whitening layer, which shows the vulnerability of the original Piccolo. We first study some linear relations among the round subkeys and the properties of the linear layer. Based on them, we evaluate the security of Piccolo-80/128 against the meet-in-the-middle attack. Finally, we attack 13 rounds of Piccolo-80 by applying a 5-round distinguisher, which requires $2^{44}$ chosen plaintexts, $2^{67.39}$ encryptions and $2^{64.91}$ blocks, respectively. Moreover, we also attack 17 rounds of Piccolo-128 by using a 7-round distinguisher, which requires $2^{44}$ chosen plaintexts, $2^{126}$ encryptions and $2^{125.49}$ blocks, respectively. Compared with the previous cryptanalytic results, ours are currently the best ones when Piccolo is considered from the first round with the pre-whitening layer.


1. Introduction

 At CHES 2011, K. Shibutani, T. Isobe et al. of Sony Corporation proposed the lightweight block cipher Piccolo [1]. It employs a Generalized Feistel Network (GFN) structure with a 64-bit block length. Piccolo-80 and Piccolo-128 denote the variants with 80-bit and 128-bit keys, respectively, and the key size determines the number of rounds, i.e., 25 rounds for Piccolo-80 and 31 rounds for Piccolo-128. In addition, pre-whitening and post-whitening layers are appended in order to improve its security. Since its proposal, Piccolo has been evaluated by three cryptanalytic methods: impossible differential attacks, biclique cryptanalysis and meet-in-the-middle attacks. As for impossible differential cryptanalysis of Piccolo, K. Shibutani and T. Isobe attacked Piccolo-80 up to 14 rounds and Piccolo-128 up to 21 rounds, not including the pre-whitening and post-whitening keys, in 2012 [2]; M. Minier attacked Piccolo-80 up to 14 rounds and Piccolo-128 up to 21 rounds, not including the pre-whitening and post-whitening keys, in the related-key setting in 2003 [3]; S. Azimi et al. attacked 12 rounds of Piccolo-80 not including the post-whitening keys, 13 rounds of Piccolo-80 not including the pre- and post-whitening keys, and 15 rounds of Piccolo-128 not including the pre-whitening keys in 2004 [4]. As for meet-in-the-middle attacks on Piccolo, M. Tolba et al. attacked 14 rounds of Piccolo-80 not including the pre-whitening and post-whitening keys and 17 rounds of Piccolo-128 including the post-whitening keys in 2005 [5], and Y. Liu et al. attacked 14 rounds of Piccolo-80 not including the pre-whitening and post-whitening layers and 18 rounds of Piccolo-128 including the post-whitening layer in 2017 [6]. Although T. Isobe and K. Shibutani attacked more rounds than the other results, their attacks require the full codebook or more, which is clearly impractical.
Moreover, except for [4], these results analyze reduced-round variants of Piccolo that do not start from the first round (round 0). There are also some other results on brute-force-like cryptanalysis [7-13].

 Diffie and Hellman presented the meet-in-the-middle attack in 1977. Afterwards it attracted less attention from researchers because it only broke a few rounds of block ciphers. However, since K. Aoki et al. applied it to attack several hash functions, such as reduced versions of SHA-0/1 and MD5, in 2008, the meet-in-the-middle attack has received renewed attention and has been improved further to evaluate the security of several block ciphers, for example Camellia, AES, KASUMI and TWINE. There are two research lines for this attack. In the first, researchers split a block cipher \(E_K\) into two sub-ciphers \(E_{K_1}\) and \(E_{K_2}\), i.e., \(E_K = E_{K_2} \circ E_{K_1}\). For a chosen plaintext-ciphertext pair \((P, C)\), the adversary guesses the value of \(K_1 \| K_2\). If \(E_{K_1}(P) = E_{K_2}^{-1}(C)\), the guessed key might be right; otherwise it must be wrong. With enough plaintext-ciphertext pairs, the right key is recovered. However, it is difficult to attack a large number of rounds with this idea, so techniques such as the initial structure [14] and splice-and-cut [15] were proposed to improve the results. In the second line, Demirci and Selçuk studied this method further to improve the cryptanalysis of reduced-round AES-256 [16]. They treat a block cipher \(E_K\) as \(E_K = E_{K_2} \circ E_{K_m} \circ E_{K_1}\). For \(E_{K_m}\), a distinguisher is constructed in the offline phase. Then the subkeys \(K_1\) and \(K_2\) are guessed and checked against the distinguisher; if the guess satisfies it, the pair \((K_1, K_2)\) might be correct, and in this way wrong subkey pairs \((K_1, K_2)\) are discarded. However, this attack requires a great deal of storage to preserve the precomputation table. To overcome this weakness, researchers proposed techniques such as multisets [17], differential enumeration [17], efficient tabulation [18] and a key-dependent sieve [19]. Moreover, J. Guo et al. evaluated the security of generic Feistel constructions by applying meet-in-the-middle attacks [20-22].
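The first research line above, as an added worked example that is not code from this paper or from any cited work: a toy 16-bit Feistel cipher with an 8-bit key is encrypted twice under independent keys \(K_1\) and \(K_2\), and the attack tabulates \(E_{K_1}(P)\) for every \(K_1\) and matches it against \(E_{K_2}^{-1}(C)\) for every \(K_2\), so the 16-bit combined key costs \(2 \cdot 2^8\) cipher evaluations instead of \(2^{16}\). The toy cipher, its key schedule and all key and plaintext values are constructed for this example and have no relation to Piccolo.

```python
# Added example (not from the paper): the basic two-part meet-in-the-middle
# attack, E_K = E_K2 o E_K1, against a constructed toy cipher.  The toy cipher
# is a 16-bit, 6-round Feistel network with an 8-bit key; double encryption
# under two independent 8-bit keys gives a 16-bit key K1||K2.

ROUNDS = 6


def _f(half, subkey):
    """Constructed 8-bit round function (any function works in a Feistel)."""
    t = (half * 0x9B + subkey) & 0xFF
    return ((t << 3) | (t >> 5)) & 0xFF


def _subkey(key, i):
    """Constructed key schedule: a different 8-bit subkey per round."""
    return (key + 0x35 * i) & 0xFF


def toy_encrypt(key, block):
    l, r = block >> 8, block & 0xFF
    for i in range(ROUNDS):
        l, r = r, l ^ _f(r, _subkey(key, i))
    return (l << 8) | r


def toy_decrypt(key, block):
    l, r = block >> 8, block & 0xFF
    for i in reversed(range(ROUNDS)):
        l, r = r ^ _f(l, _subkey(key, i)), l
    return (l << 8) | r


def double_encrypt(k1, k2, block):
    """E_K(P) = E_K2(E_K1(P)); the naive key space is 2^16."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def mitm_recover(pairs):
    """Meet in the middle on (P, C) pairs under one (K1, K2).

    Forward: tabulate E_K1(P0) for all 2^8 values of K1.
    Backward: for each K2 compute E_K2^-1(C0) and look it up; a match is a
    candidate (K1, K2).  The first pair costs 2^8 + 2^8 cipher evaluations
    instead of 2^16; the remaining pairs only filter false matches.
    Returns the surviving candidates and the evaluation count of the
    table-and-lookup phase.
    """
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(256):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    candidates = []
    for k2 in range(256):
        mid = toy_decrypt(k2, c0)
        for k1 in table.get(mid, []):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates, 256 + 256


def demo():
    """Constructed secret key and three chosen plaintexts."""
    k1, k2 = 0x3C, 0xA7
    plaintexts = [0x0000, 0x1234, 0xBEEF]
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    candidates, work = mitm_recover(pairs)
    return (k1, k2) in candidates, len(candidates), work


if __name__ == "__main__":
    print(demo())
```

The true key is always among the candidates, since it satisfies every pair; the extra pairs are what remove the accidental matches of the first one. This is exactly the weakness that makes double encryption with independent keys worth only one key's length plus a memory cost, and it is the same matching idea that the later, three-part variant refines with a precomputed distinguisher table.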

 In this paper, we put forward meet-in-the-middle attacks on Piccolo-80 up to 13 rounds and Piccolo-128 up to 17 rounds, both starting from round 0 and including the pre-whitening layer. For Piccolo-80, we append three rounds before and five rounds after the 5-round distinguisher proposed in [6]. Based on this attack path, we attack 13 rounds of Piccolo-80 with \(2^{44}\) chosen plaintexts, \(2^{67.39}\) encryptions and \(2^{64.91}\) blocks. For Piccolo-128, we add three rounds before and seven rounds after the 7-round distinguisher constructed in [6]. On this basis, we attack 17 rounds of Piccolo-128 with \(2^{44}\) chosen plaintexts, \(2^{126}\) encryptions and \(2^{125.49}\) blocks. Our results are the best ones when Piccolo is considered from the first round including the pre-whitening layer. In our attacks, we shift the pre-whitening keys from round 0 to round 1, and apply the linear relations among the round subkeys and the diffusion property of the linear operation, which reduces the complexity. Table 1 lists all results on Piccolo in the single-key scenario except some results on biclique cryptanalysis. Results not marked with ‡ concern variants of Piccolo that start from a middle round.

 From Table 1 we observe the following. First, the attacks in [2] require the full codebook, which is impractical. Second, the attacks in [5,6] target reduced versions of Piccolo-80/128 that neither start from round 0 nor consider the pre-whitening keys. Third, for the same reduced version of Piccolo-80 as ours, [4] only attacks 12 rounds, while we attack 13 rounds. They also attacked 13 rounds of Piccolo-80 not including the pre-whitening layer and 15 rounds of Piccolo-128 including the post-whitening keys. Were they to extend their impossible differential cryptanalysis to 13 rounds of Piccolo-80 including the pre-whitening keys, they could not fully apply the linear relations among the round subkeys and the early-abort technique. Therefore, our attacks are the currently best known attacks on Piccolo-80/128 from round 0 with the pre-whitening keys. These reduced versions keep the structure of the original Piccolo, so our results show the weakness of the original Piccolo to some extent.

Table 1. Results on Piccolo-80/128 in the single key scenario not including biclique cryptanalysis

 This paper is organized as follows. In Section 2, we introduce the notations and the Piccolo block cipher. In Sections 3 and 4, we put forward meet-in-the-middle attacks on 13 rounds of Piccolo-80 and 17 rounds of Piccolo-128, respectively. In Section 5, we summarize our results.

2. Preliminaries

2.1 Notations

• \(P\) and \(C\) denote the plaintext and ciphertext, respectively.

• \(W \| V\) denotes the concatenation of \(W\) and \(V\).

• \(K_l\) denotes the \(l\)-th 16-bit word of \(K\).

• \(rk_i \| rk_{i+1}\) denotes 32 bits of key in round \(i\).

• \(wk_0 \| wk_1\) and \(wk_2 \| wk_3\) denote the pre-whitening and post-whitening keys, respectively.

• \(X_j\) denotes the 64-bit input of the \(j\)-th round.

• \(Y_i\) denotes the 64-bit state after the \(F\)-function and the key addition in the \(i\)-th round.

• \(X_i[l]\) denotes the \(l\)-th nibble of \(X_i\) for \(0 \leq l < 16\).

• \(X_i[s:t]\) denotes nibbles \(s\) through \(t\) of \(X_i\) for \(s < t\).

• \(X_i[s,t]\) denotes the \(s\)-th and \(t\)-th nibbles of \(X_i\).

• \(\Delta X_i\) and \(\Delta X_i[j]\) denote the differences of the state \(X_i\) and of the nibble \(X_i[j]\), respectively.

• \(X_i^j\) denotes the \(j\)-th value of \(X_i\) in the \(i\)-th round.

2.2 Piccolo

 The Piccolo block cipher adopts a GFN structure with a 64-bit block. It supports two key lengths, each with its own number of rounds: Piccolo-80 has an 80-bit key and 25 rounds, and Piccolo-128 has a 128-bit key and 31 rounds. Each round consists of two Feistel networks, each including an \(F\)-function and a key addition. In addition, the designers added pre-whitening and post-whitening layers at the beginning and at the end of the cipher to improve its security. The encryption procedure is shown in Fig. 1 and written out below.

The Encryption Procedure.

• \(P = X_0 = x_0 \| x_1 \| x_2 \| x_3\),

• \(x_0 = x_0 \oplus wk_0,\ x_2 = x_2 \oplus wk_1\),

• For \(i = 0\) to \(r-2\), do

 —  \(y_0 = x_0,\ y_1 = x_1 \oplus F(x_0) \oplus rk_{2i}\),

 —  \(y_2 = x_2,\ y_3 = x_3 \oplus F(x_2) \oplus rk_{2i+1}\),

 —  \(x_0 \| x_1 \| x_2 \| x_3 = RP(y_0 \| y_1 \| y_2 \| y_3)\)

• end

• \(y_0 = x_0 \oplus wk_2,\ y_1 = x_1 \oplus F(x_0) \oplus rk_{2r-2}\),

• \(y_2 = x_2 \oplus wk_3,\ y_3 = x_3 \oplus F(x_2) \oplus rk_{2r-1}\).

 Here, the \(F\)-function consists of two 4 × 4-bit S-box layers and a diffusion matrix \(M\), as shown in Fig. 1. Both S-box layers use the same S-box, and the matrix \(M\) operates over the finite field \(GF(2^4)\) as follows:

\(\left(z_{0}, z_{1}, z_{2}, z_{3}\right)^{t}=M \bullet\left(z_{0}, z_{1}, z_{2}, z_{3}\right)^{t}\) ,

 

Fig. 1. Structure of Piccolo

 

 The round permutation \(RP\), which operates on the 64-bit state as eight bytes \(x_0, \ldots, x_7\) (so the \(x_i\) here are 8-bit values, unlike the 16-bit words of the procedure above), is defined as follows:

\(R P\left(x_{0}, x_{1}, \ldots, x_{7}\right)=\left(x_{2}, x_{7}, x_{4}, x_{1}, x_{6}, x_{3}, x_{0}, x_{5}\right)\)

 Key Schedule. For Piccolo-80, the 80-bit master key is divided into five 16-bit subkeys (\(k_0\), \(k_1\), \(k_2\), \(k_3\), \(k_4\)). For Piccolo-128, the 128-bit master key is divided into eight 16-bit subkeys (\(k_0\), \(k_1\), \(k_2\), \(k_3\), \(k_4\), \(k_5\), \(k_6\), \(k_7\)). The algorithms generating the whitening keys and the round subkeys can be found in [1].

 

3. Cryptanalysis of 13 Rounds of Piccolo-80 from the First Round

 We apply the 5-round meet-in-the-middle distinguisher proposed in [6] to attack 13 rounds of Piccolo-80 from round 0 including the pre-whitening keys, and we analyze the complexity of the attack.

 

Fig. 2. The 5 Rounds of Meet-in-the-middle Distinguisher for Piccolo-80

 

Fig. 3. The diffusion property of \(M\)

 

 Proposition 1: [6] Encrypt a \(\delta\)-set \(\{P^0, P^1, \ldots, P^j\}\) through 5-round Piccolo, where \(P^i = X_0^i[5,14,15] \| X_0[0, \ldots, 4] \| X_0[6, \ldots, 13]\) \((0 \leq i \leq j)\). The three nibbles \(X_0^i[5,14,15]\) take all possible values and the remaining nibbles are constants. Then the ordered sequence \(X_5^0[6:7] \oplus X_5^1[6:7], X_5^0[6:7] \oplus X_5^2[6:7], \ldots, X_5^0[6:7] \oplus X_5^j[6:7]\) is fully determined by the variables \(X_1^0[0:3], X_2^0[0:3], X_2^0[8:11]\) and \(X_3^0[8:11]\). Fig. 2 shows the detailed structure.

 Lemma 1: [5,6] If the input difference of the linear operation \(M\) has three active nibbles and its output difference has two active nibbles, as shown in Fig. 3, then by enumerating all possible values we find that the number of such differences is 15.
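The encryption procedure of Section 2.2 and the enumeration behind Lemma 1, as an added Python example; this is neither the paper's code nor the designers' reference implementation. The S-box, the matrix \(M\) and the field polynomial \(x^4 + x + 1\) are taken from the Piccolo specification [1], which this page only references, and because the key schedule is likewise only referenced, the whitening and round keys are supplied by the caller and the sample key values are constructed. The nibble/byte ordering (position 0 most significant) is an assumed convention matching the left-to-right notation \(X_i[0..15]\). The enumeration goes beyond the single pattern of Fig. 3: it counts the differences for every choice of three active input nibbles and two active output nibbles, and each of the 24 patterns yields the 15 of Lemma 1.

```python
# Added example, not the paper's code and not the Piccolo reference code.
# S-box, matrix M and the field polynomial x^4 + x + 1 are from the Piccolo
# specification [1]; the key schedule is not on this page, so whitening keys
# and round keys are passed in.  Assumed convention: nibble 0 / byte 0 of a
# value is its most significant one, matching the left-to-right X_i[0..15].
import itertools

SBOX = [0xe, 0x4, 0xb, 0x2, 0x3, 0x8, 0x0, 0x9,
        0x1, 0xa, 0x7, 0xf, 0x6, 0xc, 0x5, 0xd]
M = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
RP_PERM = [2, 7, 4, 1, 6, 3, 0, 5]   # RP(x0..x7) = (x2,x7,x4,x1,x6,x3,x0,x5)

def gf16_mul(a, b):
    """Multiplication in GF(2^4) modulo x^4 + x + 1 (0x13)."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= 0x13
    return r & 0xF

MUL = [[gf16_mul(a, b) for b in range(16)] for a in range(16)]

def apply_m(z):
    """M * (z0, z1, z2, z3)^t on a list of four nibbles."""
    return [MUL[M[i][0]][z[0]] ^ MUL[M[i][1]][z[1]]
            ^ MUL[M[i][2]][z[2]] ^ MUL[M[i][3]][z[3]] for i in range(4)]

def F(x):
    """Piccolo F-function on a 16-bit word: S-box layer, M, S-box layer."""
    z = apply_m([SBOX[(x >> (12 - 4 * i)) & 0xF] for i in range(4)])
    z = [SBOX[n] for n in z]
    return (z[0] << 12) | (z[1] << 8) | (z[2] << 4) | z[3]

def rp(state, inverse=False):
    """Round permutation RP (or its inverse) on the 64-bit state as 8 bytes."""
    b = [(state >> (56 - 8 * i)) & 0xFF for i in range(8)]
    out = [0] * 8
    for i in range(8):
        if inverse:
            out[RP_PERM[i]] = b[i]
        else:
            out[i] = b[RP_PERM[i]]
    return int.from_bytes(bytes(out), "big")

def _words(state):
    return [(state >> (48 - 16 * i)) & 0xFFFF for i in range(4)]

def _join(x):
    return (x[0] << 48) | (x[1] << 32) | (x[2] << 16) | x[3]

def encrypt(plaintext, wk, rk):
    """Encryption procedure of Section 2.2 with r = len(rk) // 2 rounds."""
    r = len(rk) // 2
    x = _words(plaintext)
    x[0] ^= wk[0]
    x[2] ^= wk[1]                                     # pre-whitening
    for i in range(r - 1):                            # rounds 0 .. r-2
        y = [x[0], x[1] ^ F(x[0]) ^ rk[2 * i],
             x[2], x[3] ^ F(x[2]) ^ rk[2 * i + 1]]
        x = _words(rp(_join(y)))
    y = [x[0] ^ wk[2], x[1] ^ F(x[0]) ^ rk[2 * r - 2],   # last round: no RP,
         x[2] ^ wk[3], x[3] ^ F(x[2]) ^ rk[2 * r - 1]]   # post-whitening
    return _join(y)

def decrypt(ciphertext, wk, rk):
    """Inverse of encrypt: undo the last round, then the RP rounds backwards."""
    r = len(rk) // 2
    y = _words(ciphertext)
    x = [y[0] ^ wk[2], 0, y[2] ^ wk[3], 0]
    x[1] = y[1] ^ F(x[0]) ^ rk[2 * r - 2]
    x[3] = y[3] ^ F(x[2]) ^ rk[2 * r - 1]
    for i in reversed(range(r - 1)):
        y = _words(rp(_join(x), inverse=True))
        x = [y[0], y[1] ^ F(y[0]) ^ rk[2 * i],
             y[2], y[3] ^ F(y[2]) ^ rk[2 * i + 1]]
    x[0] ^= wk[0]
    x[2] ^= wk[1]
    return _join(x)

def count_m_transitions(in_active, out_active):
    """Lemma 1: differences active exactly on the input nibble positions
    in_active whose image M*delta is active exactly on out_active."""
    count = 0
    for vals in itertools.product(range(1, 16), repeat=len(in_active)):
        delta = [0, 0, 0, 0]
        for pos, v in zip(in_active, vals):
            delta[pos] = v
        out = apply_m(delta)
        if {i for i in range(4) if out[i]} == set(out_active):
            count += 1
    return count

def lemma1_all_patterns():
    """Counts for every choice of 3 active input and 2 active output nibbles."""
    return {(ins, outs): count_m_transitions(ins, outs)
            for ins in itertools.combinations(range(4), 3)
            for outs in itertools.combinations(range(4), 2)}

# Constructed sample keys (the real schedule is in [1]); 25 rounds as Piccolo-80.
SAMPLE_WK = (0x1234, 0x5678, 0x9abc, 0xdef0)
SAMPLE_RK = [(0x0F1E * i + 0x2D3C) & 0xFFFF for i in range(50)]

def roundtrip_ok(plaintext):
    c = encrypt(plaintext, SAMPLE_WK, SAMPLE_RK)
    return decrypt(c, SAMPLE_WK, SAMPLE_RK) == plaintext

if __name__ == "__main__":
    print(hex(encrypt(0x0123456789abcdef, SAMPLE_WK, SAMPLE_RK)))
    print(count_m_transitions((0, 1, 2), (0, 1)))
```

Because \(M\) is linear, an input difference propagates as \(M \cdot \Delta\) regardless of the actual values, which is why the count of Lemma 1 can be obtained by enumerating the \(15^3\) inputs active on three positions and keeping those whose image is zero on the two remaining positions. The `rp` helper handles both directions of the byte permutation so that `decrypt` can walk the rounds backwards; the round-trip check is what confirms that the procedure above has been transcribed consistently.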

 As in [6], \(j = 15\). Thus there are \(2^{4 \times 16} = 2^{64}\) ordered sequences, while in theory there are \(2^{15 \times 8} = 2^{120}\) possible ones. Using this 5-round distinguisher, 13 rounds of Piccolo-80, from round 0 to round 12 including the pre-whitening keys, can be attacked. In our attack, we shift \(rk_0\) and \(rk_1\) from round 0 to round 1 to decrease the data complexity, see Fig. 4. Our attack relies on Lemma 1 and the linear relations among the round subkeys. The attack procedure is as follows.

 • The pre-processing phase. According to Proposition 1, we build a precomputation table \(H\) to preserve \(2^{64}\) ordered sequences.

 • The online phase.

 1. Choose a plaintext \(P^0\). By guessing the pre-whitening keys \(wk_0\) and \(wk_1\), we compute the value of \(X_1^0\). Next, guess the value of \((rk_0^L \| rk_1^R, rk_1^L \| rk_0^R, rk_2^R, rk_3^L)\) and calculate \(Y_1^0[0:3] \| Y_1^0[6:7] \| Y_1^0[12,13]\). Therefore, we know the value of \(X_2^0[8:13]\). Because \(X_3^0[4,5,14,15] = Y_2^0[8:11] = X_2^0[8:11]\), we obtain the value of \(X_3^0[4,5,14,15]\).

 2. According to the 15 differences of Lemma 1, we obtain \(\Delta X_3^i \triangleq X_3^0 \oplus X_3^i\) \((1 \leq i \leq 15)\), where the three nibbles \(\Delta X_3^i[5,14,15]\) are non-zero and the other nibbles are zero. So the values \(X_3^i[4,5,14,15] = X_2^i[8:11]\) \((1 \leq i \leq 15)\) can be computed. Next, the values \(\Delta X_2^i \triangleq X_2^0 \oplus X_2^i\) and \(\Delta Y_1^i \triangleq Y_1^i \oplus Y_1^0\) \((1 \leq i \leq 15)\) can be calculated, too.

 3. Since \(Y_1^0[0:3]\) and \(\Delta Y_1^i\) \((1 \leq i \leq 15)\) are known, the value of \(\Delta X_1^i \triangleq X_1^i \oplus X_1^0\) \((1 \leq i \leq 15)\) can be computed. So \(\Delta Y_0^i \triangleq Y_0^i \oplus Y_0^0\) and \(\Delta X_0^i\) \((1 \leq i \leq 15)\) are also known.

 4. The other 15 plaintexts \(P^1, P^2, \ldots, P^{15}\) are derived from the values \(\Delta X_0^i\) \((1 \leq i \leq 15)\) and \(P^0\).

 5. Ask for the corresponding ciphertexts \(C^{0}, C^{1}, \ldots, C^{15}\).

 6. Guess the subkeys \(rk_{24}, rk_{25}, rk_{22}, rk_{23}, rk_{20}, rk_{21}\). Then we decrypt the ciphertexts \(C^0, C^1, \ldots, C^{15}\) to get the values of \(X_{10}^i\) (i.e., \(Y_9^i\)) \((1 \leq i \leq 15)\).

 7. Next, guess the values of \(rk_{18}^R\) and \(rk_{19}^L\). Then we compute the values of \(X_9^i[6,7,10,11,12,13]\) \((1 \leq i \leq 15)\). Thus the values \(Y_8^i[0:3] \| Y_8^i[6,7]\) \((1 \leq i \leq 15)\) are known. Finally, the ordered sequence \(X_8^0[6:7] \oplus X_8^1[6:7], X_8^0[6:7] \oplus X_8^2[6:7], \ldots, X_8^0[6:7] \oplus X_8^j[6:7]\) can be calculated.

 8. We verify whether the ordered sequence is in the precomputation table \(H\) or not.

Fig. 4. The attacking path of 13 rounds of Piccolo-80 from the first round with pre-whitening key

 During this attack, the subkeys \(wk_0, wk_1, rk_0, rk_1, rk_2^R, rk_3^L, rk_{18}^R, rk_{19}^L, rk_{20}, rk_{21}, rk_{22}, rk_{23}, rk_{24}, rk_{25}\) are guessed. By the key schedule, we find that these subkeys depend on \(k_0, k_1, k_2, k_3\), i.e., \(2^{64}\) keys. Thus we expect that only \(2^{64-(120-64)} = 2^8\) round subkey candidates remain after step 8. Finally, we retrieve the master key with two plaintext-ciphertext pairs.

 The memory complexity is determined by the size of \(H\), which consists of \(2^{64}\) ordered sequences of 120 bits. Hence, the memory complexity is \(2^{64} \times 120/64 \approx 2^{64.91}\) 64-bit blocks. As depicted in Fig. 4, we have \(2^{28}\) states in \(X_1\) and decrypt these states to obtain the corresponding plaintexts. It is worth noting that \(P_0[12:15]\) is computed by decrypting \(Y_0[8:11]\) without any key being involved. Hence, the number of values of \(P_0[12:15]\) equals the number of values of \(Y_0[8:11]\); in other words, \(P_0[12:15]\) takes only \(2^8\) states. Finally, the data complexity is \(2^{12} \times 2^{16} \times 2^{8} \times 2^{8} = 2^{44}\) chosen plaintexts. The time complexity of the pre-processing phase is about \(2^{64} \times 16 \times 4/(2 \times 13) \approx 2^{65.3}\), and the time complexity of the online phase is about \(2^{64} \times 16 \times (4+9)/(2 \times 13) + 2 \times 2^{64-(120-64)} \times 2^{16} = 2^{67} + 2^{25}\). In total, the time complexity is \(2^{65.3} + 2^{67.1} + 2^{25} \approx 2^{67.39}\) 13-round Piccolo-80 encryptions.

 

4. Cryptanalysis of 17 Rounds of Piccolo-128 from the First Round

 Similarly, we use the 7-round distinguisher proposed in [6] to attack 17 rounds of Piccolo-128, from round 0 to round 16, including the pre-whitening keys. The authors of [6] constructed the 7-round distinguisher as follows; Fig. 5 depicts it in detail.

 Proposition 2: [6] Encrypt the \(\delta\)-set \(\{P^0, P^1, \ldots, P^j\}\) through 7-round Piccolo, where \(P^i = X_0^i[5,14,15] \| X_0^i[0, \ldots, 4] \| X_0^i[6, \ldots, 13]\) \((0 \leq i \leq j)\). The three nibbles \(X_0^i[5,14,15]\) \((0 \leq i \leq j)\) take all possible values and the other nibbles are constants. Then the ordered sequence \(X_7^0[5:7] \oplus X_7^1[5:7], X_7^0[5:7] \oplus X_7^2[5:7], \ldots, X_7^0[5:7] \oplus X_7^j[5:7]\) is fully determined by the parameters \(X_1^0[0:3], X_2^0[0:3], X_2^0[8:11], X_3^0[0:3], X_3^0[8:11], X_4^0[0:3], X_4^0[8:11]\) and \(X_5^0[8:11]\).

 Similarly, \(j = 15\). We thus obtain \(2^{8 \times 16} = 2^{128}\) 180-bit ordered sequences, while in theory there are \(2^{15 \times 12} = 2^{180}\) possible ones.

 Based on the 7-round distinguisher above, we attack Piccolo-128 from round 0 to round 16 including the pre-whitening keys. As in Section 3, \(rk_0\) and \(rk_1\) are equivalently shifted from round 0 to round 1. Fig. 6 shows the attacking path. The attack consists of a preprocessing phase and an online phase. In the preprocessing phase, we construct a precomputation table \(H'\) that stores the ordered sequences \(X_{10}^0[5:7] \oplus X_{10}^1[5:7], X_{10}^0[5:7] \oplus X_{10}^2[5:7], \ldots, X_{10}^0[5:7] \oplus X_{10}^{15}[5:7]\). In the online phase, we select some plaintext-ciphertext pairs, encrypt or decrypt them, and check whether they match an entry of \(H'\). The procedure is as follows.

 • The preprocessing phase. According to Proposition 2, we build a hash table \(H'\) to store all \(2^{128}\) 180-bit ordered sequences.

 • The online phase.

 1. Take one plaintext \(P^0\).

 2. Guess the round subkeys \(wk_0, wk_1, rk_0, rk_1, rk_2^R\) and \(rk_3^L\) to obtain a \(\delta\)-set \(P^0, P^1, \ldots, P^{15}\).

 3. Encrypt these plaintexts to get the corresponding ciphertexts \(C^{0}, C^{1}, \ldots, C^{15}.\)

 4. Guess the round keys \(rk_{22}^R, rk_{23}^L, rk_{24}, rk_{25}, \ldots, rk_{30}, rk_{31}, rk_{32}\) and \(rk_{33}\). Decrypt the ciphertexts to calculate the ordered sequence \(X_{10}^0[5:7] \oplus X_{10}^1[5:7], X_{10}^0[5:7] \oplus X_{10}^2[5:7], \ldots, X_{10}^0[5:7] \oplus X_{10}^{15}[5:7]\).

 5. Finally, check whether the ordered sequence belongs to the table \(H'\).

 By the key schedule, we find that \(wk_0, wk_1, rk_0, rk_1, rk_2^R, rk_3^L, rk_{22}^R, rk_{23}^L, rk_{24}, rk_{25}, \ldots, rk_{30}, rk_{31}, rk_{32}\) and \(rk_{33}\) are determined by seven and a half 16-bit subkeys, namely \(k_0, k_1, k_2, k_3, k_4^R, k_5, k_6\) and \(k_7\). The detailed relations are given in Table 2.

 

Fig. 5. The 7 Rounds of Distinguisher of Piccolo-128

 

Fig. 6. The attacking path of 17 rounds of Piccolo-128 from the first round with the pre-whitening keys

 We estimate the memory complexity as \(2^{8 \times 16} \times (15 \times 12)/64 \approx 2^{129.49}\) blocks. To decrease it, we employ a time-memory trade-off with factor \(\alpha = 2^4\), so the memory complexity is reduced to \(2^{125.49}\) blocks. The time complexity of the preprocessing phase is about \(2^{128-4} \times 16 \times 8/(2 \times 17) \approx 2^{123.5}\). To reduce the time complexity of the online phase, we compute the intermediate states step by step. By guessing the values of \(k_2, k_3, k_4^R\) and \(k_5^L\), we determine the \(\delta\)-set, which requires about \(2^{48} \times 16 \times 4/(2 \times 17) \approx 2^{48.91}\) encryptions. Then we decrypt round 16 by guessing \(k_7\), which requires about \(2^{48+16} \times 16 \times 2/(2 \times 17) \approx 2^{63.91}\). Next, by guessing \(k_0\) and \(k_1\), we decrypt rounds 14 and 15, which requires about \(2^{64+32} \times 16 \times 4/(2 \times 17) \approx 2^{96.91}\). Fourth, by guessing \(k_6\) and \(k_5^R\), we calculate the ordered sequence, which needs \(2^{96+24} \times 16 \times 7/(2 \times 17) \approx 2^{121.72}\) encryptions. In all, the time complexity of the online phase is about \(2^{48.91} + 2^{63.91} + 2^{96.91} + 2^{121.72} \approx 2^{121.72}\). Since we use the time-memory trade-off with factor \(\alpha = 2^4\), the time complexity of our attack is about \(2^{125.72}\). To retrieve the master key, we use two plaintext-ciphertext pairs to verify whether it is correct, which requires \(2 \times 2^{120} \times 2^{128-180} \times 2^{8} = 2^{77}\) encryptions. Finally, the time complexity is \(2^{123.5} + 2^{125.72} + 2^{77} \approx 2^{126}\) encryptions in total. In addition, this attack requires \(2^{44}\) chosen plaintexts.

Table 2. Relations between Subkeys and Master Key for Piccolo-128

 

5. Conclusion

 This paper first studies the diffusion properties of the linear operations \(M\) and \(RP\) and the linear relations among the round subkeys. Then, we apply the 5-round and 7-round distinguishers proposed in [6] to attack Piccolo-80 up to 13 rounds and Piccolo-128 up to 17 rounds, respectively. Their data complexities are the same, i.e., \(2^{44}\) chosen plaintexts, but their time and memory complexities differ: the adversary requires \(2^{67.39}\) encryptions and \(2^{64.91}\) blocks to attack 13 rounds of Piccolo-80, and \(2^{126}\) encryptions and \(2^{125.49}\) blocks to attack 17 rounds of Piccolo-128. These results show the vulnerability of the original Piccolo-80/128.

References

  1. Kyoji Shibutani, Takanori Isobe, Harunaga Hiwatari, Atsushi Mitsuda, Toru Akishita and Taizo Shirai, "Piccolo: An Ultra-Lightweight Blockcipher," in Proc. of 13th Cryptographic Hardware and Embedded Systems, pp. 342-357, September 28 - October 1, 2011.
  2. Takanori Isobe and Kyoji Shibutani, "Security Analysis of the Lightweight Block Ciphers XTEA, LED and Piccolo," in Proc. of 17th Australasian Conference on Information Security and Privacy, pp. 71-86, July 9-11, 2012.
  3. Marine Minier, "On the Security of Piccolo Lightweight Block Cipher against Related Key Impossible Differentials," in Proc. of 14th International Conference on Cryptology in India, pp. 308-318, December 7-10, 2013.
  4. Seyyed Arash Azimi, Zahra Ahmadian, Javad Mohajeri and Mohammad Reza Aref, "Impossible Differential Cryptanalysis of Piccolo Lightweight Block Cipher," in Proc. of 11th International ISC Conference on Information Security and Cryptology, pp. 3-20, September 15-18, 2014.
  5. Mohamed Tolba, Ahmed Abdelkhalek and Amr M Youssef, "Meet-in-the-Middle Attacks on Reduced Round Piccolo," in Proc. of 4th International Workshop on Lightweight Cryptography for Security & Privacy, pp. 3-20, September 10-11, 2015.
  6. Ya Liu, Liang Cheng, Zhiqiang Liu, Wei Li, Qingju Wang and Dawu Gu, "Improved Meet-in-the-Middle Attacks on Reduced-Round Piccolo," SCIENCE CHINA Information Science, vol. 61, no. 3, pp. 321-329, 2017.
  7. JiaLin Huang and XueJia Lai, "What is the effective key length for a block cipher: an attack on every practical block cipher," SCIENCE CHINA Information Science, vol. 57, no. 7, pp. 1-11, 2014.
  8. Kitae Jeong, Hyungchul Kang, Changhoon Lee, Jaechul Sung and Seokhie Hong, "Biclique Cryptanalysis of Lightweight Block Ciphers PRESENT, Piccolo and LED," IACR Cryptology ePrint Archive, vol. 2012, pp. 621-648, 2012.
  9. Yanfeng Wang, Wenling Wu and Xiaoli Yu, "Biclique Cryptanalysis of Reduced-Round Piccolo Block Cipher," in Proc. of 10th Information Security Practice and Experience Conference, pp. 337-352, 2012.
  10. Siavash Ahmadi, Zahra Ahmadian, Javad Mohajeri, and Mohammad Reza Aref, "Low-Data Complexity Biclique Cryptanalysis of Block Ciphers With Application to Piccolo and HIGHT," IEEE Trans. Information Forensics and Security, vol. 9, no. 10, pp. 1641-1652, 2014. https://doi.org/10.1109/TIFS.2014.2344445
  11. Kitae Jeong, "Cryptanalysis of block cipher Piccolo suitable for cloud computing," The Journal of Supercomputing, vol. 66, no.2, pp. 829-840, 2013. https://doi.org/10.1007/s11227-013-0902-2
  12. Junghwan Song, Kwanhyung Lee and Hwanjin Lee, "Biclique Cryptanalysis on Lightweight Block Cipher: HIGHT and Piccolo," International Journal of Computer Mathematics, vol. 90, no. 12, pp. 2564-2580, 2013. https://doi.org/10.1080/00207160.2013.767445
  13. Zheng Gong, Shusheng Liu, Yamin Wen, Yiyuan Luo and Weidong Qiu, "Biclique cryptanalysis using balanced complete bipartite subgraphs," SCIENCE CHINA Information Sciences, vol. 59, no. 4, pp. 1-3, 2016.
  14. Yu Sasaki and Kazumaro Aoki, "Finding preimages in full MD5 faster than exhaustive search," in Proc. of EUROCRYPT 2009, pp. 134-152, April 26-30, 2009.
  15. Kazumaro Aoki and Yu Sasaki, "Preimage attacks on one-block MD4, 63-step MD5 and more," in Proc. of 15th International Workshop SAC, pp. 103-119, August 14-15, 2008.
  16. Huseyin Demirci and Ali Aydin Selcuk, "A Meet-in-the-Middle Attack on 8-Round AES," in Proc. of 15th International Conference on Fast Software Encryption, pp. 116-126, February 10-13, 2008.
  17. Orr Dunkelman, Nathan Keller and Adi Shamir, "Improved Single-Key Attacks on 8-Round AES-192 and AES-256," in Proc. of ASIACRYPT 2010, pp. 158-176, December 5-9, 2010.
  18. Patrick Derbez, Pierre-Alain Fouque and Jeremy Jean, "Improved Key Recovery Attacks on Reduced-Round AES in the Single-Key Setting," in Proc. of EUROCRYPT 2013, pp. 371-387, May 26-30, 2013.
  19. Leibo Li, Keting Jia and Xiaoyun Wang, "Improved Single-Key Attacks on 9-Round AES-192/256," in Proc. of 21st International Conference on Fast Software Encryption, pp. 127-146, March 3-5, 2014.
  20. Jian Guo, Jeremy Jean, Ivica Nikolic and Yu Sasaki, "Meet-in-the-Middle Attacks on Generic Feistel Constructions," in Proc. of Asiacrypt 2014, pp. 458-477, December 7-11, 2014.
  21. Jian Guo, Jeremy Jean, Ivica Nikolic and Yu Sasaki, "Extended meet-in-the-middle attacks on some Feistel constructions," Designs Codes & Cryptography, vol. 80, no. 3, pp. 587-618, 2016. https://doi.org/10.1007/s10623-015-0120-4
  22. Jian Guo, Jeremy Jean, Ivica Nikolic and Yu Sasaki, "Meet-in-the-Middle Attacks on Classes of Contracting and Expanding Feistel Constructions," IACR Transactions on Symmetric Cryptology, vol. 2016, no. 2, pp. 307-377, 2017.