Improved Biclique Cryptanalysis of the Lightweight Block Cipher Piccolo

Home , Biclique attack

Hindawi Security and Communication Networks Volume 2017, Article ID 7589306, 12 pages https://doi.org/10.1155/2017/7589306

Research Article Improved Biclique Cryptanalysis of the Lightweight Block Cipher Piccolo

Guoyong Han1,2 and Wenying Zhang1

1 School of Information Science and Engineering, Shandong Normal University, Jinan, China 2School of Management Engineering, Shandong Jianzhu University, Jinan, China

Correspondence should be addressed to Wenying Zhang; [email protected]

Received 6 June 2016; Accepted 12 February 2017; Published 2 March 2017

Academic Editor: Nidal Nasser

Copyright © 2017 Guoyong Han and Wenying Zhang. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Biclique cryptanalysis is a typical attack through finding a biclique which is a type of bipartite diagram to reduce the computational complexity. By investigating the subkey distribution and the encryption structure, we find out a weakness in the key schedule of Piccolo-80. A 6-round biclique is constructed for Piccolo-80 and a 7-round biclique for Piccolo-128. Then a full round biclique 40 24 cryptanalysis of Piccolo is presented. The results of the attacks are with data complexity of 2 and 2 chosen ciphertexts and with 79.22 127.14 computational complexity of 2 and 2 , respectively. They are superior to other known results of biclique cryptanalytic on Piccolo.

1. Introduction blockcipher,anditsexceptionalpropertyisonlyaminimal data complexity. In recent years, many varieties emerged, for In ASIACRYPT 2011, Bogdanov et al. proposed a biclique example, 3-subset MITM [12]. Many methods carry out the on recovering the keys of the full AES-128/192/256 [1], preimage attack to the hash function [13] and they consist which is a type of meet-in-the-middle attack and the recent of spice-and-cut frame and partial matching and so forth. cryptanalysis technique of block ciphers. In [1], they gave Using the key expansion algorithm, opponent can construct a two techniques by constructing bicliques for AES. One is the structure and pick out wrong keys through partial matching, independent related-key differentials biclique and the other is which is the important idea of the method. the long biclique. Soon after the paper was published, a great Piccolo is a 64-bit block cipher. In accordance with deal of cryptanalytical results on the other block ciphers were the different length of the key, we signify the ciphers by suggested. Piccolo-80/128, respectively [14]. In ISPEC 2012, Wang et The crucial issue of the technology is to construct a supe- al. presented a biclique attack on reduced round Piccolo 48 rior biclique structure at the ciphertext (or plaintext). In a [2]. They attacked a 25-round Piccolo-80 with 2 chosen 𝑑 78.95 biclique, one top set comprises 2 1 ciphertexts (or plaintexts) plaintexts and 2 computations. In the case of a 28- 𝑑 24 while the other set is composed of 2 2 intermediate states. If round Piccolo-128, this attack required 2 chosen plaintexts 126.79 𝑑1 =𝑑2 =𝑑, the biclique structure is called a d-dimension and 2 computations. However, the authors considered (𝑑=𝑑1 =𝑑2 =8in this paper). In some constrained Piccolo-80 without the postwhitening key and Piccolo-128 environments, for example, RFID tags or sensor nodes, the without the prewhitening key. In [5], Song et al. proposed sizeofthesecretkeyistypically64,80,or128bits.Alot a full round biclique cryptanalysis on Piccolo-80 demanding 48 79.34 of attacks on lightweight block cipher by using biclique have 2 chosen plaintexts and 2 computations and on Piccolo- 24 127.36 been published, such as Piccolo [2], IDEA [3], HIGHT [4, 5], 128 requiring 2 chosen plaintexts and 2 computations. LED [6], PRESENT [7, 8], TWINE [9, 10], and KLEIN [11]. In[15],wefindtwofaultswhicharedetailedinSection4.1 The meet-in-the-middle (MITM) attack is a represen- in this paper. Compared to these results, ours are superior to tative method which is used in the security evaluation of theirs. 2 Security and Communication Networks

Table 1: Summary of previous results of different method on Piccolo.

Piccolo-80 rounds Piccolo-128 rounds Method Reference 7 7 Differential Reference [14] 8 8 Linear Reference [14] 9 9 Boomerang Reference [14] 9 9 Impossible differential Reference [14] 14 21 MITM Reference [17] 19 23 MITM expectation Reference [14] 25 28 Biclique cryptanalysis Reference [2] 25 31 Biclique cryptanalysis This paper

Table 2: Summary of biclique cryptanalytic results on Piccolo.

Target algorithm Round Data Computations Attack type Reference 48 78.95 Piccolo-80 25 (without the postwhitening key) 2 2 Biclique Reference [2] 48 79.34 Piccolo-80 25 (full) 2 2 Biclique Reference [5] 40 79.22 Piccolo-80 25 (full) 2 2 Biclique Section 4.2 24 126.79 Piccolo-128 28 (without the prewhitening key) 2 2 Biclique Reference [2] 48 127.36 Piccolo-128 31 (full) 2 2 Biclique Reference [5] 24 127.14 Piccolo-128 31 (full) 2 2 Biclique Section 4.3 8 127.30 Piccolo-128 31 (full) 2 2 Biclique Section 4.4

In this paper, we detect a weakness in the key schedule WK𝑖: the 16-bit whitening key (0≤𝑖≤3). on Piccolo-80; that is, the round key rk47 can offset the post- rk𝑖:the16-bitroundkey(0≤𝑖≤49for Piccolo-80, whitening key partially. Based on this, the data complexity 0≤𝑖≤61for Piccolo-128). can be decreased greatly. We apply some observations on 80 Piccolo in [16] and construct an independent related-key con𝑖 : a 16-bit round constant. differentials biclique for the last several rounds. Then an8- 𝑎(𝑏): 𝑏 denoting the bit length of 𝑎. dimensional biclique structure of 6 rounds is constructed 𝑃: 64-bit plaintext, 𝑃 including four 16-bit words for Piccolo-80 and an 8-dimensional biclique structure of 𝑃[𝑖] (0 ≤ 𝑖 ≤3). 7 rounds for Piccolo-128. The attacks are, respectively, with 40 24 𝐶 𝐶 data complexity of 2 and 2 ,andwithcomputational : 64-bit ciphertext, including four 16-bit words 79.22 127.14 𝐶[𝑖](0≤𝑖≤3). complexity of 2 and 2 , which are the best results 𝑟 currently. The attack results on Piccolo are summarized in 𝐹𝑖,𝑗(64): the 𝑖th and 𝑗th byte of the state after F- Tables 1 and 2. Function in 𝑟th round. Thestructureofthepaperisasfollows.Section2 describes the structures of Piccolo-80 and Piccolo-128. Sec- 2.2. Description of Piccolo. The structure of Piccolo is a tion 3 introduces briefly biclique cryptanalysis. Then, Sec- variation of generalized Feistel, as shown in Figure 1. Piccolo- tion 4 presents the cryptanalysis with an 8-dimensional 80/128 supports 80-bit and 128-bit key sizes along with 25 and biclique of 6 rounds on full round Piccolo-80 and with a 31 rounds, respectively. biclique structure of 7 rounds on full round Piccolo-128. The The detailed descriptions of Piccolo are in [14], and each data complexity and computational complexity on Piccolo-80 round of Piccolo consists of the following 3 steps: and Piccolo-128 are given, respectively. Finally, we draw our 16 16 conclusion in Section 5. (1) F-Function (FF), {0, 1} → {0, 1} being composed of two S-box layers and a diffusion matrix M. 2. Piccolo Specifications (2) AddRoundKey (AK), the 64-bit intermediate state XORs a round key. 2.1. Notations (3) RoundPermutation (RP), which splits a 64-bit input ⊕: bit-wise exclusive or (XOR). into eight bytes and then maps them. 𝑟:iterativerounds. 2.3. Key Schedule. The key schedule of Piccolo is straightfor- ‖ : concatenation. ward and simple. Firstly, the 80-bit master key of Piccolo- 𝐾[𝑖]:the𝑖th 16-bit group of the key 𝐾(0≤𝑖≤4for 80 is represented by concatenation of five 2 bytes; that is, Piccolo-80, 0≤𝑖≤7for Piccolo-128). 𝐾=𝐾[0]‖𝐾[1]‖𝐾[2]‖𝐾[3]‖𝐾[4],where𝐾[𝑗] = Security and Communication Networks 3

P[0](16) P[1](16) P[2](16) P[3](16) 3. Biclique Attack on Piccolo WK WK 0(16) 1(16) 3.1. Definition of Biclique. Biclique cryptanalysis is an attack Round 0 F rk0(16) F rk1(16) based on MITM. The major idea is to build bicliques on the target subcipher and promote the computational efficiency. The basic principles of the biclique attack are explained in [1]. −1 Round 1 F rk2(16) F rk3(16) Let 𝑓 be a several-round subcipher and 𝑓 is the inverse of 𝑑 𝑑 𝑓.The𝑓 maps 2 intermediate states {𝑆𝑗} to 2 ciphertexts {𝐶 } 22𝑑 {𝐾 } . . . . 𝑖 with keys [𝑖,𝑗] : . . . .

Round r−2 F rk2r−2 F rk2r−1 𝐾[0,0] 𝐾[0,1] ⋅⋅⋅ 𝐾[0,2𝑑−1] [ ] [ . . . ] 𝐾 = [ . . . ] . [𝑖,𝑗] [ . . d . ] (2) Round r−1 F rk2r F rk2r+1 WK WK 2(16) 3(16) [𝐾[2𝑑−1,0] 𝐾[2𝑑−1,1] ⋅⋅⋅ 𝐾[2𝑑−1,2𝑑−1]]

C[0](16) C[1](16) C[2](16) C[3](16)

Figure 1: The structure of Piccolo. The 3-tuple [{𝐶𝑖}, {𝑆𝑗}, {𝐾[𝑖,𝑗]}]isnamedabicliquewith d-dimension, if 𝐿 𝑅 (𝐾[𝑗] , 𝐾[𝑗] ). The whitening keys (WK0, WK1, WK2, WK3) and the subkey (rk2𝑖, rk2𝑖+1) of 25 rounds are engendered as 𝐶 =𝑓 (𝑠 )∀𝑖,𝑗∈{0, 1}𝑑 . follows: 𝑖 𝐾[𝑖,𝑗] 𝑗 (3) 𝐿 𝑅 𝐿 𝑅 WK0 = 𝐾[0] ‖𝐾[1] ,WK1 = 𝐾[1] ‖𝐾[0] ,WK2 𝐿 𝑅 𝐿 𝑅 = 𝐾[4] ‖𝐾[3] ,WK3 = 𝐾[3] ‖𝐾[4] . To avoid duplication, we do not explicate the detailed For 𝑖 =0to𝑟−1 attack basis but three stages of the attack are described in

(rk2𝑖, rk2𝑖+1) more detail.

80 80 =(con2𝑖 , con2𝑖+1) 3.2. Biclique Cryptanalysis of Piccolo-80 (1) {(𝐾 [2] ,𝐾[3]) , (𝑖 mod 5) ≡0or 2, { 3.2.1. Phase 1: Key Partitioning. For greater clarity, we divide ⊕ (𝐾 [0] ,𝐾[1]) , (𝑖 5) ≡1 4, 64 16 { mod or the key into 2 groups which have 2 keys. The 𝐾[0,0] { enumerates 64-bit keys and fixes 16-bit keys with16 0 .As {(𝐾 [4] ,𝐾[4]) , (𝑖 mod 5) ≡3. depicted in Section 2.3, each round has 32-bit subkey which is generated by master keys K[i]andK[j]. By investigating For Piccolo-128, the distribution of subkey is similar to 𝐾= the subkey distribution (Table 3), an 8-dimensional biclique that of Piccolo-80. The 128-bit master key is denoted by structure of 6 rounds is constructed by each right half of 𝐾[4] 𝐾[0] ‖ 𝐾[1] ‖ 𝐾[2] ‖ 𝐾[3] ‖ 𝐾[4] ‖ 𝐾[5] ‖𝐾[6] 𝑅 𝑅 𝑅 𝐾[7] 𝐾[𝑗] 𝐾[𝑗]𝐿,𝐾[𝑗]𝑅) and 𝐾[2],thatis,𝐾[4] and 𝐾[2] .Wefind𝐾[4] of the ,where =( . The whitening keys and 𝐾[4]𝑅 31-round subkey are computed as follows: round key rk47 can offset of the postwhitening key, so it can decrease the data complexity greatly. By calculation, the 𝐿 𝑅 𝐿 𝑅 WK0 = 𝐾[0] ‖𝐾[1] ,WK1 = 𝐾[1] ‖𝐾[0] ,WK2 computational complexity is optimal so far. 𝐿 𝑅 𝐿 𝑅 𝐾 ,𝐾 ,𝐾 𝐾 = 𝐾[4] ‖𝐾[7] ,WK3 = 𝐾[7] ‖𝐾[4] . The keys [0,0] [0,𝑗] [𝑖,0],and [𝑖,𝑗] of each group are depicted, as shown below: For 𝑖 =0to2𝑟 − 1

if ((i +2)mod8≡ 0), then 𝐾 = 𝑋𝑋, 𝑋𝑋, 𝑋𝐴, 𝑋𝑋,𝑋𝐴 , (𝐾[0] ‖ 𝐾[1] ‖ 𝐾[2] ‖ 𝐾[3] ‖𝐾[4] [0,0] [ ] 𝐾[5] ‖ 𝐾[6] ‖ 𝐾[7]) (𝐾[2] ‖ 𝐾[1] ‖ = 8 𝐾[6]‖𝐾[7]‖𝐾[0]‖𝐾[3]‖𝐾[4]‖𝐾[5]); where 𝑋∈{0, 1} , 𝐴 = 0𝑥00, 128 rk𝑖 =𝐾[(𝑖+2)mod 8] ⊕ con𝑖 . 𝐾[0,𝑗] =𝐾[0,0] ⊕ [00, 00, 0𝑗, 00, 00] , The specific subkeys of Piccolo-80/128 are illustrated in 8 Table 3. where 𝑗∈{0, 1} , 4 Security and Communication Networks

Table 3: Key schedule of Piccolo.

Piccolo-80 Piccolo-128 Round i Round key Master key Round i Round key Master key 𝐿 𝑅 𝐿 𝑅 𝐿 𝑅 𝐿 𝑅 Initial (WK0, WK1) (𝐾[0] ‖𝐾[1] ,𝐾[1] ‖𝐾[0] ) Initial (WK0, WK1) (𝐾[0] ‖𝐾[1] ,𝐾[1] ‖𝐾[0] )

0(rk0, rk1)(𝐾[2], 𝐾[3])0(rk0, rk1)(𝐾[2], 𝐾[3])

1(rk2, rk3)(𝐾[0], 𝐾[1])1(rk2, rk3)(𝐾[4], 𝐾[5])

2(rk4, rk5)(𝐾[2], 𝐾[3])2(rk4, rk5)(𝐾[6], 𝐾[7])

3(rk6, rk7)(𝐾[4], 𝐾[4])3(rk6, rk7)(𝐾[2], 𝐾[1])

4(rk8, rk9)(𝐾[0], 𝐾[1])4(rk8, rk9)(𝐾[6], 𝐾[7])

5(rk10, rk11)(𝐾[2], 𝐾[3])5(rk10, rk11)(𝐾[0], 𝐾[3])

6(rk12, rk13)(𝐾[0], 𝐾[1])6(rk12, rk13)(𝐾[4], 𝐾[5]) ......

18 (rk36, rk37)(𝐾[4], 𝐾[4])24(rk48, rk49)(𝐾[4], 𝐾[3])

19 (rk38, rk39)(𝐾[0], 𝐾[1])25(rk50, rk51)(𝐾[2], 𝐾[5])

20 (rk40, rk41)(𝐾[2], 𝐾[3])26(rk52, rk53)(𝐾[0], 𝐾[7])

21 (rk42, rk43)(𝐾[0], 𝐾[1])27(rk54, rk55)(𝐾[4], 𝐾[1])

22 (rk44, rk45)(𝐾[2], 𝐾[3])28(rk56, rk57)(𝐾[0], 𝐾[7])

23 (rk46, rk47)(𝐾[4], 𝐾[4])29(rk58, rk59)(𝐾[6], 𝐾[3])

24 (rk48, rk49)(𝐾[0], 𝐾[1])30(rk60, rk61)(𝐾[2], 𝐾[5]) 𝐿 𝑅 𝐿 𝑅 𝐿 𝑅 𝐿 𝑅 Final (WK2, WK3) (𝐾[4] ‖𝐾[3] ,𝐾[3] ‖𝐾[4] ) Final (WK2, WK3) (𝐾[4] ‖𝐾[7] ,𝐾[7] ‖𝐾[4] )

𝐾 =𝐾 ⊕ [00, 00, 00, 00, 0𝑖] , [𝑖,0] [0,0] Step 3. To get the corresponding states 𝑆𝑗,decrypt𝐶0 using 8 8 different keys 𝐾[0,𝑗] for 𝑗∈{0,1}(Figure 2(b)). The where 𝑖∈{0, 1} . differences between 𝐾[0,𝑗] and 𝐾[0,0] can bring about the gray (4) intermediate states’ differences. The gray intermediate states 8 Finally, need to be computed 2 −1times, whereas the remaining 𝐾 −1 [0,𝑗] 𝐾[𝑖,𝑗] =𝐾[0,0] ⊕𝐾[0,𝑗] ⊕𝐾[𝑖,0] states have been already computed. As a result, 𝑓 (𝐶0) 󳨀󳨀󳨀󳨀→ (5) (𝑆𝑗) has been constructed. =𝐾[0,0] ⊕ [00, 00, 0𝑗, 00, 0𝑖] . Thanks to the simplicity of the distribution of the subkey 𝐾 64 16 Thus, the space of is divided into 2 groups of 2 keys of Piccolo, the two differential paths do not share any active each. 𝐾[𝑖,𝑗] state. Fortunately, it is so easy to verify that 𝑓(𝑆𝑗) 󳨀󳨀󳨀→𝐶𝑖 is 8 3.2.2. Phase 2: 8-Dimensional Biclique Structure of 6 Rounds. always true for all 𝑖, 𝑗 ∈ {0, 1} .Uptonow,foreachkeygroup, We construct an 8-dimensional biclique structure of 6 rounds we get a corresponding 8-dimensional biclique structure as for Piccolo-80 with whitening keys for each group (Fig- discussed above. 8 8 ure 2). The biclique structure connects 2 ciphertexts to 2 From Figure 2, we find a weakness in the key schedule 𝑅 intermediate states in each group of keys. The process of of Piccolo-80; that is, 𝐾[4] of the round key rk47 can 𝑅 calculating the ciphertexts and intermediate states consists of offset 𝐾[4] ofthepostwhiteningkey.Soitcanreducethe the following 3 steps. data complexity greatly. The calculations of complexities are presented in Section 4.2. Step 1. Let 𝐶0 =0(64) and decrypt 𝐶0 for 6 rounds to obtain −1 𝑆0 (Figure 2(a)); that is, 𝑆0 = 𝑓 𝐾[0,0](𝐶0). The procedure is named basic calculation. 3.2.3. Phase 3: Meeting in the Middle over 19 Rounds. Choose 9 a16-bitinternalstate(𝑉=𝐹1,4)afterF-Function in round Step 2. In order to get the corresponding ciphertext 𝐶𝑖, 9, as the intermediate matching variable (see Figure 3). The 8 encrypt 𝑆0 using different keys 𝐾[𝑖,0] for 𝑖∈{0,1}(Fig- choice is made according to the total number of F-Function ure 2(c)). The differences between 𝐾[𝑖,0] and 𝐾[0,0] can lead and an effective filtering of the wrong keys. Next, we calculate to the gray intermediate states’ differences and cause the thesematchingvariatesinbothdirectionsinordertoobtain computational complexity. The gray intermediate states need theaccuratekey. 8 to be computed 2 −1times, whereas the remaining states are 𝑆 calculated just once because they have been already computed Backward Direction. Each value of the state 𝑗 is decrypted 𝐾[𝑖,0] ←󳨀󳨀 𝐾[0,𝑗] in Step 1. This step derives 𝑓(𝑆0) 󳨀󳨀󳨀→𝐶𝑖. under the key 𝐾[0,𝑗] to derive 𝑉0,𝑗 ←󳨀󳨀󳨀󳨀𝑆𝑗.Afterthat, Security and Communication Networks 5

S0 Sj S0

K[0]LK[0]R K[1]LK[1]R K[0]LK[0]R K[1]LK[1]R K[0]LK[0]R K[1]LK[1]R 19 F F F F F F

K[2]LK[2]R K[3]LK[3]R K[2]LK[2]R K[3]LK[3]R K[2]LK[2]R K[3]LK[3]R 20 F F F F F F

K[0]LK[0]R K[1]LK[1]R K[0]LK[0]R K[1]LK[1]R K[0]LK[0]R K[1]LK[1]R 21 F F F F F F active active R R K[2]LK[2]R K[3]LK[3]R K[2]LK[2]R K[3]LK[3]R K[2]LK[2]R K[3]LK[3]R K|4| 22 F F F F K|2| F F

K[4]LK[4]R K[4]LK[4]R K[4]LK[4]R K[4]LK[4]R K[4]LK[4]R K[4]LK[4]R 23 F F F F F F rk47

K[0]LK[0]R K[1]LK[1]R K[0]LK[0]R K[1]LK[1]R K[0]LK[0]R K[1]LK[1]R 24 F F F F F F rk K[4]LK[3]R K[3]LK[4]R K[4]LK[3]R K[3]LK[4]R K[4]LK[3]R K[3]LK[4]R 49

WK2 WK3

C0 C0 Ci

(a) (b) (c)

Figure 2: 6-round biclique construction of dimension 8 in Piccolo-80.

𝑑 𝑆𝑗 is decrypted using all the possible 2 −1keys 𝐾[𝑖,𝑗] to 3.3. Biclique Cryptanalysis of Piccolo-128 ←󳨀󳨀 𝐾[𝑖,𝑗] get 𝑉𝑖,𝑗 ←󳨀󳨀󳨀𝑆𝑗.Becauseofthesamebeginning,thekeydif- 3.3.1. Phase 1: Key Partitioning. We divide the 128-bit key 𝐾 𝐾 112 ferences between [0,𝑗] and [𝑖,𝑗] can cause the computational into 2 groups. 𝐾[0,0] enumerates 112-bit keys and fixes 16- complexity.OnFigure3(b),thegraybytesareactiveandthe bit keys with 016. By investigating the subkey distribution white bytes need not be computed. (Table 3), an 8-dimensional biclique structure of 7 rounds is 𝐿 constructed by each left half of 𝐾[6] and 𝐾[7],thatis,𝐾[6] Forward Direction. The procedure of forward direction isa 𝐿 and 𝐾[7] . The computational complexity of this structure is bit more complex than the backward direction in calculation. 8 less than others’. Firstly, we decrypt the ciphertexts 𝐶𝑖 for 𝑖∈{0,1}to Similar to Piccolo-80, the keys 𝐾[0,0],𝐾[0,𝑗],𝐾[𝑖,0],and 28 𝑃 𝑃 obtain plaintexts 𝑖. Secondly, each 𝑖 is encrypted under 𝐾[𝑖,𝑗] of each group are depicted, as shown below: 𝐾[𝑖,0] 󳨀󳨀→ the key 𝐾[𝑖,0] to derive 𝑃𝑖 󳨀󳨀󳨀→ 𝑉𝑖,0.Afterthat,𝑃𝑖 is 𝑑 encrypted using all the possible 2 −1keys 𝐾[𝑖,𝑗] to obtain 𝐾 = [𝑋𝑋, 𝑋𝑋, 𝑋𝑋, 𝑋𝑋, 𝑋𝑋,𝐴𝑋,𝐴𝑋] , 𝐾[𝑖,𝑗] 󳨀󳨀→ [0,0] 𝑃 󳨀󳨀󳨀→ 𝑉 𝐾 𝐾 𝑖 𝑖,𝑗. The differences between [𝑖,0] and [𝑖,𝑗] can 8 influence the computational complexity. On Figure 3(a), where 𝑋∈{0, 1} , 𝐴 = 0𝑥00, the gray bytes are active and the white bytes need not be 𝐾 =𝐾 ⊕ [00, 00, 00, 00, 00, 00, 00, 𝑗0] , computed. [0,𝑗] [0,0] (6) 8 where 𝑗∈{0, 1} , Search Candidates. In the last session of the attack,󳨀󳨀→ the 𝑉𝑖,𝑗 adversary verifies the rest candidate key by the equality of 𝐾[𝑖,0] =𝐾[0,0] ⊕ [00, 00, 00, 00, 00, 00, 𝑖0, 00] , ←󳨀󳨀 8 and 𝑉𝑖,𝑗 for all 𝑖, 𝑗 ∈ {0, 1} in each group exhaustively, until 𝑖∈ 0, 1 8 . the right key is discovered. where { } 6 Security and Communication Networks

K[0]LK[1]R K[1]LK[0]R

K[2]LK[2]R K[3]LK[3]R 0 FF K[i, j] Vi,j Sj

K[0]LK[0]R K[1]LK[1]R K[2]LK[2]R K[3]LK[3]R 1 FF 10 FF

K[2]LK[2]R K[3]LK[3]R K[0]LK[0]R K[1]LK[1]R 2 FF 11 FF

L R L R K[4] K[4] K[4] K[4] K[2]LK[2]R K[3]LK[3]R 3 F F 12 FF

L R L R K[0] K[0] K[1] K[1] K[4]LK[4]R K[4]LK[4]R 4 F F 13 FF active R

L R L R K[2] K[2] K[3] K[3] K[0]LK[0]R K[1]LK[1]R K|2| 5 F F 14 FF active R K|4| K[0]LK[0]R K[1]LK[1]R K[2]LK[2]R K[3]LK[3]R 6 FF 15 FF

L R L R K[2] K[2] K[3] K[3] K[0]LK[0]R K[1]LK[1]R 7 F F 16 FF

L R L R K[4] K[4] K[4] K[4] K[2]LK[2]R K[3]LK[3]R 8 F F 17 FF

L R L R K[0] K[0] K[1] K[1] K[4]LK[4]R K[4]LK[4]R 9 F F 18 FF

K[i, j] Sj Pi Vi,j

Is computed once Is computed once Is computed 28 times Is computed 28 times

(a) (b)

Figure 3: Recomputations in MITM for Piccolo-80. Security and Communication Networks 7

S0 Sj S0

K[4]LK[4]R K[3]LK[3]R K[4]LK[4]R K[3]LK[3]R K[4]LK[4]R K[3]LK[3]R 24 F F F F F F

K[2]LK[2]R K[5]LK[5]R K[2]LK[2]R K[5]LK[5]R K[2]LK[2]R K[5]LK[5]R 25 F F F F F F

K[0]LK[0]R K[7]LK[7]R K[0]LK[0]R K[7]LK[7]R K[0]LK[0]R K[7]LK[7]R 26 F F F F F F

K[4]LK[4]R K[1]LK[1]R K[4]LK[4]R K[1]LK[1]R K[4]LK[4]R K[1]LK[1]R 27 F F F F F F active active L L K|7| K|6|

K[0]LK[0]R K[7]LK[7]R K[0]LK[0]R K[7]LK[7]R K[0]LK[0]R K[7]LK[7]R 28 F F F F F F

K[6]LK[6]R K[3]LK[3]R K[6]LK[6]R K[3]LK[3]R K[6]LK[6]R K[3]LK[3]R 29 F F F F F F

K[2]LK[2]R K[5]LK[5]R K[2]LK[2]R K[5]LK[5]R K[2]LK[2]R K[5]LK[5]R 30 F F F F F F K[4]LK[7]R K[7]LK[4]R K[4]LK[7]R K[7]LK[4]R K[4]LK[7]R K[7]LK[4]R

C0 C0 Ci

(a) (b) (c)

Figure 4: 7-round biclique construction of dimension 8 in Piccolo-128.

Finally, influence the gray intermediate states’ differences. This step 𝐾 𝑔(𝑆 ) 󳨀󳨀󳨀[𝑖,0]→𝐶 𝐾[𝑖,𝑗] =𝐾[0,0] ⊕𝐾[0,𝑗] ⊕𝐾[𝑖,0] derives 0 𝑖. (7) 𝐶 𝐾 𝑗∈{0,1}8 =𝐾[0,0] ⊕ [00, 00, 00, 00, 00, 00, 𝑖0, 𝑗0] . Step 3. Decrypt 0 using different keys [0,𝑗] for (Figure 4(b)). The differences between 𝐾[0,𝑗] and 𝐾[0,0] can 112 16 Thus, the key space of K is divided into 2 groups of 2 bring about the gray intermediate states’ differences. As a 𝐾 keys each. −1 [0,𝑗] result, 𝑔 (𝐶0) 󳨀󳨀󳨀󳨀→(𝑆𝑗) has been constructed.

3.3.2. Phase 2: 8-Dimensional Biclique Structure of 7 Rounds. Thanks to the simplicity of the distribution of the subkey 𝐾 We construct an 8-dimensional biclique structure of 7 rounds 𝑔(𝑆 ) 󳨀󳨀󳨀[𝑖,𝑗]→ for Piccolo-128 for each group (Figure 4). Here, 𝑔 is subci- of Piccolo-128, it is also very easy to verify that 𝑗 −1 𝐶 𝑖, 𝑗 ∈ {0,8 1} phers for round 24∼30 and 𝑔 is the inverse of 𝑔.Theprocess 𝑖 is always true for all .Uptonow,foreach of calculating the ciphertexts and intermediate states consists key group, we get a corresponding 8-dimensional biclique of the following 3 steps. structure.

Step 1. Let 𝐶0 =0(64) and decrypt 𝐶0 for 7 rounds to obtain 3.3.3. Phase 3: Meeting in the Middle over 24 Rounds. Select a 𝑆 𝑆 𝑔−1𝐾 (𝐶 ) 12 0 (Figure 4(a)); that is, 0 = [0,0] 0 . 16-bit internal state (𝑈=𝐹1,4)afterF-Function in round 12, as the intermediate matching variable (see Figure 5). Next, we 8 Step 2. Encrypt 𝑆0 using different keys 𝐾[𝑖,0] for 𝑖∈{0,1} calculate these matching variates in both directions in order (Figure 4(c)). The differences between 𝐾[𝑖,0] and 𝐾[0,0] can to obtain the right key. 8 Security and Communication Networks

P K[0]LK[1]R K[1]LK[0]R i

K[2]LK[2]R K[3]LK[3]R 0 FF K[i, j] Ui,j Sj

K[4]LK[4]R K[5]LK[5]R 1 FF K[6]LK[6]R K[5]LK[5]R 13 FF

K[6]LK[6]R K[7]LK[7]R 2 FF K[2]LK[2]R K[7]LK[7]R 14 FF

K[2]LK[2]R K[1]LK[1]R 3 FF K[0]LK[0]R K[1]LK[1]R 15 FF

K[6]LK[6]R K[7]LK[7]R 4 FF K[2]LK[2]R K[7]LK[7]R 16 FF active L 17 . . . . K|7| . . . . K[0]LK[0]R K[3]LK[3]R 18 . . . . active 5 FF 19 L

K[6]LK[6]R K[5]LK[5]R K|6| 6 . . . . FF 7 . . . . 20 8

K[2]LK[2]R K[7]LK[7]R 9 FF

K[0]LK[0]R K[7]LK[7]R 21 FF

K[0]LK[0]R K[3]LK[3]R 10 FF

K[4]LK[4]R K[3]LK[3]R 22 FF

K[4]LK[4]R K[1]LK[1]R 11 FF

K[6]LK[6]R K[1]LK[1]R 23 FF

K[0]LK[0]R K[3]LK[3]R 12 FF K[i, j] Pi Ui,j Sj

Is computed once Is computed once Is computed 28 times Is computed 28 times

(a) (b)

Figure 5: Recomputations in MITM for Piccolo-128.

Backward Direction. Each value of the state 𝑆𝑗 is decrypt- Forward Direction.Firstly,wedecrypttheciphertexts𝐶𝑖 for 𝐾 8 8 ←󳨀󳨀 [0,𝑗] 𝑖∈{0,1}to obtain 2 plaintexts 𝑃𝑖. Secondly, each 𝑃𝑖 is 𝐾[0,𝑗] 𝑈0,𝑗 ←󳨀󳨀󳨀󳨀𝑆𝑗 ed under the key to obtain .After 𝐾[𝑖,0] 󳨀󳨀→ 𝑑 𝐾 𝑃 󳨀󳨀󳨀→ 𝑈 that, 𝑆𝑗 is decrypted using all the possible 2 −1keys encrypted under the key [𝑖,0] to obtain 𝑖 𝑖,0.Then, 𝑑 ←󳨀󳨀 𝐾[𝑖,𝑗] 𝑃𝑖 is encrypted using all the possible 2 −1keys 𝐾[𝑖,𝑗] to get 𝐾 𝑈 ←󳨀󳨀󳨀𝑆 [𝑖,𝑗] to get 𝑖,𝑗 𝑗. On Figure 5(b), the gray 𝐾[𝑖,𝑗] 󳨀󳨀→ bytes are active and the white bytes do not need to be 𝑃𝑖 󳨀󳨀󳨀→ 𝑈𝑖,𝑗. On Figure 5(a), the gray bytes are active and the computed. white bytes do not need to be computed. Security and Communication Networks 9

S0 Sj S0

L R L R K[0] K[0] K[7] K[7] K[0]LK[0]R K[7]LK[7]R K[0]LK[0]R K[7]LK[7]R 26 FF FF FF

L R L R K[4] K[4] K[1] K[1] K[4]LK[4]R K[1]LK[1]R K[4]LK[4]R K[1]LK[1]R 27 FF FF FF

L R L R K[0] K[0] K[7] K[7] K[0]LK[0]R K[7]LK[7]R K[0]LK[0]R K[7]LK[7]R active 28 FF FF FFactive L L K|6| K|2|

K[6]LK[6]R K[3]LK[3]R K[6]LK[6]R K[3]LK[3]R K[6]LK[6]R K[3]LK[3]R 29 FF FF FF

K[2]LK[2]R K[5]LK[5]R K[2]LK[2]R K[5]LK[5]R K[2]LK[2]R K[5]LK[5]R 30 FF FF FF K[4]LK[7]R K[7]LK[4]R K[4]LK[7]R K[7]LK[4]R K[4]LK[7]R K[7]LK[4]R

C0 C0 Ci[0] Ci[1] Ci[2] Ci[3]

Figure 6: 5-round biclique construction of dimension 8 in Piccolo-128.

Search Candidates. In the last session󳨀󳨀→ of←󳨀󳨀 the attack, the paper. As a result, the data complexity does not go beyond 248 adversary verifies the equality of 𝑈𝑖,𝑗 and 𝑈𝑖,𝑗 for all 𝑖, 𝑗 ∈ . 8 {0, 1} to discover the correct key. In the attack shown in Figure 7, it is clear that the left half of the round key rk46 can offset the left half2 ofWK (the postwhitening key); that is, there is no difference in the grid 3.4. Another Biclique Cryptanalysis of Piccolo-128. Similar to 𝐶[0]𝐿 Section 3.3, we construct an 8-dimensional biclique structure line byte ( ). Based on this, the biclique cryptanalysis of Jeong et al. goes wrong. of 5 rounds (26∼30) for Piccolo-128 by each left half of 𝐾[6] 𝐿 𝑅 𝐿 𝐿 So, the Δ 𝑖-differential affects only 5 bytes (𝐶[1] , 𝐶[1] , and 𝐾[2],thatis,𝐾[6] and 𝐾[2] (Figure 6). 𝐿 𝐿 𝑅 𝐶[2] , 𝐶[3] ,and𝐶[3] ) of the ciphertext and the data In the phase of meeting in the middle over 26 rounds, we 40 13 2 select a 16-bit internal state (𝑈=𝐹 )afterF-Function in complexity does not go beyond . The correct difference 1,4 𝐶[0]𝐿 round 13, as the intermediate matching variable. path does not include the grid line byte ( ). (2) Jeongetal.thoughtthatonly2byteswereactive in the decryption of 17th round in backward direction for 4. Complexities Piccolo-80 of recomputation, shown in Figure 11 of [15]. 13 28 4.1.CommentsontheResultof[15].Jeong et al. applied F-Functions(withoutthegridline)werecomputed times biclique cryptanalysis to the lightweight block ciphers LED, and 4 F-Functions were computed once. They are drawn on Piccolo, and PRESENT in [15]. They used the concept of Figure 7(b) in this paper. Then the total complexity of this 28 ×(28 ×13+4) independent-biclique which included constructing biclique step is F-Functions. structure by independent related-key differentials and match- It is clear that 6 bytes of intermediate are active in the ingwithprecomputations.Theyfoundalimitedandslow decryption of 17th round in backward direction for Piccolo- diffusion of the subkey distribution and encryption process. 80 of recomputation and all bytes are active of 16th round. As a result, their attacks can discover the master key with Based on these, their computational complexity of this step computational complexities superior to an exhaustive search. goes wrong. However, we find two faults of their biclique cryptanalysis of So, 15 F-Functions (including the grid line) are computed 8 Piccolo as follows: 2 times and 2 F-Functions are computed once. Then the total 𝐿 𝐿 8 8 (1) Jeong et al. found that 𝐾[4] and 𝐾[2] gave the complexity of this step is 2 ×(2 ×15+2)F-Functions. The construction of an 8-dimensional biclique which was shown correct difference path includes the grid line bytes. in Figure 10 of [15]. The Δ 𝑖-differential affected only 6 bytes Similarly, 3 bytes but not one byte are active in the 𝐿 𝐿 𝑅 𝐿 𝐿 𝑅 (𝐶[0] , 𝐶[1] , 𝐶[1] , 𝐶[2] , 𝐶[3] ,and𝐶[3] )whichis decryption of 22nd round in backward direction for Piccolo- drawn on Figure 7(a) (including the grid line byte) in this 128 of recomputation and they are shown in Figure 13 of [15]. 10 Security and Communication Networks

S0 K[2]LK[2]R K[3]LK[3]R K[0]LK[0]R K[1]LK[1]R 10 FF 19 FF

K[0]LK[0]R K[1]LK[1]R K[2]LK[2]R K[3]LK[3]R 11 FF 20 FF

K[2]LK[2]R K[3]LK[3]R K[0]LK[0]R K[1]LK[1]R 12 FF 21 FF

13 . . . . 14 . . . . active

L 15 L R L R K[2] K[2] K[3] K[3] active

22 FF L K|4| K[0]LK[0]R K[1]LK[1]R 16 FF K|4|

K[4]LK[4]R K[4]LK[4]R FF 23 L R L R rk rk K[2] K[2] K[3] K[3] 46 47 17 FF

K[0]LK[0]R K[1]LK[1]R FF 24 K[4]LK[4]R K[4]LK[4]R rk48 rk K[4]LK[3]R K[3]LK[4]R 49 18 FF

WK2 WK3

C[0] C[1] C[2] C[3]

(a) (b)

Figure 7: Revision of the other solutions.

8 8 20 rather than 18 F-Functions are computed 2 times and 3 (Figure 2(c), noted with gray) need to be computed 2 instead of 5 F-Functions are computed once. times. The remaining 5 F-Functions are computed only 8 once. Thus, this stage requires 2 ×7+5F-Functions computations in total. Then, the computational complexity 4.2. Complexities of Biclique Cryptanalysis on Piccolo-80 5.17 of a biclique structure is about 2 full round Piccolo-80 4.2.1. Data Complexity. By analyzing the key schedule, we encryptions. find a weakness in the key schedule on Piccolo-80; that is, the round key rk47 can offset the postwhitening key partially (see Matching Complexity. In forward direction, the differences 𝐾 𝐾 Figure 2). Based on this, the data complexity can be reduced between [𝑖,0] and [𝑖,𝑗] dominate the computational complexity. On Figure 3(a), for a single 𝑃𝑖,14F-Functions (noted greatly. 8 The amount of ciphertexts to be decrypted dominates the with gray) are computed 2 times, 3 F-Functions (noted with data complexity (Figure 2). For each biclique structure, let grid line) are computed only once, and 3 F-Functions (noted 𝐶0 =0(64). All the ciphertexts share the equal values in 3 with white) do not need to be computed. So, the complexity 8 8 bytes (𝐶𝑖[0], 𝐶𝑖[4],and𝐶𝑖[5], i.e., white bytes), so the data of this process is 2 ×(2 ×14+3)F-Functions, which is about 40 14.16 complexity does not go beyond 2 . 2 full round Piccolo-80 encryptions. In backward direction, on Figure 3(b), for a single 𝑆𝑗,15 28 4.2.2. Computational Complexity. The amount of the F- F-Functions (noted with gray) are computed times, 2 F- Functions to be computed determines the attack complexity. Functions(notedwithgridline)arecomputedonlyonce, Each round of Piccolo-80 takes 2 F-Functions computations. and 1 F-Function (noted with white) need not be computed. 28 × 28 ×15+2 So, the single encryption equals computed 25 × 2 = 50 So, the complexity of this process is ( ) 64 214.26 F-Functions. For each of 2 groups of keys, the following F-Functions, which is about full round Piccolo-80 encryptions. calculation should be completed. 16 Finally, 2 key candidates are verified by a matching 16−16 Biclique Complexity.5F-Functions (Figure 2(b), noted with variable (16 bits) in each group, and the average of 2 =1 8 gray) need to be computed 2 times and 2 F-Functions candidate key needs to be rechecked. Security and Communication Networks 11

Thus, the total computational complexity of this attack on 4.4.2. Computational Complexity Piccolo-80 is 8 Biclique Complexity.Thisstagerequires2 ×5+5F-Functions 64 5.17 14.16 14.26 79.22 computations in total. Then, the computational complexity 𝐶=2 ×(2 +2 +2 +1)≈2 . 4.38 (8) of a biclique structure is about 2 full round Piccolo-128 encryptions.

4.3. Complexities of Biclique Cryptanalysis on Piccolo-128 Matching Complexity. In forward direction, the complexity 28 ×(28 ×18+7) 214.22 4.3.1. Data Complexity. For each biclique structure, let 𝐶0 = is F-Functions, which is about full 0(64). All the ciphertexts share the equal values in 5 bytes round Piccolo-128 encryptions. In backward direction, the 28 ×(28 ×20+3) (𝐶𝑖[1], 𝐶𝑖[4], 𝐶𝑖[5], 𝐶𝑖[6],and𝐶𝑖[7], i.e., white bytes), so the complexity is F-Functions, which is about 24 14.37 data complexity does not go beyond 2 (See Figure 4). 2 full round Piccolo-128 encryptions. Thus, the total computational complexity of this attack on Piccolo-128 is 4.3.2. Computational Complexity. Each round of Piccolo-128 takes 2 F-Functions computations. So, the single encryption 𝐶=2112 ×(24.38 +214.22 +214.37 +1)≈2127.30. equals computed 31 × 2 = 62 F-Functions. For each of (10) 112 2 groups of keys, the following calculation should be completed. 5. Conclusion Biclique Complexity.13F-Functions (Figure 4(b), noted with 8 Designers have given several attacks including linear crypt- gray) need to be computed 2 times and 1 F-Function analysis, impossible differential cryptanalysis, and MITM 8 (Figure 4(c), noted with gray) needs to be computed 2 times. attack on security analysis for Piccolo. The best result was 3- 8 Thus, this stage requires 2 ×14F-Functions computations subset MITM attacks on 14/21-round Piccolo-80/128 without in total. Then, the computational complexity of a biclique the whitening key. The previous results and our results are 5.85 structure is about 2 full round Piccolo-128 encryptions. summarized on Piccolo in Tables 1 and 2. Some results did not include whitening key; some attacks were reduced-round. Matching Complexity. In forward direction, for a single 𝑃𝑖,16 However, our results are full round Piccolo-80/128. 8 F-Functions (noted with gray) are computed 2 times, 7 F- By analyzing the distribution of the subkey and the Functions(notedwithgridline)arecomputedonlyonce,and structure of encryption, we find two faults of the results in [15] 3 F-Functions (noted with white) do not need to be computed and a weakness in the key schedule on Piccolo-80. The two 8 8 on Figure 5(a). So, the complexity of this process is 2 ×(2 × faults are depicted in Section 4.1. The weakness on Piccolo- 14.05 16 + 7) F-Functions, which is about 2 full round Piccolo- 80 is that the right half of the round key rk47 can offset the 128 encryptions. righthalfofthepostwhiteningkeyWK3 (Figure 2(c)). Based In backward direction, for a single 𝑆𝑗,18F-functions on this, the data complexity can be decreased greatly. 8 Weusebicliquecryptanalysistorecoverthemaster (noted with gray) are computed 2 times, 3 F-functions key for the full round Piccolo-80 with a 6-round biclique (noted with grid line) are computed only once, and 1 F- and the full round Piccolo-128 with a 7-round biclique, Function (noted with white) need not be computed on 240 28 ×(28 × respectively. The attacks require data complexity of and Figure 5(b). So, the complexity of this process is 224 279.22 18 + 3) 214.22 chosen ciphertexts and computational complexity of F-Functions, which is about full round Piccolo- 2127.14 128 encryptions. and , respectively. These results are superior to other 16 biclique cryptanalytic results on Piccolo. Finally, 2 keycandidatesareverifiedbyamatching 16−16 This result is that the biclique technology can attack some variate(16bits)ineachgroup,andtheaverageof2 =1 ciphers with simple key schedule and slow diffusion. So, the candidate key needs to be rechecked. designers of lightweight ciphers need to consider not only the Thus, the total computational complexity of this attack on implementation efficiency, but also key schedule complexity Piccolo-128 is and diffusion speed.

𝐶=2112 ×(25.85 +214.08 +214.22 +1)≈2127.14. (9) Conflicts of Interest None of the authors declare any conflicts of interest. 4.4. Complexities of Another Biclique Cryptanalysis on Piccolo- 128 Acknowledgments 4.4.1. Data Complexity. For each biclique structure, let 𝐶0 = 0(64). All the ciphertexts share the equal values in 7 bytes ThisworkispartiallysupportedbyNationalNaturalSci- (𝐶𝑖[0], 𝐶𝑖[1], 𝐶𝑖[3], 𝐶𝑖[4], 𝐶𝑖[5], 𝐶𝑖[6],and𝐶𝑖[7], i.e., white ence Foundation of China (nos. 61272434, 61672330, and 8 bytes), so the data complexity does not go beyond 2 (See 61602287) and Nature Science Foundation of Shandong Figure 6). Province (no. ZR2013FQ021). 12 Security and Communication Networks

References [16] W. Zhang, J. Zhang, and X. Zheng, “Some observations on the lightweight block cipher piccolo-80,” in Proceedings of the [1] A. Bogdanov, D. Khovratovich, and C. Rechberger, “Biclique 6th International Conference on Trusted Systems (INTRUST ’14), cryptanalysis of the full AES,” in Advances in Cryptology— vol. 9473 of Lecture Notes in Computer Science,pp.364–373, ASIACRYPT 2011,vol.7073ofLecture Notes in Comput. Sci.,pp. Springer, Cham, Switzerland, 2015. 344–371, Springer, Heidelberg, Germany, 2011. [17] T. Isobe and K. Shibutani, “Security analysis of the lightweight [2] Y. Wang, W. Wu, and X. Yu, “Biclique cryptanalysis of reduced- block ciphers XTEA, LED and piccolo,” in Information Security round piccolo block cipher,” in Proceedings of the 8th Interna- and Privacy,vol.7372,pp.71–86,Springer,Berlin,Germany, tional Conference on Information Security Practice and Experi- 2012. ence (ISPEC ’12),M.R.Dermot,S.Ben,andG.Wang,Eds.,vol. 7232 of Lecture Notes in Computer Science,pp.337–352,Springer, Heidelberg, Germany, 2012. [3] D. Khovratovich, G. Leurent, and C. Rechberger, “Narrow- bicliques: cryptanalysis of full IDEA,” in Proceedings of the 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT ’12),LectureNotes in Computer Science, pp. 392–410, Springer, Heidelberg, Ger- many, 2012. [4]D.Hong,B.Koo,andD.Kwon,“Bicliqueattackonthefull HIGHT,” in Information Security and Cryptology—ICISC 2011, vol. 7259 of Lecture Notes in Computer Science,pp.365–374, Springer, Berlin, Germany, 2012. [5] J. Song, K. Lee, and H. Lee, “Biclique cryptanalysis on lightweight block cipher: HIGHT and Piccolo,” International Journal of Computer Mathematics,vol.90,no.12,pp.2564–2580, 2013. [6]F.Abed,C.Forler,E.List,S.Lucks,andJ.Wenzel,“Biclique cryptanalysis of the PRESENT and LED lightweight ciphers,” Tech.Rep.2012/591,CryptologyePrintArchive,2012. [7] M. Sereshgi and M. Shakiba, “Biclique cryptanalysis of MIBS-80 and PRESENT-80 block ciphers,” Security and Communication Networks,vol.9,no.1,pp.27–33,2016. [8] O. Ozen,¨ K. Varıcı, C. Tezcan, and C¸. Kocair, “Lightweight block ciphers revisited: cryptanalysis of reduced round PRESENT and HIGHT,” in Information Security and Privacy,vol.5594of Lecture Notes in Computer Science, pp. 90–107, Springer, Berlin, Germany, 2009. [9] Y. F. Wang and W. L. Wu, “Meet-in-the-middle attack on TWINE block cipher,” Journal of Software,vol.26,no.10,pp. 2684–2695, 2015 (Chinese). [10] M. C¸ oban, F. Karakoc, and O.¨ Biztas¸, “Biclique cryptanalysis of TWINE,”Tech. Rep. 2012/422, Cryptology ePrint Archive, 2012. [11] Z. Ahmadian, M. Salmasizadeh, and M. R. Aref, “Biclique cryptanalysis of the full-round KLEIN block cipher,” IET Information Security,vol.9,no.5,pp.294–301,2015. [12] W. Diffie and M. E. Hellman, “Exhaustive Cryptanalysis of the NBS Data Encryption Standard,” Computer,vol.10,no.6,pp. 74–84, 1977. [13] Y. Sasaki, “Meet-in-the-middle preimage attacks on AES hash- ing modes and an application to whirlpool,”in Proceedings of the International Workshop on Fast Software Encryption (FSE ’11), A.Joux,Ed.,vol.6733ofLecture Notes in Computer Science,pp. 378–396, Springer, Heidelberg, Germany, 2011. [14] K. Shibutani, T. Isobe, H. Hiwatari, A. Mitsuda, T. Akishita, and T. Shirai, “Piccolo: an ultra-lightweight blockcipher,” in Proceedings of the 13th International Workshop on Cryptographic Hardware and Embedded Systems (CHES ’11),B.PreneelandT. Takagi, Eds., vol. 6917 of Lecture Notes in Computer Science,pp. 342–357, Springer, Heidelberg, Germany, 2011. [15]K.Jeong,H.Kang,C.Lee,J.Sung,andS.Hong,“Biclique cryptanalysis of lightweight block ciphers PRESENT, piccolo and LED,”Tech. Rep. 2012/621, Cryptology ePrint Archive, 2012. International Journal of

Rotating Machinery

International Journal of Journal of The Scientific Journal of Distributed Engineering World Journal Sensors Sensor Networks Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014

Journal of Control Science and Engineering

Advances in Civil Engineering Hindawi Publishing Corporation Hindawi Publishing Corporation http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014

Submit your manuscripts at https://www.hindawi.com

Journal of Journal of Electrical and Computer Robotics Engineering Hindawi Publishing Corporation Hindawi Publishing Corporation http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014

VLSI Design Advances in OptoElectronics International Journal of Modelling & International Journal of Simulation Aerospace Navigation and in Engineering Observation Engineering

Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Hindawi Publishing Corporation http://www.hindawi.com Volume 2014

International Journal of International Journal of Antennas and Active and Passive Advances in Chemical Engineering Propagation Electronic Components Shock and Vibration Acoustics and Vibration

Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014