Research Article  Open Access
Biclique Cryptanalysis on the Full Crypton256 and mCrypton128
Abstract
Biclique cryptanalysis is an attack that reduces computational complexity by finding a biclique, which is a kind of bipartite graph. We show a single-key full-round attack on Crypton256 and mCrypton128 using biclique cryptanalysis. In this paper, 4-round bicliques are constructed for Crypton256 and mCrypton128. These bicliques are used to recover the master key for the full rounds of Crypton256 and mCrypton128 with computational complexities of 2^{253.78} and 2^{126.5}, respectively. This is the first known single-key full-round attack on Crypton256. Our result on mCrypton128 improves on the known biclique cryptanalysis of mCrypton128, which constructs 3-round bicliques, in terms of computational time complexity.
1. Introduction
The block cipher Crypton was one of the candidates for the Advanced Encryption Standard (AES) in 1998 [1]. The cipher was revised to Crypton V1.0 at FSE’99 [2]. Crypton is a 12-round, 128-bit block cipher that supports key sizes up to 256 bits. A mini-version of Crypton, mCrypton, is a 64-bit block cipher with three key size versions (64 bits, 96 bits, and 128 bits) [3]. mCrypton is a 64-bit lightweight block cipher designed to be used in low-cost and resource-constrained applications. Both of them have been designed based on the block cipher Square [4]. That cipher has been designed to be resistant to differential and linear cryptanalysis. Therefore it has been assumed that the above two ciphers also have the property of resisting those attacks.
However, a related-key impossible differential attack on 9 rounds of Crypton256 was shown by Wei et al. in 2011 [5]. For mCrypton, a related-key rectangle attack on 8 rounds of mCrypton128 was shown by Park in 2009 [6]. In 2011, Mala et al. showed a related-key impossible differential attack on 9 rounds of mCrypton96 and mCrypton128 [7]. The attacks on Crypton256 and mCrypton128 are summarized in Tables 1 and 2, respectively.
 
Rel.: related key, Imp.: impossible, Diff.: differential, Trunc.: truncated. 
In ASIACRYPT 2011, Bogdanov et al. introduced biclique cryptanalysis, which is a meet-in-the-middle attack with a biclique and is efficient compared to brute-force key search. They show two techniques for constructing bicliques for AES in [8]. One is from independent related-key differentials, which is called an independent biclique, and the other is from interleaving related-key differentials.
The biclique attack using independent related-key differentials consists of two parts. The first part constructs an independent biclique and the second is called matching with precomputations. In Section 2, we describe an overview of the steps of biclique cryptanalysis. The detailed technique to recover the 256-bit master key with a computational complexity of 2^{253.78} is presented in Section 4. In Section 5, the 128-bit key is recovered with a computational complexity of 2^{126.5}.
2. Biclique Cryptanalysis
In biclique cryptanalysis, the biclique, which is a kind of bipartite graph, improves computational efficiency. First we will briefly describe the biclique. The block cipher is considered as the composition of two subciphers: . Consider the subcipher maps an internal state to the ciphertext , where is a secret key of . The subcipher maps internal states to ciphertexts with keys , which are components of the following matrix: This 3-tuple is called a d-dimensional biclique, if In other words, as illustrated in Figure 1, a biclique is a complete bipartite graph with and as the two parts of vertices connected to edges, where each edge has degree .
Now we introduce the biclique cryptanalysis.
2.1. Attack Procedure
The biclique attack procedure consists of the following phases.
Key Partitioning. The key space is partitioned into groups of keys each, where is the bit length of the secret key. Each key in the set is indexed as an element of a matrix: .
Biclique Constructing. For each group of keys, build a structure of ciphertexts , intermediate states , and such that for all the relation (2) is satisfied.
Data Collecting. An adversary obtains the plaintexts from the ciphertexts through the decryption oracle.
Key Testing. The secret key, which the adversary tries to recover, maps the plaintext to the intermediate state . From this fact, the adversary checks the following equation: which proposes a key candidate. Note that implies that each is encrypted to with key (i.e., ). If there is no right key satisfying (3) in the selected key group, then another key group is chosen and the above process is repeated.
2.2. Biclique Construction by Independent Related-Key Differentials
In biclique cryptanalysis, there are two methods to construct a biclique. One uses independent related-key differentials and the other uses interleaving related-key differential trails. In this paper, we focus on the first of the two methods to construct a biclique, as described in [8].
Suppose that a secret key maps an intermediate state to a ciphertext . Then we consider the following two types of related-key differentials with respect to .
Differentials. This is a related-key differential trail where the input difference is 0 and the output difference is under a key difference :
Differentials. This is a related-key differential trail where the input difference is and the output difference is 0 under a key difference : The 3-tuple conforms to both sets of differentials at the same time. If the two key differential trails, differentials and differentials, do not share active nonlinear components, then the tuple also conforms to combined differentials: These combined differentials are derived from the property of box switch [14] and sandwich attack [15]. By using the combined differentials, an adversary reduces the computational complexity. The construction of a biclique requires less than computations of .
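The construction from independent related-key differentials described above, as an added example (not code from the paper): a toy 2-round, 16-bit subcipher with three independent round keys stands in for the subcipher, with dimension d = 4. The PRESENT S-box, the XOR mixing layer, the key-difference positions and all sample values are assumptions chosen for illustration. The biclique is built with 2^d forward and 2^d backward evaluations, all 2^{2d} edges are then checked against the definition, and the check is repeated with both key differences routed through the same S-box, where it fails.

```python
# Toy subcipher f (an assumption for illustration, NOT Crypton or mCrypton):
# state = 4 nibbles, key = three independent 4-nibble round keys (rk1, rk2, rk3).
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]  # PRESENT S-box
INV = [SBOX.index(v) for v in range(16)]

def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))

def sub(x, box):
    return tuple(box[v] for v in x)

def mix(x):
    # Involutive linear layer: each output nibble is the XOR of the other three.
    t = x[0] ^ x[1] ^ x[2] ^ x[3]
    return tuple(t ^ v for v in x)

def f(key, s):
    rk1, rk2, rk3 = key
    x = mix(sub(xor(s, rk1), SBOX))          # round 1
    return xor(sub(xor(x, rk2), SBOX), rk3)  # round 2 and final key addition

def f_inv(key, c):
    rk1, rk2, rk3 = key
    x = mix(xor(sub(xor(c, rk3), INV), rk2))
    return xor(sub(x, INV), rk1)

def key_ij(base, i, j, dpos, npos):
    # K[i,j] = K[0,0] ^ Delta_i^K ^ Nabla_j^K
    rk1, rk2, rk3 = (list(r) for r in base)
    rk2[dpos] ^= i  # Delta_i^K: difference i in nibble dpos of rk2
    rk3[npos] ^= j  # Nabla_j^K: difference j in nibble npos of rk3
    return tuple(rk1), tuple(rk2), tuple(rk3)

def build_biclique(base, s0, dpos, npos, d=4):
    c0 = f(base, s0)
    # Delta trails: input difference 0, so C_i = f_{K[i,0]}(S_0)
    C = [f(key_ij(base, i, 0, dpos, npos), s0) for i in range(1 << d)]
    # Nabla trails: output difference 0, so S_j = f^{-1}_{K[0,j]}(C_0)
    S = [f_inv(key_ij(base, 0, j, dpos, npos), c0) for j in range(1 << d)]
    return S, C

def is_biclique(base, S, C, dpos, npos):
    # Definition check: every S_j must map to every C_i under K[i,j].
    return all(f(key_ij(base, i, j, dpos, npos), S[j]) == C[i]
               for i in range(len(C)) for j in range(len(S)))

# Constructed sample values.
BASE = ((1, 2, 3, 4), (5, 6, 7, 8), (9, 10, 11, 12))
S0 = (0xA, 0xB, 0xC, 0xD)

def demo():
    # Disjoint active S-boxes: Delta activates round-2 S-box 0 only;
    # Nabla activates round-2 S-box 1 and round-1 S-boxes 0, 2, 3.
    good = is_biclique(BASE, *build_biclique(BASE, S0, 0, 1), 0, 1)
    # Shared active S-box: both trails pass through round-2 S-box 1.
    bad = is_biclique(BASE, *build_biclique(BASE, S0, 1, 1), 1, 1)
    return good, bad

if __name__ == "__main__":
    print(demo())
```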
2.3. Matching with Precomputations
The technique of matching with precomputations is an efficient method to check (3) in the biclique cryptanalysis procedure. Let be some selected bytes of an internal state between and . The matching-with-precomputations procedure is as follows. First, an adversary computes and stores in memory the following for all , : Then for particular and , which is not in stored memory, the adversary checks the matching at by recomputing only those parts of the cipher which differ from the stored one.
3. Description of Crypton and mCrypton
In this section, we briefly describe Crypton and mCrypton.
3.1. Description of Crypton
Crypton is a 128-bit block cipher that supports key sizes up to 256 bits. The standard number of rounds is 12. Let us represent the 128-bit block as a 4 × 4 matrix of bytes: Crypton uses component functions, , , , and .
Nonlinear Substitution . and are bytewise nonlinear substitutions which are applied to odd rounds and even rounds, respectively.
Bit Permutation . and are linear transformations for odd rounds and even rounds, respectively. The two bit permutations mix each byte column of 4 × 4 byte array using four masking bytes .
We denote “” and “” bitwise logical operations for AND and XOR, respectively. is given as follows: and is given as shown below:
Byte Transposition . is a byte transposition; it simply moves the byte at position to position; that is, .
Key Addition . is a bitwise key XOR with key . Let be the th encryption round key derived from a user key using the key schedule.
The block cipher Crypton can be described as , where odd round function and even round function are defined by and . Linear transformation is used after the last round.
3.2. Description of mCrypton
mCrypton is a 12-round, 64-bit block cipher with three key size options (64 bits, 96 bits, and 128 bits). Since mCrypton is based on Crypton, the main concepts of its description are very similar to those of Crypton. The round function of mCrypton also consists of four steps as follows.
Nonlinear Substitution . It consists of nibble-wise substitutions on a 4 × 4 array using four 4-bit boxes, , .
Bit Permutation . It mixes each column 4 × 4 array using column permutation for each column : where are the th column of .
Each is defined by where a column and a column .
Byte Transposition . It moves the nibble at the th position to the th position; that is, . So .
Key Addition . is defined by , where is a round key.
Like Crypton, mCrypton also can be described as where .
In this paper, we focus on the 128-bit key version of mCrypton, which is composed of 12 rounds.
4. Biclique Cryptanalysis of Crypton256
In this section, we describe a biclique attack with dimension 8 on the full 12-round Crypton256. We recover the secret key by constructing a biclique using independent related-key differentials.
4.1. Key Partitioning and Constructing Biclique for 4 Rounds
We describe how to partition key groups of Crypton256 in this section. The key schedule of Crypton256 expands the master key, and then all of the round keys are uniquely determined by the expanded keys. Therefore, if an expanded key is recovered, the master key is derived. Indices of 32-bit expanded keys used for generating round keys in each round are listed in Table 3.
 
Note: the * represents key space. 
The base keys are all 2^{240} 32-byte values with two bytes fixed to 0 ( and , which are derived from and , resp.), while the remaining 30 bytes range over all values:
We find that the second byte of and and the fourth byte of and give a construction of a biclique. Therefore the set of keys, which considers combined differentials with respect to the base key , is determined by all possible and in the following positions:
Now, we explain how to construct a biclique for 4 rounds of Crypton256 with dimension 8 . Let be the subcipher from Round 9 to the final round of Crypton256. Let the key map an intermediate state to a ciphertext , . Consider the two related-key differentials explained previously.
Differentials. The differentials are derived from the difference where the difference of the expanded key is in the following positions:
Differentials. The differentials are derived from the difference where the difference of the expanded key is in the following positions:
Both differentials and differentials are depicted in Figure 2. Since those two differentials do not share active boxes, one can easily obtain the following differentials with respect to the : Hence we can confirm a construction of biclique with dimension 8.
4.2. Key Recovery for the Crypton256
We describe the key recovery procedure using the constructed 4-round biclique for the full Crypton256. For further explanation, let be a composition of and , . Then Crypton256, , is the composition of the subciphers as follows: where is the subcipher from Round 0 to 4, and is the subcipher from Round 5 to 8 of Crypton256. Assume that the plaintext corresponding to each ciphertext in a constructed 4-round biclique is obtained by a decryption oracle.
The adversary finds a candidate key in the following key testing step by computing only 1 byte of the intermediate variable : One can perform the key recovery procedure by the following steps, precomputation and recomputations.
Precomputation. This step is a preparation phase for an efficient meet-in-the-middle attack. As in Section 2.3, one computes and stores (7) with encryptions and decryptions. In Crypton256, we consider an intermediate matching variable byte in the output of Round 4 as the byte in the following position:
In precomputation step, first we consider forward direction, from an initial round to Round 4. For all , the adversary computes of the output in Round 4 from with . And one stores it as with the intermediate states and subkeys in memory. On the other hand, in backward direction, let us consider subcipher of Crypton256 from Round 5 to 8. For all , one computes from with and stores it as with the intermediate states and subkeys in memory. And then we check (16) for every , by recomputing those variables which differ from the bytes stored in memory, considering forward and backward directions.
Backward Recomputation. In this step, we explain how to recompute difference between and stored one, . This difference is influenced by the key difference between and . By key schedule of Crypton256, the difference in the subkey of Round 8 is two bytes of 16 bytes. The bytes to be recomputed, which include 29 boxes, are illustrated in Figure 3.
Forward Recomputation. Recomputing difference, between and stored one, , is influenced by the key difference between and . By the key schedule, the difference in the subkey of Round 8 is two bytes of 16 bytes. The bytes to be recomputed, which include 10 boxes, are depicted in Figure 4.
By these recomputations of two directions, the adversary would make sure whether corresponding key satisfies (16). If it satisfies (16), the adversary should check matching the whole bytes at output of Round 4 (input of Round 5) for , , and . If the adversary cannot find the right key, then one should choose another key group and repeat the above procedures.
4.3. Complexities
Let be the complexity of constructing a biclique. In our cryptanalysis, it is at most 8round computations, where and . Let be the complexity of the precomputation for the matching in (16). And is the complexity of the recomputation of the byte . Approximately 2.438 byte substitution operations (39 boxes) are required in recomputation. is the complexity caused by false positives, which have to be matched on other byte positions. Since the matching in (16) is performed on a single byte, is less than computations. Therefore, the total complexity of the biclique cryptanalysis on the full Crypton256 is as follows: where : , : , : , and : .
Consequently, the total complexity is Although the differential affects all bytes of the ciphertext, only two bytes have an 8-bit difference and the remaining bytes have only a 6-bit difference. So, 28 bits of the ciphertext have no difference. As a result, the data complexity does not exceed 2^{100}.
5. Biclique Cryptanalysis of mCrypton128
In this section, we describe a biclique cryptanalysis with dimension 8 on the full mCrypton128. We recover the secret key by constructing a 4-round biclique using independent related-key differentials.
5.1. Key Partitioning and Constructing Biclique for 4 Rounds
By the key schedule of mCrypton128 in Table 4, all of the round keys are uniquely determined by the master key . We find that some bits of , , , and give construction of a biclique. The base keys are all 2^{112} 32 nibbles at Round 11 and 12 with 16 bits fixed to 0, in the following positions:

And the set of keys , which is considering combined differentials with respect to the base key , is determined by all possible and in the following positions:
Now, we explain how to construct a biclique for 4 rounds of mCrypton128. Consider the following two related-key differentials. Let be the subcipher from Round 9 to the final round of mCrypton128. Let the key map an intermediate state to a ciphertext , . Consider the two related-key differentials.
Differentials. The differentials are derived from the following difference :
Differentials. The differentials are derived from the following difference :
differentials and differentials are depicted in Figure 5. We construct a 4-round biclique with dimension 8.
5.2. Key Recovery for the mCrypton128
Let us explain the key recovery procedure using the 4-round biclique for the full round of mCrypton128. The adversary finds the right key in the following key testing step by checking only 1 nibble of the intermediate variable in (16).
Precomputation. As explained in Section 4.2 for Crypton256, in mCrypton128, we consider an intermediate matching variable in the output of Round 4 as the byte in the following position:
In this step, we first consider forward direction, from initial round to Round 4 of mCrypton128. For all , the adversary computes of the output of Round 4, from and . And one stores it as with the intermediate states and subkeys in memory. On the other hand, in backward direction, we consider Rounds from 5 to 8. For all , one computes from and and stores it as with the intermediate states and subkeys in memory. Then we check (16) for every , by recomputing those variables which differ from the variables stored in memory considering forward and backward direction.
Backward Recomputation. In backward direction, we look at how the computation differs from stored one, . The area to be recomputed, which includes 25 boxes, is illustrated in Figure 6.
Forward Recomputation. Let us figure out how the computation differs from stored one, . The area to be recomputed, which includes 30 boxes, is depicted in Figure 7.
By those recomputations in the two directions, the adversary determines whether the corresponding key satisfies (16). If (16) is satisfied, the candidate key is the right key with high probability. Otherwise, the adversary should choose another key group and repeat the above procedures.
5.3. Complexities
We construct a biclique for 4 rounds of mCrypton128 where the dimension is 8. The differentials are based on the difference in 4 bits of and , and differentials are based on the difference in 4 bits of and . Approximately 3.4375 nonlinear substitution operations (55 boxes) are required in recomputation: : , : , : , : . Consequently, the total complexity is In ciphertext, four nibbles have a 4-bit difference and the remaining 12 nibbles have only a 3-bit difference. Also 12 bits of ciphertext have zero difference. Hence the data complexity does not exceed 2^{52}.
6. Conclusions
We use bicliques to recover the master key for the full rounds of Crypton256 and mCrypton128 with computational complexities of 2^{253.78} and 2^{126.5}, respectively. This is the first single-key full-round attack on Crypton256. Our result on mCrypton128 with 4-round bicliques is better than the known biclique cryptanalysis result with 3-round bicliques in terms of computational time complexity.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
References
[1] C. H. Lim, “CRYPTON: a new 128-bit block cipher,” in NIST AES Proposal, 1998.
[2] C. H. Lim, “A revised version of CRYPTON: CRYPTON V1.0,” in Fast Software Encryption, pp. 31–45, 1999.
[3] C. H. Lim and T. Korkishko, “MCrypton—a lightweight block cipher for security of low-cost RFID tags and sensors,” in Information Security Applications, pp. 243–258, Springer, 2006.
[4] J. Daemen, L. Knudsen, and V. Rijmen, “The block cipher square,” in Fast Software Encryption, pp. 149–165, 1997.
[5] Y. Wei, C. Li, and B. Sun, “Related-key impossible differential cryptanalysis on crypton and crypton v1.0,” in Proceedings of the World Congress on Internet Security (WorldCIS '11), pp. 227–232, 2011.
[6] J. H. Park, “Security analysis of mCrypton proper to low-cost ubiquitous computing devices and applications,” International Journal of Communication Systems, vol. 22, no. 8, pp. 959–969, 2009.
[7] H. Mala, M. Dakhilalian, and M. Shakiba, “Cryptanalysis of mCrypton—a lightweight block cipher for security of RFID tags and sensors,” International Journal of Communication Systems, vol. 25, no. 4, pp. 415–426, 2012.
[8] A. Bogdanov, D. Khovratovich, and C. Rechberger, “Biclique cryptanalysis of the full AES,” in Advances in Cryptology—ASIACRYPT 2011, pp. 344–371, Springer, Heidelberg, Germany, 2011.
[9] C. D’halluin, G. Bijnens, V. Rijmen, and B. Preneel, “Attack on six rounds of crypton,” in Fast Software Encryption, pp. 46–59, 1999.
[10] J. H. Cheon, M. Kim, K. Kim, L. JungYeun, and S. Kang, “Improved impossible differential cryptanalysis of rijndael and crypton,” in Information Security and Cryptology—ICISC 2001, pp. 39–49, Springer, Berlin, Germany, 2002.
[11] M. Minier and H. Gilbert, “Stochastic cryptanalysis of crypton,” in Fast Software Encryption, pp. 121–133, 2001.
[12] J. Kim, S. Hong, S. Lee, J. H. Song, and H. Yang, “Truncated differential attacks on 8-round CRYPTON,” in Information Security and Cryptology—ICISC 2003, pp. 446–456, Springer, Berlin, Germany, 2004.
[13] K. Jeong, H. Kang, C. Lee, J. Sung, S. Hong, and J. Lim, “Weakness of lightweight block ciphers mCrypton and LED against biclique cryptanalysis,” in Peer-to-Peer Networking and Applications, pp. 1–17, 2013.
[14] A. Biryukov and D. Khovratovich, “Related-key cryptanalysis of the full AES-192 and AES-256,” in Advances in Cryptology—ASIACRYPT 2009, pp. 1–18, Springer, Berlin, Germany, 2009.
[15] O. Dunkelman, N. Keller, and A. Shamir, “A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3G telephony,” in Advances in Cryptology—CRYPTO 2010, pp. 393–410, Springer, Heidelberg, Germany, 2010.
Copyright
Copyright © 2014 Junghwan Song et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.