#### Abstract

Biclique cryptanalysis is an attack which reduces the computational complexity by finding a biclique which is a kind of bipartite graph. We show a single-key full-round attack of the Crypton-256 and mCrypton-128 by using biclique cryptanalysis. In this paper, 4-round bicliques are constructed for Crypton-256 and mCrypton-128. And these bicliques are used to recover master key for the full rounds of Crypton-256 and mCrypton-128 with the computational complexities of 2^{253.78} and 2^{126.5}, respectively. This is the first known single-key full-round attack on the Crypton-256. And our result on the mCrypton-128 has superiority over known result of biclique cryptanalysis on the mCrypton-128 which constructs 3-round bicliques in terms of computational time complexity.

#### 1. Introduction

The block cipher Crypton is one of candidates for the Advanced Encryption Standard (AES) in 1998 [1]. The cipher has been revised to Crypton V1.0 in FSE’99 [2]. Crypton is a 12-round and 128-bit block cipher that supports key sizes up to 256 bits. A miniversion of Crypton, mCrypton, is a 64-bit block cipher with three key size versions (64 bits, 96 bits, and 128 bits) [3]. mCrypton is a 64-bit lightweight block cipher designed to be used in low-cost and resource-constrained applications. Both of them have been designed based on the block cipher square [4]. The cipher has been designed to be resistant to differential and linear cryptanalysis. Therefore it has been assumed that the above two ciphers also have the property of resisting those attacks.

However, a related-key impossible differential attack on 9 rounds of Crypton-256 has been shown by Wei et al. in 2011 [5]. For mCrypton, a related-key rectangle attack on 8 rounds of mCrypton-128 has been shown by Park in 2009 [6]. In 2011, Mala et al. showed a related-key impossible differential attack on 9 rounds of mCrypton-96 and mCrypton-128 [7]. The summary of attacks on Crypton-256 and mCrypton-128 is described in Tables 1 and 2, respectively.

In ASIACRYPT 2011, Bogdanov et al. introduce a biclique cryptanalysis, which is a meet-in-the-middle attack with a biclique and the attack is efficient compared to brute force key search. They show two techniques of constructing bicliques for AES in [8]. One is from independent related-key differentials, which is called independent biclique and the other is from interleaving related-key differentials.

The biclique attack by using independent related-key differentials consists of two parts. The first part constructs an independent-biclique and the second is called matching with precomputations. In Section 2, we describe an overview of the steps of biclique cryptanalysis. The detailed technique to recover the 256-bit master key with computational complexity in 2^{253.78} is presented in Section 4. And in Section 5, the 128-bit key is recovered with computational complexity in 2^{126.5}.

#### 2. Biclique Cryptanalysis

In the biclique cryptanalysis, the biclique, which is a kind of a bipartite graph improve the computational efficiency of computation. First we will briefly describe biclique. The block cipher is considered as the composition of two subciphers: . Consider the subcipher maps an internal state to the ciphertext , where is a secret key of . The subcipher maps internal states to ciphertexts with keys , which are components of the following matrix:
This 3-tuple is called a* d-dimensional biclique*, if
In other words, as illustrated in Figure 1, a biclique is a complete bipartite graph with and as the two parts of vertices connected to edges, where each edge has degree .

Now we introduce the biclique cryptanalysis.

##### 2.1. Attack Procedure

The biclique attack procedure consists of the following phases.

*Key Partitioning.* The key space is partitioned into groups of keys each, where is the bit length of the secret key. Each key in the set is indexed as an element of a matrix: .

*Biclique Constructing.* For each group of keys, build a structure of ciphertexts , intermediate states , and such that for all the relation (2) is satisfied.

*Data Collecting.* An adversary obtains the plaintexts from the ciphertexts through the decryption oracle.

*Key Testing.* The secret key, which is an adversary try to recover, maps the plaintext to the intermediate state . From this fact, an adversary checks the following equation:
which proposes a key candidate. Note that implies that each is encrypted to with key (i.e., ). If there is no right key satisfying (3) in the selected key group, then another key group is chosen and repeats the above process.

##### 2.2. Biclique Construction by Independent Related-Key Differentials

In biclique cryptanalysis, there are two methods to construct a biclique. One is using independent related-key differentials and the other is using interleaving related-key differential trails. In this paper, we focus on the first of two methods, to construct biclique as described in [8].

Suppose that a secret key maps an intermediate state to a ciphertext . Then we consider the following two types of related-key differentials with respect to .

-*Differentials.* This is a related-key differential trail where the input difference is 0 and the output difference is under a key difference :

-*Differentials.* This is a related-key differential trail where the input difference is and the output difference is 0 under a key difference :
The 3-tuple conforms to both sets of differentials at the same time. If the two key differential trails, -differentials and -differentials, do not share active nonlinear components, then the tuple also conforms to combined -differentials:
This combined -differentials is derived from property of -box switch [14] and sandwich attack [15]. By using the combined differentials, an adversary reduces the computational complexity. The construction of a biclique requires less than computations of .

##### 2.3. Matching with Precomputations

The technique of matching with precomputations is an efficient method to check (3) in biclique cryptanalysis procedure. Let be some selected bytes of an internal state between and . The flow of matching with precomputation procedure is as the following. First, an adversary computes and stores in memory the following for all , : Then for particular and , which is not in stored memory, the adversary checks the matching at by recomputing only those parts of the cipher which differ from the stored one.

#### 3. Description the Crypton and mCrypton

In this section, we describe Crypton and mCrypton, briefly.

##### 3.1. Description of Crypton

Crypton is a 128-bit block cipher supports key sizes up to 256 bits. The standard number of rounds is 12. Let us represent the 128-bit block as a 4 × 4 matrix of bytes: Crypton uses component functions, , , , and .

*Nonlinear Substitution **. * and are bytewise nonlinear substitutions which are applied to odd rounds and even rounds, respectively.

*Bit Permutation **. * and are linear transformations for odd rounds and even rounds, respectively. The two bit permutations mix each byte column of 4 × 4 byte array using four masking bytes .

We denote “” and “” bitwise logical operations for AND and XOR, respectively. is given as follows: and is given as shown below:

*Byte Transposition **. * is a byte transposition; it simply moves the byte at position to position; that is, .

*Key Addition **. * is a bitwise key XOR with key . Let be the th encryption round key derived from a user key using the key schedule.

The block cipher Crypton can be described as , where odd round function and even round function are defined by and . Linear transformation is used after the last round.

##### 3.2. Description of mCrypton

mCrypton is a 12-round and 64-bit block cipher with three key size options (64 bits, 96 bits, and 128 bits). Since mCrypton is based on Crypton, the main concepts of description are very similar to ones of Crypton. The round function of mCrypton also consists of four steps as follows.

*Nonlinear Substitution **.* It consists of nibblewise substitutions on a 4 × 4 array using four 4-bit -boxes, , .

*Bit Permutation **.* It mixes each column 4 × 4 array using column permutation for each column :
where are the th column of .

Each is defined by where a column and a column .

*Byte Transposition **.* It moves the nibble at the th position to the th position; that is, . So .

*Key Addition **. * is defined by , where is a round key.

Like Crypton, mCrypton also can be described as where .

In this paper, we focus on the 128-bit key version of the mCrypton that is composed of 12 rounds.

#### 4. Biclique Cryptanalysis of Crypton-256

In this section, we describe a biclique attack with dimension 8 on the full 12-round Crypton-256. We recover secret key by constructing biclique using independent related-key differentials.

##### 4.1. Key Partitioning and Constructing Biclique for 4 Rounds

We describe how to partition key groups of Crypton-256 in this section. Key schedule of Crypton-256 expands master key, and then all of the round keys are uniquely determined by expanded keys. Therefore, if an expanded key is recovered, the mater key is derived. Indices of 32-bit expanded keys used for generating round keys in each round are listed in Table 3.

The base keys are all 2^{240} 32-byte values with two bytes fixed to 0 ( and , which is derived from and , resp.), but the remaining 30 bytes changes over all values:

We Find second byte of and and fourth byte of and give construction of biclique. Therefore the set of keys which is considering combined -differentials with respect to the base key , is determined by all possible and in the following positions:

Now, we explain how to construct biclique for 4 rounds of Crypton-256 with dimension 8 . Let be the subcipher from Round 9 to final round of Crypton-256. Let the key maps an intermediate state to a ciphertext , . Consider previously explained two related-key differentials.

-*Differentials.* The -differentials are derived from the difference where the difference of the expanded key is in the following positions:

*-Differentials.* The -differentials are derived from the difference where the difference of the expanded key is in the following positions:

Both -differentials and -differentials are depicted in Figure 2. Since those two differentials do not share active -boxes, one can easily obtain the following differentials with respect to the : Hence we can confirm a construction of biclique with dimension 8.

##### 4.2. Key Recovery for the Crypton-256

We describe the key recovery procedure using constructed 4-round biclique for the full Crypton-256. For further explanation, let be a composition of and , . Then Crypton-256, , is the composition of the subciphers as follows: where is the subcipher from Round 0 to 4, and is the subcipher from Round 5 to 8 of Crypton-256. Assume that the plaintext corresponding to each ciphertext in a constructed 4-round biclique is obtained by a decryption oracle.

The adversary finds a candidate key in the following* key testing* step by computing the only 1 byte of intermediate variable :
One can perform key recovery procedure by the following steps, precomputation and recomputations.

*Precomputation.* This step is a preparation phase for an efficient meet-in-the-middle attack. As in Section 2.3, one computes and stores (7) with encryptions and decryptions. In Crypton-256, we consider an intermediate matching variable byte in the output of Round 4 as the byte in the following position:

In precomputation step, first we consider forward direction, from an initial round to Round 4. For all , the adversary computes of the output in Round 4 from with . And one stores it as with the intermediate states and subkeys in memory. On the other hand, in backward direction, let us consider subcipher of Crypton-256 from Round 5 to 8. For all , one computes from with and stores it as with the intermediate states and subkeys in memory. And then we check (16) for every , by recomputing those variables which differ from the bytes stored in memory, considering forward and backward directions.

*Backward Recomputation.* In this step, we explain how to recompute difference between and stored one, . This difference is influenced by the key difference between and . By key schedule of Crypton-256, the difference in the subkey of Round 8 is two bytes of 16 bytes. The bytes to be recomputed, which include 29 -boxes, are illustrated in Figure 3.

*Forward Recomputation.* Recomputing difference, between and stored one, , is influenced by the key difference between and . By the key schedule, the difference in the subkey of Round 8 is two bytes of 16 bytes. The bytes to be recomputed, which include 10 -boxes, are depicted in Figure 4.

By these recomputations of two directions, the adversary would make sure whether corresponding key satisfies (16). If it satisfies (16), the adversary should check matching the whole bytes at output of Round 4 (input of Round 5) for , , and . If the adversary cannot find the right key, then one should choose another key group and repeat the above procedures.

##### 4.3. Complexities

Let be the complexity of constructing a biclique. In our cryptanalysis, it is at most 8-round computations, where and . Let be the complexity of the precomputation for the matching in (16). And is the complexity of the recomputation of the byte . Approximately 2.438 byte substitution operations (39 -boxes) are required in recomputation. is the complexity caused by false positives, which have to be matched on other byte positions. Since the matching in (16) is performed on a single byte, is less than computations. Therefore, the total complexity of the biclique cryptanalysis on the full Cryption-256 is as follows: where : , : , : , and : .

Consequentially, the total complexity is
Although the -differential affects all bytes of the ciphertext, only two bytes have 8-bit difference and the remaining bytes have only 6-bit difference. So, 28-bit ciphertext has no difference. As a result, the data complexity does not exceed 2^{100}.

#### 5. Biclique Cryptanalysis of mCrypton-128

In this section, we describe a biclique cryptanalysis with dimension 8 on the full mCrypton-128. We recover secret key by constructing a 4-round biclique using independent related-key differentials.

##### 5.1. Key Partitioning and Constructing Biclique for 4 Rounds

By the key schedule of mCrypton-128 in Table 4, all of the round keys are uniquely determined by the master key . We find that some bits of , , , and give construction of a biclique. The base keys are all 2^{112} 32 nibbles at Round 11 and 12 with 16 bits fixed to 0, in the following positions:

And the set of keys , which is considering combined -differentials with respect to the base key , is determined by all possible and in the following positions:

Now, we explain how to construct a biclique for 4 rounds of mCrypton-128. Consider the following two related-key differentials. Let be the subcipher from Round 9 to final round of mCrypton-128. Let the key maps an intermediate state to a ciphertext , . Consider the two related-key differentials.

-*Differentials.* The -differentials are derived from the following difference :

-*Differentials.* The -differentials are derived from the following difference :

-differentials and -differentials are depicted in Figure 5. We construct a 4-round biclique with dimension 8.

##### 5.2. Key Recovery for the mCrypton-128

Let us explain the key recovery procedure using the 4-round biclique for the full round of mCrypton-128. The adversary finds the right key in the following* key testing* step by checking the only 1 nibble of intermediate variable in (16).

*Precomputation.* As explained in Section 4.2 for Crypton-256, in mCrypton-128, we consider an intermediate matching variable in the output of Round 4 as the byte in the following position:

In this step, we first consider forward direction, from initial round to Round 4 of mCrypton-128. For all , the adversary computes of the output of Round 4, from and . And one stores it as with the intermediate states and subkeys in memory. On the other hand, in backward direction, we consider Rounds from 5 to 8. For all , one computes from and and stores it as with the intermediate states and subkeys in memory. Then we check (16) for every , by recomputing those variables which differ from the variables stored in memory considering forward and backward direction.

*Backward Recomputation.* In backward direction, we look at how the computation differs from stored one, . The area to be recomputed, which includes 25 -boxes, is illustrated in Figure 6.

*Forward Recomputation.* Let us figure out how the computation differs from stored one, . The area to be recomputed, which includes 30 -boxes, is depicted in Figure 7.

By those recomputations of two directions, the adversary would make sure whether corresponding key satisfies (16). If it is satisfied (16), the candidate key is right key with high probability. Otherwise, the adversary should choose another key group and repeat the above procedures again.

##### 5.3. Complexities

We construct a biclique for 4 rounds of mCrypton-128 where the dimension is 8. The -differentials are based on the difference in 4-bits of and , and -differentials are based on the difference in 4 bits of and . Approximately 3.4375 nonlinear substitution operations (55 -boxes) are required in recomputation: : , : , : , : .Consequentially, the total complexity is
In ciphertext, four nibbles have 4-bit difference and the remaining 12 nibbles have only 3-bit difference. Also 12 bits of ciphertext have zero difference. Hence the data complexity does not exceed 2^{52}.

#### 6. Conclusions

We use bicliques to recover master key for the full rounds of Crypton-256 and mCrypton-128 with the computation complexity of 2^{253.78} and 2^{126.5}, respectively. This is the first single-key full-round attack for the Crypton-256. And our result on the mCrypton-128 with 4-round bicliques is better than the known biclique cryptanalysis result with 3-round bicliques in terms of computational time complexity.

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.