Abstract

Biclique cryptanalysis is a typical attack that reduces the computational complexity by finding a biclique, which is a type of bipartite graph. By investigating the subkey distribution and the encryption structure, we find a weakness in the key schedule of Piccolo-80. A 6-round biclique is constructed for Piccolo-80 and a 7-round biclique for Piccolo-128. Then a full round biclique cryptanalysis of Piccolo is presented. The attacks have data complexity of $2^{40}$ and $2^{24}$ chosen ciphertexts and computational complexity of $2^{79.22}$ and $2^{127.14}$, respectively. They are superior to other known biclique cryptanalysis results on Piccolo.

1. Introduction

In ASIACRYPT 2011, Bogdanov et al. proposed biclique cryptanalysis for recovering the keys of the full AES-128/192/256 [1]; it is a type of meet-in-the-middle attack and a recent cryptanalysis technique for block ciphers. In [1], they gave two techniques for constructing bicliques for AES. One is the independent related-key differentials biclique and the other is the long biclique. Soon after the paper was published, a great many cryptanalytic results on other block ciphers were presented.

The crucial issue of the technology is to construct a superior biclique structure at the ciphertext (or plaintext). In a biclique, one top set comprises ciphertexts (or plaintexts) while the other set is composed of   intermediate states. If , the biclique structure is called a d-dimension ( in this paper). In some constrained environments, for example, RFID tags or sensor nodes, the size of the secret key is typically 64, 80, or 128 bits. A lot of attacks on lightweight block cipher by using biclique have been published, such as Piccolo [2], IDEA [3], HIGHT [4, 5], LED [6], PRESENT [7, 8], TWINE [9, 10], and KLEIN [11].

The meet-in-the-middle (MITM) attack is a representative method used in the security evaluation of block ciphers, and its exceptional property is that it needs only minimal data complexity. In recent years, many variants have emerged, for example, 3-subset MITM [12]. Many methods carry out preimage attacks on hash functions [13]; they consist of the splice-and-cut framework, partial matching, and so forth. Using the key expansion algorithm, an adversary can construct a structure and filter out wrong keys through partial matching, which is the important idea of the method.

Piccolo is a 64-bit block cipher. In accordance with the different length of the key, we signify the ciphers by Piccolo-80/128, respectively [14]. In ISPEC 2012, Wang et al. presented a biclique attack on reduced round Piccolo [2]. They attacked a 25-round Piccolo-80 with $2^{48}$ chosen plaintexts and $2^{78.95}$ computations. In the case of a 28-round Piccolo-128, this attack required chosen plaintexts and $2^{126.79}$ computations. However, the authors considered Piccolo-80 without the postwhitening key and Piccolo-128 without the prewhitening key. In [5], Song et al. proposed a full round biclique cryptanalysis on Piccolo-80 demanding $2^{48}$ chosen plaintexts and $2^{79.34}$ computations and on Piccolo-128 requiring $2^{24}$ chosen plaintexts and $2^{127.36}$ computations. In [15], we find two faults which are detailed in Section 4.1 in this paper. Compared to these results, ours are superior to theirs.

In this paper, we detect a weakness in the key schedule on Piccolo-80; that is, the round key can offset the postwhitening key partially. Based on this, the data complexity can be decreased greatly. We apply some observations on Piccolo in [16] and construct an independent related-key differentials biclique for the last several rounds. Then an 8-dimensional biclique structure of 6 rounds is constructed for Piccolo-80 and an 8-dimensional biclique structure of 7 rounds for Piccolo-128. The attacks are, respectively, with data complexity of $2^{40}$ and $2^{24}$, and with computational complexity of $2^{79.22}$ and $2^{127.14}$, which are the best results currently. The attack results on Piccolo are summarized in Tables 1 and 2.

The structure of the paper is as follows. Section 2 describes the structures of Piccolo-80 and Piccolo-128. Section 3 introduces briefly biclique cryptanalysis. Then, Section 4 presents the cryptanalysis with an 8-dimensional biclique of 6 rounds on full round Piccolo-80 and with a biclique structure of 7 rounds on full round Piccolo-128. The data complexity and computational complexity on Piccolo-80 and Piccolo-128 are given, respectively. Finally, we draw our conclusion in Section 5.

2. Piccolo Specifications

2.1. Notations

: bit-wise exclusive or (XOR).: iterative rounds.: concatenation.: the th 16-bit group of the key for Piccolo-80, for Piccolo-128).: the 16-bit whitening key .: the 16-bit round key for Piccolo-80, for Piccolo-128).: a 16-bit round constant.: denoting the bit length of .: 64-bit plaintext, including four 16-bit words .: 64-bit ciphertext, including four 16-bit words .(64): the th and th byte of the state after F-Function in th round.

2.2. Description of Piccolo

The structure of Piccolo is a variation of generalized Feistel, as shown in Figure 1. Piccolo-80/128 supports 80-bit and 128-bit key sizes along with 25 and 31 rounds, respectively.

The detailed descriptions of Piccolo are in [14], and each round of Piccolo consists of the following 3 steps:
(1) F-Function (FF), being composed of two S-box layers and a diffusion matrix M.
(2) AddRoundKey (AK), the 64-bit intermediate state XORs a round key.
(3) RoundPermutation (RP), which splits a 64-bit input into eight bytes and then maps them.

2.3. Key Schedule

The key schedule of Piccolo is straightforward and simple. Firstly, the 80-bit master key of Piccolo-80 is represented by concatenation of five 2 bytes; that is, , where = (, ). The whitening keys () and the subkey () of 25 rounds are engendered as follows: = , = , = , = .For = 0 to

For Piccolo-128, the distribution of subkey is similar to that of Piccolo-80. The 128-bit master key is denoted by , where = (. The whitening keys and 31-round subkey are computed as follows: = , = , = , = .For = 0 to if ((i + 2) mod 8 0), then = ;

The specific subkeys of Piccolo-80/128 are illustrated in Table 3.

3. Biclique Attack on Piccolo

3.1. Definition of Biclique

Biclique cryptanalysis is an attack based on MITM. The major idea is to build bicliques on the target subcipher and promote the computational efficiency. The basic principles of the biclique attack are explained in [1]. Let be a several-round subcipher and is the inverse of . The maps intermediate states to ciphertexts with keys :

The 3-tuple [] is named a biclique with d-dimension, if

To avoid duplication, we do not explicate the detailed attack basis but three stages of the attack are described in more detail.

3.2. Biclique Cryptanalysis of Piccolo-80
3.2.1. Phase 1: Key Partitioning

For greater clarity, we divide the key into $2^{64}$ groups which have $2^{16}$ keys. The enumerates 64-bit keys and fixes 16-bit keys with 016. As depicted in Section 2.3, each round has 32-bit subkey which is generated by master keys K[i] and K[j]. By investigating the subkey distribution (Table 3), an 8-dimensional biclique structure of 6 rounds is constructed by each right half of and , that is, and . We find of the round key can offset of the postwhitening key, so it can decrease the data complexity greatly. By calculation, the computational complexity is optimal so far.

The keys , and of each group are depicted, as shown below:

Finally,

Thus, the space of is divided into $2^{64}$ groups of $2^{16}$ keys each.

3.2.2. Phase 2: 8-Dimensional Biclique Structure of 6 Rounds

We construct an 8-dimensional biclique structure of 6 rounds for Piccolo-80 with whitening keys for each group (Figure 2). The biclique structure connects $2^{8}$ ciphertexts to $2^{8}$ intermediate states in each group of keys. The process of calculating the ciphertexts and intermediate states consists of the following 3 steps.

Step 1. Let and decrypt for 6 rounds to obtain (Figure 2(a)); that is, = . The procedure is named basic calculation.

Step 2. In order to get the corresponding ciphertext , encrypt using different keys for (Figure 2(c)). The differences between and can lead to the gray intermediate states’ differences and cause the computational complexity. The gray intermediate states need to be computed times, whereas the remaining states are calculated just once because they have been already computed in Step . This step derives .

Step 3. To get the corresponding states , decrypt using different keys for (Figure 2(b)). The differences between and can bring about the gray intermediate states’ differences. The gray intermediate states need to be computed times, whereas the remaining states have been already computed. As a result, has been constructed.

Thanks to the simplicity of the distribution of the subkey of Piccolo, the two differential paths do not share any active state. Fortunately, it is so easy to verify that is always true for all . Up to now, for each key group, we get a corresponding 8-dimensional biclique structure as discussed above.

From Figure 2, we find a weakness in the key schedule of Piccolo-80; that is, of the round key can offset of the postwhitening key. So it can reduce the data complexity greatly. The calculations of complexities are presented in Section 4.2.

3.2.3. Phase 3: Meeting in the Middle over 19 Rounds

Choose a 16-bit internal state () after F-Function in round 9, as the intermediate matching variable (see Figure 3). The choice is made according to the total number of F-Function and an effective filtering of the wrong keys. Next, we calculate these matching variates in both directions in order to obtain the accurate key.

Backward Direction. Each value of the state is decrypted under the key to derive . After that, is decrypted using all the possible keys to get  . Because of the same beginning, the key differences between and can cause the computational complexity. On Figure 3(b), the gray bytes are active and the white bytes need not be computed.

Forward Direction. The procedure of forward direction is a bit more complex than the backward direction in calculation. Firstly, we decrypt the ciphertexts for to obtain plaintexts . Secondly, each is encrypted under the key to derive . After that, is encrypted using all the possible keys to obtain . The differences between and can influence the computational complexity. On Figure 3(a), the gray bytes are active and the white bytes need not be computed.

Search Candidates. In the last stage of the attack, the adversary verifies the remaining candidate keys by the equality of and for all in each group exhaustively, until the right key is discovered.

3.3. Biclique Cryptanalysis of Piccolo-128
3.3.1. Phase 1: Key Partitioning

We divide the 128-bit key into $2^{112}$ groups. enumerates 112-bit keys and fixes 16-bit keys with 016. By investigating the subkey distribution (Table 3), an 8-dimensional biclique structure of 7 rounds is constructed by each left half of and , that is, and . The computational complexity of this structure is less than others’.

Similar to Piccolo-80, the keys , and of each group are depicted, as shown below:

Finally,

Thus, the key space of K is divided into groups of keys each.

3.3.2. Phase 2: 8-Dimensional Biclique Structure of 7 Rounds

We construct an 8-dimensional biclique structure of 7 rounds for Piccolo-128 for each group (Figure 4). Here, is subciphers for rounds 24 to 30 and is the inverse of . The process of calculating the ciphertexts and intermediate states consists of the following 3 steps.

Step 1. Let and decrypt for 7 rounds to obtain (Figure 4(a)); that is, = .

Step 2. Encrypt using different keys for (Figure 4(c)). The differences between and can influence the gray intermediate states’ differences. This step derives .

Step 3. Decrypt using different keys for (Figure 4(b)). The differences between and can bring about the gray intermediate states’ differences. As a result, has been constructed.

Thanks to the simplicity of the distribution of the subkey of Piccolo-128, it is also very easy to verify that is always true for all . Up to now, for each key group, we get a corresponding 8-dimensional biclique structure.

3.3.3. Phase 3: Meeting in the Middle over 24 Rounds

Select a 16-bit internal state () after F-Function in round 12, as the intermediate matching variable (see Figure 5). Next, we calculate these matching variates in both directions in order to obtain the right key.

Backward Direction. Each value of the state is decrypted under the key to obtain . After that, is decrypted using all the possible keys to get . On Figure 5(b), the gray bytes are active and the white bytes do not need to be computed.

Forward Direction. Firstly, we decrypt the ciphertexts for to obtain plaintexts . Secondly, each is encrypted under the key to obtain . Then, is encrypted using all the possible keys to get . On Figure 5(a), the gray bytes are active and the white bytes do not need to be computed.

Search Candidates. In the last stage of the attack, the adversary verifies the equality of and for all to discover the correct key.

3.4. Another Biclique Cryptanalysis of Piccolo-128

Similar to Section 3.3, we construct an 8-dimensional biclique structure of 5 rounds (rounds 26 to 30) for Piccolo-128 by each left half of and , that is, and (Figure 6).

In the phase of meeting in the middle over 26 rounds, we select a 16-bit internal state () after F-Function in round 13, as the intermediate matching variable.

4. Complexities

4.1. Comments on the Result of [15]

Jeong et al. applied biclique cryptanalysis to the lightweight block ciphers LED, Piccolo, and PRESENT in [15]. They used the concept of independent-biclique which included constructing biclique structure by independent related-key differentials and matching with precomputations. They found a limited and slow diffusion of the subkey distribution and encryption process. As a result, their attacks can discover the master key with computational complexities superior to an exhaustive search. However, we find two faults of their biclique cryptanalysis of Piccolo as follows:

Jeong et al. found that and gave the construction of an 8-dimensional biclique which was shown in Figure of [15]. The -differential affected only 6 bytes (, , , , , and ) which is drawn on Figure 7(a) (including the grid line byte) in this paper. As a result, the data complexity does not go beyond .

In the attack shown in Figure 7, it is clear that the left half of the round key can offset the left half of (the postwhitening key); that is, there is no difference in the grid line byte (). Based on this, the biclique cryptanalysis of Jeong et al. goes wrong.

So, the -differential affects only 5 bytes (, , , , and ) of the ciphertext and the data complexity does not go beyond . The correct difference path does not include the grid line byte ().

Jeong et al. thought that only 2 bytes were active in the decryption of 17th round in backward direction for Piccolo-80 of recomputation, shown in Figure of [15]. 13 F-Functions (without the grid line) were computed times and 4 F-Functions were computed once. They are drawn on Figure 7(b) in this paper. Then the total complexity of this step is F-Functions.

It is clear that 6 bytes of intermediate are active in the decryption of 17th round in backward direction for Piccolo-80 of recomputation and all bytes are active of 16th round. Based on these, their computational complexity of this step goes wrong.

So, 15 F-Functions (including the grid line) are computed times and 2 F-Functions are computed once. Then the total complexity of this step is F-Functions. The correct difference path includes the grid line bytes.

Similarly, 3 bytes but not one byte are active in the decryption of 22nd round in backward direction for Piccolo-128 of recomputation and they are shown in Figure of [15]. 20 rather than 18 F-Functions are computed times and 3 instead of 5 F-Functions are computed once.

4.2. Complexities of Biclique Cryptanalysis on Piccolo-80
4.2.1. Data Complexity

By analyzing the key schedule, we find a weakness in the key schedule on Piccolo-80; that is, the round key can offset the postwhitening key partially (see Figure 2). Based on this, the data complexity can be reduced greatly.

The amount of ciphertexts to be decrypted dominates the data complexity (Figure 2). For each biclique structure, let . All the ciphertexts share the equal values in 3 bytes (, , and , i.e., white bytes), so the data complexity does not go beyond .
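The cancellation behind this bound can be checked on a skeleton of the last six rounds. This is an added example, not the authors' code: the round-key assignment, RoundPermutation and whitening keys follow the Piccolo specification [14] as recalled here, F is a hash-based stand-in (the cancellation does not depend on F), and placing the key difference in one byte of K[4] is an assumption because the page's symbols for the chosen key halves are lost.

```python
# Added illustration, not code from the paper.
import hashlib
import random

RP = (2, 7, 4, 1, 6, 3, 0, 5)   # RoundPermutation: new byte j = old byte RP[j]
# Master-key words feeding (rk_2i, rk_2i+1) of Piccolo-80, indexed by i mod 5.
RK_WORDS = {0: (2, 3), 1: (0, 1), 2: (2, 3), 3: (4, 4), 4: (0, 1)}

def F(x):
    """Stand-in keyless 16-bit function; NOT Piccolo's real S-box/matrix F."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(2, "big")).digest()[:2], "big")

def to_bytes(words):
    return [b for w in words for b in (w >> 8, w & 0xFF)]

def last_rounds(state, k, whiten=True, first=19, rounds=25):
    """Run rounds first..rounds-1 (0-based) of the Piccolo-80 skeleton, then the
    postwhitening keys wk2 = k4L|k3R and wk3 = k3L|k4R. Round constants are
    omitted because they cancel in any XOR difference."""
    x = list(state)
    for i in range(first, rounds):
        a, b = RK_WORDS[i % 5]
        x[1] ^= F(x[0]) ^ k[a]
        x[3] ^= F(x[2]) ^ k[b]
        if i != rounds - 1:      # the final round has no permutation
            old = to_bytes(x)
            new = [old[RP[j]] for j in range(8)]
            x = [(new[2 * j] << 8) | new[2 * j + 1] for j in range(4)]
    if whiten:
        x[0] ^= (k[4] & 0xFF00) | (k[3] & 0x00FF)
        x[2] ^= (k[3] & 0xFF00) | (k[4] & 0x00FF)
    return to_bytes(x)

def active_ciphertext_bytes(word, half, whiten=True, trials=32, seed=1):
    """Ciphertext byte positions that ever change when one byte ('L' or 'R'
    half) of master-key word `word` takes all 255 nonzero differences.
    States and keys are constructed at random from a fixed seed."""
    rng = random.Random(seed)
    shift = 8 if half == "L" else 0
    active = set()
    for _ in range(trials):
        state = [rng.getrandbits(16) for _ in range(4)]
        k = [rng.getrandbits(16) for _ in range(5)]
        base = last_rounds(state, k, whiten)
        for d in range(1, 256):
            k2 = list(k)
            k2[word] ^= d << shift
            other = last_rounds(state, k2, whiten)
            active |= {j for j in range(8) if base[j] != other[j]}
    return sorted(active)

def data_complexity_log2(active):
    """Ciphertexts of one biclique differ only in the active bytes."""
    return 8 * len(active)

if __name__ == "__main__":
    for half in ("R", "L"):
        raw = active_ciphertext_bytes(4, half, whiten=False)
        out = active_ciphertext_bytes(4, half, whiten=True)
        print(half, "before whitening:", raw, "after:", out,
              "data <= 2^%d" % data_complexity_log2(out))
```

Before whitening six ciphertext bytes are active; the postwhitening key removes one of them, leaving five active bytes and three constant ones. The left-half variant shows the same effect for the byte discussed in Section 4.1.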

4.2.2. Computational Complexity

The amount of the F-Functions to be computed determines the attack complexity. Each round of Piccolo-80 takes 2 F-Functions computations. So, the single encryption equals computed F-Functions. For each of groups of keys, the following calculation should be completed.

Biclique Complexity. 5 F-Functions (Figure 2(b), noted with gray) need to be computed times and 2 F-Functions (Figure 2(c), noted with gray) need to be computed times. The remaining 5 F-Functions are computed only once. Thus, this stage requires F-Functions computations in total. Then, the computational complexity of a biclique structure is about full round Piccolo-80 encryptions.

Matching Complexity. In forward direction, the differences between and dominate the computational complexity. On Figure 3(a), for a single , 14 F-Functions (noted with gray) are computed times, 3 F-Functions (noted with grid line) are computed only once, and 3 F-Functions (noted with white) do not need to be computed. So, the complexity of this process is F-Functions, which is about full round Piccolo-80 encryptions.

In backward direction, on Figure 3(b), for a single , 15 F-Functions (noted with gray) are computed times, 2 F-Functions (noted with grid line) are computed only once, and 1 F-Function (noted with white) need not be computed. So, the complexity of this process is () F-Functions, which is about full round Piccolo-80 encryptions.

Finally, key candidates are verified by a matching variable (16 bits) in each group, and the average of candidate key needs to be rechecked.

Thus, the total computational complexity of this attack on Piccolo-80 is

4.3. Complexities of Biclique Cryptanalysis on Piccolo-128
4.3.1. Data Complexity

For each biclique structure, let . All the ciphertexts share the equal values in 5 bytes (, , , , and , i.e., white bytes), so the data complexity does not go beyond (See Figure 4).

4.3.2. Computational Complexity

Each round of Piccolo-128 takes 2 F-Functions computations. So, the single encryption equals computed F-Functions. For each of groups of keys, the following calculation should be completed.

Biclique Complexity. 13 F-Functions (Figure 4(b), noted with gray) need to be computed times and 1 F-Function (Figure 4(c), noted with gray) needs to be computed times. Thus, this stage requires F-Functions computations in total. Then, the computational complexity of a biclique structure is about full round Piccolo-128 encryptions.

Matching Complexity. In forward direction, for a single , 16 F-Functions (noted with gray) are computed times, 7 F-Functions (noted with grid line) are computed only once, and 3 F-Functions (noted with white) do not need to be computed on Figure 5(a). So, the complexity of this process is F-Functions, which is about full round Piccolo-128 encryptions.

In backward direction, for a single , 18 F-functions (noted with gray) are computed times, 3 F-functions (noted with grid line) are computed only once, and 1 F-Function (noted with white) need not be computed on Figure 5(b). So, the complexity of this process is F-Functions, which is about full round Piccolo-128 encryptions.

Finally, key candidates are verified by a matching variate (16 bits) in each group, and the average of candidate key needs to be rechecked.

Thus, the total computational complexity of this attack on Piccolo-128 is
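The totals of Sections 4.2.2 and 4.3.2 can be recomputed from the F-Function counts given in the text. This is an added example, not the authors' code; it assumes that every "computed ... times" count means $2^{8}$ evaluations (the biclique dimension), that the forward and backward counts apply to each of the $2^{8}$ plaintexts and states (named P_i and S_j here), and that the total has the usual form of [1], the number of key groups times the per-group cost.

```python
# Added illustration, not code from the paper.
from math import log2

def biclique_attack_cost(key_bits, rounds, d, biclique_f, forward, backward,
                         match_bits=16):
    """Return log2 costs, in full encryptions, of each stage and of the attack.

    biclique_f : F-Function evaluations needed to build one biclique
    forward    : (recomputed, once) F-Function counts per plaintext P_i
    backward   : (recomputed, once) F-Function counts per state S_j
    Assumption: each 'recomputed' F-Function is evaluated 2^d times.
    """
    n = 2 ** d
    f_per_enc = 2 * rounds                       # two F-Functions per round
    stages = {
        "biclique": biclique_f / f_per_enc,
        "forward": n * (forward[0] * n + forward[1]) / f_per_enc,
        "backward": n * (backward[0] * n + backward[1]) / f_per_enc,
        # 2^(2d) keys per group filtered by a match_bits-wide matching variable
        "false_positives": 2 ** (2 * d - match_bits),
    }
    result = {name: log2(cost) for name, cost in stages.items()}
    # 2^(key_bits - 2d) key groups, each paying the sum of the stage costs
    result["total"] = (key_bits - 2 * d) + log2(sum(stages.values()))
    return result

def piccolo80():
    n = 2 ** 8
    # Section 4.2.2: 5 and 2 F-Functions recomputed, 5 computed once
    return biclique_attack_cost(80, 25, 8, biclique_f=5 * n + 2 * n + 5,
                                forward=(14, 3), backward=(15, 2))

def piccolo128():
    n = 2 ** 8
    # Section 4.3.2: 13 and 1 F-Functions recomputed
    return biclique_attack_cost(128, 31, 8, biclique_f=13 * n + 1 * n,
                                forward=(16, 7), backward=(18, 3))

if __name__ == "__main__":
    for name, res in (("Piccolo-80", piccolo80()), ("Piccolo-128", piccolo128())):
        print(name, {stage: round(v, 2) for stage, v in res.items()})
```

Under these assumptions the script gives totals that agree with the complexities stated in the abstract, and it shows that the two matching directions, not the biclique construction, dominate the cost.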

4.4. Complexities of Another Biclique Cryptanalysis on Piccolo-128
4.4.1. Data Complexity

For each biclique structure, let . All the ciphertexts share the equal values in 7 bytes (, , , , , , and , i.e., white bytes), so the data complexity does not go beyond (See Figure 6).

4.4.2. Computational Complexity

Biclique Complexity. This stage requires F-Functions computations in total. Then, the computational complexity of a biclique structure is about full round Piccolo-128 encryptions.

Matching Complexity. In forward direction, the complexity is F-Functions, which is about full round Piccolo-128 encryptions. In backward direction, the complexity is F-Functions, which is about full round Piccolo-128 encryptions.

Thus, the total computational complexity of this attack on Piccolo-128 is

5. Conclusion

Designers have given several attacks including linear cryptanalysis, impossible differential cryptanalysis, and MITM attack on security analysis for Piccolo. The best result was 3-subset MITM attacks on 14/21-round Piccolo-80/128 without the whitening key. The previous results and our results are summarized on Piccolo in Tables 1 and 2. Some results did not include whitening key; some attacks were reduced-round. However, our results are full round Piccolo-80/128.

By analyzing the distribution of the subkey and the structure of encryption, we find two faults of the results in [15] and a weakness in the key schedule on Piccolo-80. The two faults are depicted in Section 4.1. The weakness on Piccolo-80 is that the right half of the round key can offset the right half of the postwhitening key (Figure 2(c)). Based on this, the data complexity can be decreased greatly.

We use biclique cryptanalysis to recover the master key for the full round Piccolo-80 with a 6-round biclique and the full round Piccolo-128 with a 7-round biclique, respectively. The attacks require data complexity of and chosen ciphertexts and computational complexity of and , respectively. These results are superior to other biclique cryptanalytic results on Piccolo.

This result shows that biclique cryptanalysis can attack some ciphers with a simple key schedule and slow diffusion. So, the designers of lightweight ciphers need to consider not only the implementation efficiency, but also key schedule complexity and diffusion speed.

Conflicts of Interest

None of the authors declare any conflicts of interest.

Acknowledgments

This work is partially supported by National Natural Science Foundation of China (nos. 61272434, 61672330, and 61602287) and Nature Science Foundation of Shandong Province (no. ZR2013FQ021).