Linear Cryptanalysis Reduced Round of Piccolo-80

  • Tomer Ashur
  • Orr Dunkelman
  • Nael MasalhaEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11527)


Piccolo is a 64-bit lightweight block cipher suitable for constrained environments such as wireless sensor networks. In this paper we evaluate the security of Piccolo-80 against linear cryptanalysis, we present a 6-round linear approximation of Piccolo-80 with probability \(1/2 + 2^{-29.04}\). We use this approximation to attack 7-round Piccolo-80 (with whitening keys) with data complexity of \(2^{61}\) known plaintexts and time complexity of \(2^{61}\). Its extension to an 8-round attack merely increases the time complexity to \(2^{70}\). This is the best linear attack against Piccolo-80 and it is also applicable to Piccolo-128 as the difference between the two variates is only the number of rounds and the key schedule algorithm. Moreover, we show that the bias in the approximation of the F-function, in some cases, is related to the MSB of the input. We utilize this relation to efficiently extract the MSBs of the whitening keys in the first round.


Piccolo Linear cryptanalysis 


  1. 1.
    Azimi, S.A., Ahmadian, Z., Mohajeri, J., Aref, M.R.: Impossible differential cryptanalysis of piccolo lightweight block cipher. In: 2014 11th International ISC Conference on Information Security and Cryptology (ISCISC), pp. 89–94. IEEE (2014)Google Scholar
  2. 2.
    Biham, E.: On Matsui’s linear cryptanalysis. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 341–355. Springer, Heidelberg (1995). Scholar
  3. 3.
    Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999). Scholar
  4. 4.
    Biham, E., Dunkelman, O., Keller, N.: Linear cryptanalysis of reduced round serpent. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 16–27. Springer, Heidelberg (2002). Scholar
  5. 5.
    Biham, E., Perle, S.: Conditional linear cryptanalysis - cryptanalysis of DES with less than 242 complexity. IACR Trans. Symmetric Cryptol. 2018(3), 215–264 (2018)Google Scholar
  6. 6.
    Bogdanov, A., Khovratovich, D., Rechberger, C.: Biclique cryptanalysis of the Full AES. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 344–371. Springer, Heidelberg (2011). Scholar
  7. 7.
    Bogdanov, A., Rechberger, C.: A 3-subset meet-in-the-middle attack: cryptanalysis of the lightweight block cipher KTANTAN. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 229–240. Springer, Heidelberg (2011). Scholar
  8. 8.
    Collard, B., Standaert, F.-X., Quisquater, J.-J.: Improving the time complexity of Matsui’s linear cryptanalysis. In: Nam, K.-H., Rhee, G. (eds.) ICISC 2007. LNCS, vol. 4817, pp. 77–88. Springer, Heidelberg (2007). Scholar
  9. 9.
    Fu, L., Jin, C., Li, X.: Multidimensional zero-correlation linear cryptanalysis of lightweight block cipher Piccolo-128. Secur. Commun. Netw. 9(17), 4520–4535 (2016)CrossRefGoogle Scholar
  10. 10.
    Isobe, T., Shibutani, K.: Security analysis of the lightweight block ciphers XTEA, LED and Piccolo. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 71–86. Springer, Heidelberg (2012). Scholar
  11. 11.
    Jeong, K., Kang, H., Lee, C., Sung, J., Hong, S.: Biclique cryptanalysis of lightweight block ciphers present, piccolo and LED. IACR Cryptology ePrint Archive 2012, 621 (2012)Google Scholar
  12. 12.
    Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). Scholar
  13. 13.
    Matsui, M.: The first experimental cryptanalysis of the data encryption standard. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 1–11. Springer, Heidelberg (1994). Scholar
  14. 14.
    Minier, M.: On the security of Piccolo lightweight block cipher against related-key impossible differentials. In: Paul, G., Vaudenay, S. (eds.) INDOCRYPT 2013. LNCS, vol. 8250, pp. 308–318. Springer, Cham (2013). Scholar
  15. 15.
    Selçuk, A.A.: On probability of success in linear and differential cryptanalysis. J. Cryptology 21(1), 131–147 (2008)MathSciNetCrossRefGoogle Scholar
  16. 16.
    Shibutani, K., Isobe, T., Hiwatari, H., Mitsuda, A., Akishita, T., Shirai, T.: Piccolo: an ultra-lightweight blockcipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 342–357. Springer, Heidelberg (2011). Scholar
  17. 17.
    Tolba, M., Abdelkhalek, A., Youssef, A.M.: Meet-in-the-middle attacks on reduced round piccolo. In: Güneysu, T., Leander, G., Moradi, A. (eds.) LightSec 2015. LNCS, vol. 9542, pp. 3–20. Springer, Cham (2016). Scholar
  18. 18.
    Wang, Y., Wu, W., Yu, X.: Biclique cryptanalysis of reduced-round piccolo block cipher. In: Ryan, M.D., Smyth, B., Wang, G. (eds.) ISPEC 2012. LNCS, vol. 7232, pp. 337–352. Springer, Heidelberg (2012). Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Department of Electrical Engineering, ESAT/COSICKU LeuvenLeuvenBelgium
  2. 2.iMindsLeuvenBelgium
  3. 3.Department of Computer ScienceUniversity of HaifaHaifaIsrael

Personalised recommendations