Abstract

The lightweight block cipher Piccolo adopts a Generalized Feistel Network structure with a 64-bit block size. It supports 80-bit or 128-bit keys, denoted Piccolo-80 and Piccolo-128, respectively. In this paper, we examine the security of reduced-round versions of Piccolo starting from the first round with the pre-whitening layer, which shows the vulnerability of the original Piccolo. We first study some linear relations among the round subkeys and the properties of the linear layer. Based on them, we evaluate the security of Piccolo-80/128 against the meet-in-the-middle attack. Finally, we attack 13 rounds of Piccolo-80 by applying a 5-round distinguisher, which requires $2^{44}$ chosen plaintexts, $2^{67.39}$ encryptions and $2^{64.91}$ blocks. Moreover, we also attack 17 rounds of Piccolo-128 by using a 7-round distinguisher, which requires $2^{44}$ chosen plaintexts, $2^{126}$ encryptions and $2^{125.49}$ blocks. Compared with the previous cryptanalytic results, our results are currently the best ones when considering Piccolo from the first round with the pre-whitening layer.
