Biclique Cryptanalysis of Lightweight Block Ciphers PRESENT, Piccolo and LED

In this paper, we evaluate the security of lightweight block ciphers PRESENT, Piccolo and LED against biclique cryptanalysis. To recover the secret key of PRESENT-80/128, our attacks require $2^{79.76}$ full PRESENT-80 encryptions and $2^{127.91}$ full PRESENT-128 encryptions, respectively. Our attacks on Piccolo-80/128 require computational complexities of $2^{79.13}$ and $2^{127.35}$, respectively. The attack on a $29$-round reduced LED-64 needs $2^{63.58}$ 29-round reduced LED-64 encryptions. In the cases of LED-80/96/128, we propose the attacks on two versions. First, to recover the secret key of $45$-round reduced LED-80/96/128, our attacks require computational complexities of $2^{79.45}, 2^{95.45}$ and $2^{127.45}$, respectively. To attack the full version, we require computational complexities of $2^{79.37}, 2^{95.37}$ and $2^{127.37}$, respectively. However, in these cases, we need the full codebook. These results are superior to known biclique cryptanalytic results on them

Low Data Complexity Biclique Cryptanalysis of Block Ciphers with Application to Piccolo and HIGHT

In this paper, we present a framework for biclique cryptanalysis of block ciphers with an extremely low data complexity. To that end, we enjoy a new representation of biclique attack. Then an algorithm for choosing two dierential characteristics is also presented to simultaneously minimize the data complexity and control the computational complexity. Then we characterize those block ciphers that are vulnerable to this technique and among them, we apply this attack on lightweight block ciphers Piccolo-80, Piccolo-128 and HIGHT. The data complexities of these attacks are considerably less than the existing results. For full-round Piccolo-80 and 128, the data complexity of the attacks are only 16 plaintext-ciphertext pairs and for full-round HIGHT our attack requires 256 pairs. In all attacks the computational complexity remains the same as the previous ones or even it is slightly improved

PICO : An Ultra Lightweight and Low Power Encryption Design for Ubiquitous Computing

An ultra-lightweight, a very compact block cipher ‘PICO’ is proposed. PICO is a substitution and permutation based network, which operates on a 64 bit plain text and supports a key length of 128 bits. It has a compact structure and requires 1877 GEs. Its innovative design helps to generate a large number of active S - boxes in fewer rounds which can thwart the linear and differential attacks on the cipher. PICO shows good performance on both the hardware and the software platforms. PICO consumes only 2504 bytes of Flash memory which is less than the ultra-lightweight cipher PRESENT. PICO has a very strong substitution layer (S-box) which not only makes the design robust but also introduces a great avalanche effect. PICO has a strong and compact key scheduling which is motivated by the latest cipher SPECK designed by NSA. PICO consumes 28 mW of dynamic power which is less than the PRESENT cipher (38 mW). The security analysis of PICO and its performance as an ultra-lightweight cipher are presented.

Biclique Cryptanalysis Of PRESENT, LED, And KLEIN

In this paper, we analyze the resistance of the lightweight ciphers PRESENT, LED, and KLEIN to biclique attacks. Primarily, we describe attacks on the full-round versions PRESENT-80, PRESENT-128, LED-64, LED-128, KLEIN-80, and KLEIN-96. Our attacks have time complexities of $2^{79.49}$, $2^{127.32}$, $2^{63.58}$, $2^{127.42}$, $2^{79.00}$, and $2^{95.18}$ encryptions, respectively. In addition, we consider attacks on round-reduced versions of PRESENT and LED, to show the security margin for which an adversary can obtain an advantage of at least a factor of two compared to exhaustive search

Improved Biclique Cryptanalysis of the Lightweight Block Cipher Piccolo

Biclique cryptanalysis is a typical attack through finding a biclique which is a type of bipartite diagram to reduce the computational complexity. By investigating the subkey distribution and the encryption structure, we find out a weakness in the key schedule of Piccolo-80. A 6-round biclique is constructed for Piccolo-80 and a 7-round biclique for Piccolo-128. Then a full round biclique cryptanalysis of Piccolo is presented. The results of the attacks are with data complexity of 240 and 224 chosen ciphertexts and with computational complexity of 279.22 and 2127.14, respectively. They are superior to other known results of biclique cryptanalytic on Piccolo

Biclique cryptanalysis of MIBS-80 and PRESENT-80

In this paper we present the first biclique cryptanalysis of MIBS block cipher and a new biclique cryptanalysis of PRESENT block cipher. These attacks are performed on full-round MIBS-80 and full-round PRESENT-80. Attack on MIBS- 80 uses matching without matrix method and has a data complexity upper bounded by $2^{52}$ chosen plaintext where it reduced security of this cipher about 1 bit. Attack on PRESENT-80 has a data complexity of at most $2^{22}$ chosen plaintexts and computational complexity of $2^{79.37}$ encryptions that both complexities are lower than other cryptanalyses of PRESENT-80 so far

RAGHAV: A new low power S-P network encryption design for resource constrained environment

This paper proposes a new ultra lightweight cipher RAGHAV. RAGHAV is a Substitution-Permutation (SP) network, which operates on 64 bit plaintext and supports a 128/80 bit key scheduling. It needs only 994.25 GEs by using 0.13µm ASIC technology for a 128 bit key scheduling. It also needs less memory i.e. 2204 bytes of FLASH memory , which is less as compared to all existing S-P network lightweight ciphers. This paper presents a complete security analysis of RAGHAV, which includes basic attacks like linear cryptanalysis and differential cryptanalysis. This paper also covers advanced attack like zero correlation attack, Biclique attack, Algebraic attack, Avalanche effect, key collision attack and key schedule attack. In this cipher,use of block permutation helps the design to improve the throughput. RAGHAV cipher uses 8 bit permutations with S-Box which results in better diffusion mechanism. RAGHAV consumes very less power around 24mW which is less as compared to all existing lightweight ciphers. RAGHAV cipher scores on all design metrics and is best suited for applications like IoT