New Observations on Piccolo Block Cipher
Lecture Notes in Computer Science
To reduce the cost in hardware, key schedules of lightweight block ciphers are usually simple, and some are even direct linear transformations on master keys. Designers always add asymmetric round-dependent constants to prevent the well-known slide attack. For linear key schedules, the choice of round constants becomes important but lacks principles. In this paper, we aim at evaluating the robustness of the key schedule algorithm and summarizing some design principles for simple key
... We define a special kind of weak keys named linear-reflection weak keys, and their existence breaks the independence between different keys. For one weak key k, we can find another related weak key k' such that the decryption under k' can be linearly represented by the encryption under k. For a block cipher, the number of rounds that exhibit linear-reflection weak keys should be as small as possible. Besides, an automatic searching algorithm is designed to find weak keys for Piccolo ciphers. Results show that 7-round Piccolo-80 and 10-round Piccolo-128 both have many weak keys. Furthermore, we also find some special features of the key schedule of Piccolo-128. One of them is used to show that the round permutation RP in Piccolo-128 should not be allowed to be self-inverse. Another is applied to show an efficient pseudo-preimage attack on a hash function based on full-round Piccolo-128. The results do not threaten the application of Piccolo in the secret-key setting but reveal the weakness of Piccolo-128's key schedule algorithm to some extent. We expect that the results of our paper may guide the design of key schedules for block ciphers, especially the design of round constants for simple key schedules.

C = (P0, P1 ⊕ k2 ⊕ 0x071c ⊕ k'2 ⊕ 0x3f12, P2, P3 ⊕ k3 ⊕ 0x293d ⊕ k'3 ⊕ 0x353a) = (P0, P1 ⊕ y ⊕ z ⊕ 0x2a20, P2, P3 ⊕ y ⊕ z ⊕ 0x0e29).