Bit-level evaluation of piccolo block cipher by satisfiability problem solver.

In the field of symmetric key cryptography, the security against distinguishing attacks is one of the crucial security requirements. With advancements in computing capabilities and cryptanalysis techniques in recent years, more efficient methods have been proposed for exploring distinguishers using Mixed-Integer Linear Programing (MILP) or satisfiability problem (SAT), thereby updating the security bounds of various ciphers. Piccolo is a lightweight block cipher proposed at CHES in 2011, with support 80-bit and 128-bit keys. Designers have undergone a rough security evaluation against differential, impossible differential, and related-key differential attacks, based on nibble-wise estimations due to the limitation of computational resource. Here, the authors perform bit-level evaluations on Piccolo block cipher against differential, integral and impossible differential attacks by leveraging SAT-based approaches. For the first time, the authors succeed in identifying optimal differential distinguisher on 6 rounds in the single key setting, and on 10/12 rounds in the related-key setting for 80-bit and 128-bit keys, respectively. For integral attacks, the authors find integral distinguisher up to 7 rounds. Although the number of attacked rounds is the same as that of the previous attack, the authors find the 56th ordered integral distinguisher, which enable reducing the data complexity for attacks from 2(63) to 2(56). As a result, the authors find the 7-round impossible differentials which is the same number of rounds as the previous nibble-wise evaluation.