Meet-in-the-Middle Attacks on Reduced Round Piccolo

Piccolo is a lightweight block cipher designed by Sony Corporation and published in CHES 2011. It inherits the Generalized Feistel Network (GFN) structure and operates on a 64-bit state. It has two versions; Piccolo-80 and Piccolo-128 with 80-bit and 128-bit keys, respectively. In this paper, we propose meet-in-the-middle attacks on 14-round reduced Piccolo-80 and 16, 17-round reduced Piccolo-128. First, we build a 5-round distinguisher by using specific properties of the linear transformation of Piccolo. This 5-round distinguisher is then used to launch a 14-round attack on Piccolo-80. As Piccolo-128 uses a different key schedule than what is used in Piccolo-80, we utilize the key dependent sieving technique to construct a 7-round distinguisher which is then employed to mount an attack on 16-round reduced Piccolo-128. To extend the attack to 17 rounds, we build a different 6-round distinguisher. For Piccolo-80, the time, data, and memory complexities of the 14-round attack are 2 encryptions, 2 chosen plaintexts, and 2 64-bit blocks, respectively. For Piccolo-128, the data complexity of both the 16-round and 17-round attacks is 2 chosen plaintexts. The time and memory complexities of the 16-round (resp. 17-round) attack are 2 (resp. 2) encryptions, and 2 (resp. 2) 64-bit blocks. To the best of our knowledge, these are currently the best published attacks on both Piccolo-80 and Piccolo-128.