## Cryptology ePrint Archive: Report 2015/754

Related-Key Attack on Full-Round PICARO

Anne Canteaut and Virginie Lallemand and María Naya-Plasencia

Abstract: Side-channel cryptanalysis is a very efficient class of attacks that recovers secret information by exploiting the physical leakage of a device executing a cryptographic computation. To adress this type of attack, many countermeasures have been proposed, and some papers adressed the question of constructing an efficient masking scheme for existing ciphers. In their work, G.~Piret, T.~Roche and C.~Carlet took the problem the other way around and specifically designed a cipher that would be easy to mask. Their careful analysis, that started with the design of an adapted Sbox, leads to the construction of a 12-round Feistel cipher named PICARO. In this paper, we present the first full-round cryptanalysis of this cipher and show how to recover the key in the related-key model. Our analysis takes advantage of the low diffusion of the key schedule together with the non-bijectivity of PICARO Sbox. Our best trade-off has a time complexity equivalent to $2^{107.4}$ encryptions, a data complexity of $2^{99}$ plaintexts and requires to store $2^{17}$ (plaintext, ciphertext) pairs.

Category / Keywords: secret-key cryptography / related-key attack, differential cryptanalysis, PICARO

Original Publication (in the same form): SAC 2015