Paper 2015/754

Related-Key Attack on Full-Round PICARO

Anne Canteaut, Virginie Lallemand, and María Naya-Plasencia


Side-channel cryptanalysis is a very efficient class of attacks that recovers secret information by exploiting the physical leakage of a device executing a cryptographic computation. To adress this type of attack, many countermeasures have been proposed, and some papers adressed the question of constructing an efficient masking scheme for existing ciphers. In their work, G.~Piret, T.~Roche and C.~Carlet took the problem the other way around and specifically designed a cipher that would be easy to mask. Their careful analysis, that started with the design of an adapted Sbox, leads to the construction of a 12-round Feistel cipher named PICARO. In this paper, we present the first full-round cryptanalysis of this cipher and show how to recover the key in the related-key model. Our analysis takes advantage of the low diffusion of the key schedule together with the non-bijectivity of PICARO Sbox. Our best trade-off has a time complexity equivalent to $2^{107.4}$ encryptions, a data complexity of $2^{99}$ plaintexts and requires to store $2^{17}$ (plaintext, ciphertext) pairs.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. SAC 2015
related-key attackdifferential cryptanalysisPICARO
Contact author(s)
virginie lallemand @ inria fr
2015-07-30: received
Short URL
Creative Commons Attribution


      author = {Anne Canteaut and Virginie Lallemand and María Naya-Plasencia},
      title = {Related-Key Attack on Full-Round {PICARO}},
      howpublished = {Cryptology ePrint Archive, Paper 2015/754},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.