On the Division Property of Simon48 and Simon64

Abstract

Simon is a family of lightweight block ciphers published by the U.S. National Security Agency (NSA) in 2013. Due to its novel and bit-based design, integral cryptanalysis on Simon seems a tough job. At EUROCRYPT 2015 Todo proposed division property which is a generalized integral property, and he applied this technique to searching integral distinguishers of Simon block ciphers by considering the left and right halves of Simon independently. As a result, he found 11-round integral distinguishers for both Simon48 and Simon64. Recently, at FSE 2016 Todo et al. proposed bit-based division property that considered each bit independently. This technique can find more accurate distinguishers, however, as pointed out by Todo et al. the time and memory complexity is bounded by \( 2^n \) for an n-bit block cipher. Thus, bit-based division property is only applicable to Simon32.

In this paper we propose a new technique that achieves a trade-off between considering each bit independently and considering left and right halves as a whole, which is actually a trade-off between time-memory and the accuracy of the distinguishers. We proceed by splitting the state of Simon into small pieces and study the division property propagations of circular shift and bitwise AND operations under the state partition. Moreover, we propose two different state partitions and study the influences of different partitions on the propagation of division property. We find that different partitions greatly impact the division property propagation of circular shift which will finally result in a big difference on the length of integral distinguishers. By using a tailored search algorithm for Simon, we find 12-round integral distinguishers for Simon48 and Simon64 respectively, which improve Todo’s results by one round for both variants.

A Proofs of Propositions

1.1 A.1 Proof of Proposition 3

Proof

The aim is to prove under what conditions the output parity is always even given the input multiset division property. Let \( \varvec{u}=(u_0, u_1, \cdots , u_{\frac{n}{t} -1})\in (\mathbb {F}_2^t)^{\frac{n}{t}} \) and

$$ \begin{aligned} \begin{aligned} \bigoplus _{\varvec{z}\in \mathbb {Z}}\varvec{\pi _u}(\varvec{z})&=\bigoplus _{\varvec{z}\in \mathbb {Z}} \prod _{i = 0}^{\frac{n}{t} -1}\pi _{u_i}(z_i) \\&= \bigoplus _{\varvec{x}\in \mathbb {X}}\prod _{i = 0}^{\frac{n}{t} -1}\pi _{u_i}(x_i \& x_i^{*})\\&= \bigoplus _{\varvec{x}\in \mathbb {X}}\prod _{i = 0}^{\frac{n}{t} -1}\pi _{u_i}(x_i)\prod _{i = 0}^{\frac{n}{t} -1}\pi _{u_i}(x_i^{*}) \\&= \bigoplus _{\varvec{x}\in \mathbb {X}}\varvec{\pi _{(u,u)}}(\varvec{x}). \end{aligned} \end{aligned}$$

(5)

In order to get an even parity of \( \bigoplus _{\varvec{z}\in \mathbb {Z}}\varvec{\pi _u}(\varvec{z})\), the parity of \( \bigoplus _{\varvec{x}\in \mathbb {X}}\varvec{\pi _{(u,u)}}(\varvec{x}) \) must be even. According to the input division property \( \mathcal {D}^{t,\frac{2n}{t}}_{\varvec{k}}\), it follows that there must exist \( i \in \{0,1,\cdots ,\frac{n}{t}-1\} \) such that \( w(u_i) < k_i \) or \( w(u_i) < k_i^{*}\), thus \( w(u_i) < \max \{k_i, k_i^{*}\} \). It’s evident to see we need \( W(\varvec{u})\nsucceq \varvec{\hat{k}} \) which completes the proof.

1.2 A.2 Proof of Proposition 4

Proof

Let \( \varvec{u}=(u_0,u_1,\cdots ,u_{\frac{n}{t}-1})\in (\mathbb {F}_2^t)^{\frac{n}{t}}\), since \( \varvec{x^{*}} = \varvec{x}\lll 1 \) we have \( \bigoplus _{\varvec{x^{*}}\in \mathbb {X^{*}}} \varvec{\pi _u}(\varvec{x^{*}}) = \bigoplus _{\varvec{x}\in \mathbb {X}}\varvec{\pi _{u\ggg 1}}(\varvec{x}) \). Let \( \varvec{v} =(v_0,v_1,\cdots ,v_{\frac{n}{t}-1})\in (\mathbb {F}_2^t)^{\frac{n}{t}}\), and \( \varvec{v} = \varvec{u}\ggg 1 \). It follows that \( \bigoplus _{\varvec{x^{*}}\in \mathbb {X^{*}}} \varvec{\pi _u}(\varvec{x^{*}}) = \bigoplus _{\varvec{x}\in \mathbb {X}}\varvec{\pi _v}(\varvec{x}) \).

In order to prove for any \( W(\varvec{u})\nsucceq \varvec{k^{(0)},k^{(1)},\cdots ,k^{(q-1)}} \) the corresponding \( \varvec{v} = \varvec{u}\ggg 1 \) satisfies \( W(\varvec{v}) \nsucceq \varvec{k}\), we can prove for any \( W(\varvec{v})\succeq \varvec{k} \) there exists i such that the corresponding \( \varvec{u}=\varvec{v}\lll 1 \) satisfies \( W(\varvec{u}) \succeq \varvec{k^{(i)}} \).

Write the bit string expression of \( \varvec{v} \) as \( (v[0]v[1]\cdots v[t-1],v[t]v[t+1]\cdots v[2t-1],\cdots ,v[n-t]v[n-t+1]\cdots v[n-1])\) with v[i] the i-th bit of \( \varvec{v}\). Since \( \varvec{u} = \varvec{v}\lll 1\), it is easy to see that

$$\begin{aligned} {\left\{ \begin{array}{ll} w(u_0) &{}= w(v_0) - v[0] + v[t],\\ \vdots \\ w(u_{\frac{n}{t}-2}) &{}= w(v_{\frac{n}{t} -2}) - v[n-2t] +v[n-t],\\ w(u_{\frac{n}{t}-1}) &{}= w(v_{\frac{n}{t} -1}) -v[n-t] + v[0]. \end{array}\right. } \end{aligned}$$

(6)

Since \( W(\varvec{v})\succeq \varvec{k}\), it follows that \( w(v_i) \ge k_i \) for any \( i \in \{0,1,\cdots ,\frac{n}{t}-1\}\). Thus we have

$$\begin{aligned} {\left\{ \begin{array}{ll} w(u_0) &{}= w(v_0) - v[0] + v[t]\ge k_0 -v[0] + v[t],\\ \vdots \\ w(u_{\frac{n}{t}-2}) &{}= w(v_{\frac{n}{t} -2}) - v[n-2t] +v[n-t]\ge k_{\frac{n}{t}-1}-v[n-2t]+v[n-t],\\ w(u_{\frac{n}{t}-1}) &{}= w(v_{\frac{n}{t} -1}) -v[n-t] + v[0]\ge k_{\frac{n}{t}-1} -v[n-t] +v[0]. \end{array}\right. } \end{aligned}$$

(7)

If the coordinates of \( (k_0-v[0]+v[t], \cdots , k_{\frac{n}{t}-1}-v[n-t]+v[0])\) are between 0 and t, according to (2), there exists i such that \( \varvec{k^{(i)}} =(k_0-v[0]+v[t], \cdots , k_{\frac{n}{t}-1}-v[n-t]+v[0]) \). It follows that \( W(\varvec{u})\succeq \varvec{k^{(i)}} \) and we have thus proved the proposition.

However, if the coordinates of \( (k_0-v[0]+v[t], \cdots , k_{\frac{n}{t}-1}-v[n-t]+v[0]) \) do not range from 0 to t, we can still find \( \varvec{k^{(i)}} \) such that \( W(\varvec{u})\succeq \varvec{k^{(i)}} \). Note that \( k_i-v[i*t]+v[(i+1)*t] \le w(u_i)\le t\), thus \( k_i-v[i*t]+v[(i+1)*t]\) will be invalid only if it happens that \( k_i-v[i*t]+v[(i+1)*t]=-1\). If this happens we can deduce that \( k_i=0,v[i*t]=1 \) and \( v[(i+1)*t]=0\), thus bit string \( v[0]v[t]\cdots v[\frac{n}{t}-1] \) can not take on values of all one’s or all zero’s. We show next how to construct vector \( \varvec{k^{(i)}} \) such that \( W(\varvec{u})\succeq \varvec{k^{(i)}} \).

Without loss of generality, we assume that \( k_i-v[i*t]+v[(i+1)*t]=-1 \) and \( v[s*t]v[(s+1)*t]\cdots v[i*t]=01\cdots 1 \) with \( s < i \). Denote \( (k_0-v[0]+v[t], \cdots , k_{\frac{n}{t}-1}-v[n-t]+v[0])=\varvec{a}\), thus we have

$$\begin{aligned} {\left\{ \begin{array}{ll} a_j &{}= k_j - v[j*t] + v[(j+1)*t]\ \ \ \forall j\notin \{s,s+1,\cdots ,i\},\\ a_s &{} = k_s-0+1=k_s+1,\\ a_{s+1} &{}=k_{s+1}-1+1=k_{s+1},\\ \vdots \\ a_i &{}= k_i-1+0=-1. \end{array}\right. } \end{aligned}$$

(8)

We construct \( \varvec{b} \) as follows:

$$\begin{aligned} {\left\{ \begin{array}{ll} b_j &{}= k_j - v[j*t] + v[(j+1)*t]\ \ \ \forall j\notin \{s,s+1,\cdots ,i\},\\ b_s &{}= k_s - 0 + 0 = k_s,\\ b_{s+1} &{}= k_{s+1} - 0 +0=k_{s+1},\\ \vdots \\ b_i &{}= k_i -0 + 0=k_i=0. \end{array}\right. } \end{aligned}$$

(9)

Since \( w(u_s)\ge k_s-v[s*t]+v[(s+1)*t]=k_s-0+1=a_s>b_s=k_s, w(u_{s+1}) \ge k_{s+1}-v[(s+1)*t] +v[(s+2)*t]=k_{s+1}=a_{s+1}=b_{s+1},\cdots ,w(u_i)\ge 0 = b_i\), thus we have constructed vector \( \varvec{b} \) such that \( W(\varvec{u})\succeq \varvec{b} \). If the coordinates of \( \varvec{b} \) range from 0 to t, \( \varvec{b} \) is a solution of (2) and there exists \( \varvec{k^{(t)}} \) such that \( \varvec{k^{(t)}} =\varvec{b}\), thus we have proved the proposition. However, If these still exits coordinates of \( \varvec{b} \) equal to -1, we can repeat the above process to modify \( \varvec{b} \) until we get a valid solution.