Abstract
Simon is a family of lightweight block ciphers published by the U.S. National Security Agency (NSA) in 2013. Due to its novel, bit-based design, integral cryptanalysis of Simon is a difficult task. At EUROCRYPT 2015 Todo proposed the division property, a generalized integral property, and applied it to the search for integral distinguishers of Simon block ciphers by considering the left and right halves of Simon independently. As a result, he found 11-round integral distinguishers for both Simon48 and Simon64. Recently, at FSE 2016, Todo et al. proposed the bit-based division property, which considers each bit independently. This technique can find more accurate distinguishers; however, as pointed out by Todo et al., its time and memory complexity is bounded by \( 2^n \) for an n-bit block cipher. Thus, the bit-based division property is only applicable to Simon32.
In this paper we propose a new technique that achieves a trade-off between considering each bit independently and considering the left and right halves as a whole, which is in effect a trade-off between time-memory and the accuracy of the distinguishers. We proceed by splitting the state of Simon into small pieces and studying the division property propagation of the circular shift and bitwise AND operations under this state partition. Moreover, we propose two different state partitions and study how the choice of partition influences the propagation of the division property. We find that different partitions greatly affect the division property propagation of the circular shift, which ultimately makes a large difference in the length of the integral distinguishers. Using a search algorithm tailored to Simon, we find 12-round integral distinguishers for Simon48 and Simon64 respectively, which improve Todo's results by one round for both variants.
Notes
1. This result is according to Rule 1 and Rule 5 in [16].
References
Abdelraheem, M.A., Alizadeh, J., Alkhzaimi, H.A., Aref, M.R., Bagheri, N., Gauravaram, P.: Improved linear cryptanalysis of reduced-round SIMON-32 and SIMON-48. Cryptology ePrint Archive, Report 2015/988 (2015). http://eprint.iacr.org/
Abdelraheem, M.A., Alizadeh, J., Alkhzaimi, H.A., Aref, M.R., Bagheri, N., Gauravaram, P., Lauridsen, M.M.: Improved linear cryptanalysis of reduced-round SIMON. Cryptology ePrint Archive, Report 2014/681 (2014). http://eprint.iacr.org/
Albrecht, M.R., Driessen, B., Kavun, E.B., Leander, G., Paar, C., Yalçın, T.: Block ciphers: focus on the linear layer (feat. PRIDE). In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 57–76. Springer, Heidelberg (2014)
Ashur, T.: Improved linear trails for the block cipher SIMON. Cryptology ePrint Archive, Report 2015/285 (2015). http://eprint.iacr.org/
Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404 (2013). http://eprint.iacr.org/
Biryukov, A., Roy, A., Velichkov, V.: Differential analysis of block ciphers SIMON and SPECK. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 546–570. Springer, Heidelberg (2015)
Bogdanov, A.A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)
Borghoff, J., et al.: PRINCE: a low-latency block cipher for pervasive computing applications. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012)
Boura, C., Naya-Plasencia, M., Suder, V.: Scrutinizing and improving impossible differential attacks: applications to CLEFIA, Camellia, LBlock and Simon. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 179–199. Springer, Heidelberg (2014)
Chen, H., Wang, X.: Improved linear hull attack on round-reduced Simon with dynamic key-guessing techniques. Cryptology ePrint Archive, Report 2015/666 (2015). http://eprint.iacr.org/
Chen, Z., Wang, N., Wang, X.: Impossible differential cryptanalysis of reduced round SIMON. Cryptology ePrint Archive, Report 2015/286 (2015). http://eprint.iacr.org/
Daemen, J., Knudsen, L.R., Rijmen, V.: The block cipher SQUARE. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997)
De Cannière, C., Dunkelman, O., Knežević, M.: KATAN and KTANTAN — a family of small and efficient hardware-oriented block ciphers. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 272–288. Springer, Heidelberg (2009)
Knudsen, L.R., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002)
Mourouzis, T., Song, G., Courtois, N., Christofii, M.: Advanced differential cryptanalysis of reduced-round SIMON64/128 using large-round statistical distinguishers. Cryptology ePrint Archive, Report 2015/481 (2015). http://eprint.iacr.org/
Todo, Y.: Integral cryptanalysis on full MISTY1. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 413–432. Springer, Heidelberg (2015)
Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 287–314. Springer, Heidelberg (2015)
Todo, Y., Morii, M.: Bit-based division property and application to SIMON family. Cryptology ePrint Archive, Report 2016/285 (2016). http://eprint.iacr.org/
Wang, N., Wang, X., Jia, K., Zhao, J.: Differential attacks on reduced SIMON versions with dynamic key-guessing techniques. Cryptology ePrint Archive, Report 2014/448 (2014). http://eprint.iacr.org/
Wang, Q., Liu, Z., Varıcı, K., Sasaki, Y., Rijmen, V., Todo, Y.: Cryptanalysis of reduced-round SIMON32 and SIMON48. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 143–160. Springer, Heidelberg (2014)
Wu, W., Zhang, L.: LBlock: a lightweight block cipher. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 327–344. Springer, Heidelberg (2011)
Zhang, H., Wu, W.: Structural evaluation for generalized feistel structures and applications to LBlock and TWINE. In: Biryukov, A., Goyal, V. (eds.) INDOCRYPT 2015. LNCS, vol. 9462, pp. 218–237. Springer, Heidelberg (2015)
Zhang, W., Bao, Z., Lin, D., Rijmen, V., Yang, B., Verbauwhede, I.: RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms. Sci. Chin. Inf. Sci. 58(12), 1–15 (2015)
Acknowledgements
We are very grateful to the anonymous reviewers. This work was supported by the National Natural Science Foundation of China (Grant No. 61379138), the “Strategic Priority Research Program” of the Chinese Academy of Sciences (Grant No. XDA06010701).
A Proofs of Propositions
A.1 Proof of Proposition 3
Proof
The aim is to prove under what conditions the output parity is always even given the input multiset division property. Let \( \varvec{u}=(u_0, u_1, \cdots , u_{\frac{n}{t} -1})\in (\mathbb {F}_2^t)^{\frac{n}{t}} \) and
In order to get an even parity of \( \bigoplus _{\varvec{z}\in \mathbb {Z}}\varvec{\pi _u}(\varvec{z})\), the parity of \( \bigoplus _{\varvec{x}\in \mathbb {X}}\varvec{\pi _{(u,u)}}(\varvec{x}) \) must be even. According to the input division property \( \mathcal {D}^{t,\frac{2n}{t}}_{\varvec{k}}\), there must exist \( i \in \{0,1,\cdots ,\frac{n}{t}-1\} \) such that \( w(u_i) < k_i \) or \( w(u_i) < k_i^{*}\), and thus \( w(u_i) < \max \{k_i, k_i^{*}\} \). It follows that we need \( W(\varvec{u})\nsucceq \varvec{\hat{k}} \), which completes the proof.
A.2 Proof of Proposition 4
Proof
Let \( \varvec{u}=(u_0,u_1,\cdots ,u_{\frac{n}{t}-1})\in (\mathbb {F}_2^t)^{\frac{n}{t}}\), since \( \varvec{x^{*}} = \varvec{x}\lll 1 \) we have \( \bigoplus _{\varvec{x^{*}}\in \mathbb {X^{*}}} \varvec{\pi _u}(\varvec{x^{*}}) = \bigoplus _{\varvec{x}\in \mathbb {X}}\varvec{\pi _{u\ggg 1}}(\varvec{x}) \). Let \( \varvec{v} =(v_0,v_1,\cdots ,v_{\frac{n}{t}-1})\in (\mathbb {F}_2^t)^{\frac{n}{t}}\), and \( \varvec{v} = \varvec{u}\ggg 1 \). It follows that \( \bigoplus _{\varvec{x^{*}}\in \mathbb {X^{*}}} \varvec{\pi _u}(\varvec{x^{*}}) = \bigoplus _{\varvec{x}\in \mathbb {X}}\varvec{\pi _v}(\varvec{x}) \).
In order to prove for any \( W(\varvec{u})\nsucceq \varvec{k^{(0)},k^{(1)},\cdots ,k^{(q-1)}} \) the corresponding \( \varvec{v} = \varvec{u}\ggg 1 \) satisfies \( W(\varvec{v}) \nsucceq \varvec{k}\), we can prove for any \( W(\varvec{v})\succeq \varvec{k} \) there exists i such that the corresponding \( \varvec{u}=\varvec{v}\lll 1 \) satisfies \( W(\varvec{u}) \succeq \varvec{k^{(i)}} \).
Write the bit string expression of \( \varvec{v} \) as \( (v[0]v[1]\cdots v[t-1],v[t]v[t+1]\cdots v[2t-1],\cdots ,v[n-t]v[n-t+1]\cdots v[n-1])\) with v[i] the i-th bit of \( \varvec{v}\). Since \( \varvec{u} = \varvec{v}\lll 1\), it is easy to see that
Since \( W(\varvec{v})\succeq \varvec{k}\), it follows that \( w(v_i) \ge k_i \) for any \( i \in \{0,1,\cdots ,\frac{n}{t}-1\}\). Thus we have
If the coordinates of \( (k_0-v[0]+v[t], \cdots , k_{\frac{n}{t}-1}-v[n-t]+v[0])\) are between 0 and t, according to (2), there exists i such that \( \varvec{k^{(i)}} =(k_0-v[0]+v[t], \cdots , k_{\frac{n}{t}-1}-v[n-t]+v[0]) \). It follows that \( W(\varvec{u})\succeq \varvec{k^{(i)}} \) and we have thus proved the proposition.
However, if the coordinates of \( (k_0-v[0]+v[t], \cdots , k_{\frac{n}{t}-1}-v[n-t]+v[0]) \) do not all lie between 0 and t, we can still find \( \varvec{k^{(i)}} \) such that \( W(\varvec{u})\succeq \varvec{k^{(i)}} \). Note that \( k_i-v[i*t]+v[(i+1)*t] \le w(u_i)\le t\), so \( k_i-v[i*t]+v[(i+1)*t]\) is invalid only when \( k_i-v[i*t]+v[(i+1)*t]=-1\). If this happens we can deduce that \( k_i=0,v[i*t]=1 \) and \( v[(i+1)*t]=0\), so the bit string \( v[0]v[t]\cdots v[\frac{n}{t}-1] \) cannot be all ones or all zeros. We show next how to construct a vector \( \varvec{k^{(i)}} \) such that \( W(\varvec{u})\succeq \varvec{k^{(i)}} \).
Without loss of generality, we assume that \( k_i-v[i*t]+v[(i+1)*t]=-1 \) and \( v[s*t]v[(s+1)*t]\cdots v[i*t]=01\cdots 1 \) with \( s < i \). Denote \( (k_0-v[0]+v[t], \cdots , k_{\frac{n}{t}-1}-v[n-t]+v[0])=\varvec{a}\), thus we have
We construct \( \varvec{b} \) as follows:
Since \( w(u_s)\ge k_s-v[s*t]+v[(s+1)*t]=k_s-0+1=a_s>b_s=k_s, w(u_{s+1}) \ge k_{s+1}-v[(s+1)*t] +v[(s+2)*t]=k_{s+1}=a_{s+1}=b_{s+1},\cdots ,w(u_i)\ge 0 = b_i\), we have constructed a vector \( \varvec{b} \) such that \( W(\varvec{u})\succeq \varvec{b} \). If the coordinates of \( \varvec{b} \) all lie between 0 and t, \( \varvec{b} \) is a solution of (2) and there exists \( \varvec{k^{(t)}} \) such that \( \varvec{k^{(t)}} =\varvec{b}\), which proves the proposition. However, if there still exist coordinates of \( \varvec{b} \) equal to -1, we can repeat the above process to modify \( \varvec{b} \) until we obtain a valid solution.
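The circular-shift propagation argued in the proof of Proposition 4 (and summarised in the abstract) can be checked exhaustively for small parameters. The following is an added example, not code from the paper: it computes the tightest output vectors K' for X* = {x <<< 1} directly from the definition (minimal W(v <<< 1) over all v with W(v) ⪰ k) and then verifies the defining requirement that W(u) ⋡ K' implies W(u >>> 1) ⋡ k. It assumes the paper's partition (piece i = bits i*t .. (i+1)*t-1, bit 0 leftmost, u = v <<< 1 meaning u[j] = v[(j+1) mod n]); the function names are my own.

```python
# Added example, not code from the paper: brute-force propagation of the
# division property through a 1-bit circular shift under the state partition
# of Proposition 4. Assumed convention: an n-bit state is split into n/t pieces
# of t bits, piece i = bits i*t .. (i+1)*t-1, bit 0 leftmost, and u = v<<<1
# has u[j] = v[(j+1) mod n], so w(u_i) = w(v_i) - v[i*t] + v[(i+1)*t].
from itertools import product

def weight_vector(bits, t):
    """W(u): Hamming weight of each consecutive t-bit piece of the bit tuple."""
    return tuple(sum(bits[i:i + t]) for i in range(0, len(bits), t))

def rotl1(bits):
    return bits[1:] + bits[:1]          # x <<< 1

def rotr1(bits):
    return bits[-1:] + bits[:-1]        # x >>> 1

def dominates(a, b):
    """a ⪰ b: every coordinate of a is at least the corresponding one of b."""
    return all(x >= y for x, y in zip(a, b))

def minimal(vectors):
    """Drop every vector that strictly dominates another vector of the set."""
    vs = set(vectors)
    return sorted(v for v in vs if not any(w != v and dominates(v, w) for w in vs))

def rotl1_propagation(k, t):
    """Output division property of X* = {x<<<1 : x in X} when X has D^{t,n/t}_k.
    Because pi_u(x<<<1) = pi_{u>>>1}(x), the tightest K' is the set of minimal
    vectors W(v<<<1) over all v with W(v) ⪰ k (exhaustive over 2^n vectors v)."""
    n = t * len(k)
    reachable = {weight_vector(rotl1(v), t)
                 for v in product((0, 1), repeat=n)
                 if dominates(weight_vector(v, t), k)}
    return minimal(reachable)

def is_sound(k, t, kprime):
    """Defining requirement of the propagated property: whenever W(u) ⋡ k'
    for every k' in K', the parity over X* equals the parity of pi_{u>>>1}
    over X, which is even by the input property, so W(u>>>1) ⋡ k must hold."""
    n = t * len(k)
    for u in product((0, 1), repeat=n):
        if not any(dominates(weight_vector(u, t), kp) for kp in kprime):
            if dominates(weight_vector(rotr1(u), t), k):
                return False
    return True

if __name__ == "__main__":
    # Toy instance: n = 8 bits split into 4 pieces of t = 2 bits.
    for k in [(1, 0, 0, 0), (2, 0, 0, 0), (1, 1, 0, 0)]:
        kp = rotl1_propagation(k, 2)
        print(k, "->", kp, "sound:", is_sound(k, 2, kp))
```

For k = (1, 0, 0, 0) the single active piece splits into two candidates, (0, 0, 0, 1) and (1, 0, 0, 0), depending on whether the bit crossing the piece boundary is the one carrying the weight, which is exactly the boundary-bit effect the proof tracks with the terms v[i*t] and v[(i+1)*t].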
© 2016 Springer International Publishing Switzerland
Xiang, Z., Zhang, W., Lin, D. (2016). On the Division Property of Simon48 and Simon64. In: Ogawa, K., Yoshioka, K. (eds) Advances in Information and Computer Security. IWSEC 2016. Lecture Notes in Computer Science(), vol 9836. Springer, Cham. https://doi.org/10.1007/978-3-319-44524-3_9
DOI: https://doi.org/10.1007/978-3-319-44524-3_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-44523-6
Online ISBN: 978-3-319-44524-3