Cryptanalysis of Simpira v2

Abstract

In Asiacrypt 2016, Simpira v2 was proposed as a family of efficient permutations. It combines the AES round function with the Generalized Feistel Scheme (GFS) to construct permutations with arbitrarily large size which is a multiple of 128-bit. In this paper, we study the security of Simpira-3, the 3-block instance of Simpira v2. By applying the truncated differential analysis, we construct 8-round and 9-round distinguishers for Simpira-3 with complexity 2 and \( 2^{22} \) respectively. Then, we apply the impossible differential analysis to construct a 9-round impossible differential. Using this impossible differential, we can launch 9- and 10-round partial key recovery attacks on Simpira-3-based block cipher. Lastly, we present a boomerang distinguisher for 10-round Simpira-3 with practical complexity \( 2^{23} \). To the best of our knowledge, this is the first cryptanalysis results on Simpira-3. Our analysis will not affect the security of Simpira.

Appendices

A 9-Round Truncated Differential Distinguishing Attack

The 9-round truncated differential distinguisher can be done in the following way. We are assuming that we are given a permutation \(\varPi :\left( {\mathbb {F}}_2^{128}\right) ^3\rightarrow \left( {\mathbb {F}}_2^{128}\right) ^3\) and we are asked to identify whether \(\varPi \) is a 9-round Simpira-3 or a random function.

1. 1.

   Fix the pattern a as the last pattern given in Fig. 3 and F(a) as the MixColumn of its corresponding pattern in Fig. 4. In other words, now the non-zero cells of a are in cells 1, 6, 11, 12 following the numbering of state cells in [6]. Similarly, the possible non-zero cells of \(MC^{-1}(F(a))\) are in cells 3, 6, 9, 12.

2. 2.

   Fix \(c_1\in {\mathbb {F}}_2^{128}\), \(c_0[0,1,2,4,5,6,8,10,11,13,14,15]\) and \(c_2[0,1,\cdots ,11,\)13, 14, 15].

3. 3.

   For \(i,j=0,\cdots ,2^8-1\), we define \(c^{(2^8 i+j )}_0[3,6,9,12]= (i,j,0,0)\) and \(c^{(2^{16}+2^8 i+ j)}_0[3,6,9,12]=(0,0,i,j)\). So now we have \(c^{(i)}_0\) for \(i=0,\cdots , 2^{17}-1\).

4. 4.

   For \(i=0,\cdots , 2^4-1\), we define \(c^{(i)}_2[12]=i\) and \(c^{(2^4+i)}_2[12]=2^4+i\). So now we have \(c_2^{(j)}\) for \(j=0,\cdots ,2^5-1\).

5. 5.

   For \(i=0,\cdots , 2^{17}-1, j=0,\cdots ,2^5-1\), calculate \(\varPi ^{-1}(c^{(i)}_0, c_1, c^{(j)}_2)=(p^{(i,j)}_0, p^{(i,j)}_1, p^{(i,j)}_2)\). From these plaintexts, we can generate \(2^{43}\) plaintext pairs.

6. 6.

   Count the number of plaintext pairs that have difference pattern (F(a), r, r). Let this number be n. If \(n\ge 1880\), conclude that \(\varPi \) is Simpira-3. Otherwise we conclude that \(\varPi \) is a random permutation.

Note that if \(\varPi \) is Simpira-3 and \(F(\varDelta c_2)= \varDelta c_0\), then \(\varDelta p_0= F(a)\) with probability 1. So

$$\begin{aligned}Pr(\varDelta p_0 = F(a)| \varPi ~is~Simpira-3~and~F(\varDelta c_2)= \varDelta c_0) = Pr(F(\varDelta c_2)= \varDelta c_0).\end{aligned}$$

Now we note that by the choice of our inputs,

$$\begin{aligned}\{MC^{-1}(\varDelta c^{i}_0)\}=\{\varDelta \in \{0,*\}^{4\times 4}, \varDelta [0,1,2,4,5,7,8,10,11,13,14,15]=0\}.\end{aligned}$$

Moreover,

$$\begin{aligned}\{\varDelta c^{j}_2\}=\{\varDelta \in \{0,*\}^{4\times 4}, \varDelta [0,1,2,3,4,5,6,7,8,9,10,13,14,15]=0\}.\end{aligned}$$

By design, \(MC^{-1}(F(\varDelta c^{j}_2))\) has the fourth pattern given in Fig. 4. So the probability above equals to the probability that \(MC^{-1}(\varDelta c^i_0)\) coincides with the value we get from \(MC^{-1}(F(\varDelta c^j_2))\) which only depends on the value of the 4 values in cells 3, 6, 9, 12. Hence this probability is \(2^{-32}.\)

Furthermore, if \(\varPi \) is Simpira-3, \(F(\varDelta c_2)\ne \varDelta c_0\) or if \(\varPi \) is a random permutation, \(\varDelta p_0\) can be seen as a random 128-bit state. So we also have that \(MC^{-1}(\varDelta p_0)\) is also a random 128-bit state. So for this value to be in the \(MC^{-1}(F(a))\) pattern, the probability, as discussed before, is \(2^{-96}.\) So now we have that if \(\varPi \) is Simpira-3, then the number of pairs that has \(\varDelta P_0\) in F(a) pattern follows a binomial distribution with \(2^{43}\) trials and \(2^{-32}+2^{-96}(1-2^{-32})\approx 2^{-32}\) success probability. Let this random variable be denoted by \(X_1.\) On the other hand, if \(\varPi \) is a random permutation, then this random variable follows another binomial distribution with \(2^{43}\) trials and \(2^{-96}\) success probability. Let this random variable be denoted by \(X_2.\) Then our attack’s probability of false negative is

$$\begin{aligned} \alpha =Pr(n\le 1779| n \sim X_1). \end{aligned}$$

and our attack’s false positive probability is

$$\begin{aligned} \beta =Pr(n\ge 1880| n\sim X_2). \end{aligned}$$

A simple calculation using the normal approximation of random variables will tell us that \(\alpha \approx 0.0001\) and \(\beta \approx 0.00003\).

Lastly, for the complexity, our attack complexity is \(2^{22}\) inverse enquiries and \(2^{43}\) comparison.

B 9-Round Key Recovery Using Truncated Differential

1. 1.

   Select a according to the first pattern given in Fig. 3. F(a) is the difference after MixColumn of the corresponding pattern in Fig. 4.

2. 2.

   Generate \((c^{(i)}_0, c^1, c^{(j)}_2)\) with an analogous method as the one we described in the 9-rounds distinguishing attack in Appendix A.

3. 3.

   Decrypt \((c^{(i)}_0, c^1, c^{(j)}_2)\) to obtain \(2^{22}\) plaintexts \((p^{(i,j)}_0, p^{(i,j)}_1, p^{(i,j)}_2)\) and generate \(2^{43}\) plaintext-ciphertext pairs from it, all with the ciphertext differences in the pattern (F(a), 0, a).

4. 4.

   Out of these \(2^{43}\) pairs, we have a probability \(2^{-32}\) for the corresponding \(\varDelta p_0\) to have difference pattern F(a). When this happens with high probability we have \(F(\varDelta c_2) = \varDelta c_0.\) We can expect around \(2^{11}\) pairs that satisfy this. Let the differences in the first and last sub-blocks be \((\varDelta c^{(i)}_0, \varDelta c^{(i)}_2), i=1,\cdots ,2^{11}\) with its corresponding ciphertexts being \((c^{(i,1)}_0,c^{(i,1)}_2)\) and \((c^{(i,2)}_0,c^{(i,2)}_2).\) Due to the linearity of SR and MC, we also have that \(SS(SR(\varDelta c_2)) = MC^{-1}\circ SR^{-1}(\varDelta c_0).\) By Observation 1, we can identify the value of \((c^{(i,1)}_0\oplus k_0,c^{(i,1)}_2\oplus k_2)\) and \((c^{(i,2)}_0\oplus k_0,c^{(i,2)}_2\oplus k_2).\) Note that since the observation only mentions that there is in average one pair of solutions for \((c^{(i,1)}_0\oplus k_0,c^{(i,1)}_2\oplus k_2)\) and \((c^{(i,2)}_0\oplus k_0,c^{(i,2)}_2\oplus k_2)\), there are two possibilities of matching the pair. So for each of the filtered \((\varDelta c_0, \varDelta c_2)\), we obtain two possible values of \((k_0[0,5,10,15],k_2[0,7,10,13])\). Note that the two possible values that we obtain from \((\varDelta c^{(i)}_0,\varDelta c^{(i)}_2)\) will contain a correct key \((k^*_0[0,5,10,15],k^*_2[0,7,10,13])\) and \((k^*_0[0,5,10,15]\oplus \varDelta _0,k^*_2[0,7,10,13]\oplus \varDelta _2)\) where \(\varDelta _0= c^{(i,1)}_0\oplus c^{(i,2)}_0\) and \(\varDelta _2=c^{(i,1)}_2\oplus c^{(i,2)}_2.\) So a wrong key can be in at least two pairs if the difference in both the first and last sub-blocks in the two pairs are the same. Now a specific difference in the last block can only occur in at most \(2^7\) different pairs by our choices of \(c_2.\) Since we have \(2^{11}\) pairs, we can expect to filter out all the wrong \((k_0[0,5,10,15],k_2[0,7,10,13]).\)

5. 5.

   Repeating the whole process with a as the second, third and last patterns given in Fig. 3 will help us in recovering the other 12 bytes of \(k_0\) and \(k_2.\)

Note that here the complexity of each iteration is \(2^{22}\) decryption enquiry and \(2^{43}\) processing of the pairs and there are 4 iterations. So in total, the time complexity is \(2^{24}\) to recover the value of \(k_0\) and \(k_2\).

C Key Recovery Attack on 9-Round Simpira-3

We define \(E_K\) to be the block cipher built by using the Even-Mansour construction with 9-round Simpira-3.

For this key recovery attack, we use a shortened variant of the 9-round impossible differential that we have in Observation 3 where we omit the first round of that trail. Therefore, we need to rotate the whole trail and it changes the input difference pattern from (F(b), r, b) to (F(b), r, r). This 8-round impossible differential can be found in the Appendix D. Based on this differential, we then append one more round, which is the round given in Fig. 5. The attack procedure is given as follows:

1. 1.

   Let a be the first pattern in Fig. 3, and b be the first pattern given in Fig. 6, which is the complementary of a. Let F(a) and F(b) be the MixColumn of the corresponding patterns in Figs. 4 and 7 respectively.

2. 2.

   Construct \(2^{22}\) ciphertexts that differ in the active cells of (F(a), 0, a). This provides us with \(2^{43}\) ciphertext pairs with difference pattern (F(a), 0, a).

3. 3.

   Decrypt the \( 2^{22} \) ciphertexts to get \( 2^{22} \) plaintexts. For each of the \( 2^{43} \) pairs of plaintext, we check if they have difference pattern (F(b), r, r). Since F(b) provides a 32-bit filter, we expect to have \(2^{11}\) pairs of plaintext with difference (F(b), r, r).

4. 4.

   For each of the remaining pair, let the ciphertext difference be \((\varDelta c_0,\varDelta c_1, \varDelta c_2)\) and the plaintext difference be \((\varDelta p_0,\varDelta p_1, \varDelta p_2).\) From the impossible differential in Appendix D, the relation \( (0,0,a)\rightarrow (F(a),0,a) \) in Round 9 must be invalid. This gives a filter of one value of the key bytes \(k_0[0,7,10,13]\) (See Step 4 in Appendix B for more details).

5. 5.

   Repeat the above procedure for \(2^{26}\) times to detect all wrong possible values of \(k_0[0,7,10,13].\)

6. 6.

   Repeat the whole process for the other 3 patterns of (a, F(a), b, F(b)) to recover the remaining bytes of \(k_0.\)

For each iteration, we are left with \(2^{11}\) pairs. With \(2^{26}\) iterations, the total number of pairs is \(2^{37}\). The probability that any wrong key left after the attack is \((1-2^{-32})^{2^{37}}<2^{-32}.\) Hence we expect to have only one key remaining after \(2^{26}\) iterations.

In total we have \(2^{22}\times 2^{26}\times 4\approx 2^{50}\) decryption queries and \(2^{51}\) pairs to process to recover the value of \(k_0\).

D 8-Round Impossible Differential Figure

See Fig. 8.

Fig. 8.

8-round impossible differential used for 9-round impossible distinguisher

E Distinguishing Attack on 9- Rounds Simpira-3

In this case, we will be using the following values:

• \(\varDelta =(a,F(a),r)\),

• \(\varDelta ^{*}=(a,F(a),r)\),

• \(\nabla =(a,0,0)\) and

• \(\nabla ^{*}=(r,F(a),r)\)

where a is one of the patterns described in Fig. 3.

By the same argument as the one given in Observation 4, it is easy to see that the success probability of this boomerang trail is \(2^{-96}.\)

Assume that we are given a permutation function \(\varPi \) and we are asked to identify whether \(\varPi \) is 10-round Simpira-3 or a random permutation.

1. 1.

   Fix a pattern a to be one of the pattern given in Fig. 3 and F(a) be MixColumn of the corresponding pattern given in Fig. 7.

2. 2.

   Generate \(2^{51} P^{(i)}, i=1,\cdots , 2^{51}\) such that for any \(i,j, P^{(i)}\oplus P^{(j)}\in (a,F(a),r).\)

3. 3.

   Calculate \(C^{(i)}=\varPi (P^{(i)}).\)

4. 4.

   Generate \(D^{(i)}\) such that \(C^{(i)}\oplus D^{(i)}\in (a,0,0)\)

5. 5.

   Calculate \(Q^{(i)}=\varPi ^{-1}(D^{(i)}).\)

6. 6.

   Compute \(n=\left| \{(i,j)| i\ne j, Q^{(i)}\oplus Q^{(j)}\in (a,F(a),r)\}\right| .\)

7. 7.

   If \(n\ge 2\), conclude that \(\varPi \) is Simpira-3, otherwise, conclude that \(\varPi \) is a random permutation.

We note that in this attack, if \(\varPi \) is Simpira, the probability that \(Q^{(i)}\oplus Q^{(j)}\in (a,F(a),r)\) is \(2^{-96}\) by the observation we made above. This probability becomes \(2^{-192}\) when \(\varPi \) is a random permutation. So by a similar argument in the 9-Rounds Distinguishing attack based on Truncated differential analysis, the probability of false negative and false positive are 0.0001 and 0.00003 respectively. The complexity here is \(2^{51} \varPi \) queries, \(2^{51} \varPi ^{-1}\) queries and \(2^{100}\) pairs to process.

The distinguisher we introduced above in fact can be improved if we are using b instead of a. However, we will be using the distinguisher described here to launch a key recovery attack on 10-rounds Simpira-3 and the complexity of the key recovery attack is the smallest if we use a.

F 10-Round Key Recovery Attack Using Boomerang

As before, let \(E_K\) be a block cipher built by using the Even Mansour scheme with 10-round Simpira-3 as its permutation function. For this attack, we will call the active diagonal in each of the pattern given in Fig. 3 as first, second, third and fourth diagonal respectively. So for example, in the first pattern given in Fig. 6, the active diagonals are second, third and fourth diagonal. Similarly, we call the active anti-diagonal in each of the pattern given in Fig. 4 as the first, second, third and fourth anti-diagonal respectively.

The attack goes as follows:

1. 1.

   Let a be the first pattern given in Fig. 3 and F(a) be the MixColumn of the corresponding pattern in Fig. 4.

2. 2.

   Construct \(2^{51}\) plaintexts \(P^{(i)},i=1,\cdots , 2^{51}\) such that \(\forall i,j, P^{(i)}\oplus P^{(j)}\in (a,F(a),r).\)

3. 3.

   Calculate \(C^{(i)}= (c^{(i)}_0, c^{(i)}_1, c^{(i)}_2)= E_K(P^{(i)}).\)

4. 4.

   For each guess of the value of the first diagonal of \(k_0\), generate \(d^{(i)}_0\) such that \(d^{(i)}_0\oplus c^{(i)}_0\in a.\) Since we guessed the value of the keys in the active cells, we know the exact value of \(\delta =F( d^{(i)}_0\oplus c^{(i)}_0).\) Generate \(d^{(i)}_1\) such that \(d^{(i)}_0\oplus c^{(i)}_0=\delta .\) Set \(d^{(i)}_2=c^{(i)}_2\) and let \(D^{(i)}=(d^{(i)}_0,d^{(i)}_1,d^{(i)}_2).\)

5. 5.

   Calculate \(Q^{(i)}= E_K^{-1}(D^{(i)}).\)

6. 6.

   Compute \(n=\left| \{(i,j)|i\ne j, Q^{(i)}\oplus Q^{(j)}\in (a,F(a),r)\}\right| .\) If \(n\ge 2\), conclude that the current guess of \(k_0[0,5,10,15]\) passes the filter. Otherwise, conclude the current guess is wrong repeat with different guess of the 4-byte subkey.

7. 7.

   Repeat the whole attack with the other three patterns of a to retrieve the value of \(k_0\) in the other three diagonals.

Note that in this attack, we assume that if our guess key is wrong, then the remaining 9 rounds is a random permutation instead of 9-round Simpira-3 that is discussed in the 9-rounds distinguishing attack. So we use the 9-round distinguishing attack here to decide whether the current guess of key is correct or not. So with failure probability of less than \(0.1\%\), we can recover the value of \(k_0.\) For the complexity, for each pattern of a, we recover one diagonal of \(k_0\) with complexity \(2^{51}\) encryption queries and \(2^{32}\times 2^{51}=2^{83}\) decryption queries. Since we repeat the attack four times for four different values of a, the total complexity is \(2^{53}\) encryption queries and \(2^{85}\) decryption queries.

We note here that this attack recovers different subkey from the one recovered in the key recovery attack of 10-round Simpira-3 based on impossible differential attack. The attack described in this subsection recovers the value of \(k_0\) while the previous one recovers the value of \(k_1\).