Abstract
In CHES’15, Yang et al. proposed a family of lightweight block cipher SIMECK which combines the good designs of SIMON and SPECK. In this paper, we analysis the properties of the round function of SIMECK, and eliminate the repeated use of rotational independence judgment condition in Liu’s algorithm that proposed in FSE’17, constructing the partial difference distribution table with limited Hamming weight of input difference to improve the search results. We get new differentials of 14/21/27 rounds for SIMECK32/48/64 which can provide higher probability than previous results, and find a new 28 rounds differential for SIMECK64. We also get new 13/21/27 rounds linear hulls with higher square correlation for SIMECK32/48/64, and we find new 14/22/28 rounds linear hulls for SIMECK32/48/64, which are the best linear hulls of SIMECK as far as we know. With the application of the new distinguishers and combination with the dynamic key-guessing techniques, we mount key recovery attacks on SIMECK variants, which can reduce the computational complexity and/or data complexity.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
Keywords
1 Introduction
With the development of the Internet of Things, the security issues in the IoT application systems are getting more and more attention. The cryptographic primitives are the basic components of a security application. The research of lightweight cryptographic algorithms aims at protecting the application security for these terminal devices with limited resources. In recent years, various lightweight block ciphers have been proposed, such as: PRINCE [10], PRESENT [9], TWINE [21], SIMON [5], SPECK [5], SIMECK [23], RECTANGLE [25], GIFT [4], etc.
In 2017, authors of SIMON cited the latest researches of cryptanalysis and gave the explanations on the security of SIMON, but still did not give their own results of SIMON’s security analysis [6]. At SAC’17, AlTawy et al. proposed a set of permutation algorithm sLiSCP that based on SIMECK for lightweight sponge cryptographic primitive, used in the sponge framework to construct authenticated encryption, stream cipher, MAC and hash function [2].
At present, there are three mainstream methods to search for the differential/linear distinguishers of SIMON/SIMECK, which are the mixed integer linear programming (MILP) based technique adopted by Sun et al. [20], the SAT/SMT solver method for satisfaction problem solving adopted by Kölbl et al. [12, 13], and the Matsui’s branch and bound automated search algorithm adopted by Abed et al. [1], Biryukov et al. [8], and Liu et al. [14]. In the MILP method of Sun et al., the non-independece of the input differences are not considered yet. At CRYPTO’15, Kölbl et al. derived the differential propagation relationship for SIMON-like round function, but it takes much time for the SAT/SMT solver to find the optimal differential trails in the large block size variants of SIMON. At FSE’14, Abed et al. firstly searched for the possible output difference corresponding to the input difference in the SIMON-like round function, and took into account the dependence of the input differences on the bitwise AND operation, but they did not find the optimal differential trails. Biryukov et al. introduced the concept of pDDT, and applied the Matsui’s approach to the ARX cipher by using the threshold search method, but by the limitation of the heuristic search methods they used, the optimal differential trails are may not obtained. At FSE’17, Liu et al. separately considered the independence and dependence of the inputs of the bitwise AND operation, and they introduced the concept of small block size DDT of bitwise AND operation with independenct inputs, constructing the possible output difference space corresponding to an fixed input difference with a large block size. But in the search algorithm, they reused the independence condition, which will lead more computational efforts. Differential and linear analysis for SIMECK and SIMON are similar. Based on the explicit formula for the differential and linear propagation probability of SIMON-like round function, the optimal differential and linear trails to achieve the security bounds of each variants of SIMON and SIMECK were searched out in [14, 15]. For SIMECK32/48/64, the optimal differential trails cover 13/19/25 rounds, and the optimal linear trails also cover 13/19/25 rounds, respectively. In the previous works, the differentials and linear hulls obtained are based on the optimal trails that do not exceed the security boundary, but the differentials and linear hulls based on lower potential trails are not considered. For SIMECK, the probability of the 14/21/27 rounds differentials and the linear square correlation of the 13/21/27 rounds linear hulls are not tight enough.
For the key recovery attacks, 19/26/33 rounds on SIMECK32/48/64 were attacked by differential cryptanalysis in [13], and 22/28/35 rounds were attacked by dynamic key-guessing technique in [17]. However, the differentials that used to attack SIMECK in [13] and [17] are both 13/20/26 rounds, respectively. Intuitively, with the application of differentials with longer rounds and higher probability, the key recovery attack on SIMECK may need less complexity.
In [18], 13/20/26 rounds linear hulls were used to mount the 23/30/37 rounds key recovery attack on SIMECK32/48/64. However, the squared correlation of the linear hulls they used in the attack are derived from the previous differentials, which are estimated values and not tight enough yet. There are also some other analysis results on SIMECK worth attention under different cryptanalysis model, such as the linear cryptanalysis [3], zero correlation linear cryptanalysis [24], and distinguishing attack [19].
Our Contributions. In this paper, we further investigate the differential and linear propagation properties of the non-linear bitwise AND operation of the round function of SIMECK. We propose improved efficient algorithms to find the possible output differences of nonzero probabilities with a fixed input difference, eliminating the repeated use of the independence judgment condition in Liu’s algorithm, and constructing a partial difference distribution table with Hamming weight less than a set threshold. We get 14/21/27 rounds differentials for SIMECK with higher probability than the previous works, and find a new 28 rounds differential for SIMECK64. Simultaneously, we get 13/21/27 rounds linear hulls with higher square correlation for SIMECK32/48/64 respectively. And the 14/22/28 rounds linear hulls for SIMECK32/48/64 we find are the best linear hulls so far. We improve the key recovery attack on SIMECK and reduce the computational complexity and/or data complexity. The 29-round differential attack on SIMECK48 is the longest so far.
Outline. This paper is organized as follows. In Sect. 2, we give the notations used in this paper. In Sect. 3, we give improved efficient algorithms to search for the possible nonzero probability output differences with fixed input difference. And we construct all the possible valid input mask space by using the base vectors of input mask introduced in [15]. In Sect. 4, we apply the obtained differentials to key recovery attacks on all variants of SIMECK for reducing the computational complexity and/or data complexity, as listed in Table 5. Conclusions are given in Sect. 5.
2 Preliminaries
2.1 Notations
The main notations used in this paper are shown in Table 1.
Let \(P(\alpha ,\beta )\) be the probability of a given input difference \(\alpha \) propagate to a given output difference \(\beta \), which is defined as
Let \( f(x):\mathbb {F}_2^n \rightarrow \mathbb {F}_2^n \) be a vectorial boolean function on n bits with the input mask \( \alpha \) and output mask \( \beta \), we denote by \(g(\alpha ,\beta )=\sum _{x \in \mathbb {F}_2^n}(-1)^{\alpha \cdot x \bigoplus \beta \cdot f(x)} \), and \(g(\alpha ,\beta )= \varepsilon \cdot 2^{n}\) for all \( x \in \mathbb {F}_2^n \). Hence, the square correlation of \( \alpha \) propagate to \(\beta \), we denote by
Under the Markov’s assumption, the probability of a differential (or linear) trail is the product of the probability of each round. Let \( \alpha \) be the input difference, and \(\beta \) is the given output difference after r rounds, then the probability of the r-round differential is the sum of all r-round differential trails with the same input and output difference. Similarly, the square correlation of the r-round linear hull is the sum of all r-round linear trails with the same input and output mask.
2.2 Description of SIMECK
The SIMECK family has 3 variants: SIMECK32/64 (32 rounds), SIMECK48/96 (36 rounds) and SIMECK64/128 (44 rounds). They share the same rotational constant set \((a,b,c) = (0,5,1)\), with which SIMECK32/48/64 to achieve full diffusion needs 8/9/11 rounds respectively as investigated in [13]. In this paper, we denote the input states of round i by \((x_{i + 1}, x_{i}) \). The state transformation function of SIMECK can be presented as \(x_{i + 1} = ({x_i} \lll a) \wedge ({x_i} \lll b) \oplus ({x_i} \lll c) \oplus {x_{i-1}} \oplus r{k_{i-1}}\). Let \({x_{i + 1}} = f({x_i}) \oplus {x_{i - 1}} \oplus r{k_{i-1}}\), we generally call f(x) the round function of SIMECK. The differential and linear propagation in the round function of SIMECK is shown in Fig. 1.
3 Automatic Search Algorithm for Differentials and Linear Hulls of SIMECK
3.1 The Properties of SIMECK Round Function
The bitwise AND operation is the only non-linear component in the SIMECK round function, we first study its differential and linear propagation properties.
Property 1
Let x, \(x'\), y, \(y'\), \(\alpha \), \( \beta \), \( \gamma \) \(\in \{ 0,1\}\), \(f(x,y) = x \wedge y\), and \(x = x' \oplus \alpha \), \(y = y' \oplus \beta \), \(\gamma = f(x,y) \oplus f(x',y')\), so \(\alpha \), \(\beta \), \(\gamma \) have the probability propagation relationship in Table 2. Hence, when \(P\{ (\alpha ,\beta ) \rightarrow \gamma \} \ne 0\) is satisfied, if and only if \({\overline{\alpha }} \wedge {\overline{\beta }} \wedge \gamma = 0\) is satisfied [1].
According to the definition of differential probability, let \(\alpha \), \(\beta \), \(\gamma \) be the n bits XOR difference, and x, \(x'\), y, \(y'\) \(\in \mathbb {F}_2^n\), \(f(x,y) = x \wedge y\), and \(x = x' \oplus \alpha \), \(y = y' \oplus \beta \), \(\gamma = f(x,y) \oplus f(x',y')\), the probability of two n bits inputs lead to one n bits output is the product of the n probabilities of bitwise operation. As \(P\{ (\alpha ,\beta ) \rightarrow \gamma \} = {2^{ - 2n}} \cdot \#\{ (x,y)|f(x,y) \oplus f(x \oplus \alpha ,y \oplus \beta ) = \gamma \}\), which implies the following lemma.
Lemma 1
Let \(\alpha \), \(\beta \), \(\gamma \) be the n-bit XOR difference, and x, \(x'\), y, \(y'\) \(\in \mathbb {F}_2^n\), \(f(x,y) = x \wedge y\), and \(x = x' \oplus \alpha \), \(y = y' \oplus \beta \), \(\gamma = f(x,y) \oplus f(x',y')\), then
Where \(wt(\alpha )\) denotes the Hamming weight of the vector \(\alpha \in \mathbb {F}_2^n\), the \( \mathbf {0} \) represents an all-zero vector of n bits, and correspondingly \( \mathbf {1} \) represents an all-one vector of n bits. When one of the inputs of the bitwise AND is rotated r bits to the left(or right), i.e. \(f(x,y) = x \wedge (y \lll r)\), it is easy to get
If the two input values of bitwise AND are mutual rotational dependent of each other, i.e. let x, \( x' \), \( \alpha \), \( \beta \) \(\in \mathbb {F}_2^n\), \(x = x' \oplus \alpha \), \(f(x) = x \wedge (x \lll r)\), and \(\beta = f(x) \oplus f(x \oplus \alpha )\), then the differential probability is
then
and let
be a set of equations with variable x, where \(\alpha , \beta \in \mathbb {F}_2^n\) as parameters. By solving the number of solutions of x, considering these \(2^n\) equations with the relationship between \((\alpha ,\beta )\), Kölbl et al. derived the explicit formula of the differential probability propagation relationship between input and output difference [12]. Therefore, there is an equivalent relationship as shown in Theorem 1. Similarly, the linear square correlation can be defined in Theorem 2 [12].
Theorem 1
Let \(\alpha \), \(\beta \) be fixed n-bit XOR differences, \(x \in \mathbb {F}_2^n\), \(x' = x \oplus \alpha \), and \(f(x) = x \wedge (x \lll r)\), \(\beta = f(x) \oplus f(x')\), define variables \(u = (\alpha \lll r) \vee \alpha \), and \(v = \alpha \wedge \overline{(\alpha \lll r)} \wedge (\alpha \lll 2r)\), so the differential propagation probability of the bitwise AND with two inputs mutual rotational dependent is
Theorem 2
Let \(\alpha \), \(\beta \) be an input and an output mask, \(f(x) = x \wedge (x \lll r)\), where \(x \in \mathbb {F}_2^n\), and the set \( U_\beta \) is defined by \( U_\beta = \{x| (\beta \wedge (x\lll r)) \oplus ((\beta \wedge x ) \ggg r) = \mathbf {0} \} \), the dimension of \( U_\beta \) is \(d=dim \ U_\beta \), and \( U_\beta ^\perp \) is the orthogonal complement space of \( U_\beta \). Hence, the squared correlation calculation of f(x) that \( \alpha \) propagate to \( \beta \) can be denoted by
Corollary 1
Let \(\alpha \), \(\beta \) be fixed n-bit XOR differences, x, \(x'\) \(\in \mathbb {F}_2^n\), \(x' = x \oplus \alpha \), \(f(x) = x \wedge (x \lll r)\), and \(\beta = f(x) \oplus f(x')\), so the probability \(P(\alpha \rightarrow \beta )\) is only related to the value of the input difference \(\alpha \), and the differential probability corresponding to each valid output difference \(\beta \) is equivalent. And the number of valid output differences is equal to , where \(P\{ \alpha \rightarrow \beta \} \ne 0\).
Corollary 2
Let \(\{\varDelta {x_1},\varDelta {x_0}\}\) be the 2n-bit input XOR difference, \(\{\varDelta {x_{i+1}},\varDelta {x_i}\}\) is the 2n-bit output XOR difference of i round differential of SIMECK2n, and the probability is P. There exist other \( n-1 \) differentials with similar probability, the input difference and output difference can be constructed as \(\{\varDelta {x_1} \lll j,\varDelta {x_0}\lll j \}\) and \(\{\varDelta {x_{i+1}} \lll j,\varDelta {x_i} \lll j \} \) respectively, for \( j \in [1,n-1]\).
3.2 Improved the Differentials of SIMECK Variants
When the inputs of the bitwise AND are independent of each other, i.e. let \(f(x,y) = x \wedge y\), the DDT can be constructed directly according to Lemma 1, as shown in Algorithm 1. If the inputs of the bitwise AND are mutually rotational dependent, i.e. let \(f(x) = x \wedge (x \lll r)\), the difference distribution table of bitwise AND can be deduced by Theorem 1. Algorithm 2 constructs the nonzero probability difference distribution table of the bitwise AND with inputs rotational dependent. When the block size n is not too large, generally when \(n \le 16\), the difference distribution table (DDT) generated by it can be storaged feasibly. The storage size of the DDT of the bitwise AND operation with input rotational dependent can be reduced from \({2^{2n}}\) to \({2^n} \cdot \mathcal {O} \), when n=16, \(\mathcal {O} \approx {2^{8.62}}\).
When the inputs of the bitwise AND are mutually rotational dependent and the block length is larger than 16 bits, it will be difficult to store the large DDT produced by Algorithm 2 directly. We are inspired by Liu et al., in order to reduce the storage complexity, consider the independent and dependent conditions of the inputs separately. Firstly, assuming that the inputs are independent of each other, referring to Algorithm 1, a large block of blocksize n can be splited into several small blocks with m bits length each, and the possible output differences corresponding to the fixed input difference are reconstructed by the output of small blocksize DDT whose inputs are mutually independent. For example, the blocksize of a cipher is \( 2n = 64 \), let \( m = 8 \) in Algorithm 1, the input of round function with \( n=32 \) bits length can be splited into four 8-bit blocks, then for each block just lookup the DDT produced by Algorithm 1, and then recombine the 4 sets of 8-bit possible output difference which construct the 32 bits length possible output differences. Secondly, verifing whether the recombined output differences are valid possible output differences with nonzero probability or not through the judgment condition in Theorem 1, and considering the constraints of output difference and input inter dependence. Here, for filtering out the possible output differences of nonzero probability, we eliminate the repeated use of input independent condition (i.e. \(\beta \wedge \overline{(\alpha \vee \alpha \lll r)} = \mathbf {0}\)) in Liu’s algorithm. Thirdly, considering the increasement in the Hamming weight of the input difference \(\alpha \), the probability of the corresponding output difference decrease, shown in [7, 14]. When the Hamming weight of the input difference increases, the upper bound of the probability of the round function will also decrease, which lead to the Matsui’s pruning condition in the search procedure will not be satisfied mostly. The output differences and probabilities corresponding the low Hamming weight input difference are used frequently. Inspired by the concept of partial difference distribution table introduced by Biryukov et al. [8], we can just precompute and store the difference distribution table corresponding to the input difference with low Hamming weight, where the Hamming weight is less than a certain threshold. When the input difference Hamming weight is smaller than the set threshold, just look up the precomputed table, otherwise, calculating the possible output difference from \(PO{D_{n}}(\alpha )\) in Algorithm 3.
To search for the differentials of SIMECK, we firstly employ the Matsui’s branch-bound search approach similar to [14] for finding the optimal differential characteristics(trails). Try to search for longer rounds of differential trails that exceed security bound with limitting the Hamming weight of the input difference according to the differential probability upper bound of the input Hamming weight [7, 14]. Afterward, we fix the input difference \(\alpha \) and output difference \(\beta \) to find enough amount of trails, and statistic the probability of all trails. In order to effectively search for trails as much as possible within a feasible time, we limit the search range of probability weights(\( {-\log _2}(p)\)) from \(w{t_{\min }}\) to \(w{t_{\max }}\). And \(w{t_{\min }}\) is the probability weight of the differential characteristic, \(w{t_{\max }}\) is the probability weight of the minimal probability that be limited. In the first two rounds of the search process, using the left and right part of the input difference as the inputs of round function. During the branch search process of differential trails of 3 to \(r - 1\) rounds, searching the possible output differences corresponding to the input difference by lookup table generated by Algorithm 4, when the Hamming weight of input difference is less than H. Otherwise utilizing the Algorithm 3 to generate the possible output differences. In the process of the middle rounds, we use Matsui’s branch pruning condition \(wt({p_1}) + wt({p_1}) + ... + wt({p_i}) + wt({p_{r - i}}) \le w{t_{\max }}\) as the stop condition, when the probability of searched truncated path is larger than the set value, remove it in advance. Even so, there are still some trails in the front \(r - 1\) round maybe satisfying the brach pruning condition, but when multiplied by the differential probability of the last round, the probability weight will larger than the limited \(w{t_{\max }}\), while they are also propagate to the same output difference of the differential. In our statistical approach, these part trails with lower probability are also counted. Probability weight marked by * in Table 3 means there are some trails with lower probability than the set probability weight \(w{t_{\max }}\) be counted. The differential probability is calculated by \(P = \sum \limits _{w = w{t_{\min }}}^{w{t_{\max }}} {\# trails[w] \times {2^{ - w}}} \).
For a differential of i rounds, take the output difference of the \({i_{th}}\) round as the input difference of \({\mathrm{{(i + 1)}}_{th}}\) round, according to Algorithm 3, one more round can be extended by check the number of output difference. For every valid possible output difference of \({\mathrm{{(i + 1)}}_{th}}\) round, probability of the new \(i + 1\) round differential can be calculated by Corollary 1. The obtained differentials for SIMECK is shown in Table 3, in which the number of possible output difference corresponding to the output difference of the 13-round differential \((0x0,0x2 \rightarrow 0x2,0x0)\) used in [17] of SIMECK32 is 4. Hence, there exists 14 rounds differential of probability at least \(\frac{1}{4} \times {2^{ - 28.91}}\), the input difference of it is (0x0, 0x2) and the output difference is one of \(\{ (0x4,0x2), (0x6,0x2), (0x44,0x2), (0x46,0x2)\} \), and the searched experimental result of the probability is \({2^{ -30.90}}\). In addition, the result of 27/28 round differential of SIMECK64 that also confirmed the guesswork of Corollary 1. Additionally, we also searched out some differentials that follow Corollary 2, such as the 14-round differential \( (2,15) \rightarrow (8,5) \), which is the rotational pair of \( (1,800A) \rightarrow (4,8002) \) that rotated 1-bit to the left for each half stateFootnote 1. More differentials can be constructed from Table 3 by the Corollary 2, for example, the 14-round differential of SIMECK32 implies \( ((0,2) \rightarrow (4,2)) \Rightarrow ((0 \lll j,2 \lll j) \rightarrow (4 \lll j,2 \lll j))\), \( j \in [1,15] \) with the similar probability that larger than \( 2^{-30.90} \). And the derivation process for SIMECK48/64 is similar. The obtained 14/21/27 rounds differential of SIMECK32/48/64 are the best so far, meanwhile, the 28-round differential of SIMECK64 is the longest so far.
3.3 Improved the Linear Hulls of SIMECK Variants
In [15], an automatic search algorithm to search for the optimal linear trails of SIMON and SIMECK are proposed. They gave an algorithm to find the base of all possible input masks \( \alpha \in U_\beta ^\perp \) in Theorem 2. By using the base vectors of \( \alpha \), we can construct all the possible valid input masks by Algorithm 5. Then, we use the method in [15] and search for longer round linear trails with the square correlation exceed the security boundary. Take the input and output mask of the trails as that of the linear hull, and we limit the search scope by the lower bound of the square correlation \( (-log_2{C^2(\alpha ,\beta )}) \). Also, setting the branch pruning condition \(wt({p_1}) + wt({p_1}) + ... + wt({p_i}) + wt({p_{r - i}}) \le w{t_{\max }}\) as the stop condition. By using the longer round linear trails with square correlation exceed the security boundary, the new longer round linear hulls are found in Table 4. The 14/22/28 rounds linear hulls of SIMECK32/48/64 are the longest linear hulls so farFootnote 2.
4 Key Recovery Attack on Round Reduced SIMECK
In 2014, Wang et al. proposed dynamic key-guessing techniques in differential attack on SIMON [22], and then these techniques had also been used to achieve linear hull attack on SIMON at FSE’16 [11]. The differential and linear hull attack on SIMECK with dynamic key-guessing techniques are the most efficient method until now [17, 18]. Hence, by applying the new differentials obtained, we try to get some new results for the key recovery attacks on SIMECK variants. And for the attack on SIMECK with the new linear hulls obtained, better results with less complexity may also occur combining with dynamic key-guessing techniques in linear hulls attack. Even so, we leave it as subsequent researchs because the attack process is too cumbersome, it is recommended to refer to [11] for the process details of using linear hulls for key recovery.
4.1 Dynamic Key-Guessing in Differential Attack
In [17, 22], the dynamic key guessing technique was introduced to the differential attack on SIMON and SIMECK. By observing the round function of SIMECK, the bit-transformation relationship of it is denoted by follows. Let \({x_i} = \{ x_i^{n - 1}x_i^{n - 2} \cdot \cdot \cdot x_i^j \cdot \cdot \cdot x_i^0\} \), \(x_i^j \in \{ 0,1\} \), there have,
The bits relationship of the differential propagation of the SIMECK round function is expressed as follows:
and the plaintext bits \(x_i^j\) and \(x_i^{j - 5}\) involved secret subkey bits for \(i \ge 2\).
As the choosen plaintexts are known, considering \({\varDelta }x_i^{j}\) and \({\varDelta }x_i^{j - 5}\) as parameters under different values, and discussing the number of subkey bits satisfy the equations. When some subkey bits are determined, which can reduce the number of the remaining subkey bits that need to be exhaustive searched.
If \(({\varDelta }x_i^j,{\varDelta }x_i^{j - 5}) = (0,0)\), \({\varDelta }x_{i + 1}^j = b\), \(b \in \{ 0,1\}\), when \({\varDelta }x_i^{j - 2} \oplus {\varDelta }x_{i - 1}^j \ne b\), the differential propagation relationship of round function is not satisfied, this condition can be used to filter out the wrong plaintext pairs in the first and last round. When \({\varDelta }x_i^{j - 2} \oplus {\varDelta }x_{i - 1}^j = b\), the bit differential propagation relationship can not be used for determining subkey bits, so \((rk_{i - 1}^j, rk_{i - 1}^{j-5}) \in \mathbb {F}_2^2\) with 4 solutions. And if \(({\varDelta }x_i^j,{\varDelta }x_i^{j - 5}) = (0,1), (1,0) \ or \ (1,1)\), then \((rk_{i - 1}^j, rk_{i - 1}^{j-5})\) have only 2 solutions. After appending \({r_0}\) rounds forward and \({r_1}\) rounds backward, generate the extended path with sufficient bit conditions, from which the related subkey bits for each sufficient bit condition can be solved by whether to satisfy the equations.
4.2 Applying the Differentials to Key Recovery Attack on SIMECK Variants
In [17, 22], to extend the differential path according to the rules that the output differences of AND operation is 0, if and only if its input differences are (0,0), otherwise set the output difference of AND operation to * as uncertain bit. However, the rotational dependence of the input differences of AND operation is not considered in these previous works. To extend the differential path with adding \( {r_0} \) round forward and \( {r_1} \) round backward, we use the nonzero probability outputs produce by Algorithm 3. In the data collection phase, there are \( {Q_{{r_0}}} \) possible plaintext differences in the set \( \{ {{\varDelta }_P}\} \), which will lead to at least 1 input difference \( {{\varDelta }_{in}} \) of the r-round truncated differential that be appended \( {r_0} \) round forward. There are \({Q_{{r_1}}} \) possible ciphertext output differences in the set \( \{ {{\varDelta }_C}\} \), which can be deduced from 1 output difference \( {{\varDelta }_{out}} \) of the r-round truncated differential that be appended \( {r_1} \) round backward. The number of possible plaintext difference \( {Q_{{r_0}}} \) is less than the plaintext pairs in each data structure constructed in [22]. Selecting one plaintext X, then the plaintexts set \( \{ X \oplus {{\varDelta }_P}\} \) obtained by \( {Q_{{r_0}}} \) XOR additions which can yield \( {Q_{{r_0}}} \) plaintext pairs which lead to at least one input difference \( {{\varDelta }_{in}} \). Choosing \( {2^t} \) arbitrary plaintext X, for example \( X \in {\{ 0,1\} ^t} \), then we can get \( {2^t} \times {Q_{{r_0}}} \) plaintext pairs that lead to \( {2^t}\) paris with intermediate state in \( ({r_1})_{th} \) round with \( {{\varDelta }_{in}} \). Since the set of ciphertext differences resulting from the output difference of choosen differential, there exists conditions that some bit positions of the ciphertext difference are fixed, which can be used to filter out the invalid plaintext differece in \( \{ {{\varDelta }_P}\} \), so does the invalid plaintexts, and then check the remaining ciphertext belong to \( \{ {{\varDelta }_C}\} \) or not, which can reduce the storage complexity.
For SIMECK32/64, similarly to the attack in [17], we use the 14-round differential \({\varDelta }in:0x0000 \ \mathrm{{ 0002}} \rightarrow {\varDelta }out:0x0004\mathrm{{ }} \ 0002\) with the probability of \({2^{ - 30.90}}\) in Table 3, and extended 4 rounds forward and 4 rounds backward of it to mount the key recovery attack against the 22 rounds of SIMECK32/64. The extended differential path with sufficient bit conditions listed in Table 6.
In the data collection phase, we choose \( 2^{32} \) plaintexts, with \({2^{32}} \times {Q_{{r_0}}} \approx {2^{32 + 21.3}} = {2^{53.3}} \) times XOR addition, \({2^{53.3}} \) plaintext pairs can be get, which will lead to \( {2^{32}} \times p = {2^{32 - 30.90}} \approx 2.14 \) right pairs occured in average. For the choosen plaintext pairs, after \( {2^{32}} \times ({Q_{{r_0}}} + 1) \approx {2^{53.3}} \) times \( ({r_0} + r +{r_1}) \) rounds encryption, using the fixed 6 bits of the ciphertext difference as conditions to filter out the wrong pairs with \( {2^{47.3}} \) pairs left in approximately. Then use the \( \{ {{\varDelta }_C}\} \) as the filter oracle, pairs remained and should be stored in table T.
Considering the recovery of 4 consecutive rounds of subkeys, by partial decrypt the last four round, there are totally 35 bits of \( rk_{21}^{10,15} \), \( rk_{20}^{0,5,9 - 11,14,15} \), \( rk_{19}^{10,15} \), \(rk_{18}^{0,4 - 5,8 - 11,13 - 15} \) involved in the 18 bit conditions in the 18 to 22 rounds. Create a list of counters for the 35 subkey bits, and solve the 18 bit condition equations with each pairs remained in T. If the candidate subkey bits matches the equations then increment the counter. The counter associated with the candidate subkey bits has the highest count value.
For the data complexity, there requires \( {2^{32}}\) plaintexts, and 3 tables of \( \{ {{\varDelta }_P}\} \), \( \{ {{\varDelta }_C}\} \) and T with \( {2^{21.3}} + {2^{24.85}} + {2^{22.45}} \approx {2^{26.3}} \) storage size. The computational effort contains the XOR addition, encryptions, filtering phase, subkey bits guessing, and the brute-force search phase. The computational time complexity \({C_t} = ({2^{32}} \times {2^{21.3}})A + ({2^{32}} \times ({2^{21.3}} + 1))E + (({2^{53.3}})A + ({2^{47.3}})A) + (2 \cdot {2^{22.45}} \cdot {2^{35}} \cdot \frac{4}{{22}})E + {2^{64 - 35}}E \approx {2^{54.3}}A + {2^{56}}E\). Here, ‘A’ represents a XOR addition operation and ‘E’ represents the encryption operation of attacked rounds. For the calculation of the success probability, we refer to the theory in [22], the success probability equals to \(1 - Poisscdf(s,{\lambda _r}) \), where \(s = \lfloor {\lambda _r} \rfloor \) is the number of hits that no more than right pairs \( {\lambda _r}\), and \( Poisscdf(s,{\lambda _r}) \) is the probability density function of Poisson distribution. Hence, we can get the success probability is \( 73\% \) for the attack on SIMECK32.
For SIMECK48/96, we use a 21-round differential \({\varDelta }in:0x0002 \ \mathrm{{ 0005}} \rightarrow {\varDelta }out:0x0005\mathrm{{ }} \ 0002\) with the probability of \({2^{ - 45.18}}\) in Table 3, and add 4 rounds forward and 4 rounds backward of it to mount the key recovery attack against the 29 rounds of SIMECK48/96. The extended differential path with sufficient bit conditions listed in Table 7.
We choose \( 2^{47} \) plaintexts, with \({2^{47}} \times {Q_{{r_0}}} \approx {2^{47 + 29.41}} = {2^{76.41}} \) times XOR addition, \({2^{76.41}} \) plaintext pairs can be get, which will lead to \( {2^{47-45.18}} \approx 3.53 \) right pairs occured in average. After \( {2^{47}} \times ({Q_{{r_0}}} + 1) \approx {2^{76.41}} \) times encryption for all pairs, we use the fixed 16 difference bits in the last round to filter out most part of wrong pairs with \( {2^{60.41}} \) pairs left. Then use the \( \{ {{\varDelta }_C}\} \) as the filter oracle, \({2^{60.41 - 29.41}} = {2^{31}} \) pairs remained and should be stored in table T. Create counters for the candidate 54 subkey bits \(rk_{27}^{9,11 - 23}, rk_{26}^{4,6,8 - 23}, rk_{25}^{1,3 - 23} \) involved in the last 4 rounds, and solve the 32 bit condition equations with each pairs remained in T. For the data complexity, there requires \( {2^{47}}\) choosen plaintexts, and \( {2^{29.41}} + {2^{29.41}} + {2^{31}} \approx {2^{31.5}} \) storage size for \( \{ {{\varDelta }_P}\} \), \( \{ {{\varDelta }_C}\} \) and table T is needed. And for the computational effort, there needs \({C_t} = ({2^{76.41}})A + ({2^{76.41}})E + ((2 \cdot {2^{76.41}})A + (2 \cdot {2^{60.41}})A) + (2 \cdot {2^{31}} \cdot {2^{54}} \cdot \frac{4}{{29}})E + {2^{96 - 54}}E \approx {2^{77.04}}A + {2^{83.14}}E\), and the success probability is 78%.
For SIMECK64/128, we use the 27-round differential \({\varDelta }in\):0x00000000 00000011 \( \rightarrow \) \( {\varDelta }out \):0x00000005 00000002 with the probability of \({2^{ -60.75}}\) in Table 3, by appending 4 rounds on the top and 4 rounds at the bottom, and extend it to mount the key recovery attack against the 35 rounds of SIMECK64/128. The extended dfferential path of the 35 rounds SIMECK64/128 is listed in Table 8. Choosing \( 2^{62} \) plaintexts, we can get \({2^{90.6}} \) plaintext pairs with \({2^{90.6}} \) XOR additions, and \( {2^{62 - 60.75}} \approx 2.13 \) right pairs occured in average. For all choosen plaintext pairs, there need \({2^{90.6}} \) encryptions of 35 rounds which lead to \( {2^{58.6}} \) pairs left, and then use the \( \{ {{\varDelta }_C}\} \) as the filter oracle, \( {2^{29.19}} \) pairs stored in table T. There are 78 bits of \( rk_{34}^{9,11 - 31}, rk_{33}^{4,6,8 - 31}, rk_{32}^{1,3 - 31} \) can be guessed. There requires \( {2^{62}}\) choosen plaintexts for data complexity, and storage complexity is \( {2^{28.6}} + {2^{29.41}} + {2^{29.19}} \approx {2^{30.7}} \) for \( \{ {{\varDelta }_P}\} \), \( \{ {{\varDelta }_C}\} \) and table T. For the computational complexity, there needs \( {C_t} = ({2^{90.6}})A + ({2^{90.6}})E + (({2^{58.6}})A + ({2^{29.19}})A) + (2 \cdot {2^{29.19}} \cdot {2^{78}} \cdot \frac{4}{{35}})E + {2^{128 - 78}}E \approx {2^{90.6}}A + {2^{105.5}}E \), and the success probability is 73%.
5 Conclusions
In this paper, we analyzed the differential and linear propagation properties of the bitwise AND operation with inputs mutually independent or dependent, and improved efficient algorithms by constructing the partial difference distribution table for bitwise AND operation. We searched out new differentials and linear hulls for SIMECK, which are the best results as far as we know. We applied our differentials to the key recovery attack on SIMECK and less complexity required while compared to previous differential attack.
Notes
- 1.
The reason why the experimental result of the probability is higher than that of [14] is because of more trails are counted.
- 2.
All experiments code are runned on a PC with \(\hbox {Intel}^\circledR \) \(\hbox {Core}^{TM}\) i7-2600 CPU @ 3.40GHz \( \times \) 8.
References
Abed, F., List, E., Lucks, S., Wenzel, J.: Differential cryptanalysis of round-reduced Simon and Speck. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 525–545. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_27
AlTawy, R., Rohit, R., He, M., Mandal, K., Yang, G., Gong, G.: sLiSCP: Simeck-based permutations for lightweight sponge cryptographic primitives. In: Selected Areas in Cryptography - SAC 2017–24th International Conference, Ottawa, ON, Canada, 16–18 August 2017, Revised Selected Papers, pp. 129–150 (2017)
Bagheri, N.: Linear cryptanalysis of reduced-round SIMECK variants. In: Biryukov, A., Goyal, V. (eds.) INDOCRYPT 2015. LNCS, vol. 9462, pp. 140–152. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26617-6_8
Banik, S., Pandey, S.K., Peyrin, T., Sasaki, Y., Sim, S.M., Todo, Y.: GIFT: a small present. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 321–345. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_16
Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404 (2013)
Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: Notes on the design and analysis of SIMON and SPECK. IACR Cryptology ePrint Archive 2017/560 (2017)
Beierle, C.: Pen and paper arguments for SIMON and SIMON-like designs. In: Zikas, V., De Prisco, R. (eds.) SCN 2016. LNCS, vol. 9841, pp. 431–446. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-44618-9_23
Biryukov, A., Roy, A., Velichkov, V.: Differential analysis of block ciphers SIMON and SPECK. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 546–570. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_28
Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74735-2_31
Borghoff, J., et al.: Prince - a low-latency block cipher for pervasive computing applications (full version). In: Proceedings of Advances in Cryptology - ASIACRYPT 2012–18th International Conference on the Theory and Application of Cryptology and Information Security (2012)
Chen, H., Wang, X.: Improved linear hull attack on round-reduced Simon with dynamic key-guessing techniques. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 428–449. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_22
Kölbl, S., Leander, G., Tiessen, T.: Observations on the SIMON block cipher family. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 161–185. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_8
Kölbl, S., Roy, A.: A brief comparison of Simon and Simeck. In: Bogdanov, A. (ed.) LightSec 2016. LNCS, vol. 10098, pp. 69–88. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-55714-4_6
Liu, Z., Li, Y., Wang, M.: Optimal differential trails in simon-like ciphers. IACR Trans. Symmetric Cryptol. 2017(1), 358–379 (2017)
Liu, Z., Li, Y., Wang, M.: The security of simon-like ciphers against linear cryptanalysis. IACR Cryptology ePrint Archive 2017/576 (2017)
Matsui, M.: On correlation between the order of S-boxes and the strength of DES. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 366–375. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053451
Qiao, K., Hu, L., Sun, S.: Differential analysis on simeck and SIMON with dynamic key-guessing techniques. In: Camp, O., Furnell, S., Mori, P. (eds.) ICISSP 2016. CCIS, vol. 691, pp. 64–85. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-54433-5_5
Qin, L., Chen, H., Wang, X.: Linear hull attack on round-reduced simeck with dynamic key-guessing techniques. In: Liu, J.K., Steinfeld, R. (eds.) ACISP 2016. LNCS, vol. 9723, pp. 409–424. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40367-0_26
Ryabko, B., Soskov, A.: The distinguishing attack on speck, simon, simeck, HIGHT and LEA. Cryptology ePrint Archive, Report 2018/047 (2018)
Sun, S., et al.: Towards finding the best characteristics of some bit-oriented block ciphers and automatic enumeration of (related-key) differential and linear characteristics with predefined properties. Cryptology ePrint Archive, Report 2014/747 (2014)
Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: \(\mathit{TWINE}\): a lightweight block cipher for multiple platforms. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 339–354. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-35999-6_22
Wang, N., Wang, X., Jia, K., Zhao, J.: Differential attacks on reduced SIMON versions with dynamic key-guessing techniques. Cryptology ePrint Archive, Report 2014/448 (2014)
Yang, G., Zhu, B., Suder, V., Aagaard, M.D., Gong, G.: The Simeck family of lightweight block ciphers. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 307–329. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48324-4_16
Zhang, K., Guan, J., Hu, B., Lin, D.: Security evaluation on simeck against zero-correlation linear cryptanalysis. IET Inf. Secur. 12(1), 87–93 (2018)
Zhang, W., Bao, Z., Lin, D., Rijmen, V., Yang, B., Verbauwhede, I.: RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms. SCIENCE CHINA Inf. Sci. 58(12), 1–15 (2015)
Acknowledgements
The authors are very grateful to the anonymous reviewers for their valuable comments. This work was supported by the National Key Research and Development Program of China (No. 2017YFB0801900).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Huang, M., Wang, L., Zhang, Y. (2018). Improved Automatic Search Algorithm for Differential and Linear Cryptanalysis on SIMECK and the Applications. In: Naccache, D., et al. Information and Communications Security. ICICS 2018. Lecture Notes in Computer Science(), vol 11149. Springer, Cham. https://doi.org/10.1007/978-3-030-01950-1_39
Download citation
DOI: https://doi.org/10.1007/978-3-030-01950-1_39
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-01949-5
Online ISBN: 978-3-030-01950-1
eBook Packages: Computer ScienceComputer Science (R0)