Improved Linear Cryptanalysis of Reduced-Round SIMON-32 and SIMON-48 | SpringerLink
Skip to main content
Springer Nature Link
Log in

Improved Linear Cryptanalysis of Reduced-Round SIMON-32 and SIMON-48

  • Conference paper
  • First Online:
Progress in Cryptology -- INDOCRYPT 2015 (INDOCRYPT 2015)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9462))

Included in the following conference series:

  • 996 Accesses

Abstract

In this paper we analyse two variants of SIMON family of light-weight block ciphers against variants of linear cryptanalysis and present the best linear cryptanalytic results on these variants of reduced-round SIMON to date.

We propose a time-memory trade-off method that finds differential/linear trails for any permutation allowing low Hamming weight differential/linear trails. Our method combines low Hamming weight trails found by the correlation matrix representing the target permutation with heavy Hamming weight trails found using a Mixed Integer Programming model representing the target differential/linear trail. Our method enables us to find a 17-round linear approximation for SIMON-48 which is the best current linear approximation for SIMON-48. Using only the correlation matrix method, we are able to find a 14-round linear approximation for SIMON-32 which is also the current best linear approximation for SIMON-32.

The presented linear approximations allow us to mount a 23-round key recovery attack on SIMON-32 and a 24-round Key recovery attack on SIMON-48/96 which are the current best results on SIMON-32 and SIMON-48. In addition we have an attack on 24 rounds of SIMON-32 with marginal complexity.

This work was done while the author was a postdoc at the Technical University of Denmark

Javad Alizadeh, Mohammad Reza Aref and Nasour Bagheri were partially supported by Iran-NSF under grant no. 92.32575.

Praveen Gauravaram is supported by Australian Research Council Discovery Project grant number DP130104304.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
¥17,985 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
JPY 3498
Price includes VAT (Japan)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
JPY 5719
Price includes VAT (Japan)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
JPY 7149
Price includes VAT (Japan)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Abdelraheem, M.A.: Estimating the probabilities of low-weight differential and linear approximations on PRESENT-like ciphers. In: Kwon, T., Lee, M.-K., Kwon, D. (eds.) ICISC 2012. LNCS, vol. 7839, pp. 368–382. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  2. Abdelraheem, M.A., Alizadeh, J., AlKhzaimi, H., Aref, M.R., Bagheri, N., Gauravaram, P., Lauridsen, M.M.: Improved Linear Cryptanalysis of Round Reduced SIMON. IACR Cryptology ePrint Archive, 2014:681 (2014)

    Google Scholar 

  3. Abed, F., List, E., Lucks, S., Wenzel, J.: Differential Cryptanalysis of Reduced-Round Simon. IACR Cryptology ePrint Archive 2013:526 (2013)

    Google Scholar 

  4. Abed, F., List, E., Lucks, S., Wenzel, J.: Differential cryptanalysis of round-reduced simon and speck. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 525–545. Springer, Heidelberg (2015)

    Google Scholar 

  5. Alizadeh, J., Alkhzaimi, H.A., Aref, M.R., Bagheri, N., Gauravaram, P., Kumar, A., Lauridsen, M.M., Sanadhya, S.K.: Cryptanalysis of SIMON variants with connections. In: Sadeghi, A.-R., Saxena, N. (eds.) RFIDSec 2014. LNCS, vol. 8651, pp. 90–107. Springer, Heidelberg (2014)

    Google Scholar 

  6. Alizadeh, J., Bagheri, N., Gauravaram, P., Kumar, A., Sanadhya, S.K.: Linear Cryptanalysis of Round Reduced SIMON. IACR Cryptology ePrint Archive 2013:663 (2013)

    Google Scholar 

  7. Ashur, T.: Improved linear trails for the block cipher simon. Cryptology ePrint Archive, Report 2015/285 (2015). http://eprint.iacr.org/

  8. Aumasson, J.-P., Henzen, L., Meier, W., Naya-Plasencia, M.: Quark: a lightweight hash. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 1–15. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  9. Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK Families of lightweight block ciphers. IACR Cryptology ePrint Archive 2013, 404 (2013)

    Google Scholar 

  10. Biham, E.: On matsui’s linear cryptanalysis. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 341–355. Springer, Heidelberg (1995)

    Chapter  Google Scholar 

  11. Biryukov, Alex, Roy, Arnab, Velichkov, Vesselin: Differential analysis of block ciphers SIMON and SPECK. 8540, 546–570 (2015)

    Google Scholar 

  12. Bogdanov, A., Knezevic, M., Leander, G., Toz, D., Varici, K., Verbauwhede, I.: SPONGENT: A Lightweight Hash Function. In: Preneel and Takagi [22], pp. 312–325

    Google Scholar 

  13. Bogdanov, A.A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  14. Boura, C., Naya-Plasencia, M., Suder, V.: Scrutinizing and improving impossible differential attacks: applications to CLEFIA, Camellia, LBlock and Simon. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 179–199. Springer, Heidelberg (2014)

    Google Scholar 

  15. De Cannière, C., Preneel, B.: Trivium. In: Robshaw and Billet [23], pp. 244–266

    Google Scholar 

  16. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer, Heidelberg (2002)

    Book  Google Scholar 

  17. Guo, J., Peyrin, T., Poschmann, A.: The PHOTON Family of Lightweight Hash Functions. In: Rogaway, P. (ed.) CRYPTO 2011. Lecture Notes in Computer Science, vol. 6841, pp. 222–239. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  18. Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.J.B.: The LED Block Cipher. In: Preneel and Takagi [22], pp. 326–341

    Google Scholar 

  19. Hell, M., Johansson, T., Maximov, A., Meier, W.: The grain family of stream ciphers. In: Robshaw and Billet [23], pp. 179–190

    Google Scholar 

  20. Kölbl, S., Leander, G., Tiessen, T.: Observations on the SIMON Block Cipher Family. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 161–185. Springer, Heidelberg (2015)

    Chapter  Google Scholar 

  21. Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and Linear Cryptanalysis Using Mixed-Integer Linear Programming. In: Wu, C.-K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  22. Preneel, B., Takagi, T. (eds.): CHES

    Google Scholar 

  23. Robshaw, M.J.B., Billet, O. (eds.): New Stream Cipher Designs - The eSTREAM Finalists. LNCS, vol. 4986. Springer, Heidelberg (2008)

    MATH  Google Scholar 

  24. Shi, D., Lei, H., Sun, S. Song, L., Qiao, K., Ma, X.: Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON. IACR Cryptology ePrint Archive 2014: 973 (2014)

    Google Scholar 

  25. Sun, S., Lei, H., Wang, M., Wang, P., Qiao, K., Ma, X., Shi, D., Song, L., Kai, F.: Towards Finding the Best Characteristics of Some Bit-oriented Block Ciphers and Automatic Enumeration of (Related-key) Differential and Linear Characteristics with Predefined Properties. IACR Cryptology ePrint Archive 2014: 747 (2014)

    Google Scholar 

  26. Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (Related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014)

    Google Scholar 

  27. Wang, N., Wang, X., Jia, K., Zhao, J.: Differential Attacks on Reduced SIMON Versions with Dynamic Key-guessing Techniques. IACR Cryptology ePrint Archive 2014: 448 (2014)

    Google Scholar 

  28. Wang, N., Wang, X., Jia, K., Zhao, J.: Improved Differential Attacks on Reduced SIMON Versions. IACR Cryptology ePrint Archive 2014: 448 (2014)

    Google Scholar 

  29. Wang, Qingju, Liu, Zhiqiang, Kerem Varici, Yu., Sasaki, Vincent Rijmen, Todo, Yosuke: Cryptanalysis of Reduced-Round SIMON32 and SIMON48. In: Meier, Willi, Mukhopadhyay, Debdeep (eds.) INDOCRYPT 2014. Lecture Notes in Computer Science, vol. 8885, pp. 143–160. Springer, Heidelberg (2014)

    Google Scholar 

  30. Yang, G., Zhu, B., Suder, V., Aagaard, M.D., Gong, G.: The simeck family of lightweight block ciphers. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 307–329. Springer, Heidelberg (2015)

    Chapter  Google Scholar 

Download references

Acknowledgments

The authors would like to thank Lars Knudsen, Stefan Kölbl, Martin M. Lauridsen, Arnab Roy and Tyge Tiessen for many useful discussions about linear and differential cryptanalysis of SIMON. Many thanks go to Anne Canteaut and the anonymous reviewers for their valuable comments and suggestions to improve the quality of the paper.

Author information

Authors and Affiliations

  1. SICS Swedish ICT, Kista, Sweden

    Mohamed Ahmed Abdelraheem

  2. ISSL, Department of Electrical Engineering, Sharif University of Technology, Tehran, Iran

    Javad Alizadeh & Mohammad Reza Aref

  3. Section for Cryptology, DTU Compute, Technical University of Denmark, Lyngby, Denmark

    Hoda A. Alkhzaimi

  4. Department of Electrical Engineering, Shahid Rajaee Teachers Training University, Tehran, Iran

    Nasour Bagheri

  5. School of Computer Science, Institute for Research in Fundamental Sciences (IPM), Tehran, Iran

    Nasour Bagheri

  6. Queensland University of Technology, Brisbane, Australia

    Praveen Gauravaram

Authors
  1. Mohamed Ahmed Abdelraheem
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Javad Alizadeh
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Hoda A. Alkhzaimi
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Mohammad Reza Aref
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Nasour Bagheri
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Praveen Gauravaram
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mohamed Ahmed Abdelraheem .

Editor information

Editors and Affiliations

  1. Luxembourg, Luxembourg

    Alex Biryukov

  2. Microsoft Research India, Banglore, India

    Vipul Goyal

Appendices

A Steps of the Key Recovery Attack on SIMON-32/64

Table 3. Step 1 of key recovery attack on SIMON-32/64
Full size table
Table 4. Step 2 of key recovery attack on SIMON-32/64
Full size table
Fig. 1.
figure 1

Adding some rounds to the 14-round linear hull for SIMON-32 / K (Color figure online).

Full size image
Table 5. Step 3 of key recovery attack on SIMON-32/64
Full size table
Table 6. Step 4 of key recovery attack on SIMON-32/64
Full size table
Table 7. Step 5 of key recovery attack on SIMON-32/64
Full size table

B Steps of the Key Recovery Attack on SIMON-48/96

$$\begin{aligned} \mathcal {V}_j&\!\!=\!\!&(X^{i}_L)[2,6,14,22] \!\oplus \! (X^{i}_R) [0] \!\oplus \! (K^i)[2,6,14,22] \!\oplus \! (K^{i-1})[0,4,12,20] \!\oplus \! (K^{i-2})[2,18] \\ \mathcal {W}_j= & {} (X^{i+18}_L)[0] \oplus (X^{i+18}_R) [2,6,14,16,22] \oplus (K^{i+19})[2,6,14,16,22] \\&\oplus (K^{i+20})[0,4,12,20] \oplus (K^{i+21})[2,18] \oplus (K^{i+22})[0] \end{aligned}$$
Fig. 2.
figure 2

Adding some rounds to the 17-round linear hull for SIMON-48 / 96 (Color figure online).

Full size image
Table 8. Step 1 of key recovery attack on SIMON-48/96
Full size table
Table 9. Step 2 of key recovery attack on SIMON-48/96
Full size table
Table 10. Step 3 of key recovery attack on SIMON-48/96
Full size table

C MIP Experiments

Table 11 shows the 30 sub approximations that have been used to estimate the squared correlations of the lower class trails. The experiments where the MIP solutions are limited to 512 trails per approximation took exactly 70125.382718 seconds which is less than 20 hrs using a standard laptop.

Table 12 shows the 30 sub approximations that have been used to estimate the squared correlations of the upper class trails. The experiments where the MIP solutions are limited to 512 trails per approximation took exactly 62520.033249 seconds which is less than 18 hrs using a standard laptop.

Table 11. Lower Class Trails found through our time-memory trade-off method, \(c^2_{i1} \equiv \) the squared correlation of the ith 11-round linear approximation with light trails found through the correlation matrix, \(c^2_{i2} \equiv \) the squared correlation of the ith 6-round linear approximation with heavy trails found through the MIP method, \(c^2_{i1}c^2_{i2}\equiv \) is the squared correlation of the ith 17-round linear approximation and \(\sum c^2_{i1}c^2_{i2}\) is the total estimated squared correlation of the lower class trails of our 17-round linear hull after including \(i \le 30\) linear approximations
Full size table
Table 12. Upper Class Trails found through our time-memory trade-off method, \(c^2_{i1} \equiv \) the squared correlation of the ith 6-round linear approximation with heavy trails found through the MIP method, \(c^2_{i2} \equiv \) the squared correlation of the ith 6-round linear approximation with light trails found through the correlation matrix, \(c^2_{i1}c^2_{i2}\equiv \) is the squared correlation of the ith 17-round linear approximation and \(\sum c^2_{i1}c^2_{i2}\) is the total estimated squared correlation of the upper class trails of our 17-round linear hull after including \(i \le 30\) linear approximations
Full size table

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Abdelraheem, M.A., Alizadeh, J., Alkhzaimi, H.A., Aref, M.R., Bagheri, N., Gauravaram, P. (2015). Improved Linear Cryptanalysis of Reduced-Round SIMON-32 and SIMON-48. In: Biryukov, A., Goyal, V. (eds) Progress in Cryptology -- INDOCRYPT 2015. INDOCRYPT 2015. Lecture Notes in Computer Science(), vol 9462. Springer, Cham. https://doi.org/10.1007/978-3-319-26617-6_9

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-26617-6_9

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26616-9

  • Online ISBN: 978-3-319-26617-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation