Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Related Work
Linear Cryptanalysis with Super Rounds
Experimental Verification
Summary of Experimental Results
Summary of Projected Results
Conclusions
References
All Topics
Computer Science
Cryptography

Linear Cryptanalysis of Reduced-Round Simon Using Super Rounds

Profile image of Reham SaudReham Saud

2020, Cryptography

https://doi.org/10.3390/CRYPTOGRAPHY4010009
visibility

description

34 pages

link

1 file

Abstract

We present attacks on 21-rounds of Simon 32/64, 21-rounds of Simon 48/96, 25-rounds of Simon 64/128, 35-rounds of Simon 96/144 and 43-rounds of Simon 128/256, often with direct recovery of the full master key without repeating the attack over multiple rounds. These attacks result from the observation that, after four rounds of encryption, one bit of the left half of the state of 32/64 Simon depends on only 17 key bits (19 key bits for the other variants of Simon). Further, linear cryptanalysis requires the guessing of only 16 bits, the size of a single round key of Simon 32/64. We partition the key into smaller strings by focusing on one bit of state at a time, decreasing the cost of the exhaustive search of linear cryptanalysis to 16 bits at a time for Simon 32/64. We also present other example linear cryptanalysis, experimentally verified on 8, 10 and 12 rounds for Simon 32/64.

Related papers

Predicting Outcomes of ElimLin Attack on Lightweight Block Cipher Simon
Nicolas Courtois

Proceedings of the 13th International Joint Conference on e-Business and Telecommunications, 2016

There are two major families in cryptanalytic attacks on symmetric ciphers: statistical attacks and algebraic attacks. In this position paper we argue that algebraic cryptanalysis has not yet been developed properly due to the weakness of the theory which has substantial difficulty to prove most basic results on the number of linearly independent equations in algebraic attacks. Consequently most authors present a restricted range of attacks which are shown experimentally to work with their computer but refrain from claiming results which would work on a larger computer but have not yet been tested. For example in recent 2015 work of Raddum we discover that (experimentally) ElimLin attack breaks up to 16 rounds of Simon block cipher however it is hard to know what happens for 17 rounds. In this paper we argue that one CAN predict and model the behavior of such attacks and evaluate complexity of the attacks which we cannot yet execute. To the best of our knowledge this has never been done before.

View PDFchevron_right
A Flexible and Compact Hardware Architecture for the SIMON Block Cipher
shylaja V karatangi

SIMON is a recent, light-weight block cipher developed by NSA. Previous work on SIMON shows that it is a very promising alternative of AES for resource-constrained platforms. While SIMON offers a range of block sizes and key lengths, a straightforward implementation would select fixed values in order to achieve a compact design. In contrast, we propose a flexible hardware architecture on FPGAs that still preserves the compactness of SIMON. The proposed implementation can execute all configurations of SIMON, and thus provides a versatile architecture that enables adaptive security using a variable key-size. Moreover, it also reduces the inefficiency of encrypting slightly longer messages by supporting a variable block-size. The implementation results show that the proposed architecture occupies 90 and 32 slices on Spartan-3 and Spartan-6 FPGAs, respectively. To our best knowledge, these area results are smaller than other block ciphers of similar security level. Furthermore, we also quantify the cost of flexibility and show the trade-off between the security level, throughput and area.

View PDFchevron_right
Division Property-Based Integral Attack on Reduced-Round SAND-128
ISECURE Journal

Volume 17, Issue 2, 2025

Given the rapid evolution of emerging technologies, such as the Internet of Things (IoT), there is a growing interest in lightweight block ciphers. This paper focuses on the security assessment of SAND-128, a newly proposed lightweight block cipher based on SIMON, recognized for its reliance on S-box-based security evaluation approaches. By employing Xiang's MILP-aided method for integral distinguisher search, this study utilizes a MILP optimizer to identify a 16-round integral characteristic for SAND-128 with nine balanced bits. Furthermore, by extending the distinguisher to 17 rounds utilizing a novel idea without an increase in data complexity, we propose a comprehensive 20-round integral attack on SAND-128, including the key recovery step. This attack leverages the partial sums technique, resulting in a time complexity of 2 119 , memory complexity of 2 76 bytes, and data complexity of 2 127. This cryptanalysis is, to the best of our knowledge, the best integral attack on reduced-round SAND-128 presented thus far.

View PDFchevron_right
Hardware Trojan on SIMON Architecture for Key Retrieval
sivappriya manivannan

2019

The need of an hour is the research on design and impacts of Hardware Trojan Horse in a crypto module to serve the purpose of secret key recovery. SIMON is a light weight block cipher that indulges to optimally work with hardware environment. Few papers have come up with the fault attack on SIMON cipher. In this paper, two bit toggle fault attack on 29\(^{th}\) round of the SIMON by intruding Hardware Trojan Horse is realized. The structural design of Hardware Trojan includes activation of two payloads with a single trigger. In consequence, the round key of SIMON cipher is retrieved by executing Differential Fault Analysis, using the fault free and completely faulty ciphertext. The power consumption of the SIMON design for both with and without Hardware Trojan is estimated using Simulation Activity Information File (.saif) on ZYNQ 7000 SoC family FPGA board and observed that there is minimal overhead of 1.32%. Provided, almost negligible difference of one LUT in area utilization is ...

View PDFchevron_right
Notes on the design and analysis of SIMON and SPECK
Louis Wingers

IACR Cryptology ePrint Archive, 2017

* This may not be wise; Zhang and Wu [ZW16] "conclude that it is not advisable for Simon-like ciphers to re-use the round function in the key schedule." Also, we note that a similar reduction in area is not obtained by this method for the five versions of Simon with two or three words of key. † An example of a nonlimiting cryptanalytic feature is the Boolean degree. Compare [ZWW16] and [CW15]: the best reduced-round attack based on degrees for Simon 64/128, for example, is an integral attack on 24 of 44 rounds, whereas the best linear attack works for 31 of 44 rounds. (We note that the 24-round attack is based on a 17-round distinguisher, and Xiang et al. [XZL16] give an 18-round distinguisher, so the 24-round attack likely extends to a 25-round attack.) ‡ 10% is surely an overestimate! Although we have not done the analysis, we suspect that the stepping would not be reduced at all.

View PDFchevron_right
Attack on Six Rounds of Crypton
Gert Bijnens

1999

In this paper we present an attack on a reduced round version of Crypton. The attack is based on the dedicated Square attack. We explain why the attack also works on Crypton and prove that the entire 256-bit user key for 6 rounds of Crypton can be recovered with a complexity of 256 encryptions, whereas for Srypton 272 encryptions are required to recover the 128-bit user key.

View PDFchevron_right
The SIMON and SPECK lightweight block ciphers
Louis Wingers

Proceedings of the 52nd Annual Design Automation Conference, 2015

The Simon and Speck families of block ciphers were designed specifically to offer security on constrained devices, where simplicity of design is crucial. However, the intended use cases are diverse and demand flexibility in implementation. Simplicity, security, and flexibility are ever-present yet conflicting goals in cryptographic design. This paper outlines how these goals were balanced in the design of Simon and Speck.

View PDFchevron_right
A Meet-in-the-Middle Attack on Reduced-Round Kalyna-b/2b
Riham AlTawy

IACR Cryptology ePrint Archive, 2015

Kalyna is an SPN-based block cipher that was selected during Ukrainian national public cryptographic competition (2007-2010), and its slight modification was approved as the new encryption standard of Ukraine (DSTU 7624:2014) in 2015. The cipher supports a block size and a key length of 128, 256 and 512 bits where the size of the key can be either double or equal to that of the block length. According to its designers, the cipher provides strength to several cryptanalytic methods after the fifth and sixth rounds of the 128-bit and 256-bit block versions, respectively. In this paper, we present a meet-in-the-middle attack on the 7-round reduced versions of Kalyna where the key size is double the block length. Our attack is based on the differential enumeration approach where we carefully deploy a four round distinguisher in the first four rounds to bypass the effect of the carry bits resulting from the pre-whitening modular key addition. We also exploit the linear relation between consecutive odd and even indexed round keys which enables us to attack seven rounds and recover all the round keys incrementally. The attack on Kalyna with 128-bit block has a data complexity of 2 89 chosen plaintexts, time complexity of 2 230.2 and a memory complexity of 2 202.64. The data, time and memory complexities of our attack on Kalyna with 256-bit block are 2 233 , 2 502.2 and 2 170 , respectively.

View PDFchevron_right
A Cube Attack on a Reduced-Round Sycon
Erzhena Tcydenova

Electronics

The cube attack was proposed at the 2009 Eurocrypt. The attack derives linear polynomials for specific output bits of a BlackBox cipher. Cube attacks target recovery keys or secret states. In this paper, we present a cube attack on a 5-round Sycon permutation and a 6-round Sycon permutation with a 320-bit state, whose rate occupies 96 bits, and whose capacity is 224 bits. We found cube variables related to a superpoly with a secret state. Within the cube variables, we recovered 32 bits of the secret state. The target algorithm was Sycon with 5-round and 6-round versions of permutation. For the 5-round Sycon, we found a cube variable and recovered a state with a total of 2192 Sycon computations and 237 bits of memory. For the 6-round Sycon, we found cube variables and recovered a state with a total of 2192 Sycon computations and 270 bits of memory. When using brute force in a 5-round attack, 2224 operations were required, but the cube attack proposed in this paper had 248 offline ope...

View PDFchevron_right
Meet-inthe-Middle Attacks on Round-reduced
Mohamed Tolba

2015

Khudra is a hardware-oriented lightweight block cipher that is designed to run efficiently on Field Programmable Gate Arrays. It employs an 18-rounds Generalized type-2 Feistel Structure with a 64bit block length and an 80-bit key. In this paper, we present Meet-inthe-Middle (MitM) attacks on 13 and 14 round-reduced Khudra. These attacks are based on finding a distinguisher that is evaluated offline independently of the key. Then in an online phase, some rounds are appended before and after the distinguisher and the correct key candidates for these rounds are checked whether they verify the distinguisher property or not. Using this technique, we find two 6-round distinguishers and use them to attack 13 and 14 rounds of Khudra with time complexity of 2 and 2, respectively. Both attacks require the same data and memory complexities of 2 chosen plaintexts and 2 64-bit blocks, respectively.

View PDFchevron_right

References (23)

  1. McKay, K.A.; Bassham, L.E.; Turan, M.S.; Mouha, N.W. Report on Lightweight Cryptography; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2017.
  2. Biryukov, A.; De Cannière, C.; Quisquater, M. On Multiple Linear Approximations. In Advances in Cryptology-CRYPTO 2004; Franklin, M., Ed.; Springer: Berlin/Heidelberg, Germany, 2004; pp. 1-22.
  3. Lee, J.; Koo, B.; Kim, W. Related-Key Linear Cryptanalysis on SIMON. IACR Cryptol. ePrint Arch. 2018, 2018, 152.
  4. Alizadeh, J.; AlKhzaimi, H.; Aref, M.R.; Bagheri, N.; Gauravaram, P.; Lauridsen, M.M. Improved Linear Cryptanalysis of Round Reduced SIMON. IACR Cryptol. ePrint Arch. 2014, 2014, 681.
  5. Alizadeh, J.; Alkhzaimi, H.A.; Aref, M.R.; Bagheri, N.; Gauravaram, P.; Kumar, A.; Lauridsen, M.M.; Sanadhya, S.K. Cryptanalysis of SIMON Variants with Connections. Radio Frequency Identification: Security and Privacy Issues; Saxena, N., Sadeghi, A.R., Eds.; Springer International Publishing: Cham, Switzerland, 2014; pp. 90-107.
  6. Ashur, T. Improved Linear Trails for the Block Cipher Simon. IACR Cryptol. ePrint Arch. 2015, 2015, 285.
  7. Chen, H.; Wang, X. Improved Linear Hull Attack on Round-Reduced Simon with Dynamic Key-Guessing Techniques. In Fast Software Encryption; Peyrin, T., Ed.; Springer: Berlin/Heidelberg, Germany, 2016; pp. 428-449.
  8. Hermelin, M.; Cho, J.Y.; Nyberg, K. Multidimensional Linear Cryptanalysis. J. Cryptol. 2019, 32, 1-34. [CrossRef]
  9. Beaulieu, R.; Shors, D.; Smith, J.; Treatman-Clark, S.; Weeks, B.; Wingers, L. The SIMON and SPECK Families of Lightweight Block Ciphers. IACR Cryptol. ePrint Arch. 2013, 2013, 404.
  10. Nyberg, K. Linear approximation of block ciphers. In Advances in Cryptology-EUROCRYPT '94; De Santis, A., Ed.; Springer: Berlin/Heidelberg, Germany, 1995; pp. 439-444.
  11. Ma, X.; Shi, D.; Hu, L.; Sun, S.; Song, L.; Qiao, K.; Ma, X. Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON. Sci. China Inf. Sci. 2017, 60, 39101.
  12. Sun, S.; Hua, L.; Wang, M.; Wang, P.; Qiao, K.; Ma, X.; Shi, D.; Ling Song, K.F. Towards Finding the Best Characteristics of Some Bit-oriented Block Ciphers and Automatic Enumeration of (Related-key) Differential and Linear Characteristics with Predefined Properties. Cryptol. ePrint Arch. 2014, 747, 2014.
  13. Abdelraheem, M.A.; Alizadeh, J.; Alkhzaimi, H.A.; Aref, M.R.; Bagheri, N.; Gauravaram, P. Improved Linear Cryptanalysis of Reduced-Round SIMON-32 and SIMON-48. In Progress in Cryptology-INDOCRYPT 2015;
  14. Wang, N.; Wang, X.; Jia, K.; Zhao, J. Differential attacks on reduced SIMON versions with dynamic key-guessing techniques. Sci. China Inf. Sci. 2018, 61. [CrossRef]
  15. Bogdanov, A.; Rijmen, V. Linear hulls with correlation zero and linear cryptanalysis of block ciphers. Des. Codes Cryptogr. 2014, 70, 369-383. [CrossRef]
  16. Yu, X.; Wu, W.; Shi, Z.; Zhang, J.; Zhang, L.; Wang, Y. Zero-Correlation Linear Cryptanalysis of Reduced-Round SIMON. J. Comput. Sci. Technol. 2015, 30, 1358-1369. [CrossRef]
  17. Wang, Q.; Liu, Z.; Varici, K.; Sasaki, Y.; Rijmen, V.; Todo, Y. Cryptanalysis of Reduced-Round SIMON32 and SIMON48. In Progress in Cryptology-INDOCRYPT 2014, Proceedings of the 15th International Conference on Cryptology in India, New Delhi, India, 14-17 December 2014; Lecture Notes in Computer Science; Meier, W., Mukhopadhyay, D., Eds.; Springer: Berlin/Heidelberg, Germany, 2014; Volume 8885, pp. 143-160. [CrossRef]
  18. Sun, L.; Fu, K.; Wang, M. Improved Zero-Correlation Cryptanalysis on SIMON. In Information Security and Cryptology; Lin, D., Wang, X., Yung, M., Eds.; Springer International Publishing: Cham, Switzerland, 2016; pp. 125-143.
  19. Abed, F.; List, E.; Lucks, S.; Wenzel, J. Differential Cryptanalysis of Round-Reduced Simon and Speck. In Fast Software Encryption; Cid, C., Rechberger, C., Eds.; Springer: Berlin/Heidelberg, Germany, 2015; pp. 525-545.
  20. Alizadeh, J.; Bagheri, N.; Gauravaram, P.; Kumar, A.; Sanadhya, S.K. Linear Cryptanalysis of Round Reduced SIMON. IACR Cryptol. ePrint Arch. 2013, 2013, 663.
  21. Daemen, J.; Rijmen, V. Two-Round AES Differentials. IACR Cryptol. ePrint Arch. 2006, 2006, 39.
  22. Kaliski, B.S.; Robshaw, M.J.B. Linear Cryptanalysis Using Multiple Approximations. In Advances in Cryptology-CRYPTO '94; Desmedt, Y.G., Ed.; Springer: Berlin/Heidelberg, Germany, 1994; pp. 26-39.
  23. Samajder, S.; Sarkar, P. Success probability of multiple/multidimensional linear cryptanalysis under general key randomisation hypotheses. Cryptogr. Commun. 2018, 10, 835-879. [CrossRef]

Related papers

Advanced Differential Cryptanalysis of Reduced-Round SIMON64/128 Using Large-Round Statistical Distinguishers
Nicolas Courtois

IACR Cryptol. ePrint Arch., 2015

Lightweight cryptography is a rapidly evolving area of research and it has great impact especially on the new computing environment called the Internet of Things (IoT) or the Smart Object networks (Holler et al., 2014), where lots of constrained devices are connected on the Internet and exchange information on a daily basis. Every year there are many new submissions of cryptographic primitives which are optimized towards both software and hardware implementation so that they can operate in devices which have limited resources of hardware and are subject to both power and energy consumption constraints. In 2013, two families of ultra-lightweight block ciphers were proposed, SIMON and SPECK, which come in a variety of block and key sizes and were designed to be optimized in hardware and software implementation respectively (Beaulieu et al., 2013). In this paper, we study the security of the 64-bit SIMON with 128-bit key against advanced forms of differential cryptanalysis using trunca...

View PDFchevron_right
Combined Algebraic and Truncated Differential Cryptanalysis on Reduced-round Simon
Nicolas Courtois

Proceedings of the 11th International Conference on Security and Cryptography, 2014

Recently, two families of ultra-lightweight block ciphers were proposed, SIMON and SPECK, which come in a variety of block and key sizes (Beaulieu et al., 2013). They are designed to offer excellent performance for hardware and software implementations (Beaulieu et al., 2013; Aysu et al., 2014). In this paper, we study the resistance of SIMON-64/128 with respect to algebraic attacks. Its round function has very low Multiplicative Complexity (MC) (Boyar et al., 2000; Boyar and Peralta, 2010) and very low non-linearity (Boyar et al., 2013; Courtois et al., 2011) since the only non-linear component is the bitwise multiplication operation. Such ciphers are expected to be very good candidates to be broken by algebraic attacks and combinations with truncated differentials (additional work by the same authors). We algebraically encode the cipher and then using guess-then-determine techniques, we try to solve the underlying system using either a SAT solver (Bard et al., 2007) or by ElimLin algorithm (Courtois et al., 2012b). We consider several settings where P-C pairs that satisfy certain properties are available, such as low Hamming distance or follow a strong truncated differential property (Knudsen, 1995). We manage to break faster than brute force up to 10(/44) rounds for most cases we have tried. Surprisingly, no key guessing is required if pairs which satisfy a strong truncated differential property are available. This reflects the power of combining truncated differentials with algebraic attacks in ciphers of low non-linearity and shows that such ciphers require a large number of rounds to be secure.

View PDFchevron_right
Using Simon's Algorithm to Attack Symmetric-Key Cryptographic Primitives
Thomas Santoli

arXiv (Cornell University), 2016

We present new connections between quantum information and the field of classical cryptography. In particular, we provide examples where Simon's algorithm can be used to show insecurity of commonly used cryptographic symmetric-key primitives. Specifically, these examples consist of a quantum distinguisher for the 3-round Feistel network and a forgery attack on CBC-MAC which forges a tag for a chosen-prefix message querying only other messages (of the same length). We assume that an adversary has quantum-oracle access to the respective classical primitives. Similar results have been achieved recently in independent work by Kaplan et al. [KLLNP16]. Our findings shed new light on the post-quantum security of cryptographic schemes and underline that classical security proofs of cryptographic constructions need to be revisited in light of quantum attackers.

View PDFchevron_right
Optimization of Block Cipher with SIMON
shylaja V karatangi

In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called blocks, with an unvarying transformation that is specified by a symmetric key. Block ciphers are important elementary components in the design of many cryptographic protocols, and are widely used to implement encryption of bulk data. A block cipher is a method of encrypting text (to produce cipher text) in which a cryptographic key and algorithm are applied to a block of data (for example, 64 contiguous bits) at once as a group rather than applying it to one bit at a time. The primary purpose of encryption is to protect the confidentiality of digital data stored on computer systems or transmitted via the Internet or other computer networks. A recent promising low-cost alternative of advanced encryption standard (AES) on reconfigurable platforms called the SIMON. It has been implemented as the construction of the round function and the key generation of SIMON, that enables bit-serial hardware architectures which can significantly reduce the cost. Encryption and decryption can be done using the same hardware and also propose the hardware architecture of the smallest block cipher ever published on field-programmable gate arrays (FPGAs) at 128-bit level of security.

View PDFchevron_right
Improved Linear Cryptanalysis of Round-Reduced ARIA
Mohamed Tolba

Lecture Notes in Computer Science, 2016

ARIA is an iterated SPN block cipher developed by a group of Korean cryptographers in 2003, established as a Korean standard in 2004 and added to the Transport Layer Security (TLS) supported cipher suites in 2011. It encrypts 128-bit blocks with either 128, 192, or 256bit key. In this paper, we revisit the security of round-reduced ARIA against linear cryptanalysis and present a 5-round linear hull using the correlation matrix approach to launch the first 8-round key recovery attack on ARIA-128 and improve the 9 and 11-round attacks on ARIA-192/256, respectively, by including the post whitening key. Furthermore, sin all our attacks, we manage to recover the secret master key. The (data in known plaintexts, time in round-reduced encryption operations, memory in 128-bit blocks) complexities of our attacks are (2 122.

View PDFchevron_right

Related topics

  • Mathematics
  • Computer Science
  • Cryptography
  • Linear Cryptanalysis
    • 580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved