1 Introduction

Lightweight primitives aim at finding an optimal compromise between efficiency, security and hardware performance. Lightweight ciphers have been used in many settings, such as RFID tags, smartcards and FPGAs, and their importance is likely to keep growing. In recent years, many lightweight ciphers have been developed, including KATAN [10], KLEIN [11], LED [12], Piccolo [15], PRESENT [8] and TWINE [17].

SIMON [6] is a family of lightweight block ciphers publicly released by the National Security Agency (NSA) in June 2013. NSA has publicly released three block ciphers to date: Skipjack, SIMON and SPECK. SIMON has been optimized for performance in hardware implementations, while its sister algorithm, SPECK [6], has been optimized for software implementations. Both families offer a variety of block sizes and key sizes for different implementations.

Many cryptanalytic results have been published on SIMON. The first differential cryptanalysis of SIMON was presented by Abed et al. in [1]. Biryukov et al. then improved the differential cryptanalysis of SIMON32, SIMON48 and SIMON64 by searching for better differential characteristics in [7]. Based on the differential distinguishers of Biryukov et al., Wang et al. improved the key recovery attacks on SIMON32, SIMON48 and SIMON64 [18]; their attack on 21-round SIMON32 is still the best attack up to now. In addition, Sun et al. identified better differential distinguishers for SIMON with MILP models in [16]. Impossible differential attacks against SIMON were first presented in [2]; improved impossible differential attacks on SIMON32 and SIMON48 were given in [19] and further improved by Boura et al. in [9].

For the integral attack, Wang et al. proposed the attack on 21-round SIMON32 in [19] based on a zero-sum integral distinguisher for 15-round SIMON32, which was obtained experimentally.

Zero-correlation linear cryptanalysis is a recent cryptanalytic method introduced by Bogdanov and Rijmen in [3]. It is based on linear approximations with correlation exactly zero (i.e. linear approximations that hold with probability exactly \(\frac{1}{2}\)). Multiple zero-correlation cryptanalysis was developed by Bogdanov and Wang in [4]; it builds a distinguisher from the fact that susceptible ciphers have numerous zero-correlation approximations. In [5], a more powerful distinguisher called the multidimensional zero-correlation distinguisher was introduced. Wang et al. also gave zero-correlation linear approximations for SIMON32 and SIMON48 in [19] and employed them to attack 20-round SIMON32, 20-round SIMON48/72 and 21-round SIMON48/96.

In this paper, we investigate the security of the whole SIMON family using zero-correlation linear cryptanalysis. For SIMON32 and SIMON48, the equivalent-key technique lets our attacks cover one more round than the previous zero-correlation attacks in [19]. We are the first to give zero-correlation linear approximations for SIMON64, SIMON96 and SIMON128, and we use these approximations to attack the corresponding ciphers.

Our Contributions. Our contributions can be summarized as follows:

  • Based on the 11-round zero-correlation distinguisher for SIMON32 and the 12-round zero-correlation distinguisher for SIMON48, we use the equivalent-key technique (i.e. moving the subkey to the left side of the round function) to improve the key recovery attacks on SIMON32 and SIMON48. As a result, we can attack 21-round SIMON32, 21-round SIMON48/72 and 22-round SIMON48/96. The equivalent-key technique has been widely used in key-recovery attacks; it reduces the number of guessed subkey bits by replacing the subkeys used in the cipher with equivalent subkeys. A similar technique was used by Isobe in [13], with one difference: because in SIMON the subkey is XORed after the non-linear function, the condition in [13] that some parts of the plaintext be fixed is not needed here.

  • We give 13-, 16- and 19-round zero-correlation linear approximations for SIMON64, SIMON96 and SIMON128, respectively, and use them to analyse the security of the corresponding ciphers. We are the first to give zero-correlation linear cryptanalysis of SIMON64, SIMON96 and SIMON128.

Our results along with the previous zero-correlation attacks on SIMON32 and SIMON48 are listed in Table 1.

Table 1. Summary of zero-correlation attacks on SIMON

Outline. The remainder of this paper is organized as follows. Section 2 gives a brief description of SIMON and a general introduction of zero-correlation linear cryptanalysis. Section 3 presents the zero-correlation linear distinguishers used in the following attacks. Section 4 covers the zero-correlation attacks on the whole family of SIMON. Finally, we conclude the paper in Sect. 5.

2 Preliminaries

2.1 Brief Description of SIMON

SIMON [6] is a family of lightweight block ciphers publicly released by the National Security Agency (NSA) in June 2013. SIMON offers users a variety of block sizes and key sizes for different implementations. Table 2 lists the different block and key sizes, in bits, for SIMON.

Table 2. SIMON parameters
Fig. 1. Round function of SIMON

SIMON is a two-branch balanced Feistel network built from three operations: bitwise AND (&), XOR (\(\oplus \)) and left rotation (\(\lll \)). We denote the input of the i-th round by \((L_{i}, R_{i}), i = 0, 1, \ldots , r-1\). In round i, \((L_{i}, R_{i})\) is updated to \((L_{i+1}, R_{i+1})\) using the function \( F(x) = \big((x \lll 1) \, \& \, (x \lll 8)\big) \oplus (x \lll 2)\) as follows:

$$\begin{aligned} L_{i+1} &= F(L_{i}) \oplus R_{i} \oplus rk_{i},\\ R_{i+1} &= L_{i}. \end{aligned}$$

The output of the last round \((L_{r}, R_{r})\) is the ciphertext. An illustration of the round function is depicted in Fig. 1.

The key schedule of SIMON uses an LFSR-like procedure to generate the r subkeys \(rk_{0}, rk_{1}, \ldots , rk_{r-1}\). There are three slightly different key schedules, depending on the number of words (\(\omega \)) in the master key. The first \(\omega \) subkeys \(rk_{0}, rk_{1}, \ldots , rk_{\omega -1}\) are the words of the master key, and the remaining subkeys are generated as follows:

$$\begin{aligned} rk_{i+\omega }&= c \oplus (z_{j})_{i} \oplus rk_{i} \oplus Y \oplus (Y \ggg 1),\\ Y&= \left\{ \begin{array}{ll} rk_{i+1}\ggg 3 &{} \text {if}~ \omega = 2\\ rk_{i+2}\ggg 3 &{} \text {if}~ \omega = 3\\ rk_{i+1} \oplus (rk_{i+3}\ggg 3) &{} \text {if}~ \omega = 4. \end{array} \right. \end{aligned}$$

Here, c is the constant 0xff \(\ldots \) fc (i.e. \(2^{n}-4\) for word size n), and \((z_{j})_{i}\) denotes the i-th bit of one of the five constant period-62 sequences \(z_{0}, z_{1}, z_{2}, z_{3}\) and \(z_{4}\); which sequence is used depends on the parameter set. Since every step of the schedule is invertible, the master key can be derived from any sequence of \(\omega \) consecutive subkeys. For more information, please refer to [6].
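The following is an added reference implementation, not code from the paper or from the SIMON designers. It implements the round function and the key schedule of this section for all SIMON parameter sets (the round counts and the assignment of the \(z_{j}\) sequences to parameter sets are taken from the SIMON specification [6]), checks the SIMON32/64 known-answer test from that specification, and inverts the schedule to recover the master key from \(\omega \) consecutive subkeys, which is the last step of the key recovery attacks in Sect. 4. The sample key and plaintext used in the round-trip check at the bottom are constructed here.

```python
"""SIMON reference implementation: round function, key schedule and schedule inversion.

Added example, not code from the paper or from the SIMON designers.  Round
counts and the z_j sequence used by each parameter set are taken from the
SIMON specification [6]; everything else follows Sect. 2.1 of the paper.
"""

# (block size 2n, number of key words omega) -> (rounds r, index j of z_j)
PARAMS = {
    (32, 4): (32, 0),
    (48, 3): (36, 0), (48, 4): (36, 1),
    (64, 3): (42, 2), (64, 4): (44, 3),
    (96, 2): (52, 2), (96, 3): (54, 3),
    (128, 2): (68, 2), (128, 3): (69, 3), (128, 4): (72, 4),
}

# The five period-62 constant sequences z_0 .. z_4; (z_j)_i is Z[j][i].
Z = [
    "11111010001001010110000111001101111101000100101011000011100110",
    "10001110111110010011000010110101000111011111001001100001011010",
    "10101111011100000011010010011000101000010001111110010110110011",
    "11011011101011000110010111100000010010001010011100110100001111",
    "11010001111001101011011000100000010111000011001010010011101111",
]


class Simon:
    def __init__(self, block_size, key_words):
        self.n = block_size // 2          # word size n
        self.omega = key_words            # number of key words (omega)
        self.mask = (1 << self.n) - 1
        self.rounds, j = PARAMS[(block_size, key_words)]
        self.z = Z[j]
        self.c = self.mask ^ 3            # constant c = 0xff...fc = 2^n - 4

    def rol(self, x, k):
        return ((x << k) | (x >> (self.n - k))) & self.mask

    def ror(self, x, k):
        return ((x >> k) | (x << (self.n - k))) & self.mask

    def f(self, x):
        """F(x) = ((x <<< 1) & (x <<< 8)) ^ (x <<< 2)."""
        return (self.rol(x, 1) & self.rol(x, 8)) ^ self.rol(x, 2)

    def _mix(self, i, middle):
        """c ^ (z_j)_i ^ Y ^ (Y >>> 1), with middle = [rk_{i+1}, ..., rk_{i+omega-1}].

        rk_{i+omega} = rk_i ^ _mix(i, middle): the step XORs rk_i with a value
        that depends only on the other subkeys, so it can be run backwards.
        """
        if self.omega == 2:
            y = self.ror(middle[0], 3)
        elif self.omega == 3:
            y = self.ror(middle[1], 3)
        else:
            y = middle[0] ^ self.ror(middle[2], 3)
        return self.c ^ int(self.z[i % 62]) ^ y ^ self.ror(y, 1)

    def expand_key(self, master_key):
        """master_key = [rk_0, ..., rk_{omega-1}]; returns all r round subkeys."""
        rk = list(master_key)
        for i in range(self.rounds - self.omega):
            rk.append(rk[i] ^ self._mix(i, rk[i + 1:i + self.omega]))
        return rk

    def recover_master_key(self, start, window):
        """Invert the schedule: from rk_start..rk_{start+omega-1} back to rk_0..rk_{omega-1}."""
        rk = dict(zip(range(start, start + self.omega), window))
        for i in range(start - 1, -1, -1):
            middle = [rk[i + t] for t in range(1, self.omega)]
            rk[i] = rk[i + self.omega] ^ self._mix(i, middle)
        return [rk[t] for t in range(self.omega)]

    def encrypt(self, rk, left, right):
        """r rounds of (L, R) -> (F(L) ^ R ^ rk_i, L)."""
        for i in range(self.rounds):
            left, right = self.f(left) ^ right ^ rk[i], left
        return left, right

    def decrypt(self, rk, left, right):
        for i in reversed(range(self.rounds)):
            left, right = right, self.f(right) ^ left ^ rk[i]
        return left, right


def simon32_64_kat():
    """Known-answer test from the SIMON specification: key 1918 1110 0908 0100
    (written rk_3 ... rk_0), plaintext 6565 6877, ciphertext c69b e9bb."""
    cipher = Simon(32, 4)
    rk = cipher.expand_key([0x0100, 0x0908, 0x1110, 0x1918])
    return cipher.encrypt(rk, 0x6565, 0x6877) == (0xC69B, 0xE9BB)


if __name__ == "__main__":
    print("SIMON32/64 KAT:", "ok" if simon32_64_kat() else "FAILED")
    cipher = Simon(32, 4)
    rk = cipher.expand_key([0x0100, 0x0908, 0x1110, 0x1918])
    # Any omega consecutive subkeys (here rk_10..rk_13) determine the master key.
    print("master key from rk_10..rk_13:",
          [hex(k) for k in cipher.recover_master_key(10, rk[10:14])])
```

`recover_master_key` is the operation behind the sentence "compute all bits of the master key by inverting the key schedule" in Sect. 4: once an attack has recovered \(\omega \) consecutive subkeys, the remaining schedule steps are walked backwards at negligible cost.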

2.2 Zero-Correlation Linear Cryptanalysis

Zero-correlation linear cryptanalysis is a recent cryptanalytic method introduced by Bogdanov and Rijmen in [3]. It is based on linear approximations with correlation exactly zero (i.e. linear approximations that hold with probability exactly \(\frac{1}{2}\)). Multiple zero-correlation cryptanalysis was developed by Bogdanov and Wang in [4]; it builds a distinguisher from the fact that susceptible ciphers have numerous zero-correlation approximations. In [5], a more powerful distinguisher called the multidimensional zero-correlation distinguisher was introduced.

Although multiple and multidimensional zero-correlation cryptanalysis perform better than basic zero-correlation linear cryptanalysis on various ciphers, they are not appropriate for SIMON: both are better suited to word-oriented ciphers such as AES, Skipjack and CAST-256, whereas the round function of SIMON is bit-oriented.

The following Theorem is useful for computing the success probability of zero-correlation linear cryptanalysis.

Theorem 1

([3, Proposition 3]). For a non-trivial linear approximation of a randomly drawn n-bit permutation, the probability that its correlation is exactly 0 can be approximated by \(\frac{1}{\sqrt{2\pi }}2^{\frac{4-n}{2}}\) for \(n \ge 5\).

Based on a linear approximation of correlation zero, a technique similar to Matsui’s Algorithm 2 [14] can be used for key recovery. Let the adversary have \(2^{n}\) plaintext-ciphertext pairs (the full codebook) and a zero-correlation linear approximation \(\alpha \rightarrow \beta \) for a part of the cipher. The linear approximation is placed in the middle of the attacked cipher. Let E and D be the partial intermediate states of the data transform at the boundaries of the linear approximation (see Fig. 2). The key can then be recovered as follows:

Fig. 2. Key recovery in zero-correlation linear cryptanalysis

  1. Guess the bits of the key needed to compute E and D. For each guess:

     (a) Partially encrypt the plaintexts and partially decrypt the ciphertexts up to the boundaries of the zero-correlation linear approximation \(\alpha \rightarrow \beta \).

     (b) Estimate the correlation c of the linear approximation \(\alpha \rightarrow \beta \) for the key guess from the partially encrypted and decrypted values E and D by counting how many times \(\langle \alpha , E \rangle + \langle \beta , D \rangle \) is zero over the \(2^{n}\) plaintext-ciphertext pairs.

     (c) Perform a test on the estimated correlation c to tell whether the estimated value of c is compatible with the hypothesis that the actual value of c is zero (with the full codebook, the count in (b) must be exactly \(2^{n-1}\)).

  2. Test the surviving key candidates against a necessary number of plaintext-ciphertext pairs.
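As an added illustration of steps 1(b)–1(c) and of Theorem 1 (this code is not part of the paper), the following implements the "correlation exactly zero" filter for arbitrary partial states E and D and then checks the wrong-key survival probability of Theorem 1 in two ways: exactly, through the hypergeometric distribution of the count (the derivation is in the docstring), and empirically on random permutations, which is the model Theorem 1 assumes for a wrong key guess. The masks \(\alpha = \beta = 1\), the seed and the sample inputs are chosen here for the demonstration only.

```python
"""Zero-correlation filter and its false-positive rate (Theorem 1).

Added example, not from the paper.  For a wrong key guess the map from E to D
behaves like a random permutation, so the probability that a wrong guess
survives the "correlation exactly zero" test is the value given by Theorem 1.
"""
import math
import random


def parity(x):
    """<mask, value> over GF(2), i.e. the parity of the popcount."""
    return bin(x).count("1") & 1


def correlation_is_zero(pairs, alpha, beta):
    """Steps 1(b)-(c): count how often <alpha,E> + <beta,D> = 0 over all pairs.

    With the full codebook, a zero-correlation approximation gives a count of
    exactly half the pairs, so the decision is an equality check rather than a
    statistical threshold.  Returns (survives, count).
    """
    n_pairs = 0
    zeros = 0
    for e, d in pairs:
        n_pairs += 1
        zeros += 1 ^ (parity(alpha & e) ^ parity(beta & d))
    return zeros * 2 == n_pairs, zeros


def theorem1_probability(n):
    """Theorem 1: Pr[correlation = 0] for a random n-bit permutation, n >= 5."""
    return 2 ** ((4 - n) / 2) / math.sqrt(2 * math.pi)


def exact_probability(n):
    """Exact value behind Theorem 1.

    Let a = #{x : <alpha,x> = 0 and <beta,pi(x)> = 0}.  Because pi is a
    permutation, exactly 2^(n-1) inputs have <alpha,x> = 0 and exactly 2^(n-1)
    outputs have <beta,pi(x)> = 0, so the number of x with
    <alpha,x> + <beta,pi(x)> = 0 equals 2a, and the correlation is zero iff
    a = 2^(n-2).  For a uniformly random pi, a is hypergeometric:
    Pr[a = K/2] = C(K, K/2)^2 / C(N, K) with N = 2^n and K = 2^(n-1).
    Theorem 1 is the Stirling approximation of this quantity.
    """
    N, K = 1 << n, 1 << (n - 1)
    return math.comb(K, K // 2) ** 2 / math.comb(N, K)


def wrong_key_survival_rate(n, trials, seed=1):
    """Monte Carlo: fraction of random n-bit permutations that pass the filter
    for the fixed masks alpha = beta = 1 (any non-zero masks behave alike)."""
    rng = random.Random(seed)          # fixed seed: reproducible demonstration
    domain = list(range(1 << n))
    survivors = 0
    for _ in range(trials):
        perm = domain[:]
        rng.shuffle(perm)              # a uniformly random n-bit permutation
        survives, _ = correlation_is_zero(zip(domain, perm), 1, 1)
        survivors += survives
    return survivors / trials


if __name__ == "__main__":
    for n in (8, 12, 16):
        print(f"n={n}: Theorem 1 {theorem1_probability(n):.5f}, exact {exact_probability(n):.5f}")
    print("n=32 (SIMON32): 2^%.2f" % math.log2(theorem1_probability(32)))
    print("n=8 Monte Carlo:", wrong_key_survival_rate(8, 3000))
```

For SIMON32 the function returns \(2^{-15.33}\), the filtering probability used in Sect. 4.1; the exact hypergeometric value and the Monte Carlo estimate both agree with Theorem 1 to within a few tenths of a percent already at n = 8.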

3 Zero-Correlation Linear Distinguishers of SIMON

3.1 Zero-Correlation Linear Distinguisher of SIMON32

For SIMON32, we use the 11-round zero-correlation linear distinguisher in [19], which is shown in Fig. 3. The input mask is (0x0001,0x0000) and the output mask is (0x0000,0x0080). The ‘0’ at bottom left and the ‘1’ at top right (in red) constitute the contradiction that ensures zero correlation.

Fig. 3. Zero-correlation linear approximation of 11-round SIMON32. (Color figure online)

3.2 Zero-Correlation Linear Distinguisher of SIMON48

Similarly, by using the 12-round zero-correlation linear distinguisher in [19], we can mount the key recovery attacks on 21-round SIMON48/72 and 22-round SIMON48/96. The distinguisher used in the following attacks is shown in Fig. 4. The input mask is (0x000001,0x000000) and the output mask is (0x000000,0x000002). The ‘0’ at bottom left and the ‘1’ at top right (in red) constitute the contradiction that ensures zero correlation.

Fig. 4. Zero-correlation linear approximation of 12-round SIMON48. (Color figure online)

3.3 Zero-Correlation Linear Distinguishers of SIMON64, SIMON96 and SIMON128

In order to attack SIMON64/96/128, we first construct 13-, 16- and 19-round zero-correlation linear approximations for SIMON64, SIMON96 and SIMON128 by applying the miss-in-the-middle technique; they are shown in Figs. 5, 6 and 7, respectively.

Fig. 5. Zero-correlation linear approximation of 13-round SIMON64.

Fig. 6. Zero-correlation linear approximation of 16-round SIMON96.

Fig. 7. Zero-correlation linear approximation of 19-round SIMON128.

4 Zero-Correlation Linear Cryptanalysis of SIMON

In this section, we investigate the security of the whole SIMON family using zero-correlation linear cryptanalysis. We use the 11- and 12-round zero-correlation linear approximations of SIMON32 and SIMON48 from [19] to present key recovery attacks on 21-round SIMON32, 21-round SIMON48/72 and 22-round SIMON48/96. We also utilize the distinguishers presented in Sect. 3.3 to attack SIMON64, SIMON96 and SIMON128.

4.1 Zero-Correlation Linear Cryptanalysis of SIMON32

In this section, we use the 11-round zero-correlation linear distinguisher (See Fig. 3) in [19] to attack 21-round SIMON32. As shown in Fig. 8, we can add five rounds before the distinguisher and append five rounds after the distinguisher (i.e. the zero-correlation distinguisher starts from the 5-th round and ends at the 15-th round, with round number starting from 0). In this way, we can attack 21-round SIMON32.

Equivalent-Subkey Technique. The equivalent-subkey technique has been widely used in key-recovery attacks. It reduces the number of guessed subkey bits by replacing the original subkeys with equivalent subkeys. A similar technique was used by Isobe in [13], with one difference: because in SIMON the subkey is XORed after the non-linear function, the condition in [13] that some parts of the plaintext be fixed is not needed here.

In order to reduce the number of guessed subkey bits in the key recovery process, we move the subkey \(rk_{i}\) of the i-th round to the \((i+1)\)-th round, \((i=0, 1, 2, 3, 4)\), to get the equivalent subkey \(K^{i}\), see Fig. 8 (a). For example, \(K^{0}\) in Fig. 8 (a) is equal to \(rk_{0}\), and \(K^{1}\) is equal to \((rk_{0}\lll 2)\,\oplus \,rk_{1}\) and so forth. Note that \(K^{4}\) is located in the distinguisher and doesn’t need to be guessed. In Fig. 8 (a), we only list the guessed bits for \(K^{i}\), \(0 \le i \le 3\). Similarly, we can move the subkey \(rk_{i}\) of the i-th round to the \((i-1)\)-th round, \((i=16, 17, 18, 19, 20)\), to get the equivalent subkey \(K^{i}\), see Fig. 8 (b). Again, \(K^{16}\) is located in the distinguisher and doesn’t need to be guessed. In Fig. 8 (b), we only list the guessed bits for \(K^{i}\), \(17 \le i \le 20\).

Fig. 8. Key recovery attack on 21-round SIMON32.

Key Recovery Process for SIMON32. In the following, \(R_{i}\) denotes the output of the i-th round. \(R_{i,\{j\}}\) denotes the j-th bit of the \(R_{i}\). \(L_{i,\{j\}}\) is defined in a similar way. Note the bit position starts from ‘0’.

Firstly, we guess a part of the equivalent subkeys \(K^{17}\), \(K^{18}\), \(K^{19}\) and \(K^{20}\) (the concrete guessed key bits are shown in Fig. 8 (b)) and partially decrypt the ciphertext up to the state \(R_{16,\{7\}}\). Next, we guess a part of the equivalent subkeys \(K^{0}\), \(K^{1}\), \(K^{2}\), \(K^{3}\) (the concrete guessed key bits are shown in Fig. 8 (a)) and partially encrypt the plaintext to the state \(L_{5,\{0\}}\). We count the number of occurrences of the event that \(L_{5,\{0\}}\) \(\parallel \) \(R_{16,\{7\}}\) is equal to “00” or “11”. If the number of occurrences is exactly \(2^{31}\), we keep the guessed 58-bit subkey as a possible subkey candidate, and discard it otherwise. At this point, 58 subkey bits have been guessed, namely \(K^{0}_{\{0,2-7,9-14\}}\), \(K^{2}_{\{4-6,8,11-15\}}\), \(K^{3}_{\{0,6,7,13,14\}}\), \(K^{4}_{\{8,15\}}\), \(K^{17}_{\{6,15\}}\), \(K^{18}_{\{4,5,7,13,14\}}\), \(K^{19}_{\{2-6,11-13,15\}}\) and \(K^{20}_{\{0-5,7,9-14\}}\).

From Theorem 1, the probability that a wrong subkey guess survives the above procedure can be approximated by \(\frac{1}{\sqrt{2\pi }}2^{\frac{4-32}{2}} \approx 2^{-15.33}\). Thus, \(2^{58} \times 2^{-15.33} = 2^{42.67}\) subkey candidates will be left. After that, we guess the 6-bit subkey \(K^{0}_{\{1,8,15\}}\) \(\parallel \) \(K^{1}_{\{0,1,2\}}\) and obtain the remaining 29 bits \(K^{1}_{\{3,7,9,10\}}\parallel K^{2}_{\{1-5,8-12,15\}}\parallel K^{3}_{\{0-7,9-14\}}\) by solving the linear equations with Gaussian elimination. Finally, we compute all bits of the master key by inverting the key schedule and check the correctness using at most two plaintext-ciphertext pairs. We express this procedure in Algorithm 1.

Algorithm 1 (image not reproduced)
Table 3. Procedure of subkey recovery for SIMON32
Table 4. Explanation of symbols used in subkey recovery of SIMON32

Complexity of Attack. The data complexity for the attack on SIMON32 is \(2^{32}\) known plaintexts.

In this attack, the dominant term for the memory complexity is the term used to store \(2^{31}\) 8-bit counters \(T_{0}[\varvec{X_{1}^{32}}]\), which makes the memory complexity be \(2^{31}\) bytes.

The time complexity of each step of the subkey recovery procedure is listed in Table 3. Overall, the time complexity of the subkey recovery procedure is \(2^{59.42}\) 21-round SIMON32 encryptions. In the master key recovery phase, solving 29 linear equations in 29 variables by Gaussian elimination needs about \(\frac{1}{3}\cdot 29^{3} \approx 8130\) bit-XOR operations, which corresponds to \(\frac{8130}{16\cdot 4\cdot 21} \approx 2^{2.60}\) 21-round SIMON32 encryptions (there are three XOR operations and one AND operation in the round function of SIMON; for simplicity, we count them as four XOR operations on 16-bit words). Thus the time complexity of the master key recovery phase is approximately \(2^{42.67} \times 2^{5} \times 2^{2.60} + 2^{42.67} \times 2^{5} \times (1 + 2^{-32}) \approx 2^{50.49}\) 21-round SIMON32 encryptions, and the total time complexity of this attack is about \( 2^{59.42}\) 21-round SIMON32 encryptions.

Fig. 9. Key recovery attack on 21-round SIMON48/72.

4.2 Zero-Correlation Linear Cryptanalysis of SIMON48

Similarly, by using the 12-round zero-correlation linear distinguisher (See Fig. 4) in [19], we can mount key recovery attacks on 21-round SIMON48/72 and 22-round SIMON48/96.

Key Recovery Attack on 21-Round SIMON48/72. As shown in Fig. 9, we can add five rounds before the distinguisher and append four rounds after it. In this way, we can attack 21-round SIMON48/72. We only list the guessed subkey bits in Fig. 9. The detailed attack procedure is given in Algorithm 2.

Algorithm 2 (image not reproduced)

The data complexity for the attack on SIMON48/72 is \(2^{48}\) known plaintexts.

In this attack, the dominant term for the memory complexity is the term used to store \(2^{43}\) 8-bit counters \(T_{0}[\varvec{X_{1}^{48,72}}]\), which makes the memory complexity be \(2^{43}\) bytes.

From Table 5, the time complexity for subkey recovery is about \(2^{61.87}\) 21-round SIMON48/72 encryptions. In Algorithm 2, Gaussian elimination is performed \(2^{30.67} \cdot 2^{18} = 2^{48.67}\) times, which is negligible compared to \(2^{61.87}\) 21-round encryptions. The subsequent check of the surviving candidates with two plaintext-ciphertext pairs is negligible as well. Thus, the total time complexity is about \(2^{61.87}\) 21-round SIMON48/72 encryptions.

Table 5. Procedure of subkey recovery for SIMON\(48/72^{\dag }\)
Table 6. Explanation of symbols used in subkey recovery of SIMON48/72
Fig. 10. Key recovery attack on 22-round SIMON48/96.

Key Recovery Attack on 22-Round SIMON48/96. As shown in Fig. 10, we can add five rounds before the distinguisher and append five rounds after it. In this way, we can attack 22-round SIMON48/96. We only list the guessed subkey bits in Fig. 10. The detailed attack procedure is given in Algorithm 3.

Algorithm 3 (image not reproduced)
Table 7. Procedure of subkey recovery for SIMON\(48/96^{\dag }\)
Table 8. Explanation of symbols used in subkey recovery of SIMON48/96

The data complexity for the attack on SIMON48/96 is \(2^{48}\) known plaintexts.

In this attack, the dominant term for the memory complexity is the storage of \(2^{43}\) 8-bit counters \(T_{0}[\varvec{X_{1}^{48,96}}]\), which makes the memory complexity \(2^{43}\) bytes.

From Table 7, the time complexity for subkey recovery is about \(2^{80.54}\) 22-round SIMON48/96 encryptions. In Algorithm 3, Gaussian elimination is performed \(2^{48.67} \cdot 2^{24} = 2^{72.67}\) times, which is negligible compared to \(2^{80.54}\) 22-round encryptions. The subsequent check of the surviving candidates with two plaintext-ciphertext pairs is negligible as well. Thus, the total time complexity is about \(2^{80.54}\) 22-round SIMON48/96 encryptions.

4.3 Zero-Correlation Linear Cryptanalysis of SIMON64, SIMON96 and SIMON128

We can use the zero-correlation linear approximations shown in Figs. 5, 6 and 7 to attack SIMON64, SIMON96 and SIMON128, respectively. Since the attack procedures are similar to those above, we only list the attack results in Table 9.

Table 9. Summary of ZC linear attack results on SIMON

5 Conclusion

In this paper, we study the security of the whole SIMON family using zero-correlation linear cryptanalysis. We improve the previous zero-correlation attacks on SIMON32 and SIMON48. Moreover, we present 13-, 16- and 19-round zero-correlation linear approximations for SIMON64, SIMON96 and SIMON128, respectively, and use them to attack the corresponding ciphers. We are the first to give zero-correlation linear cryptanalysis of SIMON64, SIMON96 and SIMON128.