On the Design Rationale of Simon Block Cipher: Integral Attacks and Impossible Differential Attacks against Simon Variants

Simon is a lightweight block cipher designed by the NSA in 2013. The NSA presented the specification and the implementation efficiency, but provided neither a detailed security analysis nor the design rationale. The original Simon has rotation constants (1, 8, 2); Kölbl et al. treated the constants as a parameter (a, b, c) and analyzed the security of the Simon block cipher variants against differential and linear attacks for all choices of (a, b, c). This paper complements the result of Kölbl et al. by considering integral and impossible differential attacks. First, we search for the number of rounds covered by integral distinguishers using a supercomputer. Our search algorithm follows the previous approach of Wang et al.; however, we introduce a new choice of the set of plaintexts satisfying the integral property, and we show that the new choice indeed extends the number of rounds for several parameters. We also search for the number of rounds covered by impossible differential characteristics based on the miss-in-the-middle approach. Finally, we compare all parameters using our results and the observations of Kölbl et al. Several interesting observations are obtained; for instance, we find that the parameters that are optimal with respect to resistance against differential attacks are not stronger than the original parameter with respect to integral and impossible differential attacks. We also obtain a parameter that is better than the original parameter with respect to security against all four of these attacks.
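The following is an added illustration, not code from the paper or from the Simon designers: it implements the Simon round function with the rotation constants as a parameter (a, b, c) on Simon32-sized 16-bit words and runs the elementary form of the integral check the abstract refers to, encrypting a set of plaintexts in which chosen bits take all values and testing whether every ciphertext bit XOR-sums to zero. It assumes constructed round keys from a seeded PRNG rather than Simon's key schedule (XOR with any key preserves balance), and the names `rol`, `round_fn`, `encrypt`, `decrypt`, `round_keys` and `balanced_rounds` are this example's own.

```python
import random

N = 16                      # word size of Simon32, the smallest Simon variant
MASK = (1 << N) - 1

def rol(x, r):
    """Rotate an N-bit word left by r positions."""
    r %= N
    return ((x << r) | (x >> (N - r))) & MASK

def round_fn(x, abc):
    """Simon's non-linear function for rotation constants (a, b, c); the original cipher uses (1, 8, 2)."""
    a, b, c = abc
    return (rol(x, a) & rol(x, b)) ^ rol(x, c)

def encrypt(x, y, keys, abc):
    """Apply len(keys) Feistel rounds: (x, y) -> (y ^ F(x) ^ k, x)."""
    for k in keys:
        x, y = y ^ round_fn(x, abc) ^ k, x
    return x, y

def decrypt(x, y, keys, abc):
    """Inverse of encrypt: undo the rounds in reverse order."""
    for k in reversed(keys):
        x, y = y, x ^ round_fn(y, abc) ^ k
    return x, y

def round_keys(rounds, seed=1):
    """Constructed round keys from a seeded PRNG (assumption: not Simon's real key schedule)."""
    rng = random.Random(seed)
    return [rng.getrandbits(N) for _ in range(rounds)]

def balanced_rounds(active_bits, abc, max_rounds=12, seed=1):
    """Count consecutive rounds r = 1, 2, ... after which all 2N ciphertext bits are balanced
    (XOR-sum zero) over the 2^d plaintexts.  active_bits are positions in the 2N-bit block
    (x << N) | y that take all values; every other bit is held at a seeded constant."""
    keys = round_keys(max_rounds, seed)
    active_mask = sum(1 << p for p in active_bits)
    base = random.Random(seed + 1).getrandbits(2 * N) & ~active_mask
    for r in range(1, max_rounds + 1):
        xor_sum = 0
        for v in range(1 << len(active_bits)):
            blk = base
            for i, p in enumerate(active_bits):
                blk |= ((v >> i) & 1) << p          # place the i-th active bit at position p
            x, y = encrypt(blk >> N, blk & MASK, keys[:r], abc)
            xor_sum ^= (x << N) | y
        if xor_sum:                                  # some output bit is no longer balanced
            return r - 1
    return max_rounds
```

With d active bits, the algebraic degree of any output bit after r rounds is at most 2^(r-1), so the check is guaranteed to report at least three balanced rounds for d = 8; the search in the paper goes far beyond this by choosing larger and more structured plaintext sets.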

[1] Lei Hu et al. Constructing Mixed-integer Programming Models whose Feasible Region is Exactly the Set of All Valid Differential Characteristics of SIMON. IACR Cryptol. ePrint Arch., 2015.

[2] Jason Smith et al. SIMON and SPECK: Block Ciphers for the Internet of Things. IACR Cryptol. ePrint Arch., 2015.

[3] María Naya-Plasencia et al. Scrutinizing and Improving Impossible Differential Attacks: Applications to CLEFIA, Camellia, LBlock and Simon (Full Version). IACR Cryptol. ePrint Arch., 2014.

[4] Ning Wang et al. Differential attacks on reduced SIMON versions with dynamic key-guessing techniques. Science China Information Sciences, 2017.

[5] Bo Zhu et al. The Simeck Family of Lightweight Block Ciphers. CHES, 2015.

[6] Xiaoyun Wang et al. Improved Linear Hull Attack on Round-Reduced Simon with Dynamic Key-Guessing Techniques. FSE, 2015.

[7] Nasour Bagheri et al. Improved Linear Cryptanalysis of Reduced-Round SIMON-32 and SIMON-48. INDOCRYPT, 2015.

[8] Stefan Kölbl et al. Observations on the SIMON Block Cipher Family. CRYPTO, 2015.

[9] Alex Biryukov et al. Differential Analysis of Block Ciphers SIMON and SPECK. FSE, 2014.

[10] Nasour Bagheri et al. Cryptanalysis of SIMON Variants with Connections. RFIDSec, 2014.

[11] Tomer Ashur. Improved Linear Trails for the Block Cipher Simon. IACR Cryptol. ePrint Arch., 2015.

[12] Lei Hu et al. Improved linear (hull) cryptanalysis of round-reduced versions of SIMON. Science China Information Sciences, 2015.

[13] Willi Meier et al. Truncated differential based known-key attacks on round-reduced SIMON. Designs, Codes and Cryptography, 2016.

[14] Ning Wang et al. Impossible Differential Cryptanalysis of Reduced Round SIMON. IACR Cryptol. ePrint Arch., 2015.

[15] Jason Smith et al. The SIMON and SPECK Families of Lightweight Block Ciphers. IACR Cryptol. ePrint Arch., 2013.

[16] Theodosis Mourouzis et al. Advanced Differential Cryptanalysis of Reduced-Round SIMON64/128 Using Large-Round Statistical Distinguishers. IACR Cryptol. ePrint Arch., 2015.

[17] Yosuke Todo et al. Bit-Based Division Property and Application to Simon Family. FSE, 2016.

[18] Vincent Rijmen et al. Cryptanalysis of Reduced-Round SIMON32 and SIMON48. INDOCRYPT, 2014.

[19] Vincent Rijmen et al. Links Among Impossible Differential, Integral and Zero Correlation Linear Cryptanalysis. CRYPTO, 2015.

[20] Håvard Raddum. Algebraic Analysis of the Simon Block Cipher Family. LATINCRYPT, 2015.

[21] Stefan Lucks et al. Differential Cryptanalysis of Round-Reduced Simon and Speck. FSE, 2014.

[22] Mohamed A. Sharaf et al. Databases Theory and Applications. Lecture Notes in Computer Science, 2014.

[23] Mohammad Reza Aref et al. Automated Dynamic Cube Attack on Block Ciphers: Cryptanalysis of SIMON and KATAN. IACR Cryptol. ePrint Arch., 2015.

[24] Lei Hu et al. Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-Oriented Block Ciphers. ASIACRYPT, 2014.

[25] David A. Wagner et al. Integral Cryptanalysis. FSE, 2002.

[26] Vincent Rijmen et al. Impact of Rotations in SHA-1 and Related Hash Functions. Selected Areas in Cryptography, 2005.

[27] Eli Biham et al. Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. 1999.