Zero-Correlation Linear Cryptanalysis of Reduced-Round SIMON

Yu XL, Wu WL, Shi ZQ et al. Zero-correlation linear cryptanalysis of reduced-round SIMON. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 30(6), Nov. 2015.

Xiao-Li Yu, Wen-Ling Wu (Senior Member, CCF), Zhen-Qing Shi, Jian Zhang, Lei Zhang, and Yan-Feng Wang

Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing, China
University of Chinese Academy of Sciences, Beijing, China
E-mail: {yuxiaoli, wwl, shizhenqing, zhangjian, zhanglei1015, wangyanfeng}@tca.iscas.ac.cn

Received March 18, 2014; revised June 2015.

Abstract. In June 2013, the U.S. National Security Agency proposed two families of lightweight block ciphers, called SIMON and SPECK respectively. These ciphers are designed to perform excellently on both hardware and software platforms. In this paper, we mainly present zero-correlation linear cryptanalysis on various versions of SIMON. Firstly, by using the miss-in-the-middle approach, we construct zero-correlation linear distinguishers of SIMON, and zero-correlation linear attacks are presented based on a careful analysis of the key recovery phase. Secondly, multidimensional zero-correlation linear attacks are used to reduce the data complexity. Our zero-correlation linear attacks perform better than the impossible differential attacks proposed by Abed et al. in ePrint Report 2013/568. Finally, we also use the divide-and-conquer technique to improve the results of linear cryptanalysis proposed by Javad et al. in ePrint Report 2013/663.

Keywords: lightweight block cipher, SIMON, linear cryptanalysis, zero-correlation, dual property

1 Introduction

With the growing impact of RFID tags, smartcards, and FPGAs, lightweight cryptography has become a very active area of research. In recent years, a number of lightweight block ciphers have been proposed, e.g., PRESENT [1], LBlock [2], KLEIN [3], Piccolo [4], LED [5], and PRINCE [6].
These ciphers are usually targeted at extremely constrained environments. In 2013, the National Security Agency (NSA) published the specifications of two lightweight block cipher families, SIMON and SPECK, on ePrint [7]. These ciphers provide high performance across a range of devices. The designers hope to fill the need for secure, flexible and analyzable lightweight block ciphers. The specification document provides a detailed description of different performance results and implementations, and it says that SIMON is optimized for hardware implementations and SPECK for software, but actually both families perform well in both hardware and software. Though neither cryptanalytic results nor analysis were provided in the specification document, it still drew great interest from cryptography researchers to analyze the ciphers. Soon after the publication of the ciphers, Abed et al. [8] proposed the first differential cryptanalysis of SIMON using differential characteristics with low Hamming weight. Then Alkhzaimi and Lauridsen also gave a differential cryptanalysis of SIMON in [9]. They showed how the cipher exhibits a strong differential effect. Besides, Abed et al. proposed the first differential cryptanalysis of SPECK in [10]. Later, Abed et al. [8] updated their paper with improved differential cryptanalysis and some results of linear cryptanalysis. Alizadeh et al. [11] presented better linear approximations on SIMON. In FSE 2014, Abed et al. combined the major contributions of [8] and [10] in [12], and they can attack more or less half of the rounds of the ciphers, while Biryukov et al. adapted Matsui's algorithm for ARX constructions and showed differential characteristics and trails of SIMON and SPECK in [13]. Recently, there are some new results on SIMON32 and SIMON48 shown in [14], published at INDOCRYPT 2014.

Regular Paper. This work was supported by the National Basic Research 973 Program of China under Grant No. 2013CB338002 and the National Natural Science Foundation of China. Springer Science + Business Media, LLC & Science Press, China.

Zero-correlation linear cryptanalysis [15] is a novel, promising attack technique for block ciphers. It can be considered as the counterpart of impossible differential cryptanalysis in the domain of linear cryptanalysis. The distinguishing property used in zero-correlation linear cryptanalysis is the existence of zero-correlation linear hulls over a part of the cipher. Those linear approximations hold true with probability p equal to 1/2 and correlation c = 2p − 1 equal to 0. The original scheme has the disadvantage of requiring the full codebook of data. Bogdanov and Wang used m independent zero-correlation linear approximations to avoid the entire-codebook data complexity of zero-correlation linear cryptanalysis in [16]. In [17], the idea of multidimensional zero-correlation linear cryptanalysis was proposed to reduce the data complexity; it does not rely on independent linear approximations but on the concept of a linear space. Recently, there are many results using zero-correlation linear cryptanalysis, e.g., [18]. In this paper, we mainly present zero-correlation linear cryptanalysis on various versions of SIMON and also give some improvement of the linear cryptanalysis in [11]. Based on the linear mask propagation for SIMON, zero-correlation linear distinguishers for all SIMON versions are constructed. By carefully studying the key recovery phase, we give zero-correlation linear attacks on SIMON which perform better than impossible differential attacks. Our zero-correlation linear attacks can break 19, 20, 22, 23, 25, 28, 33, and 34 rounds of SIMON32/64, SIMON48/72, SIMON48/96, SIMON64/96, SIMON64/128, SIMON96/144, SIMON128/192 and SIMON128/256 respectively. Also, we use multidimensional zero-correlation linear attacks to reduce the data complexity.
Furthermore, we can use the divide-and-conquer technique to improve the results of linear cryptanalysis in [11], which can attack 43 rounds of SIMON128/256. This paper is organized as follows. Section 2 provides a brief description of SIMON and some preliminaries of zero-correlation linear cryptanalysis. By using the miss-in-the-middle method, we construct zero-correlation linear distinguishers and give the zero-correlation attacks in Section 3. Section 4 describes the multidimensional zero-correlation linear attacks and improved linear attacks on SIMON. Finally, Section 5 concludes this paper.

2 Preliminaries

In this section, we provide a brief description of SIMON and some preliminaries of zero-correlation linear cryptanalysis. Firstly, we introduce some notations which will be used in the following parts.

2.1 Notations

Table 1 lists the notations used in the paper.

Table 1. Notations Used in the Paper
Symbol | Description
b | Block size of the cipher
n | Half of the block size, that is, b = 2n
k | Key size of the cipher
XL^i | Left half of the input state of the i-th round
XR^i | Right half of the input state of the i-th round
K^i | n-bit subkey of the i-th round
x_i | The i-th least significant bit of the bit string x
x ⊕ y | Exclusive or (XOR) of two strings x and y
x & y | Binary AND of two strings x and y
x || y | Concatenation of two strings x and y
x ≫ j | Right circular shift of x by j bits
x ≪ j | Left circular shift of x by j bits
c[α → β] | Correlation of the linear trail α → β
* | Unknown bit, which can be 0 or 1
N | Number of data collected by the adversary

2.2 Brief Description of SIMON

SIMON is a family of block ciphers using an ARX-based balanced Feistel structure. It is designed to provide flexibility, supporting block sizes of 32, 48, 64, 96, and 128 bits, and different key sizes. We denote the cipher by the form SIMONb/k (sometimes just SIMONb). The round function of SIMON processes the left half of the state using rotations and a logical AND, and the result is XORed into the right half of the state.
Also, one n-bit round key is XORed into the right half of the state. One round of SIMON is illustrated in Fig. 1, where the function F is defined as F(XL^i) = ((XL^i ≪ 1) & (XL^i ≪ 8)) ⊕ (XL^i ≪ 2). Notice that F is the only nonlinear function of SIMON, and it is built from bitwise operations. Table 2 lists the block size, key size, and number of rounds for all variants of SIMON. For the details of the key scheduling algorithm, interested readers can refer to [7].

Fig. 1. Round function of SIMON.

Table 2. SIMON Parameters
Block Size b | Key Size k | Number of Rounds
32 | 64 | 32
48 | 72 | 36
48 | 96 | 36
64 | 96 | 42
64 | 128 | 44
96 | 96 | 52
96 | 144 | 54
128 | 128 | 68
128 | 192 | 69
128 | 256 | 72

2.3 Zero-Correlation Linear Approximations

Consider an n-bit block cipher f and let the input of the function be z ∈ F_2^n. A linear approximation (u, v) with an input mask u and an output mask v has probability p(u, v) = Pr_{z ∈ F_2^n}(u·z ⊕ v·f(z) = 0). The value c_f(u, v) = 2p(u, v) − 1 is called the correlation of the linear approximation (u, v). Note that p(u, v) = 1/2 is equivalent to zero correlation c_f(u, v) = 0. Zero-correlation linear cryptanalysis uses linear approximations whose correlations are equal to 0 for all keys.

2.4 Multidimensional Zero-Correlation Linear Cryptanalysis

For most ciphers, there are a large number of zero-correlation approximations. To remove the statistical independence assumption for multiple zero-correlation linear approximations, the available zero-correlation linear approximations are treated as a linear space spanned by m base zero-correlation linear approximations such that all l = 2^m − 1 non-zero linear combinations of them have zero correlation [17]. For each i ∈ F_2^m, the attacker allocates a counter T_i and initializes it to 0. Then for each distinct plaintext, the attacker computes the corresponding data value in F_2^m and increases the counter T_i of this data value by 1. Then the attacker computes the statistic value T:

T = Σ_{i=0}^{2^m − 1} (T_i − N/2^m)^2 / ((N/2^m)(1 − 1/2^m)).   (1)

The statistic T for the right key guess follows a χ²-distribution with mean µ_0 = l (2^n − N)/(2^n − 1) and variance σ_0² = 2l ((2^n − N)/(2^n − 1))², while for a wrong key guess it follows a χ²-distribution with mean µ_1 = l and variance σ_1² = 2l. We denote the probability of non-detection and the probability of false alarm when distinguishing between a wrong key and the right key by α and β respectively. More precisely, α is the probability of taking the right key as a wrong key, and β is the probability of taking a wrong key as the right key.
Consider the decision threshold τ = µ_0 + σ_0 z_{1−α} = µ_1 − σ_1 z_{1−β}; then the number of known plaintexts N should be about

N = 2^n (z_{1−α} + z_{1−β}) / (√(l/2) + z_{1−β}),   (2)

where z_p = Φ^{−1}(p) for 0 < p < 1 and Φ is the cumulative distribution function of the standard normal distribution. Thus the success probability is P_s = 1 − α.

3 Zero-Correlation Linear Cryptanalysis of SIMON

In this section, we first use the miss-in-the-middle approach to construct zero-correlation linear distinguishers. Then, based on these distinguishers, zero-correlation linear attacks are presented on various versions of SIMON.

3.1 Zero-Correlation Linear Distinguisher

Similar to the construction of impossible differential distinguishers, the miss-in-the-middle approach can also be used to construct zero-correlation linear distinguishers. In order to find the longest zero-correlation linear approximations, several methods were proposed to find linear hulls with zero correlation. The matrix method was proposed in [18], using the miss-in-the-middle technique to establish zero-correlation linear approximations. Feistel ciphers usually make use of two basic operations: the XOR operation and the branching operation. Linear approximations over these operations follow two major principles (see [19] and [16]).

Lemma 1 (XOR Approximation [16]). Either the three linear selection patterns at an XOR are equal or the correlation over the XOR is exactly 0.

Lemma 2 (Branching Approximation [16]). Either the three linear selection patterns at a branching point sum up to 0 or the correlation over the branching point is exactly 0.

During the linear mask propagation of Feistel ciphers, one starts from the mask of the right branch due to the dual property between differential analysis and linear analysis. Since the function F of SIMON is not bijective, we will show how to determine the possible input linear masks of F from its output linear mask.

Lemma 3 (Bias of Linear Approximation with Output Mask of Hamming Weight 1). Suppose the output mask of the linear approximation is β, which has only one nonzero bit. Then if the input mask α takes a value from the set (β ≫ 2) ⊕ V, where V = {0, β ≫ 1, β ≫ 8, (β ≫ 1) ⊕ (β ≫ 8)}, the bias of the linear approximation is 1/4; otherwise, the bias is 0.

Lemma 3 is also used in [11]. According to this lemma, one can describe the input mask α from an output mask β of Hamming weight 1. This approach can be generalized to an arbitrary output mask, and each time we put an asterisk on a position where we fail to determine that particular bit of the input mask. Table A1 shows how the linear masks progress over the rounds of SIMON. For the larger versions of SIMON, the zero bit can go further, and as a result, distinguishers can reach more rounds. As shown in Table A1, for SIMON32, the output mask after five rounds has fixed 0 bits and a fixed 1 bit at known positions with probability 1 (the remaining bits being unknown).
If this mask is rotated left by 7 or 9 bits, one of the 0's is shifted to the position of the 1. Since the decryption and the encryption of the Feistel scheme are symmetric, two 10-round zero-correlation linear distinguishers of SIMON32 are constructed:

c[(0x0000 || 0x0001) → (0x0000 || 0x0001 ≪ 7)] = 0,
c[(0x0000 || 0x0001) → (0x0000 || 0x0001 ≪ 9)] = 0.

All zero-correlation linear distinguishers of SIMON are presented in Table 3. For different values of k, the zero-correlation linear distinguishers are linearly independent. Since the input mask is rotated left by k, one of the 0's is shifted to the position of the 1, and then all linear combinations of the approximations have correlation 0 for every SIMONb.

3.2 Attack Procedure of Zero-Correlation Linear Cryptanalysis

Given a distinguisher of zero-correlation linear approximations over a part of the cipher, the basic key recovery can be done with a technique similar to that of Matsui's Algorithm 2 [20], partially encrypting/decrypting from the plaintext/ciphertext up to the boundaries of the property. This is the key recovery approach used in all zero-correlation attacks so far. In this subsection, we use the divide-and-conquer technique to reduce the computational complexity of the attacks.

Table 3. Zero-Correlation Linear Distinguishers of SIMON
Block n | Number of Rounds | Distinguisher (Forwards → Backwards) | k
 | | (0x0000 || 0x0001) → (0x0000 || 0x0001 ≪ k) | {7, 9}
 | | (0x0...0 || 0x0...01) → (0x0...0 || 0x0...01 ≪ k) | {1}
 | | (0x0...0 || 0x0...01) → (0x0...0 || 0x0...01 ≪ k) | {1, 2, 3, 7, 9}
 | | (0x0...0 || 0x0...01) → (0x0...0 || 0x0...01 ≪ k) | {7, 9}
 | | (0x0...0 || 0x0...01) → (0x0...0 || 0x0...01 ≪ k) | {1, 3}
 | | (0x0...0 || 0x0...01) → (0x0...0 || 0x0...01 ≪ k) | {1, 63}
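Lemma 3 can be checked exhaustively for the SIMON32 round function F (n = 16), since there are only 2^16 inputs. The following is an added example written for this page, not code from the paper; it brute-forces the correlation c_F(α, β) for every input mask α of a single-bit output mask β, compares the result with the set predicted by Lemma 3, and prints the 0/1/* pattern that the mask propagation of Table A1 would record.

```python
# Added example (not the authors' code): exhaustive check of Lemma 3 for the
# SIMON32 round function F on n = 16 bits. Masks are 16-bit integers; bit j
# of a mask selects bit j (the j-th least significant bit) of the value.
N = 16
MASK = (1 << N) - 1


def rol(x, r):
    """Left circular shift of the n-bit value x by r bits (x <<< r)."""
    r %= N
    return ((x << r) | (x >> (N - r))) & MASK


def ror(x, r):
    """Right circular shift of x by r bits (x >>> r)."""
    return rol(x, N - (r % N))


def F(x):
    """SIMON round function: ((x <<< 1) & (x <<< 8)) ^ (x <<< 2)."""
    return ((rol(x, 1) & rol(x, 8)) ^ rol(x, 2)) & MASK


def parity(v):
    """Parity of the bits of v, i.e. the dot product of two masks."""
    return bin(v).count("1") & 1


def correlation(alpha, beta):
    """c_F(alpha, beta) = 2 Pr[alpha.x = beta.F(x)] - 1 over all 2^n inputs."""
    agree = sum(parity(alpha & x) == parity(beta & F(x)) for x in range(1 << N))
    return 2 * agree / (1 << N) - 1


def lemma3_input_masks(beta):
    """Input masks predicted by Lemma 3 for a single-bit output mask beta.
    The linear term x <<< 2 always selects bit beta >>> 2; the AND term
    (x <<< 1) & (x <<< 8) contributes any subset of {beta >>> 1, beta >>> 8}."""
    lin, a, b = ror(beta, 2), ror(beta, 1), ror(beta, 8)
    return {lin, lin ^ a, lin ^ b, lin ^ a ^ b}


def walsh_spectrum(beta):
    """s[alpha] = sum_x (-1)^(alpha.x ^ beta.F(x)) for every alpha, computed
    with the fast Walsh-Hadamard transform; c_F(alpha, beta) = s[alpha] / 2^n."""
    s = [1 - 2 * parity(beta & F(x)) for x in range(1 << N)]
    h = 1
    while h < len(s):
        for i in range(0, len(s), 2 * h):
            for j in range(i, i + h):
                u, v = s[j], s[j + h]
                s[j], s[j + h] = u + v, u - v
        h *= 2
    return s


def nonzero_input_masks(beta):
    """All input masks with nonzero correlation to output mask beta (brute force)."""
    return {alpha for alpha, s in enumerate(walsh_spectrum(beta)) if s != 0}


def mask_pattern(beta):
    """Lemma 3 in the paper's notation: a string over {0, 1, *} listing bit n-1
    down to bit 0 of the input mask (1 = certainly selected, * = unknown)."""
    one, star = ror(beta, 2), ror(beta, 1) | ror(beta, 8)
    return "".join("*" if star >> j & 1 else "1" if one >> j & 1 else "0"
                   for j in range(N - 1, -1, -1))


if __name__ == "__main__":
    for beta in (0x0001, 0x0001 << 9):          # the two masks of the 19-round attack
        found = nonzero_input_masks(beta)
        assert found == lemma3_input_masks(beta)
        print(hex(beta), mask_pattern(beta),
              sorted((hex(a), correlation(a, beta)) for a in found))
```

Each of the four predicted masks has correlation ±1/2, i.e. bias 1/4, and every other input mask has correlation exactly 0, as Lemma 3 states.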

3.2.1 Zero-Correlation Linear Attack on 19-Round SIMON32/64

Next, we describe a zero-correlation linear attack on 19-round SIMON32/64. The attack utilizes the 10-round zero-correlation linear approximation (0x0000 || 0x0001) → (0x0000 || 0x0200) from round 6 to round 15. After collecting sufficient plaintext-ciphertext pairs, we guess the corresponding subkeys of the first five rounds and the last four rounds, and estimate the correlation of the approximation as described in Fig. 2. Here, we let N = 2^32. Since there are 40 subkey bits in the outer rounds, the time complexity would be N · 2^40 = 2^72, which is much more than exhaustive search. We can reduce the time complexity significantly using the divide-and-conquer technique introduced in [18], which is also used in [14]. There are only two nonzero linear masks in the approximation of the distinguisher. Thus, in order to estimate the correlation, we only need to know the values of XR^6_0 and XR^16_9, which are not affected by all bits in the outer rounds. More precisely, in the first five rounds, the bit XR^6_0 is affected by 24 bits of the plaintext XL^1 || XR^1, 16 bits of XL^2 || XR^2, 9 bits of XL^3 || XR^3, 4 bits of XL^4 || XR^4, and 1 bit of XL^5. Similarly, in the last four rounds, the bit XR^16_9 is affected by 24 bits of XL^20 || XR^20, 16 bits of XL^19 || XR^19, 9 bits of XL^18 || XR^18, and 4 bits of XL^17 || XR^17. We call these bits active and the other ones neutral. During the attack procedure, we allocate counters containing the plaintext-ciphertext pairs indexed by the active bits. In each step, for each subkey candidate, we encrypt (decrypt) the active bits of round r over one round and count the number of pairs which give the same value in the active bits of round r+1 (r ≥ 1). Since we use the whole codebook as data, if the value of the final counter is not equal to N/2, we can delete the corresponding guessed key. In summary, the steps of the attack procedure are as follows:

1) Collect N = 2^32 pairs of plaintexts and corresponding ciphertexts, and guess the 20 subkey bits k^19{15,14,13,8,7,6,5,4,3,1}, k^18{15,9,7,6,5,0}, k^17{8,7,1} and k^16_9. Then we calculate the value of XR^16_9.

2) Allocate an 8-bit counter N_1[x_1 || x_16] for each of the 2^25 possible values of (x_1 || x_16), where x_1 = XL^1{14,13,12,11,10,9,8,7,6,5,4,3,2,0} || XR^1{15,14,13,12,11,10,8,6,5,4} and x_16 = XR^16_9, and set them to zero. Then we calculate the number of plaintext-ciphertext pairs with the given values x_1 and x_16 and save it in N_1[x_1 || x_16]. In this step, the 2^32 plaintext-ciphertext pairs are divided into 2^25 different states. The expected number of pairs for each state is around 2^7, so an 8-bit counter N_1 is sufficient.

3) Guess the 10 bits k^1{15,14,13,12,11,10,8,6,5,4}. Then we allocate a counter N_2[x_2 || x_16] for each of the 2^17 possible values of (x_2 || x_16), where x_2 = XL^2{15,14,13,12,11,10,8,6,5,4} || XR^2{14,13,12,7,6,0}, and set them to zero. For all 2^24 possible values of x_1, we encrypt x_1 one round to obtain x_2 and update N_2[x_2 || x_16] = N_2[x_2 || x_16] + N_1[x_1 || x_16] for all values of x_16.

4) Guess the 6 bits k^2{14,13,12,7,6,0}. Then we allocate a counter N_3[x_3 || x_16] for each of the 2^10 possible values of (x_3 || x_16), where x_3 = XL^3{14,13,12,7,6,0} || XR^3{15,14,8}, and set them to zero. For all 2^16 possible values of x_2, we encrypt x_2 one round to obtain x_3 and update N_3[x_3 || x_16] = N_3[x_3 || x_16] + N_2[x_2 || x_16] for all values of x_16.

5) Guess the 3 bits k^3{15,14,8}. Then we allocate a counter N_4[x_4 || x_16] for each of the 2^5 possible values of (x_4 || x_16), where x_4 = XL^4{15,14,8} || XR^4_0, and set them to zero. For all 2^9 possible values of x_3, we encrypt x_3 one round to obtain x_4 and update N_4[x_4 || x_16] = N_4[x_4 || x_16] + N_3[x_3 || x_16] for all values of x_16.

6) Guess the 1 bit k^4_0. Then we allocate a counter N_5[x_5 || x_16] for each of the 2^2 possible values of (x_5 || x_16), where x_5 = XL^5_0, and set them to zero. For all 2^4 possible values of x_4, we encrypt x_4 one round to obtain x_5 and update N_5[x_5 || x_16] = N_5[x_5 || x_16] + N_4[x_4 || x_16] for all values of x_16.

7) Check whether Σ_{x_5 = x_16} N_5[x_5 || x_16] is equal to N/2. If not, delete the corresponding guessed key.

8) Do an exhaustive search over all keys corresponding to the remaining guessed subkey bits.

Fig. 2. 19-round attack on SIMON32/64: rounds 1-5 before and rounds 16-19 after the 10-round distinguisher, with the zero-correlation linear approximation XR^6_0 → XR^16_9.

3.2.2 Attack Complexity

The memory complexity of the attack is dominated by step 2, which needs 2^25 bytes. The time complexity of step 1 is N · 2^20 = 2^52 encryptions. The time complexity of each of steps 3 to 6 depends on the number of memory accesses, which is 2^30 · 2^25 = 2^55, 2^36 · 2^17 = 2^53, 2^39 · 2^10 = 2^49 and 2^40 · 2^5 = 2^45 memory accesses respectively. Since N = 2^32, for a guessed value of the 40 subkey bits, if the event that XR^6_0 ⊕ XR^16_9 is equal to 0 happens 2^31 times (i.e., the correlation of the linear equation XR^6_0 ⊕ XR^16_9 = 0 is exactly 0), then we take this guessed subkey as a correct subkey candidate. According to [21] and the Wrong-Key Randomization Hypothesis given in [22], for a wrong subkey candidate, the probability that the correlation of XR^6_0 ⊕ XR^16_9 = 0 is exactly 0 can be estimated as √(2/(πN)) ≈ 2^{−16.3}. Thus the 40-bit subkey space is reduced by a factor of approximately 2^{16.3}. Therefore, the time complexity of step 8 is not the main part of the total time complexity. Thus the time complexity of the attack is 2^55 memory accesses. Similarly, for the other versions of SIMON, the time complexity of the last step is also not the main part of the total time complexity, so we omit it.
For the other versions of SIMON, the procedure of zero-correlation linear cryptanalysis is similar, and since both the input and the output mask of the zero-correlation linear distinguisher have only one nonzero bit, we just list the active bits of every round for the different block sizes 2n in Table 4. Here, we denote the nonzero bit position of the input mask by i, the first round of the distinguisher by r, and the k-th round backwards from the distinguisher by r − k, where k = 1, 2, 3, .... As shown in Table 4, from round r to round r − 8, the active bits in the backwards rounds of the zero-correlation linear distinguisher have the following count sequence (left, right): (0,1), (1,0), (3,1), (6,3), (10,6), (15,10), (21,15), (28,21), (42,28). And from round r+1 to round r+7, the active bits in the forwards rounds of the zero-correlation linear distinguisher are similar and the count sequence is (0,1), (1,3), (3,6), (6,10), (10,15), (15,21), (21,28). When n = 24, the active-bit number of the right mask in round r − 6 changes from 15 to 14. And when n = 32, the active-bit number of the right mask in round r − 7 changes from 21 to 20.
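The active-bit bookkeeping behind the attack of Subsection 3.2.1 and behind the count sequences above can be automated: bit t of F(x) depends on bits t−1, t−2 and t−8 of x, so the bits needed one round earlier (or later) follow from the Feistel equations alone. The following added example (written for this page, not the authors' code) computes these dependency sets for SIMON32 (n = 16), reproduces the bit positions and subkey bits listed in steps 1-6, and returns the per-round counts; for n = 16 the plaintext-side counts are (1,0), (3,1), (6,3), (10,6), (14,10), the last differing from the generic (15,10) because bit positions wrap modulo 16, which is what gives the 24 active plaintext bits of the attack.

```python
# Added example (not the authors' code): active-bit bookkeeping for the
# divide-and-conquer key recovery of Subsection 3.2.1, for SIMON32 (n = 16).
# Conventions follow the paper: (XL^j, XR^j) is the input of round j and
#   XL^{j+1} = XR^j ^ F(XL^j) ^ k^j,   XR^{j+1} = XL^j,
# with F(x) = ((x <<< 1) & (x <<< 8)) ^ (x <<< 2), so bit t of F(x) depends
# on bits t-1, t-2 and t-8 of x (positions taken modulo n).


def f_inputs(bits, n):
    """Bits of x on which the given output bits of F(x) depend."""
    return {(t - s) % n for t in bits for s in (1, 2, 8)}


def active_bits_before(i, rounds, n=16):
    """Active bits in the `rounds` rounds before a distinguisher whose input
    mask is bit i of XR^r. Returns [(XL^{r-1}, XR^{r-1}), ..., (XL^{r-rounds},
    XR^{r-rounds})], each a pair of sets of bit positions whose values are
    needed to compute XR^r_i by partial encryption."""
    left, right = {i}, set()             # XR^r_i = XL^{r-1}_i
    out = [(left, right)]
    for _ in range(rounds - 1):
        # XL^j at `left` needs XR^{j-1} at `left` and XL^{j-1} at f_inputs(left);
        # XR^j at `right` needs XL^{j-1} at `right`.
        left, right = right | f_inputs(left, n), left
        out.append((left, right))
    return out


def active_bits_after(i, rounds, n=16):
    """Active bits in the `rounds` rounds after a distinguisher whose output
    mask is bit i of XR^s, s being the first round after it. Returns
    [(XL^{s+1}, XR^{s+1}), ..., (XL^{s+rounds}, XR^{s+rounds})]: the bits
    needed to compute XR^s_i by partial decryption."""
    left, right = set(), {i}             # only XR^s_i is needed at round s
    out = []
    for _ in range(rounds):
        # Decrypting one round: XL^j = XR^{j+1} and
        # XR^j = XL^{j+1} ^ F(XR^{j+1}) ^ k^j.
        left, right = right, left | f_inputs(right, n)
        out.append((left, right))
    return out


def guessed_subkey_bits(i_in, rounds_before, i_out, rounds_after, n=16):
    """Number of subkey bits guessed per outer round, as (before, after).
    Before the distinguisher, k^j is needed at the active positions of
    XL^{j+1}; after it, k^j is needed at the active positions of XR^j."""
    before = active_bits_before(i_in, rounds_before, n)
    after = active_bits_after(i_out, rounds_after, n)
    kb = [len(l) for l, _ in before[:-1]]          # k^{r-2}, ..., k^{r-rounds}
    ka = [1] + [len(r) for _, r in after[:-1]]     # k^s, ..., k^{s+rounds-1}
    return kb, ka


def attack_summary(i_in=0, rounds_before=5, i_out=9, rounds_after=4, n=16):
    """Plaintext/ciphertext active bits and guessed key bits of the 19-round
    SIMON32/64 attack (10-round distinguisher XR^6_0 -> XR^16_9)."""
    before = active_bits_before(i_in, rounds_before, n)
    after = active_bits_after(i_out, rounds_after, n)
    kb, ka = guessed_subkey_bits(i_in, rounds_before, i_out, rounds_after, n)
    pl, pr = before[-1]
    cl, cr = after[-1]
    return {
        "plaintext_active_bits": len(pl) + len(pr),
        "ciphertext_active_bits": len(cl) + len(cr),
        "subkey_bits_before": sum(kb),
        "subkey_bits_after": sum(ka),
        "counts_before": [(len(l), len(r)) for l, r in before],
        "counts_after": [(len(l), len(r)) for l, r in after],
    }


if __name__ == "__main__":
    for key, value in attack_summary().items():
        print(key, value)
```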

Table 4. Active Bits in Backwards Rounds of Zero-Correlation Linear Distinguisher (bit positions mod n; i is the nonzero bit of the input mask)
Round | Left Mask Active Bits | Count | Right Mask Active Bits | Count
r−8 | i−8, ..., i−34, i−36, ..., i−40, i−43, ..., i−46, i−50, i−51, i−52, i−57, i−58, i−64 | 42 | i−6, ..., i−18, i−20, ..., i−24, i−27, ..., i−30, i−34, i−35, i−36, i−41, i−42, i−48 | 28
r−7 | i−6, ..., i−18, i−20, ..., i−24, i−27, ..., i−30, i−34, i−35, i−36, i−41, i−42, i−48 | 28 | i−5, ..., i−10, i−12, ..., i−16, i−19, ..., i−22, i−26, i−27, i−28, i−33, i−34, i−40 | 21
r−6 | i−5, ..., i−10, i−12, ..., i−16, i−19, ..., i−22, i−26, i−27, i−28, i−33, i−34, i−40 | 21 | i−4, ..., i−8, i−11, ..., i−14, i−18, i−19, i−20, i−25, i−26, i−32 | 15
r−5 | i−4, ..., i−8, i−11, ..., i−14, i−18, i−19, i−20, i−25, i−26, i−32 | 15 | i−3, i−4, i−5, i−6, i−10, i−11, i−12, i−17, i−18, i−24 | 10
r−4 | i−3, i−4, i−5, i−6, i−10, i−11, i−12, i−17, i−18, i−24 | 10 | i−2, i−3, i−4, i−9, i−10, i−16 | 06
r−3 | i−2, i−3, i−4, i−9, i−10, i−16 | 06 | i−1, i−2, i−8 | 03
r−2 | i−1, i−2, i−8 | 03 | i | 01
r−1 | i | 01 | (none) | 00
r | (none) | 00 | i | 01

In the zero-correlation linear attacks, we set the data complexity to N = 2^b. For SIMON48/72, we add five rounds before the distinguisher and four rounds after the distinguisher. For the 2^48 plaintext-ciphertext pairs, we guess the first 10 subkey bits to obtain the middle state and set the counters. Then we update the counters by guessing subkeys for decryption and encryption successively. The steps and corresponding time complexities are shown in Table 5. It is obvious that the memory complexity of the attack is 2^40 bytes, and the time complexity of the attack is 2^60 memory accesses. For the other versions of SIMON, we present the main attack process in Table 6. For SIMONb/k, we add R_F rounds before the R_D-round distinguisher and R_B rounds after the distinguisher. For N plaintext-ciphertext pairs, we guess the first Keybits_first bits and the last Keybits_last bits to obtain the middle state of Active_bits_state bits to set the counters. In the table, MA means memory accesses.

4 Multidimensional Zero-Correlation Cryptanalysis and Improved Linear Cryptanalysis

In this section, we use multidimensional zero-correlation cryptanalysis to reduce the data complexity of zero-correlation cryptanalysis. Also, we use the divide-and-conquer technique to improve the results of linear cryptanalysis in [11].

4.1 Multidimensional Zero-Correlation Cryptanalysis of SIMON

In the multidimensional zero-correlation linear attack, as described in Subsection 2.4, according to (1) and (2), if we set α = 0.35, β = 0.4 and m = 2, then z_{1−α} = 0.3853, z_{1−β} = 0.2533, l = 2^2 − 1 = 3, and we obtain N ≈ 2^{b−0.6}, where m = 2 is derived from the fact that there are at least two zero-correlation linear approximations for all versions of SIMON. Thus the success probability is P_s = 65%. For SIMON32/64, the procedure of the multidimensional zero-correlation linear attack is similar to that in Subsection 3.2 except for the method of determining the guessed subkeys, which is updated as follows: Compute the statistic value T. If T < τ, where τ is the threshold of multidimensional zero-correlation linear cryptanalysis, then the corresponding guessed key is a possible candidate.
In the attack procedure, we use the two zero-correlation linear approximations of SIMON32, (0x0000 || 0x0001) → (0x0000 || 0x0001 ≪ k) with k ∈ {7, 9}. In this case, we add three rounds after the distinguisher instead of four, since the subkeys guessed in the last three rounds amount to 18 bits. Similar to Subsection 3.2, the memory complexity of the attack is still 2^25 bytes, while the time complexity of the attack changes to 2^53 memory accesses. For the other versions of SIMON, we also choose two zero-correlation linear approximations whose nonzero output mask bits are nearest to each other. For SIMON48, the subkeys guessed in the rounds following the distinguisher are 2, 5, 9, 14, 20, 27 bits respectively, which are also the numbers of active bits of the right half in these rounds. For the other larger versions, the subkeys guessed in the rounds following the distinguisher are 2, 6, 10, 17, 24, 31 bits respectively, except that when n = 64 they are 2, 6, 11, 17, 24, 31 bits. We present the main attack process in Table 7, whose column headings have the same meaning as in Table 6.

Table 5. Steps of Zero-Correlation Linear Attack on 20-Round SIMON48/72
Step | Data Complexity | # Active bits state | # Guessed Bits | Time Complexity
Note: # denotes "number of".

Table 6. Summary of Zero-Correlation Linear Attack for Other Versions of SIMON
Cipher | R_D | R_F | R_B | # Keybits_first | # Keybits_last | # Active bits state | Time Complexity
SIMON48/96 | | | | | | | MA
SIMON64/96 | | | | | | | MA
SIMON64/128 | | | | | | | MA
SIMON96/144 | | | | | | | MA
SIMON128/192 | | | | | | | MA
SIMON128/256 | | | | | | 98 | MA
Note: we update the counters by guessing subkeys for decryption and encryption successively. # denotes "number of".

4.2 Improvement of Linear Cryptanalysis

In this subsection, we use the divide-and-conquer technique to improve the results of linear cryptanalysis in [11]. With the same linear distinguisher as [11], we can attack more rounds by carefully guessing the subkeys of the outer rounds. Meanwhile, we choose the same data complexity as in [11], thus the success probability is still the same as in [11]. The procedure of the linear attack is similar to that in Subsection 3.2 except for the method of determining the guessed subkeys, which is updated as follows: Compute the statistic value T. If T > τ, where τ is the threshold of linear cryptanalysis, then the corresponding guessed key is a possible candidate. We summarize the results of the linear attacks for all versions of SIMON in Table 8, whose column headings have the same meaning as those of Table 6.

5 Conclusions

In this paper, we first constructed zero-correlation linear distinguishers of SIMON using the miss-in-the-middle approach. Based on these distinguishers, zero-correlation linear attacks were presented for various versions of SIMON by careful analysis of the key recovery phase. Multidimensional zero-correlation linear attacks were also used to reduce the data complexity. Furthermore, the divide-and-conquer technique was used to improve the results of linear cryptanalysis in [11]. We summarize the cryptanalytic results of this paper and compare them with others in Table 9.
Recently, [14], accepted at INDOCRYPT 2014, gave some new results on SIMON32 and SIMON48. Although [14] can reach more rounds for SIMON32, our attacks use less memory, and the memory requirements of all our attacks are below the whole codebook. For SIMON48/96, we can attack one more round than [14]. Note that during the linear attacks, one only needs to know the value corresponding to the nonzero mask of the distinguisher. This reduces the number of subkey bits guessed in the outer rounds. Also, during the subkey guessing phase, one does not delete any plaintext, because the values of the subkeys only affect the distribution of the linear approximation. This shows great advantages when the key space is larger than the plaintext space, as for most versions of SIMON. For differential cryptanalysis, in contrast, one should always make sure there are enough right pairs going into the distinguishers. As we know, there are always filters in the outer rounds of differential distinguishers which make the right pairs fewer than the pairs chosen in the data collection phase. This is the main reason why our zero-correlation linear cryptanalysis can attack more rounds than impossible differential cryptanalysis.

Table 7. Summary of Multidimensional Zero-Correlation Linear Attack for Other Versions of SIMON
Cipher | R_D | R_F | R_B | # Keybits_first | # Keybits_last | # Active bits state | Time Complexity
SIMON48/72 | | | | | | | MA
SIMON48/96 | | | | | | | MA
SIMON64/96 | | | | | | | MA
SIMON64/128 | | | | | | | MA
SIMON96/144 | | | | | | | MA
SIMON128/192 | | | | | | | MA
SIMON128/256 | | | | | | | MA
Note: we update the counters by guessing subkeys for encryption and decryption successively, except for SIMON128/256. # denotes "number of".

Table 8. Summary of Linear Attack for All Versions of SIMON
Cipher | R_D | R_F | R_B | # Keybits_first | # Keybits_last | # Active bits state | Time Complexity
SIMON32/64 | | | | | | | MA
SIMON48/72 | | | | | | | 2^66 MA
SIMON48/96 | | | | | | | MA
SIMON64/96 | | | | | | | 2^95 MA
SIMON64/128 | | | | | | | MA
SIMON96/144 | | | | | | | MA
SIMON128/192 | | | | | | | MA
SIMON128/256 | | | | | | | MA
Note: we update the counters by guessing subkeys for encryption and decryption successively. # denotes "number of".

Table 9. Summary of Attack Results on SIMON
Cipher | Full Rounds | Cryptanalysis | Attacked Rounds | Data Complexity | Memory (Bytes) | Time Complexity | Source
SIMON32/64 | 32 | Differential | | CP | | | [12]
 | | Impossible-Diff | | CP | | | [9]
 | | Zero-Correlation | 20 | 2^32 KP | | | [14]
 | | Zero-Correlation | 19 | 2^32 KP | 2^25 | 2^55 MA | Subsection 3.2
 | | Multi-Zero-Correlation | | 2^31.4 KP | 2^25 | 2^53 MA | Subsection 4.1
 | | Linear | 21 | 2^31 KP | | | [11]
 | | Linear | | KP | | MA | Subsection 4.2
 | | Integral | 21 | 2^31 CP | | | [14]
SIMON48/72 | 36 | Differential | | CP | | | [12]
 | | Zero-Correlation | 20 | 2^48 KP | | | [14]
 | | Zero-Correlation | 20 | 2^48 KP | 2^40 | 2^60 MA | Subsection 3.2
 | | Multi-Zero-Correlation | | 2^47.4 KP | | MA | Subsection 4.1
 | | Linear | | KP | | 2^66 MA | Subsection 4.2
SIMON48/96 | 36 | Differential | | CP | | 2^76 | [12]
 | | Impossible-Diff | | CP | | | [9]
 | | Zero-Correlation | 21 | 2^48 KP | | | [14]
 | | Zero-Correlation | 22 | 2^48 KP | | MA | Subsection 3.2
 | | Multi-Zero-Correlation | | 2^47.4 KP | | MA | Subsection 4.1
 | | Linear | | KP | | | [11]
 | | Linear | | KP | | MA | Subsection 4.2
SIMON64/96 | 42 | Differential | 26 | 2^63 CP | | | [12]
 | | Zero-Correlation | 23 | 2^64 KP | | MA | Subsection 3.2
 | | Multi-Zero-Correlation | | 2^63.4 KP | | MA | Subsection 4.1
 | | Linear | 23 | 2^61 KP | | 2^95 MA | Subsection 4.2
SIMON64/128 | 44 | Differential | 26 | 2^63 CP | | | [12]
 | | Impossible-Diff | 17 | CP | | 2^71 | [9]
 | | Zero-Correlation | 25 | 2^64 KP | | MA | Subsection 3.2
 | | Multi-Zero-Correlation | | 2^63.4 KP | | MA | Subsection 4.1
 | | Linear | | KP | | | [11]
 | | Linear | 24 | 2^61 KP | | MA | Subsection 4.2
SIMON96/96 | 52 | Differential | | CP | | | [12]
SIMON96/144 | 54 | Differential | | CP | | | [12]
 | | Impossible-Diff | 20 | 2^84 CP | | | [9]
 | | Zero-Correlation | 28 | 2^96 KP | | MA | Subsection 3.2
 | | Multi-Zero-Correlation | | 2^95.4 KP | | MA | Subsection 4.1
 | | Linear | 28 | 2^95 KP | | | [11]
 | | Linear | | KP | | MA | Subsection 4.2
SIMON128/128 | 68 | Differential | | CP | | | [12]
SIMON128/192 | 69 | Differential | | CP | | | [12]
 | | Zero-Correlation | 33 | 2^128 KP | | MA | Subsection 3.2
 | | Multi-Zero-Correlation | | 2^127.4 KP | | MA | Subsection 4.1
 | | Linear | | KP | | MA | Subsection 4.2
SIMON128/256 | 72 | Differential | | CP | | | [12]
 | | Impossible-Diff | | CP | | | [9]
 | | Zero-Correlation | 34 | 2^128 KP | 2^98 | MA | Subsection 3.2
 | | Multi-Zero-Correlation | | 2^127.4 KP | | MA | Subsection 4.1
 | | Linear | | KP | | | [11]
 | | Linear | 43 | KP | | MA | Subsection 4.2
Note: CP: chosen plaintexts, KP: known plaintexts, Multi-Zero-Correlation: multidimensional zero-correlation, MA: memory accesses.

11 1368 J. Comput. Sci. & Technol., Nov. 2015, Vol.30, No.6

References
[1] Bogdanov A, Knudsen L, Leander G et al. PRESENT: An ultra-lightweight block cipher. In Proc. the 9th International Workshop on Cryptographic Hardware and Embedded Systems, September 2007.
[2] Wu W, Zhang L. LBlock: A lightweight block cipher. In Proc. the 9th International Conference on Applied Cryptography and Network Security, June 2011.
[3] Gong Z, Nikova S, Law Y. KLEIN: A new family of lightweight block ciphers. In Proc. the 7th International Workshop on RFID Security and Privacy (RFIDSec), June 2011.
[4] Shibutani K, Isobe T, Hiwatari H et al. Piccolo: An ultra-lightweight blockcipher. In Proc. the 13th International Workshop on Cryptographic Hardware and Embedded Systems, September 28-October 1, 2011.
[5] Guo J, Peyrin T, Poschmann A et al. The LED block cipher. In Proc. the 13th International Workshop on Cryptographic Hardware and Embedded Systems, September 28-October 1, 2011.
[6] Borghoff J, Canteaut A, Güneysu T et al. PRINCE: A low-latency block cipher for pervasive computing applications. In Proc. the 18th International Conference on the Theory and Application of Cryptology and Information Security, December 2012.
[7] Beaulieu R, Shors D, Smith J et al. The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive: Report 2013/404, April 2015.
[8] Abed F, List E, Lucks S et al. Differential and linear cryptanalysis of reduced-round SIMON. Cryptology ePrint Archive: Report 2013/526, April 2015.
[9] Alkhzaimi H, Lauridsen M. Cryptanalysis of the SIMON family of block ciphers. Cryptology ePrint Archive: Report 2013/543, April 2015.
[10] Abed F, List E, Lucks S et al. Cryptanalysis of the SPECK family of block ciphers. Cryptology ePrint Archive: Report 2013/568, April 2015.
[11] Alizadeh J, Bagheri N, Gauravaram P et al. Linear cryptanalysis of round reduced variants of SIMON. Cryptology ePrint Archive: Report 2013/663, April 2015.
[12] Abed F, List E, Lucks S et al. Differential cryptanalysis of reduced-round SIMON and SPECK. In Proc. the 21st International Workshop on Fast Software Encryption, March 2014.
[13] Biryukov A, Roy A, Velichkov V. Differential analysis of block ciphers SIMON and SPECK. In Proc. the 21st International Workshop on Fast Software Encryption, March 2014.
[14] Wang Q, Liu Z, Varıcı K et al. Cryptanalysis of reduced-round SIMON32 and SIMON48. Cryptology ePrint Archive: Report 2014/761, April 2015.
[15] Bogdanov A, Rijmen V. Linear hulls with correlation zero and linear cryptanalysis of block ciphers. Cryptology ePrint Archive: Report 2011/123, March 2011.
[16] Bogdanov A, Wang M. Zero correlation linear cryptanalysis with reduced data complexity. In Proc. the 19th International Workshop on Fast Software Encryption, March 2012.
[17] Bogdanov A, Leander G, Nyberg K et al. Integral and multidimensional linear distinguishers with correlation zero. In Proc. the 18th International Conference on the Theory and Application of Cryptology and Information Security, December 2012.
[18] Soleimany H, Nyberg K. Zero-correlation linear cryptanalysis of reduced-round LBlock. Designs, Codes and Cryptography, 2014, 73(2).
[19] Biham E. On Matsui's linear cryptanalysis. In Proc. the Workshop on the Theory and Application of Cryptographic Techniques, May 1994.
[20] Matsui M. Linear cryptanalysis method for DES cipher. In Proc. the Workshop on the Theory and Application of Cryptographic Techniques, May 1993.
[21] Bogdanov A, Rijmen V. Linear hulls with correlation zero and linear cryptanalysis of block ciphers. Designs, Codes and Cryptography, 2014, 70(3).
[22] Harpes C, Kramer G G, Massey J L. A generalization of linear cryptanalysis and the applicability of Matsui's piling-up lemma. In Proc. the 14th Advances in Cryptology - Eurocrypt, May 1995.

Xiao-Li Yu received her Ph.D. degree in information security from the Institute of Software (IOS), Chinese Academy of Sciences (CAS), Beijing, in 2015. Her research interests include the design and cryptanalysis of block ciphers.

Wen-Ling Wu is a researcher and a Ph.D. supervisor in the Institute of Software, Chinese Academy of Sciences, Beijing. She is also a senior member of CCF. Her research interests include the design and cryptanalysis of block ciphers and hash functions, and cryptography.

Zhen-Qing Shi is a Ph.D. candidate in the Institute of Software, Chinese Academy of Sciences. His interests include the cryptanalysis of stream ciphers and of functions based on ARX operations.

Jian Zhang is a Ph.D. candidate in the Institute of Software, Chinese Academy of Sciences. His research interests mainly include the cryptanalysis of block ciphers and authenticated encryption ciphers.

Yan-Feng Wang is a Ph.D. candidate in the Institute of Software, Chinese Academy of Sciences. Her research interests are the cryptanalysis and design of block ciphers.

Lei Zhang received her Ph.D. degree in information security from the Institute of Software, CAS. She is an associate researcher in the Institute of Software, CAS. Her research interests include the design and cryptanalysis of block ciphers.

Appendix Linear Mask Propagations of SIMON

The linear mask propagations of all versions of SIMON are given in Table A1.

Table A1.
Linear Mask Propagations over the Rounds of SIMON
Columns: R; Left Branch; Right Branch
32-Bit Block Size: *100000* *100000* **10000**00000* 3 0**10000**00000* *****10*0*** *****10*0***0000 0******1******0* 5 0******1******0* ****************
48-Bit Block Size: *100000* *100000* **10000**00000* **10000**00000* *0***10*0***0000**00000* 4 *0***10*0***0000**00000* **************0*0*** **************0*0***0001 **********************0* 6 **********************0* ************************
64-Bit Block Size: *100000* *100000* **10000**00000* **10000**00000* *0***10*0***0000**00000* *0***10*0***0000**00000* ******1******0*0***0000**00000* 5 0******1******0*0***0000**00000* **********************0*0*** **********************0*0***0000 0*****************************0* 7 0*****************************0* ********************************
96-Bit Block Size: *100000* *100000* **10000**00000* **10000**00000* *0***10*0***0000**00000* *0***10*0***0000**00000* ******1******0*0***0000**00000* ******1******0*0***0000**00000* *1********************0*0***0000**00000* *1********************0*0***0000**00000* *****************************0*0***0000**00000* 7 0*****************************0*0***0000**00000* **************************************0*0*** **************************************0*0***0000 0*********************************************0* 9 0*********************************************0* ************************************************
128-Bit Block Size: *100000* *100000* **10000**00000* **10000**00000* *0***10*0***0000**00000* *0***10*0***0000**00000* ******1******0*0***0000**00000* ******1******0*0***0000**00000* *1********************0*0***0000**00000* *1********************0*0***0000**00000* *****************************0*0***0000**00000* *****************************0*0***0000**00000* *0************************************0*0***0000**00000* *0************************************0*0***0000**00000* *********************************************0*0***0000**00000* 9 0*********************************************0*0***0000**00000* ******************************************************0*0*** ******************************************************0*0***0000 0*************************************************************0* 11 0*************************************************************0* ****************************************************************
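The propagation rule that produces Table A1, as an added example rather than code from the paper. It pushes a truncated mask over {0, 1, *} forward through one SIMON round, assuming the specification's round function f(x) = (S^1 x & S^8 x) ⊕ S^2 x and, as a constructed starting point, a zero mask on the left branch and the single-bit mask e_0 on the right; with 16-bit and 24-bit branches this regenerates the 32-bit and 48-bit rows of Table A1 (for instance *0***10*0***0000**00000*), and rounds_until_undetermined (a helper named here) reports the round after which no determined mask bit is left, which bounds the forward half of a miss-in-the-middle zero-correlation distinguisher.

```python
"""Truncated linear-mask propagation through the SIMON round function.

Added example (not code from the paper).  Assumed, from the SIMON
specification: one round maps (x, y) -> (y ^ f(x) ^ k, x) with
f(x) = (S1(x) & S8(x)) ^ S2(x), where Sj is a left rotation by j bits, so
bit i of Sj(x) is bit (i - j) mod n of x.  A truncated mask is a string over
{'0', '1', '*'}; '*' is a bit of the linear mask that is undetermined, the
notation of Table A1.  Mask strings are written most significant bit first.
"""

UNKNOWN = "*"


def _xor(p, q):
    """XOR of two truncated bits; an undetermined input gives an undetermined result."""
    if p == UNKNOWN or q == UNKNOWN:
        return UNKNOWN
    return "1" if p != q else "0"


def f_input_mask(out_mask, n):
    """Input mask of f compatible with the output mask `out_mask`.

    Masks are lists indexed by bit position.  For every selected output bit j:
      - the linear term S2(x) carries the mask bit to input bit j-2 as it is;
      - the AND term S1(x) & S8(x) reads input bits j-1 and j-8, and a product
        x_a & x_b correlates with every linear function of (x_a, x_b), so
        those two input-mask bits become undetermined.
    An undetermined output bit also leaves input bit j-2 undetermined.
    """
    delta = ["0"] * n
    for j in range(n):
        bit = out_mask[j]
        if bit == "0":
            continue
        lin = (j - 2) % n
        delta[lin] = UNKNOWN if bit == UNKNOWN else _xor(delta[lin], "1")
        for a in ((j - 1) % n, (j - 8) % n):
            delta[a] = UNKNOWN
    return delta


def propagate_round(left, right, n):
    """One forward round: masks (a, b) on (x, y) -> masks (c, d) on (x', y').

    Because x' = y ^ f(x) ^ k, the mask on y must equal the mask on x', so
    c = b; because y' = x, the mask on x is a ^ delta for an input mask delta
    of f under output mask c.  The round key only flips the sign of the
    correlation, it never changes which masks are compatible.
    """
    c = list(right)
    d = [_xor(a, t) for a, t in zip(left, f_input_mask(c, n))]
    return c, d


def _from_string(s):
    return list(reversed(s))  # string has bit n-1 first; list index = bit position


def _to_string(bits):
    return "".join(reversed(bits))


def propagate(left, right, rounds):
    """Forward-propagate a truncated mask pair; returns (left, right) strings per round."""
    n = len(left)
    a, b = _from_string(left), _from_string(right)
    trail = []
    for _ in range(rounds):
        a, b = propagate_round(a, b, n)
        trail.append((_to_string(a), _to_string(b)))
    return trail


def rounds_until_undetermined(left, right, limit=64):
    """First round after which no bit of either branch mask is determined.

    A zero-correlation distinguisher built by meeting in the middle needs a
    determined bit to contradict, so this bounds how far the forward
    propagation can contribute; the same bound is what a designer checks
    when deciding on a round count.
    """
    n = len(left)
    a, b = _from_string(left), _from_string(right)
    for r in range(1, limit + 1):
        a, b = propagate_round(a, b, n)
        if all(t == UNKNOWN for t in a + b):
            return r
    return None


if __name__ == "__main__":
    # Constructed start mask, which reproduces the 32-bit rows of Table A1:
    # zero on the left branch, the single bit e_0 on the right (16-bit branches).
    n = 16
    left, right = "0" * n, "0" * (n - 1) + "1"
    print("R   Left Branch       Right Branch")
    for r, (l_mask, r_mask) in enumerate(propagate(left, right, 5), 1):
        print(f"{r:<3} {l_mask}  {r_mask}")
    print("both masks fully undetermined after round",
          rounds_until_undetermined(left, right))
```

Run as a script it prints the 32-bit rows in the table's notation; the same functions accept 24-, 32-, 48- or 64-bit branch strings for the other versions.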


More information

Improved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl Hash Function *

Improved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl Hash Function * JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 30, 1789-1806 (014) Improved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl Hash Function * JIAN ZOU 1,, WENLING WU 1, SHUANG

More information

COZMO - A New Lightweight Stream Cipher

COZMO - A New Lightweight Stream Cipher COZMO - A New Lightweight Stream Cipher Rhea Bonnerji 0000-0002-5825-8800, Simanta Sarkar 0000-0002-4210-2764, Krishnendu Rarhi 0000-0002-5794-215X, Abhishek Bhattacharya School of Information Technology,

More information

Attack on DES. Jing Li

Attack on DES. Jing Li Attack on DES Jing Li Major cryptanalytic attacks against DES 1976: For a very small class of weak keys, DES can be broken with complexity 1 1977: Exhaustive search will become possible within 20 years,

More information

Evaluation of security level of CLEFIA

Evaluation of security level of CLEFIA Evaluation of security level of CLEFIA An anonymous reviewer Version 1.0 January 25, 2011 1 Evaluation of security level of CLEFIA 1 Contents Executive Summary 3 References 4 1 Introduction 8 2 CLEFIA

More information

Symmetric Cryptography. Chapter 6

Symmetric Cryptography. Chapter 6 Symmetric Cryptography Chapter 6 Block vs Stream Ciphers Block ciphers process messages into blocks, each of which is then en/decrypted Like a substitution on very big characters 64-bits or more Stream

More information

in a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a

in a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a Cryptanalysis of Reduced Variants of Rijndael Eli Biham Λ Nathan Keller y Abstract Rijndael was submitted to the AES selection process, and was later selected as one of the five finalists from which one

More information

Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others

Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others Alex Biryukov and Ivica Nikolić University of Luxembourg {alex.biryukov,ivica.nikolic}uni.lu

More information

Weak Keys. References

Weak Keys. References Weak Keys The strength of the encryption function E K (P) may differ significantly for different keys K. If for some set WK of keys the encryption function is much weaker than for the others this set is

More information

Elastic Block Ciphers: The Feistel Cipher Case

Elastic Block Ciphers: The Feistel Cipher Case Elastic Block Ciphers: The Feistel Cipher Case Debra L. Cook Moti Yung Angelos D. Keromytis Department of Computer Science Columbia University, New York, NY dcook,moti,angelos @cs.columbia.edu Technical

More information

Hybrid Lightweight and Robust Encryption Design for Security in IoT

Hybrid Lightweight and Robust Encryption Design for Security in IoT , pp.85-98 http://dx.doi.org/10.14257/ijsia.2015.9.12.10 Hybrid Lightweight and Robust Encryption Design for Security in IoT Abhijit Patil 1, Gaurav Bansod 2 and Narayan Pisharoty 3 Electronics and Telecommunication

More information

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24 Assume encryption and decryption use the same key. Will discuss how to distribute key to all parties later Symmetric ciphers unusable for authentication of sender Lecturers: Mark D. Ryan and David Galindo.

More information

Analysis of the Use of Whirlpool s S-box, S1 and S2 SEED s S- box in AES Algorithm with SAC Test Novita Angraini, Bety Hayat Susanti, Magfirawaty

Analysis of the Use of Whirlpool s S-box, S1 and S2 SEED s S- box in AES Algorithm with SAC Test Novita Angraini, Bety Hayat Susanti, Magfirawaty Information Systems International Conference (ISICO), 2 4 December 2013 Analysis of the Use of Whirlpool s S-box, S1 and S2 SEED s S- box in AES Algorithm with SAC Test Novita Angraini, Bety Hayat Susanti,

More information

AES Variants Secure Against Related-Key Differential and Boomerang Attacks

AES Variants Secure Against Related-Key Differential and Boomerang Attacks AES Variants Secure Against Related-Key Differential and Boomerang Attacks Jiali Choy 1, Aileen Zhang 1, Khoongming Khoo 1, Matt Henricksen 2 and Axel Poschmann 3 1 DSO National Laboratories 20 Science

More information

A New Technique for Sub-Key Generation in Block Ciphers

A New Technique for Sub-Key Generation in Block Ciphers World Applied Sciences Journal 19 (11): 1630-1639, 2012 ISSN 1818-4952 IDOSI Publications, 2012 DOI: 10.5829/idosi.wasj.2012.19.11.1871 A New Technique for Sub-Key Generation in Block Ciphers Jamal N.

More information

New Attacks on Feistel Structures with Improved Memory Complexities

New Attacks on Feistel Structures with Improved Memory Complexities New Attacks on Feistel Structures with Improved Memory Complexities Itai Dinur 1, Orr Dunkelman 2,4,, Nathan Keller 3,4,, and Adi Shamir 4 1 Département d Informatique, École Normale Supérieure, Paris,

More information

Block Ciphers Introduction

Block Ciphers Introduction Technicalities Block Models Block Ciphers Introduction Orr Dunkelman Computer Science Department University of Haifa, Israel March 10th, 2013 Orr Dunkelman Cryptanalysis of Block Ciphers Seminar Introduction

More information

Vol. 1, Issue VIII, Sep ISSN

Vol. 1, Issue VIII, Sep ISSN Enhancing the Security of Image Encryption Algorithms by Adding Timestamp Lini Abraham 1, Neenu Daniel 2 1 M.Tech Student (CSE), Mahatma Gandhi University Viswajyothi College of Engineering and Technology,

More information

Impossible Differential Attack on Reduced Round SPARX-64/128

Impossible Differential Attack on Reduced Round SPARX-64/128 Impossible Differential Attack on Reduced Round SPARX-64/128 Ahmed Abdelkhalek, Mohamed Tolba, and Amr M. Youssef Concordia Institute for Information Systems Engineering Concordia University, Montréal,

More information

Update on Tiger. Kasteelpark Arenberg 10, B 3001 Heverlee, Belgium

Update on Tiger. Kasteelpark Arenberg 10, B 3001 Heverlee, Belgium Update on Tiger Florian Mendel 1, Bart Preneel 2, Vincent Rijmen 1, Hirotaka Yoshida 3, and Dai Watanabe 3 1 Graz University of Technology Institute for Applied Information Processing and Communications

More information

Symmetric Encryption Algorithms

Symmetric Encryption Algorithms Symmetric Encryption Algorithms CS-480b Dick Steflik Text Network Security Essentials Wm. Stallings Lecture slides by Lawrie Brown Edited by Dick Steflik Symmetric Cipher Model Plaintext Encryption Algorithm

More information

Introduction to Cryptology. Lecture 17

Introduction to Cryptology. Lecture 17 Introduction to Cryptology Lecture 17 Announcements HW7 due Thursday 4/7 Looking ahead: Practical constructions of CRHF Start Number Theory background Agenda Last time SPN (6.2) This time Feistel Networks

More information

Differential Cryptanalysis of Madryga

Differential Cryptanalysis of Madryga Differential Cryptanalysis of Madryga Ken Shirriff Address: Sun Microsystems Labs, 2550 Garcia Ave., MS UMTV29-112, Mountain View, CA 94043. Ken.Shirriff@eng.sun.com Abstract: The Madryga encryption algorithm

More information

The JAMBU Lightweight Authentication Encryption Mode (v2)

The JAMBU Lightweight Authentication Encryption Mode (v2) The JAMBU Lightweight Authentication Encryption Mode (v2) 29 Aug, 2015 Designers: Hongjun Wu, Tao Huang Submitters: Hongjun Wu, Tao Huang Contact: wuhongjun@gmail.com Division of Mathematical Sciences

More information

Data Encryption Standard (DES)

Data Encryption Standard (DES) Data Encryption Standard (DES) Best-known symmetric cryptography method: DES 1973: Call for a public cryptographic algorithm standard for commercial purposes by the National Bureau of Standards Goals:

More information