
Yu XL, Wu WL, Shi ZQ et al. Zero-correlation linear cryptanalysis of reduced-round SIMON. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 30(6): 1358–1369 Nov. 2015. DOI 10.1007/s11390-015-1603-5

Zero-Correlation Linear Cryptanalysis of Reduced-Round SIMON

Xiao-Li Yu 1,2 (于晓丽), Wen-Ling Wu 1 (吴文玲), Senior Member, CCF, Zhen-Qing Shi 1 (石振青), Jian Zhang 1 (张建), Lei Zhang 1 (张蕾), and Yan-Feng Wang 1 (汪艳凤)

1 Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China
2 University of Chinese Academy of Sciences, Beijing 100049, China

E-mail: {yuxiaoli, wwl, shizhenqing, zhangjian, zhanglei1015, wangyanfeng}@tca.iscas.ac.cn

Received March 18, 2014; revised June 2, 2015.

Abstract In June 2013, the U.S. National Security Agency proposed two families of lightweight block ciphers, called SIMON and SPECK. These ciphers are designed to perform excellently on both hardware and software platforms. In this paper, we mainly present zero-correlation linear cryptanalysis on various versions of SIMON. Firstly, by using the miss-in-the-middle approach, we construct zero-correlation linear distinguishers of SIMON, and zero-correlation linear attacks are presented based on a careful analysis of the key recovery phase. Secondly, multidimensional zero-correlation linear attacks are used to reduce the data complexity. Our zero-correlation linear attacks perform better than the impossible differential attacks proposed by Abed et al. in ePrint Report 2013/568. Finally, we also use the divide-and-conquer technique to improve the results of the linear cryptanalysis proposed by Alizadeh et al. in ePrint Report 2013/663.

Keywords lightweight block cipher, SIMON, linear cryptanalysis, zero-correlation, dual property

1 Introduction

With the growing impact of RFID tags, smartcards, and FPGAs, lightweight cryptography has become a very active area of research. In recent years, a number of lightweight block ciphers have been proposed, e.g., PRESENT[1], LBlock[2], KLEIN[3], Piccolo[4], LED[5], and [6]. These ciphers are usually targeted at extremely constrained environments.

In 2013, the National Security Agency (NSA) published the specifications of two lightweight block cipher families, SIMON and SPECK, on ePrint[7]. These ciphers provide high performance across a range of devices. The designers hope to fill the need for secure, flexible and analyzable lightweight block ciphers. The specification document provides a detailed description of different performance results and implementations, and it is said that SIMON is optimized for hardware implementations and SPECK is optimized for software, but actually these two families can perform well in both hardware and software.

Though neither cryptanalytic results nor analysis were provided in the specification document, it still drove great interest among researchers to analyze the ciphers. Soon after the publication of the ciphers, Abed et al.[8] proposed the first differential cryptanalysis of SIMON using differential characteristics with low Hamming weight. Then, Alkhzaimi and Lauridsen also gave a differential cryptanalysis of SIMON in [9]. They showed how the cipher exhibits a strong differential effect. Besides, Abed et al. proposed the first differential cryptanalysis of SPECK in [10]. Later, Abed et al.[8] updated their paper with an improvement of the differential cryptanalysis and some results of linear cryptanalysis. Alizadeh et al.[11] presented better linear approximations of SIMON. In FSE 2014, Abed et al. combined the major contributions of [8] and [10] in [12], and they can attack more or less half of the rounds of the ciphers, while Biryukov et al. adapted Matsui's algorithm to ARX constructions and showed differential characteristics and trails of SIMON and SPECK in [13]. Recently, there are some new results of SIMON32 and

Regular Paper
This work was supported by the National Basic Research 973 Program of China under Grant No. 2013CB338002 and the National Natural Science Foundation of China under Grant Nos. 61272476, 61202420, and 61232009.
©2015 Springer Science + Business Media, LLC & Science Press, China
Xiao-Li Yu et al.: Zero-Correlation Linear Cryptanalysis of Reduced-Round SIMON 1359

SIMON48 shown in [14], published at INDOCRYPT 2014.

Zero-correlation linear cryptanalysis[15] is a novel and promising attack technique for block ciphers. It can be considered as the counterpart of impossible differential cryptanalysis in the domain of linear cryptanalysis. The distinguishing property used in zero-correlation linear cryptanalysis is the existence of zero-correlation linear hulls over a part of the cipher. Those linear approximations hold true with probability p equal to 1/2, i.e., with correlation c = 2p − 1 equal to 0. The original scheme has the disadvantage of requiring the full codebook of data. Bogdanov and Wang used m independent zero-correlation linear approximations to avoid the entire-codebook data complexity of zero-correlation linear cryptanalysis in [16]. In [17], the idea of multidimensional zero-correlation linear cryptanalysis was proposed to reduce the data complexity; it does not rely on independent linear approximations but on the concept of a linear space. Recently, there have been many results using zero-correlation linear cryptanalysis, e.g., [18].

In this paper, we mainly present zero-correlation linear cryptanalysis on various versions of SIMON and also give some improvement of the linear cryptanalysis in [11]. Based on the linear mask propagation for SIMON, zero-correlation linear distinguishers for all SIMON versions are constructed. By carefully studying the key recovery phase, we give zero-correlation linear attacks on SIMON, which perform better than impossible differential attacks. Our zero-correlation linear attacks can break 19, 20, 22, 23, 25, 28, 33, and 34 rounds of SIMON32/64, SIMON48/72, SIMON48/96, SIMON64/96, SIMON64/128, SIMON96/144, SIMON128/192 and SIMON128/256 respectively. Also, we use multidimensional zero-correlation linear attacks to reduce the data complexity. Furthermore, we use the divide-and-conquer technique to improve the results of the linear cryptanalysis in [11], which can attack 43 rounds of SIMON128/256.

This paper is organized as follows. Section 2 provides a brief description of SIMON and some preliminaries of zero-correlation linear cryptanalysis. By using the miss-in-the-middle method, we construct zero-correlation linear distinguishers and give the zero-correlation attacks in Section 3. Section 4 describes the multidimensional zero-correlation linear attacks and the improved linear attacks on SIMON. Finally, Section 5 concludes this paper.

2 Preliminaries

In this section, we provide a brief description of SIMON and some preliminaries of zero-correlation linear cryptanalysis. Firstly, we introduce some notations which will be used in the following parts.

2.1 Notations

Table 1 lists the notations used in the paper.

Table 1. Notations Used in the Paper
Symbol      Description
b           Block size of the cipher
n           Half of the block size, that is, b = 2n
k           Key size of the cipher
XL^i        Left half of the input state of the i-th round
XR^i        Right half of the input state of the i-th round
K^i         n-bit subkey of the i-th round
x_i         The i-th least significant bit of the bit string x
x ⊕ y       Exclusive or (XOR) of two strings x and y
x ⊙ y       Bitwise AND of two strings x and y
x||y        Concatenation of two strings x and y
x ≫ j       Right circular shift of x by j bits
x ≪ j       Left circular shift of x by j bits
c[α → β]    Correlation of the linear trail α → β
∗           Unknown bit, which can be 0 or 1
N           Number of data collected by the adversary

2.2 Brief Description of SIMON

SIMON is a family of block ciphers with a balanced Feistel structure built only from bitwise AND, rotations and XOR (no modular addition is used). It is designed to provide flexibility: it supports block sizes of 32, 48, 64, 96, and 128 bits, and different key sizes. We denote the cipher by SIMONb/k (sometimes just SIMONb).

The round function of SIMON processes the left half of the state using rotations and a logical AND, and XORs the result into the right half of the state. Also, one n-bit round key is XORed into the right half of the state. One round of SIMON is illustrated in Fig.1, where the function F is defined as F(XL^i) = (XL^i ≪ 8) ⊙ (XL^i ≪ 1). Notice that F is the only nonlinear function of SIMON, and it is based on bitwise operations; the rotation by 2 that is XORed next to F is linear. In the notation of Table 1, one round computes XL^{i+1} = XR^i ⊕ F(XL^i) ⊕ (XL^i ≪ 2) ⊕ K^i and XR^{i+1} = XL^i.

Table 2 lists the block size, key size, and the number of rounds for all variants of SIMON. For the details of the key scheduling algorithm, interested readers can refer to [7].
1360 J. Comput. Sci. & Technol., Nov. 2015, Vol.30, No.6
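The round structure described above in runnable form, as an added example (editor-supplied code, not the paper's or the designers' code). It implements SIMON32/64 with the key schedule of the specification [7] and checks it against the specification's published test vector (key 1918 1110 0908 0100, plaintext 6565 6877, ciphertext c69b e9bb; the vector is not printed on this page and is taken from [7] as an assumption). It also checks, exhaustively over all 2^16 inputs and input masks with a Walsh-Hadamard transform, the bias claim that Lemma 3 of Subsection 3.1 makes for a single-bit output mask: over the whole left-branch map F(x) ⊕ (x ≪ 2), the only input masks with nonzero correlation are β ≫ 2 XORed with the four elements of V, each with bias 1/4.

```python
# SIMON32/64 reference implementation and a Walsh-Hadamard check of Lemma 3.
# Added example; not the paper's code. Word size n = 16; the key schedule and
# the test vector used in the test follow the SIMON specification [7].
N = 16
MASK = (1 << N) - 1
# Constant sequence z0 of the specification, the one used by SIMON32/64.
Z0 = "11111010001001010110000111001101111101000100101011000011100110"

def rotl(x, r):
    return ((x << r) | (x >> (N - r))) & MASK

def rotr(x, r):
    return ((x >> r) | (x << (N - r))) & MASK

def F(x):
    """The only nonlinear part of the round: (x <<< 8) AND (x <<< 1)."""
    return rotl(x, 8) & rotl(x, 1)

def G(x):
    """Whole left-branch map of a round: F(x) XOR (x <<< 2)."""
    return F(x) ^ rotl(x, 2)

def key_schedule(key_words, rounds=32):
    """Expand (k3, k2, k1, k0), the order in which the spec prints the key
    (k0 is used in the first round), into the 32 round keys of SIMON32/64."""
    m = 4                                      # SIMON32/64 has m = 4 key words
    k = list(reversed(key_words))              # k[0] ... k[3]
    for i in range(m, rounds):
        tmp = rotr(k[i - 1], 3) ^ k[i - 3]      # the m = 4 variant XORs in k[i-3]
        tmp ^= rotr(tmp, 1)
        k.append((~k[i - m] & MASK) ^ tmp ^ int(Z0[(i - m) % 62]) ^ 3)
    return k

def encrypt(x, y, round_keys):
    """(XL, XR) -> ciphertext halves; one round is XL' = XR ^ G(XL) ^ K, XR' = XL."""
    for rk in round_keys:
        x, y = y ^ G(x) ^ rk, x
    return x, y

def decrypt(x, y, round_keys):
    for rk in reversed(round_keys):
        x, y = y, x ^ G(y) ^ rk
    return x, y

def nonzero_correlation_input_masks(out_bit):
    """All input masks alpha with c[alpha -> e_out_bit] != 0 over G, found with a
    Walsh-Hadamard transform of the Boolean function x -> bit out_bit of G(x);
    exhaustive over the 2^16 inputs and the 2^16 input masks."""
    w = [1 - 2 * ((G(x) >> out_bit) & 1) for x in range(1 << N)]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return {alpha: w[alpha] / (1 << N) for alpha in range(1 << N) if w[alpha]}

def lemma3_prediction(out_bit):
    """Lemma 3 for F (input mask in V = {0, b>>>1, b>>>8, (b>>>1)^(b>>>8)}),
    plus the fixed linear term b >>> 2 contributed by the rotation by 2."""
    beta = 1 << out_bit
    fixed = rotr(beta, 2)
    return {fixed ^ v for v in (0, rotr(beta, 1), rotr(beta, 8), rotr(beta, 1) ^ rotr(beta, 8))}

if __name__ == "__main__":
    ks = key_schedule((0x1918, 0x1110, 0x0908, 0x0100))
    print("SIMON32/64 test vector:", [hex(v) for v in encrypt(0x6565, 0x6877, ks)])
    print("input masks with nonzero correlation for output bit 0:",
          {hex(a): c for a, c in nonzero_correlation_input_masks(0).items()})
```

For output bit 0 the transform returns exactly the four masks 0x4000, 0xC000, 0x4100 and 0xC100 with correlation ±1/2 (bias 1/4), i.e. the fixed 1 at bit 14 from the rotation by 2 and the two undetermined bits 15 and 8 of Lemma 3; every other mask has correlation exactly 0 because bit 0 of G depends on no other input bit.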

Fig.1. Round function of SIMON. (Figure: XL^i enters F and the rotation by 2; the result is XORed with XR^i and the subkey k^i to give XL^{i+1}, while XR^{i+1} = XL^i.)

Table 2. SIMON Parameters
Block Size b   Key Size k   Number of Rounds
32             64           32
48             72, 96       36
64             96           42
64             128          44
96             96           52
96             144          54
128            128          68
128            192          69
128            256          72

2.3 Zero-Correlation Linear Approximations

Consider a b-bit block cipher f (b = 2n is the block size of Table 1) and let the input of the function be z ∈ F_2^b. A linear approximation (u, v) with an input mask u and an output mask v has probability

$$p(u, v) = \Pr_{z \in \mathbb{F}_2^{b}}\big(u \cdot z \oplus v \cdot f(z) = 0\big).$$

The value c_f(u, v) = 2p(u, v) − 1 is called the correlation of the linear approximation (u, v). Note that p(u, v) = 1/2 is equivalent to zero correlation c_f(u, v) = 0. Zero-correlation linear cryptanalysis uses linear approximations whose correlations are equal to 0 for all keys.

2.4 Multidimensional Zero-Correlation Linear Cryptanalysis

For most ciphers, there are a large number of zero-correlation approximations. To remove the statistical independence assumption for multiple zero-correlation linear approximations, the available zero-correlation linear approximations are treated as a linear space spanned by m base zero-correlation linear approximations such that all l = 2^m − 1 non-zero linear combinations of them have zero correlation[17].

For each i ∈ F_2^m, the attacker allocates a counter T_i and initializes it to 0. Then for each distinct plaintext, the attacker computes the corresponding data value in F_2^m (the m-bit vector formed by evaluating the m base approximations on the plaintext-ciphertext pair) and increases the counter T_i of this data value by 1. Then the attacker computes the statistic T:

$$T = \sum_{i=0}^{2^m-1} \frac{(T_i - N \cdot 2^{-m})^2}{N \cdot 2^{-m}\,(1 - 2^{-m})}. \qquad (1)$$

The statistic T for the right key guess follows a χ²-distribution with mean $\mu_0 = l \cdot \frac{2^b - N}{2^b - 1}$ and variance $\sigma_0^2 = 2l \left(\frac{2^b - N}{2^b - 1}\right)^2$, while for a wrong key guess it follows a χ²-distribution with mean µ1 = l and variance σ1² = 2l.

We denote the probability of non-detection and the probability of false alarm when distinguishing between a wrong key and a right key as α and β respectively. More precisely, α is the probability of taking a right key for a wrong key, and β is the probability of taking a wrong key for a right key. Consider the decision threshold $\tau = \mu_0 + \sigma_0 z_{1-\alpha} = \mu_1 - \sigma_1 z_{1-\beta}$; then the number of known plaintexts N should be about

$$N = \frac{2^{b}\,(z_{1-\alpha} + z_{1-\beta})}{\sqrt{l/2} - z_{1-\beta}}, \qquad (2)$$

where z_p = Φ^{−1}(p) for 0 < p < 1 and Φ is the cumulative distribution function of the standard normal distribution. Thus the success probability is P_s = 1 − α.

3 Zero-Correlation Linear Cryptanalysis of SIMON

In this section, we first use the miss-in-the-middle approach to construct zero-correlation linear distinguishers. Then, based on these distinguishers, zero-correlation linear attacks are presented on various versions of SIMON.

3.1 Zero-Correlation Linear Distinguisher

Similar to the construction of impossible differential distinguishers, the miss-in-the-middle approach can also be used to construct zero-correlation linear distinguishers.

In order to find the longest zero-correlation linear approximations, several methods were proposed to find linear hulls with zero correlation. The matrix method was proposed in [18], using the miss-in-the-middle technique to establish zero-correlation linear approximations.

Feistel ciphers usually make use of two basic operations: the XOR operation and the branching operation. Linear approximations over these operations follow two major principles (see [19] and [16]).

Lemma 1 (XOR Approximation[16]). Either the three linear selection patterns at an XOR ⊕ are equal or the correlation over ⊕ is exactly 0.

Lemma 2 (Branching Approximation[16]). Either the three linear selection patterns at a branching point • sum up to 0 or the correlation over • is exactly 0.

During the linear mask propagation of Feistel ciphers, one starts from the mask of the right branch due to the dual property between differential analysis and linear analysis. Since the function F of SIMON is not bijective, we will show how to determine the possible input linear masks of F from an output linear mask.

Lemma 3 (Bias of the F Linear Approximation with an Output Mask of Hamming Weight 1). Suppose the output mask of the F linear approximation is β, which has only one nonzero bit. Then if the input mask α takes a value from the set V = {0, β ≫ 1, β ≫ 8, (β ≫ 1) ⊕ (β ≫ 8)}, the bias of the F linear approximation is 1/4; otherwise, the bias is 0.

Lemma 3 is also used in [11]. According to this lemma, one can describe the input mask α from an output mask β of Hamming weight 1. For example, for SIMON32, if β = 0000000000000001, then α = ∗100000∗00000000 (written from the most significant bit: the asterisks at bits 15 and 8 are the undetermined F-input bits β ≫ 1 and β ≫ 8 of Lemma 3, and the fixed 1 at bit 14 is the mask β ≫ 2 contributed by the linear rotation by 2 of the round function).

This approach can be generalized to an arbitrary output mask, and each time we put an asterisk on a position where we fail to determine that particular bit of the input mask. Table A1 shows how the linear masks progress over the rounds of SIMON. For the larger versions of SIMON, the zero bits can go further, and as a result the distinguishers can reach more rounds.

As shown in Table A1, for SIMON32, the output mask after five rounds will be (0∗∗∗∗∗∗1∗∗∗∗∗∗0∗ || ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗) with probability 1. If the input mask is rotated left by 7 or 9 bits, one of the 0's will be shifted to the position of the 1. Since the decryption and the encryption of the Feistel scheme are symmetric, two 10-round zero-correlation linear distinguishers of SIMON32 are constructed:

c[(0x0000||0x0001) → (0x0000||0x0001 ≪ 7)] = 0,
c[(0x0000||0x0001) → (0x0000||0x0001 ≪ 9)] = 0.

All zero-correlation linear distinguishers of SIMON are presented in Table 3. For different values of k, the zero-correlation linear distinguishers are linearly independent. Since the input mask is rotated left by k, one of the 0's will be shifted to the position of the 1, and then all linear combinations of the approximations have correlation 0 for every SIMONb.

3.2 Attack Procedure of Zero-Correlation Linear Cryptanalysis

Given a distinguisher of zero-correlation linear approximations over a part of the cipher, the basic key recovery can be done with a technique similar to that of Matsui's Algorithm 2[20], partially encrypting/decrypting from the plaintext/ciphertext up to the boundaries of the property. This is the key recovery approach used in all zero-correlation attacks so far. In this subsection, we will use the divide-and-conquer technique to reduce the computational complexity of the attacks.
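The mask propagation of Subsection 3.1 as an added example (editor-supplied code, not the paper's): masks over the three-valued alphabet {0, 1, ∗}, Lemma 3 applied bit by bit to the left-branch map F(x) ⊕ (x ≪ 2), and the Feistel propagation rules of Lemmas 1 and 2, used to regenerate the SIMON32 pattern quoted from Table A1 and the rotation amounts k of Table 3 by miss-in-the-middle. It assumes the round function of Subsection 2.2 and follows the text's rule literally (an asterisk wherever a bit of the input mask cannot be determined); the fixed bits are exact because a bit of the input mask can only be nonzero if the corresponding output bits of the round depend on it.

```python
# Three-valued linear-mask propagation for SIMON (Subsection 3.1, Table A1 and
# Table 3). Added example; not code from the paper. A mask is a list of n
# symbols from {0, 1, "*"} indexed by bit position (index 0 = least significant).
STAR = "*"

def xor3(u, v):
    """XOR of two three-valued symbols: an undetermined bit stays undetermined."""
    return STAR if STAR in (u, v) else u ^ v

def g_input_mask(c, n):
    """Possible input masks of the left-branch map G(x) = F(x) ^ (x <<< 2) for the
    output mask c, applying Lemma 3 bit by bit: output bit j of G depends on
    x[j-1] & x[j-8] (through F) and on x[j-2] (through the rotation by 2), so bit
    j-2 of the input mask inherits c[j] exactly, while bits j-1 and j-8 become
    undetermined whenever c[j] can be 1."""
    a = [0] * n
    for j in range(n):
        if c[j] == 0:
            continue
        a[(j - 2) % n] = xor3(a[(j - 2) % n], c[j])
        a[(j - 1) % n] = STAR
        a[(j - 8) % n] = STAR
    return a

def forward_round(a, b, n):
    """Masks (a on XL^i, b on XR^i) -> masks on (XL^{i+1}, XR^{i+1}).
    With XL^{i+1} = XR^i ^ G(XL^i) ^ K^i and XR^{i+1} = XL^i, Lemmas 1 and 2 give
    mask(XL^{i+1}) = b and mask(XR^{i+1}) = a ^ (input mask of G for b)."""
    gb = g_input_mask(b, n)
    return b, [xor3(a[j], gb[j]) for j in range(n)]

def backward_round(c, d, n):
    """Masks (c on XL^{i+1}, d on XR^{i+1}) -> masks on (XL^i, XR^i)."""
    gc = g_input_mask(c, n)
    return [xor3(d[j], gc[j]) for j in range(n)], c

def unit_mask(n, j):
    m = [0] * n
    m[j % n] = 1
    return m

def to_str(m):
    """Most significant bit first, the way the paper prints masks."""
    return "".join(str(s) for s in reversed(m))

def propagate_forward(n, rounds, start_bit=0):
    """Masks after `rounds` rounds from the input mask (0 || 1 <<< start_bit)."""
    a, b = [0] * n, unit_mask(n, start_bit)
    for _ in range(rounds):
        a, b = forward_round(a, b, n)
    return a, b

def contradicts(p, q):
    """True iff some bit is fixed to 1 in one mask and fixed to 0 in the other."""
    return any({p[j], q[j]} == {0, 1} for j in range(len(p)))

def zc_rotations(n, fwd, bwd):
    """Rotation amounts k for which (0||1) -> (0||1 <<< k) has zero correlation over
    fwd + bwd rounds: forward masks from the input and backward masks from the
    output meet in the middle with a fixed 1 against a fixed 0 (miss-in-the-middle)."""
    a, b = propagate_forward(n, fwd)
    found = []
    for k in range(n):
        c, d = [0] * n, unit_mask(n, k)
        for _ in range(bwd):
            c, d = backward_round(c, d, n)
        if contradicts(a, c) or contradicts(b, d):
            found.append(k)
    return found

if __name__ == "__main__":
    print(to_str(g_input_mask(unit_mask(16, 0), 16)))        # the Lemma 3 example
    left, right = propagate_forward(16, 5)
    print(to_str(left), "||", to_str(right))                   # Table A1, SIMON32, 5 rounds
    print("SIMON32, 5 + 5 rounds:", zc_rotations(16, 5, 5))    # Table 3
```

For SIMON32 the propagation returns the mask ∗100000∗00000000 after one round, the pattern 0∗∗∗∗∗∗1∗∗∗∗∗∗0∗ || ∗…∗ after five rounds and k ∈ {7, 9} for 5 + 5 rounds; for SIMON48 with 6 + 5 rounds it returns k = 1, as in Table 3. Because the ∗ rule over-approximates the set of masks with nonzero correlation, every contradiction it finds is sound; a rotation it does not report is not thereby shown to have nonzero correlation.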

Table 3. Zero-Correlation Linear Distinguishers of SIMON

Block 2n   Rounds (forwards + backwards)   Distinguisher                                                                        k
32         5 + 5                           (0x0000||0x0001) → (0x0000||0x0001 ≪ k)                                              {7, 9}
48         6 + 5                           (0x000000||0x000001) → (0x000000||0x000001 ≪ k)                                      {1}
48         5 + 5                           (0x000000||0x000001) → (0x000000||0x000001 ≪ k)                                      {1, 2, 3, 7, 9}
64         7 + 5                           (0x00000000||0x00000001) → (0x00000000||0x00000001 ≪ k)                              {7, 9}
96         9 + 6                           (0x000000000000||0x000000000001) → (0x000000000000||0x000000000001 ≪ k)              {1, 3}
128        11 + 7                          (0x0000000000000000||0x0000000000000001) → (0x0000000000000000||0x0000000000000001 ≪ k)   {1, 63}

3.2.1 Zero-Correlation Linear Attack on 19-Round SIMON32/64

Next, we describe a zero-correlation linear attack on 19-round SIMON32/64. The attack utilizes the 10-round zero-correlation linear approximation (0x0000||0x0001) → (0x0000||0x0200) from round 6 to round 15. After collecting sufficient plaintext-ciphertext pairs, we guess the corresponding subkeys of the first five rounds and the last four rounds, and estimate the correlation of the approximation as described in Fig.2.

Here, we let N = 2^32. Since there are 40 subkey bits in the outer rounds, the time complexity would be N × 2^40 = 2^72, which is much more than exhaustive search. We can reduce the time complexity significantly using the divide-and-conquer technique introduced in [18], which is also used in [14].

There are only two nonzero linear masks of the approximation in the distinguisher. Thus, in order to estimate the correlation, we only need to know the values of XR^6_0 and XR^16_9, which are not affected by all bits of the outer rounds. More precisely, in the first five rounds, the bit XR^6_0 is affected by 24 bits of the plaintext XL^1||XR^1, 16 bits of XL^2||XR^2, 9 bits of XL^3||XR^3, 4 bits of XL^4||XR^4, and 1 bit of XL^5. Similarly, in the last four rounds, the bit XR^16_9 is affected by 24 bits of XL^20||XR^20, 16 bits of XL^19||XR^19, 9 bits of XL^18||XR^18, and 4 bits of XL^17||XR^17. We call these bits "active" and the other ones "neutral". During the attack procedure, we allocate counters to contain the plaintext-ciphertext pairs indexed by the active bits. In each step, for each subkey candidate, we encrypt (decrypt) the active bits in round r over one round and count the number of pairs which give the same value in the active bits of round r + 1 (r − 1).

Fig.2. 19-round attack of SIMON32/64. (Figure: the five guessed rounds before the distinguisher, the 10-round zero-correlation linear approximation between XR^6_0 and XR^16_9, and the four guessed rounds after it; the active bits of XL, XR and k in each outer round are the ones listed in the steps below.)

Since we use the whole codebook as data, if the value of the final counter is not equal to N/2, we can delete the corresponding guessed key.

In summary, the steps of the attack procedure are listed as follows:

1) Collect N = 2^32 plaintexts and the corresponding ciphertexts. Guess the 20 subkey bits k^19_{15,14,13,8,7,6,5,4,3,1}, k^18_{15,9,7,6,5,0}, k^17_{8,7,1} and k^16_9, and calculate the value of XR^16_9 for every pair.

2) Allocate an 8-bit counter N^1[x^1||x^16] for each of the 2^25 possible values of (x^1||x^16), where x^1 = XL^1_{14,13,12,11,10,9,8,7,6,5,4,3,2,0} || XR^1_{15,14,13,12,11,10,8,6,5,4} and x^16 = XR^16_9, and set them to zero. Then count the number of plaintext-ciphertext pairs with the given values x^1 and x^16 and save it in N^1[x^1||x^16]. In this step, the 2^32 plaintext-ciphertext pairs are divided into 2^25 different states. The expected number of pairs for each state is around 2^7, so an 8-bit counter N^1 is sufficient.

3) Guess the 10 bits k^1_{15,14,13,12,11,10,8,6,5,4}. Allocate a counter N^2[x^2||x^16] for each of the 2^17 possible values of (x^2||x^16), where x^2 = XL^2_{15,14,13,12,11,10,8,6,5,4} || XR^2_{14,13,12,7,6,0}, and set them to zero. For all 2^24 possible values of x^1, encrypt x^1 one round to obtain x^2 and update N^2[x^2||x^16] = N^2[x^2||x^16] + N^1[x^1||x^16] for both values of x^16.

4) Guess the 6 bits k^2_{14,13,12,7,6,0}. Allocate a counter N^3[x^3||x^16] for each of the 2^10 possible values of (x^3||x^16), where x^3 = XL^3_{14,13,12,7,6,0} || XR^3_{15,14,8}, and set them to zero. For all 2^16 possible values of x^2, encrypt x^2 one round to obtain x^3 and update N^3[x^3||x^16] = N^3[x^3||x^16] + N^2[x^2||x^16] for both values of x^16.

5) Guess the 3 bits k^3_{15,14,8}. Allocate a counter N^4[x^4||x^16] for each of the 2^5 possible values of (x^4||x^16), where x^4 = XL^4_{15,14,8} || XR^4_0, and set them to zero. For all 2^9 possible values of x^3, encrypt x^3 one round to obtain x^4 and update N^4[x^4||x^16] = N^4[x^4||x^16] + N^3[x^3||x^16] for both values of x^16.

6) Guess the 1 bit k^4_0. Allocate a counter N^5[x^5||x^16] for each of the 2^2 possible values of (x^5||x^16), where x^5 = XL^5_0 (= XR^6_0), and set them to zero. For all 2^4 possible values of x^4, encrypt x^4 one round to obtain x^5 and update N^5[x^5||x^16] = N^5[x^5||x^16] + N^4[x^4||x^16] for both values of x^16.

7) Check whether Σ_{x^5 = x^16} N^5[x^5||x^16] is equal to N/2. If not, delete the corresponding guessed key.

8) Do an exhaustive search over all keys corresponding to the surviving guessed subkey bits.

3.2.2 Attack Complexity

The memory complexity of the attack is dominated by step 2, which needs 2^25 bytes. The time complexity of step 1 is N × 2^20 = 2^52 (partial decryptions of the last four rounds). The time complexity of each step from step 3 to step 6 depends on the number of memory accesses, which is 2^20 × 2^10 × 2^25 = 2^55, 2^{20+10} × 2^6 × 2^17 = 2^53, 2^{20+10+6} × 2^3 × 2^10 = 2^49 and 2^{20+10+6+3} × 2^1 × 2^5 = 2^45 memory accesses respectively.

Since N = 2^32, for a guessed value of the 40 subkey bits, if the event XR^6_0 ⊕ XR^16_9 = 0 happens exactly 2^31 times (i.e., the correlation of the linear equation XR^6_0 ⊕ XR^16_9 = 0 is exactly 0), then we take this guessed subkey as a correct subkey candidate. According to [21] and the Wrong-Key Randomization Hypothesis given in [22], for a wrong subkey candidate, the probability that the correlation of XR^6_0 ⊕ XR^16_9 = 0 is exactly 0 can be estimated as $\sqrt{2^{4-32}}/\sqrt{2\pi} \approx 2^{-15.33}$. Thus the 40-bit subkey space is reduced by a factor of about 2^15.33. Therefore, the time complexity of step 8 is not the main part of the total time complexity, and the time complexity of the attack is 2^55 memory accesses. Similarly, for the other versions of SIMON, the time complexity of the last step is also not the main part of the total time complexity, and we omit it.

For the other versions of SIMON, the procedure of zero-correlation linear cryptanalysis is similar, and since both the input and the output mask of the zero-correlation linear distinguisher have only one nonzero bit, we just list the active bits of every round for the different block sizes 2n in Table 4. Here, we denote the nonzero bit position of the input mask by i, the first round of the distinguisher by r, and the k-th round backwards from the distinguisher by r − k, where k = 1, 2, 3, ....

As shown in Table 4, from round r to round r − 8, the numbers of active bits (left half, right half) in the backward rounds of the zero-correlation linear distinguisher follow the sequence (0, 1) → (1, 0) → (3, 1) → (6, 3) → (10, 6) → (15, 10) → (21, 15) → (28, 21) → (42, 28).

From round r + 1 to round r + 7, the active bits in the forward rounds of the zero-correlation linear distinguisher are similar, with the count sequence (0, 1) → (1, 3) → (3, 6) → (6, 10) → (10, 15) → (15, 21) → (21, 28).

When n = 24, the number of active bits of the right mask in round r − 6 changes from 15 to 14, and when n = 32, the number of active bits of the right mask in round r − 7 changes from 21 to 20, because some positions coincide modulo n.
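Steps 4 to 7 above (the x^3 → x^4 → x^5 part of the divide-and-conquer) as an added example, editor-supplied rather than code from the paper: counters indexed by the active bits are pushed one round at a time under the guessed bits of k^3 and k^4, and the final sum over x^5 = x^16 is compared with a direct evaluation of the same samples with the full round function. The sample is a constructed random set of round-3 states paired with a random ciphertext-side bit x^16 (the real attack derives both from the 2^32 plaintext-ciphertext pairs and the 20 + 10 + 6 bits guessed in the earlier steps); the point is that the merged counters give exactly the count that the per-pair computation gives, for every key guess, while touching only 2^10, 2^5 and 2^2 counters.

```python
# Counter merging of steps 4-7 in Subsection 3.2.1 (rounds 3 -> 4 -> 5 of the
# 19-round SIMON32/64 attack). Added example; not code from the paper.
import random

N_HALF = 16                     # SIMON32 word size
MASK = (1 << N_HALF) - 1

def rotl(x, r):
    return ((x << r) | (x >> (N_HALF - r))) & MASK

def G(x):
    """Left-branch map of one round: F(x) ^ (x <<< 2), F(x) = (x <<< 8) & (x <<< 1)."""
    return (rotl(x, 8) & rotl(x, 1)) ^ rotl(x, 2)

def bit(x, j):
    return (x >> (j % N_HALF)) & 1

# Active bits of steps 4-6 (positions as listed in the text).
X3 = ([14, 13, 12, 7, 6, 0], [15, 14, 8])   # x^3 = XL^3 bits || XR^3 bits  (9 bits)
X4 = ([15, 14, 8], [0])                      # x^4 = XL^4 bits || XR^4 bits  (4 bits)
X5 = ([0], [])                               # x^5 = XL^5_0 = XR^6_0        (1 bit)
K3 = [15, 14, 8]                             # guessed bits of k^3 (step 5)
K4 = [0]                                     # guessed bit of k^4 (step 6)

def pack(left, right, layout):
    """Counter index of a state from its active bits (dicts position -> bit)."""
    v = 0
    for j in layout[0]:
        v = (v << 1) | left[j]
    for j in layout[1]:
        v = (v << 1) | right[j]
    return v

def unpack(v, layout):
    left, right = {}, {}
    for j in reversed(layout[1]):
        right[j], v = v & 1, v >> 1
    for j in reversed(layout[0]):
        left[j], v = v & 1, v >> 1
    return left, right

def partial_round(left, right, key, layout_out):
    """One round restricted to the active bits:
    XL'_j = XR_j ^ (XL_{j-1} & XL_{j-8}) ^ XL_{j-2} ^ K_j and XR'_j = XL_j."""
    nl = {j: right[j] ^ (left[(j - 1) % N_HALF] & left[(j - 8) % N_HALF])
             ^ left[(j - 2) % N_HALF] ^ key[j] for j in layout_out[0]}
    nr = {j: left[j] for j in layout_out[1]}
    return nl, nr

def merge(counters, layout_in, layout_out, key_positions, key_guess):
    """One divide-and-conquer step: push N^r[x^r || x^16] one round forward under
    the guessed subkey bits and accumulate into N^{r+1}[x^{r+1} || x^16]."""
    key = {j: (key_guess >> idx) & 1 for idx, j in enumerate(key_positions)}
    out = [0] * (1 << (len(layout_out[0]) + len(layout_out[1]) + 1))
    for idx, cnt in enumerate(counters):
        if cnt:
            left, right = unpack(idx >> 1, layout_in)
            nl, nr = partial_round(left, right, key, layout_out)
            out[(pack(nl, nr, layout_out) << 1) | (idx & 1)] += cnt
    return out

def counter_count(samples, k3_guess, k4_guess):
    """Steps 4-7 on counters: number of samples with XR^6_0 ^ x^16 == 0."""
    n3 = [0] * (1 << 10)                      # 2^9 states of x^3 times 2 values of x^16
    for xl3, xr3, x16 in samples:
        left = {j: bit(xl3, j) for j in X3[0]}
        right = {j: bit(xr3, j) for j in X3[1]}
        n3[(pack(left, right, X3) << 1) | x16] += 1
    n4 = merge(n3, X3, X4, K3, k3_guess)      # 2^5 counters
    n5 = merge(n4, X4, X5, K4, k4_guess)      # 2^2 counters
    return n5[0b00] + n5[0b11]                # sum over x^5 == x^16

def direct_count(samples, k3_guess, k4_guess):
    """The same quantity computed pair by pair with the full round function."""
    k3 = sum(((k3_guess >> idx) & 1) << j for idx, j in enumerate(K3))
    k4 = sum(((k4_guess >> idx) & 1) << j for idx, j in enumerate(K4))
    total = 0
    for xl3, xr3, x16 in samples:
        xl4, xr4 = xr3 ^ G(xl3) ^ k3, xl3     # round 3
        xl5 = xr4 ^ G(xl4) ^ k4               # round 4; XL^5_0 = XR^6_0
        total += (bit(xl5, 0) ^ x16) == 0
    return total

def make_samples(count=4000, seed=7):
    """Constructed sample: random round-3 states and a random ciphertext-side bit x^16."""
    rng = random.Random(seed)
    return [(rng.getrandbits(16), rng.getrandbits(16), rng.getrandbits(1)) for _ in range(count)]

if __name__ == "__main__":
    s = make_samples()
    assert all(counter_count(s, k3, k4) == direct_count(s, k3, k4)
               for k3 in range(8) for k4 in range(2))
    print("counter merging agrees with direct evaluation for all 16 key guesses")
```

In the real attack the 2^10 counters of step 4 are themselves produced by merging the 2^17 counters of step 3, and so on up from the 2^25 counters of step 2, which is why each step costs (counters in) × (guesses so far) memory accesses rather than N × 2^40.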

Table 4. Active Bits in Backwards Rounds of Zero-Correlation Linear Distinguisher

Active bit positions are given as offsets i-d, to be reduced modulo n. The right mask of round r-k is the left mask of round r-k+1.

Round r
  Left (0): none
  Right (1): i
Round r-1
  Left (1): i
  Right (0): none
Round r-2
  Left (3): i-1, i-2, i-8
  Right (1): i
Round r-3
  Left (6): i-2, i-3, i-4, i-9, i-10, i-16
  Right (3): i-1, i-2, i-8
Round r-4
  Left (10): i-3, i-4, i-5, i-6, i-10, i-11, i-12, i-17, i-18, i-24
  Right (6): i-2, i-3, i-4, i-9, i-10, i-16
Round r-5
  Left (15): i-4, i-5, i-6, i-7, i-8, i-11, i-12, i-13, i-14, i-18, i-19, i-20, i-25, i-26, i-32
  Right (10): i-3, i-4, i-5, i-6, i-10, i-11, i-12, i-17, i-18, i-24
Round r-6
  Left (21): i-5, i-6, i-7, i-8, i-9, i-10, i-12, i-13, i-14, i-15, i-16, i-19, i-20, i-21, i-22, i-26, i-27, i-28, i-33, i-34, i-40
  Right (15): i-4, i-5, i-6, i-7, i-8, i-11, i-12, i-13, i-14, i-18, i-19, i-20, i-25, i-26, i-32
Round r-7
  Left (28): i-6, i-7, i-8, i-9, i-10, i-11, i-12, i-13, i-14, i-15, i-16, i-17, i-18, i-20, i-21, i-22, i-23, i-24, i-27, i-28, i-29, i-30, i-34, i-35, i-36, i-41, i-42, i-48
  Right (21): i-5, i-6, i-7, i-8, i-9, i-10, i-12, i-13, i-14, i-15, i-16, i-19, i-20, i-21, i-22, i-26, i-27, i-28, i-33, i-34, i-40
Round r-8
  Left (42): i-8, i-9, i-10, i-11, i-12, i-13, i-14, i-15, i-16, i-17, i-18, i-19, i-20, i-21, i-22, i-23, i-24, i-25, i-26, i-27, i-28, i-29, i-30, i-31, i-32, i-33, i-34, i-36, i-37, i-38, i-39, i-40, i-43, i-44, i-45, i-46, i-50, i-51, i-52, i-57, i-58, i-64
  Right (28): i-6, i-7, i-8, i-9, i-10, i-11, i-12, i-13, i-14, i-15, i-16, i-17, i-18, i-20, i-21, i-22, i-23, i-24, i-27, i-28, i-29, i-30, i-34, i-35, i-36, i-41, i-42, i-48
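The rule behind Table 4, as an added example (editor-supplied code, not the paper's): a left-half bit j of round r−k+1 equals XR^{r−k}_j ⊕ (XL^{r−k}_{j−1} ⊙ XL^{r−k}_{j−8}) ⊕ XL^{r−k}_{j−2} ⊕ K_j, so the table lists, as the left mask of round r−k, the positions j−1, j−8 and j−2 of every left-mask bit of round r−k+1, and as the right mask of round r−k the left mask of round r−k+1; the first backward step is the copy XR^r_i = XL^{r−1}_i. The code regenerates the printed positions and counts through round r−7 (and the right half of round r−8), the n = 24 and n = 32 count changes quoted above, and the bit sets of Subsection 3.2.1 for n = 16, including the subkey bits guessed in each of the first rounds. One thing it makes visible: applied to the printed r−7 row, the same rule gives 35 left-mask positions at round r−8 starting at i−7, not the 42 starting at i−8 printed in the table, so the r−8 left-mask entry should be re-derived before it is used.

```python
# Active-bit bookkeeping behind Table 4 and the bit sets of Subsection 3.2.1.
# Added example; not code from the paper.
def feeding_bits(left_bits, n):
    """Left-half positions of round r-k that feed the given left-half bits of
    round r-k+1: bit j there is XR^{r-k}_j ^ (XL^{r-k}_{j-1} & XL^{r-k}_{j-8})
    ^ XL^{r-k}_{j-2} ^ K_j, so it needs positions j-1, j-8 and j-2 (mod n)."""
    return {(j - d) % n for j in left_bits for d in (1, 2, 8)}

def active_bits(n, i=0, rounds=8):
    """[(left, right)] for rounds r, r-1, ..., r-rounds following Table 4's rule:
    right(r-k) = left(r-k+1) (a right-half bit enters the next left half linearly),
    left(r-k) = feeding_bits(left(r-k+1)), seeded with left(r-1) = {i} because
    XR^r_i is a copy of XL^{r-1}_i."""
    i %= n
    rows = [(set(), {i}), ({i}, set())]
    for _ in range(rounds - 1):
        left, _right = rows[-1]
        rows.append((feeding_bits(left, n), set(left)))
    return rows

def active_counts(n, i=0, rounds=8):
    """The (left, right) count sequence quoted in Subsection 3.2.2."""
    return [(len(l), len(r)) for l, r in active_bits(n, i, rounds)]

def as_offsets(bits, i, n):
    """Render a bit set the way Table 4 does, as offsets i-d, smallest d first."""
    return ["i-%d" % ((i - j) % n) for j in sorted(bits, key=lambda j: (i - j) % n)]

def subkey_bits_to_guess(n, i=0, rounds=5):
    """Subkey bits guessed when encrypting from round r-rounds up to the distinguisher,
    listed for rounds r-rounds, ..., r-1: the subkey of round r-k is needed exactly
    at the left-half positions of round r-k+1."""
    rows = active_bits(n, i, rounds)
    return [sorted(rows[k - 1][0], reverse=True) for k in range(rounds, 0, -1)]

if __name__ == "__main__":
    print(active_counts(128))
    for k, (left, right) in enumerate(active_bits(128)):
        print("r-%d" % k, as_offsets(left, 0, 128), as_offsets(right, 0, 128))
    print("SIMON32, rounds 1..5 of the 19-round attack:", subkey_bits_to_guess(16))
```

For n = 16 and i = 0 the rows reproduce x^1 … x^5 of Subsection 3.2.1 exactly (e.g. round r−4 gives XL bits {15,14,13,12,11,10,8,6,5,4} and XR bits {14,13,12,7,6,0}), and the guessed subkey bits come out as k^1 (10 bits), k^2 (6), k^3 (3), k^4 (1), k^5 (0), i.e. the 20 bits of the first five rounds.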

In the zero-correlation linear attacks, the data complexity is always N = 2^b.

For SIMON48/72, we add five rounds before the distinguisher and four rounds after it. For the 2^48 plaintext-ciphertext pairs, we guess the first 10 subkey bits to obtain the middle state and set the counters. Then we update the counters by guessing subkeys for decryption and encryption successively. The steps and the corresponding time complexities are shown in Table 5. It is obvious that the memory complexity of the attack is 2^40 bytes, and the time complexity of the attack is 2^60 memory accesses.

For the other versions of SIMON, we present the main attack process in Table 6. For SIMON2n/k, we add RF rounds before the RD-round distinguisher and RB rounds after it. For N plaintext-ciphertext pairs, we guess the first Keybits_first bits and the last Keybits_last bits to obtain the middle state "Active"bits_state and set the counters. In the table, MA means memory accesses.

4 Multidimensional Zero-Correlation Cryptanalysis and Improved Linear Cryptanalysis

In this section, we use multidimensional zero-correlation cryptanalysis to reduce the data complexity of zero-correlation cryptanalysis. Also, we use the divide-and-conquer technique to improve the results of the linear cryptanalysis in [11].

4.1 Multidimensional Zero-Correlation Cryptanalysis of SIMON

In the multidimensional zero-correlation linear attack, as described in Subsection 2.4, according to (1) and (2), if we set α = 0.35, β = 0.4 and m = 2, then z_{1−α} = 0.3853, z_{1−β} = 0.2533, l = 2^2 − 1 = 3, and we obtain N ≈ 2^{b−0.6}, where m = 2 is derived from the fact that there are at least two zero-correlation linear approximations for all versions of SIMON. Thus the success probability is P_s = 65%.

For SIMON32/64, the procedure of the multidimensional zero-correlation linear attack is similar to that in Subsection 3.2 except for the method of determining the guessed subkeys, which is updated as follows:
• Compute the statistic value T. If T < τ, where τ is the threshold of multidimensional zero-correlation linear cryptanalysis, then the corresponding guessed key is a possible candidate.

In the procedure of the attack, we use two zero-correlation linear approximations of SIMON32, namely (0x0000||0x0001) → (0x0000||0x0001 ≪ k) for k ∈ {7, 9}. In this case, we add three rounds after the distinguisher instead of four, since the subkeys guessed in the last three rounds are 2 + 6 + 10 = 18 bits. Similar to Subsection 3.2, the memory complexity of the attack is still 2^25 bytes, while the time complexity of the attack becomes 2^53 memory accesses.

For the other versions of SIMON, we also choose two zero-correlation linear approximations whose nonzero output-mask bits are at the nearest positions. For SIMON48, the subkeys guessed in the following rounds of
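Equations (1) and (2) and the decision rule of this subsection in runnable form, as an added example (editor-supplied, not code from the paper): z_p from the normal quantile, the data complexity N of (2), the statistic T of (1) over the 2^m counters, and the right-key side τ = µ0 + σ0 z_{1−α} of the threshold of Subsection 2.4. With b = 32, m = 2, α = 0.35, β = 0.4 it reproduces z_{1−α} = 0.3853, z_{1−β} = 0.2533 and N ≈ 2^{b−0.6}. The counter values fed to the decision rule are constructed, not measured.

```python
# Equations (1) and (2) of Subsection 2.4 and the numbers of Subsection 4.1.
# Added example; not code from the paper.
from math import log2, sqrt
from statistics import NormalDist

def z(p):
    """z_p = Phi^{-1}(p): quantile of the standard normal distribution."""
    return NormalDist().inv_cdf(p)

def log2_data_complexity(b, m, alpha, beta):
    """log2 N from (2): N = 2^b (z_{1-alpha} + z_{1-beta}) / (sqrt(l/2) - z_{1-beta}),
    with l = 2^m - 1 zero-correlation approximations spanned by the m base ones
    and b the block size."""
    l = 2 ** m - 1
    return b + log2((z(1 - alpha) + z(1 - beta)) / (sqrt(l / 2) - z(1 - beta)))

def statistic_T(counters, N):
    """(1): T = sum_i (T_i - N 2^-m)^2 / (N 2^-m (1 - 2^-m)) over the 2^m counters."""
    m = len(counters).bit_length() - 1
    if len(counters) != 1 << m or sum(counters) != N:
        raise ValueError("need 2^m counters that add up to N")
    e = N * 2.0 ** -m
    return sum((t - e) ** 2 for t in counters) / (e * (1 - 2.0 ** -m))

def threshold(b, N, m, alpha):
    """tau = mu0 + sigma0 z_{1-alpha}, the right-key side of the decision threshold,
    with mu0 = l (2^b - N)/(2^b - 1) and sigma0^2 = 2 l ((2^b - N)/(2^b - 1))^2."""
    l = 2 ** m - 1
    ratio = (2 ** b - N) / (2 ** b - 1)
    return l * ratio + sqrt(2 * l) * ratio * z(1 - alpha)

def is_candidate(counters, b, m=2, alpha=0.35):
    """Decision rule of Subsection 4.1: keep the key guess iff T < tau."""
    N = sum(counters)
    return statistic_T(counters, N) < threshold(b, N, m, alpha)

def simon32_parameters(b=32, m=2, alpha=0.35, beta=0.4):
    """The quantities quoted in Subsection 4.1."""
    return {"z_1-alpha": z(1 - alpha), "z_1-beta": z(1 - beta),
            "log2_N": log2_data_complexity(b, m, alpha, beta), "success": 1 - alpha}

if __name__ == "__main__":
    print(simon32_parameters())
    flat = [2 ** 29] * 4                                   # constructed: N = 2^31 pairs, m = 2
    skewed = [2 ** 29 + 40000, 2 ** 29 - 40000, 2 ** 29 + 40000, 2 ** 29 - 40000]
    print("flat counters kept:", is_candidate(flat, 32), "skewed counters kept:", is_candidate(skewed, 32))
```

With N = 2^31 the threshold is about 1.97, so perfectly balanced counters (T = 0) survive while counters skewed by 40000, which is well beyond the sqrt(N·2^−m) ≈ 2^14.5 deviation expected for a wrong key, give T ≈ 15.9 and are rejected.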

Table 5. Steps of Zero-Correlation Linear Attack on 20-Round SIMON48/72

Step   Data Complexity   #"Active"bits_state       # Guessed Bits   Time Complexity
1      N = 2^48          –                         10               2^48 × 2^10 = 2^58
2      –                 10 + 6 + 10 + 14 = 40     10               2^40 × 2^{10+10} = 2^60
3      –                 10 + 6 + 6 + 10 = 32      6                2^32 × 2^{20+6} = 2^58
4      –                 10 + 6 + 3 + 6 = 25       3                2^25 × 2^{26+3} = 2^54
5      –                 10 + 6 + 1 + 3 = 20       1                2^20 × 2^{29+1} = 2^50
6      –                 10 + 6 + 1 = 17           6                2^17 × 2^{30+6} = 2^53
7      –                 6 + 3 + 1 = 10            3                2^10 × 2^{36+3} = 2^49
8      –                 3 + 1 + 1 = 5             1                2^5 × 2^{39+1} = 2^45
Note: # denotes "number of".

Table 6. Summary of Zero-Correlation Linear Attack for Other Versions of SIMON

Cipher         RD   RF   RB   # Keybits_first   # Keybits_last   #"Active"bits_state         Time Complexity
SIMON48/96     11   6    5    14                14 + 10          14 + 10 + 6 + 10 = 40       2^86 MA
SIMON64/96     12   6    5    15                15               15 + 10 + 10 + 15 = 50      2^94 MA
SIMON64/128    12   7    6    20                20 + 15          20 + 15 + 10 + 15 = 60      2^126 MA
SIMON96/144    15   7    6    21                21               21 + 15 + 15 + 21 = 72      2^138 MA
SIMON128/192   18   8    7    28                28               28 + 21 + 21 + 28 = 98      2^185 MA
SIMON128/256   18   9    7    42 + 28           28               28 + 21 + 21 + 28 = 98      2^227 MA
Note: we update the counters by guessing subkeys for decryption and encryption successively. # denotes "number of".

the distinguisher are 2, 5, 9, 14, 20, 27 bits respectively, which are also the numbers of active bits of the right half in these rounds. For the other larger versions, the subkeys guessed in the rounds following the distinguisher are 2, 6, 10, 17, 24, 31 bits respectively, except that when n = 64 they are 2, 6, 11, 17, 24, 31 bits. We present the main attack process in Table 7, whose column headings have the same meaning as in Table 6.

4.2 Improvement of Linear Cryptanalysis

In this subsection, we use the divide-and-conquer technique to improve the results of the linear cryptanalysis in [11]. With the same linear distinguisher as [11], we can attack more rounds by carefully guessing the subkeys of the outer rounds. Meanwhile, we choose the same data complexity as in [11], thus the success probability is still 0.997.

The procedure of the linear attack is similar to that in Subsection 3.2 except for the method of determining the guessed subkeys, which is updated as follows:
• Compute the statistic value T. If T > τ′, where τ′ is the threshold of linear cryptanalysis, then the corresponding guessed key is a possible candidate.

We summarize the results of the linear attacks for all versions of SIMON in Table 8, whose column headings have the same meaning as those of Table 6.

5 Conclusions

In this paper, we first constructed zero-correlation linear distinguishers of SIMON using the miss-in-the-middle approach. Based on these distinguishers, zero-correlation linear attacks were presented for various versions of SIMON by a careful analysis of the key recovery phase. Multidimensional zero-correlation linear attacks were also used to reduce the data complexity. Furthermore, the divide-and-conquer technique was used to improve the results of the linear cryptanalysis in [11]. We summarize the cryptanalytic results of this paper and compare them with others in Table 9. Recently, [14], accepted by INDOCRYPT 2014, gave some new results on SIMON32 and SIMON48. Although [14] can reach more rounds for SIMON32, our attacks use less memory, and the memory requirements of all our attacks are below the whole codebook. For SIMON48/96, we can attack one more round than [14].

Note that during the linear attacks, one only needs to know the value corresponding to the nonzero mask of the distinguisher. This reduces the number of subkey bits guessed in the outer rounds. Also during

Table 7. Summary of Multidimensional Zero-Correlation Linear Attack for Other Versions of SIMON

Cipher         RD  RF  RB  # Keybits_first  # Keybits_last  # "Active" bits of state  Time Complexity
SIMON48/72     10  5   4   10               14              10 + 6 + 9 + 14 = 39      2^70.2 MA
SIMON48/96     10  6   4   14 + 10          14              10 + 6 + 9 + 14 = 39      2^84.2 MA
SIMON64/96     12  6   4   15               17              15 + 10 + 10 + 17 = 52    2^94.2 MA
SIMON64/128    12  7   4   20 + 15          17              15 + 10 + 10 + 17 = 52    2^114.2 MA
SIMON96/144    15  7   5   21               24              21 + 15 + 17 + 24 = 77    2^139.2 MA
SIMON128/192   18  8   5   28               24              28 + 21 + 17 + 24 = 90    2^178.2 MA
SIMON128/256   18  9   6   42 + 28          31              28 + 21 + 24 + 31 = 104   2^235 MA
Note: we update the counters by guessing subkeys for encryption and decryption successively, except for SIMON128/256. # denotes number of.

Table 8. Summary of Linear Attack for All Versions of SIMON

Cipher         RD  RF  RB  # Keybits_first  # Keybits_last  # "Active" bits of state  Time Complexity
SIMON32/64     10  2   3   9 + 3            14              3 + 1 + 9 + 14 = 27       2^62 MA
SIMON48/72     13  2   3   12               11              12 + 4 + 5 + 11 = 32      2^66 MA
SIMON48/96     13  2   4   12               18              12 + 4 + 11 + 18 = 45     2^79 MA
SIMON64/96     17  2   4   12               22              15 + 10 + 10 + 17 = 52    2^95 MA
SIMON64/128    17  3   4   21 + 12          22              12 + 4 + 14 + 22 = 52     2^116 MA
SIMON96/144    26  4   4   23               23              23 + 16 + 14 + 23 = 76    2^141 MA
SIMON128/192   33  3   5   21               34              21 + 12 + 25 + 34 = 92    2^178 MA
SIMON128/256   33  4   6   30               42              30 + 21 + 34 + 42 = 127   2^232 MA
Note: we update the counters by guessing subkeys for encryption and decryption successively. # denotes number of.

Table 9. Summary of Attack Results on SIMON

Cipher (Full Rounds)   Cryptanalysis            Attacked Rounds  Data Complexity  Memory (Bytes)  Time Complexity  Source
SIMON32/64 (32)        Differential             18               2^31.2 CP        2^15            2^46             [12]
                       Impossible-Diff          13               2^30 CP          2^20            2^50.1           [9]
                       Zero-Correlation         20               2^32 KP          2^41.42         2^56.96          [14]
                       Zero-Correlation         19               2^32 KP          2^25            2^55 MA          Subsection 3.2
                       Multi-Zero-Correlation   18               2^31.4 KP        2^25            2^53 MA          Subsection 4.1
                       Linear                   12               2^31 KP          2^31            2^37             [11]
                       Linear                   15               2^31 KP          2^27            2^62 MA          Subsection 4.2
                       Integral                 21               2^31 CP          2^54            2^63             [14]
SIMON48/72 (36)        Differential             19               2^46 CP          2^20            2^52             [12]
                       Zero-Correlation         20               2^48 KP          2^43            2^59.7           [14]
                       Zero-Correlation         20               2^48 KP          2^40            2^60 MA          Subsection 3.2
                       Multi-Zero-Correlation   19               2^47.4 KP        2^39            2^70.2 MA        Subsection 4.1
                       Linear                   18               2^43 KP          2^32            2^66 MA          Subsection 4.2
SIMON48/96 (36)        Differential             19               2^46 CP          2^20            2^76             [12]
                       Impossible-Diff          15               2^38 CP          2^20.6          2^53             [9]
                       Zero-Correlation         21               2^48 KP          2^46.73         2^72.63          [14]
                       Zero-Correlation         22               2^48 KP          2^40            2^86 MA          Subsection 3.2
                       Multi-Zero-Correlation   20               2^47.4 KP        2^39            2^84.2 MA        Subsection 4.1
                       Linear                   15               2^43 KP          2^43            2^48             [11]
                       Linear                   19               2^43 KP          2^45            2^79 MA          Subsection 4.2
SIMON64/96 (42)        Differential             26               2^63 CP          2^31            2^63.9           [12]
                       Zero-Correlation         23               2^64 KP          2^50            2^94 MA          Subsection 3.2
                       Multi-Zero-Correlation   22               2^63.4 KP        2^52            2^94.2 MA        Subsection 4.1
                       Linear                   23               2^61 KP          2^52            2^95 MA          Subsection 4.2
SIMON64/128 (44)       Differential             26               2^63 CP          2^31            2^94             [12]
                       Impossible-Diff          17               2^52 CP          2^21            2^71             [9]
                       Zero-Correlation         25               2^64 KP          2^60            2^126 MA         Subsection 3.2
                       Multi-Zero-Correlation   23               2^63.4 KP        2^52            2^114.2 MA       Subsection 4.1
                       Linear                   19               2^61 KP          2^61            2^66             [11]
                       Linear                   24               2^61 KP          2^52            2^116 MA         Subsection 4.2
SIMON96/96 (52)        Differential             35               2^93.2 CP        2^37.8          2^93.3           [12]
SIMON96/144 (54)       Differential             35               2^93.2 CP        2^37.8          2^101.1          [12]
                       Impossible-Diff          20               2^84 CP          2^19.6          2^111            [9]
                       Zero-Correlation         28               2^96 KP          2^72            2^138 MA         Subsection 3.2
                       Multi-Zero-Correlation   27               2^95.4 KP        2^77            2^139.2 MA       Subsection 4.1
                       Linear                   28               2^95 KP          2^95            2^100            [11]
                       Linear                   34               2^95 KP          2^76            2^141 MA         Subsection 4.2
SIMON128/128 (68)      Differential             46               2^125.6 CP       2^40.6          2^125.7          [12]
SIMON128/192 (69)      Differential             33               2^125.6 CP       2^40.6          2^142            [12]
                       Zero-Correlation         33               2^128 KP         2^98            2^185 MA         Subsection 3.2
                       Multi-Zero-Correlation   31               2^127.4 KP       2^90            2^178.2 MA       Subsection 4.1
                       Linear                   41               2^123 KP         2^92            2^178 MA         Subsection 4.2
SIMON128/256 (72)      Differential             34               2^125.6 CP       2^40.6          2^206            [12]
                       Impossible-Diff          25               2^119 CP         2^23            2^195            [9]
                       Zero-Correlation         34               2^128 KP         2^98            2^227 MA         Subsection 3.2
                       Multi-Zero-Correlation   33               2^127.4 KP       2^104           2^235 MA         Subsection 4.1
                       Linear                   35               2^123 KP         2^123           2^128            [11]
                       Linear                   43               2^123 KP         2^127           2^232 MA         Subsection 4.2
Note: CP: chosen plaintexts, KP: known plaintexts, Multi-Zero-Correlation: multidimensional zero-correlation, MA: memory accesses.

the guessing subkeys phase, one does not delete any plaintext, because the values of the subkeys only affect the distribution of the linear approximation. This is a great advantage when the key space is larger than the plaintext space, as for most versions of SIMON. For differential cryptanalysis, by contrast, one must always make sure there are enough right pairs going into the distinguisher. As we know, there are always filters in the outer rounds of differential distinguishers, which leave fewer right pairs than the pairs chosen in the data collection phase. This is the main reason why our zero-correlation linear cryptanalysis can attack more rounds than impossible differential cryptanalysis.

References

[1] Bogdanov A, Knudsen L, Leander G et al. PRESENT: An ultra-lightweight block cipher. In Proc. the 9th International Workshop on Cryptographic Hardware and Embedded Systems, September 2007, pp.450-466.
[2] Wu W, Zhang L. LBlock: A lightweight block cipher. In Proc. the 9th International Conference on Applied Cryptography and Network Security, June 2011, pp.327-344.
[3] Gong Z, Nikova S, Law Y. KLEIN: A new family of lightweight block ciphers. In Proc. the 7th International Workshop on RFID Security and Privacy (RFIDSec), June 2011, pp.1-18.
[4] Shibutani K, Isobe T, Hiwatari H et al. Piccolo: An ultra-lightweight blockcipher. In Proc. the 13th International Workshop on Cryptographic Hardware and Embedded Systems, September 28-October 1, 2011, pp.342-357.
[5] Guo J, Peyrin T, Poschmann A et al. The LED block cipher. In Proc. the 13th International Workshop on Cryptographic Hardware and Embedded Systems, September 28-October 1, 2011, pp.326-341.
[6] Borghoff J, Canteaut A, Güneysu T et al. PRINCE — A low-latency block cipher for pervasive computing applications. In Proc. the 18th International Conference on the Theory and Application of Cryptology and Information Security, December 2012, pp.208-225.
[7] Beaulieu R, Shors D, Smith J et al. The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive: Report 404, 2013. http://eprint.iacr.org/2013/404, April 2015.
[8] Abed F, List E, Lucks S et al. Differential and linear cryptanalysis of reduced-round SIMON. Cryptology ePrint Archive: Report 526, 2013. http://eprint.iacr.org/2013/526.pdf, April 2015.
[9] Alkhzaimi H, Lauridsen M. Cryptanalysis of the SIMON family of block ciphers. Cryptology ePrint Archive: Report 543, 2013. http://eprint.iacr.org/2013/543.pdf, April 2015.
[10] Abed F, List E, Lucks S et al. Cryptanalysis of the SPECK family of block ciphers. Cryptology ePrint Archive: Report 568, 2013. http://eprint.iacr.org/2013/568, April 2015.
[11] Alizadeh J, Bagheri N, Gauravaram P et al. Linear cryptanalysis of round reduced variants of SIMON. Cryptology ePrint Archive: Report 663, 2013. http://eprint.iacr.org/2013/663.pdf, April 2015.
[12] Abed F, List E, Lucks S et al. Differential cryptanalysis of reduced-round SIMON and SPECK. In Proc. the 21st International Workshop on Fast Software Encryption, March 2014, pp.525-545.
[13] Biryukov A, Roy A, Velichkov V. Differential analysis of block ciphers SIMON and SPECK. In Proc. the 21st International Workshop on Fast Software Encryption, March 2014, pp.546-570.
[14] Wang, Liu Z, Varıcı K et al. Cryptanalysis of reduced-round SIMON32 and SIMON48. Cryptology ePrint Archive: Report 761, 2014. http://eprint.iacr.org/2014/761.pdf, April 2015.
[15] Bogdanov A, Rijmen V. Linear hulls with correlation zero and linear cryptanalysis of block ciphers. Cryptology ePrint Archive: Report 123, 2011. http://eprint.iacr.org/2011/123, March 2011.
[16] Bogdanov A, Wang M. Zero correlation linear cryptanalysis with reduced data complexity. In Proc. the 19th International Workshop on Fast Software Encryption, March 2012, pp.29-48.
[17] Bogdanov A, Leander G, Nyberg K et al. Integral and multidimensional linear distinguishers with correlation zero. In Proc. the 18th International Conference on the Theory and Application of Cryptology and Information Security, December 2012, pp.244-261.
[18] Soleimany H, Nyberg K. Zero-correlation linear cryptanalysis of reduced-round LBlock. Designs, Codes and Cryptography, 2014, 73(2): 683-698.
[19] Biham E. On Matsui's linear cryptanalysis. In Proc. the Workshop on the Theory and Application of Cryptographic Techniques, May 1994, pp.341-355.
[20] Matsui M. Linear cryptoanalysis method for DES cipher. In Proc. the Workshop on the Theory and Application of Cryptographic Techniques, May 1993, pp.386-397.
[21] Bogdanov A, Rijmen V. Linear hulls with correlation zero and linear cryptanalysis of block ciphers. Designs, Codes and Cryptography, 2014, 70(3): 369-383.
[22] Harpes C, Kramer G G, Massey J L. A generalization of linear cryptanalysis and the applicability of Matsui's piling-up lemma. In Proc. the 14th Advances in Cryptology-Eurocrypt, May 1995, pp.24-38.

Xiao-Li Yu received her Ph.D. degree in information security from the Institute of Software (IOS), Chinese Academy of Sciences (CAS), Beijing, in 2015. Her research interests include the design and cryptanalysis of block ciphers.

Wen-Ling Wu is a researcher and a Ph.D. supervisor in the Institute of Software, Chinese Academy of Sciences, Beijing. She is also a senior member of CCF. Her research interests include the design and cryptanalysis of block ciphers and hash functions, and cryptography.

Zhen-Qing Shi is a Ph.D. candidate in the Institute of Software, Chinese Academy of Sciences. His interests include the cryptanalysis of stream ciphers and functions based on ARX operations.

Jian Zhang is a Ph.D. candidate in the Institute of Software, Chinese Academy of Sciences. His research interests mainly include the cryptanalysis of block ciphers and authenticated encryption ciphers.

Yan-Feng Wang is a Ph.D. candidate in the Institute of Software, Chinese Academy of Sciences. Her research interests are the cryptanalysis and design of block ciphers.

Lei Zhang received her Ph.D. degree in information security from the Institute of Software, CAS. She is an associate researcher in the Institute of Software, CAS. Her research interests include the design and cryptanalysis of block ciphers.

Appendix Linear Mask Propagations of SIMON

The linear mask propagations of all versions of SIMON are given in Table A1.

Table A1. Linear Mask Propagations over the Rounds of SIMON

R   Left Branch                                                        Right Branch

32-bit block size
0   0000000000000000   0000000000000001
1   0000000000000001   *100000*00000000
2   *100000*00000000   0**10000**00000*
3   0**10000**00000*   *****10*0***0000
4   *****10*0***0000   0******1******0*
5   0******1******0*   ****************

48-bit block size
0   000000000000000000000000   000000000000000000000001
1   000000000000000000000001   *100000*0000000000000000
2   *100000*0000000000000000   0**10000**00000*00000001
3   0**10000**00000*00000001   *0***10*0***0000**00000*
4   *0***10*0***0000**00000*   **************0*0***0001
5   **************0*0***0001   **********************0*
6   **********************0*   ************************

64-bit block size
0   00000000000000000000000000000000   00000000000000000000000000000001
1   00000000000000000000000000000001   *100000*000000000000000000000000
2   *100000*000000000000000000000000   0**10000**00000*0000000000000001
3   0**10000**00000*0000000000000001   *0***10*0***0000**00000*00000000
4   *0***10*0***0000**00000*00000000   0******1******0*0***0000**00000*
5   0******1******0*0***0000**00000*   **********************0*0***0000
6   **********************0*0***0000   0*****************************0*
7   0*****************************0*   ********************************

96-bit block size
0   000000000000000000000000000000000000000000000000   000000000000000000000000000000000000000000000001
1   000000000000000000000000000000000000000000000001   *100000*0000000000000000000000000000000000000000
2   *100000*0000000000000000000000000000000000000000   0**10000**00000*00000000000000000000000000000001
3   0**10000**00000*00000000000000000000000000000001   *0***10*0***0000**00000*000000000000000000000000
4   *0***10*0***0000**00000*000000000000000000000000   0******1******0*0***0000**00000*0000000000000001
5   0******1******0*0***0000**00000*0000000000000001   *1********************0*0***0000**00000*00000000
6   *1********************0*0***0000**00000*00000000   0*****************************0*0***0000**00000*
7   0*****************************0*0***0000**00000*   **************************************0*0***0000
8   **************************************0*0***0000   0*********************************************0*
9   0*********************************************0*   ************************************************

128-bit block size
0   0000000000000000000000000000000000000000000000000000000000000000   0000000000000000000000000000000000000000000000000000000000000001
1   0000000000000000000000000000000000000000000000000000000000000001   *100000*00000000000000000000000000000000000000000000000000000000
2   *100000*00000000000000000000000000000000000000000000000000000000   0**10000**00000*000000000000000000000000000000000000000000000001
3   0**10000**00000*000000000000000000000000000000000000000000000001   *0***10*0***0000**00000*0000000000000000000000000000000000000000
4   *0***10*0***0000**00000*0000000000000000000000000000000000000000   0******1******0*0***0000**00000*00000000000000000000000000000001
5   0******1******0*0***0000**00000*00000000000000000000000000000001   *1********************0*0***0000**00000*000000000000000000000000
6   *1********************0*0***0000**00000*000000000000000000000000   0*****************************0*0***0000**00000*0000000000000001
7   0*****************************0*0***0000**00000*0000000000000001   *0************************************0*0***0000**00000*00000000
8   *0************************************0*0***0000**00000*00000000   0*********************************************0*0***0000**00000*
9   0*********************************************0*0***0000**00000*   ******************************************************0*0***0000
10  ******************************************************0*0***0000   0*************************************************************0*
11  0*************************************************************0*   ****************************************************************
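The rows of Table A1 follow from a simple rule for pushing a three-valued mask (0, 1, or unknown "*") through one SIMON round, and the script below reproduces them for any branch width n; it is an added example, not code from the paper. It assumes SIMON's round function f(x) = ((x <<< 1) & (x <<< 8)) ^ (x <<< 2) and the MSB-first mask notation of Table A1 (leftmost character is bit n-1), which are inferred from the table rather than stated on this page.

```python
"""Three-valued linear-mask propagation through the SIMON round function.

Added example, not code from the paper.  Assumptions (inferred from
Table A1): the round function is f(x) = ((x <<< 1) & (x <<< 8)) ^ (x <<< 2),
masks are written MSB-first (the leftmost character is bit n-1), '1' / '0'
mean a bit is certainly / certainly not in the mask, and '*' means unknown.
"""

ROT_AND = (1, 8)   # rotations feeding the AND (non-linear part of f)
ROT_LIN = 2        # rotation of the linear part of f


def _xor3(a, b):
    """XOR over {'0', '1', '*'}: an unknown bit absorbs everything."""
    if a == '*' or b == '*':
        return '*'
    return '1' if a != b else '0'


def f_input_masks(out_mask):
    """Mask on the input x of f that approximates output mask out_mask.
    Output bit j of f is x[j-1] & x[j-8] ^ x[j-2] (indices mod n).  A certain
    output bit adds x[j-2] with certainty, while the two AND operands may or
    may not appear ('*'); an uncertain output bit leaves all three unknown.
    """
    n = len(out_mask)
    bits = ['0'] * n
    for pos, ch in enumerate(out_mask):
        if ch == '0':
            continue
        j = n - 1 - pos                          # bit index of this column
        for r in ROT_AND:
            bits[n - 1 - (j - r) % n] = '*'
        lin = n - 1 - (j - ROT_LIN) % n
        bits[lin] = '*' if ch == '*' else _xor3(bits[lin], '1')
    return ''.join(bits)


def next_round(left, right):
    """One Feistel round of mask propagation: (a, b) -> (b, a ^ g(b))."""
    g = f_input_masks(right)
    return right, ''.join(_xor3(x, y) for x, y in zip(left, g))


def mask_trail(n, rounds):
    """Rows 0..rounds of Table A1 for block size 2n, starting from (0, 1)."""
    left, right = '0' * n, '0' * (n - 1) + '1'
    trail = [(left, right)]
    for _ in range(rounds):
        left, right = next_round(left, right)
        trail.append((left, right))
    return trail


if __name__ == "__main__":
    for r, (left, right) in enumerate(mask_trail(16, 5)):   # 32-bit block size
        print(r, left, right)
```

The round at which both branches become all "*" is where the mask carries no information, which is the depth at which the table stops for each block size.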