Hindawi Security and Communication Networks Volume 2018, Article ID 5160237, 11 pages https://doi.org/10.1155/2018/5160237

Research Article Improved Integral Attacks on SIMON32 and SIMON48 with Dynamic Key-Guessing Techniques

Zhihui Chu ,1,2 Huaifeng Chen ,1,2 Xiaoyun Wang ,1,2,3 Xiaoyang Dong ,3 and Lu Li 1,2

1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan 250100, China 2School of Mathematics, Shandong University, Jinan 250100, China 3Institute for Advanced Study, Tsinghua University, Beijing 100084, China

Correspondence should be addressed to Xiaoyun Wang; [email protected]

Received 17 July 2017; Accepted 3 January 2018; Published 19 February 2018

Academic Editor: Barbara Masucci

Copyright © 2018 Zhihui Chu et al. Tis is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Dynamic key-guessing techniques, which exploit the property of AND operation, could improve the diferential and linear cryptanalytic results by reducing the number of guessed subkey bits and lead to good cryptanalytic results for SIMON. Tey have only been applied in diferential and linear attacks as far as we know. In this paper, dynamic key-guessing techniques are frst introduced in integral cryptanalysis. According to the features of integral cryptanalysis, we extend dynamic key-guessing techniques and get better integral cryptanalysis results than before. As a result, we present integral attacks on 24-round SIMON32, 24-round SIMON48/72, and 25-round SIMON48/96. In terms of the number of attacked rounds, our attack on SIMON32 is better than any previously known attacks, and our attacks on SIMON48 are the same as the best attacks.

1. Introduction SIMON has been extensively scrutinized [3–25]. As an ultralightweight primitive, SIMON is a very good target for Te integral attack, proposed by Daemen et al. [1], is an integral cryptanalysis. In integral cryptanalysis, Wang et al. important cryptanalytic technique for symmetric-key primi- [21] experimentally found an integral distinguisher for 14 tives. Te integral distinguisher is based on the property that rounds of SIMON32 and mounted a key-recovery attack on when some parts of the input (constant bits) of distinguishers 21-round SIMON32. At EUROCRYPT 2015, Todo proposed are held constant whereas the other parts (active bits) vary the division property [17], which is a generalized integral through all possibilities, the sum of all the output values property. Tis new technique enables the cryptographers to equals zero at some particular locations (balanced bits). In propagate the integral property in a more precise manner. the key recovery, the sum is random if the guessed key As a result, an 11-round integral distinguisher of SIMON48 is incorrect, while the sum is zero if the guessed key is was found. Subsequently, using the bit-based division prop- correct. As a powerful class of cryptanalytic techniques, erty, Todo and Morii proved the 14-round distinguisher of integral cryptanalysis has been applied to many block ciphers, SIMON32 theoretically in [18]. However, searching integral especially the ones with low-degree round functions. characteristics by the bit-based division property requires SIMON is a family of ten lightweight block ciphers much time and memory complexity. In order to overcome the designed by the US National Security Agency [2]. Te problem, Xiang et al. [23] proposed a state partition to achieve SIMON2�/�� family of lightweight block ciphers have clas- a trade-of between the accuracy of the integral distinguisher sical Feistel structures with 2�-bit block size and ��-bit key, and the time-memory complexity. Accordingly, Todo’s result where � is the word size. was improved by one round for SIMON48. Aferwards, MILP 2 Security and Communication Networks method was applied by Xiang et al. [22] to fnd integral thesingle-keymodel.Wepresentintegralattackson24- characteristics of some lightweight block ciphers, including round SIMON32, 24-round SIMON48/72, and 25-round a 15-round integral distinguisher for SIMON48. At ACNS SIMON48/96. In terms of the number of attacked rounds, 2016, some integral distinguishers of SIMON-like ciphers ourattackonSIMON32isbetterthananypreviouslyknown were constructed by Kondo et al. [10]. However, the block size attacks, and our attacks on SIMON48 are the same as the best considered is only 32 bits. Later in [7], with the equivalent- attacks. In order to verify the correctness of our approach, we subkey technique, Fu et al. presented integral attacks on implement the summation procedure of the integral attack 22-round SIMON32, 22-round SIMON48/72, and 23-round on 22-round SIMON32. A summary of our results is given in SIMON48/96. Good results [6, 13, 20] were achieved in Table 1. diferential and linear cryptanalysis, as well. Te cryptan- Outline.Tispaperisstructuredasfollows.Section2briefy alytic results that attack the most rounds of SIMON were describes the specifcation of SIMON and some integral obtained in [6], and these results were achieved by linear hull distinguishers. In Section 3, we discuss the time reduction cryptanalysis. Te most efcient diferential and linear attacks in integral cryptanalysis of bit-oriented block ciphers. In on SIMON were presented with the help of dynamic key- Section 4, we present improved integral attacks on SIMON32 guessing techniques. and SIMON48. In Section 4.1, we give the experimental result. With regard to dynamic key-guessing techniques, they Finally, Section 5 draws conclusions. were initially proposed to improve the diferential attacks on SIMON [20]. Te techniques, which exploit the property of AND operation, help reduce the average number of guessed 2. Preliminaries key bits signifcantly in diferential cryptanalysis. Ten they were applied to linear hull attacks on SIMON [6]. In both 2.1. Notations [6, 20], with the techniques above, the adversaries are able � to extend previous diferential (resp., linear hull) results on :thewordsize SIMON by 2 to 4 more rounds, using existing diferential ��:the�thbitofbitstring� (resp., linear hull) distinguishers. Subsequently, Qiao et al. �[�−�] (or �� −��):the�th to the �th bits of bit string � [13] released a tool, which provides the diferential security �� ,...,� �� �=�1,...,�� evaluation of SIMON given diferential distinguishers of high 1 � :theXORsumof ,where ,i.e., ⨁ � probability. Moreover, with newly proposed diferentials [9], �∈{�1,...,��} � Qiao et al. improved diferential attacks against SIMON, �‖�: concatenation of two bit strings � and � usingthetechniques.Alsointhediferentialcryptanalysis � � :theinputofround� or output of round (� − 1) and linear cryptanalysis of Simeck [26], good results [13, 27] � � � � ��,��: the lef and right halves of � ,thatis,� = have been obtained by using dynamic key-guessing tech- � � niques. Up to now, the dynamic key-guessing techniques have �� ‖�� � � � � only been combined with linear and diferential cryptanalysis ��,� (resp.��,�):the�th bit of bit string ��(resp.��) methods. Tere is no attempt to combine the dynamic key- �� ( �� −�� ) � � guessing techniques with integral attack so far. �,[�−�] or �,� �,� :the th to the th bits of bit �� Besides the above results under the single-key model, string � � � � the security of SIMON has also been evaluated under the ��,[�−�] (or ��,� −��,�):the�th to the �th bits of bit � related-key [11] and known-key [8] models. In the related-key string �� setting, Kondo et al. [11] constructed a 15-round related-key �� � impossible diferential distinguisher of SIMON32. :thesubkeyusedin th round �\{�� ,...,�� }:anewbitstring,ofwhichbitsare 1 � � {� ,...,� } Our Contributions. In this paper, we frst apply dynamic derived from bit string ,excluding �1 �� key-guessing techniques to integral attacks. In our improved ⊕:bitwiseXOR integral cryptanalysis, we extend dynamic key-guessing techniques to compute the sum, which is in the form of &: bitwise AND ∑� �(�, �) ⋅ �[�],where� is a nonlinear Boolean function �⋘�:alefcircularshifofbitstring� by � bits and �[�] are counters for �. Te dynamic key-guessing �[�], �[�], �[�]:countersforbitstring� techniques improve the time complexity of the computation � � signifcantly. Please see the following example. Suppose � (�): � (�) = ∑� �(�, �)⋅�[�],where� is a Boolean � �(�, �) = 1 ⊕ �1(�1,�1)&�2(�2,�2),where�=�1 ‖�2, function of � and � (actually, � (�) are counters for �) �=�1 ‖�2,and�1 and �2 aretwoBooleanfunctions.We �(�): �(�) = [(� ⋘ 1)&(� ⋘ 8)] ⊕ (� ⋘ 2) guess �1 atfrst;thenwesplit�=�1 ‖�2 into two sets: �(�) � �(�) �1 ={�|�1(�1,�1)=0}and �2 ={�|�1(�1,�1)=1}.We �:the th bit of bit string continue to compute the sum for each set. For set �1,thereis no need to guess �2 since �(�, �) = 1 when �∈�1.Finally, 2.2. Description of SIMON2�/��. SIMON2�/�� is a two- we sum them up. branch balanced Feistel network with 2�-bit block size and Using the dynamic key-guessing techniques, we present ��-bit key, where � isthewordsize.Tereare10variants improved integral attacks on SIMON32 and SIMON48 in for SIMON. Te parameters of SIMON32/64, SIMON48/72, Security and Communication Networks 3

Table 1: Summary of some related results for SIMON32 and SIMON48.

Memory Success Attack Target Rounds Data Time Source (bytes) probability type 31 63 54 21 2 2 E 2 1 Integ. [21] 31 55.25 21 2 2 E-51% Dif. [20] 22 231 263 255.8 1 SIMON32/64 E Integ. [7] 32 58.76 22 2 2 E-31.5% Dif. [13] 31.19 57.19 61.84 56 23 2 2 TWO+2 A+2 E- 28% Lin. hull [6] 32 63 33.64 24 2 2 E 2 1 Integ. Section 4.3 18 ---1 Integ. [23] 47 71 42 22 2 2 E 2 1 Integ. [7] 47 63.25 SIMON48/72 23 2 2 E-48% Dif. [20] 47.92 69.92 67.89 56 24 2 2 ONE+2 A+2 E- - Lin. hull [6] 48 71 50 24 2 2 E 2 1 Integ. Appendix B.2 19 ---1 Integ. [23] 47 95 47 23 2 2 E 2 1 Integ. [7] 24 247 287.25 48 SIMON48/96 E-% Dif. [20] 48 78.99 24 2 2 E-47.5% Dif. [13] 47.92 91.92 89.89 80 25 2 2 TWO+2 A+2 E- - Lin. hull [6] 48 95 50 25 2 2 E 2 1 Integ. Appendix B.3 Note. Tis table summaries our results along with some previous major results of SIMON32 and SIMON48 in the single-key setting; E: encryption; A: addition; TWO: two rounds of encryption or decryption; ONE: one round of encryption or decryption.

i i Table 2: Parameters of SIMON32 and SIMON48. XL XR ⋘2 Block size (2�) Key size (��) Rounds Ki 32 (� = 16) 64 (� = 4) 32 ⋘1 & 72 (� = 3) 36 48 (� = 24) ⋘8 96 (� = 4) 36

i+1 i+1 and SIMON48/96 are listed in Table 2, since only these three XL XR � � � variants are considered in this paper. Let � =�� ‖�� �+1 �+1 �+1 Figure 1: Round function of SIMON. denotetheinputofround� and � =�� ‖�� be the output of round �.Tesubkeyusedinround� is denoted by � � .Te�th round is as follows (also see Figure 1): � ��+1 =�� , encrypted texts sum to zero afer rounds encryption, the � � cipher has an �-round integral distinguisher. (1) ��+1 =�(�� )⊕�� ⊕��, Wang et al. [21] found a 14-round integral distinguisher of � � � SIMON32 experimentally. Later, Todo and Morii [18] proved where the internal nonlinear function � is defned as the correctness of this distinguisher using division property. Also, Fu et al. [7] revealed this distinguisher from the view � � � � �(��) = [(�� ⋘1)& (�� ⋘ 8)] ⊕ (�� ⋘2). (2) ofdegreeoftheBooleanfunction.Integralcharacteristicsof SIMON32 and SIMON48 were found in [7, 18, 21, 22]. And Te key schedules are diferent depending on the key size. we apply them to our attacks. Te constant bit, active bit, Please refer to [2] for more details. balanced bit, and unknown bit are labeled as c, a, b,and?, respectively. Te integral characteristics used in this literature 2.3. Integral Distinguishers of SIMON32 and SIMON48. are as follows. Attackers prepare a set of texts where some bits (constant bits) (i) SIMON32’s 14-round distinguisher: arefxedtosamevaluesandtheotherbits(activebits)range over all possible values. If some bits (balanced bits) in the Input: (caaaaaaaaaaaaaaa, aaaaaaaaaaaaaaaa) 4 Security and Communication Networks

Output: (????????????????, collections of ciphertexts can be converted into the task of ?b??????b??????b) computing another counter �[�] which is defned as (ii) SIMON48’s 15-round distinguisher: � [�] = ∑� (�, �) ⋅�[�] , � (4) Input: (caaaaaaaaaaaaaaaaaaaaaaa, aaaaaaaaaaaaaaaaaaaaaaaa) where � is a Boolean function of � and �,and�[�] denotes the number of �.Let� be a �1-bit value and � be a �2-bit value. Output: (????????????????????????, � +� In a naive way, it needs O(2 1 2 ) calculations of � to get the bbbbbbbbbbbbbbbbbbbbbbbb) counters �[�]. Using dynamic key-guessing techniques, the calculation can be done with improved time complexity. Te 3. Time Reduction in Integral Attacks on Bit- basicideaisasfollows. � � � � � � � Let �=� ‖� ‖� ‖�,where� , � , � ,and Oriented Block Ciphers � � � � � � � are �2 , �2 , �2 ,and�2 bits. Afer guessing � ,thesetof � � � � Suppose the input of the integral distinguisher is from the set � canbesplitintotwosets� and � with � and � �� � � � � � � �−1 � elements, respectively. For values in , is independent of � ={�=(� ,� )|� =�,� ∈ F ,� � � � � � � �,0 �,[1−15] 2 � � . Similarly, for values in � , � is independent of � .Tus, (3) � � � � ∑� �(�, �) ⋅ �[�] = ∑�∈�� �(�, � ‖� ‖�) ⋅ �[�] + ∈ F2 }. � � � ∑�∈�� �(�, � ‖� ‖�) ⋅ �[�].Wecomputethesumfor

�+� eachset,thenwesumthemup.Terefore,usingdynamickey- Afer �-round encryption, some bits of the output � are guessing techniques, the improved time complexity becomes � ��+��+�� � ��+��+�� balanced. For simplicity, let the frst bit of the right part, O(� ⋅22 2 2 +� ⋅22 2 2 ) �+� . that is, ��,0 , be balanced. We add � rounds before the Again, we provide a toy example that illustrates the idea � 3 3 distinguisher and append rounds afer it. Let the Boolean behind the improvement. Let �∈F2 ,�∈F2 ,and�(�, �) = � �+� � ⊕� ⊕ ((� ⊕� ) (� ⊕� )) � expressions of ��,0 and ��,0 be functions represented as 0 0 1 1 & 2 2 . Firstly, we guess 1.Ten, �� (��,��) and �� (��,��),where��, ��, ��,and�� are � � ∑� (�, �) ⋅�[�] efective bit strings derived from the plaintext, the ciphertext, � and involved subkeys. We briefy outline the idea of our integral attacks on �+ = ∑ (�0 ⊕�0)⋅�[�] � =� ,� ∈F ,� ∈F (5) �+�rounds of ciphers. Given the entire codebook, we guess 1 1 0 2 2 2 some subkey bits and carry out the frst � rounds’ encryption. + ∑ (�0,2 ⊕�0,2)⋅�[�] . Tenchooseasetofstatesthatformtheinputspace��.For � =� ⊕1,� ∈F ,� ∈F the corresponding ciphertexts, we guess the related subkey 1 1 0 2 2 2 � bitsanddecryptthelast rounds to check if the target bit Next, we create four counters �0,0, �0,1, �1,0,and�1,1 and �+� � =�[0‖� ‖0]+�[0‖ ��,0 is balanced. assign some values to them: 0,0 1 In general, the time complexity of the integral attack is �1 ‖1], �0,1 =�[1‖�1 ‖0]+�[1‖�1 ‖1], � � =�[0‖(� ⊕1)‖ 0]+�[1‖ (� ⊕1)‖ 1] roughly O(2 ⋅�),where� isthenumberofguessedsubkeybits 1,0 1 1 ,and � =�[0‖(� ⊕1)‖ 1]+�[1‖ (� ⊕1)‖ 0] and � denotes the number of plaintext-ciphertext pairs. But 1,1 1 1 .Finally, �[�] = � +� �[�] we can optimize it with dynamic key-guessing techniques. 0,�0⊕1 1,�0⊕�2⊕1.Tus,thecalculationof 2 4 essentially requires 2×(2+2+2)=2 additions, while 26 3.1.FindCollectionsofCiphertexts. Let �[��,��] denote the it takes operations in a straightforward method. counters into which we store the frequency of (��,��).For See Appendix A for more information on the time ∑ �(�, �) ⋅ �[�] each guessed ��,wetraversethewholeplaintextspaceand complexity of the calculation of � . � (� ,� )=� make partial encryptions. If �� � � ,westorethe corresponding ciphertext. Tus, we generate new counters 3.3. Compute the XOR Sum of the Recovered Bit. Assume now �[�� ,� ] �� �[��,��], which are defned as ∑� ,� (� ,� )=� �[��,��]. that we obtain the new counters � � .Forafxed �, � �� � � we guess �� and partially decrypt each efective bit string Furthermore, if �� is linear with some bit of ��,say � � � (� ,� ) � � � to get the value of the target bit, that is, �� � � . ��,0 ,welet�� (��,��)=��,0 ⊕�� (��,��),where�� = � � Ten, check whether the XOR sum of the recovered bit � ‖�� � � ⊕1 �,0 �.Wenowassign the value �,0 . Accordingly, iszero.NotethattheXORsumamountstotheparityof � � �[��,��]=∑� ,�� (� ,�� )=1 �[��,��],whichmeansthat ∑ � (� ,� )⋅�[� ,� ] � (� ,� ) � �� � � �� �� � � � � . For simplicity, let �� � � � � � � the condition � (��,� )=1can be transformed to a � ⊕� (� ,� ) � � � = �� � be �,0 �� � � ,where �,0 is the frst bit of �, � �[�� ,� ]= � coefcient. Terefore, it is sufcient to calculate � � ��,0 ‖��.Wecanomit��,0 sinceitdoesnotafecttheXOR ∑ �� (� ,�� )⋅�[� ,� ] �� � � � � � . sum. Hence, the XOR sum essentially equals the parity of �[�� ,�� ] ∑ �� (� ,�� )⋅ new counters � � which is defned as �� �� � � � 3.2. Compute ∑� �(�, �) ⋅ �[�] with Dynamic Key-Guessing �[��,��]. Also, dynamic key-guessing techniques can be Techniques. As described above, the modeling to fnd the applied in the last � rounds to improve the time complexity. Security and Communication Networks 5

� Table 3: Each efective bit of the Boolean expression of ��,15.

�� Representation of �� �� Representation of �� �−4 �−4 �−4 �−4 �−4 �−4 �−4 �−3 �−3 �−2 �−1 �0 ��,7 ⊕(��,8 &��,1 )⊕��,9 ⊕��,11 ⊕��,15 �0 �9 ⊕�11 ⊕�15 ⊕�13 ⊕�15 �−4 �−4 �−4 �−4 �−4 �1 ��,8 ⊕(��,9 &��,2 )⊕��,10 �1 �10 �−4 �−4 �−4 �−4 �−4 �2 ��,1 ⊕(��,2 &��,11)⊕��,3 �2 �3 �−4 �−4 �−4 �−4 �−4 �3 ��,12 ⊕(��,13&��,6 )⊕��,14 �3 �14 �−4 �−4 �−4 �−4 �−4 �4 ��,5 ⊕(��,6 &��,15)⊕��,7 �4 �7 �−4 �−4 �−4 �−4 �−4 �−4 �−3 �5 ��,8 ⊕(��,9 &��,2 )⊕��,10 ⊕��,12 �5 �10 ⊕�12 �−4 �−4 �−4 �−4 �−4 �6 ��,9 ⊕(��,10&��,3 )⊕��,11 �6 �11 �−4 �−4 �−4 �−4 �−4 �7 ��,2 ⊕(��,3 &��,12)⊕��,4 �7 �4 �−4 �−4 �−4 �−4 �−4 �−4 �−3 �8 ��,1 ⊕(��,2 &��,11)⊕��,3 ⊕��,5 �8 �3 ⊕�5 �−4 �−4 �−4 �−4 �−4 �9 ��,11 ⊕(��,12&��,5 )⊕��,13 �9 �13 �−2 �10 �3 ⊕�5 �10 �3 ⊕�5 ⊕�14 �−4 �−4 �−4 �−4 �−4 �−4 �−3 �11 ��,9 ⊕(��,10&��,3 )⊕��,11 ⊕��,13 �11 �11 ⊕�13 �−4 �−4 �−4 �−4 �−4 �12 ��,10 ⊕(��,11&��,4 )⊕��,12 �12 �12 �−4 �−4 �−4 �−4 �−4 �13 ��,3 ⊕(��,4 &��,13)⊕��,5 �13 �5 �−4 �−4 �−4 �−4 �−4 �−4 �−3 �14 ��,2 ⊕(��,3 &��,12)⊕��,4 ⊕��,6 �14 �4 ⊕�6 �−2 �15 �4 ⊕�8 �15 �4 ⊕�8 ⊕�7 �−4 �−4 �−4 �−4 �−4 �−4 �−3 �16 ��,11 ⊕(��,12&��,5 )⊕��,13 ⊕��,15 �16 �13 ⊕�15

� � � 4. Integral Attacks on SIMON32 and SIMON48 During the computation of �[��,��],wefrstguess��; � then we guess ��. Since there is no diference between the frst 4.1. Integral Attack on 22-Round SIMON32. We start with a and the second halves of the computation, in the following, key-recovery attack over four rounds of partial encryption we mainly discuss the frst half, that is, the computation of and four rounds of partial decryption, exploiting the 14- round integral characteristic. Any of balanced bits can be � � � �+14 ,� ]= � (� ,� )⋅�[� ,� ]. � �[�� � ∑ � � � � � taken as the target bit. Here, we pick �,0 .Intheattack,we � (7) compress each plaintext-ciphertext pair into counters. Ten � weapplytheapproachgivenabovetothereducedSIMON32. � To describe our procedure in a convenient way, we simplify Te Boolean expression of the constant bit ��,15 has the �+14 our modeling. Wegive a brief description of the modeling. We same general form as that of the balanced bit � .Te �� � �,0 aim to compute another counter � (� ), which is defned as general form is shown in (6). Te specifc information on each � � � �−4 �+18 ∑� � (�, � ) ⋅ �[�],where�=�0 ‖� and �(�, �) = �0 ⊕ bitislistedinTables3and4.Inthetables,� and � , � � � (�, � ). Our approach is as follows. respectively, denote the plaintext and the ciphertext. (a) Guess �1,�3,�7 andthensplitthetextsinto8sets according to the value (�1 ⊕�1,�3 ⊕�3,�7 ⊕�7).Table5shows � � � (�, �) =�0 ⊕�0 ⊕ ((�1 ⊕�1) & (�2 ⊕�2)) ⊕ ((�3 corresponding variants of the Boolean function � (�, � ). Accordingly, we have ⊕�3) & (�4 ⊕�4)) ⊕ [(�5 ⊕�5 ⊕ ((�6 ⊕�6) � =� ⊕[(� ⊕� ) (� ⊕� )] ⊕ {(� ⊕� & (�7 ⊕�7))) & (�8 ⊕�8 ⊕ ((�9 ⊕�9) 000 0 5 5 & 8 8 10 10 ⊕[(� ⊕� ⊕((� ⊕� ) (� ⊕� ))) & (�7 ⊕�7)))] ⊕ {(�10 ⊕�10 ⊕ ((�6 ⊕�6) 11 11 12 12 & 13 13 (� ⊕� )]) (� ⊕� ⊕[(� ⊕� ) & (�7 ⊕�7)) & 14 14 & 15 15 14 14 (6) (� ⊕� )])} , ⊕[(�11 ⊕�11 ⊕ ((�12 ⊕�12) & (�13 ⊕�13))) & 16 16 . & (�14 ⊕�14 ⊕ ((�3 ⊕�3) & (�13 ⊕�13)))]) & (�15 .

⊕�15 ⊕ ((�7 ⊕�7) & (�9 ⊕�9)) �111 =�0,2,4 ⊕�2,4 ⊕[(�5,6 ⊕�5,6) & (�8,9 ⊕�8,9)]

⊕[(�14 ⊕�14 ⊕ ((�13 ⊕�13) & (�3 ⊕�3))) ⊕{(�6,10 ⊕�6,10

& (�16 ⊕�16 ⊕ ((�3 ⊕�3) & (�4 ⊕�4)))])} . ⊕[(�11 ⊕�11 ⊕((�12 ⊕�12) & (�13 ⊕�13))) 6 Security and Communication Networks

�+14 Table 4: Each efective bit of the Boolean expression of ��,0 .

�� Representation of �� �� Representation of �� �+18 �+18 �+18 �+18 �+18 �+18 �+17 �+16 �+16 �+15 �+14 �0 ��,8 ⊕(��,9 &��,2 )⊕��,10 ⊕��,12 ⊕��,0 �0 �10 ⊕�12 ⊕�0 ⊕�14 ⊕�0 �+18 �+18 �+18 �+18 �+17 �1 ��,9 ⊕(��,10&��,3 )⊕��,11 �1 �11 �+18 �+18 �+18 �+18 �+17 �2 ��,2 ⊕(��,3 &��,12 )⊕��,4 �2 �4 �+18 �+18 �+18 �+18 �+17 �3 ��,13 ⊕(��,14&��,7 )⊕��,15 �3 �15 �+18 �+18 �+18 �+18 �+17 �4 ��,6 ⊕(��,7 &��,0 )⊕��,8 �4 �8 �+18 �+18 �+18 �+18 �+18 �+17 �+16 �5 ��,9 ⊕(��,10&��,3 )⊕��,11 ⊕��,13 �5 �11 ⊕�13 �+18 �+18 �+18 �+18 �+17 �6 ��,10 ⊕(��,11&��,4 )⊕��,12 �6 �12 �+18 �+18 �+18 �+18 �+17 �7 ��,3 ⊕(��,4 &��,13 )⊕��,5 �7 �5 �+18 �+18 �+18 �+18 �+18 �+17 �+16 �8 ��,2 ⊕(��,3 &��,12 )⊕��,4 ⊕��,6 �8 �4 ⊕�6 �+18 �+18 �+18 �+18 �+17 �9 ��,12 ⊕(��,13&��,6 )⊕��,14 �9 �14 �+15 �10 �3 ⊕�5 �10 �3 ⊕�5 ⊕�15 �+18 �+18 �+18 �+18 �+18 �+17 �+16 �11 ��,10 ⊕(��,11&��,4 )⊕��,12 ⊕��,14 �11 �12 ⊕�14 �+18 �+18 �+18 �+18 �+17 �12 ��,11 ⊕(��,12&��,5 )⊕��,13 �12 �13 �+18 �+18 �+18 �+18 �+17 �13 ��,4 ⊕(��,5 &��,14 )⊕��,6 �13 �6 �+18 �+18 �+18 �+18 �+18 �+17 �+16 �14 ��,3 ⊕(��,4 &��,13 )⊕��,5 ⊕��,7 �14 �5 ⊕�7 �+15 �15 �4 ⊕�8 �15 �4 ⊕�8 ⊕�8 �+18 �+18 �+18 �+18 �+18 �+17 �+16 �16 ��,12 ⊕(��,13&��,6 )⊕��,14 ⊕��,0 �16 �14 ⊕�0

� � Table 5: Variants of the Boolean function � (�, � ). Table 6: Variants of the Boolean function �111. � � ⊕� ,� ⊕� � Guess �1 ⊕�1, �3 ⊕�3, �7 ⊕�7 � Guess 5,6 5,6 13,14 13,14 111 0, 0 �00 0, 0, 0 �000 111 0, 1 �01 0, 0, 1 �001 111 �5,6,�13,14 1, 0 �10 0, 1, 0 �010 111 11 0, 1, 1 � 1, 1 �111 �1,�3,�7 011 1, 0, 0 �100

1, 0, 1 �101 (b) For each set of texts and corresponding Boolean 1, 1, 0 �110 � � \{�1,�3,�7} � function, we compute � (� ).Wetake�111 as an 1, 1, 1 �111 example when (�1 ⊕�1,�3 ⊕�3,�7 ⊕�7)=(1,1,1). (1) Te next guesses, �5,6 and �13,14,areconstrainedby � & (�13,14 ⊕�13,14)]) & (�9,15 ⊕�9,15 the simplifed Boolean function 111. Te corresponding texts are split into four sets. Te Boolean functions simplifed even ⊕[(�13,14 ⊕�13,14) & (�4,16 ⊕�4,16)])} . further are shown in Table 6. (i) (�5,6 ⊕�5,6,�13,14 ⊕�13,14) = (0, 0). (8) 00 Te new counters �111 are created. Tey are given by Ten we create new counters for the next step. For (� ⊕�,� ⊕�,� ⊕�) = (1,1,1) �� 00 example, if 1 1 3 3 7 7 , is equal �111 [�0,2,4,�6,10,�9,15]= ∑ �111 [�0,2,4, � � =� ,� =� to 111. Tus, we compress corresponding counters into new 5,6 5,6 13,14 13,14 (11) counters �111,where �5,6,�8,9,�6,10,�11,�12,�13,�13,14,�9,15,�4,16]. �111 [�0,2,4,�5,6,�8,9,�6,10,�11,�12,�13,�13,14,�9,15,�4,16] (9) 2 5 Te creation of new counters takes 2 ×(2 −1)addition is initialized to operations. Accordingly, we have

∑ � [�] . 00 (10) � =�0,2,4 ⊕�2,4 ⊕ ((�6,10 ⊕�6,10) (�9,15 ⊕�9,15)) . (12) �1=�1⊕1,�3=�3⊕1,�7=�7⊕1,�2∈F2,�5∈F2,�8∈F2 111 &

Due to �10 =�3 ⊕�5, �6,10 is uniquely determined by In Appendix A, the time complexity of computing �2,4,�6,10,�9,15 00 �5,6. Besides, 3-bit information is independent of the value � (�111) (Case 2 in Appendix A) is estimated. [� ,� ,� ,� ,� ,� ,� ,� ,� ,� ] �2,4,�6,10,�9,15 00 4 0,2,4 5,6 8,9 6,10 11 12 13 13,14 9,15 4,16 .Conse- Te calculation of � (�111) requires 2 additions. 9 quently, the creation in this example costs 2 ×7additions. (ii) (�5,6 ⊕�5,6,�13,14 ⊕�13,14) = (0, 1). Security and Communication Networks 7

Similarly, Tus,thetimecomplexityofthesummationrequiresnomore 28 ×3=28.58 � ,� 01 than additions, for each 5,6 13,14. � [� ,� ,� ,� ,� ] 2 7 2 4 7 5 6.75 111 0,2,4 6,10,11 12 13 4,9,15,16 In this example, it takes 2 ×((2 −2 +2 +2 −2 +2 )× 8.58 12.06 ��\{� ,� ,� } � = ∑ � [� ,� ,� ,� ,� , 2+2 )=2 additions to compute � 1 3 7 (� ). 111 0,2,4 5,6 8,9 6,10 11 ( ) � ,� ,� �5,6=�5,6,�13,14=�13,14⊕1 c For each 1 3 7,wesumtheeighttemporary variables up. Te summation yields a time complexity of � ,� ,� ,� ,� ], 213 ×7 12 13 13,14 9,15 4,16 (13) addition operations. � 01 Tus, for each �, the time complexity of computing � 19.87 �111 =�0,2,4 ⊕�2,4 ⊕[(�6,10,11 ⊕�6,10,11 �[��,��] is approximately 2 additions. Te details are giveninTable7.�1 denotes the time complexity of creating ⊕((�12 ⊕�12) & (�13 ⊕�13))) & (�4,9,15,16 new counters according to guessed key bits. �2 denotes the � ⊕�4,9,15,16)] . time complexity of computing the sum for each set. 3 denotes the time complexity of summing them up. 5 2 Te creation of new counters takes 2 ×(2 −1)= Let us review the procedure proc simon 32 bit cond 7 5 �[�� ,�� ] 2 −2 addition operations. And the calculation of used to compute � � andthekey-recoveryattackon22- �2,4,�6,10,11,�12,�13,�4,9,15,16 01 6.75 � (�111) costs 2 additions. round SIMON32. Te procedure is as follows. (iii) (�5,6 ⊕�5,6,�13,14 ⊕�13,14) = (1, 0). 15 � (1) For each of 2 ��,wecompute�[��,��]. 10 216�� �[�� ,�� ] �111 [�0,2,4,8,9,�6,10,�9,15] (2) For each of �,wecompute � � . Te time complexity of proc simon 32 bit cond proce- = ∑ � [� ,� ,� ,� ,� , 15 19.87 16 19.87 36.45 111 0,2,4 5,6 8,9 6,10 11 dure is 2 ×2 +2 ×2 =2 additions. �5,6=�5,6⊕1,�13,14=�13,14 Teattackworksasfollows. � ,� ,� ,� ,� ], (14) 12 13 13,14 9,15 4,16 (1) Compress the whole plaintext-ciphertext pairs into 30 10 2 counters �[��,��]. �111 =�0,2,4,8,9 ⊕�2,4,8,9 ⊕(�6,10 ⊕�6,10) & (�9,15 (2) Call proc simon 32 bit cond. ⊕�9,15). � � (3) Check the parity of �[��,��].Iftheparityisodd, 2 5 discard the 32-bit subkey guess. Otherwise, use the Te creation of new counters takes 2 ×(2 −1)= 7 2 key schedule to recover 32 bits of the master key 2 −2 addition operations. And the calculation of � ,� ,� 01 4 and then exhaustively search for the remaining 32-bit � 2,4,8,9 6,10 9,15 (� ) 2 111 costs additions. keys. (iv) (�5,6 ⊕�5,6,�13,14 ⊕�13,14) = (1, 1). It is noted that there is one AND operation and three 11 �111 [�0,2,4,8,9,�6,10,11,�12,�13,�4,9,15,16] XORoperationsinoneroundofSIMON.Inouranalysis, we approximate them as four XOR operations. Te time 32 = ∑ �111 [�0,2,4,�5,6,�8,9,�6,10,�11, complexity of step 1 is 2 compressions, which is equivalent � =� ⊕1,� =� ⊕1 32 28.24 5,6 5,6 13,14 13,14 to about 2 × (104/(4 × 16 × 22)) = 2 encryptions. � � Sincewecareabouttheparityof�[��,��], all counters �12,�13,�13,14,�9,15,�4,16], (15) can be taken modulo 2. Te addition is actually the bitwise 11 � � � =� ⊕� ⊕[(� ⊕� XOR operation in the calculation of �[��,��].Tus,thetime 111 0,2,4,8,9 2,4,8,9 6,10,11 6,10,11 36.45 complexity of step 2 is equivalent to about 2 × (1/(4 × ⊕((� ⊕� ) (� ⊕� ))) (� 26 12 12 & 13 13 & 4,9,15,16 16 × 22)) = 2 encryptions. Te time complexity of step 3 63 ⊕� )] . is 2 encryptions. Hence, the proposed attack on 22-round 4,9,15,16 32 SIMON32 requires 2 known plaintexts and has a total time 5 2 63 Te creation of new counters takes 2 ×(2 −1)= complexity equivalent to about 2 encryptions. 7 5 �[�� ,�� ] 2 −2 addition operations. And the calculation of We have implemented the calculation of � � .Te � ,� ,� ,� ,� 11 6.75 2,4,8,9 6,10,11 12 13 4,9,15,16 experiment was performed on Intel Core i7-4790 with 8 � (�111) costs 2 additions. (2) Afer this, we sum the four temporary variables up; GBytes of DDR3 memory. Te experimental result confrmed namely, the correctness of our technique.

�2,4,�5,6,�8,9,�6,10,�11−�14,�9,15,�4,16 � (�111) 4.2. Integral Attack on 23-Round SIMON32. In this section, we extend the 22-round attack by one round. Te improved �2,4,�6,10,�9,15 00 �2,4,8,9,�6,10,�9,15 10 =(� (�111)+� (�111)) attack is as follows. Guess 13 bits’ subkey �� and partially (16) � =��−5 −��−5 ‖��−5 −��−5 ‖ � ,� ,� ,� ,� 01 encrypt plaintexts, where � 1 6 8 13 +(� 2,4 6,10,11 12 13 4,9,15,16 (� ) �−5 111 �15 . Ten carry out the 22-round attack. ��−5 �2,4,8,9,�6,10,11,�12,�13,�4,9,15,16 11 We briefy explain why there is no need to guess 7 .Let +� (�111)) . the frst bit of �� (resp., ��)be��,0 (resp., ��,0 ). In our attack, 8 Security and Communication Networks

� Table 7: Time complexity of calculating �[��,��] with a fxed ��.

� Time Guess �1 ⊕�1, �3 ⊕�3, �7 ⊕�7 � �1 �2 �3 9 12.06 0, 0, 0 �000 2 ×7 2 9 12.06 0, 0, 1 �001 2 ×7 2 9 12.06 0, 1, 0 �010 2 ×7 2 9 12.06 0, 1, 1 � 2 ×7 2 13 �1,�3,�7 011 2 ×7 9 12.06 1, 0, 0 �100 2 ×7 2 9 12.06 1, 0, 1 �101 2 ×7 2 9 12.06 1, 1, 0 �110 2 ×7 2 9 12.06 1, 1, 1 �111 2 ×7 2 9 12.06 13 3 19.87 Total time ((2 ×7+2 )×8+2 ×7)×2 =2

�−5 �−4 �−4 �−4 we make the redefnitions, ��,0 =�7 ⊕��,7 ⊕(��,8 &��,1 )⊕ 5. Conclusion �−4 �−4 �−4 �−5 �−4 �−3 �−3 ��,9 ⊕��,11 ⊕��,15 and ��,0 =�7 ⊕�9 ⊕�11 ⊕�15 ⊕ �−2 �−1 �−5 �−4 �−4 �−4 �−4 In this paper, dynamic key-guessing techniques are frst �13 ⊕�15 .Itisevidentthat�7 ⊕��,7 ⊕(��,8 &��,1 )⊕��,9 ⊕ �−4 �−4 introduced in integral cryptanalysis, and we extend dynamic ��,11 ⊕��,15 canbeobtainedaferguessing13bits’subkey��. key-guessing techniques to ft our needs. Dynamic key- � � Consequently, we still have ��(��,��)=1. guessing techniques signifcantly improve the complexity of 32 ∑ �(�, �) ⋅ �[�] Te 23-round attack has a data complexity of 2 known calculating � . Using dynamic key-guessing 63 plaintexts and a time complexity of about 2 encryptions. techniques, we can attack two more rounds than previously known integral attacks on SIMON32 and SIMON48. 4.3. Integral Attack on 24-Round SIMON32. Te 22-round attack can be extended by one round in forward and one Appendix round in backward direction in a straightforward way. Te improved attack proceeds as follows. Guess 26 bits subkey A. Time Complexities under Some Variations � ‖� � =��+18 ‖��+18 −��+18 ‖��+18 −��+18 � �,where � 0 2 7 9 14 . of Boolean Functions Partially encrypt plaintexts and partially decrypt correspond- ing ciphertexts. Ten carry out the 22-round attack presented In this section, we estimate the time complexity of calculating �+18 ��(�) ∑ �(�, �) ⋅ �[�] above. It should be noted that we do not guess �8 .Te ,whichisdefnedas � , under some reason is essentially the same as the case mentioned above. variations of Boolean functions. Let Guess denote the bit In this attack, the dominant part of the time complexity guessed at frst. Let �� ⊕�� denote the set of texts, where is still exhaustively searching half of the key space. Te total the value of �� is the same. Let �� be the simplifed Boolean 63 time complexity of our attack is about 2 encryptions. Te function afer guessing. In addition, the form of �� is the same 32 �∗ number of the required known plaintexts is 2 . Te success as that of � . And the new counters are created with a time � probability of our attack is 100%. complexity of 1 additions. Computing the sum for each set � � Te total memory complexity of our attack is determined costs 2 addition operations. It takes 3 additions to sum all by the size of the entire SIMON32 codebook, �[��,��] and of them up. Moreover, total time denotes the overall time � �[��,��]. Tis corresponds to a memory requirement of complexity. 33.64 �+19 All the cases are similar, so we focus on Case 3 in the about 2 bytes. Note that we can only store �(�� )0 ⊕ �+19 �+19 �+19 �+19 �+19 �+19 following. �3 is a Boolean function of 5-bit � and 4-bit �, ��,0 ‖(�(�� )⊕�� )2 −(�(�� )⊕�� )14 ‖��,4 − where �=�0 ‖ ⋅⋅⋅ ‖ �4 and �=�1 ‖⋅⋅⋅‖�4.First,we ��+19 ‖��+19 ‖��+19 −��+19 �,6 �,8 �,10 �,15 for each ciphertext. In addition, guess �1 and the texts are split into two sets. One set contains �[�� ,�� ] there is no need to store � � .Teelementsofitcan the texts where �1 =�1, and the other contains the texts � � be computed on-the-fy. As soon as a value of �[��,��] is where �1 =�1 ⊕1. Obviously, we obtain the corresponding computed, the bit condition is checked. If the condition is simplifed Boolean functions, �0 and �0,2 ⊕�2 ⊕(�3 ⊕�3)&(�4 ⊕ satisfed, then exhaustively search for the remaining 6-bit key. �4). Te new counters can be created according to simplifed Boolean functions. Note that when �1 =�1, we only need �1[�0 =1]=∑ �[�] 4.4. Improved Integral Attacks on SIMON48. We can improve to compute �0=1,�1=�1 . Next, we try the integral attacks on SIMON48/72 and SIMON48/96, to compute the corresponding temporary variables. When �2,�3,�4 using dynamic key-guessing techniques. Since the attack �1 =�1 ⊕1,weobtain� (�0,2 ⊕�2 ⊕(�3 ⊕�3)&(�4 ⊕�4)), procedures for them are similar, we present these integral referring to Case 2. And when �1 =�1, �(�0)=�1[�0 =1]. � attacksinAppendixB.TeresultsaresummarizedinTable1. Finally, we sum them up and get � (�). Security and Communication Networks 9

(� ⊕� )) Table 8: Time complexity of the calculation �1. & 7 7

Guess �1 ⊕�1 �1 �1 �2 �3 ⊕[(�11 ⊕�11 ⊕ ((�12 ⊕�12) & (�13 ⊕�13))) 0010 �1 2 & (�14 ⊕�14 ⊕ ((�17 ⊕�17) & (�13 ⊕�13)))]) 1020

Total time 2×(1+2+2)=10 & (�15 ⊕�15 ⊕ ((�7 ⊕�7) & (�9 ⊕�9))

⊕[(�14 ⊕�14 ⊕ ((�13 ⊕�13) & (�17 ⊕�17))) Table 9: Time complexity of the calculation �3. & (�16 ⊕�16 ⊕ ((�17 ⊕�17) & (�18 ⊕�18)))])} . Guess �1 ⊕�1 �3 �1 �2 �3 (B.1) 0023 −1 0 � 23 1 3 4 1�2∗2×1 2 In the above function, �1 ⊕�5 =�10 and �2 ⊕�8 =�15. 3 3 4 3 6.29 Total time 2×(2 −1+2 +2 +2 )=2 Procedure proc simon 48 comp w/proc simon 48 comp y

(1) Guess �1,�3 andcreatecorrespondingcounters. Table 10: Time complexity of the calculation �2. (2) When �1 ⊕�1 =1and �3 ⊕�3 =1,guess�7,�17 and

Guess �1 ⊕�1 �2 �1 �2 �3 create corresponding counters. Te other situations can be treated in a similar way. 002×102 �1 2 102×10 (3) When �1 ⊕�1 =1, �3 ⊕�3 =1, �7 ⊕�7 = 2 4 1,and�17 ⊕�17 =1,guess�8,9,�13,14 and create Total time 2×(2+2+2 )=2 corresponding counters. Te other situations can be treated in a similar way. � Table 11: Time complexity of the calculation 4. (4) Compute temporary variables and sum them up. � ⊕� � � � � 2 7 Guess 1 1 4 1 2 3 Time complexity evaluation: Steps (3)-(4) cost 2 ×[(2 − 3 5 6.75 8 12.63 002×(2−1) 0 4 2 +2 )×4+2 ×3]= 2 bitwise XOR operations; Steps �1 2 2 9 12.63 13 17.97 1�∗23 ×1 24 (2)–(4) cost 2 ×[(2 ×7+2 )×4+2 ×3]= 2 bitwise 2 2 14 17.97 3 3 4 4 6.75 XOR operations; Steps (1)–(4) cost 2 ×[(2 +2 )×4+ Total time 2×(2×(2 −1)+2 +2 +2 )=2 16 22.29 2 ×3]=2 bitwise XOR operations. Procedure proc simon 48 bit cond

Case 1. �1 =�0 ⊕ ((�1 ⊕�1)&(�2 ⊕�2)) (see Table 8). 17 (1) For each of 2 ��,callproc simon 48 comp w. 218�� Case 2. �2 =�0 ⊕�0 ⊕ ((�1 ⊕�1)&(�2 ⊕�2)) (see Table 10). (2) For each of �,callproc simon 48 comp y. 217 ×222.29 +218 ×222.29 = Case 3. �3 =�0 ⊕(�1 ⊕�1)&((�2 ⊕�2)⊕(�3 ⊕�3)&(�4 ⊕�4)) Time complexity evaluation: 240.87 (see Table 9). bitwise XOR operations. Procedure proc attack simon 48 Case 4. �4 =�0 ⊕�0 ⊕(�1 ⊕�1)&((�2 ⊕�2)⊕(�3 ⊕�3)&(�4 ⊕�4)) (see Table 11). (1) Compress the whole plaintext-ciphertext pairs into 34 2 counters. B. Improved Integral Attacks on SIMON48 (2) Call proc simon 48 bit cond. (3) Check the bit condition. If the condition is satisfed, B.1. Integral Attack on 23-Round SIMON48. Using the 15- usethekeyscheduletorecover36bitsofthemaster round integral characteristic, we provide a key-recovery key; then exhaustively search for the remaining key attack (procedure proc attack simon 48) over four rounds of bits.Otherwise,discardthe36-bitsubkeyguess. partial encryption and four rounds of partial decryption. Te i �+15 48 constant bit is ��,23 and we take the balanced bit ��,23 as Complexity evaluation includes 2 known plaintexts, 71 95 33 the bit condition. It is obvious that the Boolean expressions 2 /2 encryptions, and 2 bytes. �� ��+15 of �,23 and �,23 have the same general form, as follows. In the key-recovery attack (procedure proc attack simon 48), the whole plaintext-ciphertext pairs are com- � (�, �) =�0 ⊕�0 ⊕((�1 ⊕�1) & (�2 ⊕�2)) ⊕ ((�3 pressed into counters. Tus, the memory complexity of our ⊕� ) (� ⊕� )) ⊕ [(� ⊕� ⊕((� ⊕� ) attack is only determined by the size of counters used in the 3 & 4 4 5 5 6 6 attack. Tis corresponds to a memory requirement of about 233 �[�� ,�� ] (� ⊕� ))) (� ⊕� ⊕((� ⊕� ) bytes. Note that there is no need to store � � ,since & 7 7 & 8 8 9 9 � � we can compute the elements of �[��,��] on-the-fy, similar & (�7 ⊕�7)))] ⊕ {(�10 ⊕�10 ⊕((�6 ⊕�6) totheintegralattackon24-roundSIMON32. 10 Security and Communication Networks

B.2. Integral Attack on 24-Round SIMON48/72 [4] P. Ahir, M. Mozafari-Kermani, and R. Azarderakhsh, “Light- weight architectures for reliable and fault detection Simon and Procedure proc attack simon 48 72 24 Speck cryptographic algorithms on FPGA,” ACM Transactions on Embedded Computing Systems,vol.16,no.4,articleno.109, (1) Guess 18 bits’ subkey �� and partially encrypt plain- 2017. � =��−5 −��−5 ‖��−5 ‖��−5 −��−5 texts, where � 3 5 7 9 22 . [5] A. Aysu, E. Gulcan, and P.Schaumont, “SIMON says: Break area (2) Call proc attack simon 48. records of block ciphers on FPGAs,” IEEE Embedded Systems Letters,vol.6,no.2,pp.37–40,2014. 48 71 Complexity evaluation includes 2 known plaintexts, 2 [6] H. Chen and X. Wang, “Improved linear hull attack on round- 50 encryptions, and 2 bytes. reduced SIMON with dynamic key-guessing techniques,” in In this attack, the dominant part of the memory com- International Conference on Fast Sofware Encryption,vol.9783, plexity is the size of the entire SIMON48 codebook. Tis pp. 428–449, Springer, Berlin, Heidelberg, 2016. 50 corresponds to a memory requirement of about 2 bytes. It is [7] K. Fu, L. Sun, and M. Wang, “New integral attacks on SIMON,” �+20 �+20 �+20 IET Information Security, vol. 11, no. 5, pp. 277–286, 2017. noted that we can only store (�(�� )⊕�� )3 −(�(�� )⊕ ��+20) ‖�(��+20) ⊕��+20 ‖(�(��+20)⊕��+20) −(�(��+20)⊕ [8] Y. Hao and W. Meier, “Truncated diferential based known-key � 5 � 7 �,7 � � 9 � attacks on round-reduced simon,” Designs, Codes and Cryptog- ��+20) ‖��+20 ‖��+20 ‖��+20 −��+20 ‖��+20 ‖��+20 − � 23 �,5 �,6 �,11 �,13 �,15 �,17 raphy,vol.83,no.2,pp.467–492,2017. �+20 �+20 �+20 ��,20 ‖��,22 ‖��,23 for each ciphertext. [9] S. Kolbl,¨ G. Leander, and T. Tiessen, “Observations on the simon block cipher family,” in Annual Cryptology Conference, vol. 9215 of Lecture Notes in Comput. Sci., pp. 161–185, Springer, B.3. Integral Attack on 25-Round SIMON48/96 Heidelberg, Germany, 2015. Procedure proc attack simon 48 96 25 [10] K. Kondo, Y. Sasaki, and T. Iwata, “On the design ratio- nale of SIMON block cipher: Integral attacks and impossible �−5 �−5 (1) Guess 36 bits’ subkey �� ‖��,where�� =�3 −�5 ‖ diferential attacks against SIMON variants,” in International ��−5 ‖��−5 −��−5 � =��+19 −��+19 ‖��+19 ‖ Conference on Applied Cryptography and Network Security,vol. 7 9 22 and � 3 5 7 9696, pp. 518–536, Springer, Cham, Switzerland, 2016. ��+19 −��+19 9 22 . Partially encrypt plaintexts and partially [11] K. Kondo, Y. Sasaki, Y. Todo, and T. Iwata, “Analyzing key decrypt corresponding ciphertexts. schedule of SIMON: Iterative key diferences and application to (2) Call proc attack simon 48. related-key impossible diferentials,” in International Workshop on Security,vol.10418,pp.141–158,Springer,Cham,Switzerland, 48 95 Complexity evaluation includes 2 known plaintexts, 2 2017. 50 encryptions, and 2 bytes. [12] R. Nithya and D. S. Kumar, “Where aes is for internet, simon Similar to the integral attack on 24-round SIMON48/72, could be for iot,” Procedia Technology,vol.25,pp.302–309,2016. thedominantpartofthememorycomplexityisthesizeofthe [13] K. Qiao, L. Hu, and S. Sun, “Diferential analysis on simeck and entire SIMON48 codebook. simon with dynamic key-guessing techniques,” in Proceedings of the International Conference on Information Systems Security and Privacy,pp.64–85,Springer,2016. Conflicts of Interest [14] A. Shahverdi, M. Taha, and T. Eisenbarth, “Lightweight Side Channel Resistance: Treshold Implementations of Simon,” Te authors declare that there are no conficts of interest IEEE Transactions on Computers,vol.66,no.4,pp.661–671, regarding the publication of this article. 2017. [15] D.Shi,L.Hu,S.Sun,L.Song,K.Qiao,andX.Ma,“Improvedlin- Acknowledgments ear (hull) cryptanalysis of round-reduced versions of SIMON,” Science China Information Sciences,vol.60,no.3,ArticleID TisworkissupportedbyChina’s973Program(no. 39101, 2017. 2013CB834205). [16] P.Suil,P.Sepehrdad,S.Vaudenay,N.Courtois,andP.Suˇsil, “On selection of samples in algebraic attacks and a new technique References to fnd hidden low degree equations,” International Journal of Information Security,vol.15,no.1,pp.51–65,2016. [1] J. Daemen, L. R. Knudsen, and V. Rijmen, “Te block cipher [17] Y. Todo, “Structural evaluation by generalized integral prop- square,” in Fse,vol.97,pp.149–165,Springer,1997. erty,” in Proceedings of the Annual International Conference on [2]B.Ray,S.Douglas,S.Jason,T.Stefan,W.Bryan,andW.Louis, the Teory and Applications of Cryptographic Techniques,pp. “Te simon and speck families of lightweight block ciphers,” 287–314, Springer, 2015. Cryptology ePrint Archive Report 2013/404, 2013. [18] Y. Todo and M. Morii, “Bit-based division property and appli- [3]M.A.Abdelraheem,J.Alizadeh,H.A.Alkhzaimi,M.R.Aref, cation to SIMON family,” in International Conference on Fast N. Bagheri, and P. Gauravaram, “Improved linear cryptanalysis Sofware Encryption,vol.9783,pp.357–377,Springer,Berlin, of reduced-round simon-32 and simon-48,” in Proceedings of Heidelberg, 2016. the International Conference in Cryptology in India,vol.9462 [19] G.Wang,N.Gan,andY.Li,“Improveddiferentialattackon30- of Lecture Notes in Comput. Sci.,pp.153–179,Springer,Cham, round simon64,” Wuhan University Journal of Natural Sciences, Germany, December 2015. vol.21,no.1,pp.75–83,2016. Security and Communication Networks 11

[20] N. Wang, X. Wang, K. Jia, and J. Zhao, “Diferential attacks on reduced simon versions with dynamic key-guessing tech- niques,” Cryptology ePrint Archive Report 2014/448, 2014. [21]Q.Wang,Z.Liu,K.Varıcı,Y.Sasaki,V.Rijmen,andY.Todo, “Cryptanalysis of reduced-round SIMON32 and SIMON48,” in International Conference in Cryptology in India, vol. 8885, pp. 143–160, Springer, Cham, Switzerland, 2014. [22] Z. Xiang, W. Zhang, Z. Bao, and D. Lin, “Applying milp method to searching integral distinguishers based on division property for 6 lightweight block ciphers,” in Advances in Cryptology–ASIACRYPT,vol.10031ofLecture Notes in Comput. Sci., pp. 648–678, Springer, Berlin, Germany, 2016. [23] Z. Xiang, W. Zhang, and D. Lin, “On the division property of SIMON48 and SIMON64,” in International Workshop on Security,vol.9836,pp.147–163,Springer,Cham,Switzerland, 2016. [24] X.-L. Yu, W.-L. Wu, Z.-Q. Shi, J. Zhang, L. Zhang, and Y.-F. Wang, “Zero-correlation linear cryptanalysis of reduced-round simon,” JournalofComputerScienceandTechnology,vol.30,no. 6, pp. 1358–1369, 2015. [25] P. Zajac, “Upper bounds on the complexity of algebraic cryptanalysis of ciphers with a low multiplicative complexity,” Designs, Codes and Cryptography. An International Journal,vol. 82, no. 1-2, pp. 43–56, 2017. [26]G.Yang,B.Zhu,V.Suder,M.D.Aagaard,andG.Gong,“Te simeck family of lightweight block ciphers,” in International Workshop on Cryptographic Hardware and Embedded Systems, vol. 9293, pp. 307–329, Springer, Berlin, Heidelberg, 2015. [27] L. Qin, H. Chen, and X. Wang, “Linear hull attack on round- reduced simeck with dynamic key-guessing techniques,” in Australasian Conference on Information Security and Privacy, vol. 9723, pp. 409–424, Springer, Cham, Switzerland, 2016. International Journal of Rotating Advances in Machinery Multimedia

Journal of The Scientifc Journal of Engineering World Journal Sensors Hindawi Hindawi Publishing Corporation Hindawi Hindawi Hindawi www.hindawi.com Volume 2018 http://www.hindawi.comwww.hindawi.com Volume 20182013 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018

Journal of Control Science and Engineering

Advances in Civil Engineering Hindawi Hindawi www.hindawi.com Volume 2018 www.hindawi.com Volume 2018

Submit your manuscripts at www.hindawi.com

Journal of Journal of Electrical and Computer Robotics Engineering Hindawi Hindawi www.hindawi.com Volume 2018 www.hindawi.com Volume 2018

VLSI Design Advances in OptoElectronics International Journal of Modelling & International Journal of Simulation Aerospace Navigation and in Engineering Observation Engineering

Hindawi Hindawi Hindawi Hindawi Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 Volume 2018 Hindawi www.hindawi.com www.hindawi.com www.hindawi.com Volume 2018

International Journal of International Journal of Antennas and Active and Passive Advances in Chemical Engineering Propagation Electronic Components Shock and Vibration Acoustics and Vibration

Hindawi Hindawi Hindawi Hindawi Hindawi www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018 www.hindawi.com Volume 2018