
Hindawi
Security and Communication Networks
Volume 2018, Article ID 5160237, 11 pages
https://doi.org/10.1155/2018/5160237

Research Article

Improved Integral Attacks on SIMON32 and SIMON48 with Dynamic Key-Guessing Techniques

Zhihui Chu,1,2 Huaifeng Chen,1,2 Xiaoyun Wang,1,2,3 Xiaoyang Dong,3 and Lu Li1,2

1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan 250100, China
2 School of Mathematics, Shandong University, Jinan 250100, China
3 Institute for Advanced Study, Tsinghua University, Beijing 100084, China

Correspondence should be addressed to Xiaoyun Wang; [email protected]

Received 17 July 2017; Accepted 3 January 2018; Published 19 February 2018

Academic Editor: Barbara Masucci

Copyright © 2018 Zhihui Chu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Dynamic key-guessing techniques, which exploit the property of AND operation, could improve the differential and linear cryptanalytic results by reducing the number of guessed subkey bits and lead to good cryptanalytic results for SIMON. They have only been applied in differential and linear attacks as far as we know. In this paper, dynamic key-guessing techniques are first introduced in integral cryptanalysis. According to the features of integral cryptanalysis, we extend dynamic key-guessing techniques and get better integral cryptanalysis results than before. As a result, we present integral attacks on 24-round SIMON32, 24-round SIMON48/72, and 25-round SIMON48/96. In terms of the number of attacked rounds, our attack on SIMON32 is better than any previously known attacks, and our attacks on SIMON48 are the same as the best attacks.

1. Introduction

The integral attack, proposed by Daemen et al. [1], is an important cryptanalytic technique for symmetric-key primitives. The integral distinguisher is based on the property that when some parts of the input (constant bits) of distinguishers are held constant whereas the other parts (active bits) vary through all possibilities, the sum of all the output values equals zero at some particular locations (balanced bits). In the key recovery, the sum is random if the guessed key is incorrect, while the sum is zero if the guessed key is correct. As a powerful class of cryptanalytic techniques, integral cryptanalysis has been applied to many block ciphers, especially the ones with low-degree round functions.

SIMON is a family of ten lightweight block ciphers designed by the US National Security Agency [2]. The SIMON2n/mn family of lightweight block ciphers have classical Feistel structures with 2n-bit block size and mn-bit key, where n is the word size. SIMON has been extensively scrutinized [3–25].

As an ultralightweight primitive, SIMON is a very good target for integral cryptanalysis. In integral cryptanalysis, Wang et al. [21] experimentally found an integral distinguisher for 14 rounds of SIMON32 and mounted a key-recovery attack on 21-round SIMON32. At EUROCRYPT 2015, Todo proposed the division property [17], which is a generalized integral property. This new technique enables the cryptographers to propagate the integral property in a more precise manner. As a result, an 11-round integral distinguisher of SIMON48 was found. Subsequently, using the bit-based division property, Todo and Morii proved the 14-round distinguisher of SIMON32 theoretically in [18]. However, searching integral characteristics by the bit-based division property requires much time and memory complexity. In order to overcome the problem, Xiang et al. [23] proposed a state partition to achieve a trade-off between the accuracy of the integral distinguisher and the time-memory complexity. Accordingly, Todo’s result was improved by one round for SIMON48. Afterwards, MILP method was applied by Xiang et al. [22] to find integral characteristics of some lightweight block ciphers, including a 15-round integral distinguisher for SIMON48. At ACNS 2016, some integral distinguishers of SIMON-like ciphers were constructed by Kondo et al. [10]. However, the block size considered is only 32 bits. Later in [7], with the equivalent-subkey technique, Fu et al. presented integral attacks on 22-round SIMON32, 22-round SIMON48/72, and 23-round SIMON48/96. Good results [6, 13, 20] were achieved in differential and linear cryptanalysis, as well. The cryptanalytic results that attack the most rounds of SIMON were obtained in [6], and these results were achieved by linear hull cryptanalysis. The most efficient differential and linear attacks on SIMON were presented with the help of dynamic key-guessing techniques.

With regard to dynamic key-guessing techniques, they were initially proposed to improve the differential attacks on SIMON [20]. The techniques, which exploit the property of AND operation, help reduce the average number of guessed key bits significantly in differential cryptanalysis. Then they were applied to linear hull attacks on SIMON [6]. In both [6, 20], with the techniques above, the adversaries are able to extend previous differential (resp., linear hull) results on SIMON by 2 to 4 more rounds, using existing differential (resp., linear hull) distinguishers. Subsequently, Qiao et al. [13] released a tool, which provides the differential security evaluation of SIMON given differential distinguishers of high probability. Moreover, with newly proposed differentials [9], Qiao et al. improved differential attacks against SIMON, using the techniques. Also in the differential cryptanalysis and linear cryptanalysis of Simeck [26], good results [13, 27] have been obtained by using dynamic key-guessing techniques. Up to now, the dynamic key-guessing techniques have only been combined with linear and differential cryptanalysis methods. There is no attempt to combine the dynamic key-guessing techniques with integral attack so far.

Besides the above results under the single-key model, the security of SIMON has also been evaluated under the related-key [11] and known-key [8] models. In the related-key setting, Kondo et al. [11] constructed a 15-round related-key impossible differential distinguisher of SIMON32.

Our Contributions. In this paper, we first apply dynamic key-guessing techniques to integral attacks. In our improved integral cryptanalysis, we extend dynamic key-guessing techniques to compute the sum, which is in the form of ∑� �(�, �) ⋅ �[�], where � is a nonlinear Boolean function and �[�] are counters for �. The dynamic key-guessing techniques improve the time complexity of the computation significantly. Please see the following example. Suppose �(�, �) = 1 ⊕ �1(�1, �1) & �2(�2, �2), where � = �1 ‖ �2, � = �1 ‖ �2, and �1 and �2 are two Boolean functions. We guess �1 at first; then we split � = �1 ‖ �2 into two sets: �1 = {� | �1(�1, �1) = 0} and �2 = {� | �1(�1, �1) = 1}. We continue to compute the sum for each set. For set �1, there is no need to guess �2 since �(�, �) = 1 when � ∈ �1. Finally, we sum them up.

Using the dynamic key-guessing techniques, we present improved integral attacks on SIMON32 and SIMON48 in the single-key model. We present integral attacks on 24-round SIMON32, 24-round SIMON48/72, and 25-round SIMON48/96. In terms of the number of attacked rounds, our attack on SIMON32 is better than any previously known attacks, and our attacks on SIMON48 are the same as the best attacks. In order to verify the correctness of our approach, we implement the summation procedure of the integral attack on 22-round SIMON32. A summary of our results is given in Table 1.

Outline. This paper is structured as follows. Section 2 briefly describes the specification of SIMON and some integral distinguishers. In Section 3, we discuss the time reduction in integral cryptanalysis of bit-oriented block ciphers. In Section 4, we present improved integral attacks on SIMON32 and SIMON48. In Section 4.1, we give the experimental result. Finally, Section 5 draws conclusions.

2. Preliminaries

2.1. Notations

n: the word size
��: the �th bit of bit string �
�[�−�] (or �� − ��): the �th to the �th bits of bit string �
��1,...,��: the XOR sum of ��, where � = �1, ..., ��, i.e., ⨁�∈{�1,...,��} ��
�‖�: concatenation of two bit strings � and �
��: the input of round � or output of round (� − 1)
��, ��: the left and right halves of ��, that is, �� = �� ‖ ��
��,� (resp. ��,�): the �th bit of bit string �� (resp. ��)
��,[�−�] (or ��,� − ��,�): the th to the th bits of bit string ��
��,[�−�] (or ��,� − ��,�): the �th to the �th bits of bit string ��
��: the subkey used in th round
�\{��1, ..., ���}: a new bit string, of which bits are derived from bit string �, excluding {��1, ..., ���}
⊕: bitwise XOR
&: bitwise AND
� ⋘ �: a left circular shift of bit string � by � bits
�[�], �[�], �[�]: counters for bit string �
��(�): ��(�) = ∑� �(�, �) ⋅ �[�], where � is a Boolean function of � and � (actually, ��(�) are counters for �)
�(�): �(�) = [(� ⋘ 1) & (� ⋘ 8)] ⊕ (� ⋘ 2)
�(�)�: the th bit of bit string �(�)

2.2. Description of SIMON2n/mn

SIMON2n/mn is a two-branch balanced Feistel network with 2n-bit block size and mn-bit key, where n is the word size. There are 10 variants for SIMON. The parameters of SIMON32/64, SIMON48/72,

Table 1: Summary of some related results for SIMON32 and SIMON48.

Target      Rounds  Data      Time                                 Memory (bytes)  Success probability  Attack type  Source
SIMON32/64  21      2^31      2^63 E                               2^54            1                    Integ.       [21]
SIMON32/64  21      2^31      2^55.25 E                            -               51%                  Diff.        [20]
SIMON32/64  22      2^31      2^63 E                               2^55.8          1                    Integ.       [7]
SIMON32/64  22      2^32      2^58.76 E                            -               31.5%                Diff.        [13]
SIMON32/64  23      2^31.19   2^57.19 TWO + 2^61.84 A + 2^56 E     -               28%                  Lin. hull    [6]
SIMON32/64  24      2^32      2^63 E                               2^33.64         1                    Integ.       Section 4.3
SIMON48/72  18      -         -                                    -               1                    Integ.       [23]
SIMON48/72  22      2^47      2^71 E                               2^42            1                    Integ.       [7]
SIMON48/72  23      2^47      2^63.25 E                            -               48%                  Diff.        [20]
SIMON48/72  24      2^47.92   2^69.92 ONE + 2^67.89 A + 2^56 E     -               -                    Lin. hull    [6]
SIMON48/72  24      2^48      2^71 E                               2^50            1                    Integ.       Appendix B.2
SIMON48/96  19      -         -                                    -               1                    Integ.       [23]
SIMON48/96  23      2^47      2^95 E                               2^47            1                    Integ.       [7]
SIMON48/96  24      2^47      2^87.25 E                            -               48%                  Diff.        [20]
SIMON48/96  24      2^48      2^78.99 E                            -               47.5%                Diff.        [13]
SIMON48/96  25      2^47.92   2^91.92 TWO + 2^89.89 A + 2^80 E     -               -                    Lin.
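The balanced-bit property that the Introduction describes can be checked directly on a few rounds of the SIMON32 round function. The block below is an added example, not code from the paper: it uses the function [(x ⋘ 1) & (x ⋘ 8)] ⊕ (x ⋘ 2) from Section 2.1 with the usual Feistel step (L, R) → (F(L) ⊕ R ⊕ K, L). Assumptions: the round keys are constructed random values rather than the SIMON key schedule, the helper names are this example's own, and it covers only 3 rounds with 9 active bits, far fewer than the distinguishers cited above.

```python
import random

N = 16                              # SIMON32 word size n
MASK = (1 << N) - 1

def rol(x, r):
    """Left circular shift of an N-bit word."""
    return ((x << r) | (x >> (N - r))) & MASK

def F(x):
    # [(x <<< 1) & (x <<< 8)] xor (x <<< 2), the function listed in Section 2.1
    return (rol(x, 1) & rol(x, 8)) ^ rol(x, 2)

def encrypt(left, right, round_keys):
    """Feistel rounds with caller-supplied round keys (no key schedule here)."""
    for k in round_keys:
        left, right = F(left) ^ right ^ k, left
    return left, right

def integral_sum(round_keys, active_bits, const_left, const_right):
    """XOR of all outputs while the chosen left-half bits take every value."""
    sum_l = sum_r = 0
    for v in range(1 << len(active_bits)):
        left = const_left
        for i, pos in enumerate(active_bits):
            left = (left & ~(1 << pos)) | (((v >> i) & 1) << pos)
        out_l, out_r = encrypt(left, const_right, round_keys)
        sum_l ^= out_l
        sum_r ^= out_r
    return sum_l, sum_r

def balanced_after(rounds, active_bits, trials=20, seed=2018):
    """True if every output bit is balanced for `trials` random keys/constants."""
    rng = random.Random(seed)       # constructed test data
    for _ in range(trials):
        keys = [rng.getrandbits(N) for _ in range(rounds)]
        cl, cr = rng.getrandbits(N), rng.getrandbits(N)
        if integral_sum(keys, active_bits, cl, cr) != (0, 0):
            return False
    return True

if __name__ == "__main__":
    # Degree after 3 rounds is at most 8, so 9 active bits give a zero sum.
    print(balanced_after(3, list(range(9))))
```

With only bits 0 and 7 active and a single round, `integral_sum` returns `(0x100, 0)`: bit 8 of the round function multiplies bits 7 and 0, so the degree there already reaches the number of active bits and that output bit is not balanced.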
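The set-splitting example under "Our Contributions" can be run on a toy instance to see where the saving comes from. The following Python block is an added example, not code from the paper: the names x, k, f1, f2, V and W, the 3-bit toy function g, and the constructed counters are assumptions, and the counters are taken as parity bits so that the sum is an XOR.

```python
import random

T = 3                          # toy width of x1, x2, k1, k2 (assumption)
MASK = (1 << T) - 1

def g(u):
    """Toy SIMON-like bit with one AND: (u0 & u1) ^ u2 (assumed, not from the paper)."""
    return ((u & 1) & ((u >> 1) & 1)) ^ ((u >> 2) & 1)

def f1(x1, k1): return g(x1 ^ k1)
def f2(x2, k2): return g(x2 ^ k2)

def sample_counters(seed=1):
    """Constructed parity counters V[x] for x = x1 || x2."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(1 << (2 * T))]

def naive_sums(V):
    """Guess all of k = k1 || k2 at once; returns (sums, work)."""
    sums, work = [], 0
    for k in range(1 << (2 * T)):
        k1, k2, s = k >> T, k & MASK, 0
        for x in range(1 << (2 * T)):
            s ^= (1 ^ (f1(x >> T, k1) & f2(x & MASK, k2))) & V[x]
            work += 1
        sums.append(s)
    return sums, work

def dynamic_sums(V):
    """Guess k1, split x on f1, and guess k2 only for the set where f1 = 1."""
    sums, work = [0] * (1 << (2 * T)), 0
    for k1 in range(1 << T):
        s1 = 0                 # set with f1 = 0: f = 1 for every k2
        W = [0] * (1 << T)     # set with f1 = 1: counters folded onto x2
        for x in range(1 << (2 * T)):
            if f1(x >> T, k1):
                W[x & MASK] ^= V[x]
            else:
                s1 ^= V[x]
            work += 1
        for k2 in range(1 << T):
            s2 = 0
            for x2 in range(1 << T):
                s2 ^= (1 ^ f2(x2, k2)) & W[x2]
                work += 1
            sums[(k1 << T) | k2] = s1 ^ s2
    return sums, work

if __name__ == "__main__":
    V = sample_counters()
    print(naive_sums(V)[1], dynamic_sums(V)[1])
```

Both functions return the same 64 sums; the work counter drops from 4096 to 1024 basic steps because the inner guess of k2 runs over counters indexed by x2 alone.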