Bit-Based Division Property and Application to Simon Family
Abstract
Ciphers that do not use S-boxes have been discussed for the demand on lightweight cryptosystems, and their round functions consist of and, rotation, and xor. Especially, the Simon family is one of the most famous ciphers, and there are many cryptanalyses against the Simon family. However, it is very difficult to guarantee the security because we cannot use useful techniques for S-box-based ciphers. Very recently, the division property, which is a new technique to find integral characteristics, was shown in Eurocrypt 2015. The technique is powerful for S-box-based ciphers, and it was used to break, for the first time, the full MISTY1 in CRYPTO 2015. However, it has not been applied to non-S-box-based ciphers like the Simon family effectively, and only the existence of the 10-round integral characteristic on Simon32 was proven. On the other hand, the experimental characteristic, which possibly does not work for all keys, covers 15 rounds, and there is a 5-round gap. To fill the gap, we introduce a bit-based division property, and we apply it to show that the experimental 15-round integral characteristic always works for all keys. Though the bit-based division property finds more accurate integral characteristics, it requires much time and memory complexity. As a result, we cannot apply it to symmetric-key ciphers whose block length is over 32. Therefore, we alternatively propose a method for designers. The method works for ciphers with large block length, and it shows “provable security” against integral cryptanalyses using the division property. We apply this technique to the Simon family and show that Simon48, 64, 96, and 128 probably do not have 17-, 20-, 25-, and 29-round integral characteristics, respectively.
Keywords
Integral cryptanalysis, Division property, Provable security, Simon family
1 Introduction
Non-S-box-based ciphers have been proposed for the demand on lightweight cryptosystems [2, 3]. Such ciphers are superior in lightweight environments because they are implemented by logical operations and do not have a lookup table like S-boxes. In 2013, the NSA proposed a lightweight block cipher family, called the Simon family, that follows this design principle [3]. However, it is too difficult to guarantee the security against several cryptanalyses because we cannot use many useful techniques for S-box-based ciphers. Therefore, many cryptanalyses have been proposed against the Simon family, e.g., [1, 5, 6, 10, 15, 18], and the designers recently summarized cryptanalyses in [4]. In this paper, we investigate the security of non-S-box-based ciphers against integral cryptanalyses and illustrate our methods on the Simon family.
Integral characteristics on Simon32
Our Contribution. The round function of the Simon family is regarded as any function of degree 2 in [17] because we cannot decompose the round function into several sub blocks like S-boxes. However, we can decompose the round function into every bit, and we call the division property that focuses on every bit a bit-based division property.
Provable secure number of rounds for the Simon family
Ciphers | Simon48 | Simon64 | Simon96 | Simon128 | reference |
---|---|---|---|---|---|
Vulnerable number | 14 rounds | 17 rounds | 21 rounds | 25 rounds | [21] |
Provable security | 17 rounds | 20 rounds | 25 rounds | 29 rounds | this paper |
Although the bit-based division property can find more accurate integral characteristics, their propagations require much time and memory complexity. When we evaluate the propagation for n-bit block ciphers, it roughly requires \(2^n\) complexity because the bit-based division property has to manage the set of n-dimensional vectors whose elements take values in \(\mathbb {F}_2\). This is feasible for Simon32 because the block length is 32 bits, but it is infeasible for other Simon family members. Therefore, we introduce a new technique, which is useful for designers but is not useful for attackers. We call this technique a lazy propagation, where we evaluate only a part of all propagations. The lazy propagation cannot find the integral characteristic, but it can evaluate the number of rounds for which the bit-based division property cannot find integral characteristics even if we can evaluate the accurate propagation. Namely, the technique shows “provable security” for the integral cryptanalysis using the division property, and we expect that it becomes a useful technique for designers. Our provable security guarantees the security against only the integral cryptanalysis using the division property, and it does not always guarantee the security against all integral-like cryptanalyses. However, for Simon32, the bit-based division property can find the accurate integral characteristic. Therefore, we expect that it also finds the best integral characteristic for the other Simon family if it is feasible. Table 2 shows the number of rounds of Simon48, 64, 96, and 128, where the division property never finds integral characteristics. As a result, we expect that Simon48, 64, 96, and 128 do not have 17-, 20-, 25-, and 29-round integral characteristics, respectively. Moreover, for comparison, Table 2 also shows the number of rounds for which Simon48, 64, 96, and 128 have integral characteristics [21].
2 Preliminaries
2.1 Notations
2.2 Integral Attack
The integral attack was first introduced by Daemen et al. to evaluate the security of Square [7], and then it was formalized by Knudsen and Wagner [9]. Attackers first prepare N chosen plaintexts and encrypt them R rounds. If the XOR of all encrypted texts becomes 0, we say that the cipher has an R-round integral characteristic with N chosen plaintexts. Finally, we analyze the entire cipher by using the integral characteristic. Therefore, it is very important to find integral characteristics. There are two main approaches to find integral characteristics. The first one is the propagation of the integral property [9] and the second one is based on the degree estimation [8, 11].
2.3 Division Property
The division property, which was proposed in [17], is a new method to find integral characteristics. This section briefly shows the definition and propagation rules. Please refer to [17] for details.
Definition of Division Property
Definition 1
See [17] to better understand the concept in detail, and [14] and [16] help readers understand the division property. In this paper, the division property for \((\mathbb {F}_2^n)^m\) is referred to as \(\mathcal{D}_{\mathbb {K}}^{n^m}\) for simplicity. If there are \(\varvec{k} \in \mathbb {K}\) and \(\varvec{k}' \in \mathbb {K}\) satisfying \(\varvec{k} \succeq \varvec{k}'\) in the division property \(\mathcal{D}_{\mathbb {K}}^{{n}_1, {n}_2, \ldots , {n}_{m}}\), \(\varvec{k}\) can be removed from \(\mathbb {K}\) because the vector \(\varvec{k}\) is redundant.
Propagation Rules of Division Property. Some propagation rules for the division property are proven in [17], and the rules are summarized in [16] as follows.
- Rule 1 (Substitution). Let F be a function that consists of m S-boxes, where the bit length and the algebraic degree of the ith S-box is \(n_i\) bits and \(d_i\), respectively. The input and output take a value of \((\mathbb {F}_2^{n_1} \times \mathbb {F}_2^{n_2} \times \cdots \times \mathbb {F}_2^{n_m})\), and \(\mathbb {X}\) and \(\mathbb {Y}\) denote the input multiset and output multiset, respectively. Assuming that the multiset \(\mathbb {X}\) has the division property \(\mathcal{D}_{\mathbb {K}}^{{n}_1, {n}_2, \ldots , {n}_{m}}\), the division property of the multiset \(\mathbb {Y}\) is \(\mathcal{D}_{\mathbb {K}'}^{{n}_1, {n}_2, \ldots , {n}_{m}}\) as $$\begin{aligned} \mathbb {K}' \leftarrow \left( \left\lceil \frac{k_1}{d_1} \right\rceil , \left\lceil \frac{k_2}{d_2} \right\rceil , \ldots , \left\lceil \frac{k_m}{d_m} \right\rceil \right) ,~~\forall \varvec{k} \in \mathbb {K}. \end{aligned}$$ Here, when the ith S-box is bijective and \(k_i=n_i\), the ith element of the propagated property becomes \(n_i\) not \(\lceil n_i/d_i \rceil \).
- Rule 2 (Copy). Let F be a copy function, where the input x takes a value of \(\mathbb {F}_2^{n}\) and the output is calculated as \((y_1,y_2)=(x,x)\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input multiset and output multiset, respectively. Assuming that the multiset \(\mathbb {X}\) has the division property \(\mathcal{D}_k^n\), the division property of the multiset \(\mathbb {Y}\) is \(\mathcal{D}_{\mathbb {K}'}^{n, n}\) as $$\begin{aligned} \mathbb {K}' \leftarrow (k-i, i),~~\mathrm{for}~0 \le i \le k. \end{aligned}$$
- Rule 3 (Compression by XOR). Let F be a function compressed by an XOR, where the input \((x_1,x_2)\) takes a value of \((\mathbb {F}_2^{n} \times \mathbb {F}_2^{n})\) and the output is calculated as \(y=x_1\oplus x_2\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input multiset and output multiset, respectively. Assuming that the multiset \(\mathbb {X}\) has the division property \(\mathcal{D}_{\mathbb {K}}^{n, n}\), the division property of the multiset \(\mathbb {Y}\) is \(\mathcal{D}_{k'}^{n}\) as $$\begin{aligned} k' = \min _{(k_1,k_2) \in \mathbb {K}}\{ k_1 + k_2\}. \end{aligned}$$ Here, if the minimum value of \(k'\) is larger than n, the propagation characteristic of the division property is aborted. Namely, a value of \(\oplus _{y \in \mathbb {Y}} \pi _v(y)\) is 0 for all \(v \in \mathbb {F}_2^n\).
- Rule 4 (Split). Let F be a split function, where the input x takes a value of \(\mathbb {F}_2^{n}\) and the output is calculated as \(x=y_1 \Vert y_2\), where \((y_1,y_2)\) takes a value of \((\mathbb {F}_2^{n_1} \times \mathbb {F}_2^{n-n_1})\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input multiset and output multiset, respectively. Assuming that the multiset \(\mathbb {X}\) has the division property \(\mathcal{D}_{k}^{n}\), the division property of the multiset \(\mathbb {Y}\) is \(\mathcal{D}_{\mathbb {K}'}^{n_1,n-n_1}\) as $$\begin{aligned} \mathbb {K}' \leftarrow (k-i, i),~~ \mathrm{for}~0 \le i \le k. \end{aligned}$$ Here, \((k-i)\) is less than or equal to \(n_1\), and i is less than or equal to \(n-n_1\).
- Rule 5 (Concatenation). Let F be a concatenation function, where the input \((x_1,x_2)\) takes a value of \((\mathbb {F}_2^{n_1} \times \mathbb {F}_2^{n_2})\) and the output is calculated as \(y=x_1 \Vert x_2\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input multiset and output multiset, respectively. Assuming that the multiset \(\mathbb {X}\) has the division property \(\mathcal{D}_{\mathbb {K}}^{n_1,n_2}\), the division property of the multiset \(\mathbb {Y}\) is \(\mathcal{D}_{k'}^{n_1+n_2}\) as $$\begin{aligned} k' = \min _{(k_1,k_2) \in \mathbb {K}}\{ k_1 + k_2\}. \end{aligned}$$
2.4 Simon Family
2.5 Known Integral Characteristic on Simon Family
It is difficult to find effective integral characteristics on ciphers which consist of and, rotation, and xor. In [18], authors experimentally showed that Simon32 has the 15-round integral characteristic with \(2^{31}\) chosen plaintexts. Since their characteristic is confirmed under \(2^{13}\) secret keys, they expected that the success probability of this characteristic is at least \(1-2^{-13}\). Therefore, this approach does not guarantee that the characteristic works for all secret keys. Moreover, it is practically infeasible to find integral characteristics of other Simon family members because the block length is too large for proceeding to an experimental evaluation.
Integral characteristics proved under all secret keys are shown in [17], but in this approach the round function of Simon2n is seen as any n-bit function of degree 2. Therefore, the detailed structure of the round function is not exploited. As a result, it shows that Simon32, 48, 64, 96, and 128 have 9-, 11-, 11-, 13-, and 13-round integral characteristics, respectively. Since the round key is XORed after the round function, we can trivially get one-round extended integral characteristics using the same technique in [18]. Therefore, 10-, 12-, 12-, 14-, and 14-round integral characteristics are proved in Simon32, 48, 64, 96, and 128, respectively. Thus, there is a 5-round gap between the proved characteristic and experimental one.
3 Conventional Bit-Based Division Property
3.1 Comparison Between Conventional Bit-Based Division Property and Solving Algebraic Equations
Before the introduction of the conventional bit-based division property, we roughly show the relation between the bit-based division property and the resolution of algebraic equations by brute force. When entire ciphers are represented by algebraic equations, such equations involve both the plaintext and secret key. Therefore, if we solve such equations for an n-bit block cipher with a k-bit secret key, this roughly requires \(2^{k+n}\) complexity. On the other hand, XORing with a constant value does not change the conventional bit-based division property because such XORing is a linear function [16]. Therefore, the propagation of the conventional bit-based division property does not involve the secret key. It may miss some useful cryptographic properties, but it dramatically reduces the complexity.
3.2 Propagation for Core Operation of Simon
As an example, we analyze Simon2n by using the conventional bit-based division property. We focus on only one bit of the right half in Simon2n. The core operation of the round function is represented by Fig. 2. Since the input and output bit length is 4 bits, we use the division property \(\mathcal{D}_{\mathbb {K}}^{1^4}\).
We consider the propagation characteristic. For instance, let us assume that the input multiset has \(\mathcal{D}_{[k_1, k_2, k_3, 1]}^{1^4}\), where \(k_i\) denotes any value, i.e., 0 or 1. Then, if the multiset of \((y_1, y_2, y_3, w_5, x_4)\) has \(\mathcal{D}_{[*, *, *, 1, 1]}^{1^5}\), where \(*\) is propagated values, the propagation always aborts in the XOR, \(x_4 \oplus w_5\). Consequently, the bit-based division property of \((y_1,y_2,y_3,y_4)\) is the same as that of \((x_1,x_2,x_3,x_4)\). On the other hand, assuming that the input multiset has \(\mathcal{D}_{[k_1,k_2,k_3,0]}^{1^4}\), the output property is different from the input one.
Propagation of the conventional bit-based division property for the core operation in the Simon family
Input \(\mathcal{D}_{\varvec{k}}^{1^4}\) | Output \(\mathcal{D}_{\mathbb {K}}^{1^4}\) |
---|---|
\(\varvec{k} = [0,0,0,0] \) | \(\mathbb {K} = \{[0,0,0,0]\}\) |
\(\varvec{k} = [1,0,0,0] \) | \(\mathbb {K} = \{[1,0,0,0], [0,0,0,1]\}\) |
\(\varvec{k} = [0,1,0,0] \) | \(\mathbb {K} = \{[0,1,0,0], [0,0,0,1]\}\) |
\(\varvec{k} = [1,1,0,0] \) | \(\mathbb {K} = \{[1,1,0,0], [0,0,0,1]\}\) |
\(\varvec{k} = [0,0,1,0] \) | \(\mathbb {K} = \{[0,0,1,0], [0,0,0,1]\}\) |
\(\varvec{k} = [1,0,1,0] \) | \(\mathbb {K} = \{[1,0,1,0], [0,0,1,1], [1,0,0,1]\}\) |
\(\varvec{k} = [0,1,1,0] \) | \(\mathbb {K} = \{[0,1,1,0], [0,0,1,1], [0,1,0,1]\}\) |
\(\varvec{k} = [1,1,1,0] \) | \(\mathbb {K} = \{[1,1,1,0], [0,0,1,1], [1,1,0,1]\}\) |
\(\varvec{k} = [k_1,k_2,k_3,1] \) | \(\mathbb {K} = \{[k_1,k_2,k_3,1]\}\) |
Size of \(\mathbb {K}\) in \(\mathcal{D}_{\mathbb {K}}^{1^{32}}\) for the integral characteristic on Simon32
Round | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
\(|\mathbb {K}|\) | 1 | 1 | 3 | 11 | 65 | 774 | 18165 | 587692 | 5191387 | 1595164 | 95768 | 5894 | 682 | 136 | 32 |
3.3 Application to Simon32
4 Bit-Based Division Property Using Three Subsets
4.1 Motivation
The conventional bit-based division property proved the existence of the 14-round integral characteristic of Simon32. However, the experimental characteristic covers 15 rounds [18], and there is still a one-round gap between the experiment and proof. In [18], the authors experimentally confirm the characteristic by randomly choosing \(2^{13}\) secret keys. Therefore, they concluded that the success probability of the characteristic is at least \(1 - 2^{-13}\). Thus, we consider that this gap arises either because the experimental result does not work for all keys or because the conventional bit-based division property cannot find the accurate characteristic.
We first show that the conventional bit-based division property is insufficient to find integral characteristics on Simon32, and we then introduce a new variant of the bit-based division property. The conventional bit-based division property focuses on whether the parity \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x})\) is 0 or unknown. On the other hand, the new variant focuses on whether the parity \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x})\) is 0, 1, or unknown. Therefore we call the new variant the bit-based division property using three subsets. The new variant can find more accurate integral characteristics and prove that the experimental characteristic shown in [18] works for all keys.
4.2 Characteristic that Conventional Bit-Based Division Property Cannot Find
The conventional division property divides the set of \(\varvec{u}\) according to whether the parity becomes 0 or unknown [17]. However, it sometimes overlooks useful characteristics. We show it by using a simple example.
We again evaluate the propagation of the conventional bit-based division property for the circuit in Fig. 2, and \(F : \mathbb {F}_2^4 \rightarrow \mathbb {F}_2^4\) denotes the circuit. Moreover, let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input and output multiset, respectively. Assuming that \(\mathbb {X}\) has \(\mathcal{D}_{\{[1,1,0,0], [0,0,1,0]\}}^{1^4}\), \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{[1,1,0,0]}(\varvec{x})\) and \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{[0,0,1,0]}(\varvec{x})\) are unknown. Then, the output multiset \(\mathbb {Y}\) has \(\mathcal{D}_{\{[1,1,0,0], [0,0,1,0], [0,0,0,1]\}}^{1^4}\) from Table 3.
Since the conventional division property focuses on the case where the parity becomes 0, it cannot find characteristics that appear by cancelling like the above example. Therefore, we newly introduce a variant of the bit-based division property to exploit this fact. The variant divides the set of \(\varvec{u}\) into three subsets, i.e., 0, 1, and unknown.
4.3 Definition of Bit-Based Division Property Using Three Subsets
The conventional division property uses the set \(\mathbb {K}\) to represent the subset of \(\varvec{u}\) such that \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x})\) is unknown. The bit-based division property using three subsets needs to represent not only the subset of \(\varvec{u}\) such that \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x})\) is unknown but also the subset of \(\varvec{u}\) such that \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x})\) is one. Therefore, we use the set \(\mathbb {K}\) to represent the subset of \(\varvec{u}\) such that \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x})\) is unknown, and we also use the set \(\mathbb {L}\) to represent the subset of \(\varvec{u}\) such that \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x})\) is one.
Definition 2
If there are \(\varvec{k} \in \mathbb {K}\) and \(\varvec{k}' \in \mathbb {K}\) satisfying \(\varvec{k} \succeq \varvec{k}'\), \(\varvec{k}\) can be removed from \(\mathbb {K}\) because the vector \(\varvec{k}\) is redundant. Moreover, when there is \(\varvec{k} \in \mathbb {K}\) satisfying \(W(\varvec{u}) \succeq \varvec{k}\), \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x})\) is unknown even if there is \(\varvec{\ell }\in \mathbb {L}\) satisfying \(W(\varvec{u}) = \varvec{\ell }\). Therefore, if there are \(\varvec{\ell }\in \mathbb {L}\) and \(\varvec{k} \in \mathbb {K}\) satisfying \(\varvec{\ell }\succeq \varvec{k}\), the vector \(\varvec{\ell }\) is redundant. Notice that redundant vectors in \(\mathbb {K}\) and \(\mathbb {L}\) do not affect whether \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x})\) becomes 0, 1, or unknown for any \(\varvec{u}\).
Example 1
4.4 Propagation Rules
We show propagation rules for the bit-based division property using three subsets. These rules are very similar to those of the conventional division property. Here, we show three rules, “Copy,” “Compression by AND,” and “Compression by XOR,” because any Boolean function can be evaluated by using these three rules. We omit the proof of three propagation rules in this paper because of the page limit; please see the full version of this paper.
- Rule 1 (Copy). Let F be a copy function, where the input \((x_1, x_2, \ldots , x_m)\) takes values of \((\mathbb {F}_2)^m\), and the output is calculated as \((x_1, x_1, x_2, x_3, \ldots , x_m)\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input multiset and output multiset, respectively. Assuming that \(\mathbb {X}\) has \(\mathcal{D}_{\mathbb {K}, \mathbb {L}}^{1^m}\), \(\mathbb {Y}\) has \(\mathcal{D}_{\mathbb {K}', \mathbb {L}'}^{1^{m+1}}\), where \(\mathbb {K}'\) and \(\mathbb {L}'\) are computed as $$\begin{aligned} \mathbb {K}'&\leftarrow {\left\{ \begin{array}{ll} (0, 0, k_2, \ldots , k_m), &{} \text{ if } k_1=0 \\ (1, 0, k_2, \ldots , k_m), (0, 1, k_2, \ldots , k_m), &{} \text{ if } k_1=1 \end{array}\right. }, \\ \mathbb {L}'&\leftarrow {\left\{ \begin{array}{ll} (0, 0, \ell _2, \ldots , \ell _m), &{} \text{ if } \ell _1=0 \\ (1, 0, \ell _2, \ldots , \ell _m), (0, 1, \ell _2, \ldots , \ell _m), (1, 1, \ell _2, \ldots , \ell _m) &{} \text{ if } \ell _1=1 \end{array}\right. }. \end{aligned}$$ from all \(\varvec{k} \in \mathbb {K}\) and all \(\varvec{\ell }\in \mathbb {L}\), respectively.
- Rule 2 (Compression by AND). Let F be a function compressed by an AND, where the input \((x_1, x_2, \ldots , x_m)\) takes values of \((\mathbb {F}_2)^m\), and the output is calculated as \((x_1 \wedge x_2, x_3, \ldots , x_m)\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input multiset and output multiset, respectively. Assuming that \(\mathbb {X}\) has \(\mathcal{D}_{\mathbb {K}, \mathbb {L}}^{1^m}\), \(\mathbb {Y}\) has \(\mathcal{D}_{\mathbb {K}', \mathbb {L}'}^{1^{m-1}}\), where \(\mathbb {K}'\) is computed from all \(\varvec{k} \in \mathbb {K}\) as $$\begin{aligned} \mathbb {K}'&\leftarrow \left( \left\lceil \frac{k_1+k_2}{2}\right\rceil , k_3, k_4, \ldots , k_m \right) . \end{aligned}$$ Moreover, \(\mathbb {L}'\) is computed from all \(\varvec{\ell }\in \mathbb {L}\) s.t. \((\ell _1,\ell _2)=(0,0)\) or (1, 1) as $$\begin{aligned} \mathbb {L}'&\leftarrow \left( \left\lceil \frac{\ell _1+\ell _2}{2}\right\rceil , \ell _3, \ell _4, \ldots , \ell _m \right) . \end{aligned}$$
- Rule 3 (Compression by XOR). Let F be a function compressed by an XOR, where the input \((x_1, x_2, \ldots , x_m)\) takes values of \((\mathbb {F}_2)^m\), and the output is calculated as \((x_1 \oplus x_2, x_3, \ldots , x_m)\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input multiset and output multiset, respectively. Assuming that \(\mathbb {X}\) has \(\mathcal{D}_{\mathbb {K}, \mathbb {L}}^{1^m}\), \(\mathbb {Y}\) has \(\mathcal{D}_{\mathbb {K}', \mathbb {L}'}^{1^{m-1}}\), where \(\mathbb {K}'\) is computed from all \(\varvec{k} \in \mathbb {K}\) s.t. \((k_1, k_2) = (0,0)\), (1, 0), or (0, 1) as $$\begin{aligned} \mathbb {K}'&\leftarrow (k_1+k_2, k_3, k_4, \ldots , k_m). \end{aligned}$$ Moreover, \(\mathbb {L'}\) is computed from all \(\varvec{\ell }\in \mathbb {L}\) s.t. \((\ell _1,\ell _2)=(0,0)\), (1, 0), or (0, 1) as $$\begin{aligned} \mathbb {L}'&\mathop {\leftarrow }\limits ^{\mathtt{x}} \left( \ell _1+\ell _2, \ell _3, \ell _4, \ldots , \ell _m \right) . \end{aligned}$$
4.5 Dependencies Between \(\mathbb {K}\) and \(\mathbb {L}\)
Propagation for Public Function. In the propagation rules shown in Sect. 4.4, \(\mathbb {K'}\) and \(\mathbb {L'}\) are computed from \(\mathbb {K}\) and \(\mathbb {L}\), respectively. Therefore, we can evaluate the propagation from \(\mathbb {K}\) and that from \(\mathbb {L}\) independently. However, independent propagations generate many redundant vectors in \(\mathbb {K'}\) and \(\mathbb {L'}\). Note that redundant vectors in \(\mathbb {K'}\) and \(\mathbb {L'}\) do not affect whether the parity becomes 0, 1, or unknown for any \(\varvec{u}\). Therefore, when we consider the propagation for public functions, we do not need to care about the dependencies between \(\mathbb {K}\) and \(\mathbb {L}\). On the other hand, if there are many redundant vectors, the propagation requires much time complexity. Therefore, we should remove redundant vectors if possible, purely for reasons of complexity.
XORing with Secret Round Key. For the public function, the propagation from \(\mathbb {K}\) and that from \(\mathbb {L}\) are independently evaluated. However, if the secret round key is XORed, every vector in \(\mathbb {L}\) affects \(\mathbb {K}\).
Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input and output multiset, respectively. Then, \(\varvec{y} \in \mathbb {Y}\) is computed as \(\varvec{y} = \varvec{x} \oplus \varvec{rk}\) for \(\varvec{x} \in \mathbb {X}\), where \(\varvec{rk}\) is the secret round key. Moreover, let \(\mathcal{D}_{\mathbb {K}, \mathbb {L}}^{1^m}\) and \(\mathcal{D}_{\mathbb {K'}, \mathbb {L'}}^{1^m}\) be the bit-based division property using three subsets on \(\mathbb {X}\) and \(\mathbb {Y}\), respectively. We want to get \(\mathbb {K'}\) and \(\mathbb {L'}\) from \(\mathbb {K}\) and \(\mathbb {L}\). We cannot know the secret round key. Therefore, the parity \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{v}}(\varvec{x} \oplus \varvec{rk})\) satisfying \(\varvec{v} \succ \varvec{\ell }\) becomes unknown because the parity depends on the secret round key.
4.6 Propagation for Core Operation of Simon
Propagation of the bit-based division property using three subsets for the core operation in the Simon family
Input \(\mathcal{D}_{\mathbb {K}, \{\varvec{\ell }\}}^{1^4}\) | Output \(\mathcal{D}_{\mathbb {K'},\mathbb {L'}}^{1^4}\) |
---|---|
\(\varvec{\ell }= [0,0,0,0]\) | \(\mathbb {L'} = \{[0,0,0,0]\}\) |
\(\varvec{\ell }= [1,0,0,0]\) | \(\mathbb {L'} = \{[1,0,0,0]\}\) |
\(\varvec{\ell }= [0,1,0,0]\) | \(\mathbb {L'} = \{[0,1,0,0]\}\) |
\(\varvec{\ell }= [1,1,0,0]\) | \(\mathbb {L'} = \{[1,1,0,0], [0,0,0,1], [1,0,0,1], [0,1,0,1], [1,1,0,1]\}\) |
\(\varvec{\ell }= [0,0,1,0]\) | \(\mathbb {L'} = \{[0,0,1,0], [0,0,0,1], [0,0,1,1]\}\) |
\(\varvec{\ell }= [1,0,1,0]\) | \(\mathbb {L'} = \{[1,0,1,0], [1,0,0,1], [1,0,1,1]\}\) |
\(\varvec{\ell }= [0,1,1,0]\) | \(\mathbb {L'} = \{[0,1,1,0], [0,1,0,1], [0,1,1,1]\}\) |
\(\varvec{\ell }= [1,1,1,0]\) | \(\mathbb {L'} = \{[1,1,1,0], [0,0,1,1], [1,0,1,1], [0,1,1,1], [1,1,0,1]\}\) |
\(\varvec{\ell }= [\ell _1,\ell _2,\ell _3,1]\) | \(\mathbb {L'} = \{[\ell _1,\ell _2,\ell _3,1]\}\) |
Sizes of \(\mathbb {K}\) and \(\mathbb {L}\) in \(\mathcal{D}_{\mathbb {K},\mathbb {L}}^{1^{32}}\) for the integral characteristic on Simon32
Round | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
\(|\mathbb {L}|\) | 1 | 1 | 5 | 19 | 138 | 2236 | 89878 | 4485379 | 47149981 | 2453101 | 20360 | 168 | 8 | 0 | 0 | 0 |
\(|\mathbb {K}|\) | 1 | 1 | 1 | 6 | 43 | 722 | 23321 | 996837 | 9849735 | 2524718 | 130724 | 7483 | 852 | 181 | 32 | 32 |
The core operation is a public function and it does not involve any secret information. Therefore, we can evaluate the propagation from \(\mathbb {K}\) and that from \(\mathbb {L}\) independently. Table 5 summarizes the propagation characteristics from \(\mathcal{D}_{\mathbb {K}, \{\varvec{\ell }\}}^{1^4}\) to \(\mathcal{D}_{\mathbb {K'}, \mathbb {L'}}^{1^4}\), where the propagation from \(\mathbb {K}\) to \(\mathbb {K'}\) is the same as that in Table 3. Next, the propagation on the round function can be evaluated by repeating for all bits of the right half. Finally, when round keys are XORed with the right half, new vectors are generated from \(\mathbb {L}\), and the new vectors are inserted into \(\mathbb {K}\).
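The following Python sketch is an added example, not code from the paper: it applies Rules 1 to 3 of Sect. 4.4 to the core operation, reproduces rows of the two core-operation propagation tables above, and compares one \(\mathbb {L}\) propagation with parities computed by brute force. It assumes the core circuit is \((y_1,y_2,y_3,y_4) = (x_1,x_2,x_3,x_4 \oplus (x_1 \wedge x_2) \oplus x_3)\), since Fig. 2 is not reproduced on this page, and it reads the arrow marked x in Rule 3 as "insert if absent, delete if present"; all function names are illustrative.

```python
from itertools import product

# Assumed core circuit (Fig. 2 is not reproduced on this page):
#   (y1, y2, y3, y4) = (x1, x2, x3, x4 ^ (x1 & x2) ^ x3)


def copy_bit(vecs, i, is_L):
    """Rule 1 (Copy): duplicate entry i; the copy is appended as the last entry."""
    out = set()
    for v in vecs:
        out.add(v + (0,))                              # weight stays on the original
        if v[i] == 1:
            out.add(v[:i] + (0,) + v[i + 1:] + (1,))   # weight moves to the copy
            if is_L:
                out.add(v + (1,))                      # L additionally keeps (1, 1)
    return out


def merge(vecs, i, j, op, is_L):
    """Rule 2 (AND) / Rule 3 (XOR): compress entries i and j (i < j) into entry i."""
    out = set()
    for v in vecs:
        a, b = v[i], v[j]
        if op == "and":
            if is_L and a != b:        # L propagates only from (0,0) or (1,1)
                continue
            r = (a + b + 1) // 2       # ceil((a + b) / 2)
        else:
            if a + b == 2:             # (1,1) does not propagate through XOR
                continue
            r = a + b
        w = v[:i] + (r,) + v[i + 1:j] + v[j + 1:]
        if is_L and op == "xor":
            out ^= {w}                 # assumed reading of the arrow marked x
        else:
            out.add(w)
    return out


def minimal(K):
    """Drop redundant vectors: k is removed when some other k' satisfies k >= k'."""
    return {k for k in K
            if not any(o != k and all(a >= b for a, b in zip(k, o)) for o in K)}


def core(vecs, is_L):
    """Propagate a set of 4-bit vectors (K if is_L is False, else L) through the core."""
    s = set(vecs)
    for i in (0, 1, 2):
        s = copy_bit(s, i, is_L)       # (x1, x2, x3, x4, a1, a2, c3)
    s = merge(s, 4, 5, "and", is_L)    # (x1, x2, x3, x4, w, c3)
    s = merge(s, 3, 4, "xor", is_L)    # (x1, x2, x3, x4 ^ w, c3)
    s = merge(s, 3, 4, "xor", is_L)    # (y1, y2, y3, y4)
    return s if is_L else minimal(s)


def parity(points, u):
    """XOR over the multiset of the bit product pi_u(x)."""
    return sum(all(x[i] for i in range(len(u)) if u[i]) for x in points) % 2


def core_eval(x):
    """Evaluate the assumed core circuit on one concrete 4-bit input."""
    x1, x2, x3, x4 = x
    return (x1, x2, x3, x4 ^ (x1 & x2) ^ x3)


def brute_force_check():
    """Constructed multiset: x1..x3 active, x4 fixed to 0, so every parity is known."""
    X = [(a, b, c, 0) for a, b, c in product((0, 1), repeat=3)]
    all_u = list(product((0, 1), repeat=4))
    L_in = {u for u in all_u if parity(X, u)}          # vectors with parity 1
    Y = [core_eval(x) for x in X]
    observed = {v for v in all_u if parity(Y, v)}
    return L_in, core(L_in, True), observed


if __name__ == "__main__":
    for k in product((0, 1), repeat=3):
        v = k + (0,)
        print(v, "K' =", sorted(core({v}, False)), "L' =", sorted(core({v}, True)))
    print(brute_force_check())
```

In the brute-force case the vector [1,1,1,1] is produced twice by the XOR rule and cancels, which matches the actual parity of 0 for that vector over the output multiset.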
4.7 Application to Simon32
We evaluate the propagation characteristic of the bit-based division property using three subsets on Simon32. We prepare chosen plaintexts such that the first bit is constant and the others are active, and the set of chosen plaintexts has \(\mathcal{D}_{\{[1,1,1,\ldots ,1]\}, \{[0,1,1,\ldots ,1]\}}^{1^{32}}\).
4.8 Application to Simeck32
5 Provable Security Against Integral Cryptanalysis
We introduced the bit-based division property using three subsets in Sect. 4, and we proved that this method can find more accurate integral characteristics than those found by the conventional division property. In particular, we showed that the new method can discover the tight characteristic on Simon32. However, a problem is left about the feasibility, i.e., the propagation of the division property requires much time and memory complexity. For instance, if we want to evaluate the propagation of the division property \(\mathcal{D}_{\mathbb {K}}^{n^m}\), the time and memory complexity is upper-bounded by \((n+1)^m\). Therefore, if the upper bound is too large, e.g., \((n+1)^m \gg 2^{32}\), it is difficult to evaluate the propagation. In the bit-based division property, the time and memory complexity is upper-bounded by \(2^n\), where n denotes the block length. Moreover, the bit-based division property using three subsets requires more complexity than that using two subsets. Therefore, we cannot apply the bit-based division property to the Simon family except for Simon32.
5.1 Provable Security for Designers
We cannot apply the bit-based division property to the Simon family except for Simon32, but we can show the “provable security” alternatively. When we design new symmetric-key primitives, we have to guarantee the security against several cryptanalyses. Provable security has been discussed in detail for differential and linear cryptanalyses [12, 13], but such tools do not exist for integral cryptanalysis.
Let \(\mathcal{D}_{\mathbb {K}_i,\mathbb {L}_i}^{1^m}\) denote the division property of the output set of the ith round function. We want to find R-round integral characteristics. Then, for any \(\varvec{u}\) with \(w(\varvec{u})=1\), we have to verify that there is no \(\varvec{k} \in \mathbb {K}_R\) satisfying \(W(\varvec{u}) \succeq \varvec{k}\) and no \(\varvec{\ell }\in \mathbb {L}_R\) satisfying \(W(\varvec{u}) = \varvec{\ell }\). Therefore, we have to get all vectors in \(\mathbb {K}_R\) and \(\mathbb {L}_R\), and such vectors are searched by an algorithm like breadth-first search. On the other hand, we want to show that an R-round integral characteristic cannot exist. Then, it is enough to show that \(\mathbb {K}_R\) has m distinct vectors whose Hamming weight is one, i.e., there are no balanced bits, and such vectors are searched by an algorithm like depth-first search. In our provable security, we aim to get such a number of rounds efficiently, and a lazy propagation is useful to find such a number of rounds.
Definition 3
(Lazy Propagation). Let \(\mathcal{D}_{\mathbb {K}_{i-1},\mathbb {L}_{i-1}}^{1^m}\) be the bit-based division property of the input set of the ith round function. The ith round function is applied, and let \(\mathcal{D}_{\bar{\mathbb {K}}_i, \bar{\mathbb {L}}_i}^{1^m}\) be the bit-based division property from the lazy propagation. Then, \(\bar{\mathbb {K}}_i\) is computed from only a part of vectors in \(\mathbb {K}_{i-1}\), and \(\bar{\mathbb {L}}_i\) always becomes the empty set \(\phi \).
The lazy propagation first removes all vectors from \(\mathbb {L}_{i-1}\). Moreover, it only evaluates the propagation from vectors with low Hamming weight in \(\mathbb {K}_{i-1}\) because such vectors are closer to unknown. Therefore, it is more efficiently evaluated than the accurate propagation.
Accurate propagations up to six rounds
#rounds | Simon48 \(\min _w(\mathbb {L})\) | Simon48 \(\min _w(\mathbb {K})\) | Simon64 \(\min _w(\mathbb {L})\) | Simon64 \(\min _w(\mathbb {K})\) | Simon96 \(\min _w(\mathbb {L})\) | Simon96 \(\min _w(\mathbb {K})\) | Simon128 \(\min _w(\mathbb {L})\) | Simon128 \(\min _w(\mathbb {K})\) |
---|---|---|---|---|---|---|---|---|
0 | 47 | 48 | 63 | 64 | 95 | 96 | 127 | 128 |
1 | 47 | 48 | 63 | 64 | 95 | 96 | 127 | 128 |
2 | 46 | 47 | 62 | 63 | 94 | 96 | 126 | 128 |
3 | 45 | 46 | 61 | 62 | 93 | 94 | 125 | 126 |
4 | 43 | 44 | 59 | 60 | 91 | 92 | 123 | 124 |
5 | 40 | 41 | 56 | 57 | 88 | 89 | 120 | 121 |
6 | 35 | 36 | 51 | 52 | 83 | 84 | 115 | 116 |
Lazy propagation of the bit-based division property for the Simon family
#rounds | Simon48 \(\min _w(\mathbb {K})\) | Simon48 Limit | Simon64 \(\min _w(\mathbb {K})\) | Simon64 Limit | Simon96 \(\min _w(\mathbb {K})\) | Simon96 Limit | Simon128 \(\min _w(\mathbb {K})\) | Simon128 Limit |
---|---|---|---|---|---|---|---|---|
7 | 30 | 33 | 46 | 61 | 78 | 81 | 110 | 113 |
8 | 20 | 23 | 35 | 38 | 68 | 71 | 100 | 103 |
9 | 11 | 14 | 23 | 26 | 55 | 57 | 87 | 88 |
10 | 7 | 10 | 13 | 15 | 40 | 41 | 71 | 71 |
11 | 5 | 8 | 9 | 10 | 27 | 28 | 59 | 59 |
12 | 3 | 8 | 6 | 8 | 17 | 17 | 42 | 42 |
13 | 2 | 5 | 4 | 7 | 11 | 11 | 32 | 32 |
14 | 2 | 3 | 3 | 7 | 8 | 9 | 21 | 21 |
15 | 1 | 2 | 2 | 7 | 5 | 6 | 15 | 15 |
16 | 1(u) | 1 | 2 | 4 | 4 | 6 | 10 | 10 |
17 | | | 1 | 3 | 3 | 6 | 8 | 8 |
18 | | | 1 | 1 | 2 | 6 | 5 | 6 |
19 | | | 1(u) | 1 | 2 | 6 | 4 | 6 |
20 | | | | | 1 | 6 | 3 | 6 |
21 | | | | | 1 | 6 | 2 | 6 |
22 | | | | | 1 | 6 | 2 | 6 |
23 | | | | | 1 | 1 | 2 | 6 |
24 | | | | | 1(u) | 1 | 1 | 6 |
25 | | | | | | | 1 | 6 |
26 | | | | | | | 1 | 6 |
27 | | | | | | | 1 | 6 |
28 | | | | | | | 1(u) | 1 |
5.2 Application to Simon Family
Even if there is a vector \(\varvec{k} \in \mathbb {K}\) satisfying \(\mathrm{Limit} < \sum _{i=1}^{2n}w(k_i)\), we do not evaluate the propagation from that \(\varvec{k}\). Therefore, if the propagation from the removed vector \(\varvec{k}\) immediately reaches the unknown, there is a gap between the accurate propagation and the lazy propagation. However, if the lazy propagation reaches the unknown in a specific number of rounds, the accurate propagation also reaches the unknown within the same number of rounds. Therefore, the lazy propagation is not useful for attackers, but it guarantees a number of rounds for which the bit-based division property cannot find integral characteristics.
As a result, the lazy propagation shows that 16-, 19-, 24-, and 28-round Simon48, 64, 96, and 128 probably do not have integral characteristics, respectively. However, we can get \((r+1)\)-round integral characteristics from r-round integral characteristics because round keys are XORed after the round function. Therefore, we expect that 17-, 20-, 25-, and 29-round Simon48, 64, 96, and 128 probably do not have integral characteristics, respectively.
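The lazy propagation of Definition 3 and the Limit cut-off discussed above, as an added example (not the authors' implementation) on a toy 10-bit Simon-like cipher. Assumptions: the word size N = 5, Simon's rotation amounts (1, 8, 2) reduced mod N, the conventional bit-based copy/AND/XOR rules applied to \(\mathbb {K}\) with \(\mathbb {L}\) kept empty, and Limit chosen as \(\min _w(\mathbb {K})\) plus a fixed slack; all function names are illustrative.

```python
from itertools import product

N = 5                      # toy word size (assumption); the block is 2N = 10 bits
MASK = (1 << N) - 1
ROT = (1, 8, 2)            # Simon's rotation amounts, reduced mod N inside rot()

def rot(x, r):
    r %= N
    return ((x << r) | (x >> (N - r))) & MASK

def weight(k):
    return bin(k).count("1")

def minimal(K):
    """Drop redundant vectors: k is redundant if another j in K satisfies k >= j bitwise."""
    return {k for k in K if not any(j != k and j & k == j for j in K)}

def propagate(K, slack=None):
    """One round on K; vectors are packed as (left << N) | right.
    slack=None gives the accurate propagation of K. Otherwise (lazy) only
    vectors with weight <= min_w(K) + slack are propagated (assumed Limit rule)."""
    if slack is not None:
        limit = min(map(weight, K)) + slack
        K = {k for k in K if weight(k) <= limit}
    out = set()
    for k in K:
        kl, kr = k >> N, k & MASK
        ones = [i for i in range(N) if kl >> i & 1]
        # Copy rule: each 1 in the left word goes to exactly one of four uses:
        # 0 = new right word, 1 and 2 = the two AND inputs, 3 = the XORed rotation.
        for use in product(range(4), repeat=len(ones)):
            m = [0, 0, 0, 0]
            for i, u in zip(ones, use):
                m[u] |= 1 << i
            a = rot(m[1], ROT[0]) | rot(m[2], ROT[1])   # AND rule: (k1, k2) -> k1 OR k2
            x = rot(m[3], ROT[2])
            if a & x or a & kr or x & kr:
                continue       # XOR rule: two 1s meeting at one XOR yield no vector
            out.add((a | x | kr) << N | m[0])
    return minimal(out)

def rounds_to_unknown(k0, slack=None, max_rounds=64):
    """First round at which K holds every unit vector (no balanced bit), else None."""
    K = {k0}
    for r in range(1, max_rounds + 1):
        K = propagate(K, slack)
        if all(1 << i in K for i in range(2 * N)):
            return r
    return None
```

Starting from a vector with one constant bit, `rounds_to_unknown(k0, slack=0)` is never smaller than `rounds_to_unknown(k0)`, which is the direction the argument above relies on; the all-ones vector (full codebook) never reaches the unknown.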
5.3 Characteristics that Bit-Based Division Property Cannot Find
We consider characteristics that the bit-based division property cannot find. Our provable security supposes that all round keys are randomly and secretly chosen. However, practical ciphers generate round keys from the secret key using the key scheduling algorithm. Therefore, our provable security does not cover integral characteristics that exploit the key scheduling algorithm.
The bit-based division property using three subsets focuses on the parity \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x})\), and divides the set of \(\varvec{u}\) into three subsets. Then, the propagation simply regards \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}_1}(\varvec{x}) \oplus \pi _{\varvec{u}_2}(\varvec{x})\) as unknown if either \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}_1}(\varvec{x})\) or \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}_2}(\varvec{x})\) is unknown. For instance, if \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}_1}(\varvec{x}) \oplus \pi _{\varvec{u}_2}(\varvec{x})\) is always 0 or 1 although \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}_1}(\varvec{x})\) and \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}_2}(\varvec{x})\) are unknown, the bit-based division property cannot exploit such a property.
6 Conclusions
The division property is a useful technique to find integral characteristics, but it has not been applied to non-S-box-based ciphers effectively. This paper focused on the bit-based division property. More precisely, this paper proposed a new variant using three subsets. The conventional bit-based division property divides the set of \(\varvec{u}\) into two subsets, but the new variant divides the set of \(\varvec{u}\) into three subsets. The bit-based division property using three subsets can prove that the experimental integral characteristic for Simon32 shown in [18] works for all keys. Moreover, we focused on the propagation of the division property. Then, we showed that the lazy propagation is useful to guarantee the security against integral cryptanalyses using the division property. As a result, we showed that 17-, 20-, 25-, and 29-round Simon48, 64, 96, and 128 probably do not have integral characteristics, respectively.
Footnotes
- 1. Since the round key is XORed after the round function in Simon, we can trivially get one-round extended integral characteristics.
- 2. If we truly guarantee the security against integral attack, we have to consider the key recovery part.
- 3. In [17], the division property was referred to as \(\mathcal{D}_{\mathbb {K}}^{n,m}\).
- 4. In [16], the propagation for MISTY1 was evaluated, and the division property \(\mathcal{D}_{\mathbb {K}}^{7,2,7,7,2,7,7,2,7,7,2,7}\) was used. Then, \(|\mathbb {K}|\) is upper bounded by \(8^8 \times 3^4=1358954496 \approx 2^{30.3}\), and it is feasible.
- 5. In our implementation, we could not calculate the accurate propagation up to 7 rounds because of the limitation of the memory size.
Notes
Acknowledgments
The authors would like to thank the anonymous referees for their helpful comments.
References
- 1. Abed, F., List, E., Lucks, S., Wenzel, J.: Differential cryptanalysis of round-reduced Simon and speck. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 525–545. Springer, Heidelberg (2015)
- 2. Aumasson, J.P., Jovanovic, P., Neves, S.: Norx v2.0, submission to CAESAR competition (2015)
- 3. Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. IACR Cryptology ePrint Archive 2013/404 (2013). http://eprint.iacr.org/2013/404
- 4. Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: SIMON and SPECK: block ciphers for the internet of things. IACR Cryptology ePrint Archive 2015/585 (2015). http://eprint.iacr.org/2015/585
- 5. Biryukov, A., Roy, A., Velichkov, V.: Differential analysis of block ciphers SIMON and SPECK. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 546–570. Springer, Heidelberg (2015)
- 6. Boura, C., Naya-Plasencia, M., Suder, V.: Scrutinizing and improving impossible differential attacks: applications to CLEFIA, Camellia, LBlock and Simon. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 179–199. Springer, Heidelberg (2014)
- 7. Daemen, J., Knudsen, L.R., Rijmen, V.: The block cipher SQUARE. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997)
- 8. Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1994)
- 9. Knudsen, L.R., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002)
- 10. Kölbl, S., Leander, G., Tiessen, T.: Observations on the SIMON block cipher family. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 161–185. Springer, Heidelberg (2015)
- 11. Lai, X.: Higher order derivatives and differential cryptanalysis. In: Blahut, R.E., Costello Jr., D.J., Maurer, U., Mittelholzer, T. (eds.) CC. SISECS, vol. 276, pp. 227–233. Springer, Heidelberg (1994)
- 12. Matsui, M.: New structure of block ciphers with provable security against differential and linear cryptanalysis. In: Gollmann, D. (ed.) FSE. LNCS, vol. 1039, pp. 205–218. Springer, Heidelberg (1996)
- 13. Nyberg, K., Knudsen, L.R.: Provable security against a differential attack. J. Cryptol. 8(1), 27–37 (1995)
- 14. Sun, B., Hai, X., Zhang, W., Cheng, L., Yang, Z.: New observation on division property. IACR Cryptology ePrint Archive 2015/459 (2015). http://eprint.iacr.org/2015/459
- 15. Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (Related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014)
- 16. Todo, Y.: Integral Cryptanalysis on Full MISTY1. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 413–432. Springer, Heidelberg (2015)
- 17. Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 287–314. Springer, Heidelberg (2015)
- 18. Wang, Q., Liu, Z., Varici, K., Sasaki, Y., Rijmen, V., Todo, Y.: Cryptanalysis of reduced-round SIMON32 and SIMON48. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 143–160. Springer, Heidelberg (2014)
- 19. Yang, G., Zhu, B., Suder, V., Aagaard, M.D., Gong, G.: The simeck family of lightweight block ciphers. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 307–329. Springer, Heidelberg (2015)
- 20. Zhang, H., Wu, W.: Structural evaluation for generalized feistel structures and applications to Lblock and TWINE. In: Biryukov, A., Goyal, V. (eds.) INDOCRYPT 2015. LNCS, vol. 9462, pp. 218–237. Springer, Heidelberg (2015)
- 21. Zhang, H., Wu, W., Wang, Y.: Integral attack against bit-oriented block ciphers. In: Kwon, S., Yun, A. (eds.) ICISC 2015. LNCS, vol. 9558, pp. 102–118. Springer, Heidelberg (2016). doi: 10.1007/978-3-319-30840-1_7