Cryptanalysis of SIMON Variants with Connections

Abstract

SIMON is a family of 10 lightweight block ciphers published by Beaulieu et al. from the United States National Security Agency (NSA). A cipher in this family with \(K\)-bit key and \(N\)-bit block is called SIMON\({N}/{K}\). We present several linear characteristics for reduced-round SIMON32/64 that can be used for a key-recovery attack and extend them further to attack other variants of SIMON. Moreover, we provide results of key recovery analysis using several impossible differential characteristics starting from 14 out of 32 rounds for SIMON32/64 to 22 out of 72 rounds for SIMON128/256. In some cases the presented observations do not directly yield an attack, but provide a basis for further analysis for the specific SIMON variant. Finally, we exploit a connection between linear and differential characteristics for SIMON to construct linear characteristics for different variants of reduced-round SIMON. Our attacks extend to all variants of SIMON covering more rounds compared to any known results using linear cryptanalysis. We present a key recovery attack against SIMON128/256 which covers 35 out of 72 rounds with data complexity \(2^{123}\). We have implemented our attacks for small scale variants of SIMON and our experiments confirm the theoretical bias presented in this work.

Appendices

A Addenda to Impossible Differentials Cryptanalysis

In this appendix, we provide an example on impossible differential for Simon32/64 in Fig. 3. A detailed description on the attack and its complexity analysis can be found in an extended version of this part, see [4].

Fig. 3.

A 10-round impossible differential for Simon32/64. Tracing truncated output differences in respectively forward and backward directions give a contradiction on the right half truncated mask after 5 rounds, where a 0 overlaps a 1.

B Experimental Results of Linear Cryptanalysis for SIMON32/64

We evaluated the theoretical results presented in Eq. 11 for 11-round SIMON32/64 experimentally. Table 7 presents the results. It shows that experimental results justify the theory and the bias of the presented path is not less than \(2^{-16}\).

Table 7. Experimental results for the linear characteristic of 11-round SIMON32/64 of Eq. 11. \(P_n\) is the number of known plaintexts; \(C_n\) is the number of plaintext/ciphertext pairs that satisfy Eq. 11; \(p = 1/2 + \epsilon \) is the probability that Eq. 11 holds.

C Sequences of Approximation Used Through Driving the Linear Characteristic of Each Variant of SIMON

In Table 8 we give the propagation of our linear characteristics for SIMON32/64.

Table 8. Sequences of approximation for SIMON32/64. \(\mathcal{A}_L\) and \(\mathcal{A}_R\) denote the active bits in the left and right side respectively and App. denotes the approximation used for the corresponding bit(s) of \(\mathcal{A}_R\).