Abstract
In this paper we analyse the general class of functions underlying the Simon block cipher. In particular, we derive efficiently computable and easily implementable expressions for the exact differential and linear behaviour of Simonlike round functions.
Following up on this, we use those expressions for a computer aided approach based on SAT/SMT solvers to find both optimal differential and linear characteristics for Simon. Furthermore, we are able to find all characteristics contributing to the probability of a differential for Simon32 and give better estimates for the probability for other variants.
Finally, we investigate a large set of Simon variants using different rotation constants with respect to their resistance against differential and linear cryptanalysis. Interestingly, the default parameters seem to be not always optimal.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
Keywords
1 Introduction
Lightweight cryptography studies the deployment of cryptographic primitives in resourceconstrained environments. This research direction is driven by a demand for costeffective, smallscale communicating devices such as RFID tags that are a cornerstone in the Internet of Things. Most often the constrained resource is taken to be the chiparea but other performance metrics such as latency [7], codesize [2] and ease of sidechannel protection [12] have been considered as well. Some of these criteria were already treated in Noekeon [9].
The increased importance of lightweight cryptography and its applications has lately been reflected in the NSA publishing two dedicated lightweight cipher families: Simon and Speck [5]. Considering that this is only the third time within four decades that the NSA has published a block cipher, this is quite remarkable. Especially as NIST has started shortly after this publication to investigate the possibilities to standardise lightweight primitives, Simon and Speck certainly deserve a thorough investigation. This is emphasised by the fact that, in contrast to common practice, neither a security analysis nor a justification of the daaesign choices were published by the NSA. This lack of openness necessarily gives rise to curiosity and caution.
In this paper we focus on the Simon family of block ciphers; an elegant, innovative and very efficient set of block ciphers. There exists already a large variety of papers, mainly focussed on evaluating Simon’s security with regard to linear and differential cryptanalysis. Most of the methods used therein are rather adhoc, often only using approximative values for the differential round probability and in particular for the linear square correlation of one round.
Our Contribution. With this study, we complement the existing work threefold. Firstly we develop an exact closed form expression for the differential probability and a \(\log (n)\) algorithm for determining the square correlation over one round. Their accuracy is proven rigorously. Secondly we use these expressions to implement a model of differential and linear characteristics for SAT/SMT solvers which allows us to find the provably best characteristics for different instantiations of Simon. Furthermore we are able to shed light on how differentials in Simon profit from the collapse of many differential characteristics. Thirdly by generalising the probability expressions and the SAT/SMT model, we are able to compare the quality of different parameter sets with respect to differential and linear cryptanalysis.
As a basis for our goal to understand both the security of Simon as well as the choice of its parameter set, we rigorously derive formulas for the differential probabilities and the linear square correlations of the Simonlike round function that can be evaluated in constant time and time linear in the word size respectively. More precisely, we study differential probabilities and linear correlations of functions of the form
where \(S^i(x)\) corresponds to a cyclic left shift of x and \(\odot \) denotes the bitwise AND operation.
We achieve this goal by first simplifying this question by considering equivalent descriptions both of the round function as well as the whole cipher (cf. Sect. 2.4). These simplifications, together with the theory of quadratic boolean functions, result in a clearer analysis of linear and differential properties (cf. Sects. 3 and 4). Importantly, the derived simple equations for computing the probabilities of the Simon round function can be evaluated efficiently and, more importantly maybe, are conceptually very easy. This allows them to be easily used in computeraided investigations of differential and linear properties over more rounds. It should be noted here that the expression for linear approximations is more complex than the expression for the differential case. However, with respect to the running time of the computeraided investigations this difference is negligible.
We used this to implement a framework based on SAT/SMT solvers to find the provably best differential and linear characteristics for various instantiations of Simon (cf. Sect. 5, in particular Table 1). Furthermore we are able to shed light on how differentials in Simon profit from the collapse of many differential characteristics by giving exact distributions of the probabilities of these characteristics for chosen differentials. The framework is open source and publicly available to encourage further research [13].
In Sect. 6 we apply the developed theory and tools to investigate the design space of Simonlike functions. In particular, using the computeraided approach, we find that the standard Simon parameters are not optimal with regard to the best differential and linear characteristics.
As a side result, we improve the probabilities for the best known differentials for several variants and rounds of Simon. While this might well lead to (slightly) improved attacks, those improved attacks are out of the scope of our work.
Interestingly, at least for Simon32 our findings indicate that the choices made by the NSA are good but not optimal under our metrics, leaving room for further investigations and questions. To encourage further research, we propose several alternative parameter choices for Simon32. Here, we are using the parameters that are optimal when restricting the criteria to linear, differential and dependency properties. We encourage further research on those alternative choices to shed more light on the undisclosed design criteria.
We also like to point out that the Simon keyscheduling was not part of our investigations. Its influence on the security of Simon is left as an important open question for further investigations. In line with this, whenever we investigate multiround properties of Simon in our work, we implicitly assume independent round keys in the computation of probabilities.
Finally, we note that most of our results can be applied to more general constructions, where the involved operations are restricted to AND, XOR, and rotations.
Related Work. There are various papers published on the cryptanalysis of Simon [1, 3, 6, 17–19]. The most promising attacks so far are based on differential and linear cryptanalysis, however a clear methodology of how to derive the differential probabilities and square correlations seems to miss in most cases. Biryukov, Roy and Velichkov [6] derive a correct, but rather involved method to find the differential probabilities. Abed, List, Lucks and Wenzel [1] state an algorithm for the calculation of the differential probabilities but without further explanation. For the calculation of the square correlations an algorithm seems to be missing all together.
Previous work also identifies various properties like the strong differential effect and give estimate of the probability of differentials.
The concept behind our framework was previously also applied on the ARX cipher Salsa20 [14] and the CAESAR candidate NORX [4]. In addition to the applications proposed in previous work we extend it for linear cryptanalysis, examine the influence of rotation constants and use it to compute the distribution of characteristics corresponding to a differential.
2 Preliminaries
In this section, we start by defining our notation and giving a short description of the round function. We recall suitable notions of equivalence of Boolean functions that allow us to simplify our investigations of Simonlike round functions. Most of this section is generally applicable to ANDRX constructions, i.e. constructions that only make use of the bitwise operations AND, XOR, and rotations.
2.1 Notation
We denote by \({{\mathrm{\mathbb {F}}}}_2\) the field with two elements and by \({{\mathrm{\mathbb {F}}}}_2^n\) the ndimensional vector space over \({{\mathrm{\mathbb {F}}}}_2\). By \({{\mathrm{\mathbf {0}}}}\) and \({{\mathrm{\mathbf {1}}}}\) we denote the vectors of \({{\mathrm{\mathbb {F}}}}_2^n\) with all 0s and all 1s respectively. The Hamming weight of a vector \(a\in {{\mathrm{\mathbb {F}}}}_2^n\) is denoted as \({{\mathrm{wt}}}(a)\). By \({{\mathrm{\mathbb {Z}}}}_n\) we denote the integers modulo n.
The addition in \({{\mathrm{\mathbb {F}}}}_2^n\), i.e. bitwise XOR, is denoted by \(+\). By \(\odot \) we denote the AND operation in \({{\mathrm{\mathbb {F}}}}_2^n\), i.e. multiplication over \({{\mathrm{\mathbb {F}}}}_2\) in each coordinate:
By \(\vee \) we denote the bitwise OR operation. By \(\overline{x}\) we denote the bitwise negation of x, i.e. \(\overline{x} := (x + {{\mathrm{\mathbf {1}}}})\). We denote by \(S^i:{{\mathrm{\mathbb {F}}}}_2^n \rightarrow {{\mathrm{\mathbb {F}}}}_2^n\) the left circular shift by i positions. We also note that any arithmetic of bit indices is always done modulo the word size n.
In this paper we are mainly concerned with functions of the form
and we identify such functions with its triple (a, b, c) of parameters.
For a vectorial Boolean function on n bits, \(f:{{\mathrm{\mathbb {F}}}}_2^n \rightarrow {{\mathrm{\mathbb {F}}}}_2^n\), we denote by
the Walsh (or Fourier) coefficient with input mask \(\alpha \) and output mask \(\beta \). Here we use \(\mu (x)=(1)^x\) to simplify the notation.
The corresponding squared correlation of f is given by
For differentials we similarly denote by \(\Pr (\alpha \xrightarrow []{~~} \beta )\) the probability that a given input difference \(\alpha \) results in a given output difference \(\beta \), i.e.
Furthermore, \(\mathsf {Dom}(f)\) is the domain of a function f, \(\mathsf {Img}(f)\) is its image.
2.2 Description of SIMON
Simon is a family of lightweight block ciphers with block sizes 32, 48, 64, 96, and 128 bits. The constructions are Feistel ciphers using a word size n of 16, 24, 32, 48 or 64 bits, respectively. We will denote the variants as Simon2n. The key size varies between of 2, 3, and 4 nbit words. The round function of Simon is composed of AND, rotation, and XOR operations on the complete word (see Fig. 1). More precisely, the round function in Simon corresponds to
that is to the parameters (8, 1, 2) for f as given in Eq. (1). As we are not only interested in the original Simon parameters, but in investigating the entire design space of Simonlike functions, we denote by
the variant of Simon where the original round function is replaced by \(f_{a,b,c}\) (cf. Eq. (1)).
As it is out of scope for our purpose, we refer to [5] for the description of the keyscheduling.
2.3 Affine Equivalence of Boolean Functions
Given two (vectorial) Boolean functions \(f_1\) and \(f_2\) on \({{\mathrm{\mathbb {F}}}}_2^n\) related by
where A and B are affine permutations and C is an arbitrary affine mapping on \({{\mathrm{\mathbb {F}}}}_2^n\) we say that \(f_1\) and \(f_2\) are extended affine equivalent (cf. [8] for a comprehensive survey).
With respect to differential cryptanalysis, if \(f_1\) and \(f_2\) are extended affine equivalent then the differential \(\alpha \xrightarrow []{f_1} \beta \) over \(f_1\) has probability p if and only if the differential
over \(f_2\) has probability p as well.
For linear cryptanalysis, a similar relation holds for the linear correlation. If \(f_1\) and \(f_2\) are related as defined above, it holds that
Thus up to linear changes we can study \(f_2\) instead of \(f_1\) directly. Note that, for an actual attack, these changes are usually critical and can certainly not be ignored. However, tracing the changes is, again, simple linear algebra.
For differential and linear properties of Simonlike functions of the form
this implies that it is sufficient to find the differential and linear properties of the simplified variant
and then transfer the results back by simply using linear algebra.^{Footnote 1}
2.4 Structural Equivalence Classes in ANDRX Constructions
ANDRX constructions, i.e. constructions that make only use of the operations AND (\(\odot \)), XOR (\(+\)), and rotations (\(S^r\)), exhibit a high degree of symmetry. Not only are they invariant under rotation of all input words, output words and constants, they are furthermore structurally invariant under any affine transformation of the bitindices. As a consequence of this, several equivalent representations of the Simon variants exist.
Let T be a permutation of the bits of an nbit word that corresponds to an affine transformation of the bitindices. Thus there are \(s\in {{\mathrm{\mathbb {Z}}}}_n^*\) and \(t\in {{\mathrm{\mathbb {Z}}}}_n\) such that bit i is renamed to \(s\cdot i + t\). As the AND and XOR operations are bitwise, T clearly commutes with these:
where v and w are nbit words. A rotation to the left by r can be written bitwise as \( S^r(v)_i = v_{ir}\). For a rotation, we thus get the following bitwise relation after transformation with T
Substituting \(s\cdot i + t\) with j this is the same as
Thus the rotation by r has been changed to a rotation by \(s\cdot r\). Thus we can write
Commuting the linear transformation of the bitindices with a rotation thus only changes the rotation constant by a factor. In the special case where all input words, output words and constants are rotated, which corresponds to the case \(s=1\), the rotation constant are left untouched.
To summarize the above, when applying such a transformation T to all input words, output words and constants in an ANDRX construction, the structure of the constructions remains untouched apart from a multiplication of the rotation constants by the factor s.
This means for example for Simon32 that changing the rotation constants from (8, 1, 2) to \((3\cdot 8, 3\cdot 1, 3\cdot 2) = (8,3,6)\) and adapting the key schedule accordingly gives us the same cipher apart from a bit permutation. As s has to be coprime to n, all s with \(\gcd (s,n)=1\) are allowed, giving \(\varphi (n)\) equivalent tuples of rotation constants in each equivalence class where \(\varphi \) is Euler’s phi function.
Together with the result from Sect. 2.3, this implies the following lemma.
Lemma 1
Any function \(f_{a,b,c}\) as defined in Eq. (1) is extended affine equivalent to a function
where dn or \(d=0\).
When looking at differential and square correlations of Simonlike round functions this means that it is sufficient to investigate this restricted set of functions. The results for these functions can then simply be transferred to the general case.
3 Differential Probabilities of SIMONlike Round Functions
In this section, we derive a closed expression for the differential probability for all Simonlike round functions, i.e. all functions as described in Eq. (1). The main ingredients here are the derived equivalences and the observation that any such function is quadratic. Being quadratic immediately implies that its derivative is linear and thus the computation of differential probabilities basically boils down to linear algebra (cf. Theorem 1). However, to be able to efficiently study multipleround properties and in particular differential characteristics, it is important to have a simple expression for the differential probabilities. Those expressions are given for \(f(x)=x\odot S^1(x)\) in Theorem 2 and for the general case in Theorem 3.
3.1 A Closed Expression for the Differential Probability
The following statement summarises the differential properties of the f function.
Theorem 1
Given an input difference \(\alpha \) and an output difference \(\beta \) the probability p of the corresponding differential (characteristic) for the function \(f(x) = x \odot S^a(x)\) is given by
where
and
Proof
We have to count the number of solutions to the equation
This simplifies to
As this is an affine equation, it either has zero solutions or the number of solutions equals the kernel size, i.e. the number of elements in the subspace
Clearly, the equation has solutions if and only if \(\beta + \alpha \odot S^a(\alpha )\) is in the image of \(L_{\alpha }\). \(\square \)
Next we present a closed formula to calculate the differential probability in the case where \(a=1\). Furthermore we restrict ourselves to the case where n is even.
Theorem 2
Let
and
Then the probability that difference \(\alpha \) goes to difference \(\beta \) is
Proof
According to Theorem 1, we need to prove two things. Firstly we need to prove that the rank of \(L_\alpha \) (i.e. \(n\dim \ker L_\alpha \)) is \(n1\) when \(\alpha ={{\mathrm{\mathbf {1}}}}\), and \({{\mathrm{wt}}}(\mathtt {varibits} + \mathtt {doublebits})\) otherwise. Secondly we need to prove that \( \beta +\alpha \odot S^1(\alpha ) \in \mathsf {Img}(L_{\alpha })\) iff \({{\mathrm{wt}}}(\beta ) \equiv 0 \mod 2\) when \(\alpha = {{\mathrm{\mathbf {1}}}}\), and that \( \beta +\alpha \odot S^1(\alpha ) \in \mathsf {Img}(L_{\alpha })\) iff \(\beta \odot \mathtt {varibits} = {{\mathrm{\mathbf {0}}}} \text { and } (\beta + S^{1}(\beta )) \odot \mathtt {doublebits} = {{\mathrm{\mathbf {0}}}}\) when \(\alpha \ne {{\mathrm{\mathbf {1}}}}\).
We first consider the first part. Let us write \(L_\alpha (x)\) in matrix form and let us take x to be a column vector. \(S^1(\alpha )\odot x\) can be written as \(M_{S^1(\alpha )\odot }x\) with
Equivalently we can write \(\alpha \odot x\) and \(S^1(x)\) with matrices as \(M_{\alpha \odot }x\) and \(M_{S^1}x\) respectively where
i.e. \(M_{S^1}\) consists of two identity and two zero submatrices. The result of \(M_{S^1(\alpha )\odot } + M_{\alpha \odot }M_{S^1}\) can now be written as
Clearly the rank of the matrix is \(n1\) when all \(\alpha _i\) are 1. Suppose now that not all \(\alpha _i\) are 1. In that case, a set of nonzero rows is linearly dependent iff there exist two identical rows in the set. Thus to calculate the rank of the matrix, we need to calculate the number of unique nonzero rows.
By associating the rows in the above matrix with the bits in \(\mathtt {varibits}\), we can clearly see that the number of nonzero rows in the matrices corresponds to the number of 1s in \(\mathtt {varibits} = S^1(\alpha ) \vee \alpha \).
To count the number of nonunique rows, first notice that a nonzero row can only be identical to the row exactly above or below. Suppose now that a nonzero row i is identical to the row \((i1)\) above. Then \(\alpha _{i1}\) has to be 0 while \(\alpha _i\) and \(\alpha _{i2}\) have to be 1. But then row i cannot simultaneously be identical to row \((i+1)\) below. Thus it is sufficient to calculate the number of nonzero rows minus the number of rows that are identical to the row above it to find the rank of the matrix. Noting that row i is nonzero iff \(\alpha _i \alpha _{i1}\) and that \(\alpha _i \overline{\alpha _{i1}} \alpha _{i2}\) is only equal 1 when row i is nonzero and equal to the row above it. Thus calculating the number of i for which
is equal 1 gives us the rank of \(L_\alpha \). This corresponds to calculating \({{\mathrm{wt}}}(\mathtt {varibits} + \mathtt {doublebits})\).
For the second part of the proof, we need to prove the conditions that check whether \(\beta +\alpha \odot S^1(\alpha ) \in \mathsf {Img}(L_{\alpha })\). First notice that \(\alpha \odot S^1(\alpha )\) is in the image of \(L_\alpha \) (consider for x the vector with bits alternately set to 0 and 1). Thus it is sufficient to test whether \(\beta \) is in \(\mathsf {Img}L_\alpha \). Let \(y = L_\alpha (x)\). Let us first look at the case of \(\alpha = {{\mathrm{\mathbf {1}}}}\). Then \(L_\alpha (x) = x+S^1(x)\). We can thus deduce from bit \(y_i\) whether \(x_i=x_{i1}\) or \(x_i\ne x_{i1}\). Thus the bits in y create a chain of equalities/inequalities in the bits of x which can only be fulfilled if there the number of inequalities is even. Hence in that case \(\beta \in \mathsf {Img}L_\alpha \) iff \({{\mathrm{wt}}}(\beta ) \equiv 0 \mod 2\).
For the case that \(\alpha \ne {{\mathrm{\mathbf {1}}}}\), we first note that \(y_i\) has to be zero if the corresponding row i in the matrix of Eq. (4) is all zeroes. Furthermore following our discussion of this matrix earlier, we see that \(y_i\) is independent of the rest of y if the corresponding row is linearly independent of the other rows and that \(y_i\) has to be the same as \(y_{i1}\) if the corresponding rows are identical. Thus we only need to check that the zerorows of the matrix correspond to zero bits in \(\beta \) and that the bits in \(\beta \) which correspond to identical rows in the matrix are equal. Thus \(\beta \) is in the image of \(L_\alpha \) iff \(\beta \odot \overline{\mathtt {varibits}} = {{\mathrm{\mathbf {0}}}}\) and \((\beta + S^{1}(\beta )) \odot \mathtt {doublebits} = {{\mathrm{\mathbf {0}}}}\). \(\square \)
3.2 The Full Formula for Differentials
Above we treated only the case for the simplified function \(f(x)=x\cdot S^1(x)\). As mentioned earlier, the general case where \(\gcd (ab,n) = 1\) can be deduced from this with linear algebra. When \(\gcd (d,n) \ne 1\) though, the function \(f(x) = x \odot S^d(x)\) partitions the output bits into independent classes. This not only raises differential probabilities (worst case \(d=0\)), it also makes the notation for the formulas more complex and cumbersome, though not difficult. We thus restrict ourselves to the most important case when \(\gcd (ab,n) = 1\). The general formulas are then
Theorem 3
Let \(f(x) = S^a(x) \odot S^b(x) + S^c(x)\), where \(\gcd (n,ab)=1\), n even, and \(a > b\) and let \(\alpha \) and \(\beta \) be an input and an output difference. Then with
and
and
we have that the probability that difference \(\alpha \) goes to difference \(\beta \) is
For a more intuitive approach and some elaboration on the differential probabilities, we refer to the ePrint version of this paper.
4 Linear Correlations of SIMONlike Round Functions
As in the differential case, for the study of linear approximations, we also build up on the results from Sects. 2.3 and 2.4. We will thus start with studying linear approximations for the function \(f(x) = x \odot S^a(x)\). Again, the key point here is that all those functions are quadratic and thus their Fourier coefficient, or equivalently their correlation, can be computed by linear algebra (cf. Theorem 4). Theorem 5 is then, in analogy to the differential case, the explicit expression for the linear correlations. It basically corresponds to an explicit formula for the dimension of the involved subspace.
The first result is the following:
Theorem 4
where
and
Proof
We compute
Now for the sum over x only two outcomes are possible, \(2^n\) or zero. More precisely, it holds that
Thus, defining
we get
Now as
Now, the function \(f_{\beta }:=\langle \beta ,f(y)\rangle \) is linear over \(U_\beta \) as can be easily seen by the definition of \(U_\beta \). Moreover, as \(f_{\beta }\) is unbalanced for all \(\beta \), it follows that actually \(f_{\beta }\) is constant zero on \(U_{\beta }\). We thus conclude that
With a similar argument as above, it follows that \({\widehat{f}}(\alpha ,\beta )^2\) is nonzero if and only if \(\alpha \) is contained in \(U_{\beta }^{\perp }\). \(\square \)
Let us now restrict ourselves to the case where \(f(x) = x\odot S^1(x)\). The general case can be deduced analogously to the differential probabilities. For simplicity we also restrict ourselves to the case where n is even.
First we need to introduce some notation. Let \(x\in {{\mathrm{\mathbb {F}}}}_2^n\) with not all bits equal to 1. We now look at blocks of consecutive 1s in x, including potentially a block that “wraps around” the ends of x. Let the lengths of these blocks, measured in bits, be denoted as \(c_0,\dots , c_m\). For example, the bitstring 100101111011 has blocks of length 1, 3, and 4. With this notation define \(\theta (x) := \sum \limits _{i=0}^{m} \lceil \frac{c_i}{2} \rceil .\)
Noting that the linear square correlation of f is \(\frac{{\widehat{f}}(\alpha ,\beta )^2}{2^{2n}}\), we then have the following theorem:
Theorem 5
With the notation from above it holds that the linear square correlation of \(\alpha \mathop {\rightarrow }\limits ^{f} \beta \) can be calculated as
Proof
Define \(L_\beta (x) :=\beta \odot S^1(x) + S^{1}(\beta \odot x)\). Clearly \(L_\beta \) is linear. Also \(U_\beta = \ker L_\beta (x)\). Let us determine the rank of this mapping. Define the matrices \(M_{\beta \cdot }\), \(M_{S^1}\), and \(M_{S^{1}}\) as
We can then write \(L_\beta \) in matrix form as
Clearly, if \(\beta \) is all 1s, the rank of the matrix is \(n2\) as n is even.^{Footnote 2} Let us therefore now assume that \(\beta \) is not all 1s. When we look at a block of 1s in \(\beta \) e.g., \(\beta _{i1}=0\), \(\beta _{i}, \beta _{i+1},\dots , \beta _{i+l1}=1\), and \(\beta _l=0\). Then clearly the l rows \(i,i+1,\dots ,i+l1\) are linearly independent when l is even. When l is odd though, the sum of rows i, \(i+2\), \(i+4\), up to row \(i+l3\) will equal row \(i+l1\). In that case there are thus only \(l1\) linearly independent rows. As the blocks of 1s in \(\beta \) generate independent blocks of rows, we can summarise that the rank of the matrix is exactly \(\theta (\beta )\). \(\square \)
Analogously to the differential probabilities, the linear probabilities in the general case can be derived from this. It is likewise straightforward to derive how to determine whether \(\alpha \in U^\perp _\beta \). As an explicit formulation of this is rather tedious, we instead refer to the implementation in Python given in the Appendix A where both is achieved in the case where \(\gcd (ab,n) = 1\) and n is even.
For a more intuitive approach and some elaboration on the linear probabilities, we refer to the ePrint version of this paper.
5 Finding Optimal Differential and Linear Characteristics
While there are various methods for finding good characteristics, determining optimal differential or linear characteristics remains a hard problem in general. The formulas derived for both differential and linear probabilities enable us to apply an algebraic approach to finding the best characteristics. A similar technique has been applied to the ARX cipher Salsa20 [14] and the CAESAR candidate NORX [4]. For finding the optimal characteristics for Simon we implemented an open source tool [13] based on the SAT/SMT solvers CryptoMiniSat [15] and STP [11].
In the next section we will show how Simon can be modeled to find both the best differential and linear characteristics in this framework and how this can be used to solve cryptanalytic problems.
5.1 Model for Differential Cryptanalysis of SIMON
First we define the variables used in the model of Simon. We use two nbit variables \(x_i\), \(y_i\) to represent the XORdifference in the left and right halves of the state for each round and an additional variable \(z_i\) to store the XORdifference of the output of the AND operation.
For representing the \(\log _2\) probability of the characteristic we introduce an additional variable \(w_i\) for each round. The sum over all probabilities \(w_i\) then gives the probability of the corresponding differential characteristic. The values \(w_i\) are computed according to Theorem 3 as
where \({{\mathrm{wt}}}(x)\) is the Hamming weight of x and
Therefore, for one round of Simon we get the following set of constraints:
A model for linear characteristics, though slightly more complex, can be implemented in a similar way. A description of this model can be found in the implementation of our framework. Despite the increase in complexity, we could not observe any significant impact on the solving time for the linear model.
5.2 Finding Optimal Characteristics
We can now use the previous model for Simon to search for optimal differential characteristics. This is done by formulating the problem of finding a valid characteristic, with respect to our constraints, for a given probability w. This is important to limit the search space and makes sense as we are usually more interested in differential characteristics with a high probability as they are more promising to lead to attacks with a lower complexity. Therefore, we start with a high probability and check if such a characteristic exists. If not we lower the probability.
The procedure can be described in the following way:

For each round of the cipher add the corresponding constraints as defined in (11). This system of constraints then exactly describes the form of a valid characteristic for the given parameters.

Add a condition which accumulates the probabilities of each round as defined in (10) and check if it is equal to our target probability w.

Query if there exists an assignment of variables which is satisfiable under the constraints.

Decrement the probability w and repeat the procedure.
One of the main advantages compared to other approaches is that we can prove an upper bound on the probability of characteristics for a given cipher and number of rounds. If the solvers determines the set of conditions unsatisfiable, we know that no characteristic with the specified probability exists. We used this approach to determine the characteristics with optimal probability for different variants of Simon. The results are given in Table 1.
Upper Bound for the Characteristics. During our experiments we observed that it seems to be an easy problem for the SMT/SAT solver to prove the absence of differential characteristics above \(w_{\text {max}}\). This can be used to get a lower bound on the probability of characteristics contributing to the differential. The procedure is similar to finding the optimal characteristics.

Start with a very low initial probability \(w_i\).

Add the same system of constraints which were used for finding the characteristic.

Add a constraint fixing the variables \((x_0, y_0)\) to \(\varDelta _{\text {in}}\) and \((x_r, y_r)\) to \(\varDelta _{\text {out}}\).

Query if there is a solution for this weight.

Increase the probability \(w_i\) and repeat the procedure until a solution is found.
5.3 Computing the Probability of a Differential
Given a differential characteristic it is of interest to determine the probability of the associated differential \(\Pr (\varDelta _{\text {in}} \xrightarrow {f^r} \varDelta _{\text {out}})\) as it might potentially have a much higher probability then the single characteristic. It is often assumed that the probability of the best characteristic can be used to approximate the probability of the best differential. However, this assumption only gives an inaccurate estimate in the case of Simon.
Similarly to the previous approach for finding the characteristic, we can formalise the problem of finding the probability of a given differential in the following way:

Add the same system of constraints which were used for finding the characteristic.

Add a constraint fixing the variables \((x_0, y_0)\) to \(\varDelta _{\text {in}}\) and \((x_r, y_r)\) to \(\varDelta _{\text {out}}\).

Use a SAT solver to find all solutions \(s_i\) for the probability w.

Decrement the probability w and repeat the procedure.
The probability of the differential is then given by
where \(s_i\) is the number of characteristics with a probability of \(2^{i}\).
We used this approach to compute better estimates for the probability of various differentials (see Table 2). In the case of Simon32 we were able to find all characteristics contributing to the differentials for 13 and 14 rounds. The distribution of the characteristics and accumulated probability of the differential is given in Fig. 2. It is interesting to see that the distribution of w in the range [55, 89] is close to uniform and therefore the probability of the corresponding differential improves only negligible and converges quickly towards the measured probability^{Footnote 3}.
The performance of the whole process is very competitive compared to dedicated approaches. Enumerating all characteristics up to probability \(2^{46}\) for the 13round Simon32 differential takes around 90 seconds on a single CPU core and already gives a better estimate compared to the results in [6]. A complete enumeration of all characteristics for 13round Simon32 took close to one core month using CryptoMiniSat4 [15]. The computational effort for other variants of Simon is comparable given the same number of rounds. However, for these variants we can use differentials with a lower probability covering more rounds due to the increased block size. In this case the running time increases due to the larger interval \([w_{\text {min}}, w_{\text {max}}]\) and higher number of rounds.
For Simon48 and Simon64 we are able to improve the estimate given in [16]. Additionally we found differentials which can cover 17 rounds for Simon48 and 22 rounds for Simon64 which might have potential to improve previous attacks. Our results are also closer to the experimentally obtained estimates given in [10] but give a slightly lower probability. This can be due to the limited number of characteristics we use for the larger Simon variants or the different assumptions on the independence of rounds.
Our results are limited by the available computing power and in general it seems to be difficult to count all characteristics for weights in \([w_{\text {min}}, w_{\text {max}}]\), especially for the larger variants of Simon. However the whole process is embarrassingly parallel, as one can split up the computation for each probability \(w_i\). Furthermore, the improvement that one gets decreases quickly. For all differentials we observed that the distribution of differential characteristics becomes flat after a certain point.
6 Analysis of the Parameter Choices
The designers of Simon so far gave no justification for their choice of the rotation constants. Here we evaluate the space of rotation parameters with regard to different metrics for the quality of the parameters. Our results are certainly not a definite answer but are rather intended as a starting point to evaluating the design space and reverse engineering the design choices. We consider all possible sets of rotation constants (a, b, c)^{Footnote 4} and checked them for diffusion properties and the optimal differential and linear characteristics.
6.1 Diffusion
As a very simple measure to estimate the quality of the rotation constants, we measure the number of rounds that are needed to reach full diffusion. Full diffusion is reached when every state bit principally depends on all input bits. Compared to computing linear and differential properties it is an easy task to determine the dependency.
In Table 3 we give a comparison to how well the standard Simon rotation parameters fare within the distribution of all possible parameter sets. The exact distributions for all Simon variants can be found in the appendix in Table 8.
6.2 Differential and Linear
As a second criteria for our parameters, we computed for all \(a > b\) and \(\gcd (ab, n) = 1\) the optimal differential and linear characteristics for 10 rounds of Simon32, Simon48 and Simon64. A list of the parameters which are optimal for all three variants of Simon can be found in Appendix C.
It is important here to note that there are also many parameter sets, including the standard choice, for which the best 10round characteristics of Simon32 have a probability of \(2^{25}\) compared to the optimum of \(2^{26}\). However, this difference by a factor of 2 does not seem to occur for more than 10 rounds and also not any larger variants of Simon.
6.3 Interesting Alternative Parameter Sets
As one result of our investigation we chose three exemplary sets of parameters that surpass the standard parameters with regards to some metrics. Those variants are Simon[12, 5, 3], Simon[7, 0, 2] and Simon[1, 0, 2].
Simon[12, 5, 3] has the best diffusion amongst the parameters which have optimal differential and linear characteristics for 10 rounds. The two other choices are both restricted by setting \(b = 0\) as this would allow a more efficient implementation in software. Among those Simon[7, 0, 2] has the best diffusion and the characteristics behave similar to the standard parameters. Ignoring the diffusion Simon[1, 0, 2] seems also an interesting choice as it is optimal for the differential and linear characteristics.
If we look though at the differential corresponding to the best differential characteristic of Simon[7, 0, 2] and Simon[1, 0, 2], then we can see the number of characteristics contributing to it is significantly higher than for the standard parameters (see Appendix Table 6). However, for Simon[12, 5, 3] the differential shows a surprisingly different behaviour and the probability of the differential is much closer to the probability of the characteristic. On the other side, the characteristics seem to be worse for the larger variants as can be seen in Table 7. Furthermore it might be desirable to have at least one rotation parameter that corresponds to a byte length, something that the standard parameter set features.
7 Conclusion and Future Work
In this work we analysed the general class of functions underlying the Simon block cipher. First we rigorously derived efficiently computable and easily implementable expressions for the exact differential and linear behaviour of Simonlike round functions.
Building upon this, we used those expressions for a computer aided approach based on SAT/SMT solvers to find both optimal differential and linear characteristics for Simon. Furthermore, we were able to find all characteristics contributing to the probability of a differential for Simon32 and gave better estimates for the probability for other variants.
Finally, we investigated the space of Simon variants using different rotation constants with respect to diffusion, and the optimal differential and linear characteristics. Interestingly, the default parameters seem to be not always optimal.
This work opens up for further investigations. In particular, the choice and justifications of the NSA parameters for Simon remains unclear. Besides our first progress concerning the round function, the design of the key schedule remains largely unclear and further investigation is needed here.
Notes
 1.
Note that we can transform the equation \(f(x) = S^a(x)\odot S_b(x)+S^c(x)\) to the equation \(S^{a}(f(x)) + S^{ca}(x) = x\odot S^{ba}(x)\).
 2.
The rank is \(n1\) when n is odd.
 3.
We encrypted all \(2^{32}\) possible texts under 100 random keys to obtain the estimate of the probability for 13round Simon32.
 4.
Without lack of generality, we assume though that \(a\ge b\).
References
Abed, F., List, E., Lucks, S., Wenzel, J.: Differential cryptanalysis of roundreduced SIMON and SPECK. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 525–545. Springer, Heidelberg (2015)
Albrecht, M.R., Driessen, B., Kavun, E.B., Leander, G., Paar, C., Yalçın, T.: Block ciphers – focus on the linear layer (feat. PRIDE). In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 57–76. Springer, Heidelberg (2014)
Alizadeh, J., Alkhzaimi, H.A., Aref, M.R., Bagheri, N., Gauravaram, P., Kumar, A., Lauridsen, M.M., Sanadhya, S.K.: Cryptanalysis of SIMON variants with connections. In: Sadeghi, A.R., Saxena, N. (eds.) RFIDSec 2014. LNCS, vol. 8651, pp. 90–107. Springer, Heidelberg (2014)
Aumasson, J.P., Jovanovic, P., Neves, S.: Analysis of NORX: investigating differential and rotational properties. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 306–323. Springer, Heidelberg (2015)
Beaulieu, R., Shors, D., Smith, J., TreatmanClark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404 (2013). http://eprint.iacr.org/
Biryukov, A., Roy, A., Velichkov, V.: Differential analysis of block ciphers SIMON and SPECK. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 546–570. Springer, Heidelberg (2015)
Borghoff, J., et al.: PRINCE – a lowlatency block cipher for pervasive computing applications  extended abstract. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012)
Carlet, C.: Vectorial boolean functions for cryptography. In: Crama, Y., Hammer, P.L. (eds.) Boolean Models and Methods in Mathematics, Computer Science, and Engineering. Encyclopedia of Mathematics and its Applications, vol. 134, pp. 398–469. Cambridge University Press, Cambridge (2010)
Daemen, J., Peeters, M., Assche, G.V., Rijmen, V.: The NOEKEON block cipher. Submission to the NESSIE project (2000)
Dinur, I., Dunkelman, O., Gutman, M., Shamir, A.: Improved topdown techniques in differential cryptanalysis. Cryptology ePrint Archive, Report 2015/268 (2015). http://eprint.iacr.org/
Ganesh, V., Hansen, T., Soos, M., Liew, D., Govostes, R.: STP constraint solver (2014). https://github.com/stp/stp
Grosso, V., Leurent, G., Standaert, F.X., Varıcı, K.: LSdesigns: bitslice encryption for efficient masked software implementations. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 18–37. Springer, Heidelberg (2015)
Kölbl, S.: CryptoSMT: An easy to use tool for cryptanalysis of symmetric primitives (2015). https://github.com/kste/cryptosmt
Mouha, N., Preneel, B.: Towards finding optimal differential characteristics for ARX: Application to Salsa20. Cryptology ePrint Archive, Report 2013/328 (2013). http://eprint.iacr.org/
Soos, M.: CryptoMiniSat SAT solver (2014). https://github.com/msoos/cryptominisat/
Sun, S., Hu, L., Wang, M., Wang, P., Qiao, K., Ma, X., Shi, D., Song, L., Fu, K.: Towards finding the best characteristics of some bitoriented block ciphers and automatic enumeration of (relatedkey) differential and linear characteristics with predefined properties. Cryptology ePrint Archive, Report 2014/747 (2014). http://eprint.iacr.org/
Sun, S., Hu, L., Wang, M., Wang, P., Qiao, K., Ma, X., Shi, D., Song, L., Fu, K.: Constructing mixedinteger programming models whose feasible region is exactly the set of all valid differential characteristics of SIMON. Cryptology ePrint Archive, Report 2015/122 (2015). http://eprint.iacr.org/
Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (relatedkey) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bitoriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014)
Wang, Q., Liu, Z., Varici, K., Sasaki, Y., Rijmen, V., Todo, Y.: Cryptanalysis of reducedround SIMON32 and SIMON48. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 143–160. Springer, Heidelberg (2014)
Acknowledgments
First of all, we wish to thank Tomer Ashur. Both the method to check whether a linear input mask gives a correlated or uncorrelated linear 1round characteristic for a given output mask as well as the first version of the SMT/SAT model for linear characteristics in Simon were an outcome of our discussions. We furthermore wish to thank the reviewers for comments that helped to improve the paper.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Python Code to Calculate Linear and Differential Probabilities
In the following, code for calculating the differential and linear probabilities are given in Python. Restrictions are that the constants need to fulfil \(\gcd (ab,n)=1\) and n has to be even. We assume that the functions \(S^a(x)\) and \({{\mathrm{wt}}}(x)\) have been implemented as well as a function \(\mathtt {parity}\) that calculates the parity \({{\mathrm{wt}}}(x)\mod 2\) of a bit vector x. a, b, and c have to be defined in the program as well.
The differential probability of \(\alpha \mathop {\rightarrow }\limits ^{f} \beta \) can then be calculated with the following function:
The squared correlation of \(\alpha \mathop {\rightarrow }\limits ^{f} \beta \) can be calculated with the following function:
B Additional Differential Bounds
In Table 4 resp. 5 we give the distributions for the characteristics contributing to a differential up to the bound we computed them.
C Optimal Parameters for Differential Characteristics
The following sets of rotation constants (a, b, c) are optimal for 10 rounds regarding differential characteristics for Simon32, Simon48, and Simon64
Similar to the experiments for the default parameters, we used our framework to evaluate the quality of various rotation constants. In Table 7 we give an overview of the best differential characteristics for variants of Simon using a different set of rotation constants. Table 6 shows that a carefully chosen set of constants can have a very strong effect on the differentials.
Rights and permissions
Copyright information
© 2015 International Association for Cryptologic Research
About this paper
Cite this paper
Kölbl, S., Leander, G., Tiessen, T. (2015). Observations on the SIMON Block Cipher Family. In: Gennaro, R., Robshaw, M. (eds) Advances in Cryptology  CRYPTO 2015. CRYPTO 2015. Lecture Notes in Computer Science(), vol 9215. Springer, Berlin, Heidelberg. https://doi.org/10.1007/9783662479896_8
Download citation
DOI: https://doi.org/10.1007/9783662479896_8
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 9783662479889
Online ISBN: 9783662479896
eBook Packages: Computer ScienceComputer Science (R0)