Cryptanalysis of Reduced-round SIMON32 and SIMON48

Qingju Wang (1,2), Zhiqiang Liu (1,2)⋆⋆, Kerem Varıcı (2,3)⋆⋆, Yu Sasaki (4)⋆⋆, Vincent Rijmen (2)⋆⋆, and Yosuke Todo (4)⋆⋆

1 Department of Computer Science and Engineering, Shanghai Jiao Tong University, China
2 KU Leuven, ESAT/COSIC and iMinds, Belgium
3 ICTEAM-Crypto Group, Université catholique de Louvain, Belgium
4 NTT Secure Platform Laboratories, Japan

Abstract. SIMON family is one of the recent lightweight block cipher designs introduced by NSA. So far there have been several cryptanalytic results on this cipher by means of differential, linear and impossible differential cryptanalysis. In this paper, we study the security of SIMON32, SIMON48/72 and SIMON48/96 by using integral, zero-correlation linear and impossible differential cryptanalysis. Firstly, we present a novel experimental approach to construct the best known integral distinguishers of SIMON32. The small block size, 32 bits, of SIMON32 enables us to experimentally find a 15-round integral distinguisher, based on which we present a key recovery attack on 21-round SIMON32, while previous best results only achieved 19 rounds. Moreover, we attack 20-round SIMON32, 20-round SIMON48/72 and 21-round SIMON48/96 based on 11 and 12-round zero-correlation linear hulls of SIMON32 and SIMON48 respectively. Finally, we propose new impossible differential attacks which improve the previous impossible differential attacks. Our analysis shows that SIMON maintains enough security margin.

Keywords: SIMON, integral, zero-correlation, impossible differential

1 Introduction

Lightweight primitives are designed to be efficient for limited resource environments, but they should also ensure that the message is transmitted confidentially. Therefore, the vital design motivation is to maintain a reasonable trade-off between security and performance. During recent years, many lightweight ciphers have been designed. Prominent examples include, but are not limited to, ICEBERG [2], mCrypton [3], HIGHT [4], PRESENT [5], KATAN [6], LED [7], Piccolo [8], KLEIN [9], EPCBC [10], PRINCE [11] and TWINE [12]. In 2013, NSA also proposed two families of highly-optimized block ciphers, SIMON and SPECK [13], which are flexible enough to provide excellent performance in both hardware and software environments. Moreover, both families offer a large variety of block and key sizes such that users can easily match the security requirements of their applications without sacrificing performance. However, no cryptanalysis results are included in the specification of these algorithms.

Due to page limitations, several details are omitted in this proceedings version. In particular, impossible differential attacks are only described in the full version [1].
⋆⋆ Corresponding authors.

Related Work and Our Contributions. On the one hand, several external cryptanalysis results on SIMON and SPECK were published. In [14, 15], differential attacks are presented on various state sizes of SIMON and SPECK, while the best linear attacks on SIMON are given in [16]. In [17] Biryukov et al. exploit the threshold search technique [18], where they showed better differential characteristics and proposed attacks with better results on several versions of SIMON and SPECK. Very recently, there are some differential attack results about SIMON32 and SIMON48 in ePrint [19]. These results need to be further verified although they seem intriguing.

In this paper, we investigate the security of SIMON32, SIMON48/72 and SIMON48/96 by using integral, zero-correlation linear and impossible differential cryptanalysis. We firstly apply integral cryptanalysis. Regarding SIMON32, because the block size is only 32 bits, we can experimentally observe the behaviors of all the plaintexts under a fixed key. Our experiments show that the number of distinguished rounds rapidly increases when the number of active bits becomes close to the block size. On the contrary, exploiting integral distinguishers with a large number of active bits for recovering the key is hard in general. Indeed, our distinguisher needs 31 active bits. To make the data complexity smaller than the code book, we cannot iterate the analysis even for two sets of the distinguisher. We then exploit the fact that the key schedule consists of simple linear equations, and show that reducing any fraction of subkey space can immediately reduce the main key space by solving the linear equations with Gaussian elimination. By combining several known cryptanalytic techniques we present an attack on 21-round SIMON32/64. As for SIMON48, the approach cannot be applied due to the large search space. However, according to the experimental results for SIMON32, we may expect that there exist good integral distinguishers of SIMON48 when the number of active bits is near the block size.

Moreover, we construct 11 and 12-round zero-correlation linear hulls of SIMON32 and SIMON48 respectively by using the miss-in-the-middle technique. Then based on these distinguishers, we mount attacks on 20-round SIMON32, 20-round SIMON48/72 and 21-round SIMON48/96 delicately with the help of the divide-and-conquer technique. Finally, we demonstrate impossible differential attacks on 18-round SIMON32, 18-round SIMON48/72 and 19-round SIMON48/96. Although these results are not better than the ones achieved by using differential, integral and zero-correlation linear cryptanalysis, they are the currently best impossible differential attacks for SIMON32 and SIMON48. Our improvements upon the state-of-the-art cryptanalysis for SIMON are given in Table 1.

Organization. The remainder of this paper is organized as follows. In Section 2, we give a brief description of SIMON. Section 3 covers the integral attack. In Section 4, zero-correlation cryptanalysis is studied. Finally, we conclude the paper in Section 5. Impossible differential attacks are shown in [1]. Table 2 contains the notations that we use throughout this paper.

Table 1. Summary of Attack Results on SIMON

Cipher       Full Rounds  Attack      Attacked Rounds  Time (EN)  Data          Memory (Bytes)  Source
SIMON32/64   32           Imp. Diff.  13               2^50.1     2^30.0 KP     2^20.0          [20]
                          Imp. Diff.  18               2^61.14    2^32 KP       2^47.67         [1]
                          Diff.       16               2^26.481   2^29.481 CP   2^16            [15]
                          Diff.       18               2^46.0     2^31.2 CP     2^15.0          [14]
                          Diff.       19               2^32       2^31 CP       -               [17]
                          Zero-Corr.  20               2^56.96    2^32 KP       2^41.42         Subsec 4.2
                          Integral    21               2^63.00    2^31 CP       2^54            Subsec 3.2
SIMON48/72   36           Imp. Diff.  18               2^61.87    2^48 KP       2^42.12         [1]
                          Diff.       18               2^43.253   2^46.426 CP   2^24            [15]
                          Diff.       19               2^52.0     2^46.0 CC     2^20.0          [14]
                          Diff.       20               2^52       2^46 CP       -               [17]
                          Zero-Corr.  20               2^59.7     2^48 KP       2^43            Subsec 4.3
SIMON48/96   36           Imp. Diff.  15               2^53.0     2^38.0 KP     2^20.6          [20]
                          Imp. Diff.  19               2^85.82    2^48 KP       2^66.68         [1]
                          Diff.       18               2^69.079   2^50.262 CP   2^45.618        [15]
                          Diff.       19               2^76.0     2^46.0 CC     2^20.0          [14]
                          Diff.       20               2^75       2^46 CP       -               [17]
                          Zero-Corr.  21               2^72.63    2^48 KP       2^46.73         Subsec 4.3
CP: Chosen Plaintext; KP: Known Plaintext; CC: Chosen Ciphertext; EN: Encryptions

2 Brief Description of SIMON

We denote the SIMON block cipher using n-bit words by SIMON2n, with n ∈ {16, 24, 32, 48, 64}. SIMON2n with an m-word key is referred to as SIMON2n/mn. SIMON is a two-branch balanced Feistel network with simple round functions consisting of three operations: AND (&), XOR (⊕) and rotation (≪). In round i−1, by using the function

F(x) = ((x ≪ 1) & (x ≪ 8)) ⊕ (x ≪ 2),

(L_{i−1}, R_{i−1}) are updated to (L_i, R_i) by

L_i = F(L_{i−1}) ⊕ R_{i−1} ⊕ k_{i−1}   and   R_i = L_{i−1}.

The output of the last round (L_r, R_r) (r is the number of rounds) yields the ciphertext. The structure of the round function of SIMON is depicted in Figure 6 in Appendix A.
The key schedule of SIMON processes three different procedures depending on the key size. The first mn round keys are directly initialized with the main key, while the remaining key words are generated by three slightly different procedures depending on the number of key words m:

k_{i+m} = c ⊕ (z_j)_i ⊕ k_i ⊕ Y_m ⊕ (Y_m ≫ 1),   where
Y_m = k_{i+1} ≫ 3,                 if m = 2,
Y_m = k_{i+2} ≫ 3,                 if m = 3,
Y_m = (k_{i+3} ≫ 3) ⊕ k_{i+1},     if m = 4.

Here, the value c is the constant 0xff...fc, and (z_j)_i denotes the i-th (least significant) bit from one of the five constant sequences z_j (0 ≤ j ≤ 4). The main key can be derived if any sequence of m consecutive subkeys is known.

Table 2. Notations: the top 8 are general and the bottom 4 are for the integral attack.

L_r, R_r                  left and right branches of the input state to the r-th round
L_{r,{i−j}}, R_{r,{i−j}}  the bits from bit i to bit j of L_r and R_r
ΔL_r, ΔR_r                left and right branches of the input difference of the state to the r-th round
ΓL_r, ΓR_r                left and right branches of the input linear mask of the state to the r-th round
ΔF(·)                     the output difference after the round function F
k_r                       the subkey in the r-th round
k_{r,{i−j}}               the bits from bit i to bit j of k_r
?                         an undetermined difference or linear mask

Let Λ be a collection of state vectors X = (x_0, ..., x_{n−1}) where x_i ∈ F_2 is the i-th word of X:
A   if all i-th words x_i in Λ are distinct, x_i is called active
B   if the sum of all i-th words x_i in Λ can be predicted, x_i is called balanced
C   if the values of all i-th words x_i in Λ are equal, x_i is called passive/constant
*   if the sum of all i-th words x_i in Λ cannot be predicted

3 Integral Cryptanalysis of SIMON

The integral attack [21, 22] first constructs an integral distinguisher, which is a set of plaintexts such that the states after several rounds have a certain property, e.g. the XOR sum of all states in the set is 0. Then, several rounds are appended to the distinguisher for recovering subkeys. In this section, we investigate the integral properties and present integral attacks on 21-round SIMON32/64.

3.1 Integral Distinguishers of SIMON32

We experimentally find integrals of SIMON32. The results are shown in Table 3. Here the active bits are the ones in the input of round 1. An interesting observation is that the number of rounds increases rapidly when the number of active bits becomes close to the block size. Giving a theoretical reasoning for this observation seems hard. In other words, experimental approaches are useful for a small block size such that all plaintexts can be processed in a practical time.

Table 3. The Number of Rounds of SIMON32 Integral Distinguishers
Num. of Active Bits  16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Num. of Rounds        9  9  9  9 10 10 10 10 11 11 11 12 13 13 14 15

We explain the algorithm of our experiments as follows:
1. Firstly, we generate 2^t plaintexts (t ≥ 16) by setting the right half (16 bits) and (t − 16) bits of the left half of the input in round 1 to be active, while keeping the remaining bits as constant.
2. (a) Choose the main key randomly. Encrypt the 2^t plaintexts for r rounds and check whether certain bits of the output are balanced (i.e., for each of these bits, the XOR sum of the bit over the 2^t output states is 0). If yes, keep this as an integral candidate.
   (b) Repeat (a) 2^13 times and verify if the integral candidate always holds. If not, discard it.
3. If there is an integral candidate for all the structures with the same pattern (i.e., with the same t active bits), we regard this as an r-round integral distinguisher of SIMON32.

As a result, we obtain a 15-round distinguisher (Figure 1) with 31 active bits:

(CAAA, AAAA, AAAA, AAAA, AAAA, AAAA, AAAA, AAAA) → ( ∗∗, ∗∗, ∗∗, , B , ∗∗, B ∗∗, B).   (1)

The distinguisher in (1) is not ensured for all of the 2^64 keys. Because our experiment did not return any failure, we expect that the success probability of this distinguisher is at least 1 − 2^−13.
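
The round function and key schedule of Section 2 and the distinguisher-search experiment of Section 3.1, as an added Python example; this is not code from the paper or its authors. It implements SIMON32/64 (m = 4, with the constant sequence z_0 taken from the SIMON specification), checks the specification's published test vector, inverts the key schedule to illustrate the remark that any m consecutive subkeys determine the main key, and runs steps 1-3 of the experiment at a scale that finishes in seconds: t = 16 active bits instead of 31, and a handful of random main keys instead of 2^13. The names expand_key, recover_main_key, balanced_bits, the trial count and seed, and the 32-bit mask used to report balanced positions are this example's own choices.

```python
import random

MASK16 = 0xFFFF
ROUNDS = 32          # SIMON32/64 has 32 rounds
C = 0xFFFC           # the constant c = 0xff...fc of the key schedule
# z_0, the 62-bit constant sequence used by SIMON32/64 (from the SIMON specification)
Z0 = "11111010001001010110000111001101111101000100101011000011100110"


def rol(x, r):
    """Rotate a 16-bit word left by r bits."""
    return ((x << r) | (x >> (16 - r))) & MASK16


def ror(x, r):
    """Rotate a 16-bit word right by r bits."""
    return ((x >> r) | (x << (16 - r))) & MASK16


def F(x):
    """Round function F(x) = ((x <<< 1) & (x <<< 8)) xor (x <<< 2)."""
    return (rol(x, 1) & rol(x, 8)) ^ rol(x, 2)


def expand_key(main_key):
    """Key schedule for m = 4: main_key = [k_0, k_1, k_2, k_3]; returns the 32 subkeys."""
    k = list(main_key)
    for i in range(ROUNDS - 4):
        y = ror(k[i + 3], 3) ^ k[i + 1]           # Y_4 = (k_{i+3} >>> 3) xor k_{i+1}
        k.append(C ^ int(Z0[i % 62]) ^ k[i] ^ y ^ ror(y, 1))  # k_{i+4}
    return k


def encrypt(l, r, subkeys):
    """One Feistel round per subkey: L_i = F(L_{i-1}) xor R_{i-1} xor k_{i-1}, R_i = L_{i-1}."""
    for ki in subkeys:
        l, r = F(l) ^ r ^ ki, l
    return l, r


def decrypt(l, r, subkeys):
    """Inverse of encrypt (subkeys applied in reverse order)."""
    for ki in reversed(subkeys):
        l, r = r, F(r) ^ l ^ ki
    return l, r


def recover_main_key(window, start):
    """Invert the key schedule: from subkeys k_start..k_{start+3} recover k_0..k_3.
    This is the 'any m consecutive subkeys give the main key' property of Section 2."""
    k = list(window)                    # always holds k_{i+1}, k_{i+2}, k_{i+3}, k_{i+4}
    for i in range(start - 1, -1, -1):  # solve the round-i equation for k_i
        y = ror(k[2], 3) ^ k[0]
        k = [k[3] ^ C ^ int(Z0[i % 62]) ^ y ^ ror(y, 1)] + k[:3]
    return k


def balanced_bits(t, rounds, trials=4, seed=1):
    """Experiment of Section 3.1: 2^t plaintexts with the whole right half and the low
    t-16 bits of the left half active, the rest constant. Returns a 32-bit mask of the
    output bits (L||R, bit 31 = L bit 15, bit 0 = R bit 0) whose XOR sum was 0 for every
    one of `trials` random main keys; these are the B positions in Table 2's notation."""
    rng = random.Random(seed)
    candidate = 0xFFFFFFFF
    for _ in range(trials):
        subkeys = expand_key([rng.getrandbits(16) for _ in range(4)])[:rounds]
        const = rng.getrandbits(16) & ~((1 << (t - 16)) - 1) & MASK16  # constant part of L_0
        acc_l = acc_r = 0
        for v in range(1 << t):
            l, r = const | (v >> 16), v & MASK16
            for ki in subkeys:
                l, r = F(l) ^ r ^ ki, l
            acc_l ^= l
            acc_r ^= r
        candidate &= ~((acc_l << 16) | acc_r) & 0xFFFFFFFF  # keep only bits that summed to 0
        if not candidate:
            break
    return candidate


def test_vector():
    """Published SIMON32/64 test vector: key 1918 1110 0908 0100, plaintext 6565 6877."""
    ks = expand_key([0x0100, 0x0908, 0x1110, 0x1918])
    return encrypt(0x6565, 0x6877, ks)


if __name__ == "__main__":
    print("ciphertext: %04x %04x" % test_vector())   # expect c69b e9bb
    print("balanced output bits after 9 rounds with 16 active bits: %08x" % balanced_bits(16, 9))
```

With 16 active bits (the whole right half), Table 3 predicts that some output bits stay balanced for 9 rounds; the degree bound alone only guarantees 5 rounds, since F has degree 2 and the right half after 5 rounds has degree at most 8 < 16, so the mask returned for rounds = 5 always has all 16 right-half bits set. Reproducing the 31-active-bit rows of Table 3 needs 2^31 encryptions per trial, which is a job for a C implementation, not for this Python sketch.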
3.2 21-round Integral Attack of SIMON32/64

We use the 15-round integral distinguisher shown in Figure 1. We first prepare 2^31 internal state values (X_L ‖ X_R) in which 31 bits are active, then compute the corresponding plaintext (L_0 ‖ R_0) as L_0 ← X_R and R_0 ← F(X_R) ⊕ X_L. Those 2^31 plaintexts yield balanced bits in 3 positions after 15 rounds, i.e. in (L_15, R_15). Moreover, the subsequent subkey XOR to R_15 in round 16 never breaks the balanced property as long as the number of plaintexts in a set is even. We then mount a key recovery attack on 21-round SIMON32/64 by adding six rounds after the distinguisher, which is illustrated in Figure 2.

3.2.1 Overall Strategy. The attacker guesses a part of the last 5-round subkeys k_16, k_17, ..., k_20. Then he partially decrypts the 2^31 ciphertexts up to the state R_15 ⊕ k_15, and computes their XOR sum at the balanced bits. The 15-round distinguisher in Figure 1 has 3 balanced bits. Because the partial decryption up to all of those 3 bits requires too many subkey guesses, we only use 1 balanced bit at position 0. Thus, the subkey space can be reduced by 1 bit per set of 2^31
