Book ChapterDOI

Cryptanalysis of SIMON Variants with Connections

TL;DR: This work presents several linear characteristics for reduced-round SIMON32/64 that can be used for a key-recovery attack, extends them to other SIMON variants, and exploits a connection between linear and differential characteristics of SIMON to construct linear characteristics for different variants of reduced-round SIMON.
Abstract: SIMON is a family of 10 lightweight block ciphers published by Beaulieu et al. from the United States National Security Agency (NSA). A cipher in this family with \(K\)-bit key and \(N\)-bit block is called SIMON\({N}/{K}\). We present several linear characteristics for reduced-round SIMON32/64 that can be used for a key-recovery attack and extend them further to attack other variants of SIMON. Moreover, we provide results of key recovery analysis using several impossible differential characteristics starting from 14 out of 32 rounds for SIMON32/64 to 22 out of 72 rounds for SIMON128/256. In some cases the presented observations do not directly yield an attack, but provide a basis for further analysis for the specific SIMON variant. Finally, we exploit a connection between linear and differential characteristics for SIMON to construct linear characteristics for different variants of reduced-round SIMON. Our attacks extend to all variants of SIMON covering more rounds compared to any known results using linear cryptanalysis. We present a key recovery attack against SIMON128/256 which covers 35 out of 72 rounds with data complexity \(2^{123}\). We have implemented our attacks for small scale variants of SIMON and our experiments confirm the theoretical bias presented in this work.
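The abstract states that the authors implemented their attacks on small-scale SIMON variants and confirmed the theoretical bias experimentally. The following Python is an added example, not code from the paper or its authors, showing what such a sanity check looks like: a SIMON32/64 implementation validated against the specification's published test vector (key 1918 1110 0908 0100, plaintext 6565 6877, ciphertext c69b e9bb), plus sampling estimators for the bias of a linear approximation and the probability of a differential over a reduced number of rounds. The two-round masks and differences used here are illustrative trails derived from one fact about the round function (the bitwise AND is 0 with probability 3/4); they are not the characteristics from the paper, and the sample count and seed are arbitrary choices.

```python
"""SIMON32/64 plus empirical estimators for linear bias and differential
probability over reduced rounds.  Added example; not the paper's code."""
import random

N = 16                      # word size n for SIMON32
MASK = (1 << N) - 1
ROUNDS = 32                 # T = 32 rounds for SIMON32/64
# Constant sequence z0 from the SIMON specification (used by SIMON32/64).
Z0 = "11111010001001010110000111001101111101000100101011000011100110"


def rol(x, r):
    """Rotate a 16-bit word left by r (S^r in the specification's notation)."""
    return ((x << r) | (x >> (N - r))) & MASK


def ror(x, r):
    """Rotate a 16-bit word right by r (S^{-r})."""
    return ((x >> r) | (x << (N - r))) & MASK


def f(x):
    """SIMON round function (S^1 x & S^8 x) ^ S^2 x.  The AND is the only
    non-linear operation; both estimators below exploit it."""
    return (rol(x, 1) & rol(x, 8)) ^ rol(x, 2)


def key_schedule(key_words):
    """Expand the 64-bit key into 32 round keys.  key_words lists the four
    16-bit words most-significant first, as printed in the spec's test
    vector (k3, k2, k1, k0)."""
    k = list(reversed(key_words))           # k[0] .. k[3]
    c = MASK ^ 3                            # c = 2^n - 4 = 0xfffc
    for i in range(4, ROUNDS):
        tmp = ror(k[i - 1], 3) ^ k[i - 3]   # m = 4 form of the schedule
        tmp ^= ror(tmp, 1)
        k.append(c ^ int(Z0[(i - 4) % 62]) ^ k[i - 4] ^ tmp)
    return k


def encrypt(left, right, round_keys, rounds=ROUNDS):
    """Feistel iteration (L, R) -> (R ^ f(L) ^ k_i, L) for `rounds` rounds."""
    for i in range(rounds):
        left, right = right ^ f(left) ^ round_keys[i], left
    return left, right


def parity(x):
    return bin(x).count("1") & 1


def linear_bias(rounds, in_mask, out_mask, round_keys, samples, seed=1):
    """Estimate |Pr[<in_mask, P> = <out_mask, C>] - 1/2| over random
    plaintexts.  Masks are (left, right) pairs of 16-bit words."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        l, r = rng.getrandbits(N), rng.getrandbits(N)
        cl, cr = encrypt(l, r, round_keys, rounds)
        lhs = parity(l & in_mask[0]) ^ parity(r & in_mask[1])
        rhs = parity(cl & out_mask[0]) ^ parity(cr & out_mask[1])
        hits += lhs == rhs
    return abs(hits / samples - 0.5)


def differential_probability(rounds, in_diff, out_diff, round_keys, samples, seed=1):
    """Estimate Pr[E(P ^ in_diff) ^ E(P) = out_diff] over random plaintexts."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        l, r = rng.getrandbits(N), rng.getrandbits(N)
        c0 = encrypt(l, r, round_keys, rounds)
        c1 = encrypt(l ^ in_diff[0], r ^ in_diff[1], round_keys, rounds)
        hits += (c0[0] ^ c1[0], c0[1] ^ c1[1]) == out_diff
    return hits / samples


# Illustrative two-round trails (assumption: chosen here for the demo), built
# from one fact about f: bit j of the AND term, x[j-1] & x[j-8], is 0 with
# probability 3/4 (bias 1/4), and a single-bit difference e_j leaves f as
# exactly e_{j+2} with probability 1/4.
J = 8
# Linear: R0[j] ^ L2[j-2] ^ R2[j] ^ R2[j-4] = key bits ^ AND1 ^ AND2.  The two
# AND terms are independent, so the piling-up lemma gives bias 2*(1/4)^2 = 1/8.
LIN_IN = (0, 1 << J)
LIN_OUT = (1 << (J - 2), (1 << J) | (1 << (J - 4)))
# Differential: (0, e_j) -> (e_{j+2}, e_j).  Round 1 is free (the difference
# only moves through the XOR); round 2 pays for the two AND bits that must be 0.
DIFF_IN = (0, 1 << J)
DIFF_OUT = (1 << (J + 2), 1 << J)


def demo(samples=20000):
    rk = key_schedule([0x1918, 0x1110, 0x0908, 0x0100])   # spec test-vector key
    return {
        "test_vector_ok": encrypt(0x6565, 0x6877, rk) == (0xC69B, 0xE9BB),
        "linear_bias_2r": linear_bias(2, LIN_IN, LIN_OUT, rk, samples),       # about 0.125
        "diff_prob_2r": differential_probability(2, DIFF_IN, DIFF_OUT, rk, samples),  # about 0.25
    }


if __name__ == "__main__":
    print(demo())
```

Two things are worth noticing when running it. First, the measured bias of the two-round approximation matches the piling-up estimate because the second-round AND inputs are uniform and independent of the first-round ones; for more rounds that independence assumption is exactly what an experiment like the one the abstract mentions has to confirm. Second, the linear masks move towards lower bit positions (j, j-2, j-4) while the differences move towards higher ones (j, j+2): mask propagation through a linear map uses its transpose, so a left rotation by r acts on masks as a rotation by -r. That structural mirror between the two trail types is a general property of rotation-and-AND round functions, stated here as background and not as the specific connection the paper develops.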
Citations
Proceedings ArticleDOI
07 Jun 2015
TL;DR: Simplicity, security, and flexibility are ever-present yet conflicting goals in cryptographic design and these goals were balanced in the design of Simon and Speck.
Abstract: The Simon and Speck families of block ciphers were designed specifically to offer security on constrained devices, where simplicity of design is crucial. However, the intended use cases are diverse and demand flexibility in implementation. Simplicity, security, and flexibility are ever-present yet conflicting goals in cryptographic design. This paper outlines how these goals were balanced in the design of Simon and Speck.

504 citations


Cites background from "Cryptanalysis of SIMON Variants wit..."

  • ...See, for example, [3, 13, 4, 15, 19, 2, 6, 5, 1, 14, 26]. To date, all published “attacks” on Simon and Speck are of the reduced-round variety....

    [...]

Posted Content
TL;DR: The U.S. National Security Agency developed the Simon and Speck families of lightweight block ciphers as an aid for securing applications in very constrained environments where AES may not be suitable.
Abstract: The U.S. National Security Agency (NSA) developed the Simon and Speck families of lightweight block ciphers as an aid for securing applications in very constrained environments where AES may not be suitable. This paper summarizes the algorithms, their design rationale, along with current cryptanalysis and implementation results.

259 citations


Cites background from "Cryptanalysis of SIMON Variants wit..."

  • ...It seems clear to us that there isn’t: After all, a complex round function can always be factored into a composition of simple functions (transpositions, even), and so every block cipher is a composition of simple functions....

    [...]

Book ChapterDOI
Gangqiang Yang, Bo Zhu, Valentin Suder, Mark D. Aagaard, Guang Gong
13 Sep 2015
TL;DR: Simeck combines design components from both Simon and Speck to obtain even more compact and efficient block ciphers that meet the area, power, and throughput requirements of passive RFID tags.
Abstract: Two lightweight block cipher families, Simon and Speck, have been proposed by researchers from the NSA recently. In this paper, we introduce Simeck, a new family of lightweight block ciphers that combines the good design components from both Simon and Speck, in order to devise even more compact and efficient block ciphers. For Simeck32/64, we can achieve 505 GEs (before the Place and Route phase) and 549 GEs (after the Place and Route phase), with the power consumption of 0.417 \(\mu W\) in CMOS 130 nm ASIC, and 454 GEs (before the Place and Route phase) and 488 GEs (after the Place and Route phase), with the power consumption of 1.292 \(\mu W\) in CMOS 65 nm ASIC. Furthermore, all of the instances of Simeck are smaller than the ones of hardware-optimized cipher Simon in terms of area and power consumption in both CMOS 130 nm and CMOS 65 nm techniques. In addition, we also give the security evaluation of Simeck with respect to many traditional cryptanalysis methods, including differential attacks, linear attacks, impossible differential attacks, meet-in-the-middle attacks, and slide attacks. Overall, all of the instances of Simeck can satisfy the area, power, and throughput requirements in passive RFID tags.

215 citations

Book
01 Jan 2007
TL;DR: Proceedings of CHES 2007 (Cryptographic Hardware and Embedded Systems), covering side-channel attacks and countermeasures, random number generation and PUFs, efficient embedded implementations, fault analysis, RF and RFID security, special-purpose cryptanalytic hardware, and the ultra-lightweight block cipher PRESENT.
Abstract: Differential and Higher Order Attacks.- A First-Order DPA Attack Against AES in Counter Mode with Unknown Initial Counter.- Gaussian Mixture Models for Higher-Order Side Channel Analysis.- Side Channel Cryptanalysis of a Higher Order Masking Scheme.- Random Number Generation and Device Identification.- High-Speed True Random Number Generation with Logic Gates Only.- FPGA Intrinsic PUFs and Their Use for IP Protection.- Logic Styles: Masking and Routing.- Evaluation of the Masked Logic Style MDPL on a Prototype Chip.- Masking and Dual-Rail Logic Don't Add Up.- DPA-Resistance Without Routing Constraints?.- Efficient Algorithms for Embedded Processors.- On the Power of Bitslice Implementation on Intel Core2 Processor.- Highly Regular Right-to-Left Algorithms for Scalar Multiplication.- MAME: A Compression Function with Reduced Hardware Requirements.- Collision Attacks and Fault Analysis.- Collision Attacks on AES-Based MAC: Alpha-MAC.- Secret External Encodings Do Not Prevent Transient Fault Analysis.- Two New Techniques of Side-Channel Cryptanalysis.- High Speed AES Implementations.- AES Encryption Implementation and Analysis on Commodity Graphics Processing Units.- Multi-gigabit GCM-AES Architecture Optimized for FPGAs.- Public-Key Cryptography.- Arithmetic Operators for Pairing-Based Cryptography.- FPGA Design of Self-certified Signature Verification on Koblitz Curves.- How to Maximize the Potential of FPGA Resources for Modular Exponentiation.- Implementation Cost of Countermeasures.- TEC-Tree: A Low-Cost, Parallelizable Tree for Efficient Defense Against Memory Replay Attacks.- Power Analysis Resistant AES Implementation with Instruction Set Extensions.- Security Issues for RF and RFID.- Power and EM Attacks on Passive RFID Devices.- RFID Noisy Reader: How to Prevent Eavesdropping on the Communication?.- RF-DNA: Radio-Frequency Certificates of Authenticity.- Special Purpose Hardware for Cryptanalysis.- CAIRN 2: An FPGA Implementation of the Sieving Step in the Number Field Sieve Method.- Collision Search for Elliptic Curve Discrete Logarithm over GF(2^m) with FPGA.- A Hardware-Assisted Realtime Attack on A5/2 Without Precomputations.- Side Channel Analysis.- Differential Behavioral Analysis.- Information Theoretic Evaluation of Side-Channel Resistant Logic Styles.- Problems and Solutions for Lightweight Devices.- On the Implementation of a Fast Prime Generation Algorithm.- PRESENT: An Ultra-Lightweight Block Cipher.- Cryptographic Hardware and Embedded Systems - CHES 2007.

204 citations

Book ChapterDOI
16 Aug 2015
TL;DR: In this paper, efficiently computable and easily implementable expressions for the exact differential and linear behaviour of Simon-like round functions are derived.
Abstract: In this paper we analyse the general class of functions underlying the Simon block cipher. In particular, we derive efficiently computable and easily implementable expressions for the exact differential and linear behaviour of Simon-like round functions.

157 citations


Cites background from "Cryptanalysis of SIMON Variants wit..."

  • ...Simon[12, 5, 3] has the best diffusion amongst the parameters which have optimal differential and linear characteristics for 10 rounds....

    [...]

  • ...Those variants are Simon[12, 5, 3], Simon[7, 0, 2] and Simon[1, 0, 2]....

    [...]

  • ...However, for Simon[12, 5, 3] the differential shows a surprisingly different behaviour and the probability of the differential is much closer to the probability of the characteristic....

    [...]

  • ...Related Work There are various papers published on the cryptanalysis of Simon [1,3,6,17,18,19]....

    [...]

References
Book ChapterDOI
02 Jan 1994
TL;DR: A new method for the cryptanalysis of DES, linear cryptanalysis, is introduced. It is essentially a known-plaintext attack, and in certain situations it is applicable as a ciphertext-only attack.
Abstract: We introduce a new method for cryptanalysis of DES cipher, which is essentially a known-plaintext attack. As a result, it is possible to break 8-round DES cipher with \(2^{21}\) known-plaintexts and 16-round DES cipher with \(2^{47}\) known-plaintexts, respectively. Moreover, this method is applicable to an only-ciphertext attack in certain situations. For example, if plaintexts consist of natural English sentences represented by ASCII codes, 8-round DES cipher is breakable with \(2^{29}\) ciphertexts only.

2,753 citations

Book ChapterDOI
10 Sep 2007
TL;DR: PRESENT is an ultra-lightweight block cipher designed for extremely constrained environments such as RFID tags and sensor networks; its hardware cost is competitive with today's leading compact stream ciphers.
Abstract: With the establishment of the AES the need for new block ciphers has been greatly diminished; for almost all block cipher applications the AES is an excellent and preferred choice. However, despite recent implementation advances, the AES is not suitable for extremely constrained environments such as RFID tags and sensor networks. In this paper we describe an ultra-lightweight block cipher, PRESENT. Both security and hardware efficiency have been equally important during the design of the cipher and at 1570 GE, the hardware requirements for PRESENT are competitive with today's leading compact stream ciphers.

2,202 citations

Journal Article
TL;DR: The authors describe PRESENT, an ultra-lightweight block cipher for extremely constrained environments such as RFID tags and sensor networks, where AES is not suitable; at 1570 GE its hardware cost is competitive with today's leading compact stream ciphers.
Abstract: With the establishment of the AES the need for new block ciphers has been greatly diminished; for almost all block cipher applications the AES is an excellent and preferred choice. However, despite recent implementation advances, the AES is not suitable for extremely constrained environments such as RFID tags and sensor networks. In this paper we describe an ultra-lightweight block cipher, PRESENT. Both security and hardware efficiency have been equally important during the design of the cipher and at 1570 GE, the hardware requirements for PRESENT are competitive with today's leading compact stream ciphers.

1,750 citations

Book
01 Jan 2001
TL;DR: Simplified variants that omit a quadratic function and a fixed rotation in RC6 are examined to clarify their essential contribution to the overall security of RC6.
Abstract: RC6 has been submitted as a candidate for the Advanced Encryption Standard (AES). Two important features of RC6 that were absent from its predecessor RC5 are a quadratic function and a fixed rotation. By examining simplified variants that omit these features we clarify their essential contribution to the overall security of RC6.

1,487 citations

Book
01 Jan 1995

700 citations