Cryptanalysis of Simpira v1

  • Christoph Dobraunig
  • Maria EichlsederEmail author
  • Florian Mendel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10532)


Simpira v1 is a recently proposed family of permutations, based on the AES round function. The design includes recommendations for using the Simpira permutations in block ciphers, hash functions, or authenticated ciphers. The designers’ security analysis is based on computer-aided bounds for the minimum number of active S-boxes. We show that the underlying assumptions of independence, and thus the derived bounds, are incorrect. For family member Simpira-4, we provide differential trails with only 40 (instead of 75) active S-boxes for the recommended 15 rounds. Based on these trails, we propose full-round collision attacks on the proposed Simpira-4 Davies-Meyer hash construction, with complexity \(2^{82.62}\) for the recommended full 15 rounds and a truncated 256-bit hash value, and complexity \(2^{110.16}\) for 16 rounds and the full 512-bit hash value. These attacks violate the designers’ security claims that there are no structural distinguishers with complexity below \(2^{128}\).


Simpira Permutation-based cryptography Cryptanalysis Hash functions Collisions 



We thank the Simpira designers Shay Gueron and Nicky Mouha for verifying our results and providing useful suggestions. The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644052 (HECTOR) and from the Austrian Science Fund (project P26494-N15).


  1. 1.
    Biham, E., Dunkelman, O.: The SHAvite-3 hash function. Submission to NIST (2009).
  2. 2.
    Gueron, S., Mouha, N.: Simpira: a family of efficient permutations using the AES round function. Cryptology ePrint Archive, Report 2016/122 (2016).
  3. 3.
    Gueron, S., Mouha, N.: Simpira v2: a family of efficient permutations using the AES round function. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 95–125. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53887-6_4 CrossRefGoogle Scholar
  4. 4.
    Jean, J.: Cryptanalysis of Haraka. Cryptology ePrint Archive, Report 2016/396 (2016).
  5. 5.
    Jean, J., Nikolić, I.: Efficient design strategies based on the AES round function. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 334–353. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-52993-5_17 CrossRefGoogle Scholar
  6. 6.
    Jean, J., Nikolić, I., Sasaki, Y., Wang, L.: Practical cryptanalysis of PAES. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 228–242. Springer, Cham (2014). doi: 10.1007/978-3-319-13051-4_14 CrossRefGoogle Scholar
  7. 7.
    Jean, J., Nikolić, I., Sasaki, Y., Wang, L.: Practical forgeries and distinguishers against PAES. IEICE Trans. 99(A(1)), 39–48 (2016)CrossRefGoogle Scholar
  8. 8.
    Keliher, L., Sui, J.: Exact maximum expected differential and linear probability for two-round advanced encryption standard. IET IFS 1(2), 53–57 (2007)Google Scholar
  9. 9.
    Kölbl, S., Lauridsen, M.M., Mendel, F., Rechberger, C.: Haraka - efficient short-input hashing for post-quantum applications. Cryptology ePrint Archive, Report 2016/098 (2016).
  10. 10.
    Lamport, L.: Constructing digital signatures from a one-way function. Technical Report SRI-CSL-98, SRI International Computer Science Laboratory (1979)Google Scholar
  11. 11.
    Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu, C.K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-34704-7_5 CrossRefGoogle Scholar
  12. 12.
    Nikolić, I.: Tiaoxin v2. Submission to the CAESAR competition (2015).
  13. 13.
    Peyrin, T.: Chosen-salt, chosen-counter, pseudo-collision for the compression function of SHAvite-3. NIST mailing list (2009).
  14. 14.
    Rønjom, S.: Invariant subspaces in Simpira. Cryptology ePrint Archive, Report 2016/248 (2016).
  15. 15.
    Wu, H., Preneel, B.: AEGIS v1: Submission to the CAESAR competition (2014).
  16. 16.
    Yanagihara, S., Iwata, T.: Type 1.x generalized feistel structures. IEICE Trans. 97(A(4)), 952–963 (2014)CrossRefGoogle Scholar
  17. 17.
    Ye, D., Wang, P., Hu, L., Wang, L., Xie, Y., Sun, S., Wang, P.: PAES v1. Submission to the CAESAR competition (2014).

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Christoph Dobraunig
    • 1
  • Maria Eichlseder
    • 1
    Email author
  • Florian Mendel
    • 1
  1. 1.Graz University of TechnologyGrazAustria

Personalised recommendations