Differential Analysis on Simeck and SIMON with Dynamic Key-Guessing Techniques

Abstract

In CHES 2015, a new lightweight block cipher Simeck was proposed that combines good design components of SIMON and SPECK, two lightweight ciphers designed by NSA. As a great tool to improve differential attack, dynamic key-guessing techniques were proposed by Wang et al. that work well on SIMON. In this paper, we convert the dynamic key-guessing techniques to a program that can automatically give out the data in dynamic key-guessing procedure. With our tool, the differential security evaluation of SIMON and Simeck like block ciphers becomes very convenient. We apply the method to Simeck and four members of SIMON family. With a differential of lower Hamming weight we find by Mixed Integer Linear Programming method and differentials in Kölbl et al.’s work, we launch attacks on 21, 22-round Simeck32, 28-round Simeck48 and 34, 35-round Simeck64. Besides, by use of newly proposed differentials in CRYPTO 2015 we get new attack results on 22-round SIMON32/64, 24-round SIMON48/96, 28, 29-round SIMON64/96 and 29, 30-round SIMON64/128. As far as we are concerned, our results on SIMON64 are currently the best results.

Appendix

1.1 Related Keys in Decryption Direction

For sufficient bit condition \(\varDelta X^i_j=0 \text { or }1\) and \(j\in [0,n-1]\), in decrypt direction we have

$$\begin{aligned} \begin{aligned} \varDelta X^i_{j}=\,&\varDelta X^{i+1}_{(j+b)\%n}\wedge X^{i+1}_{(j+a)\%n}\oplus \varDelta X^{i+1}_{(j+a)\%n} \wedge X^{i+1}_{(j+b)\%n} \\&\oplus \varDelta X^{i+1}_{j+b}\wedge \varDelta X^{i+1}_{(j+a)\%n}\oplus \varDelta X^{i+1}_{(j+c)\%n}\oplus \varDelta X^{i+2}_{j}, \end{aligned} \end{aligned}$$

(5)

where

$$\begin{aligned} \begin{aligned} X^{i+1}_{(j+a)\%n}=\,&X^{i+2}_{(j+a+b)\%n}\wedge X^{i+2}_{(j+a+a)\%n}\oplus X^{i+2}_{(j+a+c)\%n} \oplus \\&X^{i+3}_{(j+a)\%n} \oplus K^{i+1}_{(j+a)\%n},\\ X^{i+1}_{(j+b)\%n}=\,&X^{i+2}_{(j+b+b)\%n}\wedge X^{i+2}_{(j+b+a)\%n}\oplus X^{i+2}_{(j+b+c)\%n} \oplus \\&X^{i+3}_{(j+b)\%n} \oplus K^{i+1}_{(j+b)\%n}. \end{aligned} \end{aligned}$$

(6)

Algorithm 3 demonstrates how to get subkey bits that influence \(X^i_j\) and that are linear to \(X^i_j.\)

1.2 Sufficient Conditions of Extended Differential Path for Simeck

We provide the sufficient conditions of extended differential paths of 22-round Simeck32/64, 28-round Simeck48/96 and 35-round Simeck64/128 in Tables 9, 10 and 11.

Table 9. Extended differential path of 22-round Simeck32/64.

Table 10. Extended differential path of 28-round Simeck48/96.

Table 11. Extended differential path of 34-round Simeck64/128.

1.3 Extended Differential Path for SIMON

We provide the sufficient conditions of extended differential paths of 22-round SIMON32, 24-round SIMON48 and 29, 30-round SIMON64 in Tables 12, 13, 14 and 15.

Table 12. Extended differential path of 22-round SIMON32.

Table 13. Extended differential path of 24-round SIMON48.

Table 14. Extended differential path of 29-round SIMON64.

Table 15. Extended differential path of 30-round SIMON64.