Abstract
This paper presents differential attacks on Simon and Speck, two families of lightweight block ciphers that were presented by the U.S. National Security Agency in June 2013. We describe attacks on up to slightly more than half the number of rounds. While our analysis is only of academic interest, it demonstrates the drawback of the intensive optimizations in Simon and Speck.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
Keywords
1 Introduction
Due to the continuously growing impact of RFID tags, smartcards, and FPGAs, cryptographic algorithms which are suitable for resourceconstrained devices become more and more important. Lightweight ciphers are optimized to operate in such environments which are limited with respect to their memory, battery supply, and computing power. For these applications, hard and software efficiency are crucial, and designing cryptographic primitives which preserve security under these constraints is a major challenge.
During the last decade, many lightweight ciphers have been developed including but not limited to HIGHT [11], KATAN [8], KLEIN [9], LBlock [16], LED [10], mCrypton [12], PRESENT [6], and PRINCE [7]. In June 2012, Beaulieu et al. from the U.S. National Security Agency (NSA) contributed to this ongoing research process with the announcement of two novel families of lightweight cipher families, called Simon and Speck [3]. Both constructions support an uncommonly large range of block sizes from 32 to 128 and key sizes from 64 to 256 bits in order to suit a variety of implementations. Simon was thereby optimized for hardware (like KATAN, LED, or PRESENT), and Speck for software implementations (such as KLEIN); though, due to immense optimizations in their round functions, both cipher families perform well in hard and software.
Related Work. Due to their simple structure, Simon and Speck were already target of various cryptanalytical efforts. Alkhzaimi and Lauridsen [2] presented – parallel to our work – differential attacks on up to 16, 18, 24, 29, and 40 rounds for Simon with 32, 48, 64, 96, and 128bit state size, respectively. In addition, the authors showed impossibledifferential attacks on up to 14, 15, 16, 19, and 22 rounds and discussed observations regarding rotational cryptanalysis and weak keys. Alizadeh et al. [1] recently presented the best linear attacks on Simon, with attacks on 12, 15, 19, 28, and 35 rounds.
Biryukov and Velichkov [5] followed another promising approach, where they showed differential characteristics and trails on up to 14, 15, and 21 rounds of Simon and 9, 10, and 13 rounds of Speck with 32, 48, and 64bit state size, respectively. The authors adapted Matsui’s algorithm (which can find optimal differential characteristics for Sboxbased ciphers) for ARX constructions by a concept they called highways and country roads. They pointed out that the computation of a complete differential distribution table (DDT) is infeasible for ARXbased primitives. To overcome this challenge, the authors constructed two partial DDTs: a first one with the characteristics of highest probability (highways), and a second one with trails of slightly lower probabilities (country roads) in order to connect and/or improve their previous characteristics.
Contribution and Outline. This paper describes our differential attacks on Simon and Speck, which are summarized in Table 1. In what follows, Sect. 2 first reviews the necessary details of the encryption functions of Simon and Speck. Section 3 recaps properties of the differential propagation through their respective round functions. Section 4 follows up with a description of how we constructed differential characteristics through parts of both ciphers, and how to extend these characteristics over further rounds. We later use these characteristics for basic differential keyrecovery attacks, which we explain first for Simon in Sect. 5. Then, Sect. 6 describes our differential attacks on Speck. Section 7 shows rectangle attacks on Speck. We conclude this work in Sect. 8.
Notions. We follow the notions of [3], where \(n\) denotes the word size in bits, \(2n \) the state size in bits, and the tuple \((L^r, R^r)\) (the left and right parts of) a state after the encryption of Round \(r\). Further, \(k\) represents the length of the secret key. Furthermore, \(\oplus \) denotes the bitwise XOR, \(+\) the addition modulo \(2^{n}\), \(\wedge \) bitwise AND, \(\vee \) bitwise OR, and \(\overline{x}\) the bitwise inverse of \(x\). We denote by \(x_i\) the \(i\)th least significant bit of value \(x\), and enumerate the bits by \(x = x_{n1}x_{n2}\ldots x_{1}x_{0}\). Alternatively, we write values in typewriter font, i.e., x for hex, and x \(_2\) for binary values, e.g., 1F = 31 and 110 \(_2\) = 6. Concerning differences, we denote by \(\varDelta _{i} \) a difference with all bits are zero, except for the \(i\)th (least significant) bit, and by \(\varDelta _{i,[j,k,\ldots ]} \) a difference where the \(i\)th bit is active and the values of the bits in square brackets are unknown. Further, we denote a differential characteristic or trail from an input difference \(\alpha \) to an output difference \(\beta \) by \(\alpha \rightarrow \beta \).
2 Brief Description of Simon and Speck
Simon and Speck are two simple Feistel constructions that apply a combination of rotation, XOR, and either addition (Speck) or the logical AND (Simon) iteratively over many rounds. The encryption process of Simon is given in Algorithm 1, that for Speck in Algorithm 2. Both cipher families are defined for state sizes \(2n \) and key sizes \(k \): \(32/64\), \(48/72\), \(48/96\), \(64/96\), \(64/128\), \(96/96\), \(96/144\), \(128/128\), \(128/192\), and \(128/256\).
For Simon, \(f: \{0,1\}^{n} \rightarrow \{0,1\}^{n}\) is defined as \(f(x) := (x \lll 1) \wedge (x \lll 8)\). The rotation constants in Speck are \(\alpha = 8\) and \(\beta = 3\) for the most versions of Speck; only Speck32/64 uses \(\alpha = 7\) and \(\beta = 2\).
3 Differential Properties of Simon and Speck
Differential Properties for the Round Function of Speck . For Speck, one requires only the wellknown XORdifferential probabilty of the modular addition (\(\text {xdp}^{+}\)), which was studied in detail by Lipmaa and Moriai [13, 14].
Definition 1
(XORDifferential Probabilty of Addition [14]). Let \(\alpha , \beta , \gamma \) be fixed \(n\)bit XOR differences, and \(f(x,y) = x + y~\mathrm{mod}~n\). Then, \(\text {xdp}^{+}\) is defined as the probability over all \(x \in \{0,1\}^{n}\), such that
Differential Properties for the Round Function of Simon . For Simon, one has to consider the differential probability for the round function \(f(x)\). At the end of this section, we provide an algorithm that yields the set and number of all possible output differences for a fixed input difference. In the following, we explain first the differential probability (DP) of logical AND; next, we derive the DP of AND in combination with rotation, and then consider the DP of AND with rotationally dependent inputs. We follow the notation by [5].
Property 1
(Absorption of Logical AND). Let \(x, x', y, y' \in \{0,1\}\) and \(f(x, y) = x \wedge y\). Let \(\alpha = x \oplus x', \beta = y \oplus y', \gamma = f(x,y) \oplus f(x',y')\). Then, it applies that
Property 1 states that the differential output of the logical AND is biased: if \(\alpha \) and \(\beta \) are 0, then \(\gamma \) must be 0. If \(\alpha \) and/or \(\beta \) is 1, there is still a probability of 1/2 that the AND operation will cancel the active bit in the output difference.
Definition 2
(XORDifferential Probability of AND). Let \(\alpha \), \(\beta \), \(\gamma \) be fixed \(n\)bit XOR differences, and let \(f(x, y) = x \wedge y\). The XORdifferential probability of the logical AND (\(\text {xdp}^{\wedge }\)) is the probability over all \(x, y \in \{0,1\}^{n}\), such that
Property 2
(XORDifferential Probability of AND). Let \(\alpha , \beta , \gamma \) be fixed \(n\)bit XOR differences and \(hw(\cdot )\) the hammingweight function. Then,
Property 2 transfers Property 1 from bits to \(n \)bit differences. Only those bits that are active in \(\alpha \) and/or \(\beta \) can be active in \(\gamma \) – each with probability 1/2. This is reflected by the term \((\alpha \vee \beta )\). If \(\gamma \) contains active bits at other positions, then, \(\gamma \wedge \overline{\alpha \vee \beta } \ne 0^{n}\) and \(\Pr [\alpha , \beta \rightarrow \gamma ] = 0\). Otherwise, all other possible differences \(\gamma \) are equally possible. Thus, the term \(\alpha \vee \beta \) can be interpreted as the definition of a set of possible output differences, i.e., one can efficiently iterate over all possible combinations of values for its active bits and will obtain all possible output differences \(\gamma \).
Definition 3
(XORDifferential Probabilty of AND with Rotations). Let \(\alpha \), \(\beta \), \(\gamma \) be fixed \(n\)bit XOR differences, \(r \in [0, n 1]\) be a fixed rotation amount, and \(f(x, y) = x \wedge (y \lll r)\). Then, \(\text {xdp}^{\wedge , \lll }\) is defined as the probability over all \(x, y \in \{0,1\}^{n}\), such that
Since rotation and bitwise logical AND are linear, we can derive
We can easily transform \(f(x) = (x \lll s) \wedge (x \lll t)\), with \(s, t \in [0,n1], s \ne t\) into \(f(x) = x \wedge (x \lll r)\) with \(r = s  t ~\mathrm{mod}~n \). In the following, we also take rotationally dependent inputs into account.
Definition 4
(XORDifferential Probabilty of AND with Rotationally Dependent Inputs). Let \(\alpha \), \(\beta \) be fixed \(n\)bit XOR differences, \(r \in [0,n1]\) be a fixed integer, and \(f(x) = x \wedge (x \lll r)\). Then, \(\text {xdp}^{x \wedge (x \lll r)} \) is defined as the probability over all \(x \in \{0,1\}^{n}\), such that
Property 3
(Differential Propagation of \(\text {xdp}^{x \wedge (x \lll r)} \)). Let \(\alpha \) be fixed \(n\)bit XOR difference and \(r\in [0,n1]\) be a fixed integer. Let \(f: \{0,1\}^{n} \rightarrow \{0,1\}^{n}\) be defined by \(f(x) = x \wedge (x \lll r)\). Then, the set of possible output differences \(\beta \) for \(\text {xdp}^{x \wedge (x \lll r)} \), can be efficiently computed in O\((n)\) as shown in Algorithm 3.
Example: \(n = 16, r = 7, \alpha = \mathtt 0500 \).Let \(x, x'\) be two 16bit values which serve as input to \(f(x)\), with \(x \oplus x' = \alpha \) and \(\beta = f(x) \oplus f(x')\). We see that
Algorithm 3 returns \(\beta =\) 1000010 \(*^1\) 000000 \(*^1\) 0 \(_2\), and \(count = 3\). The star symbol \(*\) denotes dependent bits and the index \(*^i\), indicates pairs of bits that are related.

\(\beta _1\) depends on \(\alpha _1\) (top) and \(\alpha _{10}\) (bottom), with \(\alpha _1 = 0\) and \(\alpha _{10} = 1\);

\(\beta _8\) depends on \(\alpha _{8}\) (top) and \(\alpha _1\) (bottom), with \(\alpha _1 = 0\) and \(\alpha _{8} = 1\);
From \(\alpha _1 = 0\) follows that \(x_2 = x'_2\). When \(x_2 = x'_2 = 0\) then \(\beta _1 = \beta _8 = 0\); otherwise, when \(x_2 = x'_2 = 1\), it must hold that \(\beta _1 = \beta _8 = 1\). We call \(\beta _1\) and \(\beta _8\) dependent bits. Since \(\beta \) contains four active bits and one pair of them depends on each other, there are \(2^{41} = 2^3\) possible output differences defined by \(\beta \), namely:
Each difference can be formed by \(2^{16  3} = 2^{13}\) possible pairs \((x, x')\).
4 Search for Differential Characteristics and Differentials
During our analysis, we applied a twostep approach to find our differentials. Firstly, we employed Matsui’s algorithm [15] to find some characteristics for the 32, 48, and 64bit versions of Simon:
Simon32/64  Simon48/\(k\)  Simon64/\(k\)  

\(\alpha \)  \((\varDelta _{5}, 0)\)  \((\varDelta _{8,16}, \varDelta _{6,14,18})\)  \((\varDelta _{6}, 0)\) 
\(\beta \)  \((\varDelta _{14}, 0)\)  \((\varDelta _{6,14,18,22}, \varDelta _{20})\)  \((\varDelta _{6,10,14}, \varDelta _{12})\) 
Rounds  12  15  20 
\(\Pr [\alpha \rightarrow \beta ]\)  \(2^{36}\)  \(2^{52}\)  \(2^{70}\) 
Secondly, we applied a branchandbound search, similar to the approach of [2]. There, we started from the input difference \(\alpha \) and propagated it roundwise in forward and backward direction. For each round, we collected all possible output characteristics \(\alpha \rightarrow \beta \) and their probability \(p\) as a tuple \((\beta , p)\) in a set and used them as a starting point for the next round in a depthfirst manner. Therefore, we used Algorithm 3 for Simon and a variant of the Algorithm by Lipmaa and Moriai [14] for Speck.
Since following each path is infeasible, we pruned the search tree by considering only characteristics \(\alpha \rightarrow \beta \) with a probability above a chosen threshold. Therefore, we used the characteristic found with Matsui’s algorithm as a reference, i.e., say Matsui’s characteristic had probability \(p = 2^{q}\) after some round \(r\), we only considered those characteristics \(\beta \) as input to round \(r + 1\) that had a probability \(p \gg 2^{q  thresh}\). We further pruned the search tree by only storing a (chosen) maximal number of characteristics.
Every time two differential characteristics lead to the same output difference \(\beta \) after a round, we merged them to one differential trail and added their probabilities. We emphasize that our characteristics have been found experimentally and do not necessarily represent the best possible ones. Further, note that we rely on the assumption that all possible round keys are equally probable and uniformly distributed for every round.
Extending Differential Characteristics to Attacks. A given differential can be extended by a few more rounds in a keyrecovery attack for any version of Simon2\(n\)/\(k\). Assume, we are given an \(r\)round differential \((\alpha , \beta ) \rightarrow (\gamma , \delta )\). Because Simon injects the subkey at the end of the rounds, the adversary itself can compute the output of \(f(x)\) in the first round, choose \((\beta , \alpha \oplus f(\beta ))\) as input difference and obtains an \((r + 1)\)round differential with equal probability. A similar strategy can be applied at the output side. Given an output difference \((\gamma , \delta )\) after \((r + 1)\) rounds, the difference after \((r + 2)\) rounds is \((\delta \oplus f(\gamma ), \gamma )\). Since the subkey in the last round of a characteristic does not affect the output difference \(\delta \oplus f(\gamma )\), the adversary can compute \(f(\gamma )\) itself and obtains an \((r + 2)\)round differential with equal probability.
For the versions 48/72, 64/96, 96/144, and 128/192bit versions, one can append a further round by simply guessing its full subkey. The total computational effort for collecting plaintextciphertext pairs and testing all subkey candidates for the appended round remains significantly smaller than that for exhaustively searching the full key space. Moreover, for the 32/64, 48/96, 64/128, and 128/256bit versions, one can append another round by guessing its subkey.
5 KeyRecovery Attacks on Simon
In this section we describe a keyrecovery attack on roundreduced Simon32/64. Since attacks on the further variants follow a similar procedure, we specify only their complexities at the end of this section. For Simon32/64 we use the \(13\)round differential characteristic with \(p \approx 2^{30.2}\) (see Table 4 in Appendix A) over the rounds \(214\):
Note that we can choose the left part of the plaintext pairs \(P, P'\), s.t. we obtain the desired difference \(\varDelta ^1\) after the first round. We can append four additional rounds to the end of the cipher, where we will guess in total 18 key bits. From the obtained ciphertexts, we still know many bits from the truncated trail:
Attack Procedure. The full attacking procedure can be split into a collection, a pairfiltering, a keyguessing, and a bruteforce phase:

Collection Phase

1.
Initialize an empty set \(\mathcal {C} = \emptyset \).

2.
Choose \(2^{30.2}\) plaintext pairs \((P_i, P'_i)\), s.t. their difference after the first round yields \(\varDelta ^1\).

3.
Collect their corresponding ciphertext pairs \((C_i, C'_i)\) from an encryption oracle, where \(C_i = E_K (P_i)\) and \(C'_i = E_K (P'_i)\).

1.

PairFiltering Phase

4.
For all ciphertext pairs, invert the final round to derive \(\varDelta ^{17}\) and store all pairs \((C_i, C'_i)\) with the correct difference at the known bits \(\varDelta ^{17}\) in \(\mathcal {C}\). We know seven bits of \(\varDelta L^{17}\) and 11 bits of \(\varDelta R^{17}\). Assuming the differences \(\varDelta ^{17}\) are uniformly distributed, we can expect \(2^{30.218} = 2^{12.2}\) pairs in average.

4.

KeyGuessing Phase

5.
Create a list of counters for all \(2^{18}\) possible values of the roundkey bits \(K^{17}_{0,1,5,711,14,15}\), \(K^{16}_{69,13,15}\), and \(K^{15}_{9,7}\), and perform the following steps for each candidate:

–
For all pairs \((C_i, C'_i) \in \mathcal {C}\):

–
Partially decrypt \((C_i, C'_i)\) to the state after the encryption of Round \(14\). If their difference matches \(\varDelta ^{14}\), increment the counter for the current key candidate.

–

–

6.
Output the key candidate(s) which is/are associated to the highest counter values.

5.

BruteForce Phase

7.
For all bits of \(K^{17}\), \(K^{16}\), \(K^{15}\), and \(K^{14}\) that are not guessed in the previous steps, perform further encryptions to identify their correct values.

7.
Attack Complexity. The attack requires \(2^{31.2}\) chosen plaintexts. Regarding the memory complexity, we store \(2 \cdot 2^{12.2}\) texts of \(32\) bits each, or \(2^{15.2}\) bytes for the attack. The computational effort for the collection phase, \(C_{\text {collect}} \), is equivalent to \(2^{30.2}\) full encryptions performed by the oracle. The filtering effort, \(C_{\text {filter}} \), is given by \(2^{30.2}\) oneround decryptions to check 18 bits of \(\varDelta ^{17}\). The effort for the keyguessing phase, \(C_{\text {keyguessing}} \), consists of decrypting the remaining pairs for each of the \(2^{18}\) key candidates over three further rounds.
Assuming that both filtering steps of the pairfiltering and the keyguessing phase are independent from each other, we can identify the correct value of the 18 guessed key bits. A trivial bruteforce search can find the correct value of the 46 remaining bits of the considered subkeys \(K^{14},K^{15},K^{16},K^{17}\) with about \(2^{46}\) encryptions. The total computational complexity can be estimated by
Remark 1
Note that in the case that our assumption would not hold, we still have a differential that is satisfied with probability \(p = 2^{30.2}\), and a 32bit filter at \(\varDelta ^{14}\). Hence, we can expect to be able to reduce the candidates of the 18 key bits we guess in the final four rounds to \(2^{30.2} \cdot 2^{18} \cdot 2^{32} = 2^{16.2}\), increasing the complexity of the bruteforce step to \(2^{46} \cdot 2^{16.2} = 2^{62.2}\) encryptions, which is still significantly faster than exhaustive search. In general case, the computational effort for our attacks would then be dominated by the costs for a simple exhaustive search on the remaining key space. Hence, the time complexities would then become approximately \(2^k/(p\cdot 2^{2n})\) (\(k = 64\), \(n = 16\), \(p \approx 2^{30.2}\) for Simon32/64).
Success Rate. Since the probability of a pair to follow our differential is about \(2^{30.2}\), the probability that at least one correct pair occurs for the correct key can be approximated by
Similar Attacks on Further Versions. We can apply the same procedure to further versions of Simon. To cover one additional round, we use chosen ciphertexts in the attack on Simon48/\(k\). Table 2 summarizes the probabilities, required number of pairs, known state bits to filter (1st filter), guessed key bits (key bits), and success rates (where false random shows the probability that no correct pair occurs during execution of the respective attack, and false real denotes the probability of a falsepositive pair to occur) for each attack. The differential characteristics for the further version are illustrated in Tables 4, 5 and 6 in Appendix A.
6 Differential Attacks on Speck
In this section we describe our differential analysis of Speck. Since the small version of Speck (Speck32/64) allows a simple practical verification, in the following, we only discuss this version in detail. We apply the same strategy to the remaining family members of Speck and present only their complexities at the end of this section.
6.1 KeyRecovery Attack on Speck32/64
We use the characteristic for Speck32/64 from Table 7 in Appendix A with \(p \approx 2^{24}\) over rounds \(29\) to mount a \(10\)round attack.
Attack Procedure. Again, we split the attacking procedure into a collection, a keyguessing, and a bruteforce phase:

Collection Phase

1.
Initialize an empty list \(\mathcal {C} = \emptyset \).

2.
Choose \(2^{28}\) pairs \((P_i, P'_i)\) s.t. their difference after the first round is \(\varDelta ^1\).

3.
Collect the corresponding ciphertext pairs \((C_i, C'_i)\) from a decryption oracle, where \(C_i = E_K (P_i)\) and \(C'_i = E_K (P'_i)\). Derive \(\varDelta L^9_{03}, \varDelta R^9\) and store all pairs \((C_i, C'_i)\) with \(\varDelta L^9_{03} = \varDelta _{3} \) and \(\varDelta R^9 = \varDelta _{3,5,7,10,12,14,15} \) in the list \(\mathcal {C}\).

1.

KeyGuessing Phase

4.
Create a list of \(2^{12}\) counters.

5.
For all possible values of the 12 key bits \(K^{9}_{415}\):

–
For all pairs \((C_i, C'_i) \in \mathcal {C}\):

–
Partially decrypt \((C_i, C'_i)\) to the state after the encryption of Round \(9\), and derive \(\varDelta L^{9}\). If \(\varDelta L^{9} = \varDelta _{1,3,5,15} \), then increment the counter for the current key candidate.

–

–

6.
Output those keys as potentially correct for which their counter has a value of at least four.

7.
Mark all pairs which yielded the correct \(\varDelta ^{9}\) for the potentially correct key(s) as correct pairs.

4.

BruteForce Phase

8.
Partially decrypt all correct pairs round by round to get the correct subkey bits \(K^{9}_{03}\), \(K^8\), \(K^7\), and \(K^6\).

8.
Success Rate. The probability that a pair follows our differential characteristic is about \(2^{24}\). Hence, the probability that no more than three correct pairs occur when using Speck (i.e., the correct subkey will not be found) is about
and hence, the success probability of the attack approx. \(1  9.31 \cdot 10^{5} > 0.99\).
Attack Complexity. Our attack on Speck32/64 requires \(2^{29}\) chosen plaintexts. The computational effort for \(C_{\text {collect}} \) covers \(2^{29}\) full encryptions performed by an encryption oracle. The filtering effort, \(C_{\text {filter}} \), is twofold. First, we partially decrypt all ciphertext pairs over the final round. There, we have a 20bit filter from the four leastsignificant bits of \(\varDelta L^9\) and the full \(\varDelta R^9\). Assuming all differences occur uniformly at random, we expect to have \(2^{28  20} = 2^8\) remaining pairs afterwards. Thereupon, for \(2^{12}\) values of \(K^{9}_{415}\), we derive the remaining \(2^8\) pairs and derive \(\varDelta L^9\). In the bruteforce phase, the adversary partially decrypts the remaining pairs round by round to identify the correct round keys. Therefore, the full computational complexity is given by
encryptions. Concerning the memory complexity, we store a list of counters for all key candidates, which requires \(2^{12}\) bytes for the first filtering phase and \(2^{16}\) bytes for the counters of the round keys in the bruteforce phase.
We can apply a similar procedure for the remaining versions of Speck and obtain the results of Table 3. In all cases, the computational effort is dominated by the bruteforce step. The differentials for the individual versions of Speck can be found in the Tables 7, 8, 9 and 10 in Appendix A.
7 Rectangle Attacks on Speck
Boomerangs and Rectangles. Boomerangs and rectangles allow to use two short differential characteristics with high probabilities instead of a single long differential. Therefore, one first splits a given cipher \(E \) into parts \(E = E ^2 \circ E ^1\), and searches for two differentials \(\alpha \xrightarrow [E ^1]{p} \beta \text { and } \gamma \xrightarrow [E ^2]{q} \delta \). Next, one collects quartets of plaintexts \((P, P', Q, Q')\) with \(P \oplus P' = Q \oplus Q' = \alpha \). In the following we denote by \((R, R', S, S')\) their encryptions after \(E ^1\) and by \((C, C', D, D')\) their encryptions after \(E ^2\).
Each quartet has a probability of \(p^2\) that \((R, R', S, S')\) fulfils \(R \oplus R' = S \oplus S' = \beta \). We are interested in the case when \(R \oplus S = \gamma \) since then, it automatically applies that \(R' \oplus S' = \gamma \). With probability \(q^2\), a ciphertext quartet \((C, C', D, D')\) fulfils \(C \oplus D = C' \oplus D' = \delta \). In this case, we call it a right quartet. If an adversary collects \(m\) pairs with difference \(\alpha \), then, the expected number of right quartets according to [4] is:
Hence, it must apply that \(pq < 2^{n/2}\) in order to mount an attack on \(E\).
As an improvement Biham et al. proposed in [4] to use quartets with any possible difference \(\beta '\) and \(\gamma '\) in the middle, as long as both pairs in a quartet share the same difference \(\beta '\) and \(\gamma '\) after \(E ^1\). Thus, the probabilities of \(p\) and \(q\) increase to
In the remainder of this section, we describe in details a rectangle attack on 11 rounds of Speck32/64. Since our attacks on the further versions of Speck work similar, we only specify the used trails and their complexities in Tables 11 and 12 in Appendix B.
7.1 Rectangle Attack on Speck32/64
For the attack on Speck32/64 we use the following trails \(\alpha \rightarrow \beta '\) and \(\gamma ' \rightarrow \delta \):
\(E _1\) represents the rounds 2–6, and \(E _2\) the rounds 7–10. Again, we can split the attacking procedure into a collection, a keyguessing, and a bruteforce phase:

Collection Phase

1.
Initialize two empty hash tables \(\mathcal {C}\), \(\mathcal {D}\), and a list \(\mathcal {Q}\).

2.
Choose \(\frac{2^{(n + 2)/2}}{\hat{p}\hat{q}} = \frac{2^{34/2}}{2^{8.01}2^{4.56}} = 2^{29.57}\) plaintext pairs \((P, P')\) s.t. their difference after the first round is \(\alpha \).

3.
Ask for the encryption of \((P,P')\) and receive the corresponding ciphertext pair \((C,C')\). Then, partially decrypt \(C, C'\) over the final round to the state after Round 10, \((R^{10}, {R'}^{10})\) and store the result in \(\mathcal {C}\). XOR the right part of \(\delta \) to \((R^{10} \oplus \varDelta _{1,3,10,15}, {R'}^{10} \oplus \varDelta _{1,3,10,15} \) and store them in \(\mathcal {D}\).

4.
Prior, lookup if there is already an entry in \(\mathcal {D}\) under the index
$$(R^{10} \oplus \varDelta _{1,3,10,15}, {R'}^{10} \oplus \varDelta _{1,3,10,15}). $$If there is, label the existing ciphertext pair in \(\mathcal {D}\) as \((D, D')\) and store the quartet \((C, C', D, D')\) in \(\mathcal {Q}\). We can build \((2^{29.57})^2 / 2 = 2^{58.14}\) quartets from our pairs. Since this event requires a match in 16 bits of the first, and 16 bits of the second pair, we can expect to have at average a number of \(2^{58.14  32} \approx 2^{26.14}\) false positive quartets for which this condition holds. Since the probability of a right quartet is \(2^{2 \cdot 8.01 + 2 \cdot 4.56} = 2^{25.14}\), we can expect \(2^{58.14  25.14} = 2^{33}\) right quartets in addition. We approximate \(2^{33} + 2^{26.14} \approx 2^{33}\) hereafter.

1.

Filtering Phase

5.
Initialize a table \(\mathcal {T}\) of \(2^{16}\) counters.

6.
For all possible values of the subkeys \(K^{10}\):

6.1
Decrypt all quartets over the final round and check whether their difference \(\varDelta L^{10}\) is equal to \(\varDelta _{15} \). If yes, then increment the counter for the current key candidate in \(\mathcal {T}\).

6.1

7.
Output the key candidate(s) with the maximal count(s) in \(\mathcal {T}\).

5.

BruteForce Phase

8.
Partially decrypt the remaining pairs round by round to identify the further round keys \(K^9\), \(K^8\), and \(K^7\).

8.
Attack Complexity. The attack requires \(2^{30.07}\) chosen plaintexts. We have to store the corresponding ciphertexts, the remaining \(2^{33}\) quartets, and a list of \(2^{16}\) counters for all roundkey candidates. So, we can approximate the required memory by \((2^{30.07} + 4 \cdot 2^{33}) \cdot 32/8 + 2^{16} \approx 2^{37.1}\) bytes. The computational effort for the collection phase, \(C_{\text {collect}} \), consists of \(2^{30.07}\) full encryptions performed by the oracle, and \(2^{30.07}\) halfround decryptions. Additionally, we need \(2^{30.07}\) memory accesses to look up potential quartets and about \(4 \cdot 2^{33}\) memory accesses in average to store the remaining quartets.
To use consistent units, we overestimate a memory access by a halfround computation. In the filtering phase, we have to perform \(2^{16} \cdot 4 \cdot 2^{33} = 2^{51}\) halfround decryptions to obtain the difference in the left word after Round 10. Summing up, we obtain a computational effort of
encryptions.
8 Discussion and Conclusion
This work presented differential attacks on roundreduced versions of the Simon and Speck. Furthermore, we briefly considered rectangle attacks on Speck. We also studied rectangle attacks on Simon and impossibledifferential attacks; however, we omitted those since they did not improve our results with conventional differentials.
Our analysis can be seen as a starting point for further research on Simon and Speck. For Simon, it demonstrates that up to half the number of rounds are vulnerable against differential attacks due to its highly optimizied round function. Moreover, the cipher shows a strong differential effect, i.e., there are many possible characteristics for given input and output difference.
Speck is much closer to previous ARX designs such as ThreeFish than Simon. However, while ThreeFish has been published four years ago, still only 1/3 of the rounds have been attacked so far, whereas the current analysis of Speck already threatened the security of up to half of the rounds little time after publication. Moreover, any new analysis method on additionbased ARX would be a threat to both NSA constructions as well. In conclusion, we can learn from Simon that ARX designs should incorporate additions to provide reasonably fast diffusion.
References
Alizadeh, J., Bagheri, N., Gauravaram, P., Kumar, A., Sanadhya, S.K.: Linear Cryptanalysis of Round Reduced SIMON. Cryptology ePrint Archive, Report 2013/663 (2013). http://eprint.iacr.org/
Alkhzaimi, H.A., Lauridsen, M.M.: Cryptanalysis of the SIMON Family of Block Ciphers. Cryptology ePrint Archive, Report 2013/543 (2013). http://eprint.iacr.org/
Beaulieu, R., Shors, D., Smith, J., TreatmanClark, S., Weeks, B., Wingers, L.: The SIMON and SPECK Families of Lightweight Block Ciphers. Cryptology ePrint Archive, Report 2013/404 (2013). http://eprint.iacr.org/
Biham, E., Dunkelman, O., Keller, N.: The Rectangle Attack  Rectangling the Serpent. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 340–357. Springer, Heidelberg (2001)
Biryukov, A., Velichkov, V.: Automatic Search for Differential Trails in ARX Ciphers (Extended Version). Cryptology ePrint Archive, Report 2013/853 (2013). http://eprint.iacr.org/
Bogdanov, A.A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: An UltraLightweight Block Cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)
Borghoff, J., et al.: PRINCE: A LowLatency Block Cipher for Pervasive Computing Applications  Extended Abstract. In: Sako, K., Wang, X. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012)
De Cannière, C., Dunkelman, O., Knežević, M.: KATAN and KTANTAN: A Family of Small and Efficient HardwareOriented Block Ciphers. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 272–288. Springer, Heidelberg (2009)
Gong, Z., Nikova, S., Law, Y.W.: KLEIN: A New Family of Lightweight Block Ciphers. In: Juels, A., Paar, C. (eds.) RFIDSec 2011. LNCS, vol. 7055, pp. 1–18. Springer, Heidelberg (2012)
Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.: The LED Block Cipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer, Heidelberg (2011)
Hong, D., et al.: HIGHT: A New Block Cipher Suitable for LowResource Device. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 46–59. Springer, Heidelberg (2006)
Lim, C.H., Korkishko, T.: mCrypton  A Lightweight Block Cipher for Security of LowCost RFID Tags and Sensors. In: Song, J.S., Kwon, T., Yung, M. (eds.) WISA 2005. LNCS, vol. 3786, pp. 243–258. Springer, Heidelberg (2006)
Lipmaa, H.: On Differential Properties of PseudoHadamard Transform and Related Mappings. In: Menezes, A., Sarkar, P. (eds.) INDOCRYPT 2002. LNCS, vol. 2551, pp. 48–61. Springer, Heidelberg (2002)
Lipmaa, H., Moriai, S.: Efficient Algorithms for Computing Differential Properties of Addition. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 336–350. Springer, Heidelberg (2002)
Matsui, M.: On Correlation Between the Order of Sboxes and the Strength of DES. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 366–375. Springer, Heidelberg (1995)
Wu, W., Zhang, L.: LBlock: A Lightweight Block Cipher. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 327–344. Springer, Heidelberg (2011)
Acknowledgments
We thank all reviewers of the FSE 2014 for their helpful comments and furthermore, we would like to thank Christian Forler, Ivica Nikolić, Douglas Shors, and Vesselin Velichkov for fruitful discussions.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Differential Characteristics for Simon and Speck
We use the following notions for the tables in this section. Each table contains at least a differential characteristic for one version of Simon or Speck. We denote by \(\sum \) the total probability of the full characteristic, and by \(\sum _{acc}\) the accumulated probability of all found trails from start to end difference.
B Rectangle Attacks on Speck
Rights and permissions
Copyright information
© 2015 International Association for Cryptologic Research
About this paper
Cite this paper
Abed, F., List, E., Lucks, S., Wenzel, J. (2015). Differential Cryptanalysis of RoundReduced Simon and Speck . In: Cid, C., Rechberger, C. (eds) Fast Software Encryption. FSE 2014. Lecture Notes in Computer Science(), vol 8540. Springer, Berlin, Heidelberg. https://doi.org/10.1007/9783662467060_27
Download citation
DOI: https://doi.org/10.1007/9783662467060_27
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 9783662467053
Online ISBN: 9783662467060
eBook Packages: Computer ScienceComputer Science (R0)