Differential Cryptanalysis of Reduced-Round Simon

Farzaneh Abed, Eik List, Stefan Lucks, and Jakob Wenzel
Bauhaus-Universität Weimar, Germany
{farzaneh.abed, eik.list, stefan.lucks, jakob.wenzel}@uni-weimar.de

Abstract. In June 2013 the U.S. National Security Agency proposed two families of ultra-lightweight block ciphers, called Simon and Speck. In this paper we present the first cryptanalysis of round-reduced versions of Simon. We mount differential distinguishers and key-recovery attacks on up to 14/32, 17/36, 21/44, 26/54, and 32/72 rounds, for the 32-, 48-, 64-, 96-, and 128-bit versions, respectively. Furthermore, we briefly consider impossible-differential and rotational attacks. While our attacks are mostly academic, they demonstrate the drawback of the aggressive optimizations in Simon which allow powerful differential cryptanalysis.

Keywords: Differential cryptanalysis, block cipher, lightweight, Simon

1 Introduction

Nowadays, due to the permanently growing impact of RFID tags, smartcards, and FPGAs, algorithms which are suitable for resource-constrained devices become more and more important. In 2012, the U.S. National Security Agency (NSA) designed two families of ultra-lightweight block ciphers, Simon and Speck, where Speck is optimized for software (like KLEIN [12]) and Simon for hardware implementations (like PRESENT [9], LED [13], or KATAN [10]). The first publication on Simon and Speck presented only performance figures and implementation footprints [2], and was noticed by the cryptographic research community in the work by Saarinen and Engels [19] from Summer 2012. However, in contrast to the usual disclosure policy of the NSA, the specifications of both constructions have recently been published [3] and are free for analysis. While the NSA certainly possesses both the resources and the expertise to construct and analyze secure ciphers, the design team did not include a proper discussion of the resistance against common attacks. Rather, they left the task of analyzing the security of their constructions to the research community. We devote this work to analyzing Simon (and, later, Speck) with regard to its resistance against differential cryptanalysis.

Contribution. First, we discuss observations regarding the round structure of Simon which are relevant to building efficient differential characteristics through parts of the cipher. Then we show a very basic distinguisher, which is subsequently extended with a key-guessing phase. There, we will show that we can apply our attack procedure a few times with rotated versions of our differential characteristics in order to efficiently decrease the computational effort of finding the remaining bits of the secret key. In addition, we show in brief impossible-differential attacks on all versions, and have a brief look at rotational cryptanalysis. A summary of our results can be found in Table 1.

Outline. Section 2 reviews in brief the necessary details of Simon and shows some structural properties as well as some observations on the differentials we use. Section 3 presents a basic distinguisher, which is transformed into a key-recovery attack in Section 4. Section 5 considers our impossible-differential attack. Finally, Section 6 concludes this work. Before that, Table 2 introduces the notation used in this paper.

State  Key      #Rounds  Method               Time      Data (CP)  Memory (bytes)
size   size
32     64       12       Differential Dist.   2^24      2^24       negl.
32     64       13       Impossible KR        2^50.1    2^30       2^20
32     64       14       Differential KR      2^34.7    2^29.6     2^17
48     96       15       Impossible KR        2^53      2^38       2^20.6
48     all      16       Differential Dist.   2^45      2^45       negl.
48     all      18       Differential KR      2^65.5    2^45.6     2^34.6
64     128      17       Impossible KR        2^71      2^52       2^21
64     all      19       Differential Dist.   2^59      2^59       negl.
64     96       21       Differential KR      2^59.8    2^59.6     2^28
64     128      21       Differential KR      2^71      2^60       2^28
96     144      19       Impossible KR        2^111     2^84       2^19.6
96     all      24       Differential Dist.   2^89      2^89       negl.
96     all      26       Differential KR      2^94.7    2^94.6     2^46.6
128    256      25       Impossible KR        2^195     2^119      2^23
128    all      28       Differential Dist.   2^114     2^114      negl.
128    128      31       Differential KR      2^124.7   2^124.6    2^51
128    192/256  32       Differential KR      2^172     2^125      2^74

Table 1. Summary of our results on Simon. Dist. = distinguisher, KR = key recovery, negl. = negligible, CP = chosen plaintexts (or ciphertexts).

2 Simon

Simon is a balanced Feistel cipher built from rotations, XOR and AND only (an ARX-like design without modular additions) that follows the approach of using a few extremely simple and highly efficient operations in a round function that is then iterated many times, following the strategy of, e.g., Threefish [11]. The round function of Simon processes the left half of the state (L^i) using rotations and a logical AND, and XORs the results and one n-bit round key to the right half (R^i) of the state before both halves are swapped. At the end, the result of the final round (L^r, R^r) is output as the ciphertext. An illustration of the round function is depicted in Figure 1.

n                       Word size of Simon2n/k.
2n                      State size of Simon2n/k.
k                       Size of the secret key in bits.
P_i, C_i                Plaintext-ciphertext pair.
(L^r, R^r)              Left (L) and right (R) halves of the state after encryption of Round r in a Feistel cipher.
L_{i,j}                 The i-th and j-th least-significant bits of L.
∆_i                     An n-bit (XOR) difference in which only the i-th bit is active, with 0 ≤ i ≤ n−1; ∆_0 denotes the least-significant bit.
∆_{i,[j]}               An n-bit truncated difference in which the i-th bit is active and the j-th bit is unknown.
∆^r                     Difference after Round r.
∆^r --(p)--> ∆^s over E  A differential characteristic which yields the output difference ∆^s with probability p when encrypting over a (sub-)cipher E, starting from the input difference ∆^r.

Table 2. Notation used throughout this paper.







Fig. 1. The round function of Simon.

Key Schedule. The key schedule of Simon generates in total r round keys K^0, ..., K^{r−1} using an LFSR-like procedure. More precisely, there are three slightly different key schedules, depending on whether the secret key consists of w = 2, 3, or 4 words. At the beginning, the first w words K^0, ..., K^{w−1} are initialized with the secret key. The remaining key words K^i, for all i ∈ {w, ..., r−1}, are generated from these as follows (≫ denotes rotation to the right; we give the schedules as in the specification [3]):

  w = 2:  K^i = K^{i−2} ⊕ (K^{i−1} ≫ 3) ⊕ (K^{i−1} ≫ 4) ⊕ c ⊕ (z_j)_{i−2},
  w = 3:  K^i = K^{i−3} ⊕ (K^{i−1} ≫ 3) ⊕ (K^{i−1} ≫ 4) ⊕ c ⊕ (z_j)_{i−3},
  w = 4:  K^i = K^{i−4} ⊕ T ⊕ (T ≫ 1) ⊕ c ⊕ (z_j)_{i−4},   where T = K^{i−3} ⊕ (K^{i−1} ≫ 3).

Note that (K^{i−1} ≫ 3) ⊕ (K^{i−1} ≫ 4) equals T ⊕ (T ≫ 1) for T = K^{i−1} ≫ 3, so all three schedules share the structure "XOR the oldest key word with T ⊕ (T ≫ 1)". To prevent slide attacks (and to complicate rotational cryptanalysis), the generated keys are XORed with the constant c = 0xff...fc and a bit (z_j)_i, which denotes the i-th bit of one of five constant sequences z_0, z_1, z_2, z_3, or z_4 (each of period 62). The exact specification of the sequences can be found in [3].
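As an added worked example (not code from the paper), the following Python implements Simon32/64 from the public specification [3]: the round function f(x) = ((x ≪ 1) ∧ (x ≪ 8)) ⊕ (x ≪ 2), where the rotations by one and eight feed the AND and the rotation by two feeds the XOR, the Feistel round (L, R) → (R ⊕ f(L) ⊕ K^i, L), and the four-word key schedule above with c = 0xfffc and the sequence z_0. Word size, the key-word layout (K^0 is the least-significant key word) and the official test vector are taken from [3]; the function names are this example's own.

```python
"""Simon32/64 reference implementation (added example, follows the specification [3])."""

N = 16                      # word size n of Simon32/64
MASK = (1 << N) - 1
ROUNDS = 32
C = MASK ^ 3                # the constant c = 0xff...fc, i.e. 0xfffc for n = 16
Z0 = "11111010001001010110000111001101111101000100101011000011100110"  # z_0, period 62


def rol(x, r):
    """Rotate the n-bit word x left by r positions (x <<< r)."""
    return ((x << r) | (x >> (N - r))) & MASK


def ror(x, r):
    """Rotate the n-bit word x right by r positions (x >>> r)."""
    return ((x >> r) | (x << (N - r))) & MASK


def f(x):
    """Simon's round function on the left half: AND of two rotations, XORed with a third."""
    return (rol(x, 1) & rol(x, 8)) ^ rol(x, 2)


def key_schedule(key_words):
    """Expand the four 16-bit key words K^0..K^3 (least-significant word first) to 32 round keys."""
    k = list(key_words)
    for i in range(4, ROUNDS):
        t = ror(k[i - 1], 3) ^ k[i - 3]          # T = K^{i-3} ^ (K^{i-1} >>> 3)
        t ^= ror(t, 1)                            # T ^ (T >>> 1)
        k.append(k[i - 4] ^ t ^ C ^ int(Z0[(i - 4) % 62]))
    return k


def encrypt(left, right, round_keys):
    """Encrypt the state (L^0, R^0); returns (L^r, R^r) after len(round_keys) rounds."""
    for rk in round_keys:
        left, right = right ^ f(left) ^ rk, left
    return left, right


def decrypt(left, right, round_keys):
    """Invert encrypt(): undo the swap, then the XOR of f and the round key."""
    for rk in reversed(round_keys):
        left, right = right, left ^ f(right) ^ rk
    return left, right


# Official Simon32/64 test vector from the specification [3]:
# key 1918 1110 0908 0100 (listed as K^3 .. K^0), plaintext 6565 6877, ciphertext c69b e9bb.
TEST_KEY = (0x0100, 0x0908, 0x1110, 0x1918)
TEST_PT = (0x6565, 0x6877)
TEST_CT = (0xC69B, 0xE9BB)


def selftest():
    """True iff the implementation matches the official test vector in both directions."""
    rk = key_schedule(TEST_KEY)
    return encrypt(*TEST_PT, rk) == TEST_CT and decrypt(*TEST_CT, rk) == TEST_PT


if __name__ == "__main__":
    print("test vector ok:", selftest())
```

Passing only a prefix of the round keys to `encrypt` gives the round-reduced variants attacked below, e.g. `key_schedule(key)[:12]` for 12-round Simon32/64.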

2.1 General Observations on Simon

Coming up, we discuss a few observations on Simon which are relevant for differential cryptanalysis [8]. First of all, we recall a general, well-known property of the logical AND:

Property 1 (Absorption of Logical AND). Let X, X′, Y, Z, Z′ ∈ {0,1}^n with Z = X ∧ Y and Z′ = X′ ∧ Y, where ∧ denotes the bit-wise logical AND. Say that we have an input difference ∆X = X ⊕ X′ and an output difference ∆Z = Z ⊕ Z′. Further, let ∆X_i = 1 denote that the i-th bit of ∆X is active, and let Y_i denote the i-th bit of Y. Then, for an active bit ∆X_i = 1, we have ∆Z_i = 1 iff Y_i = 1. Hence, if we can assume that the bit value of Y is random, we say that the AND operation absorbs an active bit with probability 1/2.

From Property 1 follows for Simon:

Property 2 (Absorption in Simon). Due to the rotations by one and eight positions to the left that feed the AND in the round function of Simon, a single active bit ∆L_i appears at position i+1 of the first AND operand and at position i+8 of the second (indices mod n). The AND absorbs both iff L_{(i+7) mod n} = L_{(i−7) mod n} = 0, which happens with probability 2^{−2}; the third rotation, by two positions, feeds the XOR directly and always moves the active bit to position i+2. Moreover, since the round transformation consists only of AND, rotations, and XORs, no carry bits can ever occur (this is a major difference compared to other A(ddition)RX-based designs like BLAKE, Salsa20, or Threefish [1,4,11]). Thus, the difference propagation in Simon is independent of the absolute positions of the active bits in the input and output difference; only their relative positions matter. Based on this, we define Property 3, which we call rotational invariance:

Property 3 (Rotational Invariance of Differential Characteristics). Assume we are given a differential characteristic

  ∆_in --(p)--> ∆_out over E,

which holds with probability p over the cipher E. Then, for any j ∈ [0, n−1], it also holds that

  (∆_in ≪ j) --(p)--> (∆_out ≪ j) over E,

where ≪ j rotates both halves of the difference by j positions. In our case, the cipher E denotes full or partial Simon.

2.2 Observations on Our Chosen Differential Characteristics

For our differential characteristics, we use Property 2 in a repeated fashion: in every round, we assume that all active bits in ∆L^i are absorbed by the AND operation. Considering a single round, this event occurs with probability p = 2^{−2b}, where b denotes the number of active bits in ∆L^i. Tables 6 and 7 (see Appendix A) list the characteristics we use for all versions of Simon in detail. For each of them, we started from a difference with a single active bit in the middle and propagated it towards start and end. Note that the characteristics listed in the tables are only exemplary; due to Property 3, one can use any rotated version of them with equal probability. Moreover, there are three interesting observations regarding their high regularity:

Property 4 (Point-Symmetry). Our characteristics propagate somewhat "point-symmetrically" around the starting difference. More formally, when starting from a difference ∆^r = (∆L^r, ∆R^r) at some round r and propagating s rounds in forward and s rounds in backward direction, one obtains

  (∆L^s, ∆R^s) <--(p, s rounds)-- (∆L^r, ∆R^r) --(p, s rounds)--> (∆R^s, ∆L^s),

i.e., the difference s rounds before ∆^r is the swapped version of the difference s rounds after it, with the same probability p. Note that Property 4 is due to, first, the Feistel structure of the cipher and, second, the fact that the round transformation does not possess additions.

Property 5 (Cycles). Our characteristics are cyclic, i.e., one obtains

  ∆^i --(p, r rounds)--> ∆^{i+r} --(p, r rounds)--> ∆^{i+2r} --> ...

For instance, the following characteristic holds for Simon32/64:

  (∆_14, ∆_{0,8,12}) --(2^{−10}, 5 rounds)--> (∆_8, 0) --(2^{−10}, 4 rounds)--> (∆_{0,8,12}, ∆_14)
    --(2^{−16}, 3 rounds)--> (∆_6, ∆_{0,4,8}) --(2^{−10}, 5 rounds)--> (∆_0, 0) --(2^{−10}, 4 rounds)--> (∆_{0,4,8}, ∆_6)
    --(2^{−16}, 3 rounds)--> (∆_14, ∆_{0,8,12}),

which could be iterated arbitrarily often for any chosen start and end rounds. This is probably the most interesting property of our characteristics. However, we did not see a good way of exploiting this property for attacks in the single-key model, since even a single complete cycle (24 rounds in the example above) already has a probability of p = 2^{−72} ≪ 2^{−2n}. Thus, our attacks use only fractions of cycles.

Property 6 (Branches). Let δ : ∆^s → ∆^i → ∆^j → ∆^r denote a differential characteristic from Round s to Round r which includes a characteristic over the rounds i to j (s < i < j < r). We say that δ possesses a branch iff there exists a characteristic ∆^s → ∆̂^i → ∆̂^j → ∆^r with ∆^i ≠ ∆̂^i and/or ∆^j ≠ ∆̂^j.

During our studies, we found that almost all of our proposed characteristics possess branches which diverge and merge after a few rounds. For instance, considering Simon32/64, there are four characteristics ∆^2 → ∆^5 with probabilities 2^{−8}, 2^{−10}, 2^{−10}, and 2^{−12}, respectively:

  (∆_{8,12}, ∆_14) --(2^{−4})--> (∆_10, ∆_{8,12})     --(2^{−2})--> (∆_8, ∆_10)     --(2^{−2})--> (0, ∆_8)
  (∆_{8,12}, ∆_14) --(2^{−4})--> (∆_{0,10}, ∆_{8,12})   --(2^{−4})--> (∆_8, ∆_{0,10})   --(2^{−2})--> (0, ∆_8)
  (∆_{8,12}, ∆_14) --(2^{−4})--> (∆_{9,10}, ∆_{8,12})   --(2^{−4})--> (∆_8, ∆_{9,10})   --(2^{−2})--> (0, ∆_8)
  (∆_{8,12}, ∆_14) --(2^{−4})--> (∆_{0,9,10}, ∆_{8,12}) --(2^{−6})--> (∆_8, ∆_{0,9,10}) --(2^{−2})--> (0, ∆_8).

If we assume that all partial characteristics are independent of each other, we obtain a probability of p = 2^{−8} + 2^{−10} + 2^{−10} + 2^{−12} ≈ 2^{−7.36} for the differential ∆^2 → ∆^5. Similarly, there are four characteristics ∆^6 → ∆^9, again with probabilities 2^{−8}, 2^{−10}, 2^{−10}, and 2^{−12}, respectively. Note that while our characteristics are point-symmetric, their branches usually are not. All in all, the probability of our plain characteristic over 10 rounds of Simon32/64,

  ∆^0 --(2^{−2})--> ∆^2 --(2^{−8})--> ∆^5 --(1)--> ∆^6 --(2^{−8})--> ∆^9 --(2^{−2})--> ∆^10,

increases from 2^{−20} to approximately 2^{−18.72} when including branches:

  ∆^0 --(2^{−2})--> ∆^2 --(2^{−7.36})--> ∆^5 --(1)--> ∆^6 --(2^{−7.36})--> ∆^9 --(2^{−2})--> ∆^10.

We could also find branches for further versions of Simon. Those which contribute significantly to the probability are described in brief in the following. A more detailed depiction can be seen in Appendix B.

Simon48/k. There are five paths over ∆^4 → ∆^7 (with probabilities 2^{−8}, 2^{−10}, 2^{−10}, 2^{−10}, and 2^{−12}) and four paths over ∆^10 → ∆^13 (with probabilities 2^{−12}, 2^{−14}, 2^{−14}, and 2^{−16}). Thus, the probability of our characteristic increases from 2^{−40} to 2^{−38.5}.

Simon64/k. There are four paths over ∆^9 → ∆^12 (with probabilities 2^{−8}, 2^{−10}, 2^{−10}, and 2^{−12}), as well as three paths over ∆^13 → ∆^16 (with probabilities 2^{−16}, 2^{−18}, and 2^{−20}), which yield a cumulative probability of 2^{−53} instead of 2^{−54} for the characteristic of this version.

Simon96/k. We could not find branches with relevant probability for this version. Thus, the probability of our characteristic remains 2^{−84}.

Simon128/k. There are four paths over ∆^11 → ∆^14 (with probabilities 2^{−8}, 2^{−10}, 2^{−10}, and 2^{−12}), which increase the probability of our characteristic from 2^{−110} to 2^{−109.36}.
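To check Properties 2, 3 and the branch probability of this section empirically, here is an added example (not code from the paper) that implements only the Simon32/64 round function f from the specification [3] and (i) verifies the absorption rule of Property 2 exhaustively over all 2^16 values of L for a few bit positions, (ii) estimates the probability of the three-round transition ∆^2 = (∆_{8,12}, ∆_14) → ∆^5 = (0, ∆_8) on random states under random, fixed round keys while recording which intermediate ∆L^3 the successful pairs took, and (iii) repeats the estimate for the same differences rotated by four bits (Property 3). The helper names (`bits`, `transition_probability`, `rotate_pair`), the seeds and the trial count are this example's choices.

```python
"""Empirical checks of Properties 2, 3 and 6 on Simon32/64 (added example)."""
import math
import random

N = 16                       # word size of Simon32/64
MASK = (1 << N) - 1


def rol(x, r):
    """Rotate a 16-bit word left by r positions."""
    return ((x << r) | (x >> (N - r))) & MASK


def f(x):
    """Simon round function on the left half (specification [3])."""
    return (rol(x, 1) & rol(x, 8)) ^ rol(x, 2)


def bits(*positions):
    """Difference word with the given active bits, e.g. bits(8, 12) = ∆_{8,12}; indices mod 16."""
    d = 0
    for p in positions:
        d |= 1 << (p % N)
    return d


def absorption_rule_holds(positions=(0, 8, 14)):
    """Property 2, checked exhaustively over all 2^16 values of L for each listed bit i:
    f(L) ^ f(L ^ ∆_i) == ∆_{i+2} (the AND absorbed the bit) iff L_{i+7} = L_{i-7} = 0."""
    for i in positions:
        cond = bits(i + 7, i - 7)
        for x in range(1 << N):
            absorbed = (f(x) ^ f(x ^ bits(i))) == bits(i + 2)
            if absorbed != ((x & cond) == 0):
                return False
    return True


def rounds(left, right, keys):
    """Apply one Feistel round per round key: (L, R) -> (R ^ f(L) ^ K, L)."""
    for k in keys:
        left, right = right ^ f(left) ^ k, left
    return left, right


def transition_probability(delta_in, delta_out, nrounds, trials, seed=1):
    """Estimate Pr[delta_in -> delta_out over nrounds] on random states with random, fixed
    round keys. Also returns the set of left-half differences after the first of these
    rounds among the pairs that followed the differential (the branches of Property 6)."""
    rng = random.Random(seed)
    keys = [rng.getrandbits(N) for _ in range(nrounds)]
    hits, branches = 0, set()
    for _ in range(trials):
        l, r = rng.getrandbits(N), rng.getrandbits(N)
        l2, r2 = l ^ delta_in[0], r ^ delta_in[1]
        a, b = rounds(l, r, keys), rounds(l2, r2, keys)
        if (a[0] ^ b[0], a[1] ^ b[1]) == delta_out:
            hits += 1
            branches.add(rounds(l, r, keys[:1])[0] ^ rounds(l2, r2, keys[:1])[0])
    return hits / trials, branches


def rotate_pair(delta, j):
    """Property 3: rotate both halves of a difference by j positions."""
    return (rol(delta[0], j), rol(delta[1], j))


# Section 2.2: ∆^2 = (∆_{8,12}, ∆_14) -> ∆^5 = (0, ∆_8) over three rounds, paper: ≈ 2^-7.36
D2 = (bits(8, 12), bits(14))
D5 = (0, bits(8))
# the intermediate differences ∆L^3 of the four branches listed in the paper
BRANCHES = {bits(10), bits(0, 10), bits(9, 10), bits(0, 9, 10)}

if __name__ == "__main__":
    print("Property 2 holds exhaustively:", absorption_rule_holds())
    p, seen = transition_probability(D2, D5, 3, 1 << 16)
    print("Pr[∆^2 -> ∆^5] ≈ 2^%.2f, branches seen: %s" % (math.log2(p), sorted(map(hex, seen))))
    p4, _ = transition_probability(rotate_pair(D2, 4), rotate_pair(D5, 4), 3, 1 << 16, seed=2)
    print("same differences rotated by 4: ≈ 2^%.2f" % math.log2(p4))
```

Every pair that reaches (0, ∆_8) must pass through one of the four ∆L^3 values above (the AND fed by ∆_8 can only add active bits at positions 9 and 0), so the recorded branch set is a subset of BRANCHES; the measured probability lands close to the paper's 2^{−7.36}, and the rotated differences give the same estimate up to sampling noise.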

3 Differential Distinguishers on Simon

In the following, we propose very basic distinguishers on Simon where we append two rounds to the characteristic of each individual version. For space reasons, we describe only the attack on Simon32/64 in detail, since this version allows a simple practical verification. The attacks on the further variants are mostly straightforward; thus, we specify their complexities and list only the details in which the attacks on these differ from that on the smallest version.

For our attack on 12-round Simon32/64, we use the 10-round differential characteristic listed in Table 6 (see Appendix A) over the first 10 rounds:

  ∆^0 = (∆_{0,8,12}, ∆_{2,10}) --(2^{−18.72}, rounds 1–10)--> (∆_{0,8,12}, ∆_14) = ∆^10.

The adversary (or A, hereafter) can append two further rounds, yielding the truncated differential (∆L^10, ∆R^10) → (∆L^12, ∆R^12), with

  (∆L^10, ∆R^10) = (∆_{0,8,12}, ∆_14),
  (∆L^11, ∆R^11) = (∆_{2,10,[0,1,4,8,9,13]}, ∆_{0,8,12}),
  (∆L^12, ∆R^12) = (∆_{4,[0−3,5,6,8−12,14,15]}, ∆_{2,10,[0,1,4,8,9,13]}),

where the bits at the positions in square brackets are unknown.

Attack Procedure. In order to obtain a sufficient number of correct pairs later, the adversary first chooses 2^23 plaintext pairs (P_i, P_i′) with the input difference ∆^0. There, it fixes six bits of the left part of P_i and P_i′, L^0_{1,3,5,7,9,15}, to '0', so that the result of the AND operation in the first round always produces a zero difference. Hence, A obtains the desired difference after the first round with probability 1. For all of its chosen plaintext pairs, the adversary requests the corresponding ciphertexts (C_i, C_i′) from an encryption oracle. The task is then to identify the correct pairs by inverting the final round. Since the final round only copies L^11 into R^12, A can instantly read L^11 and L′^11 off the ciphertexts, and since the round key cancels in the difference, it can also compute ∆R^11 = ∆L^12 ⊕ f(L^11) ⊕ f(L′^11) without any key material. At this point, the adversary has knowledge about 26 bits that can be used to filter out false pairs: these include the 10 known bits ∆L^11_{2,3,5−7,10−12,14,15} (those not in the square brackets above) and the full 16 bits of ∆R^11. The probability that those 26 bits of ∆^11 are equal to the expected difference by chance is 2^{−26}. Hence, for a random permutation, more than three pairs that satisfy ∆^11 occur only with probability

  Pr[false real] := 1 − Pr_Poisson[n = 2^23, p = 2^{−26}, x ≤ 3] ≈ 9.21 · 10^{−6}.

On the other hand, the probability that no more than three correct pairs occur when using Simon is

  Pr[false random] := Pr_Poisson[n = 2^23, p = 2^{−18.72}, x ≤ 3] ≈ 5.23 · 10^{−6}.

We call this number of three correct pairs the threshold, hereafter. As a result, the error probability of A is close to 0 when it outputs "real" if at least four correct pairs occur, and "random" otherwise.

Attack Complexity. The shown attack requires 2^24 chosen plaintexts. The computational cost for the encryption phase and the filtering phase is given by the 2^24 full encryptions that have to be performed by the encryption oracle; the one-round inversion per pair is negligible in comparison. The memory requirement is negligible, since one has to store only the current pair at a time and a small counter. We can apply a similar argumentation for distinguishers on the further versions of Simon, where we use the characteristics from Tables 6 and 7 over the first rounds and append two rounds to each. The parameters of our distinguishers with the error probabilities of the adversary are summarized in Table 3.

State  Key   Rds.  Pr[diff.]   Prs.    Known  Thresh.  Pr[false real]  Pr[false random]
size   size                            bits   prs.
32     64    12    2^-18.72    2^24    26     > 4      9.21 · 10^-6    5.23 · 10^-6
48     all   16    2^-38.5     2^44    42     > 8      2.14 · 10^-2    2.20 · 10^-2
64     all   19    2^-53       2^59    56     > 16     3.72 · 10^-3    1.39 · 10^-3
96     all   24    2^-84       2^88    86     > 8      2.14 · 10^-2    2.20 · 10^-2
128    all   28    2^-109.36   2^114   118    > 3      5.98 · 10^-7    4.37 · 10^-8

Table 3. Parameters of our distinguisher attacks on the versions of Simon2n/k. Rds. = rounds, Prs. = pairs.

4 Key-Recovery Attacks on Simon

We can extend our basic 12-round distinguisher above to 14 rounds by guessing some key bits in the additional rounds. To mount this attack on Simon32/64, we apply our 10-round differential characteristic as we did before. However, this time we use it to cover the last ten rounds, i.e., rounds 5–14:

  ∆^4 = (∆_14, ∆_{0,8,12}) --(2^{−18.72}, 10 rounds)--> (∆_{2,10}, ∆_{0,8,12}) = ∆^14.

This way, we can later guess key bits from the first rounds, which directly provide us with information about the secret key. Over Round 4, we prepend one truncated round to the differential, where we require that the AND operation in Round 4 produces no difference at the bit positions 0, 4, 8, and 13 (so that the bits ∆R^3_{0,4,8,13} are inactive, while bits 1 and 9 of ∆R^3 are left unknown), which happens with probability 2^{−4}:

  ∆^3 = (∆_{0,8,12}, ∆_{2,10,[1,9]}) --(2^{−4}, 1 round)--> (∆_14, ∆_{0,8,12}) = ∆^4.

We prepend three further rounds at the beginning of the cipher, yielding the truncated differential

  (∆L^0, ∆R^0) --(2^{−22.72}, 14 rounds)--> (∆L^14, ∆R^14),

with

  (∆L^2, ∆R^2) = (∆_{2,10,[1,9]}, ∆_{0,4,8,[1−3,9−11]}),
  (∆L^1, ∆R^1) = (∆_{0,4,8,[1−3,9−11]}, ∆_{6,[0−5,8−13]}),
  (∆L^0, ∆R^0) = (∆_{6,[0−5,8−13]}, ∆_{[0−15]}).

Attack Procedure. This time, A chooses 2^28 ciphertext pairs (C_i, C_i′) with the difference ∆^14. At the beginning, it can fix the six bits R^14_{1,3,5,7,9,15} to '0', so that the AND operation of the last round always produces a zero difference. Note that in order to generate more than 2^26 texts, the adversary can set combinations of the bits R^14_{1,3,5,7,9,15} to '1' and adapt the difference in ∆L^14 s.t. it still obtains the desired difference ∆^13 after the decryption of Round 14. The full attack procedure can be split into a collection phase, a first filtering phase, and a second filtering phase. The steps for the collection phase are:

1. Choose 2^28 pairs (C_i, C_i′) with C_i ⊕ C_i′ = ∆^14.
2. Collect the corresponding plaintext pairs (P_i, P_i′), where P_i = E_K^{−1}(C_i) and P_i′ = E_K^{−1}(C_i′).

Those for the first filtering phase are as follows:

3. For all plaintext pairs, encrypt the first round and derive ∆^1 (this needs no key guess, since the round key K^0 is XORed into both texts and cancels in the difference). Store all pairs (P_i, P_i′) that have the correct difference at the known bits ∆L^1_{0,4−8,12−15} and ∆R^1_{6,7,14,15} in a list P. Since there are 14 known bits, A can, on average, reduce the number of pairs to 2^{28−14} = 2^14.
4. For all combinations K of the round-key bits K^0_{0−4,7−13,15} and K^1_{0−3,8−11} (21 bits in total):
   4.1 Initialize count ← 0.
   4.2 For all pairs (P_i, P_i′) ∈ P: partially encrypt (P_i, P_i′) to the state after Round 3 and derive ∆^3. If the 30 known bits of ∆^3 match the expected ones, increment count.
   4.3 If count > 11, output "real". Additionally, one can output the current key as a key candidate, and/or the list of pairs which led the current counter to be incremented as potentially correct pairs.
5. Output "random".

The attack works for the following reason. The probability of a pair to follow our differential is 2^{−22.72}. Hence, the probability that no more than 11 correct pairs occur when using Simon can be approximated by

  Pr[false random] := Pr_Poisson[n = 2^28, p = 2^{−22.72}, x ≤ 11] ≈ 1.40 · 10^{−7}.

It remains to clarify the probability of a false "real" decision. The probability that a pair produces the 30 known bits of ∆^3 by chance can be assumed to be 2^{−30}. Then, for one specific value of the guessed key bits, the probability that more than 11 false-positive pairs occur is

  1 − Pr_Poisson[n = 2^28, p = 2^{−30}, x ≤ 11] ≈ 2^{−53.38}.

Since A guesses 21 key bits, the probability that any key candidate produces more than 11 false-positive pairs is about

  Pr[false real] := 1 − Pr_Poisson[n = 2^21, p = 2^{−53.38}, x ≤ 0] ≈ 4.59 · 10^{−8}.

Concluding, the error probability of A is very close to 0 if it interprets a key candidate as the secret key when it finds at least 12 pairs that satisfy ∆^3.
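The Poisson estimates used for the 12-round distinguisher of Section 3 and for the key-guessing filter above, as an added example (not code from the paper): `decision_errors` takes the number of pairs, the probability of the differential, the number of known filter bits and the threshold, and returns Pr[false real] and Pr[false random]. For the distinguisher (n = 2^23, p = 2^{−18.72}, 26 known bits, threshold 3) it reproduces 9.21 · 10^{−6} and 5.23 · 10^{−6}; for the key-recovery filter (n = 2^28, p = 2^{−22.72}, 30 known bits, threshold 11) the first return value is the per-key false-positive rate, which is near 2^{−53} and therefore far below the resolution of `1 - cdf` in double precision, so the upper tail is summed directly. The function names are this example's own.

```python
"""Poisson decision-error probabilities for the distinguisher and the key filter (added example)."""
import math


def poisson_pmf(lam, j):
    """Pr[X = j] for X ~ Poisson(lam), evaluated in log space to avoid overflow."""
    return math.exp(-lam + j * math.log(lam) - math.lgamma(j + 1))


def poisson_cdf(lam, k):
    """Pr[X <= k]."""
    return sum(poisson_pmf(lam, j) for j in range(k + 1))


def poisson_tail(lam, k):
    """Pr[X > k]. Above the mean, sum the pmf upward until the terms vanish, which avoids the
    catastrophic cancellation of 1 - cdf when the tail is around 1e-16 or smaller."""
    if k < lam:
        return 1.0 - poisson_cdf(lam, k)
    total, j = 0.0, k + 1
    while True:
        term = poisson_pmf(lam, j)
        total += term
        if term < total * 1e-17:
            return total
        j += 1


def decision_errors(log2_pairs, log2_p, known_bits, threshold):
    """(Pr[false real], Pr[false random]) for n = 2^log2_pairs pairs, a differential of
    probability 2^log2_p, `known_bits` filter bits and the rule 'real iff > threshold pairs'."""
    n = 2.0 ** log2_pairs
    lam_real = n * 2.0 ** log2_p          # expected correct pairs from the real cipher
    lam_rand = n * 2.0 ** (-known_bits)   # expected chance matches of a random permutation
    return poisson_tail(lam_rand, threshold), poisson_cdf(lam_real, threshold)


if __name__ == "__main__":
    fr, frnd = decision_errors(23, -18.72, 26, 3)
    print("12-round distinguisher: Pr[false real] = %.2e, Pr[false random] = %.2e" % (fr, frnd))
    per_key, frnd_kr = decision_errors(28, -22.72, 30, 11)
    print("14-round key recovery: Pr[false random] = %.2e, per-key false positive = 2^%.2f"
          % (frnd_kr, math.log2(per_key)))
    print("any of 2^21 key candidates false positive: %.2e" % (1.0 - math.exp(-2.0 ** 21 * per_key)))
```

The same call with the parameters from Table 3 or Table 4 gives the corresponding rows; only the Simon32/64 numbers are reproduced here.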

Second Filtering Phase. After the first filtering step, the adversary has obtained 21 bits of the secret key. At this point, a trivial brute-force search could easily find the rest of the key with 2^{64−21} = 2^43 partial encryptions. While this would result in a valid attack, this step would dominate the total attack complexity. To effectively reduce the effort of finding the remaining key bits, we can instead exploit Property 3 (see Section 2). Recall that, given a characteristic

  ∆_in --(p)--> ∆_out over E,

it also holds that

  (∆_in ≪ j) --(p)--> (∆_out ≪ j) over E.

Thus, the adversary can actually run the attack procedure above twice, but in the second run it can use a version of our characteristic rotated by four bits in either direction. This time, it has to choose ciphertext pairs with the difference ∆^14 ≪ 4, where it considers the key bits K^0_{0,1,3,4−8,11−15} and K^1_{4−7,12−15} (the positions of the first run rotated by four). With the same argumentation as above, A will most likely identify the correct values of these key bits. Together with the key bits K^0_{0−4,7−13,15} and K^1_{0−3,8−11} recovered in the first run, the adversary obtains the full round keys K^0 and K^1 with only double the effort, which is significantly lower than the 2^43 encryptions of a trivial brute-force search.

Attack Complexity. Let us first discuss the complexity of a single run of the attack. Considering the data complexity, the adversary requires 2^29 chosen ciphertexts. Concerning the memory complexity, A can store either a list of counters, one for each of the 2^21 key candidates, or the list of all surviving pairs. Since one can quickly reduce the plaintext pairs to 2^14 by testing ∆^1, the requirements for the latter are smaller. Concluding, the attack needs memory for 2 · 2^14 texts of 32 bits each, which is equivalent to 2^17 bytes. The computational effort for the collection phase, C_texts, is equivalent to 2^29 full decryptions performed by the oracle. The filtering effort can be split into two phases: we denote by C_1st filter the cost of 2^29 one-round encryptions to check the 14 bits of ∆^1, and by C_2nd filter the effort of the key-guessing phase, wherein the adversary encrypts the remaining pairs for each of the 2^21 key candidates over the first three rounds. In total, the complexity of a single run can be approximated by

  C_texts + C_1st filter + C_2nd filter = 2 · 2^28 + 2 · 2^28 · (1/14) + 2 · 2^14 · 2^21 · (3/14) ≈ 2^34 encryptions.

For an attack with two runs, the data complexity increases slightly. Note that the adversary can recycle at least one half of the texts from the first run, and only has to collect 2^28 new texts to build the pairs of the second run. Thus, the data complexity becomes 3 · 2^28 ≈ 2^29.6 chosen ciphertexts. In addition, the decryption of 2^28 texts as well as the one-round encryption of 2^28 pairs has to be carried out three times for two runs instead of two times for a single run. However, the second filtering step has to be carried out in full for the second run, since the key bits in the second run differ from those used in the first one. The total time complexity, including the brute-force phase to identify K^2 and K^3, is then given by

  C_texts + C_1st filter + C_2nd filter + C_brute-force = 3 · 2^28 + 3 · 2^28 · (1/14) + 2 · 2 · 2^14 · 2^21 · (3/14) + 2^32 ≈ 2^35 encryptions.

We can apply the same strategy to the further versions of Simon. Table 4 summarizes the probabilities, required number of pairs, known bits and threshold pairs for each attack. The detailed complexities can be found in Table 1.

State  Key   Rds.  Pr[diff.]   Prs.    Known bits  Known bits  Key   Thresh.
size   size                            at ∆^1      at ∆^3      bits  prs.
32     64    14    2^-22.72    2^28    14          30          21    > 11
48     all   18    2^-38.5     2^44    13          42          35    > 28
64     all   21    2^-53       2^58    34          62          32    > 8
96     all   26    2^-88       2^93    51          92          47    > 21
128    all   31    2^-117.36   2^123   77          122         56    > 21

Table 4. Parameters of our key-recovery attacks on the versions of Simon2n/k. Rds. = rounds, Prs. = pairs.

5 Impossible-Differential Attacks on Simon

We had a look at further differential attacks, including impossible differentials. In contrast to conventional differential cryptanalysis, where the adversary searches for characteristics with a preferably high probability, impossible-differential attacks use characteristics with probability zero to reduce the key space. The technique was first shown independently by Biham, Biryukov, and Shamir in 1998 [6] to attack the NSA cipher Skipjack, and by Knudsen [16] to analyze 6 rounds of his AES proposal DEAL.

5.1 Impossible-Differential Cryptanalysis

In an attack, an adversary splits a given cipher E = E_4 ∘ E_3 ∘ E_2 ∘ E_1 and searches for a characteristic

  ∆_in --(p_in, E_1)--> ∆_x --(1, E_2)--> ∆_x′  ≠  ∆_y′ <--(1, E_3^{−1})-- ∆_y <--(p_out, E_4^{−1})-- ∆_out,

i.e., a difference ∆_x that propagates over E_2 with probability 1 to a (truncated) difference ∆_x′ which contradicts the difference ∆_y′ obtained from ∆_y by decrypting over E_3. Next, it chooses a set of plaintext pairs with difference ∆_in (or ciphertext pairs with difference ∆_out) and collects the corresponding ciphertext pairs from an oracle, where it keeps only those that satisfy ∆_out (or plaintext pairs that satisfy ∆_in, respectively). In the following, let K_in denote those key bits which affect the characteristic ∆_in → ∆_x, and let K_out denote those key bits which affect the characteristic ∆_y ← ∆_out. For all possible values of K_in ∪ K_out, A partially encrypts all remaining pairs over E_1 and decrypts them over E_4. If, for a given key value, there is at least one pair that has ∆_x after E_1 and ∆_y after the inverse of E_4, then the differential path over E_3 ∘ E_2 is impossible, and A can discard the current key value. This way, the key space can be filtered effectively. Note that for Simon, we do not need to consider K_out, since the key words in K_in already provide us with the secret key.

Remark 1. We must point out that the number of rounds of the characteristic ∆_in → ∆_x is limited (and so is that of ∆_y ← ∆_out), since each value of the key bits K_in ∪ K_out is used to encrypt a potentially high number of pairs. Obviously, this effort must not exceed that of exhaustive search, or, formally written,

  |K_in ∪ K_out| · |P_avg| ≪ 2^k,

where |K_in ∪ K_out| denotes the number of possible values of the guessed key bits and |P_avg| the average number of pairs that have to be en-/decrypted with one non-correct key value to obtain the impossible differential. For Simon, the length of E_1 is limited to the first four rounds when the secret key consists of three words, and to the first five rounds when it consists of four words. For the smallest variant, Simon32/64, this is not a problem; concerning the larger versions, this significantly affects the maximal number of rounds we can attack. Thus, only for Simon32/64 does our impossible-differential attack come close to our conventional key-recovery attack in the number of covered rounds (13 vs. 14, cf. Table 1), and hence it is the one described in this section. The characteristics used in our attacks on the further versions of Simon are listed in Table 5 in Appendix C.

5.2 Impossible-Differential Attack on Simon32/64

For this attack, we denote by E = E_3 ∘ E_2 ∘ E_1 a version of Simon32/64 that is reduced to the rounds 1–13, where E_1 denotes rounds 1–5, E_2 rounds 6–11, and E_3 rounds 12 and 13. A uses the following characteristic:

  ∆_in = (∆_{0,4,8}, ∆_{2,10}) --(p_in = 2^{−10}, E_1)--> ∆_x = (0, ∆_0) --(1, E_2)--> ∆_x′ = (∆_{[0−15]}, ∆_{8,[0,2−7,9−15]})
    ≠ ∆_y′ = (∆_{[1−5,9−15]}, ∆_{[0−7,9−15]}) <--(1, E_3^{−1})-- ∆_out = (∆_{[1−5,9−15]}, ∆_{[1−3,9−13]}).

The contradiction sits in bit 8 of the right half: it is active in ∆_x′ but inactive in ∆_y′. Note that ∆_in, as above, would require that the six bits L^0_{1,7,9,11,13,15} = 0, which restricts the plaintext space to 2^26 values. Again, to collect enough pairs, A can also set bits of L^0_{1,7,9,11,13,15} to 1 and adapt the difference in the right part of ∆_in s.t. the difference after the first round is still (∆_6, ∆_{0,4,8}).

Attack Procedure. We can split the attack into two parts, a collection and a filtering step. The collection phase can be written as:

1. Initialize an empty set P = ∅.
2. Collect 2^29 plaintext pairs (P_i, P_i′) with P_i ⊕ P_i′ = ∆_in and obtain the corresponding ciphertext pairs (C_i, C_i′) from an encryption oracle.

Thereupon, A performs the filtering phase as follows:

3. Store all tuples (P_i, P_i′) for which the corresponding ciphertexts C_i, C_i′ satisfy C_i ⊕ C_i′ = ∆_out in P. Since there are 2^29 pairs and only 12 bits of ∆_out are specified, A can expect 2^29 · 2^{−12} = 2^17 pairs which satisfy our characteristic.
4. In the following, let K = K^0 ‖ K^1 ‖ K^2_{1,5,6,7,8,9,11,15} ‖ K^3_{7,9}. For all possible values of K:
   – For each tuple (P_i, P_i′) ∈ P: encrypt S_i = E_1(K, P_i) and S_i′ = E_1(K, P_i′). If S_i ⊕ S_i′ = ∆_x, then discard the current value of K and proceed with the next one.

The probability that a value K survives the test for one plaintext pair is (1 − 2^{−10}), and the probability to survive all pairs is (1 − 2^{−10})^{2^17} ≈ 2^{−184}. Thus, even taken over all 2^64 keys, the probability that a false-positive key survives is at most 2^64 · 2^{−184} = 2^{−120}, which leads us to the claim that A will find the correct value of K after the filtering procedure.

Attack Complexity. The data complexity is given by 2^30 chosen plaintexts. The adversary needs memory to store 2^17 pairs on average, which is equivalent to 2^18 texts of 32 bits, i.e., 2^20 bytes. Like in our previous attacks, the computational complexity consists of several substeps that have to be considered. The cost for collecting 2^29 pairs is given by 2^30 encryptions. A then tests the keys K = K^0 ‖ K^1 ‖ K^2_{1,5,6,7,8,9,11,15} ‖ K^3_{7,9} by encrypting a number of pairs over five rounds. Note that these 16 + 16 + 8 + 2 = 42 key bits are derived from the fact that only these bits affect ∆^5 = ∆_x. Still, we are interested in the number of pairs |P_avg| that A has to encrypt in order to find one that satisfies ∆_x. Therefore, we require p = 1 − (1 − 2^{−10})^{|P_avg|} ≥ 0.5. Using simple calculus, we find

  |P_avg| = ⌈ log(0.5) / log(1 − 2^{−10}) ⌉ = 710 pairs (711 texts).

Summing up, the effort for the filtering phase can be estimated by 2^42 · 711 · (5/13) ≈ 2^50.1 full encryptions. Afterwards, A will find the correct value of the 42 bits of K with overwhelming probability, and can test all 2^22 candidates for the remaining key bits via exhaustive search. Thus, the total complexity is given by

  C_time = 2^30 + 2^42 · 711 · (5/13) + 2^22 ≈ 2^50.1 encryptions.
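The three quantities of this section, |P_avg|, the survival filter (1 − p_in)^{|P|} and C_time, computed as an added example (not code from the paper); the function names are this example's own. The Simon96/144 row of Table 5 (p_in = 2^{−8}, |P| = 2^15) is obtained from the same functions.

```python
"""Parameter computations for the impossible-differential attack of Section 5.2 (added example)."""
import math


def pairs_until_hit(p_in, confidence=0.5):
    """Smallest |P_avg| with 1 - (1 - p_in)^|P_avg| >= confidence, i.e. enough pairs that a
    wrong key is exposed by the impossible differential with probability >= confidence."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p_in))


def log2_wrong_key_survival(p_in, log2_pairs):
    """log2 of (1 - p_in)^|P|: the probability that a wrong key survives all |P| = 2^log2_pairs pairs."""
    return (2.0 ** log2_pairs) * math.log2(1.0 - p_in)


def log2_time(log2_texts, log2_key_bits, texts_per_key, rounds_e1, rounds_total, log2_rest):
    """log2 of C_time = collection + 2^|K_in| * texts_per_key * (rounds_e1 / rounds_total) + 2^rest,
    counting a partial encryption over E_1 as that fraction of a full encryption."""
    collect = 2.0 ** log2_texts
    filtering = 2.0 ** log2_key_bits * texts_per_key * rounds_e1 / rounds_total
    rest = 2.0 ** log2_rest
    return math.log2(collect + filtering + rest)


def simon32_64_parameters():
    """The Simon32/64 row of Table 5: (|P_avg|, log2 filter, log2 C_time) = (710, ≈ -184.8, ≈ 50.1)."""
    return (pairs_until_hit(2.0 ** -10),
            log2_wrong_key_survival(2.0 ** -10, 17),
            log2_time(30, 42, 711, 5, 13, 22))


if __name__ == "__main__":
    pairs, filt, t = simon32_64_parameters()
    print("Simon32/64: |P_avg| = %d, filter = 2^%.1f, C_time = 2^%.1f" % (pairs, filt, t))
    print("Simon96/144: |P_avg| = %d, filter = 2^%.1f"
          % (pairs_until_hit(2.0 ** -8), log2_wrong_key_survival(2.0 ** -8, 15)))
```

The filter for Simon32/64 evaluates to 2^{−184.8}, which the paper rounds to 2^{−184}; the Simon96/144 row gives 178 pairs and a filter of 2^{−185.0}, matching Table 5.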

Table 5 summarizes the parameters of our impossible-differential attacks on this and further versions of Simon. The differential trails used to mount them can be found in Appendix C. Note that, for example, one could easily add three or four more rounds to the impossible-differential attack on Simon128/256 by guessing some more subkey bits, thus reducing the effort for exhaustive search. But since this would not lead to an attack on more rounds than with the use of conventional differentials, we left the shorter attack as an easy-to-grasp example.

State  Key   Rounds     #Pairs  Known  |P|    p_in   |K_in|  Filter   |P_avg|
size   size  E1/E2/E3           bits
32     64    5/6/2      2^29    12     2^17   2^-10  42      2^-184   710
48     96    5/7/3      2^37    20     2^17   2^-10  44      2^-184   710
64     128   5/8/4      2^51    34     2^17   2^-10  57      2^-184   710
96     144   4/9/6      2^83    68     2^15   2^-8   33      2^-185   178
128    256   5/12/8     2^118   100    2^18   2^-10  61      2^-368   710

Table 5. Impossible-differential attacks on Simon. The filter results from (1 − p_in)^{|P|}.

5.3 Rotational Cryptanalysis

There are numerous further techniques exploiting differential properties of a cryptographic algorithm [7,14,18,20]. In addition to our attacks shown in the last sections, we further considered rotational cryptanalysis (see [15] and [17] for examples). There, instead of using texts with an XOR difference, an adversary collects pairs of texts $(x, \overleftarrow{x})$, where $\overleftarrow{x}$ is x rotated by a fixed value r. Note that this technique requires that also the round keys used for the encryption of x and $\overleftarrow{x}$ are rotated versions of each other. Thus, rotational cryptanalysis usually targets the less practical related-key model introduced by Biham [5]. Since the key schedule of Simon complicates rotational cryptanalysis, we did not get better results than using conventional differentials, e.g., about 13 to 14 rounds of Simon32/64. Thus, we do not describe the attack here.

6 Conclusion

In this work we presented differential-based distinguishers and key-recovery attacks on reduced-round versions of Simon. Furthermore, we briefly considered attacks based on impossible differentials. Since the round function of Simon only employs rotations, XOR, and AND, it allows one to construct comparably long differential characteristics. Moreover, the source of the vulnerability of Simon against differential cryptanalysis is obviously the lack of additions and of round-dependent, varying rotation amounts. Thus, each new attack on generalized ARX ciphers such as Threefish will be much more of a threat to the security of Simon and Speck. However, one positive security gain of both NSA constructions is the round-wise key addition and the simple, yet powerful key schedule, which protects very effectively against slide attacks, but also against meet-in-the-middle attacks over a reasonable number of rounds. Even though we considered only round-reduced variants of the Simon family of block ciphers, we are not fully convinced that the NSA constructions are actually mid-term-secure.

References

1. Jean-Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan. SHA-3 Proposal BLAKE. Submission to NIST (Round 3), 2010.
2. Ray Beaulieu, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, and Louis Wingers. Performance of the SIMON and SPECK Families of Lightweight Block Ciphers. Technical report, National Security Agency, May 2012.
3. Ray Beaulieu, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, and Louis Wingers. The SIMON and SPECK Families of Lightweight Block Ciphers. Cryptology ePrint Archive, Report 2013/404, 2013. http://eprint.iacr.org/.
4. Daniel J. Bernstein. The Salsa20 Family of Stream Ciphers. In The eSTREAM Finalists, pages 84–97. Springer, 2008.
5. Eli Biham. New Types of Cryptanalytic Attacks Using Related Keys. J. Cryptology, 7(4):229–246, 1994.
6. Eli Biham, Alex Biryukov, and Adi Shamir. Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials. In Jacques Stern, editor, EUROCRYPT, volume 1592 of Lecture Notes in Computer Science, pages 12–23. Springer, 1999.
7. Eli Biham, Orr Dunkelman, and Nathan Keller. The Rectangle Attack - Rectangling the Serpent. In Birgit Pfitzmann, editor, EUROCRYPT, volume 2045 of Lecture Notes in Computer Science, pages 340–357. Springer, 2001.
8. Eli Biham and Adi Shamir. Differential Cryptanalysis of DES-like Cryptosystems. In Alfred Menezes and Scott A. Vanstone, editors, CRYPTO, volume 537 of Lecture Notes in Computer Science, pages 2–21. Springer, 1990.
9. Andrey Bogdanov, Lars R. Knudsen, Gregor Leander, Christof Paar, Axel Poschmann, Matthew J. B. Robshaw, Yannick Seurin, and C. Vikkelsoe. PRESENT: An Ultra-Lightweight Block Cipher. In Pascal Paillier and Ingrid Verbauwhede, editors, CHES, volume 4727 of Lecture Notes in Computer Science, pages 450–466. Springer, 2007.
10. Christophe De Cannière, Orr Dunkelman, and Miroslav Knezevic. KATAN and KTANTAN - A Family of Small and Efficient Hardware-Oriented Block Ciphers. In CHES, pages 272–288, 2009.
11. Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker. The Skein Hash Function Family. Submission to NIST (Round 3), 2010.
12. Zheng Gong, Svetla Nikova, and Yee Wei Law. KLEIN: A New Family of Lightweight Block Ciphers. In Ari Juels and Christof Paar, editors, RFIDSec, volume 7055 of Lecture Notes in Computer Science, pages 1–18. Springer, 2011.
13. Jian Guo, Thomas Peyrin, Axel Poschmann, and Matthew J. B. Robshaw. The LED Block Cipher. In Bart Preneel and Tsuyoshi Takagi, editors, CHES, volume 6917 of Lecture Notes in Computer Science, pages 326–341. Springer, 2011.
14. Dmitry Khovratovich and Ivica Nikolić. Rotational Cryptanalysis of ARX. In Proceedings of the 17th International Conference on Fast Software Encryption, FSE'10, pages 333–346, Berlin, Heidelberg, 2010. Springer-Verlag.
15. Dmitry Khovratovich, Ivica Nikolić, and Christian Rechberger. Rotational Rebound Attacks on Reduced Skein. In Advances in Cryptology - ASIACRYPT 2010 - 16th International Conference on the Theory and Application of Cryptology and Information Security, pages 1–19, 2010.
16. Lars Knudsen. DEAL - A 128-bit Block Cipher. Technical report, Department of Informatics, University of Bergen, Norway, 1998.
17. Lars Knudsen, Krystian Matusiewicz, and Søren S. Thomsen. Observations on the Shabal Keyed Permutation, 2009.
18. Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. In Orr Dunkelman, editor, FSE, volume 5665 of Lecture Notes in Computer Science, pages 260–276. Springer, 2009.
19. Markku-Juhani O. Saarinen and Daniel Engels. A Do-It-All-Cipher for RFID: Design Requirements (Extended Abstract). Cryptology ePrint Archive, Report 2012/317, 2012. http://eprint.iacr.org/.
20. David Wagner. The Boomerang Attack. In Lars R. Knudsen, editor, FSE, volume 1636 of Lecture Notes in Computer Science, pages 156–170. Springer, 1999.

A Differential Characteristics for Simon2n/k

Rd.  Simon32/64                     Simon48/k                      Simon64/k
     ∆L_i      ∆R_i      ℓ          ∆L_i      ∆R_i      ℓ          ∆L_i         ∆R_i         ℓ
0    ∆0,8,12   ∆2,10     0          ∆0,8,12   ∆14       0          ∆30          ∆0,16,24,28  0
1    ∆14       ∆0,8,12   −2         ∆2,10     ∆0,8,12   −4         ∆16,24,28    ∆30          −6
2    ∆8,12     ∆14       −4         ∆0,4,8    ∆2,10     −6         ∆18,26       ∆16,24,28    −4
3    ∆10       ∆8,12     −2         ∆6        ∆0,4,8    −2         ∆16,20,24    ∆18,26       −6
4    ∆8        ∆10       −2         ∆0,4      ∆6        −4         ∆22          ∆16,20,24    −2
5    0         ∆8        0          ∆2        ∆0,4      −2         ∆16,20       ∆22          −4
6    ∆8        0         −2         ∆0        ∆2        −2         ∆18          ∆16,20       −2
7    ∆10       ∆8        −2         0         ∆0        0          ∆16          ∆18          −2
8    ∆8,12     ∆10       −4         ∆0        0         −2         0            ∆16          0
9    ∆14       ∆8,12     −2         ∆2        ∆0        −2         ∆16          0            −2
10   ∆0,8,12   ∆14                  ∆0,4      ∆2        −4         ∆18          ∆16          −2
11                                  ∆6        ∆0,4      −2         ∆16,20       ∆18          −4
12                                  ∆0,4,8    ∆6        −6         ∆22          ∆16,20       −2
13                                  ∆2,10     ∆0,4,8    −4         ∆16,20,24    ∆22          −6
14                                  ∆0,8,12   ∆2,10                ∆18,26       ∆16,20,24    −4
15                                                                 ∆16,24,28    ∆18,26       −6
16                                                                 ∆30          ∆16,24,28    −2
17                                                                 ∆0,16,24,28  ∆30
Σ                        −20                            −40                                  −54

Table 6. Differential characteristics for the smaller variants of Simon2n/k. ℓ denotes log2(Pr).

Round  Simon96/k                                   Simon128/k
       ∆L_i              ∆R_i              ℓ       ∆L_i              ∆R_i              ℓ
0      ∆24,28,32,40,44   ∆30,46            0       ∆32,40,44,48      ∆34,42,50         0
1      ∆26,34,42         ∆24,28,32,40,44   −6      ∆46               ∆32,40,44,48      −2
2      ∆24,32,36,40      ∆26,34,42         −8      ∆32,40,44         ∆46               −6
3      ∆38               ∆24,32,36,40      −2      ∆34,42            ∆32,40,44         −4
4      ∆24,32,36         ∆38               −6      ∆32,36,40         ∆34,42            −6
5      ∆26,34            ∆24,32,36         −4      ∆38               ∆32,36,40         −2
6      ∆24,28,32         ∆26,34            −6      ∆32,36            ∆38               −4
7      ∆30               ∆24,28,32         −2      ∆34               ∆32,36            −2
8      ∆24,28            ∆30               −4      ∆32               ∆34               −2
9      ∆26               ∆24,28            −2      0                 ∆32               0
10     ∆24               ∆26               −2      ∆32               0                 −2
11     0                 ∆24               0       ∆34               ∆32               −2
12     ∆24               0                 −2      ∆32,36            ∆34               −4
13     ∆26               ∆24               −2      ∆38               ∆32,36            −2
14     ∆24,28            ∆26               −4      ∆32,36,40         ∆38               −6
15     ∆30               ∆24,28            −2      ∆34,42            ∆32,36,40         −4
16     ∆24,28,32         ∆30               −6      ∆32,40,44         ∆34,42            −6
17     ∆26,34            ∆24,28,32         −4      ∆46               ∆32,40,44         −2
18     ∆24,32,36         ∆26,34            −6      ∆32,40,44,48      ∆46               −8
19     ∆38               ∆24,32,36         −2      ∆34,42,50         ∆32,40,44,48      −6
20     ∆24,32,36,40      ∆38               −8      ∆32,36,40,48,52   ∆34,42,50         −10
21     ∆26,34,42         ∆24,32,36,40      −6      ∆38,54            ∆32,36,40,48,52   −4
22     ∆24,28,32,40,44   ∆26,34,42                 ∆32,36,48,52,56   ∆38,54            −10
23                                                 ∆34,50,58         ∆32,36,48,52,56   −6
24                                                 ∆32,48,56,60      ∆34,50,58         −8
25                                                 ∆62               ∆32,48,56,60      −2
26                                                 ∆0,32,48,56,60    ∆62
Σ                                          −84                                         −110

Table 7. Differential characteristics for the larger variants of Simon2n/k. ℓ denotes log2(Pr).

B Branches of Differential Characteristics within Simon

Simon32/64. Considering Simon32/64, there are four paths over ∆6 → ∆9:

$$(\Delta_{8}, 0) \xrightarrow{2^{-2}} (\Delta_{10}, \Delta_{8}) \xrightarrow{2^{-2}} (\Delta_{8,12}, \Delta_{10}) \xrightarrow{2^{-4}} (\Delta_{14}, \Delta_{8,12})$$
$$(\Delta_{8}, 0) \xrightarrow{2^{-2}} (\Delta_{0,10}, \Delta_{8}) \xrightarrow{2^{-4}} (\Delta_{8,12}, \Delta_{0,10}) \xrightarrow{2^{-4}} (\Delta_{14}, \Delta_{8,12})$$
$$(\Delta_{8}, 0) \xrightarrow{2^{-2}} (\Delta_{9,10}, \Delta_{8}) \xrightarrow{2^{-4}} (\Delta_{8,12}, \Delta_{9,10}) \xrightarrow{2^{-4}} (\Delta_{14}, \Delta_{8,12})$$
$$(\Delta_{8}, 0) \xrightarrow{2^{-2}} (\Delta_{0,9,10}, \Delta_{8}) \xrightarrow{2^{-6}} (\Delta_{8,12}, \Delta_{0,9,10}) \xrightarrow{2^{-4}} (\Delta_{14}, \Delta_{8,12}).$$
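To check the branch probabilities above and the per-round costs ℓ of Table 6, here is an added Python example (not the paper's code) that enumerates the exact output-difference distribution of the Simon32 round function f(x) = (S^1(x) & S^8(x)) ⊕ S^2(x) over all 2^16 input words; the round key and the right word cancel in the difference, so this is the exact one-round probability. The four output differences of f for the input difference ∆8 are precisely the four branches listed above, and the transitions along rows 1 to 10 of the Simon32/64 column of Table 6 sum to 2^−20, the Σ entry of that column. Function and constant names are this example's own.

```python
"""Exact one-round differential probabilities of the Simon32 round function.

Added example (not code from the paper). One Simon round maps (L, R) to
(R ^ f(L) ^ k, L) with f(x) = (S^1(x) & S^8(x)) ^ S^2(x), so the difference
(dL, dR) -> (dL', dR') holds iff dR' == dL and f(x) ^ f(x ^ dL) == dL' ^ dR,
which can be counted over all 2^16 values of the left word x.
"""
from collections import Counter
from math import log2

N = 16                      # word size of Simon32
MASK = (1 << N) - 1


def rol(x, r):
    """Rotate an N-bit word left by r positions (S^r in the paper)."""
    return ((x << r) | (x >> (N - r))) & MASK


def f(x):
    """Simon round function on one word."""
    return (rol(x, 1) & rol(x, 8)) ^ rol(x, 2)


def delta(*bits):
    """Difference word with the given bit positions set (Delta_{a,b,...})."""
    d = 0
    for b in bits:
        d |= 1 << b
    return d


def output_differences(din):
    """Distribution of f(x) ^ f(x ^ din) over all x, as {dout: probability}."""
    counts = Counter(f(x) ^ f(x ^ din) for x in range(1 << N))
    return {dout: c / (1 << N) for dout, c in counts.items()}


def round_prob(state, nxt):
    """Exact probability of the one-round transition (dL, dR) -> (dL', dR')."""
    (dl, dr), (dl2, dr2) = state, nxt
    if dr2 != dl:            # the right word of the next state is the old left word
        return 0.0
    return output_differences(dl).get(dl2 ^ dr, 0.0)


def trail_log2(states):
    """Sum of log2 probabilities along consecutive round states (-inf if impossible)."""
    total = 0.0
    for cur, nxt in zip(states, states[1:]):
        p = round_prob(cur, nxt)
        if p == 0.0:
            return float("-inf")
        total += log2(p)
    return total


# Rows 1..10 of the Simon32/64 column of Table 6 as (dL_i, dR_i).
TABLE6_SIMON32 = [
    (delta(14), delta(0, 8, 12)),
    (delta(8, 12), delta(14)),
    (delta(10), delta(8, 12)),
    (delta(8), delta(10)),
    (0, delta(8)),
    (delta(8), 0),
    (delta(10), delta(8)),
    (delta(8, 12), delta(10)),
    (delta(14), delta(8, 12)),
    (delta(0, 8, 12), delta(14)),
]

if __name__ == "__main__":
    # The four branches of Appendix B all start with f applied to Delta_8.
    for dout, p in sorted(output_differences(delta(8)).items()):
        print(f"Delta_8 -> {dout:#06x} with probability 2^{log2(p):.0f}")
    print("Table 6, Simon32/64, rows 1..10: 2^%.0f" % trail_log2(TABLE6_SIMON32))
```

Because every AND output bit whose rotated inputs carry a difference is a fresh uniform bit, each enumeration returns probabilities that are exact powers of two, which is why the sum along the table is exactly −20 and not an approximation.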

Simon48/k. For Simon48/k, there are five paths over ∆4 → ∆7:

$$(\Delta_{0,4}, \Delta_{6}) \xrightarrow{2^{-4}} (\Delta_{2}, \Delta_{0,4}) \xrightarrow{2^{-2}} (\Delta_{0}, \Delta_{2}) \xrightarrow{2^{-2}} (0, \Delta_{0})$$
$$(\Delta_{0,4}, \Delta_{6}) \xrightarrow{2^{-4}} (\Delta_{2,8}, \Delta_{0,4}) \xrightarrow{2^{-4}} (\Delta_{0}, \Delta_{2,8}) \xrightarrow{2^{-2}} (0, \Delta_{0})$$
$$(\Delta_{0,4}, \Delta_{6}) \xrightarrow{2^{-4}} (\Delta_{1,2}, \Delta_{0,4}) \xrightarrow{2^{-4}} (\Delta_{1}, \Delta_{1,2}) \xrightarrow{2^{-2}} (0, \Delta_{0})$$
$$(\Delta_{0,4}, \Delta_{6}) \xrightarrow{2^{-4}} (\Delta_{1,2}, \Delta_{0,4}) \xrightarrow{2^{-4}} (\Delta_{0}, \Delta_{1,2}) \xrightarrow{2^{-2}} (0, \Delta_{0})$$
$$(\Delta_{0,4}, \Delta_{6}) \xrightarrow{2^{-4}} (\Delta_{1,2,8}, \Delta_{0,4}) \xrightarrow{2^{-6}} (\Delta_{0}, \Delta_{1,2,8}) \xrightarrow{2^{-2}} (0, \Delta_{0}),$$

and four paths over ∆10 → ∆13:

$$(\Delta_{0,4}, \Delta_{2}) \xrightarrow{2^{-4}} (\Delta_{6}, \Delta_{0,4}) \xrightarrow{2^{-2}} (\Delta_{0,4,8}, \Delta_{6}) \xrightarrow{2^{-6}} (\Delta_{2,10}, \Delta_{0,4,8})$$
$$(\Delta_{0,4}, \Delta_{2}) \xrightarrow{2^{-4}} (\Delta_{5,6}, \Delta_{0,4}) \xrightarrow{2^{-4}} (\Delta_{0,4,8}, \Delta_{5,6}) \xrightarrow{2^{-6}} (\Delta_{2,10}, \Delta_{0,4,8})$$
$$(\Delta_{0,4}, \Delta_{2}) \xrightarrow{2^{-4}} (\Delta_{6,12}, \Delta_{0,4}) \xrightarrow{2^{-4}} (\Delta_{0,4,8}, \Delta_{6,12}) \xrightarrow{2^{-6}} (\Delta_{2,10}, \Delta_{0,4,8})$$
$$(\Delta_{0,4}, \Delta_{2}) \xrightarrow{2^{-4}} (\Delta_{5,6,12}, \Delta_{0,4}) \xrightarrow{2^{-6}} (\Delta_{0,4,8}, \Delta_{5,6,12}) \xrightarrow{2^{-6}} (\Delta_{2,10}, \Delta_{0,4,8}).$$

This results in a more exact trail of:

$$\Delta_{0} \xrightarrow{2^{-12}} \Delta_{4} \xrightarrow{2^{-8} + 3 \cdot 2^{-10} + 2^{-12}} \Delta_{7} \xrightarrow{2^{-4}} \Delta_{10} \xrightarrow{2^{-12} + 2 \cdot 2^{-14} + 2^{-16}} \Delta_{13} \xrightarrow{2^{-4}} \Delta_{14}.$$

Simon64/k. Concerning Simon64/k, there are four paths over ∆9 → ∆12:

$$(\Delta_{16}, 0) \xrightarrow{2^{-2}} (\Delta_{18}, \Delta_{16}) \xrightarrow{2^{-2}} (\Delta_{16,20}, \Delta_{18}) \xrightarrow{2^{-4}} (\Delta_{22}, \Delta_{16,20})$$
$$(\Delta_{16}, 0) \xrightarrow{2^{-2}} (\Delta_{17,18}, \Delta_{16}) \xrightarrow{2^{-4}} (\Delta_{16,20}, \Delta_{17,18}) \xrightarrow{2^{-4}} (\Delta_{22}, \Delta_{16,20})$$
$$(\Delta_{16}, 0) \xrightarrow{2^{-2}} (\Delta_{18,24}, \Delta_{16}) \xrightarrow{2^{-4}} (\Delta_{16,20}, \Delta_{18,24}) \xrightarrow{2^{-4}} (\Delta_{22}, \Delta_{16,20})$$
$$(\Delta_{16}, 0) \xrightarrow{2^{-2}} (\Delta_{17,18,24}, \Delta_{16}) \xrightarrow{2^{-6}} (\Delta_{16,20}, \Delta_{17,18,24}) \xrightarrow{2^{-4}} (\Delta_{22}, \Delta_{16,20}),$$

and three paths over ∆13 → ∆16:

$$(\Delta_{16,20,24}, \Delta_{22}) \xrightarrow{2^{-6}} (\Delta_{18,26}, \Delta_{16,20,24}) \xrightarrow{2^{-4}} (\Delta_{16,24,28}, \Delta_{18,26}) \xrightarrow{2^{-6}} (\Delta_{30}, \Delta_{16,24,28})$$
$$(\Delta_{16,20,24}, \Delta_{22}) \xrightarrow{2^{-6}} (\Delta_{18,25,26}, \Delta_{16,20,24}) \xrightarrow{2^{-6}} (\Delta_{16,24,28}, \Delta_{18,25,26}) \xrightarrow{2^{-6}} (\Delta_{30}, \Delta_{16,24,28})$$
$$(\Delta_{16,20,24}, \Delta_{22}) \xrightarrow{2^{-6}} (\Delta_{17,18,25,26}, \Delta_{16,20,24}) \xrightarrow{2^{-8}} (\Delta_{16,24,28}, \Delta_{17,18,25,26}) \xrightarrow{2^{-6}} (\Delta_{30}, \Delta_{16,24,28}).$$

Hence, we obtain the following trail:

$$\Delta_{0} \xrightarrow{2^{-26}} \Delta_{9} \xrightarrow{2^{-8} + 2 \cdot 2^{-10} + 2^{-12}} \Delta_{12} \xrightarrow{2^{-2}} \Delta_{13} \xrightarrow{2^{-16} + 2^{-18} + 2^{-20}} \Delta_{16} \xrightarrow{2^{-2}} \Delta_{17}.$$

Simon128/k. For Simon128/k, there are four paths over ∆11 → ∆14:

$$(\Delta_{32}, 0) \xrightarrow{2^{-2}} (\Delta_{34}, \Delta_{32}) \xrightarrow{2^{-2}} (\Delta_{32,36}, \Delta_{34}) \xrightarrow{2^{-4}} (\Delta_{38}, \Delta_{32,36})$$
$$(\Delta_{32}, 0) \xrightarrow{2^{-2}} (\Delta_{33,34}, \Delta_{32}) \xrightarrow{2^{-4}} (\Delta_{32,36}, \Delta_{33,34}) \xrightarrow{2^{-4}} (\Delta_{38}, \Delta_{32,36})$$
$$(\Delta_{32}, 0) \xrightarrow{2^{-2}} (\Delta_{34,40}, \Delta_{32}) \xrightarrow{2^{-4}} (\Delta_{32,36}, \Delta_{34,40}) \xrightarrow{2^{-4}} (\Delta_{38}, \Delta_{32,36})$$
$$(\Delta_{32}, 0) \xrightarrow{2^{-2}} (\Delta_{33,34,40}, \Delta_{32}) \xrightarrow{2^{-6}} (\Delta_{32,36}, \Delta_{33,34,40}) \xrightarrow{2^{-4}} (\Delta_{38}, \Delta_{32,36}).$$

This gives us the following characteristic:

$$\Delta_{0} \xrightarrow{2^{-36}} \Delta_{11} \xrightarrow{2^{-8} + 2 \cdot 2^{-10} + 2^{-12}} \Delta_{14} \xrightarrow{2^{-74}} \Delta_{27}.$$

C Impossible Differentials for Simon2n/k

Simon48/k:

$$(\Delta_{0,4,8}, \Delta_{2,10}) \xrightarrow[5R]{2^{-10}} (0, \Delta_{0}) \xrightarrow[7R]{1} (\Delta_{[0-23]}, \Delta_{[0-22]}) \neq (\Delta_{[0-14,16-20,23]}, \Delta_{23,[0-22]}) \xleftarrow[3R]{1} (\Delta_{23,[0-6,8-12,15-18,22]}, \Delta_{[0-4,7-10,14,16]}).$$

Simon64/k:

$$(\Delta_{0,4,8}, \Delta_{2,10}) \xrightarrow[5R]{2^{-10}} (0, \Delta_{0}) \xrightarrow[8R]{1} (\Delta_{[0-31]}, \Delta_{[0,2-30]}) \neq (\Delta_{[0-22,24-28,31]}, \Delta_{31,[0-30]}) \xleftarrow[4R]{1} (\Delta_{[0-6,8-12,15-18,22,24,31]}, \Delta_{31,[0-4,7-10,14,16,30]}).$$

Simon96/k:

$$(\Delta_{6}, \Delta_{0,4,8}) \xrightarrow[4R]{2^{-8}} (0, \Delta_{0}) \xrightarrow[9R]{1} (\Delta_{[0-47]}, \Delta_{[0,2-46]}) \neq (\Delta_{[0-38,40-44,47]}, \Delta_{47,[0-46]}) \xleftarrow[6R]{1} (\Delta_{[1-6,8-12,16-18,22,24]}, \Delta_{47,[0-4,7-10,14,16]}).$$

Simon128/k:

$$(\Delta_{0,4,8}, \Delta_{2,10}) \xrightarrow[5R]{2^{-10}} (0, \Delta_{0}) \xrightarrow[12R]{1} (\Delta_{[0-63]}, \Delta_{[0,2-62]}) \neq (\Delta_{[0-54,56-60,63]}, \Delta_{63,[0-62]}) \xleftarrow[8R]{1} (\Delta_{[1-6,8-12,15-18,22,24]}, \Delta_{63,[0-4,7-10,14,16]}).$$
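As an added check that is not part of the paper, the following Python example propagates truncated differences through Simon48/k with three-valued bits (certainly active, certainly inactive, unknown): seven rounds forward from (0, ∆0), the probability-one part of the Simon48/k diagram, and three rounds backward from the output difference given there. It reproduces the two middle states of the diagram and locates the contradiction in bit 23 of the right word, which is certainly inactive after the forward rounds and certainly active after the backward ones. The bit-mask representation and the helper names are this example's own; the AND of f is modelled as unknown in every bit where at least one of its two rotated inputs may carry a difference, which is what makes the "[a−b]" ranges of the diagram grow.

```python
"""Miss-in-the-middle check for the Simon48/k impossible differential.

Added example, not the paper's code. A word is a pair of bit masks (ones, unknown):
bits in `ones` certainly carry a difference, bits in `unknown` may or may not, every
other bit certainly carries none. In f(x) = (S^1(x) & S^8(x)) ^ S^2(x) the rotation
S^2 and the XORs are exact; an AND output bit becomes unknown as soon as one of its
inputs is possibly active. "23,[0-22]" in Appendix C means bit 23 certain, 0..22 unknown.
"""
N = 24                      # word size of Simon48
MASK = (1 << N) - 1


def rol(x, r):
    return ((x << r) | (x >> (N - r))) & MASK


def bits(*spec):
    """Mask from single bit positions and inclusive (lo, hi) ranges, e.g. bits(23, (0, 22))."""
    m = 0
    for s in spec:
        lo, hi = (s, s) if isinstance(s, int) else s
        for b in range(lo, hi + 1):
            m |= 1 << b
    return m


def xor(a, b):
    """XOR of two three-valued words: unknown absorbs, certain bits add mod 2."""
    unk = a[1] | b[1]
    return ((a[0] ^ b[0]) & ~unk & MASK, unk)


def f_trunc(w):
    """Truncated propagation through f: exact S^2 part XOR an all-unknown AND part."""
    ones, unk = w
    active = ones | unk
    and_unk = rol(active, 1) | rol(active, 8)
    return xor((rol(ones, 2), rol(unk, 2)), (0, and_unk))


def forward(state, rounds):
    """Round: (L, R) -> (R ^ f(L), L); the round key cancels in differences."""
    l, r = state
    for _ in range(rounds):
        l, r = xor(r, f_trunc(l)), l
    return l, r


def backward(state, rounds):
    """Inverse round: (L', R') -> (R', L' ^ f(R'))."""
    l, r = state
    for _ in range(rounds):
        l, r = r, xor(l, f_trunc(r))
    return l, r


def possibly_active(w):
    return w[0] | w[1]


def contradiction(fw, bw):
    """Per word: bits certainly active on one side and certainly inactive on the other."""
    return [(a[0] & ~possibly_active(b)) | (b[0] & ~possibly_active(a))
            for a, b in zip(fw, bw)]


def simon48_miss_in_the_middle():
    """7 rounds forward from (0, Delta_0), 3 rounds backward from the Appendix C output
    difference; returns (forward state, backward state, [L, R contradiction masks])."""
    fw = forward(((0, 0), (bits(0), 0)), 7)
    start = ((bits(23), bits((0, 6), (8, 12), (15, 18), 22)),   # Delta_{23,[0-6,8-12,15-18,22]}
             (0, bits((0, 4), (7, 10), 14, 16)))                 # Delta_{[0-4,7-10,14,16]}
    bw = backward(start, 3)
    return fw, bw, contradiction(fw, bw)


if __name__ == "__main__":
    fw, bw, contra = simon48_miss_in_the_middle()
    print("forward  L/R possibly active:", hex(possibly_active(fw[0])), hex(possibly_active(fw[1])))
    print("backward L/R possibly active:", hex(possibly_active(bw[0])), hex(possibly_active(bw[1])))
    print("contradicting bits (L, R):", [hex(m) for m in contra])
```

The same propagator, with N set to 32, 48 or 64 and the start states of the other three diagrams, checks the Simon64/k, Simon96/k and Simon128/k impossible differentials in the same way; the contradiction is always the top bit of the right word.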
