observations on the simon block cipher family
Stefan Kölbl 1, Gregor Leander 2, Tyge Tiessen 1
August 17, 2015
1 DTU Compute, Technical University of Denmark, Denmark
2 Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Germany
lightweight cryptography
Lightweight Cryptography
What is Lightweight Cryptography?
∙ Design primitives for resource-constrained environments like RFID tags.
∙ A lot of attention over the last few years.
∙ NIST started to investigate the possibility to standardize primitives.
Design Criteria
∙ Chip-area
∙ Latency
∙ Code-size
∙ ...
SIMON
Simon is a family of block ciphers designed by NSA.
∙ Lightweight design for hardware.
∙ “Published” in 2013 on the ePrint archive.

block size    key sizes
32            64
48            72, 96
64            96, 128
96            96, 144
128           128, 192, 256
Feistel Network
∙ Simple round function
∙ Between 32 and 72 rounds
[Figure: Simon round function, with labels $S^8$, $S^1$, $S^2$, $\wedge$ and round key $K_i$]
Cryptanalysis of Simon
∙ No (public) cryptanalysis or security arguments from the designers.
∙ Many contributions by the cryptographic community.
∙ Attacks cover up to 74 % of the rounds.
properties of simon
Differential and Linear
Any cipher should have a reasonable security margin against differential and linear cryptanalysis.
∙ For SPN designs it is easier to show bounds.
∙ Difficult for ARX, Simon.
∙ Best attacks on Simon are based on differential and linear cryptanalysis.
Differential Cryptanalysis
∙ Observe how differences propagate through the round function.
∙ Find correlations between input and output difference.
[Figure: inputs $x$, $x'$ with difference $\alpha = x \oplus x'$ pass through $f$ to outputs $y$, $y'$ with difference $\beta = y \oplus y'$]
We are interested in:
∙ Probability for one round: $\Pr(\alpha \to \beta)$
∙ Differential characteristics: $\Pr(\alpha \to \beta \to \gamma)$
∙ Differentials: $\sum_{x} \Pr(\alpha \to x \to \gamma)$
[Figure: pairs $x, x'$, $y, y'$ and $z, z'$ connected by applications of $f$, with differences $\alpha$, $\beta$, $\gamma$]
For the analysis we use an equivalent representation for Simon.
[Figure: Simon round function (labels $S^8$, $S^1$, $S^2$, $\wedge$, $K_i$) and its equivalent representation (labels $S^1$, $\wedge$, $K_i$)]
We look at a message $m = (m_{n-1}, \ldots, m_1, m_0)$ and an input difference $d = (d_{n-1}, \ldots, d_1, d_0)$. The output difference $f(m) \oplus f(m \oplus d)$ is then given by:
\[
D_i(m, d) =
\begin{cases}
0, & \text{if } d_i = 0 \text{ and } d_{i-1} = 0 \\
m_i, & \text{if } d_i = 0 \text{ and } d_{i-1} = 1 \\
m_{i-1}, & \text{if } d_i = 1 \text{ and } d_{i-1} = 0 \\
m_i \oplus m_{i-1}, & \text{if } d_i = 1 \text{ and } d_{i-1} = 1.
\end{cases}
\tag{1}
\]
Let us now look at a first example. Let $n = 6$, and $d = 001010$. We then calculate $D(m, d)$ using the above bitwise definition of $D$:
\[
\begin{array}{l|cccccc}
i & 5 & 4 & 3 & 2 & 1 & 0 \\ \hline
d & 0 & 0 & 1 & 0 & 1 & 0 \\
S^1(d) & 0 & 1 & 0 & 1 & 0 & 0 \\
D(m, d) & 0 & m_4 & m_2 & m_2 & m_0 & 0
\end{array}
\tag{2}
\]
Resulting difference only depends on $m_0$, $m_2$, $m_4$. Therefore we have 8 possible output differences.
We can compute the differential probability with simple bit operations.
The bits which can be non-zero at the output:
\[ \text{varibits} = \alpha \vee S^1(\alpha) \tag{3} \]
The bits which have to be equal to their right neighbour:
\[ \text{doublebits} = \alpha \wedge \overline{S^1(\alpha)} \wedge S^2(\alpha) \tag{4} \]
For our previous example:
varibits = 011110
doublebits = 001000
Possible output differences:
000000 000010 001100 001110 010000 010010 011100 011110
A valid differential $(\alpha \to \beta)$ has to satisfy:
∙ There can only be a difference at $\beta_i$ if $\text{varibits}_i$ is equal to 1.
∙ If $\text{doublebits}_i$ is 1, then $\beta_i = \beta_{i-1}$.
The probability is then given by:
\[ \Pr(\alpha \to \beta) = 2^{-\mathrm{wt}(\text{varibits} \oplus \text{doublebits})} \tag{5} \]
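The varibits/doublebits rule can be checked against an exhaustive count on the slides' toy size n = 6. This is an added example, not code from the authors or from cryptosmt. It assumes the equivalent round function is f(m) = m ∧ S^1(m) (read off from equation (1)) and that doublebits uses the complement of S^1(α); the all-ones input difference is skipped, since the two conditions above do not describe it.

```python
from collections import Counter
from fractions import Fraction

N = 6                      # toy word size from the slides' example
MASK = (1 << N) - 1

def rotl(x, r):
    """S^r: rotate an N-bit word left by r positions."""
    return ((x << r) | (x >> (N - r))) & MASK

def f(m):
    """Assumed equivalent round function: bitwise AND of m with S^1(m)."""
    return m & rotl(m, 1)

def varibits(a):
    """Bits that can be non-zero in the output difference."""
    return a | rotl(a, 1)

def doublebits(a):
    """Bits that must equal their right neighbour in the output difference."""
    return a & ~rotl(a, 1) & rotl(a, 2) & MASK

def formula_prob(a, b):
    """Pr(a -> b) from the two validity conditions and the weight formula."""
    vb, db = varibits(a), doublebits(a)
    if b & ~vb & MASK:            # difference where varibits_i = 0
        return Fraction(0)
    if (b ^ rotl(b, 1)) & db:     # beta_i != beta_{i-1} where doublebits_i = 1
        return Fraction(0)
    return Fraction(1, 2 ** bin(vb ^ db).count("1"))

def exhaustive_row(a):
    """Exact Pr(a -> b) for every reachable b, counted over all 2^N messages."""
    counts = Counter(f(m) ^ f(m ^ a) for m in range(1 << N))
    return {b: Fraction(c, 1 << N) for b, c in counts.items()}

def mismatches():
    """Input differences (all-ones excluded) where formula and count disagree."""
    bad = []
    for a in range(MASK):
        row = exhaustive_row(a)
        if any(formula_prob(a, b) != row.get(b, 0) for b in range(1 << N)):
            bad.append(a)
    return bad

if __name__ == "__main__":
    d = 0b001010               # the slides' example difference
    print(f"varibits={varibits(d):06b} doublebits={doublebits(d):06b}")
    print(sorted(f"{b:06b}" for b in exhaustive_row(d)))
    print("mismatches:", mismatches())
```

An empty mismatch list means the bit-operation formula reproduces the full difference distribution for every other input difference at this word size.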
∙ Proofs in the paper. Apply affine transformation for Simon round function.
∙ Similar approach for linear cryptanalysis.
finding optimal differential and linear characteristics
Optimal Characteristics
We are interested in differential and linear characteristics with high probability.
∙ We use an approach based on SAT/SMT solvers, similar to results on Salsa20 [MP13] or NORX [AJN15].
∙ Gives upper bounds on the probability.
∙ Estimate probability of the differentials.
∙ Open Source: https://github.com/kste/cryptosmt
Constraints:
∙ Use our previous observations on varibits and doublebits.
∙ Probability for one round is $w_i = \mathrm{wt}(\text{varibits} \oplus \text{doublebits})$.
[Figure: one round mapping $x_i$, $y_i$ to $x_{i+1}$, $y_{i+1}$, with labels $S^8$, $S^1$, $S^2$ and $z_i$]