observations on the simon block cipher family
play

observations on the simon block cipher family Stefan Klbl 1 - PowerPoint PPT Presentation

Jan 15, 2023 •199 likes •809 views

Gregor Leander 2 Tyge Tiessen 1 August 17, 2015 1 DTU Compute, Technical University of Denmark, Denmark 2 Horst Grtz Institute for IT Security, Ruhr-Universitt Bochum, Germany observations on the simon block cipher family Stefan Klbl 1

  1. Gregor Leander 2 Tyge Tiessen 1 August 17, 2015 1 DTU Compute, Technical University of Denmark, Denmark 2 Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Germany observations on the simon block cipher family Stefan Kölbl 1

  2. lightweight cryptography

  3. What is Lightweight Cryptography? ∙ Design primitives for resource-constraint environments like RFID tags. ∙ Lot of attention over the last few years. ∙ NIST started to investigate the possibility to standardize primitives. Design Criteria ∙ Chip-area ∙ Latency ∙ Code-size ∙ ... 2 Lightweight Cryptography

  4. 3 72, 96 128, 192, 256 128 96, 144 96 96, 128 64 48 Simon is a family of block ciphers designed by NSA. 64 32 key sizes block size ∙ Lightweight design for hardware. ∙ “Published” in 2013 on the ePrint archive. SIMON

  5. Feistel Network ∙ Simple round function ∙ Between 32 and 72 rounds S 8 S 1 S 2 K i 4 SIMON ∧

  6. Cryptanalysis of Simon ∙ No (public) cryptanalysis or security arguments from the designers. ∙ Many contributions by the cryptographic community. 5 SIMON ∙ Attacks cover up to 74 % of the rounds.

  7. properties of simon

  8. Any cipher should have reasonable security margin against differential and linear cryptanalysis. ∙ For SPN designs easier to show bounds. ∙ Difficult for ARX, Simon. ∙ Best attacks on Simon are based on differential and linear cryptanalysis. 7 Differential and Linear

  9. Differential Cryptanalysis: ∙ Observe how difference propagate through the round function. ∙ Find correlations between input and output difference. x f y f 8 Differential Cryptanalysis α = x ⊕ x ′ x ′ β = y ⊕ y ′ y ′

  10. 9 f f y f x f f We are interested in: ∙ Differentials: x ∙ Differential characteristics: ∙ Probability for one round: f f Differential Cryptanalysis α x ′ Pr ( α → β ) − Pr ( α → β → γ ) − − y ′ β ∑ Pr ( α → γ ) − → x −

  11. 9 ∙ Differentials: f f z f y f x f We are interested in: x f ∙ Differential characteristics: f f ∙ Probability for one round: f Differential Cryptanalysis α x ′ Pr ( α → β ) − y ′ β Pr ( α → γ ) → β − − ∑ Pr ( α → γ ) − → x − γ z ′

  12. 9 f ∙ Differentials: f f f x f f x ∙ Differential characteristics: z f f f ∙ Probability for one round: We are interested in: Differential Cryptanalysis α x ′ Pr ( α → β ) − Pr ( α → γ ) → β − − ∑ Pr ( α → γ ) → x − − γ z ′

  13. For the analysis we use an equivalent representation for Simon S 8 S 1 S 2 K i 10 Differential and Linear ∧

  14. For the analysis we use an equivalent representation for Simon S 1 K i 10 Differential and Linear ∧

  15. 11 0 1 1 m i 1 if d i 1 and d i 1 m i if d i m i 1 if d i 1 and d i 1 1 (1) 0 and d i m i Differential and Linear We look at a message m = ( m n − 1 , . . . , m 1 , m 0 ) and an input difference d = ( d n − 1 , . . . , d 1 , d 0 ) . The output difference f ( m ) ⊕ f ( m ⊕ d ) is then given by:  0 , if d i = 0 and d i − 1 = 0       D i ( m , d ) =      

  16. 11 m i (1) 1 1 1 and d i if d i 1 m i m i 0 1 1 and d i if d i 1 Differential and Linear We look at a message m = ( m n − 1 , . . . , m 1 , m 0 ) and an input difference d = ( d n − 1 , . . . , d 1 , d 0 ) . The output difference f ( m ) ⊕ f ( m ⊕ d ) is then given by:  0 , if d i = 0 and d i − 1 = 0     if d i = 0 and d i − 1 = 1  m i ,  D i ( m , d ) =      

  17. 11 m i (1) 1 1 1 and d i if d i 1 m i Differential and Linear We look at a message m = ( m n − 1 , . . . , m 1 , m 0 ) and an input difference d = ( d n − 1 , . . . , d 1 , d 0 ) . The output difference f ( m ) ⊕ f ( m ⊕ d ) is then given by:  0 , if d i = 0 and d i − 1 = 0     if d i = 0 and d i − 1 = 1  m i ,  D i ( m , d ) = m i − 1 , if d i = 1 and d i − 1 = 0      

  18. 11 (1) Differential and Linear We look at a message m = ( m n − 1 , . . . , m 1 , m 0 ) and an input difference d = ( d n − 1 , . . . , d 1 , d 0 ) . The output difference f ( m ) ⊕ f ( m ⊕ d ) is then given by:  0 , if d i = 0 and d i − 1 = 0     if d i = 0 and d i − 1 = 1  m i ,  D i ( m , d ) = m i − 1 , if d i = 1 and d i − 1 = 0     if d i = 1 and d i − 1 = 1 .  m i ⊕ m i − 1 , 

  19. Resulting difference only depends on m 0 m 2 m 4 . Therefore we have 12 1 8 possible output differences. (2) 0 m 0 m 2 m 2 m 4 0 0 0 1 0 0 0 d i 5 4 3 2 1 0 0 0 1 0 1 Differential and Linear Let us now look at a first example. Let n = 6, and d = 001010. We then calculate D ( m , d ) using the above bitwise definition of D : . S 1 ( d ) D ( m , d )

  20. Resulting difference only depends on m 0 m 2 m 4 . Therefore we have 12 1 8 possible output differences. (2) 0 m 0 m 2 m 2 m 4 0 0 0 1 0 0 0 d i 5 4 3 2 1 0 0 0 1 0 1 Differential and Linear Let us now look at a first example. Let n = 6, and d = 001010. We then calculate D ( m , d ) using the above bitwise definition of D : . S 1 ( d ) D ( m , d )

  21. Resulting difference only depends on m 0 m 2 m 4 . Therefore we have 12 1 8 possible output differences. (2) 0 m 0 m 2 m 2 m 4 0 0 0 1 0 0 0 d i 5 4 3 2 1 0 0 0 1 0 1 Differential and Linear Let us now look at a first example. Let n = 6, and d = 001010. We then calculate D ( m , d ) using the above bitwise definition of D : . S 1 ( d ) D ( m , d )

  22. Resulting difference only depends on m 0 m 2 m 4 . Therefore we have 12 1 8 possible output differences. (2) 0 m 0 m 2 m 2 m 4 0 0 0 1 0 0 0 d i 5 4 3 2 1 0 0 0 1 0 1 Differential and Linear Let us now look at a first example. Let n = 6, and d = 001010. We then calculate D ( m , d ) using the above bitwise definition of D : . S 1 ( d ) D ( m , d )

  23. Resulting difference only depends on m 0 m 2 m 4 . Therefore we have 12 1 8 possible output differences. (2) 0 m 0 m 2 m 2 m 4 0 0 0 1 0 0 0 d i 5 4 3 2 1 0 0 0 1 0 1 Differential and Linear Let us now look at a first example. Let n = 6, and d = 001010. We then calculate D ( m , d ) using the above bitwise definition of D : . S 1 ( d ) D ( m , d )

  24. Resulting difference only depends on m 0 m 2 m 4 . Therefore we have 12 1 8 possible output differences. (2) 0 m 0 m 2 m 2 m 4 0 0 0 1 0 0 0 d i 5 4 3 2 1 0 0 0 1 0 1 Differential and Linear Let us now look at a first example. Let n = 6, and d = 001010. We then calculate D ( m , d ) using the above bitwise definition of D : . S 1 ( d ) D ( m , d )

  25. 12 0 8 possible output differences. (2) 0 m 0 m 2 m 2 m 4 0 0 0 1 0 1 0 1 0 i 5 4 3 2 1 d 0 0 1 0 Differential and Linear Let us now look at a first example. Let n = 6, and d = 001010. We then calculate D ( m , d ) using the above bitwise definition of D : . S 1 ( d ) D ( m , d ) Resulting difference only depends on m 0 , m 2 , m 4 . Therefore we have

  26. Can compute the differential probability with simple bit operations. The bits which can be non-zero at the output: (3) The bits which have to be equal to their right neighbour: (4) 13 Differential and Linear varibits = α ∨ S 1 ( α ) doublebits = α ∧ S 1 ( α ) ∧ S 2 ( α )

  27. For our previous example: Possible output differences: 000000 000010 001100 001110 010000 010010 011100 011110 14 Differential and Linear varibits = 011110 doublebits = 001000

  28. For our previous example: Possible output differences: 000000 000010 001100 001110 010000 010010 011100 011110 15 Differential and Linear varibits = 011110 doublebits = 001000

  29. For our previous example: Possible output differences: 000000 000010 001100 001110 010000 010010 011100 011110 16 Differential and Linear varibits = 011110 doublebits = 001000

  30. (5) The probability is then given by: 17 Differential and Linear A valid differential ( α → β ) has to satisfy: ∙ There can only be a difference at β i , if varibits i is equal to 1 . ∙ If doublebits i is 1 , then β i = β i − 1 . Pr ( α → β ) = 2 − wt ( varibits ⊕ doublebits )

  31. (5) The probability is then given by: 17 Differential and Linear A valid differential ( α → β ) has to satisfy: ∙ There can only be a difference at β i , if varibits i is equal to 1 . ∙ If doublebits i is 1 , then β i = β i − 1 . Pr ( α → β ) = 2 − wt ( varibits ⊕ doublebits )

  32. ∙ Proofs in the paper. Apply affine transformation for Simon round function. ∙ Similar approach for linear cryptanalysis. 18 Differential and Linear

  33. finding optimal differential and linear characteristics

  34. We are interested in differential and linear characteristics with high probability. ∙ We use an approach based on SAT/SMT solvers, similar to results on Salsa20 [MP13] or NORX [AJN15]. ∙ Gives upper bounds on the probability. ∙ Estimate probability of the differentials. ∙ Open Source 1 1 https://github.com/kste/cryptosmt 20 Optimal Characteristics

  35. x i y i S 8 S 1 S 2 z i Constraints: ∙ Use our previous observations on varibits and doublebits . ∙ Probability for one round is 21 Optimal Characteristics w i = wt ( varibits ⊕ doublebits ) . x i + 1 y i + 1

Recommend

A Brief Comparison of Simon and Simeck Stefan Klbl 1 The Simeck block cipher family 1 48 128,

A Brief Comparison of Simon and Simeck Stefan Klbl 1 The Simeck block cipher family 1 48 128,

Arnab Roy 1 September 21, 2016 1 DTU Compute, Technical University of Denmark, Denmark A Brief Comparison of Simon and Simeck Stefan Klbl 1 The Simeck block cipher family 1 48 128, 192, 256 128 96, 144 96 96, 128 64 72, 96 64 32 Key

617 views • 28 slides
Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Cryptography Block Cipher Modes of Operation Block Ciphers with Multiple Blocks Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography Cipher Feedback Mode School of Engineering and Technology

428 views • 32 slides
Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next? Pascal Junod University of Applied Sciences Western Switzerland Pascal Junod -- Advanced Block Cipher Design 1 ECRYPT II Summer School - May

914 views • 56 slides
Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Iterated Block Cipher Outline Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear

1.58k views • 113 slides
Simon: NSA-designed Cipher in the Post-snowden World Tomer Ashur KU Leuven 28/12/2015 The

Simon: NSA-designed Cipher in the Post-snowden World Tomer Ashur KU Leuven 28/12/2015 The

Simon: NSA-designed Cipher in the Post-snowden World Tomer Ashur KU Leuven 28/12/2015 The SIMON and SPECK Families of Lightweight Block Ciphers Two families of lightweight block ciphers (10 variants for each) Tomer Ashur Simon:

784 views • 51 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx COSIC KU Leuven and iMinds March 3, 2014 1 Joint work with E. Andreeva, B. Mennink, and K. Yasuda. 1 / 23 Overview COBRA 1 Misuse resistance 2

711 views • 58 slides
Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn

Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn

CSS441 Block Cipher Operation Modes ECB Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn International Institute of Technology XTS-AES Thammasat University Prepared by Steven Gordon on 20

871 views • 32 slides
PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

Recall We studied security of function families (in particular, block ciphers) against key recovery. But we saw that security against key recovery is not su ffi cient to ensure that natural usages of a block cipher are secure. PSEUDO-RANDOM

268 views • 13 slides
Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key outputs 64 bits of ciphertext A product cipher basic unit is the bit performs both substitution and transposition (permutation) on the

512 views • 35 slides
Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for Communication Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de www.crypto.rub.de Abstract. KeeLoq is a block cipher used in numerous

143 views • 13 slides
Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I & II Andrey Bogdanov KU Leuven, ESAT/COSIC Outline I. Block Ciphers II.

1.03k views • 79 slides
PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key recovery. But we saw that security against key recovery is not sufficient to ensure that natural usages of a block cipher are secure. We want to answer the

920 views • 88 slides
The QARMA Block Cipher Family Roberto Avanzi Qualcomm Product Security Germany Tokyo, March 7,

The QARMA Block Cipher Family Roberto Avanzi Qualcomm Product Security Germany Tokyo, March 7,

Qualcomm QARMA T E C H N O L O G I E S , I N C PRODUCT SECURITY Use cases The road to QARMA Analysis Implementation Conclusion The QARMA Block Cipher Family Roberto Avanzi Qualcomm Product Security Germany Tokyo, March 7, 2017 Roberto

537 views • 52 slides
Objectives Electronic Code Book Cipher Block Chaining Output Boolean functions

Objectives Electronic Code Book Cipher Block Chaining Output Boolean functions

Modes of Operation of Block Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Electronic Code Book Cipher Block Chaining

183 views • 16 slides
Block Ciphers Chester Rebeiro IIT Madras CR CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR CR STINSON : chapters 3 Block Cipher K D K E untrusted communicaGon link Alice Bob E D #%AR3Xf34^$ A?ack at Dawn!! decrypGon encrypGon (ciphertext) message A?ack at Dawn!!

1.71k views • 143 slides
Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo

Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo

Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo Gunsing, Joan Daemen and Bart Mennink FSE 2020 1 / 15 Block cipher K n n P B C Plaintext P encrypted to ciphertext C with secret key K

632 views • 41 slides
Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher K D K E untrusted communication link Alice Bob E D #%AR3Xf34^$ Attack at Dawn!! decryption encryption (ciphertext) message message Attack at

1.56k views • 143 slides
Block ciphers What is a block cipher? Dan Boneh Block

Block ciphers What is a block cipher? Dan Boneh Block

Online Cryptography Course

1.24k views • 65 slides
CS 4803 A block cipher E is a collection of functions from n bits to n bits. Each function is

CS 4803 A block cipher E is a collection of functions from n bits to n bits. Each function is

Block ciphers Building blocks for symmetric cryptography. M EK C Examples: DES, 3DES, AES... CS 4803 A block cipher E is a collection of functions from n bits to n bits. Each function is fully specified by a k-bit key. Computer and

317 views • 4 slides
A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

1. Preliminaries 2. Differential-Linear Cryptanalysis: Previous and Our Methodologies 3. Application to 13 Rounds of the DES Block Cipher 4. Application to 10 Rounds of the CTC2 Block Cipher 5. Application to 12 Rounds of the Serpent Block

1.18k views • 25 slides
H were created in the late 18th and 19th 2 n 2nd preimages centuries; they federated and became

H were created in the late 18th and 19th 2 n 2nd preimages centuries; they federated and became

Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro 1 Introduction Hash Functions and SHA-3 2 Iterated hash functions 3 Block cipher

786 views • 13 slides

More recommend