Optimal Differential Trails in SIMON-like Ciphers Zhengbin Liu, - PowerPoint PPT Presentation

Optimal Differential Trails in SIMON-like Ciphers Zhengbin Liu, Yongqiang Li, Mingsheng Wang State Key Laboratory of Information Security, Institute of Information Engineering, CAS; University of Chinese Academy of Science FSE 2017, Tokyo, Japan March 8, 2017 Z. Liu; Y. Li; M. Wang Optimal Differential Trails in SIMON-like Ciphers FSE 2017 1 / 26

Outline Background 1 The Probability of SIMON-like Round Function 2 3 Automatic Search Algorithm Application to SIMON and SIMECK 4 Conclusion 5 Z. Liu; Y. Li; M. Wang Optimal Differential Trails in SIMON-like Ciphers FSE 2017 2 / 26

Outline Background 1 The Probability of SIMON-like Round Function 2 3 Automatic Search Algorithm Application to SIMON and SIMECK 4 Conclusion 5 Z. Liu; Y. Li; M. Wang Optimal Differential Trails in SIMON-like Ciphers FSE 2017 3 / 26

SIMON-like Ciphers X Y i i SIMON-like round function: <<< a F ( x ) = (( x ≪ a ) ∧ ( x ≪ b )) ⊕ ( x ≪ c ) & <<< b For SIMON: K i <<< c ( a , b , c ) = (1 , 8 , 2) For SIMECK: ( a , b , c ) = (0 , 5 , 1) X � Y � 1 i i 1 Z. Liu; Y. Li; M. Wang Optimal Differential Trails in SIMON-like Ciphers FSE 2017 4 / 26

The Differential Trails for SIMON The threshold search algorithm (Biryukov et al., FSE’ 14 ) Improved differential trails for SIMON 32 , SIMON 48 and SIMON 64 . The SAT/SMT solvers (K ¨ o lbl et al., CRYPTO’ 15 ) The optimal differential trails for SIMON 32 , SIMON 48 and SIMON 64 . Pen and paper arguments (Beierle, SCN’ 16 ) An upper bound on the probability of differential trails. Z. Liu; Y. Li; M. Wang Optimal Differential Trails in SIMON-like Ciphers FSE 2017 5 / 26

Motivations and Contributions Motivations The optimal differential trails for SIMON 96 and SIMON 128 aren’t found. Our Contribution An efficient search algorithm for the optimal differential trails in SIMON-like ciphers. Our search algorithm can find the optimal differential trails for SIMON 96 and SIMON 128 . Z. Liu; Y. Li; M. Wang Optimal Differential Trails in SIMON-like Ciphers FSE 2017 6 / 26

Outline Background 1 The Probability of SIMON-like Round Function 2 3 Automatic Search Algorithm Application to SIMON and SIMECK 4 Conclusion 5 Z. Liu; Y. Li; M. Wang Optimal Differential Trails in SIMON-like Ciphers FSE 2017 7 / 26

Differential Probability of SIMON-like Round Function Theorem (K ¨ o lbl et al., CRYPTO’ 15 ) Let F ( x ) = (( x ≪ a ) ∧ ( x ≪ b )) ⊕ ( x ≪ c ) , n is even, a > b and gcd( n , a − b ) = 1 . Then with varibits = ( α ≪ a ) ∨ ( α ≪ b ) and doublebits = ( α ≪ b ) ∧ ( α ≪ a ) ∧ ( α ≪ (2 a − b )) and γ = β ⊕ ( α ≪ c ) , it holds if α = 2 n − 1 , wt ( γ ) ≡ 0 2 − n + 1  mod 2    if α � 2 n − 1 , γ ∧ varibits = 0 n , 2 − wt ( varibits ⊕ doublebits )       P ( α �→ β ) =  ( γ ⊕ ( γ ≪ ( a − b ))) ∧ doublebits    = 0 n       0 else .  Z. Liu; Y. Li; M. Wang Optimal Differential Trails in SIMON-like Ciphers FSE 2017 8 / 26

Upper Bound on the Differential Probability Theorem (Beierle, SCN’ 16 ) Let F ( x ) = (( x ≪ a ) ∧ ( x ≪ b )) ⊕ ( x ≪ c ) , n ≥ 6 is even, a > b and gcd( n , a − b ) = 1 . Let α be an input difference, then it holds that (1) If wt ( α ) = 1 , then P α ≤ 2 − 2 ; (2) If wt ( α ) = 2 , then P α ≤ 2 − 3 ; (3) If wt ( α ) � n , then P α ≤ 2 − wt ( α ) ; (4) If wt ( α ) = n , then P α ≤ 2 − n + 1 . Z. Liu; Y. Li; M. Wang Optimal Differential Trails in SIMON-like Ciphers FSE 2017 9 / 26

Upper Bound on the Differential Probability Theorem (Our Bound) Let F ( x ) = (( x ≪ a ) ∧ ( x ≪ b )) ⊕ ( x ≪ c ) , n is even, a > b and gcd( n , a − b ) = 1 . Let α be an input difference, then it holds that (1) If 1 ≤ wt ( α ) < n / 2 , then P α ≤ 2 − wt ( α ) − 1 ; (2) If n / 2 ≤ wt ( α ) < n , then P α ≤ 2 − wt ( α ) ; (3) If wt ( α ) = n , then P α ≤ 2 − n + 1 . With this bound, we can traverse plaintext differences from low to high Hamming weight. Z. Liu; Y. Li; M. Wang Optimal Differential Trails in SIMON-like Ciphers FSE 2017 10 / 26

Comparison of the three bounds Table: The impact of the three bounds on SIMON 128 Round Probability ( log 2 p ) K ¨ o lbl’s bound Beierle’s bound our bound 1 − 0 0 . 00 s 0 . 00 s 0 . 00 s 2 − 2 0 . 00 s 0 . 00 s 0 . 00 s 3 − 4 0 . 02 s 0 . 01 s 0 . 00 s 4 − 6 0 . 11 s 0 . 12 s 0 . 02 s 5 − 8 0 . 14 s 0 . 13 s 0 . 02 s 6 − 12 15 . 69 s 14 . 89 s 2 . 51 s 7 − 14 13 . 79 s 13 . 06 s 2 . 36 s 8 − 18 16 . 30 s 13 . 81 s 3 . 41 s 9 − 20 14 . 49 s 12 . 05 s 2 . 33 s 10 − 26 0 . 47 h 0 . 44 h 0 . 08 h 11 − 30 22 . 66 h 22 . 67 h 6 . 52 h 12 − 36 53 . 12 h 52 . 88 h 12 . 20 h 13 − 38 0 . 33 h 0 . 33 h 0 . 06 h 14 − 44 4 . 74 h 4 . 70 h 3 . 42 h Z. Liu; Y. Li; M. Wang Optimal Differential Trails in SIMON-like Ciphers FSE 2017 11 / 26

Outline Background 1 The Probability of SIMON-like Round Function 2 3 Automatic Search Algorithm Application to SIMON and SIMECK 4 Conclusion 5 Z. Liu; Y. Li; M. Wang Optimal Differential Trails in SIMON-like Ciphers FSE 2017 12 / 26

Matsui’s Algorithm Round- 1 : For all α 1 : � � � 1 1 F � p 1 = max β p ( α 1 �→ β ) � � � � If p 1 B n − 1 ≥ B n then � � Call Round- 2 � � Round- 2 : � � 2 F 2 � For all α 2 and β 2 : � � � � p 2 = p ( α 2 �→ β 2 ) � If p 1 p 2 B n − 2 ≥ B n then Call Round- 3 ... � � � � � � i i 2 � i 1 Round- i : � � � � � � � � α i = α i − 2 ⊕ β i − 1 : i F i � � � � � p i = p ( α i �→ β i ) � � If p 1 p 2 · · · p i B n − i ≥ B n then Call Round- ( i + 1) Z. Liu; Y. Li; M. Wang Optimal Differential Trails in SIMON-like Ciphers FSE 2017 13 / 26

Matsui’s Algorithm for SIMON-like ciphers Matsui’s Algorithm Returns optimal results if B n ≤ B n . Applicable to S-box based ciphers. Main Idea Adapt Matsui’s algorithm to SIMON-like ciphers. Compute the probability according to K ¨ o lbl et al.. Use lookup tables to obtain the output differences. Z. Liu; Y. Li; M. Wang Optimal Differential Trails in SIMON-like Ciphers FSE 2017 14 / 26

The Search Strategy Traverse plaintext differences from low to high Hamming weight According to the upper bound, the maximum probability decreases with the Hamming weight of input difference increasing. IF find some difference with P max B n − 1 < B n , break the branch and needn’t traverse differences with higher Hamming weight. Z. Liu; Y. Li; M. Wang Optimal Differential Trails in SIMON-like Ciphers FSE 2017 15 / 26

The Search Strategy Compute the probability and then find output differences According to K ¨ o lbl et al., the differential probability P ( α �→ β ) is the same for all possible output differences β . Compute the probability firstly, and if it satisfies the search condition, then find the output differences and search the next round. Z. Liu; Y. Li; M. Wang Optimal Differential Trails in SIMON-like Ciphers FSE 2017 16 / 26

The Search Strategy The difference distribution table For n -bit AND operation ( n = mt ), build the difference distribution table of t -bit AND operation. S S S 1 0 m x � x � x x � x x � � � � � � � � � 1 � 1 � � � 0 n n t 2 1 t t t y � y � y y y � y ＆ � � � � � � � � � � � � � 1 2 1 1 0 n n t t t t z � z � z � z z � z � � � � � � � � � � � � 1 2 1 1 0 n n t t t t Z. Liu; Y. Li; M. Wang Optimal Differential Trails in SIMON-like Ciphers FSE 2017 17 / 26

The Search Strategy Find output differences with lookup tables For an n -bit input difference α , compute α ≪ a and α ≪ b . Look up the tables to obtain corresponding output differences. Check whether the input and output differences satisfy the condition in K ¨ o lbl’s Theorem. Z. Liu; Y. Li; M. Wang Optimal Differential Trails in SIMON-like Ciphers FSE 2017 18 / 26

Outline Background 1 The Probability of SIMON-like Round Function 2 3 Automatic Search Algorithm Application to SIMON and SIMECK 4 Conclusion 5 Z. Liu; Y. Li; M. Wang Optimal Differential Trails in SIMON-like Ciphers FSE 2017 19 / 26

Optimal Differential Trails for SIMON and SIMECK 1 Table: The optimal differential trails for SIMON. Block Size Round Probability ( log 2 p ) time Reference 12 − 34 K ¨ o lbl et al., CRYPTO’ 15 − 32 12 − 34 40 s this paper 16 − 50 K ¨ o lbl et al., CRYPTO’ 15 − 48 16 − 50 5 h this paper K ¨ o lbl et al., CRYPTO’ 15 16 − 54 − 64 6 d this paper 19 − 64 − − − − 96 28 − 96 35 d this paper − − − − 128 37 − 128 66 d this paper 1 All experiments are performed on a PC with a single core. Z. Liu; Y. Li; M. Wang Optimal Differential Trails in SIMON-like Ciphers FSE 2017 20 / 26