Improved Integral Attacks on SIMON32 and SIMON48 with Dynamic Key-Guessing Techniques

Dynamic key-guessing techniques, which exploit the property of AND operation, could improve the differential and linear cryptanalytic results by reducing the number of guessed subkey bits and lead to good cryptanalytic results for SIMON. They have only been applied in differential and linear attacks as far as we know. In this paper, dynamic key-guessing techniques are first introduced in integral cryptanalysis. According to the features of integral cryptanalysis, we extend dynamic key-guessing techniques and get better integral cryptanalysis results than before. As a result, we present integral attacks on 24-round SIMON32, 24-round SIMON48/72, and 25-round SIMON48/96. In terms of the number of attacked rounds, our attack on SIMON32 is better than any previously known attacks, and our attacks on SIMON48 are the same as the best attacks.


Introduction
The integral attack, proposed by Daemen et al. [1], is an important cryptanalytic technique for symmetric-key primitives. The integral distinguisher is based on the property that when some parts of the input (constant bits) of the distinguisher are held constant while the other parts (active bits) vary through all possibilities, the sum of all the output values equals zero at some particular positions (balanced bits). In the key recovery, the sum is random if the guessed key is incorrect, while the sum is zero if the guessed key is correct. As a powerful class of cryptanalytic techniques, integral cryptanalysis has been applied to many block ciphers, especially those with low-degree round functions.
SIMON is a family of ten lightweight block ciphers designed by the US National Security Agency [2]. The SIMON2/ family of lightweight block ciphers have classical Feistel structures with 2-bit block size and -bit key, where  is the word size. SIMON has been extensively scrutinized. As an ultralightweight primitive, SIMON is a very good target for integral cryptanalysis. In integral cryptanalysis, Wang et al. [21] experimentally found an integral distinguisher for 14 rounds of SIMON32 and mounted a key-recovery attack on 21-round SIMON32. At EUROCRYPT 2015, Todo proposed the division property [17], which is a generalized integral property. This new technique enables cryptographers to propagate the integral property in a more precise manner. As a result, an 11-round integral distinguisher of SIMON48 was found. Subsequently, using the bit-based division property, Todo and Morii proved the 14-round distinguisher of SIMON32 theoretically in [18]. However, searching integral characteristics by the bit-based division property requires much time and memory. To overcome this problem, Xiang et al. [23] proposed a state partition to achieve a trade-off between the accuracy of the integral distinguisher and the time-memory complexity. Accordingly, Todo's result was improved by one round for SIMON48. Afterwards, the MILP method was applied by Xiang et al. [22] to find integral characteristics of some lightweight block ciphers, including a 15-round integral distinguisher for SIMON48. At ACNS 2016, some integral distinguishers of SIMON-like ciphers were constructed by Kondo et al. [10]. However, the block size considered is only 32 bits. Later in [7], with the equivalent-subkey technique, Fu et al. presented integral attacks on 22-round SIMON32, 22-round SIMON48/72, and 23-round SIMON48/96. Good results [6,13,20] were achieved in differential and linear cryptanalysis as well. The cryptanalytic results that attack the most rounds of SIMON were obtained in [6], and these results were achieved by linear hull cryptanalysis. The most efficient differential and linear attacks on SIMON were presented with the help of dynamic key-guessing techniques.
With regard to dynamic key-guessing techniques, they were initially proposed to improve the differential attacks on SIMON [20]. The techniques, which exploit the property of the AND operation, help reduce the average number of guessed key bits significantly in differential cryptanalysis. Then they were applied to linear hull attacks on SIMON [6]. In both [6,20], with the techniques above, the adversaries are able to extend previous differential (resp., linear hull) results on SIMON by 2 to 4 more rounds, using existing differential (resp., linear hull) distinguishers. Subsequently, Qiao et al. [13] released a tool which provides the differential security evaluation of SIMON given differential distinguishers of high probability. Moreover, with newly proposed differentials [9], Qiao et al. improved differential attacks against SIMON using the techniques. Also in the differential and linear cryptanalysis of Simeck [26], good results [13,27] have been obtained by using dynamic key-guessing techniques. Up to now, the dynamic key-guessing techniques have only been combined with linear and differential cryptanalysis methods. There has been no attempt to combine the dynamic key-guessing techniques with integral attacks so far.
Besides the above results under the single-key model, the security of SIMON has also been evaluated under the related-key [11] and known-key [8] models. In the related-key setting, Kondo et al. [11] constructed a 15-round related-key impossible differential distinguisher of SIMON32.
Our Contributions. In this paper, we first apply dynamic key-guessing techniques to integral attacks. In our improved integral cryptanalysis, we extend dynamic key-guessing techniques to compute the sum, which is in the form of where  is a nonlinear Boolean function and [] are counters for . The dynamic key-guessing techniques improve the time complexity of the computation significantly. Consider the following example. Suppose (, ) = 1 ⊕  1 ( 1 ,  1 )& 2 ( 2 ,  2 ), where  =  1 ‖  2 ,  =  1 ‖  2 , and  1 and  2 are two Boolean functions. We guess  1 first; then we split  =  1 ‖  2 into two sets. We continue to compute the sum for each set. For set  1 , there is no need to guess  2 , since (, ) = 1 when  ∈  1 . Finally, we sum them up.
Using the dynamic key-guessing techniques, we present improved integral attacks on SIMON32 and SIMON48 in the single-key model. We present integral attacks on 24-round SIMON32, 24-round SIMON48/72, and 25-round SIMON48/96. In terms of the number of attacked rounds, our attack on SIMON32 is better than any previously known attacks, and our attacks on SIMON48 are the same as the best attacks. In order to verify the correctness of our approach, we implement the summation procedure of the integral attack on 22-round SIMON32. A summary of our results is given in Table 1.
Outline. This paper is structured as follows. Section 2 briefly describes the specification of SIMON and some integral distinguishers. In Section 3, we discuss the time reduction in integral cryptanalysis of bit-oriented block ciphers. In Section 4, we present improved integral attacks on SIMON32 and SIMON48. In Section 4.1, we give the experimental result. Finally, Section 5 draws conclusions.

Note to Table 1. This table summarizes our results along with some previous major results for SIMON32 and SIMON48 in the single-key setting; E: encryption; A: addition; TWO: two rounds of encryption or decryption; ONE: one round of encryption or decryption.

Preliminaries

‖  +1  be the output of round . The subkey used in round  is denoted by   . The th round is as follows (also see Figure 1):

where the internal nonlinear function  is defined as

The key schedules differ depending on the key size. Please refer to [2] for more details.

Integral Distinguishers of SIMON32 and SIMON48.
Attackers prepare a set of texts where some bits (constant bits) are fixed to the same values and the other bits (active bits) range over all possible values. If some bits (balanced bits) in the encrypted texts sum to zero after  rounds of encryption, the cipher has an -round integral distinguisher. Wang et al. [21] found a 14-round integral distinguisher of SIMON32 experimentally. Later, Todo and Morii [18] proved the correctness of this distinguisher using the division property. Also, Fu et al. [7] revealed this distinguisher from the viewpoint of the degree of the Boolean function. Integral characteristics of SIMON32 and SIMON48 were found in [7,18,21,22], and we apply them in our attacks. The constant bit, active bit, balanced bit, and unknown bit are labeled as c, a, b, and ?, respectively. The integral characteristics used in this paper are as follows.

Time Reduction in Integral Attacks on Bit-Oriented Block Ciphers
Suppose the input of the integral distinguisher is from the set After -round encryption, some bits of the output  + are balanced. For simplicity, let the first bit of the right part, that is,  + ,0 , be balanced. We add  rounds before the distinguisher and append  rounds after it. Let the Boolean expressions of   ,0 and  + ,0 be functions represented as    (  ,   ) and    (  ,   ), where   ,   ,   , and   are effective bit strings derived from the plaintext, the ciphertext, and the involved subkeys.
We briefly outline the idea of our integral attacks on  +  +  rounds of ciphers. Given the entire codebook, we guess some subkey bits and carry out the first  rounds' encryption. Then we choose a set of states that form the input space   . For the corresponding ciphertexts, we guess the related subkey bits and decrypt the last  rounds to check whether the target bit  + ,0 is balanced. In general, the time complexity of the integral attack is roughly O(2  ⋅), where  is the number of guessed subkey bits and  denotes the number of plaintext-ciphertext pairs. But we can optimize it with dynamic key-guessing techniques.

Find Collections of Ciphertexts.
Let [  ,   ] denote the counters into which we store the frequency of (  ,   ). For each guessed   , we traverse the whole plaintext space and make partial encryptions. If    (  ,   ) = , we store the corresponding ciphertext.
We compute the sum for each set; then we sum them up. Therefore, using dynamic key-guessing techniques, the improved time complexity becomes ). Again, we provide a toy example that illustrates the idea behind the improvement. Let  ∈ F 3  2 ,  ∈ F 3 2 , and Next, we create four counters  0,0 ,  0,1 ,  1,0 , and  1,1 and assign some values to them: and

Integral Attacks on SIMON32 and SIMON48
4.1. Integral Attack on 22-Round SIMON32. We start with a key-recovery attack over four rounds of partial encryption and four rounds of partial decryption, exploiting the 14-round integral characteristic. Any of the balanced bits can be taken as the target bit. Here, we pick  +14 ,0 . In the attack, we compress each plaintext-ciphertext pair into counters. Then we apply the approach given above to the reduced SIMON32.
The Boolean expression of the constant bit   ,15 has the same general form as that of the balanced bit  +14 ,0 . The general form is shown in (6). The specific information on each bit is listed in Tables 3 and 4. In the tables,  −4 and  +18 , respectively, denote the plaintext and the ciphertext.

f(x, k) = x
During the computation of [   ,    ], we first guess    ; then we guess    . Since there is no difference between the first and the second halves of the computation, in the following we mainly discuss the first half, that is, the computation of To describe our procedure conveniently, we simplify our modeling. We give a brief description of the modeling. We aim to compute another counter    (  ), which is defined as ∑    (,   ) ⋅  [𝑥], where  =  0 ‖   and (, ) =  0 ⊕   (,   ). Our approach is as follows.
(1) The next guesses,  5,6 and  13,14 , are constrained by the simplified Boolean function  111 . The corresponding texts are split into four sets. The Boolean functions simplified even further are shown in Table 6.
(c) For each  1 ,  3 ,  7 , we sum the eight temporary variables up. The summation yields a time complexity of 2^13 × 7 addition operations.
Thus, for each   , the time complexity of computing [   ,   ] is approximately 2^19.87 additions. The details are given in Table 7.  1 denotes the time complexity of creating new counters according to the guessed key bits.  2 denotes the time complexity of computing the sum for each set.  3 denotes the time complexity of summing them up.
Let us review the procedure proc simon 32 bit cond used to compute [   ,    ] and the key-recovery attack on 22-round SIMON32. The procedure is as follows.
(1) For each of 2^15   We briefly explain why there is no need to guess  −5 7 . Let the first bit of   (resp.,   ) be  ,0 (resp.,  ,0 ). In our attack, . The elements of it can be computed on-the-fly. As soon as a value of [   ,    ] is computed, the bit condition is checked. If the condition is satisfied, then we exhaustively search for the remaining 6-bit key.

Improved Integral Attacks on SIMON48.
We can improve the integral attacks on SIMON48/72 and SIMON48/96 using dynamic key-guessing techniques. Since the attack procedures for them are similar, we present these integral attacks in Appendix B. The results are summarized in Table 1.

Conclusion
In this paper, dynamic key-guessing techniques are first introduced in integral cryptanalysis, and we extend dynamic key-guessing techniques to fit our needs. Dynamic key-guessing techniques significantly improve the complexity of calculating ∑  (, ) ⋅  [𝑥]. Using dynamic key-guessing techniques, we can attack two more rounds than previously known integral attacks on SIMON32 and SIMON48.
Table 9: Time complexity of the calculation  3 .
(3) Check the bit condition. If the condition is satisfied, use the key schedule to recover 36 bits of the master key; then exhaustively search for the remaining key bits. Otherwise, discard the 36-bit subkey guess.
In the key-recovery attack (procedure proc attack simon 48), all plaintext-ciphertext pairs are compressed into counters. Thus, the memory complexity of our attack is determined only by the size of the counters used in the attack. This corresponds to a memory requirement of about 2^33 bytes. Note that there is no need to store [   ,    ], since we can compute the elements of [   ,    ] on-the-fly, similar to the integral attack on 24-round SIMON32.

Table 1 :
Summary of some related results for SIMON32 and SIMON48.
Thus, we generate new counters [  ,   ], which are defined as ∑   ,   (  ,  )= [  ,   ]. Furthermore, if    is linear in some bit of   , say  ,0 , we let    (  ,   ) =  ,0 ⊕     (  ,    ), where   =  ,0 ‖    . We now assign  the value  ,0 ⊕ 1. Accordingly, [   ,   ] = ∑   ,    (  ,   )=1 [  ,   ], which means that the condition    Boolean function of  and , and [] denotes the number of . Let  be a  1 -bit value and  be a  2 -bit value. In a naive way, it needs O(2  1 + 2 ) calculations of  to get the counters []. Using dynamic key-guessing techniques, the calculation can be done with improved time complexity. The basic idea is as follows. Let  =   ‖   ‖   ‖   , where   ,   ,   , and   are   2 ,   2 ,   2 , and   2 bits. After guessing   , the set of  can be split into two sets   and   with   and   elements, respectively. For values in   ,  is independent of   . Similarly, for values in   ,  is independent of   . Thus, (  ,    ) = 1 can be transformed into a coefficient. Therefore, it is sufficient to calculate [   ,   ] = ∑      (  ,    ) ⋅ [  ,   ].

3.2. Compute ∑  (, ) ⋅ [] with Dynamic Key-Guessing Techniques. As described above, the modeling to find the collections of ciphertexts can be converted into the task of computing another counter [], which is defined as [] = ∑   (, ) ⋅  [], (4) where  is a 1, 0 ⊕ 2 ⊕1 . Thus, the calculation of [] essentially requires 2 × (2 + 2 + 2^2) = 2^4 additions, while it takes 2^6 operations in a straightforward method. See Appendix A for more information on the time complexity of the calculation of ∑  (, ) ⋅ [].

3.3. Compute the XOR Sum of the Recovered Bit. Assume now that we have obtained the new counters [   ,   ]. For a fixed    , we guess   and partially decrypt each effective bit string   to get the value of the target bit, that is,    (  ,   ). Then, we check whether the XOR sum of the recovered bit is zero. Note that the XOR sum amounts to the parity of ∑      (  ,   ) ⋅ [   ,   ]. For simplicity, let    (  ,   ) be  ,0 ⊕     (  ,    ), where  ,0 is the first bit of   and   =  ,0 ‖    . We can omit  ,0 since it does not affect the XOR sum. Hence, the XOR sum essentially equals the parity of the new counters [   ,    ], which are defined as ∑ (  ,    ) ⋅ [   ,   ]. Dynamic key-guessing techniques can also be applied in the last  rounds to improve the time complexity.
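The following Python example is added here to make the computation of Section 3.2 (and the toy example of Section 3.1) concrete; it is not code from the paper. It uses the form f(x, k) = x_0 ⊕ f_1(x_1, k_1) & f_2(x_2, k_2) from the introduction. The concrete f_1 and f_2, the bit layout (x_0 one bit, x_1 two bits, x_2 three bits; k_1 two bits, k_2 three bits) and the counter values V[x] are constructed for the example. The linear bit x_0 is folded into signed counters D[x'] = V[0‖x'] − V[1‖x'] plus a constant, which is the integer-sum counterpart of omitting x_0 in Section 3.3; then k_1 is guessed, x' is split by f_1, the set with f_1 = 0 contributes nothing and needs no guess of k_2, and k_2 is guessed only over the counters aggregated from the remaining set. Both the naive loop and the dynamic procedure return their operation counts so the saving can be compared.

```python
"""Dynamic key-guessing for W[k] = sum_x f(x, k) * V[x]; constructed example."""
import random

# Constructed bit layout: x = x0 || x1 || x2 with 1, N1 and N2 bits,
# k = k1 || k2 with N1 and N2 bits. x2 and k2 sit in the low bits.
N1, N2 = 2, 3
X_BITS, K_BITS = 1 + N1 + N2, N1 + N2
XP = 1 << (N1 + N2)          # number of x' = x1 || x2 values


def f1(x1, k1):
    """Constructed nonlinear part on (x1, k1): both bits of x1 ^ k1 set."""
    z = x1 ^ k1
    return (z & 1) & (z >> 1)


def f2(x2, k2):
    """Constructed nonlinear part on (x2, k2): z0 xor (z1 and z2), z = x2 ^ k2."""
    z = x2 ^ k2
    return (z & 1) ^ ((z >> 1) & (z >> 2) & 1)


def f(x, k):
    """f(x, k) = x0 xor (f1(x1, k1) and f2(x2, k2)), the form from the introduction."""
    x0, x1, x2 = x >> (N1 + N2), (x >> N2) & ((1 << N1) - 1), x & ((1 << N2) - 1)
    k1, k2 = k >> N2, k & ((1 << N2) - 1)
    return x0 ^ (f1(x1, k1) & f2(x2, k2))


def naive_sum(V):
    """Straightforward method: evaluate f for every (k, x) pair."""
    ops = 0
    W = []
    for k in range(1 << K_BITS):
        acc = 0
        for x in range(1 << X_BITS):
            acc += f(x, k) * V[x]
            ops += 1
        W.append(acc)
    return W, ops


def dynamic_sum(V):
    """Dynamic key-guessing: fold x0, guess k1, split x' by f1, guess k2 only where f1 == 1."""
    ops = 0
    # x0 ^ g = x0 + g * (1 - 2*x0), so sum_x (x0 ^ g) V[x] = C + sum_{x'} g(x') D[x'].
    C = sum(V[XP + xp] for xp in range(XP))
    D = [V[xp] - V[XP + xp] for xp in range(XP)]
    ops += 2 * XP
    # f2 depends only on (x2, k2): tabulate it once instead of once per k1.
    F2 = [[f2(x2, k2) for x2 in range(1 << N2)] for k2 in range(1 << N2)]
    ops += 1 << (2 * N2)
    W = [0] * (1 << K_BITS)
    for k1 in range(1 << N1):
        # Split x' by f1(x1, k1). The set with f1 == 0 contributes nothing and is
        # never touched again; the set with f1 == 1 is aggregated over x1 into T[x2].
        T = [0] * (1 << N2)
        for x1 in range(1 << N1):
            ops += 1
            if f1(x1, k1):
                for x2 in range(1 << N2):
                    T[x2] += D[(x1 << N2) | x2]
                    ops += 1
        # Only now guess k2, and only over the aggregated counters T.
        for k2 in range(1 << N2):
            acc = C
            for x2 in range(1 << N2):
                if F2[k2][x2]:
                    acc += T[x2]
                    ops += 1
            W[(k1 << N2) | k2] = acc
    return W, ops


def demo(seed=7):
    """Constructed counters V[x]; returns both results and both operation counts."""
    rng = random.Random(seed)
    V = [rng.randrange(100) for _ in range(1 << X_BITS)]
    W_naive, ops_naive = naive_sum(V)
    W_dyn, ops_dyn = dynamic_sum(V)
    return W_naive, W_dyn, ops_naive, ops_dyn


if __name__ == "__main__":
    Wn, Wd, on, od = demo()
    print("results agree:", Wn == Wd, "naive ops:", on, "dynamic ops:", od)
```

With these sizes the naive loop performs 2^5 × 2^6 = 2048 evaluations, while the dynamic procedure needs 304 operations, because for each guess of k_1 only one value of x_1 satisfies f_1 = 1 and the eight guesses of k_2 are then applied to eight aggregated counters rather than to all of x'.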

Table 3 :
Each effective bit of the Boolean expression of   ,15 .

Table 4 :
Each effective bit of the Boolean expression of  +14 ,0 .

Table 6 :
Variants of the Boolean function  111 .
, we compute [   ,   ]. (2) For each of 2^16    , we compute [   ,    ]. The time complexity of the procedure proc simon 32 bit cond is 2^15 × 2^19.87 + 2^16 × 2^19.87 = 2^36.45 additions. The attack works as follows. (1) Compress the whole set of plaintext-ciphertext pairs into 2^30 counters [  ,   ]. Check the parity of [   ,    ]. If the parity is odd, discard the 32-bit subkey guess. Otherwise, use the key schedule to recover 32 bits of the master key and then exhaustively search for the remaining 32 key bits. Note that there is one AND operation and three XOR operations in one round of SIMON. In our analysis, we approximate them as four XOR operations. The time complexity of step 1 is 2^32 compressions, which is equivalent to about 2^32 × (104/(4 × 16 × 22)) = 2^28.24 encryptions. Since we only care about the parity of [   ,    ], all counters can be taken modulo 2. The addition is then the bitwise XOR operation in the calculation of [   ,    ]. Thus, the time complexity of step 2 is equivalent to about 2^36.45 × (1/(4 × 16 × 22)) = 2^26 encryptions. The time complexity of step 3 is 2^63 encryptions. Hence, the proposed attack on 22-round SIMON32 requires 2^32 known plaintexts and has a total time complexity equivalent to about 2^63 encryptions.
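To make the round function of Section 2, the definition of an integral distinguisher, and the counter-compression and parity check of the 22-round attack concrete at toy scale, here is an added Python example; it is not code from the paper. It implements the SIMON32 round (x, y) → (y ⊕ F(x) ⊕ k, x) with F(x) = (S^1 x & S^8 x) ⊕ S^2 x, uses independently chosen round keys instead of the real key schedule, and runs a 5-round toy attack: the first 3 rounds are the distinguisher (12 active bits in the left word, so every output bit has algebraic degree at most 8 < 12 in the active bits and is balanced), the last 2 rounds are appended, and the target bit y_{3,0} expressed through the ciphertext has exactly the form x_0 ⊕ f_1(x_1, k_1) & f_2(x_2, k_2) from the introduction with k_1 = k_{4,15} and k_2 = k_{4,8}, while k_{3,0} and k_{4,14} enter linearly and are omitted as in Section 3.3. All texts of a structure are compressed into four parity counters, k_{4,15} is guessed first, and only the set in which the AND can be 1 needs the guess of k_{4,8}. The structure size, the number of structures, the round keys and the seed are constructed choices.

```python
"""Toy integral attack on 5-round SIMON32; constructed example, not the paper's code."""
import random

WORD = 16
MASK = (1 << WORD) - 1
ACTIVE = 12                      # constructed: low 12 bits of the left word are active


def rotl(w, r):
    return ((w << r) | (w >> (WORD - r))) & MASK


def F(x):
    """SIMON nonlinear function F(x) = (S^1 x & S^8 x) xor S^2 x."""
    return (rotl(x, 1) & rotl(x, 8)) ^ rotl(x, 2)


def encrypt(x, y, round_keys):
    """SIMON rounds (x, y) -> (y ^ F(x) ^ k, x); round keys are independent words here."""
    for k in round_keys:
        x, y = y ^ F(x) ^ k, x
    return x, y


def bit(w, j):
    return (w >> j) & 1


def structure(y0, hi):
    """2^ACTIVE plaintexts: right word and the high bits of the left word constant."""
    return [((hi << ACTIVE) | a, y0) for a in range(1 << ACTIVE)]


def balanced_mask(rounds, round_keys, y0, hi):
    """XOR-sum the state after `rounds` rounds over a structure; returns a 32-bit mask
    whose set bits mark balanced positions (left word in the high 16 bits)."""
    sx = sy = 0
    for x, y in structure(y0, hi):
        x, y = encrypt(x, y, round_keys[:rounds])
        sx ^= x
        sy ^= y
    return ~((sx << WORD) | sy) & 0xFFFFFFFF


def compress(ciphertexts):
    """Compress a structure into the counters the target bit y_{3,0} needs.
    With u = x5 ^ F(y5) (so y4 = u ^ k4):
      y_{3,0} = y5_0 ^ u_14 ^ k4_14 ^ k3_0 ^ ((u_15 ^ k4_15) & (u_8 ^ k4_8)).
    The linear key bits cancel in an XOR over an even-sized structure, so only
    L (parity of the key-free part) and N[u_15][u_8] (parities of the texts
    split by the two effective bits feeding the AND) are kept."""
    L = 0
    N = [[0, 0], [0, 0]]
    for x5, y5 in ciphertexts:
        u = x5 ^ F(y5)
        L ^= bit(y5, 0) ^ bit(u, 14)
        N[bit(u, 15)][bit(u, 8)] ^= 1
    return L, N


def surviving_guesses(L, N):
    """Dynamic key-guessing over (k4_15, k4_8): guess k4_15 first; texts with
    u_15 ^ k4_15 == 0 make the AND vanish and need no guess of k4_8."""
    ok = []
    for k15 in range(2):
        live = N[k15 ^ 1]            # the only set that still depends on k4_8
        for k8 in range(2):
            and_parity = live[k8 ^ 1]
            if L ^ and_parity == 0:  # XOR sum of the recovered bit is zero
                ok.append((k15, k8))
    return ok


def recover(round_keys, structures):
    """Intersect survivors over several structures with different constants."""
    cands = {(a, b) for a in range(2) for b in range(2)}
    for y0, hi in structures:
        cts = [encrypt(x, y, round_keys) for x, y in structure(y0, hi)]
        cands &= set(surviving_guesses(*compress(cts)))
    return cands


def demo(seed=1):
    """Constructed keys and constants; returns the true bits, the survivors and the
    3-round balanced mask."""
    rng = random.Random(seed)
    round_keys = [rng.getrandbits(WORD) for _ in range(5)]   # 3 distinguisher + 2 appended
    structures = [(rng.getrandbits(WORD), rng.getrandbits(WORD - ACTIVE)) for _ in range(4)]
    true_bits = (bit(round_keys[4], 15), bit(round_keys[4], 8))
    return true_bits, recover(round_keys, structures), balanced_mask(3, round_keys, *structures[0])


if __name__ == "__main__":
    true_bits, cands, mask = demo()
    print("3-round balanced mask: %08x" % mask)
    print("true (k4_15, k4_8):", true_bits, "survivors:", sorted(cands))
```

The correct pair (k_{4,15}, k_{4,8}) passes the parity check of every structure, while a wrong pair passes a single structure with probability about 1/2, so several structures are intersected; the counters are kept modulo 2 throughout, exactly as the 22-round attack does when it only needs the parity.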

Table 7 :
Time complexity of calculating [   ,   ] with a fixed   .

Guess  1 ⊕  1 ,  3 ⊕  3 ,  7 ⊕  7 ,15 can be obtained after guessing the 13-bit subkey   . Consequently, we still have    (  ,    ) = 1. The 23-round attack has a data complexity of 2^32 known plaintexts and a time complexity of about 2^63 encryptions.

4.3. Integral Attack on 24-Round SIMON32. The 22-round attack can be extended by one round in the forward and one round in the backward direction in a straightforward way. The improved attack proceeds as follows. Guess the 26-bit subkey   ‖   , where   =  +18 the same as in the case mentioned above. In this attack, the dominant part of the time complexity is still the exhaustive search of half of the key space. The total time complexity of our attack is about 2^63 encryptions. The number of required known plaintexts is 2^32. The success probability of our attack is 100%. The total memory complexity of our attack is determined by the size of the entire SIMON32 codebook, [  ,   ], and [   ,   ]. This corresponds to a memory requirement of about 2^33.64 bytes. Note that we can only store ( +19