Family Of Lightweight Block Ciphers Research Articles

Differential-Linear Cryptanalsis on SIMECK32/64 and SIMON32/64

In this paper, we give differential-linear cryptanalysis of SIMON, which is a family of lightweight block ciphers published by the National Security Agency, and SIMECK, which is a family of lightweight block ciphers proposed by Yang et al. Firstly, all input difference and output masks with one active bit are traversed to obtain a 9-round SIMON32/64 differential-linear distinguisher and a 10-round SIMECK32/64 differential-linear distinguisher. Then, a 12-round SIMON32/64 differential-linear distinguisher with bias 2−12.69 and a 13-round SIMECK32/64 differential-linear distinguisher with bias 2−14.03 can be obtained by searching one round of differential characteristics forward and two rounds of linear approximations backward. The dynamic key guessing technique proposed by Wang et al. has excellent advantages in the SIMON-like cipher key recovery process. Therefore, we have applied it to differential-linear cryptanalysis. Then, the 12-round SIMON32/64 differential-linear distinguisher is extended forward by four rounds and backward by four rounds to attack the 20-round SIMON32/64 with time complexity 255.68 and data complexity 228. And the 13-round SIMECk32/64 differential-linear distinguisher is extended forward by four rounds and backward by four rounds to attack the 21-round SIMECK32/64 with time complexity 250.67 and data complexity 230. These are the best differential-linear cryptanalysis results for SIMON32/64 and SIMECK32/64 in the open literature.

Linear Cryptanalysis of Reduced-Round Simeck Using Super Rounds

The Simeck family of lightweight block ciphers was proposed by Yang et al. in 2015, which combines the design features of the NSA-designed block ciphers Simon and Speck. Previously, we proposed the use of linear cryptanalysis using super-rounds to increase the efficiency of implementing Matsui’s second algorithm and achieved good results on all variants of Simon. The improved linear attacks result from the observation that, after four rounds of encryption, one bit of the left half of the state of the cipher depends on only 17 key bits (19 key bits for the larger variants of the cipher). We were able to follow a similar approach, in all variants of Simeck, with an improvement in Simeck 32 and Simeck 48 by relaxing the previous constraint of a single active bit, using multiple active bits instead. In this paper we present improved linear attacks against all variants of Simeck: attacks on 19-rounds of Simeck 32/64, 28-rounds of Simeck 48/96, and 34-rounds of Simeck 64/128, often with the direct recovery of the full master key without repeating the attack over multiple rounds. We also verified the results of linear cryptanalysis on 8, 10, and 12 rounds for Simeck 32/64.

Automatic Demirci–Selçuk Meet-In-The-Middle Attack On SIMON

Abstract Demirci–Selçuk meet-in-the-middle (DS-MITM) attack is an effective method for cryptanalysis. As far as we know, the published automatic results of DS-MITM attack are all for byte-oriented ciphers. In this article, we first propose the automatic analysis method of DS-MITM attack for bit-oriented ciphers based on constraint programming, which is integrated with key-bridging technique. Based on the automatic modeling method, we propose the first result of DS-MITM attack on SIMON, which is a family of lightweight block ciphers proposed by the National Security Agency (NSA) in 2013.

The differential fault analysis on block cipher KLEIN-96

KLEIN is a new family of lightweight block ciphers designed for resource-constrained devices. Compared to other schemes, it also has great advantages in both software and hardware performances. In recent works, many researchers have studied its security against differential fault analysis (DFA). Note that all the works only focused on the scheme KLEIN-64, which only has 64 bits key length. In fact, the 64-bit's security is obviously not enough for the current ciphers. In this paper, we investigate the differential fault attack on the key schedule of KLEIN-96, which has 96 bits key length. More specifically, by deeply developing the inner-relationship of input-output differentials for its S-box, we reduce the complexity of exhaustive searching from the original 296 to an acceptable boundary by injecting a certain number of byte-faults. Finally, we also demonstrate the efficiency of our proposed attack by simulations, which show that our method has great advantages over other cryptanalysis on KLEIN cipher.

An efficient differential fault attack against SIMON key schedule

SIMON, a family of lightweight block ciphers, has received much attention from the cryptology community due to its improved performance for hardware compared with that of other ciphers. A popular physical attack method, differential fault attack (DFA), works for SIMON. With the aim of improving the efficiency of attacks applied to the SIMON family, in this work, an efficient DFA against SIMON key schedule is presented under a random bit fault model. First, we analyze in detail how to identify the fault induction position. Then, on the basis of the position, we show in detail how to recover 4 bits, 7.5 bits, and 2 bits of KT-1 (the (T-1)th round key), KT-2 (the (T-2)th round key) and KT-3 (the (T-3)th round key), respectively, by inducing a one-bit fault on average in KT-5 (the (T-5)th round key). As a result, by inducing one round of faults, our attack can recover three rounds of keys. Compared with previously developed DFAs on SIMON under the random bit fault model, to recover the full keys of the SIMON family, our attack requires the fewest fault inductions and locations of the induced fault. Moreover, when the value of key words m is 2 or 3, our attack can reduce the number of required rounds of fault induction to one. Finally, simulation experiments and comparisons are carried out to demonstrate the correctness and effectiveness of our attack.

Robustness Test of SIMON-32, SPECK-32, and SIMECK-32 Algorithms Using Fixed-Point Attacks

SIMON-32 and SPECK-32 are a family of lightweight block ciphers publicly released by the National Security Agency (NSA) in June 2013. Meanwhile, SIMECK-32 is a lightweight block cipher based on the combination of good design components from SIMON- 32 and SPECK-32 block ciphers. In this paper, we tested the robustness of the SIMON-32, SPECK-32, and SIMECK-32 algorithms against fixed-point attacks. Block cipher fixed-points may facilitate fixed-point attacks if an adversary can control the block cipher key input. The results of fixed-point attacks on the SIMON-32, SPECK-32, and SIMECK-32 algorithms show that all three variants of the algorithm have fixed-points.

Fixslicing: A New GIFT Representation

The GIFT family of lightweight block ciphers, published at CHES 2017, offers excellent hardware performance figures and has been used, in full or in part, in several candidates of the ongoing NIST lightweight cryptography competition. However, implementation of GIFT in software seems complex and not efficient due to the bit permutation composing its linear layer (a feature shared with PRESENT cipher). In this article, we exhibit a new non-trivial representation of the GIFT family of block ciphers over several rounds. This new representation, that we call fixslicing, allows extremely efficient software bitsliced implementations of GIFT, using only a few rotations, surprisingly placing GIFT as a very efficient candidate on micro-controllers. Our constant time implementations show that, on ARM Cortex-M3, 128-bit data can be ciphered with only about 800 cycles for GIFT-64 and about 1300 cycles for GIFT-128 (assuming pre-computed round keys). In particular, this is much faster than the impressive PRESENT implementation published at CHES 2017 that requires 2116 cycles in the same setting, or the current best AES constant time implementation reported that requires 1617 cycles. This work impacts GIFT, but also improves software implementations of all other cryptographic primitives directly based on it or strongly related to it.

MILP-Based Differential Cryptanalysis on Round-Reduced Midori64

Mixed integer linear programming (MILP) model was presented by Sun et al. at Asiacrypt 2014 to search for differential characteristics of block ciphers. Based on this model, it is easy to assess block ciphers against differential attack. In this paper, the MILP model is improved to search for differential trails of Midori64 which is a family of lightweight block ciphers provided by Banik et al. at Asiacrypt 2015. We find the best 5-round differential characteristics of Midori64 with MILP-based model, and the probabilities are 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">-52</sup> and 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">-58</sup> respectively. Based on these distinguishers, we give key recovery attacks on the 11-round reduced Midori64 with data complexities of 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">55.6</sup> and 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">61.2</sup> , and time complexities of 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">109.35</sup> and 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">100.26</sup> .

Side channel analysis of SPECK

SPECK is a family of lightweight block ciphers developed by Beaulieu et al. of the US National Security Agency (NSA) for the Internet of Things (IoT). It is an ARX-based design with a Feistel-like structure which supports keys of size ranging from 64 bits to 256 bits. SPECK has been standardised by ISO/IEC for radio frequency identification (RFID) devices. It has drawn the attention of many cryptanalysts and several cryptanalysis results have been published. In this paper, carry flag attacks on the full SPECK ciphers are presented. Depending on the key size and block size, the complexities of our attacks, to nearly ensure success, vary from 2 59 time and 2 14 data to 2 227 time and 2 62 data.

Bright - Proposed Family of Lightweight Block Ciphers for IoT-Enabled Smart Environment

Lightweight security algorithms are tailored for resource-constrained environment. To improve the efficiency of an algorithm, usually, a tradeoff is involved in lightweight cryptography in terms of its memory requirements and speed. This paper proposes a software-oriented new family of lightweight block ciphers, BRIGHT. Proposed family of ciphers support a range of block and key sizes for constraint environment. BRIGHT family has 6 variants and all variants fulfill Strict Avalanche Criteria and key sensitivity test. It is believed that BRIGHT family of ciphers provides better security and performance in IoT-enabled smart environment. Our aim, while designing BRIGHT is to enhance the cipher for IoT applications. For this, we have used the concept of key whitening that helps to resist against attacks like MITM and brute-force. Round permutation in BRIGHT results in stronger and faster diffusion and provides resistance against linear, differential, impossible differential, related-key rectangle, biclique, MITM, and statistical saturation attack which is likely to be applied to GFN based ciphers. BRIGHT using round constant thwarts attacks like rotational cryptanalysis, self-similarity, invariant attack, related-key attacks, and weak key attacks.

Unbalanced biclique cryptanalysis of a full round Midori

Midori is a family of lightweight block ciphers presented by Banik et al . at Asiacrypt 2015. Biclique cryptanalysis is a typical key-recovery attack that is proposed to attack the full AES by Bogdanov et al . in ASIACRYPT 2011. The method can attack a great deal of ciphers utilising the main idea of MITM attack and the basic principle of the biclique structure. In this study, the authors first provide an unbalanced biclique attack on full round Midori with partial matching and precomputation. They demonstrate that full round Midori64/128 are not secure against unbalanced biclique attacks. They construct a five-round 4×8 unbalanced biclique on Midori64, with data complexity of 2 36 and time complexity of 2 126.25 by investigating the simple key schedule and the encryption structure. Furthermore, they present a four-round 8×16 unbalanced biclique on Midori128 with data complexity of 2 72 and computational complexity of 2 126.91 . To the best of authors' knowledge, the result is the best single-key cryptanalytic result of Midori.

Security analysis of SIMECK block cipher against related-key impossible differential

SIMECK is a family of lightweight block ciphers that relies on Feistel structure. Being proposed at CHES in 2015, the round function of SIMECK is slightly modified from SIMON. A cipher in this family with K-bit key and n-bit block is called SIMECKn/K, for n/K∈{32/64,48/96,64/128}. SIMECK has already received a number of third-party analyses. However, the security level on SIMECK against the related-key impossible differential has never been evaluated. In this paper, we consider related-key impossible differential distinguishers for the variants of SIMECK. We first propose some distinguishers on SIMECK using the miss-in-the-middle approach. More specifically, 15/16/19-round related-key impossible differential distinguishers on SIMECK32/48/64 are presented first while the best previously known results were 11/15/17-round on SIMECK32/48/64 in the single-key setting. Afterwards, thanks to MILP approach, we automatically prove that these characteristics are the best related-key impossible differentials of SIMECK when we limit the input and output differences to 1 active bit.

A Novel Differential Fault Analysis on the Key Schedule of SIMON Family

As a family of lightweight block ciphers, SIMON has attracted lots of research attention since its publication in 2013. Recent works show that SIMON is vulnerable to differential fault analysis (DFA) and existing DFAs on SIMON assume the location of induced faults are on the cipher states. In this paper, a novel DFA on SIMON is proposed where the key schedule is selected as the location of induced faults. Firstly, we assume a random one-bit fault is induced in the fourth round key KT−4 to the last. Then, by utilizing the key schedule propagation properties of SIMON, we determine the exact position of induced fault and demonstrate that the proposed DFA can retrieve 4 bits of the last round key KT−1 on average using one-bit fault. Till now this is the largest number of bits that can be cracked as compared to DFAs based on random bit fault model. Furthermore, by reusing the induced fault, we prove that 2 bits of the penultimate round key KT−2 could be retrieved. To the best of our knowledge, the proposed attack is the first one which extracts a key from SIMON based upon DFA on the key schedule. Finally, correctness and validity of our proposed attack is verified through detailed simulation and analysis.

Improved Integral Attack on Reduced-Round Simeck

Simeck, a family of lightweight block ciphers utilizing Simon-like structure, is widely used under resource constrained environment. So far, many cryptanalysis methods have been used to attack Simeck. In this paper, we give the new results of integral cryptanalysis on reduced-round Simeck. First, the exact algebraic degree of Simeck32 is given by parallel computing, and then the 13-round theoretical integral distinguisher is proposed to attack 20-round Simeck32(64). Besides, by using the equivalent-subkey and partial-sum technology, combined with the meet-in-the-middle strategy and subkey relationship, the 22-round Simeck32(64) integral attack is first proposed based on the 15-round integral distinguisher. Furthermore, based on 18-round and 21-round integral distinguishers, the new integral attacks on 26-round Simeck48(96) and 30-round Simeck64(128) are proposed, respectively. These new attacks greatly improve the results of the previous integral attacks for Simeck.

Cryptanalysis of Reduced-Round SPECK

SPECK, a family of lightweight block ciphers proposed by the National Security Agency (NSA), is widely used under resource constrained environment. There are many cryptanalytic results on SPECK concentrated on differential and linear attacks. However, the security evaluation against other popular cryptanalysis methods seems to lag behind. In this paper, we investigate both the security of SPECK against impossible differential, zero-correlation linear, and integral attacks as well as the design choice of NSA. First, we construct the satisfiability (SAT)-based model to automatically search impossible differentials and zero-correlation linear hulls and then obtain several integral distinguishers based on the links between the zero-correlation linear hull and integral distinguisher. Second, based on the new distinguishers, we propose the first zero-correlation attack on 11-round SPECK64 and integral attack on 11-round SPECK32, SPECK48, and SPECK64 by exploring the iterated expression of the modulo subtraction operation and utilizing the partial-sum technique. Finally, we study the design principle of the rotation parameters selection of SPECK32. We show that SPECK32 with parameters (8, 3) is better than SPECK32 with the original parameters (7, 2) with respect to security against impossible differential, zero-correlation linear and integral cryptanalysis.

Unbalanced Biclique Cryptanalysis of Full-Round GIFT

GIFT is a family of lightweight block ciphers presented at CHES 2017. Biclique cryptanalysis is proposed to attack the full AES by Bogdanov et al. in ASIACRYPT 2011. The attack can decrease computation complexity using the technology of meet-in-the-middle and reduce data complexity utilising the biclique structure. In this paper, we first provide an unbalanced biclique attack on full round GIFT. The master key has been recovered for the full round GIFT-64 by a 5-round $4\times 16$ unbalanced biclique with data complexity of 2 16 and time complexity of 2 122.95 . Furthermore, a 4-round $8\times 24$ unbalanced biclique is constructed on GIFT-128 to recover the master key with data complexity of 2 80 and computational complexity of 2 118.38 , respectively. The research results show GIFT algorithm has weak immunity to biclique cryptanalysis.

Differential-linear cryptanalysis of SIMON32/64

Simon is a family of lightweight block ciphers designed by the U.S National Security Agency in 2013. Simon 2n/k is a cipher in this family with k-bit key and 2n-bit block. So far, there have been several cryptanalytic results on this cipher by means of differential cryptanalysis, linear cryptanalysis and impossible differential cryptanalysis. In this paper, we improve the previous linear cryptanalysis by differential-linear cryptanalysis, which is based on the use of a differential-linear distinguisher constructed by concatenating a linear approximation with a differential. The number of attacks is not increased, but the time complexity of attacks on 18-round Simon32 is reduced from 232 to 219. In addition, we present a key recovery attack on 18 and 19 rounds of Simon32 based on differential-linear distinguisher.

Impossible differential attacks on the SKINNY family of block ciphers

SKINNY is a family of lightweight block ciphers proposed at CRYPTO 2016, which follows the TWEAKEY framework and takes a tweakey input. It is shown that SKINNY family not only has good hardware/software performances, but also provides strong security guarantees against differential/linear cryptanalysis. In this study, the authors study the security of SKINNY against the impossible differential attack. First, they get some properties of the subkeys of SKINNY by analysing its key schedule. Then, combining with the early-abort technique and the greedy strategy, they present impossible differential attacks on SKINNY based on an 11-round impossible differential. Let SKINNY-n -k be the SKINNY cipher with n -bit block size and k -bit tweakey size. On the basis of their method, 17-round SKINNY-64-64 (resp. SKINNY-128-128) can be broken in (resp. ) 17-round encryptions, 19-round SKINNY-64-128 (resp. SKINNY-128-256) can be broken in (resp. ) 19-round encryptions and 21-round SKINNY-64-192 (resp. SKINNY-128-384) can be broken in (resp. ) 21-round encryptions. To the best of their knowledge, these results are currently the best results with respect to the attacked rounds.

New integral attacks on SIMON

SIMON is a family of lightweight block ciphers publicly released by National Security Agency (NSA). Up to now, there have been many cryptanalytic results on it by means of impossible differential, integral, zero-correlation linear cryptanalysis and so forth. In this study, the authors analyse the characteristic of the Boolean functions of SIMON32 and find that the presentation of zero-sum property is influenced by the degree of the corresponding Boolean function. As a result, the zero-sum integral distinguisher for 14-round SIMON32 is identified which is same to the one given by Wang et.al. Inspired by this finding, they also experimentally find the zero-sum integral distinguisher for 16-round SIMON48. Then, the integral attacks on 22-round SIMON32, 22-round SIMON48/72 and 23-round SIMON48/96 are given. They improve the previous integral attack on SIMON32 from 21-round to 22-round, and the first integral attack on SIMON48 is proposed.

An Improved Truncated Differential Cryptanalysis of Klein

Abstract KLEIN is a family of lightweight block ciphers which was proposed at RFIDSec 2011 by Gong et. al. It has three versions with 64, 80 or 96-bit key size, all with a 64-bit state size. It uses 16 identical 4-bit S-boxes combined with two AES’s MixColumn transformations for each round. This approach allows compact implementations of KLEIN in both low-end software and hardware. Such an unconventional combination attracts the attention of cryptanalysts, and several security analyses have been published. The most successful one was presented at FSE 2014 which was a truncated differential attack. They could attack up to 12, 13 and 14 rounds out of total number of 12, 16 and 20 rounds for KLEIN-64, -80 and -96, respectively. In this paper, we present improved attacks on three versions of KLEIN block cipher, which recover the full secret key with better time and data complexities for the previously analyzed number of rounds. The improvements also enable us to attack up to 14 and 15 rounds for KLEIN-80 and -96, respectively, which are the highest rounds ever analyzed. Our improvements are twofold: the first, finding two new truncated differential paths with probabilities better than that of the previous ones, and the second, a slight modification in the key recovery method which makes it faster.