Improved Rotational-XOR Cryptanalysis of Simon-like Block Ciphers

Jinyu Lu, Yunwen Liu (Corresponding author), Tomer Ashur, Bing Sun, Chao Li

Research output: Contribution to journalArticleAcademicpeer-review

7 Citations (Scopus)
78 Downloads (Pure)

Abstract

Rotational-XOR (RX) cryptanalysis is a cryptanalytic method aimed at finding distinguishable statistical properties in ARX-C ciphers, i.e., ciphers that can be described only by using modular addition, cyclic rotation, XOR, and the injection of constants. In this paper we extend RX-cryptanalysis to AND-RX ciphers, a similar design paradigm where the modular addition is replaced by vectorial bitwise AND; such ciphers include the block cipher families Simon and Simeck. We analyze the propagation of RX-differences through AND-RX rounds and develop a closed form formula for their expected probability. Inspired by the MILP verification model proposed by Sadeghi et al., we develop a SAT/SMT model for searching compatible RX-characteristics in Simon-like ciphers, i.e., that there are at least one right pair of messages/keys to satisfy the RK-characteristics. To the best of our knowledge, this is the first model that takes the RX-difference transitions and value transitions simultaneously into account in Simon-like ciphers. Meanwhile, we investigate how the choice of the round constants affects the resistance of Simon-like ciphers against RX-cryptanalysis. Finally, we show how to use an RX-distinguisher for a key recovery attack. Evaluating our model we find compatible RX-characteristics of up to 20, 27, and 34 rounds with respective probabilities of 2-26, 2-44, and $2-56 for versions of Simeck with block sizes of 32, 48, and 64 bits, respectively, for large classes of weak keys in the related-key model. In most cases, these are the longest published distinguishers for the respective variants of Simeck. In the case of Simon, we present compatible RX-characteristics for round-reduced versions of all ten instances. We observe that for equal block and key sizes, the RX-distinguishers cover fewer rounds in Simon than in Simeck. Concluding the paper, we present a key recovery attack on Simeck64 reduced to 28 rounds using a 23-round RX-characteristic.
Original languageEnglish
Pages (from-to)282-300
Number of pages19
JournalIET Information Security
Volume16
Issue number4
DOIs
Publication statusPublished - Jul 2022

Keywords

  • ARX
  • Simeck
  • Simon
  • rotational-XOR cryptanalysis
  • round constants

Fingerprint

Dive into the research topics of 'Improved Rotational-XOR Cryptanalysis of Simon-like Block Ciphers'. Together they form a unique fingerprint.

Cite this