a brief comparison of simon and simeck
play

A Brief Comparison of Simon and Simeck Stefan Klbl 1 The Simeck - PowerPoint PPT Presentation

May 04, 2023 •322 likes •617 views

Arnab Roy 1 September 21, 2016 1 DTU Compute, Technical University of Denmark, Denmark A Brief Comparison of Simon and Simeck Stefan Klbl 1 The Simeck block cipher family 1 48 128, 192, 256 128 96, 144 96 96, 128 64 72, 96 64 32 Key

  1. Arnab Roy 1 September 21, 2016 1 DTU Compute, Technical University of Denmark, Denmark A Brief Comparison of Simon and Simeck Stefan Kölbl 1

  2. The Simeck block cipher family

  3. 1 48 128, 192, 256 128 96, 144 96 96, 128 64 72, 96 64 32 Key size Block size Parameters (gray only Simon): • Uses less (up to 3.5%) area than Simon. • Key-schedule reuses the round function. • Uses different rotation constants. • Combines ideas from Simon and Speck. Simeck Simeck is a family of lightweight block ciphers [YZS + 15]

  4. Construction of the round function S 5 S 1 k i S 8 S 1 S 2 k i 2 Simeck (a) Simeck (b) Simon

  5. • No design rationales for Simon and Speck published. Design of Simon and Simeck • Impact of the design changes on the security is unclear. 3 Simeck

  6. Comparison of Simeck and Simon

  7. 4 7 Rounds 11 Rounds 9 Rounds 8 Rounds Simeck 9 Rounds 8 Rounds Simon After how many rounds do we get full diffusion ? 64-bit 48-bit 32-bit Wordsize • Often influences efficiency of attacks. • Rotation constants have a strong effect on this. Comparison of Simeck and Simon Table 1: Number of rounds required for full diffusion.

  8. Best attacks on Simon are based on differential and linear cryptanalysis. • Various papers on this • We study how the design changes of Simeck affect the resistance against these type of attacks. 5 Comparison of Simeck and Simon topic [ALLW15, SHW + 15, AAA + 14, WWJZ14, BRV15, SHW + 14, CW16].

  9. 6 f 1 • Use framework from [KLT15] to compute probabilities. • Always involves some assumptions. A differential trail Q is a sequence of differences follows this trail? f 0 How to compute the probability that a random pair of plaintexts Differential cryptanalysis tries to find a correlation between pairs of Comparison of Simeck and Simon plaintexts ( p , p ′ ) and ciphertexts ( c , c ′ ) . Definition Q = ( α 0 → α 1 → · · · α r − 1 f r − 1 → α r ) . − − − −

  10. 7 Interested in the differential trail with highest probability https://github.com/kste/cryptosmt . • Publicly available tool f 0 • Use approach based on SAT solvers to find bounds on p max . (1) f 1 Comparison of Simeck and Simon p max = max α 0 ,...,α r Pr ( α 0 → α r ) − → α 1 − → · · · α r − 1 − − f r − 1

  11. 8 40 Simon64 Simeck64 Simon48 Simeck48 Simon32 Simeck32 Number of Rounds Probability of best trail 35 30 25 20 15 10 Comparison of Simeck and Simon 2 − 100 2 − 80 2 − 60 2 − 40 2 − 20

  12. 9 • For the large variants the bounds for Simeck are worse. 15 [KLT15] 36 Simeck48/96 Cipher Simeck64/128 36 Simon48/96 44 32 Simon64/128 Simeck32/64 • Takes significant less time finding bounds for Simeck. • Can cover more rounds for Simeck. 32 Simon32/64 linear differential Upper Bounds Rounds 44 Comparison of Simeck and Simon 32 32 32 32 19 20 36 36 17 40 41

  13. 10 In attack we only care about the probability of the differential . which have the same input and output difference. (2) f 1 f 0 f trails Comparison of Simeck and Simon Definition The probability of a differential is the sum of all r round differential ∑ Pr ( α 0 → α r ) = ( α 0 → α r ) − − → α 1 − → · · · α r − 1 − − f r − 1 α 1 ,...,α r − 1

  14. Example for Simeck64 using 26 rounds: f 26 • We need to collect a large set of trails to get a good estimate for the probability. 11 Comparison of Simeck and Simon • The best single trail Q has Pr ( Q ) = 2 − 68 . • The differential ( 0 , 4400000 ) → ( 8800000 , 400000 ) has a − probability of ≥ 2 − 60 . 02 .

  15. 12 We are interested in the number of pairs following the differential • For Simon32 and Simeck32 we can run experiments for the full codebook. • Use Poisson distribution to estimate the distribution for a random function. where p is the probability of the differential. Let X be a Poisson distributed random variable representing the (3) f Comparison of Simeck and Simon Definition number of pairs ( a , b ) with values in F n 2 following a differential Q = ( α → β ) , that means f ( a ) ⊕ f ( a ⊕ α ) = β , then − 2 ( 2 n p ) l e − ( 2 n p ) Pr ( X = l ) = 1 l !

  16. 13 0 Valid Pairs Number of Occurences 128 112 96 80 64 48 32 16 35000 Distribution for 202225 randomly chosen keys for the differential 30000 25000 20000 15000 10000 5000 0 f 13 Comparison of Simeck and Simon ( 0 , 40 ) → ( 4000 , 0 ) for Simon32. −

  17. 14 16000 Valid Pairs Number of Occurences 128 112 96 80 64 48 32 16 0 14000 Distribution for 134570 randomly chosen keys for the differential 12000 10000 8000 6000 4000 2000 0 f 13 Comparison of Simeck and Simon ( 8000 , 4011 ) → ( 4000 , 0 ) for Simeck32. −

  18. Approximation seems quite good but for some keys the number of valid pairs is significant higher. pairs for the previous Simon differential. 15 Comparison of Simeck and Simon Example: K = ( k 0 , k 1 , k 2 , k 3 ) = ( 8ec1 , 1cf8 , e84a , cee2 ) we get 1082

  19. Key Recovery

  20. 16 0 0100000000010001 0 0 13 f 13 Key recovery attacks based on differential distinguisher ***000**00***01* ***00***0******* 13 0100000000000000 0000000000000000 0 14 0 1*0000000000*000 0100000000000000 2 0 15 **00000*000**001 1*0000000000*000 5 2 16 ***000**00***01* **00000*000**001 9 1000000000000000 6 17 15 15 f r 16 ***0************ • Extend in both directions using truncated differentials. Round **************** 19 13 15 ***00***0******* ***0************ **************** 16 0 ***0************ **000***0****1** ***0************ 11 15 18 0*0000*000***01* **000***0****1** 6 11 9 0100000000010001 0*0000*000***01* 5 Comparison of Simeck and Simon • Use differential α − → β over r rounds. ∆ L ∆ R ∗ ∗ − 4 − 3 − 2 − 1 ( 8000 , 4011 ) → ( 4000 , 0 ) − −

  21. Attacks can cover more rounds for Simeck • Weaker diffusion allows better filtering and key guessing. • Differential distinguisher can cover more rounds for the larger variants. 17 Comparison of Simeck and Simon

  22. 18 Simeck48/96 key-guessing [QHS15]. • Can be improved further by two rounds with dynamic 33 44 Simeck64/128 26 36 19 Example attack on 26-round Simeck48 32 Simeck32/64 Attack Rounds Cipher Comparison of Simeck and Simon • Use four 20-round differentials with probability ≈ 2 − 44 . • Complexity: T = 2 62 , D = 2 47 , M = 2 47

  23. Results • Can show bounds for the best differential/linear trail for significant higher number of rounds. • Statistical attacks can cover more rounds. Open problems • Find better approximation for distribution of valid pairs. • Identify which (class of) keys give unusual high number of pairs. 19 Conclusion

  24. 19 Thank you for your attention!

  25. Javad Alizadeh, Hoda AlKhzaimi, Mohammad Reza Aref, Nasour Bagheri, Praveen Gauravaram, Abhishek Kumar, Martin M. Lauridsen, and Somitra Kumar Sanadhya, Cryptanalysis of SIMON variants with connections , Radio Frequency Identification: Security and Privacy Issues, RFIDSec 2014 (Nitesh Saxena and Ahmad-Reza Sadeghi, eds.), Lecture Notes in Computer Science, vol. 8651, Springer, 2014, pp. 90–107. Farzaneh Abed, Eik List, Stefan Lucks, and Jakob Wenzel, Differential cryptanalysis of round-reduced SIMON and SPECK , Fast Software Encryption, FSE 2014 (Carlos Cid and Christian Rechberger, eds.), Lecture Notes in Computer Science, vol. 8540, Springer, 2015, pp. 525–545. 20 References i

  26. Alex Biryukov, Arnab Roy, and Vesselin Velichkov, Differential analysis of block ciphers SIMON and SPECK , Fast Software Encryption, FSE 2014 (Carlos Cid and Christian Rechberger, eds.), Lecture Notes in Computer Science, vol. 8540, Springer, 2015, pp. 546–570. Huaifeng Chen and Xiaoyun Wang, Improved linear hull attack on round-reduced simon with dynamic key-guessing techniques , Fast Software Encryption - 23rd International Conference, FSE 2016, 2016, pp. 428–449. Stefan Kölbl, Gregor Leander, and Tyge Tiessen, Observations on the SIMON block cipher family , Advances in Cryptology - CRYPTO 2015, 2015, pp. 161–185. 21 References ii

  27. Kexin Qiao, Lei Hu, and Siwei Sun, Differential security evaluation of simeck with dynamic key-guessing techniques , Cryptology ePrint Archive, Report 2015/902, 2015, http://eprint.iacr.org/ . Siwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, and Ling Song, Automatic security evaluation and (related-key) differential characteristic search: Application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers , Advances in Cryptology - ASIACRYPT 2014 (Palash Sarkar and Tetsu Iwata, eds.), Lecture Notes in Computer Science, vol. 8873, Springer, 2014, pp. 158–178. 22 References iii

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Simeck Family of Lightweight Block Ciphers Gangqiang Yang , Bo Zhu, Valentin Suder, Mark D.

The Simeck Family of Lightweight Block Ciphers Gangqiang Yang , Bo Zhu, Valentin Suder, Mark D.

The Simeck Family of Lightweight Block Ciphers Gangqiang Yang , Bo Zhu, Valentin Suder, Mark D. Aagaard, and Guang Gong Electrical and Computer Engineering, University of Waterloo Sept 15, 2015 Yang, Zhu, Suder, Aagaard, Gong Simeck Family

537 views • 30 slides
A Comparison of Calculated and Cloud- Cleared Radiances Over Land and Water Evan Fishbein Simon

A Comparison of Calculated and Cloud- Cleared Radiances Over Land and Water Evan Fishbein Simon

National Aeronautics and Space Administration Jet Propulsion Laboratory California Institute of Technology Pasadena, California A Comparison of Calculated and Cloud- Cleared Radiances Over Land and Water Evan Fishbein Simon Hook JPL AIRS

573 views • 54 slides
Revisiting Counter Mode to Repair Galois/Counter Mode Bo Zhu, Yin Tan and Guang Gong University

Revisiting Counter Mode to Repair Galois/Counter Mode Bo Zhu, Yin Tan and Guang Gong University

Intro Repairing GCM Simeck Design Summery Revisiting Counter Mode to Repair Galois/Counter Mode Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada Aug 12, 2013 1 of 32 Revisiting CM to Repair GCM Intro Repairing GCM Simeck

917 views • 70 slides
IEEE P1528.3 CAD interlaboratory comparison Vikass Monebhurrun vikass.monebhurrun@supelec.fr

IEEE P1528.3 CAD interlaboratory comparison Vikass Monebhurrun vikass.monebhurrun@supelec.fr

La simulation en CEM et Hyperfrquences IEEE P1528.3 CAD interlaboratory comparison Vikass Monebhurrun vikass.monebhurrun@supelec.fr Contributors: Yannis Braux (CST France), Mikhail Kozlov (Max Planck Institute, Germany) Winfried Simon

566 views • 19 slides
Annual General Meeting 27 June 2019 Simon Thompson Chairman Todays agenda Simon Thompson

Annual General Meeting 27 June 2019 Simon Thompson Chairman Todays agenda Simon Thompson

Annual General Meeting 27 June 2019 Simon Thompson Chairman Todays agenda Simon Thompson Introductory remarks Simon Borrows Review of the year Simon Thompson Q&A Simon Thompson Formal business including Resolutions 3

565 views • 27 slides
Trials and the Exploratory/Confirmatory Paradigm Richard Simon, D.Sc. R Simon Consulting

Trials and the Exploratory/Confirmatory Paradigm Richard Simon, D.Sc. R Simon Consulting

Designs for Basket Clinical Trials and the Exploratory/Confirmatory Paradigm Richard Simon, D.Sc. R Simon Consulting rmaceysimon@gmail.com http://rsimon.us Richard Simon, D.Sc. Formerly, Director Biometric Research Program Chief

737 views • 27 slides
What you get is what you C: Controlling side effects in mainstream C compilers Laurent Simon,

What you get is what you C: Controlling side effects in mainstream C compilers Laurent Simon,

What you get is what you C: Controlling side effects in mainstream C compilers Laurent Simon, David Chisnall, Ross Anderson Laurent Simon l.simon@samsung.com https://sites.google.com/view/laurent-simon/ Approved for public release;

868 views • 57 slides
Differential expression analysis for sequencing count data Simon Anders Two applications of

Differential expression analysis for sequencing count data Simon Anders Two applications of

Differential expression analysis for sequencing count data Simon Anders Two applications of RNA-Seq Discovery find new transcripts find transcript boundaries find splice junctions Comparison Given samples from different

715 views • 70 slides
Sequence comparison: Sequence comparison: Significance of alignment scores

Sequence comparison: Sequence comparison: Significance of alignment scores

Sequence comparison: Sequence comparison: Significance of alignment scores http://faculty.washington.edu/jht/GS559_2014/ Genome 559: Introduction to Statistical and Computational Genomics d C i l G i Prof. James H. Thomas Unscaled EVD

781 views • 13 slides
The Perceptual Proxies of Visual Comparison Presented by: Youssef Sherif 1 Visual comparison

The Perceptual Proxies of Visual Comparison Presented by: Youssef Sherif 1 Visual comparison

The Perceptual Proxies of Visual Comparison Presented by: Youssef Sherif 1 Visual comparison Bigger Mean? Bigger Range? 2 A bit of History Examine the precision of comparison tasks with different arrangements Max Correlation Max Delta 3

1.24k views • 35 slides
Statistical methodology for bio iosimil ilars, comparison of f process changes and comparison

Statistical methodology for bio iosimil ilars, comparison of f process changes and comparison

Statistical methodology for bio iosimil ilars, comparison of f process changes and comparison of f dis issolution profi files A persp specti tive fr from EFSPI Mike Denham (GlaxoSmithKline) on behalf of EFSPI WG Three Fundamental

548 views • 29 slides
Comparison Sorting II A comparison function (consistent and total) Effect: Reorganize the

Comparison Sorting II A comparison function (consistent and total) Effect: Reorganize the

2/28/2016 The comparison sorting problem Assume we have n comparable elements in an array and we want to rearrange them to be in increasing order Input: CSE373: Data Structures and Algorithms An array A of data records A key value in

458 views • 6 slides
Peer Presentation Activities Simon Says- Various Learning Styles Exemplified When I do the Simon

Peer Presentation Activities Simon Says- Various Learning Styles Exemplified When I do the Simon

Peer Presentation Activities Simon Says- Various Learning Styles Exemplified When I do the Simon Says game I stand at the front of the room and say "Simon Says put your hands on your head" while I say this I actually put my hands on my

274 views • 3 slides
Comparison of Transportation Comparison of Transportation Finance Models Finance Models Ray D.

Comparison of Transportation Comparison of Transportation Finance Models Finance Models Ray D.

Comparison of Transportation Comparison of Transportation Finance Models Finance Models Ray D. Pethtel Driving Transportation with Technology Director, Transportation Policy Group Virginia Tech Transportation Institute February 5, 2008 For

222 views • 11 slides
Optimizing XML for Comparison and Change Nigel Whitaker & Robin La Fontaine DeltaXML 1

Optimizing XML for Comparison and Change Nigel Whitaker & Robin La Fontaine DeltaXML 1

Optimizing XML for Comparison and Change Nigel Whitaker & Robin La Fontaine DeltaXML 1 Tuesday, 29 October 13 About DeltaXML Software company based in Worcestershire, UK First XML comparison product: 2002 Comparison engine,

451 views • 33 slides
Innovation in Liberalized Electricity Markets: A Comparison of Regulatory Incentives A Comparison

Innovation in Liberalized Electricity Markets: A Comparison of Regulatory Incentives A Comparison

Innovation in Liberalized Electricity Markets: A Comparison of Regulatory Incentives A Comparison of Regulatory Incentives in California and Germany Mi h Michael Holtermann l H lt European School of Management and Technology

617 views • 34 slides
Rotational-XOR cryptanalysis on ARX and AND-RX ciphers Yunwen Liu ASK 2019 at Kobe National

Rotational-XOR cryptanalysis on ARX and AND-RX ciphers Yunwen Liu ASK 2019 at Kobe National

Rotational-XOR cryptanalysis on ARX and AND-RX ciphers Yunwen Liu ASK 2019 at Kobe National University of Defense Technology 1 Acknowledgement This talk is based on the joint works with: Tomer Ashur, Adrin Ranea & Glenn De Witte from

552 views • 31 slides
Matt. 7:1, Judge not, that you be not judged. Matt. 7:2, For with what judgment you judge,

Matt. 7:1, Judge not, that you be not judged. Matt. 7:2, For with what judgment you judge,

Matt. 7:1, Judge not, that you be not judged. Matt. 7:2, For with what judgment you judge, you will be judged; and with the measure you use, it will be measured back to you. Matt. 7:3, And why do you look at the speck in your

172 views • 5 slides
Differential Cryptanalysis of Round-Reduced Simon and Speck Farzaneh Abed Eik List Stefan Lucks

Differential Cryptanalysis of Round-Reduced Simon and Speck Farzaneh Abed Eik List Stefan Lucks

Differential Cryptanalysis of Round-Reduced Simon and Speck Farzaneh Abed Eik List Stefan Lucks Jakob Wenzel Bauhaus-Universitt Weimar FSE 2014 March 27, 2014 March 27, 2014 Agenda Motivation Simon and Speck Our Method Results

533 views • 31 slides
Multi-class Support Vector Machine Rizal Zaini Ahmad Fathony November 10, 2016 University of

Multi-class Support Vector Machine Rizal Zaini Ahmad Fathony November 10, 2016 University of

Multi-class Support Vector Machine Rizal Zaini Ahmad Fathony November 10, 2016 University of Illinois at Chicago Introduction Support Vector Machine The Support Vector Machine is a classification algorithm developed based on a geometric

1.65k views • 129 slides
Resolution and logarithmic resolution by weighted blowing up Dan Abramovich, Brown University

Resolution and logarithmic resolution by weighted blowing up Dan Abramovich, Brown University

Resolution and logarithmic resolution by weighted blowing up Dan Abramovich, Brown University Work with Michael T emkin and Jaros law W lodarczyk and work by Ming Hao Quek Also parallel work by M. McQuillan Algebraic geometry and

797 views • 77 slides
Passages worth the dig Passages worth the dig Matt 7.1-5 Judge not, that ye not be judged

Passages worth the dig Passages worth the dig Matt 7.1-5 Judge not, that ye not be judged

Passages worth the dig Passages worth the dig Matt 7.1-5 Judge not, that ye not be judged David Capes Senior Research Fellow Lanier Theological Library Judge Not . . . Really David Kinnamon, Barna Group Gabe Lyons, Fermi Project

390 views • 15 slides
TOUCAN: A proTocol tO secUre Controller Area Network Giampaolo Bella Gianpiero Costantino

TOUCAN: A proTocol tO secUre Controller Area Network Giampaolo Bella Gianpiero Costantino

AutoSec 2019 Dallas, TX, USA TOUCAN: A proTocol tO secUre Controller Area Network Giampaolo Bella Gianpiero Costantino Pietro Biondi Ilaria Matteucci 1 Automotive communication domains User to Vehicle Vehicle to Infrastructure

363 views • 12 slides
Lightweight S Stream C Cipher Scheme f for R Resource- Constrained I IoT D Devices WIMOB

Lightweight S Stream C Cipher Scheme f for R Resource- Constrained I IoT D Devices WIMOB

Lightweight S Stream C Cipher Scheme f for R Resource- Constrained I IoT D Devices WIMOB 2019 October 21st 23rd, 2019 Casa Convalescncia, Barcelona, Spain Authors: Hassan Noura, Raphal Couturier, CongDuc Pham and Ali Chehab

149 views • 13 slides

More recommend