observations on the simon block cipher family
play

observations on the simon block cipher family Stefan Klbl 1 - PowerPoint PPT Presentation

Jan 15, 2023 •199 likes •809 views

Gregor Leander 2 Tyge Tiessen 1 August 17, 2015 1 DTU Compute, Technical University of Denmark, Denmark 2 Horst Grtz Institute for IT Security, Ruhr-Universitt Bochum, Germany observations on the simon block cipher family Stefan Klbl 1

  1. Gregor Leander 2 Tyge Tiessen 1 August 17, 2015 1 DTU Compute, Technical University of Denmark, Denmark 2 Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Germany observations on the simon block cipher family Stefan Kölbl 1

  2. lightweight cryptography

  3. What is Lightweight Cryptography? ∙ Design primitives for resource-constraint environments like RFID tags. ∙ Lot of attention over the last few years. ∙ NIST started to investigate the possibility to standardize primitives. Design Criteria ∙ Chip-area ∙ Latency ∙ Code-size ∙ ... 2 Lightweight Cryptography

  4. 3 72, 96 128, 192, 256 128 96, 144 96 96, 128 64 48 Simon is a family of block ciphers designed by NSA. 64 32 key sizes block size ∙ Lightweight design for hardware. ∙ “Published” in 2013 on the ePrint archive. SIMON

  5. Feistel Network ∙ Simple round function ∙ Between 32 and 72 rounds S 8 S 1 S 2 K i 4 SIMON ∧

  6. Cryptanalysis of Simon ∙ No (public) cryptanalysis or security arguments from the designers. ∙ Many contributions by the cryptographic community. 5 SIMON ∙ Attacks cover up to 74 % of the rounds.

  7. properties of simon

  8. Any cipher should have reasonable security margin against differential and linear cryptanalysis. ∙ For SPN designs easier to show bounds. ∙ Difficult for ARX, Simon. ∙ Best attacks on Simon are based on differential and linear cryptanalysis. 7 Differential and Linear

  9. Differential Cryptanalysis: ∙ Observe how difference propagate through the round function. ∙ Find correlations between input and output difference. x f y f 8 Differential Cryptanalysis α = x ⊕ x ′ x ′ β = y ⊕ y ′ y ′

  10. 9 f f y f x f f We are interested in: ∙ Differentials: x ∙ Differential characteristics: ∙ Probability for one round: f f Differential Cryptanalysis α x ′ Pr ( α → β ) − Pr ( α → β → γ ) − − y ′ β ∑ Pr ( α → γ ) − → x −

  11. 9 ∙ Differentials: f f z f y f x f We are interested in: x f ∙ Differential characteristics: f f ∙ Probability for one round: f Differential Cryptanalysis α x ′ Pr ( α → β ) − y ′ β Pr ( α → γ ) → β − − ∑ Pr ( α → γ ) − → x − γ z ′

  12. 9 f ∙ Differentials: f f f x f f x ∙ Differential characteristics: z f f f ∙ Probability for one round: We are interested in: Differential Cryptanalysis α x ′ Pr ( α → β ) − Pr ( α → γ ) → β − − ∑ Pr ( α → γ ) → x − − γ z ′

  13. For the analysis we use an equivalent representation for Simon S 8 S 1 S 2 K i 10 Differential and Linear ∧

  14. For the analysis we use an equivalent representation for Simon S 1 K i 10 Differential and Linear ∧

  15. 11 0 1 1 m i 1 if d i 1 and d i 1 m i if d i m i 1 if d i 1 and d i 1 1 (1) 0 and d i m i Differential and Linear We look at a message m = ( m n − 1 , . . . , m 1 , m 0 ) and an input difference d = ( d n − 1 , . . . , d 1 , d 0 ) . The output difference f ( m ) ⊕ f ( m ⊕ d ) is then given by:  0 , if d i = 0 and d i − 1 = 0       D i ( m , d ) =      

  16. 11 m i (1) 1 1 1 and d i if d i 1 m i m i 0 1 1 and d i if d i 1 Differential and Linear We look at a message m = ( m n − 1 , . . . , m 1 , m 0 ) and an input difference d = ( d n − 1 , . . . , d 1 , d 0 ) . The output difference f ( m ) ⊕ f ( m ⊕ d ) is then given by:  0 , if d i = 0 and d i − 1 = 0     if d i = 0 and d i − 1 = 1  m i ,  D i ( m , d ) =      

  17. 11 m i (1) 1 1 1 and d i if d i 1 m i Differential and Linear We look at a message m = ( m n − 1 , . . . , m 1 , m 0 ) and an input difference d = ( d n − 1 , . . . , d 1 , d 0 ) . The output difference f ( m ) ⊕ f ( m ⊕ d ) is then given by:  0 , if d i = 0 and d i − 1 = 0     if d i = 0 and d i − 1 = 1  m i ,  D i ( m , d ) = m i − 1 , if d i = 1 and d i − 1 = 0      

  18. 11 (1) Differential and Linear We look at a message m = ( m n − 1 , . . . , m 1 , m 0 ) and an input difference d = ( d n − 1 , . . . , d 1 , d 0 ) . The output difference f ( m ) ⊕ f ( m ⊕ d ) is then given by:  0 , if d i = 0 and d i − 1 = 0     if d i = 0 and d i − 1 = 1  m i ,  D i ( m , d ) = m i − 1 , if d i = 1 and d i − 1 = 0     if d i = 1 and d i − 1 = 1 .  m i ⊕ m i − 1 , 

  19. Resulting difference only depends on m 0 m 2 m 4 . Therefore we have 12 1 8 possible output differences. (2) 0 m 0 m 2 m 2 m 4 0 0 0 1 0 0 0 d i 5 4 3 2 1 0 0 0 1 0 1 Differential and Linear Let us now look at a first example. Let n = 6, and d = 001010. We then calculate D ( m , d ) using the above bitwise definition of D : . S 1 ( d ) D ( m , d )

  20. Resulting difference only depends on m 0 m 2 m 4 . Therefore we have 12 1 8 possible output differences. (2) 0 m 0 m 2 m 2 m 4 0 0 0 1 0 0 0 d i 5 4 3 2 1 0 0 0 1 0 1 Differential and Linear Let us now look at a first example. Let n = 6, and d = 001010. We then calculate D ( m , d ) using the above bitwise definition of D : . S 1 ( d ) D ( m , d )

  21. Resulting difference only depends on m 0 m 2 m 4 . Therefore we have 12 1 8 possible output differences. (2) 0 m 0 m 2 m 2 m 4 0 0 0 1 0 0 0 d i 5 4 3 2 1 0 0 0 1 0 1 Differential and Linear Let us now look at a first example. Let n = 6, and d = 001010. We then calculate D ( m , d ) using the above bitwise definition of D : . S 1 ( d ) D ( m , d )

  22. Resulting difference only depends on m 0 m 2 m 4 . Therefore we have 12 1 8 possible output differences. (2) 0 m 0 m 2 m 2 m 4 0 0 0 1 0 0 0 d i 5 4 3 2 1 0 0 0 1 0 1 Differential and Linear Let us now look at a first example. Let n = 6, and d = 001010. We then calculate D ( m , d ) using the above bitwise definition of D : . S 1 ( d ) D ( m , d )

  23. Resulting difference only depends on m 0 m 2 m 4 . Therefore we have 12 1 8 possible output differences. (2) 0 m 0 m 2 m 2 m 4 0 0 0 1 0 0 0 d i 5 4 3 2 1 0 0 0 1 0 1 Differential and Linear Let us now look at a first example. Let n = 6, and d = 001010. We then calculate D ( m , d ) using the above bitwise definition of D : . S 1 ( d ) D ( m , d )

  24. Resulting difference only depends on m 0 m 2 m 4 . Therefore we have 12 1 8 possible output differences. (2) 0 m 0 m 2 m 2 m 4 0 0 0 1 0 0 0 d i 5 4 3 2 1 0 0 0 1 0 1 Differential and Linear Let us now look at a first example. Let n = 6, and d = 001010. We then calculate D ( m , d ) using the above bitwise definition of D : . S 1 ( d ) D ( m , d )

  25. 12 0 8 possible output differences. (2) 0 m 0 m 2 m 2 m 4 0 0 0 1 0 1 0 1 0 i 5 4 3 2 1 d 0 0 1 0 Differential and Linear Let us now look at a first example. Let n = 6, and d = 001010. We then calculate D ( m , d ) using the above bitwise definition of D : . S 1 ( d ) D ( m , d ) Resulting difference only depends on m 0 , m 2 , m 4 . Therefore we have

  26. Can compute the differential probability with simple bit operations. The bits which can be non-zero at the output: (3) The bits which have to be equal to their right neighbour: (4) 13 Differential and Linear varibits = α ∨ S 1 ( α ) doublebits = α ∧ S 1 ( α ) ∧ S 2 ( α )

  27. For our previous example: Possible output differences: 000000 000010 001100 001110 010000 010010 011100 011110 14 Differential and Linear varibits = 011110 doublebits = 001000

  28. For our previous example: Possible output differences: 000000 000010 001100 001110 010000 010010 011100 011110 15 Differential and Linear varibits = 011110 doublebits = 001000

  29. For our previous example: Possible output differences: 000000 000010 001100 001110 010000 010010 011100 011110 16 Differential and Linear varibits = 011110 doublebits = 001000

  30. (5) The probability is then given by: 17 Differential and Linear A valid differential ( α → β ) has to satisfy: ∙ There can only be a difference at β i , if varibits i is equal to 1 . ∙ If doublebits i is 1 , then β i = β i − 1 . Pr ( α → β ) = 2 − wt ( varibits ⊕ doublebits )

  31. (5) The probability is then given by: 17 Differential and Linear A valid differential ( α → β ) has to satisfy: ∙ There can only be a difference at β i , if varibits i is equal to 1 . ∙ If doublebits i is 1 , then β i = β i − 1 . Pr ( α → β ) = 2 − wt ( varibits ⊕ doublebits )

  32. ∙ Proofs in the paper. Apply affine transformation for Simon round function. ∙ Similar approach for linear cryptanalysis. 18 Differential and Linear

  33. finding optimal differential and linear characteristics

  34. We are interested in differential and linear characteristics with high probability. ∙ We use an approach based on SAT/SMT solvers, similar to results on Salsa20 [MP13] or NORX [AJN15]. ∙ Gives upper bounds on the probability. ∙ Estimate probability of the differentials. ∙ Open Source 1 1 https://github.com/kste/cryptosmt 20 Optimal Characteristics

  35. x i y i S 8 S 1 S 2 z i Constraints: ∙ Use our previous observations on varibits and doublebits . ∙ Probability for one round is 21 Optimal Characteristics w i = wt ( varibits ⊕ doublebits ) . x i + 1 y i + 1

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Brief Comparison of Simon and Simeck Stefan Klbl 1 The Simeck block cipher family 1 48 128,

A Brief Comparison of Simon and Simeck Stefan Klbl 1 The Simeck block cipher family 1 48 128,

Arnab Roy 1 September 21, 2016 1 DTU Compute, Technical University of Denmark, Denmark A Brief Comparison of Simon and Simeck Stefan Klbl 1 The Simeck block cipher family 1 48 128, 192, 256 128 96, 144 96 96, 128 64 72, 96 64 32 Key

617 views • 28 slides
Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Cryptography Block Cipher Modes of Operation Block Ciphers with Multiple Blocks Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography Cipher Feedback Mode School of Engineering and Technology

428 views • 32 slides
Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next? Pascal Junod University of Applied Sciences Western Switzerland Pascal Junod -- Advanced Block Cipher Design 1 ECRYPT II Summer School - May

914 views • 56 slides
Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Iterated Block Cipher Outline Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear

1.58k views • 113 slides
Simon: NSA-designed Cipher in the Post-snowden World Tomer Ashur KU Leuven 28/12/2015 The

Simon: NSA-designed Cipher in the Post-snowden World Tomer Ashur KU Leuven 28/12/2015 The

Simon: NSA-designed Cipher in the Post-snowden World Tomer Ashur KU Leuven 28/12/2015 The SIMON and SPECK Families of Lightweight Block Ciphers Two families of lightweight block ciphers (10 variants for each) Tomer Ashur Simon:

784 views • 51 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx COSIC KU Leuven and iMinds March 3, 2014 1 Joint work with E. Andreeva, B. Mennink, and K. Yasuda. 1 / 23 Overview COBRA 1 Misuse resistance 2

711 views • 58 slides
Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn

Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn

CSS441 Block Cipher Operation Modes ECB Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn International Institute of Technology XTS-AES Thammasat University Prepared by Steven Gordon on 20

871 views • 32 slides
PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

Recall We studied security of function families (in particular, block ciphers) against key recovery. But we saw that security against key recovery is not su ffi cient to ensure that natural usages of a block cipher are secure. PSEUDO-RANDOM

268 views • 13 slides
Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key outputs 64 bits of ciphertext A product cipher basic unit is the bit performs both substitution and transposition (permutation) on the

512 views • 35 slides
Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for Communication Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de www.crypto.rub.de Abstract. KeeLoq is a block cipher used in numerous

143 views • 13 slides
Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I & II Andrey Bogdanov KU Leuven, ESAT/COSIC Outline I. Block Ciphers II.

1.03k views • 79 slides
PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key recovery. But we saw that security against key recovery is not sufficient to ensure that natural usages of a block cipher are secure. We want to answer the

920 views • 88 slides
The QARMA Block Cipher Family Roberto Avanzi Qualcomm Product Security Germany Tokyo, March 7,

The QARMA Block Cipher Family Roberto Avanzi Qualcomm Product Security Germany Tokyo, March 7,

Qualcomm QARMA T E C H N O L O G I E S , I N C PRODUCT SECURITY Use cases The road to QARMA Analysis Implementation Conclusion The QARMA Block Cipher Family Roberto Avanzi Qualcomm Product Security Germany Tokyo, March 7, 2017 Roberto

537 views • 52 slides
Lightweight Block Cipher Design Gregor Leander DTU Mathematics, Denmark ECRYPT II summer school

Lightweight Block Cipher Design Gregor Leander DTU Mathematics, Denmark ECRYPT II summer school

Motivation Industry Academia We Start To Cheat... And Fail! Lightweight Block Cipher Design Gregor Leander DTU Mathematics, Denmark ECRYPT II summer school May/June 2011 G. Leander Lightweight Block Cipher Design Motivation Industry

577 views • 56 slides
January 15, 2013 MEMORANDUM TO: Chairman Macfarlane Commissioner Svinicki Commissioner

January 15, 2013 MEMORANDUM TO: Chairman Macfarlane Commissioner Svinicki Commissioner

January 15, 2013 MEMORANDUM TO: Chairman Macfarlane Commissioner Svinicki Commissioner Apostolakis Commissioner Magwood Commissioner Ostendorff FROM: R. W. Borchardt /RA/ Executive Director for Operations SUBJECT: BACKGROUND MATERIAL ON

287 views • 5 slides
Extending and Updating the Tool Interfaces in MPI: A Request for Feedback Martin Schulz

Extending and Updating the Tool Interfaces in MPI: A Request for Feedback Martin Schulz

Extending and Updating the Tool Interfaces in MPI: A Request for Feedback Martin Schulz Technische Universitt Mnchen Fakultt fr Informatik Scalable Tools Workshop 2018 Solitude, UT July 2018 With material from Marc-Andre

336 views • 18 slides
CSE 120 July 13, 2006 Scheduling Day 4 Scheduling Deadlock Instructor: Neil Rhodes

CSE 120 July 13, 2006 Scheduling Day 4 Scheduling Deadlock Instructor: Neil Rhodes

CSE 120 July 13, 2006 Scheduling Day 4 Scheduling Deadlock Instructor: Neil Rhodes Scheduling Scheduling Goals Scheduler Throughput Part of the operating system that decides which ready process to run next Number of jobs per time

280 views • 10 slides
Robot-Assisted Discovery of Evacuation Routes in Emergency Scenarios Ettore Ferranti Niki

Robot-Assisted Discovery of Evacuation Routes in Emergency Scenarios Ettore Ferranti Niki

Robot-Assisted Discovery of Evacuation Routes in Emergency Scenarios Ettore Ferranti Niki Trigoni Computing Laboratory, University of Oxford, UK Multi-Service Networks, 11th July 2008 Scenario A Group of mini robots (agents) is exploring

863 views • 34 slides
Ferrites-by-design for Millimeter waves and Terahertz Technologies (FeMiT) The FeMiT project

Ferrites-by-design for Millimeter waves and Terahertz Technologies (FeMiT) The FeMiT project

Ferrites-by-design for Millimeter waves and Terahertz Technologies (FeMiT) The FeMiT project explained in 5 minutes Have you ever experienced connectivity issues with your mobile? What will happen if as expected there are much more mobiles, in

528 views • 6 slides
Magnetics Design Tables Geometrical data for several standard ferrite core shapes are listed here.

Magnetics Design Tables Geometrical data for several standard ferrite core shapes are listed here.

Fundamentals of Power Electronics Appendix 2 Magnetics Design Tables Geometrical data for several standard ferrite core shapes are listed here. The geometrical constant K g is a measure of core size, useful for designing inductors and

61 views • 5 slides
MI/RR Upgrades: Overview and Plans Ioanis Kourbanis Fermilab PIP-II Collaboration Meeting

MI/RR Upgrades: Overview and Plans Ioanis Kourbanis Fermilab PIP-II Collaboration Meeting

MI/RR Upgrades: Overview and Plans Ioanis Kourbanis Fermilab PIP-II Collaboration Meeting June 3-4 2014 MI/RR Performance Requirements 50% more beam intensity Operate at different energies PIP-II, Collaboration Meeting, June 2

533 views • 26 slides

More recommend