Open Access
Improved rotational‐XOR cryptanalysis of Simon‐like block ciphers
Author(s) - Lu Jinyu, Liu Yunwen, Ashur Tomer, Sun Bing, Li Chao
Publication year - 2022
Publication title - IET Information Security
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.308
H-Index - 34
eISSN - 1751-8717
pISSN - 1751-8709
DOI - 10.1049/ise2.12061
Subject(s) - block cipher , linear cryptanalysis , differential cryptanalysis , cryptanalysis , boomerang attack , computer science , bitwise operation , cipher , block size , algorithm , theoretical computer science , mathematics , key (lock) , arithmetic , discrete mathematics , cryptography , encryption , computer security , programming language
Rotational‐XOR (RX) cryptanalysis is a cryptanalytic method aimed at finding distinguishable statistical properties in Addition‐Rotation‐XOR‐C ciphers, that is, ciphers that can be described only by using modular addition, cyclic rotation, XOR and the injection of constants. In this study, we extend RX‐cryptanalysis to AND‐RX ciphers, a similar design paradigm where the modular addition is replaced by vectorial bitwise AND; such ciphers include the block cipher families Simon and Simeck. We analyse the propagation of RX‐differences through AND‐RX rounds and develop a closed‐form formula for their expected probability. Inspired by the MILP verification model proposed by Sadeghi et al., we develop a SAT/SMT model for searching compatible RX‐characteristics in Simon‐like ciphers, that is, characteristics for which there is at least one right pair of messages/keys satisfying the RK‐characteristics. To the best of our knowledge, this is the first model that takes the RX‐difference transitions and value transitions simultaneously into account in Simon‐like ciphers. Meanwhile, we investigate how the choice of the round constants affects the resistance of Simon‐like ciphers against RX‐cryptanalysis. Finally, we show how to use an RX‐distinguisher for a key recovery attack. Evaluating our model, we find compatible RX‐characteristics of up to 20, 27 and 34 rounds with respective probabilities of 2^{-26}, 2^{-44} and 2^{-56} for versions of Simeck with block sizes of 32, 48 and 64 bits, respectively, for large classes of weak keys in the related‐key model. In most cases, these are the longest published distinguishers for the respective variants of Simeck. In the case of Simon, we present compatible RX‐characteristics for round‐reduced versions of all 10 instances. We observe that for equal block and key sizes, the RX‐distinguishers cover fewer rounds in Simon than in Simeck. Concluding the paper, we present a key recovery attack on Simeck 64 reduced to 28 rounds using a 23‐round RX‐characteristic.