#### Abstract

Dynamic key-guessing techniques, which exploit the property of AND operation, could improve the differential and linear cryptanalytic results by reducing the number of guessed subkey bits and lead to good cryptanalytic results for SIMON. They have only been applied in differential and linear attacks as far as we know. In this paper, dynamic key-guessing techniques are first introduced in integral cryptanalysis. According to the features of integral cryptanalysis, we extend dynamic key-guessing techniques and get better integral cryptanalysis results than before. As a result, we present integral attacks on 24-round SIMON32, 24-round SIMON48/72, and 25-round SIMON48/96. In terms of the number of attacked rounds, our attack on SIMON32 is better than any previously known attacks, and our attacks on SIMON48 are the same as the best attacks.

#### 1. Introduction

The integral attack, proposed by Daemen et al. [1], is an important cryptanalytic technique for symmetric-key primitives. The integral distinguisher is based on the property that when some parts of the input (constant bits) of distinguishers are held constant whereas the other parts (active bits) vary through all possibilities, the sum of all the output values equals zero at some particular locations (balanced bits). In the key recovery, the sum is random if the guessed key is incorrect, while the sum is zero if the guessed key is correct. As a powerful class of cryptanalytic techniques, integral cryptanalysis has been applied to many block ciphers, especially the ones with low-degree round functions.

SIMON is a family of ten lightweight block ciphers designed by the US National Security Agency [2]. The SIMON/ family of lightweight block ciphers have classical Feistel structures with -bit block size and -bit key, where is the word size.

SIMON has been extensively scrutinized [3–25]. As an ultralightweight primitive, SIMON is a very good target for integral cryptanalysis. In integral cryptanalysis, Wang et al. [21] experimentally found an integral distinguisher for 14 rounds of SIMON32 and mounted a key-recovery attack on 21-round SIMON32. At EUROCRYPT 2015, Todo proposed the division property [17], which is a generalized integral property. This new technique enables the cryptographers to propagate the integral property in a more precise manner. As a result, an 11-round integral distinguisher of SIMON48 was found. Subsequently, using the bit-based division property, Todo and Morii proved the 14-round distinguisher of SIMON32 theoretically in [18]. However, searching integral characteristics by the bit-based division property requires much time and memory complexity. In order to overcome the problem, Xiang et al. [23] proposed a state partition to achieve a trade-off between the accuracy of the integral distinguisher and the time-memory complexity. Accordingly, Todo’s result was improved by one round for SIMON48. Afterwards, MILP method was applied by Xiang et al. [22] to find integral characteristics of some lightweight block ciphers, including a 15-round integral distinguisher for SIMON48. At ACNS 2016, some integral distinguishers of SIMON-like ciphers were constructed by Kondo et al. [10]. However, the block size considered is only 32 bits. Later in [7], with the equivalent-subkey technique, Fu et al. presented integral attacks on 22-round SIMON32, 22-round SIMON48/72, and 23-round SIMON48/96. Good results [6, 13, 20] were achieved in differential and linear cryptanalysis, as well. The cryptanalytic results that attack the most rounds of SIMON were obtained in [6], and these results were achieved by linear hull cryptanalysis. The most efficient differential and linear attacks on SIMON were presented with the help of dynamic key-guessing techniques.

With regard to dynamic key-guessing techniques, they were initially proposed to improve the differential attacks on SIMON [20]. The techniques, which exploit the property of AND operation, help reduce the average number of guessed key bits significantly in differential cryptanalysis. Then they were applied to linear hull attacks on SIMON [6]. In both [6, 20], with the techniques above, the adversaries are able to extend previous differential (resp., linear hull) results on SIMON by 2 to 4 more rounds, using existing differential (resp., linear hull) distinguishers. Subsequently, Qiao et al. [13] released a tool, which provides the differential security evaluation of SIMON given differential distinguishers of high probability. Moreover, with newly proposed differentials [9], Qiao et al. improved differential attacks against SIMON, using the techniques. Also in the differential cryptanalysis and linear cryptanalysis of Simeck [26], good results [13, 27] have been obtained by using dynamic key-guessing techniques. Up to now, the dynamic key-guessing techniques have only been combined with linear and differential cryptanalysis methods. There is no attempt to combine the dynamic key-guessing techniques with integral attack so far.

Besides the above results under the single-key model, the security of SIMON has also been evaluated under the related-key [11] and known-key [8] models. In the related-key setting, Kondo et al. [11] constructed a 15-round related-key impossible differential distinguisher of SIMON32.

*Our Contributions.* In this paper, we first apply dynamic key-guessing techniques to integral attacks. In our improved integral cryptanalysis, we extend dynamic key-guessing techniques to compute the sum, which is in the form of , where is a nonlinear Boolean function and are counters for . The dynamic key-guessing techniques improve the time complexity of the computation significantly. Please see the following example. Suppose , where , , and and are two Boolean functions. We guess at first; then we split into two sets: and . We continue to compute the sum for each set. For set , there is no need to guess since when . Finally, we sum them up.

Using the dynamic key-guessing techniques, we present improved integral attacks on SIMON32 and SIMON48 in the single-key model. We present integral attacks on 24-round SIMON32, 24-round SIMON48/72, and 25-round SIMON48/96. In terms of the number of attacked rounds, our attack on SIMON32 is better than any previously known attacks, and our attacks on SIMON48 are the same as the best attacks. In order to verify the correctness of our approach, we implement the summation procedure of the integral attack on 22-round SIMON32. A summary of our results is given in Table 1.

*Outline*. This paper is structured as follows. Section 2 briefly describes the specification of SIMON and some integral distinguishers. In Section 3, we discuss the time reduction in integral cryptanalysis of bit-oriented block ciphers. In Section 4, we present improved integral attacks on SIMON32 and SIMON48. In Section 4.1, we give the experimental result. Finally, Section 5 draws conclusions.

#### 2. Preliminaries

##### 2.1. Notations

: the word size : the th bit of bit string : the th to the th bits of bit string : the XOR sum of , where , i.e., : concatenation of two bit strings and : the input of round or output of round : the left and right halves of , that is, : the th bit of bit string : the th to the th bits of bit string : the th to the th bits of bit string : the subkey used in th round : a new bit string, of which bits are derived from bit string , excluding : bitwise XOR : bitwise AND : a left circular shift of bit string by bits : counters for bit string : , where is a Boolean function of and (actually, are counters for ) : : the th bit of bit string

##### 2.2. Description of SIMON/

SIMON/ is a two-branch balanced Feistel network with -bit block size and -bit key, where is the word size. There are 10 variants for SIMON. The parameters of SIMON32/64, SIMON48/72, and SIMON48/96 are listed in Table 2, since only these three variants are considered in this paper. Let denote the input of round and be the output of round . The subkey used in round is denoted by . The th round is as follows (also see Figure 1): where the internal nonlinear function is defined as The key schedules are different depending on the key size. Please refer to [2] for more details.

##### 2.3. Integral Distinguishers of SIMON32 and SIMON48

Attackers prepare a set of texts where some bits (constant bits) are fixed to same values and the other bits (active bits) range over all possible values. If some bits (balanced bits) in the encrypted texts sum to zero after rounds encryption, the cipher has an -round integral distinguisher.

Wang et al. [21] found a 14-round integral distinguisher of SIMON32 experimentally. Later, Todo and Morii [18] proved the correctness of this distinguisher using division property. Also, Fu et al. [7] revealed this distinguisher from the view of degree of the Boolean function. Integral characteristics of SIMON32 and SIMON48 were found in [7, 18, 21, 22]. And we apply them to our attacks. The constant bit, active bit, balanced bit, and unknown bit are labeled as c, a, b, and ?, respectively. The integral characteristics used in this literature are as follows.(i)SIMON32’s 14-round distinguisher: Input: (caaaaaaaaaaaaaaa, aaaaaaaaaaaaaaaa) Output: (????????????????, ?b??????b??????b)(ii)SIMON48’s 15-round distinguisher: Input: (caaaaaaaaaaaaaaaaaaaaaaa, aaaaaaaaaaaaaaaaaaaaaaaa) Output: (????????????????????????, bbbbbbbbbbbbbbbbbbbbbbbb)

#### 3. Time Reduction in Integral Attacks on Bit-Oriented Block Ciphers

Suppose the input of the integral distinguisher is from the setAfter -round encryption, some bits of the output are balanced. For simplicity, let the first bit of the right part, that is, , be balanced. We add rounds before the distinguisher and append rounds after it. Let the Boolean expressions of and be functions represented as and , where , , , and are effective bit strings derived from the plaintext, the ciphertext, and involved subkeys.

We briefly outline the idea of our integral attacks on rounds of ciphers. Given the entire codebook, we guess some subkey bits and carry out the first rounds’ encryption. Then choose a set of states that form the input space . For the corresponding ciphertexts, we guess the related subkey bits and decrypt the last rounds to check if the target bit is balanced.

In general, the time complexity of the integral attack is roughly , where is the number of guessed subkey bits and denotes the number of plaintext-ciphertext pairs. But we can optimize it with dynamic key-guessing techniques.

##### 3.1. Find Collections of Ciphertexts

Let denote the counters into which we store the frequency of . For each guessed , we traverse the whole plaintext space and make partial encryptions. If , we store the corresponding ciphertext. Thus, we generate new counters , which are defined as .

Furthermore, if is linear with some bit of , say , we let , where . We now assign the value . Accordingly, , which means that the condition can be transformed to a coefficient. Therefore, it is sufficient to calculate .

##### 3.2. Compute with Dynamic Key-Guessing Techniques

As described above, the modeling to find the collections of ciphertexts can be converted into the task of computing another counter which is defined as where is a Boolean function of and , and denotes the number of . Let be a -bit value and be a -bit value. In a naive way, it needs calculations of to get the counters . Using dynamic key-guessing techniques, the calculation can be done with improved time complexity. The basic idea is as follows.

Let , where , , , and are , , , and bits. After guessing , the set of can be split into two sets and with and elements, respectively. For values in , is independent of . Similarly, for values in , is independent of . Thus, . We compute the sum for each set, then we sum them up. Therefore, using dynamic key-guessing techniques, the improved time complexity becomes .

Again, we provide a toy example that illustrates the idea behind the improvement. Let , and . Firstly, we guess . Then,Next, we create four counters , , , and and assign some values to them: , , , and . Finally, . Thus, the calculation of essentially requires additions, while it takes operations in a straightforward method.

See Appendix A for more information on the time complexity of the calculation of .

##### 3.3. Compute the XOR Sum of the Recovered Bit

Assume now that we obtain the new counters . For a fixed , we guess and partially decrypt each effective bit string to get the value of the target bit, that is, . Then, check whether the XOR sum of the recovered bit is zero. Note that the XOR sum amounts to the parity of . For simplicity, let be , where is the first bit of , . We can omit since it does not affect the XOR sum. Hence, the XOR sum essentially equals the parity of new counters which is defined as . Also, dynamic key-guessing techniques can be applied in the last rounds to improve the time complexity.

#### 4. Integral Attacks on SIMON32 and SIMON48

##### 4.1. Integral Attack on 22-Round SIMON32

We start with a key-recovery attack over four rounds of partial encryption and four rounds of partial decryption, exploiting the 14-round integral characteristic. Any of balanced bits can be taken as the target bit. Here, we pick . In the attack, we compress each plaintext-ciphertext pair into counters. Then we apply the approach given above to the reduced SIMON32.

The Boolean expression of the constant bit has the same general form as that of the balanced bit . The general form is shown in (6). The specific information on each bit is listed in Tables 3 and 4. In the tables, and , respectively, denote the plaintext and the ciphertext.

During the computation of , we first guess ; then we guess . Since there is no difference between the first and the second halves of the computation, in the following, we mainly discuss the first half, that is, the computation of To describe our procedure in a convenient way, we simplify our modeling. We give a brief description of the modeling. We aim to compute another counter , which is defined as , where and . Our approach is as follows.

Guess and then split the texts into 8 sets according to the value . Table 5 shows corresponding variants of the Boolean function . Accordingly, we have

Then we create new counters for the next step. For example, if , is equal to . Thus, we compress corresponding counters into new counters , where is initialized to Due to , is uniquely determined by . Besides, 3-bit information is independent of the value . Consequently, the creation in this example costs additions.

For each set of texts and corresponding Boolean function, we compute . We take as an example when .

The next guesses, and , are constrained by the simplified Boolean function . The corresponding texts are split into four sets. The Boolean functions simplified even further are shown in Table 6.

(i) .

The new counters are created. They are given byThe creation of new counters takes addition operations. Accordingly, we have In Appendix A, the time complexity of computing (Case 2 in Appendix A) is estimated. The calculation of requires additions.

(ii) .

Similarly,

The creation of new counters takes addition operations. And the calculation of costs additions.

(iii) .

The creation of new counters takes addition operations. And the calculation of costs additions.

(iv) .

The creation of new counters takes addition operations. And the calculation of costs additions.

After this, we sum the four temporary variables up; namely, Thus, the time complexity of the summation requires no more than additions, for each .

In this example, it takes additions to compute .

For each , we sum the eight temporary variables up. The summation yields a time complexity of addition operations.

Thus, for each , the time complexity of computing is approximately additions. The details are given in Table 7. denotes the time complexity of creating new counters according to guessed key bits. denotes the time complexity of computing the sum for each set. denotes the time complexity of summing them up.

Let us review the procedure proc_simon_32_bit_cond used to compute and the key-recovery attack on 22-round SIMON32. The procedure is as follows.(1)For each of , we compute .(2)For each of , we compute .

The time complexity of proc_simon_32_bit_cond procedure is additions.

The attack works as follows.(1)Compress the whole plaintext-ciphertext pairs into counters .(2)Call proc_simon_32_bit_cond.(3)Check the parity of . If the parity is odd, discard the 32-bit subkey guess. Otherwise, use the key schedule to recover 32 bits of the master key and then exhaustively search for the remaining 32-bit keys.

It is noted that there is one AND operation and three XOR operations in one round of SIMON. In our analysis, we approximate them as four XOR operations. The time complexity of step 1 is compressions, which is equivalent to about encryptions. Since we care about the parity of , all counters can be taken modulo 2. The addition is actually the bitwise XOR operation in the calculation of . Thus, the time complexity of step 2 is equivalent to about encryptions. The time complexity of step 3 is encryptions. Hence, the proposed attack on 22-round SIMON32 requires known plaintexts and has a total time complexity equivalent to about encryptions.

We have implemented the calculation of . The experiment was performed on Intel Core i7-4790 with 8 GBytes of DDR3 memory. The experimental result confirmed the correctness of our technique.

##### 4.2. Integral Attack on 23-Round SIMON32

In this section, we extend the 22-round attack by one round. The improved attack is as follows. Guess 13 bits’ subkey and partially encrypt plaintexts, where . Then carry out the 22-round attack.

We briefly explain why there is no need to guess . Let the first bit of (resp., ) be (resp., ). In our attack, we make the redefinitions, and . It is evident that can be obtained after guessing 13 bits’ subkey . Consequently, we still have .

The 23-round attack has a data complexity of known plaintexts and a time complexity of about encryptions.

##### 4.3. Integral Attack on 24-Round SIMON32

The 22-round attack can be extended by one round in forward and one round in backward direction in a straightforward way. The improved attack proceeds as follows. Guess 26 bits subkey , where . Partially encrypt plaintexts and partially decrypt corresponding ciphertexts. Then carry out the 22-round attack presented above. It should be noted that we do not guess . The reason is essentially the same as the case mentioned above.

In this attack, the dominant part of the time complexity is still exhaustively searching half of the key space. The total time complexity of our attack is about encryptions. The number of the required known plaintexts is . The success probability of our attack is 100%.

The total memory complexity of our attack is determined by the size of the entire SIMON32 codebook, and . This corresponds to a memory requirement of about bytes. Note that we can only store for each ciphertext. In addition, there is no need to store . The elements of it can be computed on-the-fly. As soon as a value of is computed, the bit condition is checked. If the condition is satisfied, then exhaustively search for the remaining 6-bit key.

##### 4.4. Improved Integral Attacks on SIMON48

We can improve the integral attacks on SIMON48/72 and SIMON48/96, using dynamic key-guessing techniques. Since the attack procedures for them are similar, we present these integral attacks in Appendix B. The results are summarized in Table 1.

#### 5. Conclusion

In this paper, dynamic key-guessing techniques are first introduced in integral cryptanalysis, and we extend dynamic key-guessing techniques to fit our needs. Dynamic key-guessing techniques significantly improve the complexity of calculating . Using dynamic key-guessing techniques, we can attack two more rounds than previously known integral attacks on SIMON32 and SIMON48.

#### Appendix

#### A. Time Complexities under Some Variations of Boolean Functions

In this section, we estimate the time complexity of calculating , which is defined as , under some variations of Boolean functions. Let Guess denote the bit guessed at first. Let denote the set of texts, where the value of is the same. Let be the simplified Boolean function after guessing. In addition, the form of is the same as that of . And the new counters are created with a time complexity of additions. Computing the sum for each set costs addition operations. It takes additions to sum all of them up. Moreover, total time denotes the overall time complexity.

All the cases are similar, so we focus on Case 3 in the following. is a Boolean function of 5-bit and 4-bit , where and . First, we guess and the texts are split into two sets. One set contains the texts where , and the other contains the texts where . Obviously, we obtain the corresponding simplified Boolean functions, and . The new counters can be created according to simplified Boolean functions. Note that when , we only need to compute . Next, we try to compute the corresponding temporary variables. When , we obtain , referring to Case 2. And when , . Finally, we sum them up and get .

*Case 1. * (see Table 8).

*Case 2. * (see Table 10).

*Case 3. * (see Table 9).

*Case 4. * (see Table 11).

#### B. Improved Integral Attacks on SIMON48

##### B.1. Integral Attack on 23-Round SIMON48

Using the 15-round integral characteristic, we provide a key-recovery attack (procedure proc_attack_simon_48) over four rounds of partial encryption and four rounds of partial decryption. The constant bit is and we take the balanced bit as the bit condition. It is obvious that the Boolean expressions of and have the same general form, as follows.

In the above function, and .

*Procedure proc_simon_48_comp_w/proc_simon_48_comp_y*(1)Guess and create corresponding counters.(2)When and , guess and create corresponding counters. The other situations can be treated in a similar way.(3)When , , , and , guess and create corresponding counters. The other situations can be treated in a similar way.(4)Compute temporary variables and sum them up.

Time complexity evaluation: Steps (3)-(4) cost bitwise XOR operations; Steps (2)–(4) cost bitwise XOR operations; Steps –(4) cost bitwise XOR operations.

*Procedure proc_simon_48_bit_cond*(1)For each of , call proc_simon_48_comp_w.(2)For each of , call proc_simon_48_comp_y.

Time complexity evaluation: bitwise XOR operations.

*Procedure proc_attack_simon_48*(1)Compress the whole plaintext-ciphertext pairs into counters.(2)Call proc_simon_48_bit_cond.(3)Check the bit condition. If the condition is satisfied, use the key schedule to recover 36 bits of the master key; then exhaustively search for the remaining key bits. Otherwise, discard the 36-bit subkey guess.

Complexity evaluation includes known plaintexts, / encryptions, and bytes.

In the key-recovery attack (procedure proc_attack_simon_48), the whole plaintext-ciphertext pairs are compressed into counters. Thus, the memory complexity of our attack is only determined by the size of counters used in the attack. This corresponds to a memory requirement of about bytes. Note that there is no need to store , since we can compute the elements of on-the-fly, similar to the integral attack on 24-round SIMON32.

##### B.2. Integral Attack on 24-Round SIMON48/72

*Procedure proc_attack_simon_48_72_24*(1)Guess 18 bits’ subkey and partially encrypt plaintexts, where .(2)Call proc_attack_simon_48.

Complexity evaluation includes known plaintexts, encryptions, and bytes.

In this attack, the dominant part of the memory complexity is the size of the entire SIMON48 codebook. This corresponds to a memory requirement of about bytes. It is noted that we can only store for each ciphertext.

##### B.3. Integral Attack on 25-Round SIMON48/96

*Procedure proc_attack_simon_48_96_25*(1)Guess 36 bits’ subkey , where and . Partially encrypt plaintexts and partially decrypt corresponding ciphertexts.(2)Call proc_attack_simon_48.

Complexity evaluation includes known plaintexts, encryptions, and bytes.

Similar to the integral attack on 24-round SIMON48/72, the dominant part of the memory complexity is the size of the entire SIMON48 codebook.

#### Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this article.

#### Acknowledgments

This work is supported by China’s 973 Program (no. 2013CB834205).