Recently, Ashur and Liu introduced the Rotational-XOR-difference approach which is a modification of rotational cryptanalysis, for an ARX cipher Speck (Ashur and Liu, 2016). In this paper, we apply the Rotational-XOR-difference (RXD) approach to a non-ARX cipher Simon and evaluate its security. First, we studied how to calculate the probability of an RXD for bitwise AND operation that the round function of Simon is based on unlike Speck is on modular addition. Next, we prove that two RXD trails can be connected such that it becomes possible to construct a boomerang/rectangle distinguisher similar to the case using differential characteristics. Finally, we construct related-key rectangle distinguishers for round-reduced versions of Simon with block lengths of 32, 48, and 64, and we suggest a five- or six-round key recovery attack. To our knowledge, it is the first attempt to apply the notion of rotational cryptanalysis for a non-ARX cipher. Although our attack does not show the best results for Simon thus far, the attempt here to define and apply a new cryptanalytic characteristic is meaningful, and we expect further improvements and applications to other ciphers to be made in subsequent studies.

1. Introduction

In a cryptosystem for confidentiality, the block cipher is a necessary building block for core functionality. So, because the security of block ciphers affects the applicability of the algorithm and the usability of the cryptosystem which uses the cipher as well, the security of a block cipher should be evaluated comprehensively and precisely. Over the last decade, many researchers have studied various techniques by which to design outstanding lightweight ciphers. One notable result of such research stream is design paradigm is omitting S-box, such as ARX. ARX is a design methodology for secret key primitives which uses only modular Addition, Rotation, and eXclusive OR operations. A number of outperforming lightweight block ciphers, such as Threefish [1], Chaskey Cipher [2], HIGHT [3], Speck [4], LEA [5], and Sparx [6] are designed in this framework. Another design strategy is to use the bitwise AND operation for nonlinear part of an algorithm. Although this approach is somewhat less popular than ARX, outstanding hardware-oriented ciphers such as KATAN/KTANTAN [7], Simon [4], and Simeck [8] utilize this strategy.

Rotational cryptanalysis was initially proposed to attack the block cipher Threefish, which is an internal permutation of the hash function Skein [9]. It was combined with the notion of a rebound attack considering the results of the best attack against Skein. Subsequently, the rotational probability was recalculated [10] considering the failure of the Markov assumption of chained modular additions, and a new calculating algorithm was applied to correct the results on BLAKE2 and to provide valid results on simplified Skein. Nevertheless, it appears to be difficult to apply rotational cryptanalysis to ciphers in which constant XOR is used for the enciphering procedure. This problem has remained unsolved until the following result is presented.

Recently, Ashur and Liu proposed a new type of rotational cryptanalysis that can overcome the aforementioned disadvantage by injecting constants into states [11]. This new approach can be used to evaluate the security of ciphers with constant XOR in their encryption scheme. Therefore, they applied it to the block cipher Speck-32/64 and successfully constructed a seven-round distinguisher. To do this, they introduced the notion of the Rotational-XOR (RX) pair and the associated rotational-XOR-differences (RXD) , where is a random variable and are constants. In particular, they presented a closed formula for calculating the RX probability occurred upon a modular addition.

In the present paper, we attempt to apply Ashur’s constant injecting approach to a non-ARX cipher Simon which is based on the bitwise AND operation. While Ashur and Liu demonstrated how to calculate the RX probability and how to propagate an RX pair through the modular addition, we present a closed formula for calculating the probability and propagation rule of an RX pair through a bitwise AND operation. We also find that the propagation of the RX pair due to the operations used in Simon is similar to those of the ordinary differential characteristics and we show that the probability of boomerang/rectangle characteristics using RXD can be calculated similarly to the boomerang/rectangle characteristic using the ordinary differential characteristics. Therefore, we can construct boomerang/rectangle characteristics using two RXD trails. We refer to this cryptanalysis with such characteristics as Rotational-XOR boomerang (or rectangle) cryptanalysis. Our attack works in the related-key model in which the attacker uses ciphertexts encrypted with different but related keys because rotational cryptanalysis is naturally a related-key attack.

Based on our results, we evaluate the security of several instances of Simon in the related-key model. Because our approach is more effective on ciphers with smaller block sizes, we apply it to Simon with a block length of less than or equal to 64. As a result, for some parameters, we could obtain results very close to the best results on Simon thus far. Table 1 shows the results of our attacks compared to the results of other attacks.

Although our results are not the best records for Simon, our approach can be adopted to analyze other existing or future ciphers based on the bitwise AND. Examples include Simeck and KATAN/KTANTAN.

The rest of this paper is organized as follows: in Section 2, we define some of the notations used here and give brief introductions of rotational cryptanalysis, the rotational-XOR-difference, and boomerang/rectangle cryptanalysis. The RX probability and RX characteristics of Simon are described in Section 3. In Section 4, we present the RX rectangle attack on Simon, including the key recovery phase, and calculate the computational and data complexities of the attacks. Finally, Section 5 concludes the paper.

2. Preliminaries

2.1. Notations

In this paper, we use the following notations:(i): Hamming weight of bit string (ii): modular addition of bit strings and (iii): bitwise OR of bit strings and (iv): bitwise AND of bit strings and (v): bit left shift of a bit string (vi), : bit left rotation (cyclic shift) of a bit string (vii): bit right rotation (cyclic shift) of a bit string (viii): left rotation (cyclic shift) of a bit string by a predefined , usually (ix): right rotation (cyclic shift) of a bit string by a predefined , usually (x): -th bit of a bit string (xi) means that every bit in is larger or equal to the corresponding bit in

2.2. Rotational Cryptanalysis

Since Khovratovich et al. introduced rotational cryptanalysis in 2010 [9], it has been used to evaluate symmetric key cryptographic primitives based on the ARX design framework [10, 18, 19]. Rotational cryptanalysis appears to be suitable for ARX ciphers because the rotational pair is preserved through rotations and XORes between variables and transformed by modular additions with high probability levels, unlike ciphers based on S-boxes.

Rotational cryptanalysis exploits the nonrandom behavior of ciphertext pairs generated from the rotational plaintext pairs where for some integer ( is typically selected to 1 for a higher probability). The probability that modular addition of two rotational pairs and is also a rotational pair is given bywhere is the bit length of both and [20]. For a large , that probability goes to when and to when .

However, XOR or modular addition with a constant destroys the rotational relationship of a pair when the constant cannot transform into itself by -bit rotation. So, the rotational cryptanalysis cannot be widely adopted in relation to the block cipher analysis.

2.3. Rotational-XOR-Difference

In 2016, Ashur and Liu introduced modified rotational cryptanalysis using the rotational-XOR-difference (RXD) to overcome the limitations caused by the constants and applied it to block cipher Speck [11]. They defined an RX pair as and its RXD as . It is obvious that the RX pair is preserved even if some constant is XORed to the values of the pair. In addition, they proved the following Theorem 1, which shows us how to calculate the transition probability of RX pair through modular addition. We assume that throughout this paper; hence, we let denote .

Theorem 1 (Theorem 1 in [11]). Let represent independent uniform random variables. Let , and be constants in and and be the most significant bits of , , and , respectively. Then,where and .
It is clear that the rotation of an RX pair is an RX pair and that the XOR of two RX pairs is also an RX pair.

2.4. Boomerang/Rectangle Characteristics

A boomerang attack [21] uses two differential characteristics for and for , whose probabilities are and , respectively, where the target block cipher is a composition of subciphers and , i.e., . If two plaintexts and such that satisfywith probability and bothare satisfied with probability , then, clearly

Hence,with probability .

Therefore, if we denote and as and , we can distinguish from the random permutation according to the distribution of , where and .

A boomerang attack is an adaptive chosen-ciphertext attack that can be transformed into a known-plaintext attack based on the following rectangle distinguisher [22].

Suppose that we have two pairs of plaintext and such that

In such a case, we havewith probability . Here, if we suppose that with probability , then we haveaccordinglywith probability .

Thus, we can distinguish from the random permutation using the distributions of and , if and .

2.5. Description of Simon

Simon [4] is a family of block ciphers which support various bit lengths of blocks and keys. For  = 16, 24, 32, 48, and 64, Simon- has a block size of and a key size of , , or . Encryption of Simon involves iterations of the round transformations shown in Figure 1, where and are bitwise AND and XOR, respectively. for denotes the -th round keys generated by one of the three key schedules shown in Figure 2 depending on the number of keywords, where is equal to and is the -th bit of , defined as follows.

More specific descriptions for each instance of Simon can be found in the literature [4].

3. Rotational-XOR-Differences for Simon

Unlike Speck, based on modular addition, Simon uses the bitwise AND for its round function, though this operation does not always preserve RX pairs. Consequently, here it is necessary to calculate the probability that two RX pairs are transformed into another RX pair through the bitwise AND operation.

3.1. Calculating the Probabilities of Rotational-XOR Pairs for the Bitwise AND Operation

Suppose and are two input RX pairs of a bitwise AND operation. In such a case, the output pair is . Let and for some constants and . The probability that the output pair becomes an RX pair then becomes

We can observe when the probability is nonzero and how to calculate the probability by Theorem 2, under the assumption that two inputs of the bitwise AND are independent uniformly random variables.

Theorem 2 (bitwise AND of two random variables). Let represent independent uniformly random variables for some positive integer , and let , and be constants in and , , and . Then,

Proof. Let and . In this case, we will calculate the probability that .
Because and are bitwise operations, it is clear thatTherefore, now we calculate the probability thatAccording to the definitions of , , and , we have the following equations:At this point, we consider equation (16) in bit by bit. For each , if the -th bits of and are 0, i.e., , then the -th bit of the left-hand side of equation (16) is 0; hence, the stipulations of the -th bit of equation (16) are met only if with a probability of 1. Otherwise, if and , in this case, equation (16) implies which is satisfied depending on . Because we assume be a uniform random variable, the probability that the requirements associated with the -th bit of equation (16) are satisfied is 1/2. Similarly, if and , the conditions of the -th bit of equation (16) are met with a probability of 1/2 depending on regardless of the value of . The last case is one in which and . In this case, (16) implies that and the conditions of this equation are also satisfied with a probability of 1/2 regardless of the value of because and are fixed values.
Thus, for some fixed , , and , if there exists such that and , the probability is then 0. Therefore, the probability is nonzero only if . And for each such that , the conditions of the -th bit of (16) are met with a probability of 1/2. Therefore, the probability that the conditions of (16) are met (which we want to calculate) is .
However, as shown in Figure 1, the two inputs and of the bitwise AND operation in Simon are highly dependent on each other. Therefore, we need to calculate the probability more precisely. The following Theorem 3 is analogous to Theorem 3 for covering the Simon case and the case of is relevant to Simon-.

Theorem 3. (bitwise AND of two values from one random variable). Let be an uniformly random variable for a positive integer and be a positive integer that does not divide . Additionally, let , and be constants in and and . In this case,where .

Proof. Similar to the proof of Theorem 3, we now calculate the probability that the following equation holds:Here, we consider equation (18) in bit by bit.
For each , if , thenwith a probability of 1.
Else if and , according to equation (18),However, because would appear again when we define , it is necessary to consider the subcases along with the value of . If , does not contribute to the definition of . Therefore, can be regarded as a free random variable (which means it is not used to define other bits of ); therefore, can be 0 or 1 with a probability of 1/2. Otherwise (i.e., ), as , and we have the relationship of .
Otherwise, if and , similar to the above case, is defined as a free random variable when . On the other hand, and then we have the relationship of .
Otherwise, and , according to equation (18),It is necessary to check for subcases for and . We already know that and . If , is defined as a free random variable, , , or both conditions apply. Hence, is 0 or 1 with a probability of 1/2. Otherwise, ; then, is defined as and , and is defined according to and . This means that three bits of are defined as four independent bits of the random variable . Such chain ends with the bit of , which is independently defined except when because . Thus, every bit in the chain, including , has a value of 0 or 1 with a probability of 1/2. If , every single bit of is defined by two bits of and they are related to each other. Hence, the probability that has some value is . Consequently, if for some , then the freedom of and is decreased by 1 bit and there are exactly pairs of bits in .

3.2. Searching for the Rotational-XOR-Differences Trail of Simon
3.2.1. How to Define the Rotational-XOR-Differences Trail

Because we let , the RXD of an RX pair can be denoted as . However, we use to calculate the probability of the occurrence of the bitwise AND of the RX pair regardless of the actual values of and . Thus, we can redefine the RXD of an RX pair as for the following reason.

Let there be another RX pair such that and for some random variable . In this case, we have

This means that the relationship between the constants (i.e., ’s) is sufficient to represent the RX pair and thus is also sufficient to trace the transition of ’s instead of RX pairs to search for an RXD trail. We also refer to this value as RXD and we denote an RXD trail from pair to pair such that and as . To find a suitable RXD trail, we need to know how the RXDs are transformed by the operations used in the target cipher.

Because Simon uses only three operations, XOR, rotation, and the bitwise AND, we can discuss these operations. An RXD is transformed by XOR as follows. Let there be two RX pairs and , and and . If a new variable is introduced, two RX pairs and are XORed into an RX pair such that and . Because and , we have

If a constant is XORed into an RXD , the RX pair is transformed into . Then, clearly,

For the rotation operations, similar to the above case of XOR, if , then .

The transition of an RXD by the bitwise AND is as follows. Let ; then, every satisfying could be with the probability given in Theorem 2 In the case of Simon, the random variables and are dependent on each other such that the values that could be differ lightly from the general case, as shown in Theorem 3

3.2.2. Considerations

We took the following considerations into account during the search for the RXD trails of Simon.

(1)Round indices. The indices of start and end round of the characteristic should be specified because a rotational attack is basically in the related-key model and the values (RXDs) of the round keys vary according to the round constants ’s XORed in the key schedule.(2)Including Rounds with an RXD Probability of 1. If RXDs with two input words of encryption and keywords for a round are all zero, we find some output RXD that is maximally rounds with a probability of 1. Thus, it is effective to search for RXD trails forward and backward beginning with such zero (or with a lower Hamming weight) states to find trails with a high probability.(3)Maximizing the Probability of the Next Round. The probability of an RXD trail of a round is determined by the RXD of the left half of the input. Hence, if we can control the right half of the output of the current round, we can maximize the RX probability of the next round. According to Theorem 3, one input RXD can be transformed into several output RXDs through the bitwise AND, and because their probabilities are identical, we can choose one of them with a condition identical to that of the current round. Let and be the RXDs of the left and the right inputs of -th round, respectively, and be the value of the -th round key. To maximize the RX probability of the -th round, should have a lower Hamming weight. Because where is the RXD of the output of the bitwise AND in the -th round, we can choose for which minimizes the Hamming weight of . Note that minimizing the Hamming weight of does not always guarantee the best RXD trail; however, we searched for RXD trails with such conditions in mind.
3.3. Rotational-XOR-Differences Trails of Simon

Putting the aforementioned considerations together, we searched for RXD trails with a high probability for Simon-32/64, 48/72, 48/96, 64/96, and 64/128. Initially, we let the pairs of both intermediate value and key state of the starting round have the values of Hamming weight 0 or 1. We then searched for the RXD trail with the maximum probability for each number of rounds by adding rounds forward and backward, while varying the starting round.

As a result, we can find numerous trails with the maximum probability for various starting round indices. Therefore, we can construct rectangle characteristics using short trails with high probabilities with considering the round indices.

4. Rotational Rectangle Attack on Simon

4.1. Rotational Rectangle Characteristic

In this section, we show that rotational-XOR-differences can be used to construct rectangle characteristics similar to differential characteristics by proving the following Theorem 4.

Theorem 4. Le and be independent random variables and , and be constants in for some positive integer . In addition, let and be RX pairs with and . If forms an RX pair with RXD , then also forms an RX pair and its RXD is .

Proof. Because we assumed that is an RX pair and that its RXD is , we can assume thatfor a random variable and for some constants and such that .
We will show that and .
According to this assumption, we haveThus, we haveTherefore, if we let and , we then haveAccordingly, the proof is complete.
With Theorem 4 in mind, we introduce the rotational rectangle distinguisher as follows. Denote an encryption algorithm with a key by . Suppose that is a composition of and such that . We have RXD trails satisfied with probability for and with probability for .
Suppose that and are plaintext pairs whose values are both . The probability that the pairs of intermediate values and are both RX pair and their values are both is .
According to Theorem 4, if is an RX pair and its RXD is , then is also an RX pair with RXD . If , it holdsare both RX pairs with RXD with a probability of .
Because the probability that is for block length , two RX pairs and with are transformed into two RX pairs:according to , , , and with a probability of .
However, if is a random permutation, the probability that the resulting four values form two RX pairs both with the expected RXDs is . Therefore, we can mount an RX rectangle attack when .

4.2. Constructing RX Rectangle Distinguishers

We have found many RXD trails for each of the Simon parameters that correspond to the probabilities presented in Table 2. Using these trails, we construct RX rectangle distinguishers by joining two RXD trails with consideration of round indices. As an example of Simon-32/64, we found that there exist eight-round RXD trails which start at eighth and sixteenth rounds. Therefore, we successfully combined them for the rectangle distinguisher with the maximum probability . However, for Simon-48/72, we did not find two eight-round trails that could be combined for a rectangle distinguisher to maximize the probability. Therefore, we use a nine-round trail starting at fifth round and a seven-round trail starting at fourteenth round for the rectangle distinguisher with a probability of . The number of rounds and the probability of the RX rectangle distinguisher for each of the Simon parameters are given in Table 3 and examples of RXD trails are presented in Tables 4 and 5.

4.3. Key Recovery Attack and Complexity

In this section, we present the key recovery attack framework on Simon with block sizes of 32, 48, and 64 using the RX rectangle distinguishers.

We assume the following: and denote the probabilities of RXD trails for and , respectively, and for each version of Simon. Therefore, the probabilities of RX rectangle distinguishers are .We add rounds on top and three rounds at the bottom of the distinguisher for each version of Simon. Thus, the numbers of attacked rounds are , where is the number of rounds of distinguishers for each version of Simon. Consequently, we attack round-reduced Simon from the -th round to the -th round. The actual round indices of attacked rounds for each version of Simon can be found in Tables 4 and 5.We use plaintexts for adequate positive values and ., , and denote the RXDs of the left half of an input, the right half of an input, and a round key of -th round, respectively. || and are RXDs of an input and an output of the characteristic, respectively.

4.3.1. Generation of Pairs

Because we add rounds on top, it is necessary to explain how to construct the quartets of the plaintexts for each key. We need to generate more than quartets to distinguish from a random permutation when the expected number of right quartets is . To generate more than quartets, we need two sets of pairs which contains at least pairs.

We generate the first set of pairs as follows. Let be set of plaintexts. First, we select a random plaintext from and let this value be for a fixed . And then, we encrypt it for rounds with a guessed subkey of and let this value be . Next, we should define the intermediate value of the opposite side of a pair. By rotating and adding an adequate RXD , the value is defined by . Finally, we could have another plaintext of the pair by decrypting for rounds with subkeys of the related . If the decryption result which is considered as is in again, then the two plaintexts and corresponding ciphertexts by and , respectively, are regarded as an RX pair. Similarly, another set of pairs are generated from the and subkeys of and . The numbers of elements in required to obtain pairs will be discussed later in terms of data complexity.

4.3.2. Attack Procedure

The key recovery attack against Simon- proceeds as follows. Let denote the round function of Simon; i.e., . Note that we assume that for Simon-48/72 and Simon-64/96; otherwise, .(1)Generate of a sufficient size from the oracles.(2)Guess -bit subkeys for , and for each guessed key, do the following:Calculate the corresponding related subkeys , , and , for , , and , respectively.For each element in , do the following: Encrypt for rounds with , , to obtain (round encryptions). Calculate using and ||. Decrypt for rounds with , , to obtain (round decryptions). If , register and their corresponding ciphertexts as a RX pair.For each element in , do the following: Encrypt for rounds with , , to obtain (round encryptions). Calculate using and ||. Decrypt for rounds with , , to obtain (round decryptions). If , register and their corresponding ciphertexts as a RX pair.Using two sets of pairs, construct a set of quartets , and for each quartet, do the following: For ciphertext pairs and , calculate the values of and . Using these values and , calculate . Then, first check that is in the set of candidates for calculated by , , and . Second, check that is in the set of candidates calculated for by , , and (filtering ratio, three round decryptions). Guess the -bit key and calculate the related subkeys , , and , and for each guessed key, do the following:  For the remaining quartets, decrypt one round for . Using these values and , calculate and check that . And check that is in the set of candidates calculated for by , , and (filtering ratio, three round decryptions).  Guess the -bit key and calculate the related subkeys , , and , and for each guessed keys, do the following:  For the remaining quartets, decrypt one more round for . Using , calculate and check (filtering ratio, two round decryptions).  Increase the counter of the current guessed key by the number of remaining quartets.(3)Sort the guessed keys by the number of remaining quartets and exhaustively search the remaining key bits using highly ranked guessed keys.

The discard ratios for each filtering step are denoted by , , and . These would be determined by the exact RXDs of the characteristic and should satisfy .

4.3.3. Data Complexity

The data complexity of this attack is estimated by the required number of elements in . Using elements in , we generate two sets of pairs so that we have quartets. Let . We define pairs by choosing a text in , encrypting it for the round with a guessed key, adding some differences, and decrypting for rounds with the related key. Therefore, we should assume that the processes after choosing a text are random permutations from to , for counting the required number of elements in . The question is that if we have set of random texts in with elements and a random permutation of , what is the condition of such that we have more than pairs where . Because we assume that is a random permutation,for an . Therefore, the expected number of pairs that we could have is . Given that we would like to have more than pairs, should satisfy

So, we could have a lower bound of the as follows:

As we have assumed that , a straightforward computation gives the condition:

Thus, if we choose the minimum , we can have the required number of pairs on average. Table 6 shows the data complexities of these attacks for each version of Simon.

4.3.4. Computational Complexity

At this stage, we calculate the computational complexities of this attack. At the beginning of the attack, we perform four rounds of encryption on texts to define the pairs for each guessed -bit key. We then filter out quartets with two rounds of decryption without key guessing. Next, we consume one round of encryption for each filtering step with -bit key guessing. Finally, we should exhaustively search the remaining key bits. Therefore, we can estimate the computational complexity of this attack as follows while taking the above factors into account:

We have assumed that and . Therefore, if we apply these assumptions to equation (36), then we have the following formula for computational complexity:

Table 6 shows the computational complexities of these attacks as calculated using equation (37) along with the data complexities when and has the minimum value. The filtering ratio , which is most crucial with regard to the computational complexity among the ratios, is affected by how many types of RXDs of the outputs that could be produced by the round function where and a random value are the respective inputs. According to our investigation, on average; thus, we assume that .

4.3.5. Signal-to-Noise Ratio and Success Probabilities

Similar to differential cryptanalysis, rotational cryptanalysis uses randomly selected dataset so the attack works with probability less than or equal to one. Thus, we should calculate the success probability of each attack to make sure the possibility of the attack. By an earlier literature [23], the success probability of differential cryptanalysis could be calculated using signal-to-noise (S/N) ratio. We adopt that methodology for calculating the success probability of our attacks. We use the following equation for estimating success probabilities:where is the cumulative distribution function of the standard normal distribution, denotes the number of right quartets, and we set the advantage to 8. The S/N ratio is calculated as follows:

In the above equation, denotes the bit length of the target subkey, which is assumed to be equal to the bit length of the secret key. denotes probability of characteristic, which is . is the average number of subkeys suggested by one analysed quartet. Since this attack generates quartets, . is the ratio of filtering before key guessing but is fixed to 1 for all attacks because there is no filtering before key guessing. Therefore, the S/N ratio is , and thus, the success probability is 0.73 when .

5. Conclusion

In this paper, we study how to apply cryptanalysis based on the rotational-XOR-difference approach to the block cipher Simon. We present a closed formula that is used to calculate the transition probability of an RXD trail according to the bitwise AND operation. Moreover, we demonstrate that we could construct the rectangle characteristic using RXD trails in a manner similar to how ordinary differential trails are used. Consequently, we could define a new RX rectangle attack and mount it onto some instances of the Simon family. Although our results are not the best for Simon to date, it is the first result for rotational cryptanalysis applied to a non-ARX cipher and it would be a worthwhile endeavor to attempt to improve our approach or to apply to other ciphers based on bitwise AND.

6. RXD Trails for Rectangle Distinguishers

Tables 4 and 5 show actual RXD trails for which establish the rectangle distinguishers for each version of Simon, presented in Table 3.

Data Availability

The RXD trails used to support the findings of this study are included within Tables 4 and 5. More trails are available from the corresponding author upon reasonable request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.


This work was supported by an Institute for Information and Communications Technology Promotion (IITP) grant funded by the Korean government (MSIT) (Grant no. 2017-0-00267).