Security and Communication Networks


Research Article | Open Access

Volume 2020 | Article ID 5968584

Bonwook Koo, Younghoon Jung, Woo-Hwan Kim, "Rotational-XOR Rectangle Cryptanalysis on Round-Reduced Simon", Security and Communication Networks, vol. 2020, Article ID 5968584, 12 pages, 2020.

Rotational-XOR Rectangle Cryptanalysis on Round-Reduced Simon

Academic Editor: Kuo-Hui Yeh
Received: 13 Nov 2018
Revised: 24 Mar 2020
Accepted: 12 Jun 2020
Published: 22 Jul 2020


Recently, Ashur and Liu introduced the Rotational-XOR-difference approach, a modification of rotational cryptanalysis, and applied it to the ARX cipher Speck (Ashur and Liu, 2016). In this paper, we apply the Rotational-XOR-difference (RXD) approach to the non-ARX cipher Simon and evaluate its security. First, we study how to calculate the probability of an RXD through the bitwise AND operation, on which the round function of Simon is based, in contrast to the modular addition of Speck. Next, we prove that two RXD trails can be connected, so that a boomerang/rectangle distinguisher can be constructed in the same way as with ordinary differential characteristics. Finally, we construct related-key rectangle distinguishers for round-reduced versions of Simon with block lengths of 32, 48, and 64, and we propose five- or six-round key recovery attacks on top of them. To our knowledge, this is the first attempt to apply the notion of rotational cryptanalysis to a non-ARX cipher. Although our attack does not give the best results on Simon to date, defining and applying a new cryptanalytic characteristic is meaningful in itself, and we expect further improvements and applications to other ciphers in subsequent studies.

1. Introduction

In a cryptosystem for confidentiality, the block cipher is a necessary building block for the core functionality. Because the security of a block cipher affects both the applicability of the algorithm and the usability of the cryptosystem built on it, its security should be evaluated comprehensively and precisely. Over the last decade, many researchers have studied techniques for designing outstanding lightweight ciphers. One notable outcome of this line of research is the design paradigm that omits S-boxes, of which ARX is the best-known example. ARX is a design methodology for secret-key primitives that uses only modular Addition, Rotation, and eXclusive OR. A number of high-performance lightweight block ciphers, such as Threefish [1], Chaskey Cipher [2], HIGHT [3], Speck [4], LEA [5], and Sparx [6], are designed in this framework. Another S-box-free strategy is to use the bitwise AND operation for the nonlinear part of the algorithm. Although this approach is somewhat less popular than ARX, outstanding hardware-oriented ciphers such as KATAN/KTANTAN [7], Simon [4], and Simeck [8] follow it.

Rotational cryptanalysis was initially proposed to attack the block cipher Threefish, the internal permutation of the hash function Skein [9]; combined with the rebound attack, it yielded the best attack against Skein at the time. Subsequently, the rotational probability was recalculated [10] to account for the failure of the Markov assumption for chained modular additions, and a new calculation algorithm was used to correct the results on BLAKE2 and to provide valid results on simplified Skein. Nevertheless, rotational cryptanalysis appeared to be difficult to apply to ciphers that XOR constants into the state during encryption. This problem remained unsolved until the result described next was presented.

Recently, Ashur and Liu proposed a new type of rotational cryptanalysis that overcomes this disadvantage by injecting constants into the states [11]. This new approach can be used to evaluate the security of ciphers with constant XORs in their encryption procedure, and they applied it to the block cipher Speck-32/64, constructing a seven-round distinguisher. To do this, they introduced the notion of the Rotational-XOR (RX) pair and the associated rotational-XOR-difference (RXD) , where is a random variable and are constants. In particular, they presented a closed formula for the RX probability of a modular addition.

In the present paper, we apply Ashur and Liu's constant-injection approach to the non-ARX cipher Simon, which is based on the bitwise AND operation. While Ashur and Liu showed how to calculate the RX probability and how to propagate an RX pair through modular addition, we present a closed formula for the probability and a propagation rule for an RX pair through the bitwise AND. We also find that the propagation of RX pairs through the operations used in Simon resembles that of ordinary differential characteristics, and we show that the probability of a boomerang/rectangle characteristic built from RXDs can be calculated in the same way as for one built from ordinary differential characteristics. Therefore, we can construct boomerang/rectangle characteristics from two RXD trails. We refer to cryptanalysis with such characteristics as Rotational-XOR boomerang (or rectangle) cryptanalysis. Because rotational cryptanalysis is inherently a related-key technique, our attack works in the related-key model, in which the attacker obtains ciphertexts encrypted under different but related keys.

Based on our results, we evaluate the security of several instances of Simon in the related-key model. Because our approach is more effective on ciphers with smaller block sizes, we apply it to Simon with a block length of less than or equal to 64. As a result, for some parameters, we could obtain results very close to the best results on Simon thus far. Table 1 shows the results of our attacks compared to the results of other attacks.


Table 1: Summary of attacks on round-reduced Simon (attacked rounds/total rounds).

Simon instance   Attack                     Rounds   Reference
32/64            Linear hull                23/32    [13]
                 Zero correlation           21/32    [15]
                 Correlated sequence        27/32    [16]
                 Related-key linear         23/32    [17]
                 Related-key RX rectangle   22/32    This paper
48/72            Linear hull                24/36    [13]
                 Zero correlation           21/36    [15]
                 Related-key RX rectangle   21/36    This paper
48/96            Linear hull                25/36    [13]
                 Zero correlation           22/36    [15]
                 Related-key linear         28/36    [17]
                 Related-key RX rectangle   24/36    This paper
64/96            Linear hull                30/42    [13]
                 Zero correlation           23/42    [15]
                 Related-key RX rectangle   22/42    This paper
64/128           Linear hull                31/44    [13]
                 Zero correlation           24/44    [15]
                 Related-key linear         34/44    [17]
                 Related-key RX rectangle   25/44    This paper

Although our results are not the best known for Simon, our approach can be applied to other existing or future ciphers based on the bitwise AND, such as Simeck and KATAN/KTANTAN.

The rest of this paper is organized as follows: in Section 2, we define some of the notations used here and give brief introductions of rotational cryptanalysis, the rotational-XOR-difference, and boomerang/rectangle cryptanalysis. The RX probability and RX characteristics of Simon are described in Section 3. In Section 4, we present the RX rectangle attack on Simon, including the key recovery phase, and calculate the computational and data complexities of the attacks. Finally, Section 5 concludes the paper.

2. Preliminaries

2.1. Notations

In this paper, we use the following notations:
(i) : Hamming weight of bit string
(ii) : modular addition of bit strings and
(iii) : bitwise OR of bit strings and
(iv) : bitwise AND of bit strings and
(v) : bit left shift of a bit string
(vi) , : bit left rotation (cyclic shift) of a bit string
(vii) : bit right rotation (cyclic shift) of a bit string
(viii) : left rotation (cyclic shift) of a bit string by a predefined , usually
(ix) : right rotation (cyclic shift) of a bit string by a predefined , usually
(x) : -th bit of a bit string
(xi) : means that every bit in is greater than or equal to the corresponding bit in

2.2. Rotational Cryptanalysis

Since Khovratovich et al. introduced rotational cryptanalysis in 2010 [9], it has been used to evaluate symmetric-key cryptographic primitives based on the ARX design framework [10, 18, 19]. Rotational cryptanalysis suits ARX ciphers because a rotational pair is preserved by rotations and by XORs between variables, and is transformed by modular additions with high probability, unlike in ciphers based on S-boxes.

Rotational cryptanalysis exploits the nonrandom behavior of ciphertext pairs generated from rotational plaintext pairs , where for some integer ( is typically chosen as 1 for a higher probability). The probability that the modular addition of two rotational pairs and is again a rotational pair is given by , where is the bit length of both and [20]. For large , this probability tends to when and to when .

However, XOR or modular addition with a constant destroys the rotational relationship of a pair whenever the constant is not mapped to itself by the -bit rotation. For this reason, rotational cryptanalysis could not be widely applied to block cipher analysis.

2.3. Rotational-XOR-Difference

In 2016, Ashur and Liu introduced modified rotational cryptanalysis using the rotational-XOR-difference (RXD) to overcome the limitations caused by the constants and applied it to block cipher Speck [11]. They defined an RX pair as and its RXD as . It is obvious that the RX pair is preserved even if some constant is XORed to the values of the pair. In addition, they proved the following Theorem 1, which shows us how to calculate the transition probability of RX pair through modular addition. We assume that throughout this paper; hence, we let denote .

Theorem 1 (Theorem 1 in [11]). Let represent independent uniform random variables. Let , and be constants in and let and be the most significant bits of , , and , respectively. Then , where and .
It is clear that the rotation of an RX pair is an RX pair and that the XOR of two RX pairs is also an RX pair.
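As an added illustration of Sections 2.2 and 2.3 (not part of the paper), the following Python code checks the rotational probability of modular addition exhaustively against the closed form quoted from [20] (for a 1-bit rotation it tends to 3/8, i.e. about 2^-1.415, as the word size grows), shows that XOR with a constant preserves rotational pairs only when the constant is invariant under the rotation, and confirms that an RX pair survives a constant XOR with its RXD shifted by a fixed amount. All function names and sample values are ours.

```python
# Added example, not from the paper: rotational pairs through modular addition
# and the effect of constant XOR, checked by exhaustive enumeration on small
# word sizes.  All function names are ours.

def rol(x, r, n):
    """Left rotation of the n-bit word x by r bits."""
    r %= n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)


def rotational_add_formula(n, r):
    """Pr[(x <<< r) + (y <<< r) = (x + y) <<< r] for uniform n-bit x, y
    (the closed form of Section 2.2).  It equals the probability that neither
    the low n-r bits nor the high r bits produce a carry:
    (1/2 + 2^(r-n-1)) * (1/2 + 2^(-r-1))."""
    return (1 + 2.0 ** (r - n) + 2.0 ** (-r) + 2.0 ** (-n)) / 4


def rotational_add_exhaustive(n, r):
    """Same probability, counted over all 2^(2n) pairs (x, y)."""
    mask = (1 << n) - 1
    hits = 0
    for x in range(1 << n):
        for y in range(1 << n):
            hits += (rol(x, r, n) + rol(y, r, n)) & mask == rol((x + y) & mask, r, n)
    return hits / (1 << (2 * n))


def rotational_pair_survives_xor(k, n, r=1):
    """True iff XOR with the constant k maps every rotational pair
    (x, x <<< r) to a rotational pair.  Since (x ^ k) <<< r = (x <<< r) ^ (k <<< r),
    this holds exactly when k is invariant under the r-bit rotation."""
    return all(rol(x ^ k, r, n) == rol(x, r, n) ^ k for x in range(1 << n))


def rxd_after_const_xor(c, k, n, r=1):
    """An RX pair (x, (x <<< r) ^ c) XORed with the constant k on both sides
    is still an RX pair; its RXD moves from c to c ^ k ^ (k <<< r)."""
    return c ^ k ^ rol(k, r, n)


def rx_pair_check(c, k, n, r=1):
    """Exhaustively confirm rxd_after_const_xor: True iff the RXD of the pair
    (x ^ k, ((x <<< r) ^ c) ^ k) equals the predicted value for every x."""
    want = rxd_after_const_xor(c, k, n, r)
    return all(((rol(x, r, n) ^ c) ^ k) ^ rol(x ^ k, r, n) == want
               for x in range(1 << n))


if __name__ == "__main__":
    for n in (2, 4, 8):
        print(n, rotational_add_exhaustive(n, 1), rotational_add_formula(n, 1))
    print("constant 0x01 keeps rotational pairs:", rotational_pair_survives_xor(0x01, 8))
    print("constant 0xFF keeps rotational pairs:", rotational_pair_survives_xor(0xFF, 8))
    print("RXD 0 after XOR with 0x01:", hex(rxd_after_const_xor(0, 0x01, 8)))
```

The exhaustive count and the closed form agree exactly for every word size, and the only 8-bit constants that keep rotational pairs intact under a 1-bit rotation are 0x00 and 0xFF, which is precisely the limitation that the RXD notion removes.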

2.4. Boomerang/Rectangle Characteristics

A boomerang attack [21] uses two differential characteristics, for and for , with probabilities and , respectively, where the target block cipher is a composition of the subciphers and , i.e., . If two plaintexts and such that satisfy with probability , and both are satisfied with probability , then clearly

Hence, with probability .

Therefore, if we denote and by and , we can distinguish from a random permutation by the distribution of , where and .

A boomerang attack is an adaptive chosen-plaintext and chosen-ciphertext attack; it can be converted into a chosen-plaintext attack by means of the following rectangle distinguisher [22].

Suppose that we have two pairs of plaintext and such that

In such a case, we have with probability . If we further suppose that with probability , then we have , and accordingly with probability .

Thus, we can distinguish from the random permutation using the distributions of and , if and .

2.5. Description of Simon

Simon [4] is a family of block ciphers supporting various block and key lengths. For = 16, 24, 32, 48, and 64, Simon- has a block size of and a key size of , , or . Encryption with Simon iterates the round transformation shown in Figure 1, where and denote bitwise AND and XOR, respectively, and for denotes the -th round key, generated by one of the three key schedules shown in Figure 2 depending on the number of key words, where is equal to and is the -th bit of , defined as follows.

More specific descriptions for each instance of Simon can be found in the literature [4].
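For concreteness, here is an added reference implementation of the five Simon instances analysed in this paper; it was written for this page and is not the Simon designers' code. It follows the specification in [4]: the round function, the three key schedules, and the bit sequences z_0, ..., z_4 (copied from the specification, index 0 being the leftmost bit of each sequence; the constant c equals 2^n - 4). The Simon-32/64 test vector is the one published with the specification. The last function computes, for a related key obtained by rotating every master key word by one bit and XORing a chosen RXD, the RXDs of the resulting round keys; the key schedule is affine, so these depend only on the constants c and z_j and not on the key, which is why the round-key RXDs vary with the round index as Section 3.2.2 notes. All names (SIMON_PARAMS, simon_encrypt, round_key_rxds, ...) are ours.

```python
# Added example (not from the paper or the Simon designers): Simon-32/64,
# 48/72, 48/96, 64/96 and 64/128 as specified in [4], plus the RXDs of the
# round keys for a rotated related key.  Names are ours.

# z_0..z_4 from the Simon specification; Z_SEQ[j][i] is bit i, i = 0 first.
Z_SEQ = [
    "11111010001001010110000111001101111101000100101011000011100110",
    "10001110111110010011000010110101000111011111001001100001011010",
    "10101111011100000011010010011000101000010001111110010110110011",
    "11011011101011000110010111100000010010001010011100110100001111",
    "11010001111001101011011000100000010111000011001010010011101111",
]

# (block size, key size) -> (word size n, key words m, rounds T, index j of z_j)
SIMON_PARAMS = {
    (32, 64): (16, 4, 32, 0),
    (48, 72): (24, 3, 36, 0),
    (48, 96): (24, 4, 36, 1),
    (64, 96): (32, 3, 42, 2),
    (64, 128): (32, 4, 44, 3),
}


def rol(x, r, n):
    """Left rotation of the n-bit word x by r bits."""
    r %= n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)


def ror(x, r, n):
    """Right rotation of the n-bit word x by r bits."""
    return rol(x, n - (r % n), n)


def simon_f(x, n):
    """Nonlinear part of the round: (S^1 x & S^8 x) xor S^2 x."""
    return (rol(x, 1, n) & rol(x, 8, n)) ^ rol(x, 2, n)


def key_schedule(key_words, block, keysize):
    """Expand the m key words (key_words[0] is round key 0) into T round keys:
    k_i = c ^ z_j[(i-m) mod 62] ^ k_{i-m} ^ (I ^ S^-1)(S^-3 k_{i-1} [^ k_{i-3} if m = 4])."""
    n, m, T, j = SIMON_PARAMS[(block, keysize)]
    c = ((1 << n) - 1) ^ 3                      # c = 2^n - 4
    k = list(key_words)
    for i in range(m, T):
        tmp = ror(k[i - 1], 3, n)
        if m == 4:
            tmp ^= k[i - 3]
        tmp ^= ror(tmp, 1, n)
        k.append(c ^ int(Z_SEQ[j][(i - m) % 62]) ^ k[i - m] ^ tmp)
    return k


def simon_encrypt(x, y, key_words, block, keysize, rounds=None):
    """Encrypt the block (x, y), x being the left word.  rounds=None runs all
    T rounds; a smaller value gives the round-reduced cipher of the attacks."""
    n, _, T, _ = SIMON_PARAMS[(block, keysize)]
    rk = key_schedule(key_words, block, keysize)
    for i in range(T if rounds is None else rounds):
        x, y = y ^ simon_f(x, n) ^ rk[i], x
    return x, y


def simon_decrypt(x, y, key_words, block, keysize, rounds=None):
    """Inverse of simon_encrypt: undo the rounds in reverse order."""
    n, _, T, _ = SIMON_PARAMS[(block, keysize)]
    rk = key_schedule(key_words, block, keysize)
    for i in reversed(range(T if rounds is None else rounds)):
        x, y = y, x ^ simon_f(y, n) ^ rk[i]
    return x, y


def round_key_rxds(key_words, key_rxds, block, keysize):
    """RXDs of the round keys for the related-key pair (K, K') where
    K'_i = (K_i <<< 1) ^ key_rxds[i] for every master key word.  The key
    schedule is affine, so the result does not depend on K: only c and z_j
    break the rotational relation between the two round-key sequences."""
    n = SIMON_PARAMS[(block, keysize)][0]
    related = [rol(w, 1, n) ^ d for w, d in zip(key_words, key_rxds)]
    rk = key_schedule(key_words, block, keysize)
    rk2 = key_schedule(related, block, keysize)
    return [b ^ rol(a, 1, n) for a, b in zip(rk, rk2)]


if __name__ == "__main__":
    K = [0x0100, 0x0908, 0x1110, 0x1918]        # specification test vector, k_0 first
    print("Simon-32/64:", [hex(v) for v in simon_encrypt(0x6565, 0x6877, K, 32, 64)])
    print("round-key RXDs for a zero key RXD:",
          [hex(v) for v in round_key_rxds(K, [0, 0, 0, 0], 32, 64)[:8]])
```

With a zero RXD on all four key words of Simon-32/64, the first four round keys are rotational pairs, but from round 4 on the constants c and z_0 force nonzero round-key RXDs (0x6 for round 4), and the same list comes out for any master key.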

3. Rotational-XOR-Differences for Simon

Unlike Speck, which is based on modular addition, Simon uses the bitwise AND in its round function, and this operation does not always preserve RX pairs. Consequently, it is necessary to calculate the probability that two RX pairs are transformed into another RX pair through the bitwise AND operation.

3.1. Calculating the Probabilities of Rotational-XOR Pairs for the Bitwise AND Operation

Suppose and are two input RX pairs of a bitwise AND operation. In such a case, the output pair is . Let and for some constants and . The probability that the output pair becomes an RX pair then becomes

Theorem 2 shows when this probability is nonzero and how to calculate it, under the assumption that the two inputs of the bitwise AND are independent uniformly random variables.

Theorem 2 (bitwise AND of two random variables). Let represent independent uniformly random variables for some positive integer , and let , and be constants in and , , and . Then,

Proof. Let and . We calculate the probability that .
Because and are bitwise operations, it is clear that . Therefore, we calculate the probability that . According to the definitions of , , and , we have the following equations: . We now consider equation (16) bit by bit. For each , if the -th bits of and are 0, i.e., , then the -th bit of the left-hand side of equation (16) is 0; hence, the condition on the -th bit of equation (16) is met, with probability 1, only if . Otherwise, if and , equation (16) implies , which holds or not depending on . Because we assume to be a uniform random variable, the condition on the -th bit of equation (16) is satisfied with probability 1/2. Similarly, if and , the condition on the -th bit of equation (16) is met with probability 1/2, depending on and regardless of the value of . The last case is and . In this case, (16) implies that , and this condition is again satisfied with probability 1/2 regardless of the value of , because and are fixed values.
Thus, for fixed , , and , if there exists such that and , the probability is 0. Therefore, the probability is nonzero only if . For each such that , the condition on the -th bit of (16) is met with probability 1/2, and these events are independent because they involve distinct bits of the uniform inputs. Therefore, the probability that (16) holds is .
However, as shown in Figure 1, the two inputs and of the bitwise AND in Simon are rotations of the same word and hence highly dependent on each other. Therefore, we need to calculate the probability more precisely. The following Theorem 3 is the analogue of Theorem 2 for this situation; the case is the one relevant to Simon-.

Theorem 3 (bitwise AND of two values from one random variable). Let be a uniformly random variable for a positive integer and let be a positive integer that does not divide . Additionally, let , and be constants in and and . In this case, , where .

Proof. Similar to the proof of Theorem 2, we calculate the probability that the following equation holds: . We consider equation (18) bit by bit.
For each , if , then with probability 1.
Else, if and , equation (18) gives . However, because appears again when we define , we need to consider subcases according to the value of . If , does not contribute to the definition of . Therefore, can be regarded as a free random variable (one that is not used to define other bits of ), so is 0 or 1 with probability 1/2. Otherwise (i.e., ), , and we have the relationship .
Otherwise, if and , similarly, is a free random variable when . On the other hand, if , we have the relationship .
Otherwise, and , and equation (18) gives . We need to check the subcases for and . We already know that and . If , is a free random variable, , or both conditions apply; hence, is 0 or 1 with probability 1/2. Otherwise, ; then is defined by and , and is defined by and . This means that three bits of are defined by four independent bits of the random variable . Such a chain ends with the bit of , which is defined independently except when , because . Thus, every bit in the chain, including , takes the value 0 or 1 with probability 1/2. If , every bit of is defined by two bits of , and these bits are related to each other. Hence, the probability that takes some value is . Consequently, if for some , the freedom of and decreases by 1 bit, and there are exactly such pairs of bits in .

3.2. Searching for the Rotational-XOR-Differences Trail of Simon
3.2.1. How to Define the Rotational-XOR-Differences Trail

Because we let , the RXD of an RX pair can be denoted as . However, we use to calculate the probability of the occurrence of the bitwise AND of the RX pair regardless of the actual values of and . Thus, we can redefine the RXD of an RX pair as for the following reason.

Let there be another RX pair such that and for some random variable . In this case, we have

This means that the relationship between the constants (i.e., ’s) is sufficient to represent the RX pair and thus is also sufficient to trace the transition of ’s instead of RX pairs to search for an RXD trail. We also refer to this value as RXD and we denote an RXD trail from pair to pair such that and as . To find a suitable RXD trail, we need to know how the RXDs are transformed by the operations used in the target cipher.

Because Simon uses only three operations, namely XOR, rotation, and the bitwise AND, it suffices to consider how an RXD passes through each of them. An RXD is transformed by XOR as follows. Let there be two RX pairs and , and and . If a new variable is introduced, two RX pairs and are XORed into an RX pair such that and . Because and , we have

If a constant is XORed into an RXD , the RX pair is transformed into . Then, clearly,

For the rotation operations, similar to the above case of XOR, if , then .

The transition of an RXD through the bitwise AND is as follows. Let ; then, every satisfying can occur as , with the probability given in Theorem 2. In the case of Simon, the random variables and are dependent on each other, so the set of values that can take differs slightly from the general case, as shown in Theorem 3.

3.2.2. Considerations

We took the following considerations into account during the search for the RXD trails of Simon.

(1) Round indices. The indices of the start and end rounds of the characteristic should be specified, because a rotational attack is essentially in the related-key model and the values (RXDs) of the round keys vary according to the round constants 's XORed in the key schedule.
(2) Including rounds with an RXD probability of 1. If the RXDs of the two input words of the encryption and of the key words of a round are all zero, the output RXDs of a bounded number of following rounds are obtained with probability 1. Thus, it is effective to search for RXD trails forward and backward starting from such zero (or low-Hamming-weight) states in order to find trails with a high probability.
(3) Maximizing the probability of the next round. The probability of an RXD trail for one round is determined by the RXD of the left half of its input. Hence, if we can control the right half of the output of the current round, we can maximize the RX probability of the next round. According to Theorem 3, one input RXD can be transformed into several output RXDs through the bitwise AND with identical probabilities, so we can choose any one of them without changing the probability of the current round. Let and be the RXDs of the left and right inputs of the -th round, respectively, and let be the RXD of the -th round key. To maximize the RX probability of the -th round, should have a low Hamming weight. Because , where is the RXD of the output of the bitwise AND in the -th round, we can choose the that minimizes the Hamming weight of . Note that minimizing the Hamming weight of does not always guarantee the best RXD trail; nevertheless, we searched for RXD trails with this condition in mind.
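As an added check (not from the paper) of Theorems 2 and 3, of the propagation rules in Section 3.2.1 and of consideration (3) above, the following Python code computes RX transition probabilities through the bitwise AND by exhaustive enumeration on small word sizes: once for two independent inputs, where it reproduces the closed form 2^-wt(a|b) that the proof of Theorem 2 arrives at, and once for Simon's AND of two rotations of one word, where some output RXDs become impossible and others twice as likely because one input bit feeds two output bits. Building on that, it evaluates the one-round RXD transition of Simon, whose right half is fixed and whose left half is determined by the AND output as consideration (3) describes. The rotation amount of the RX relation is 1 throughout; function names and the sample values are ours.

```python
# Added example, not from the paper: RX transition probabilities through the
# bitwise AND (independent inputs vs. Simon's two rotations of one word) and
# through one Simon round, by exhaustive enumeration.  Names are ours.

def rol(x, r, n):
    """Left rotation of the n-bit word x by r bits."""
    r %= n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)


def rx_and_prob_formula(a, b, c, n):
    """Independent uniform inputs x, y with RX partners (x <<< 1) ^ a and
    (y <<< 1) ^ b.  The output RXD is
        (((x<<<1) ^ a) & ((y<<<1) ^ b)) ^ ((x & y) <<< 1)
      = ((x<<<1) & b) ^ (a & (y<<<1)) ^ (a & b),
    whose bit i is the constant 0 when a_i = b_i = 0 and a fair coin
    otherwise.  Hence Pr[output RXD = c] is 2^-wt(a|b) if c has no bit
    outside a|b, and 0 otherwise (a&b lies inside a|b, so it does not
    change that condition)."""
    mask = (1 << n) - 1
    if c & (mask ^ (a | b)):
        return 0.0
    return 2.0 ** -bin(a | b).count("1")


def rx_and_prob_exhaustive(a, b, c, n):
    """Same probability, counted over all 2^(2n) pairs of independent words."""
    hits = 0
    for x in range(1 << n):
        xr = rol(x, 1, n) ^ a
        for y in range(1 << n):
            hits += (xr & (rol(y, 1, n) ^ b)) ^ rol(x & y, 1, n) == c
    return hits / (1 << (2 * n))


def simon_and_rx_prob(a, c, n, r1=1, r2=8):
    """Exact probability that the AND of Simon's round function maps input
    RXD a on the left word to output RXD c.  Both AND inputs are rotations
    of the same word, so their bits are not independent (Theorem 3)."""
    hits = 0
    for x in range(1 << n):
        x2 = rol(x, 1, n) ^ a                            # RX partner of x
        u = rol(x, r1, n) & rol(x, r2, n)
        u2 = rol(x2, r1, n) & rol(x2, r2, n)
        hits += (u2 ^ rol(u, 1, n)) == c
    return hits / (1 << n)


def simon_round_rxd_prob(a_left, a_right, a_key, c_left, c_right, n):
    """One round (x, y) -> (y ^ f(x) ^ k, x) with f(x) = ((x<<<1) & (x<<<8)) ^ (x<<<2).
    XOR and rotation move RXDs deterministically (Section 3.2.1), so the new
    left word has RXD a_right ^ a_key ^ (a_left <<< 2) ^ d, where d is the RXD
    the AND produces, and the new right word carries a_left unchanged."""
    if c_right != a_left:
        return 0.0
    d = c_left ^ a_right ^ a_key ^ rol(a_left, 2, n)
    return simon_and_rx_prob(a_left, d, n)


if __name__ == "__main__":
    n, a = 16, 0x5                                        # input RXD with bits 0 and 2
    a1, a8 = rol(a, 1, n), rol(a, 8, n)                   # RXDs of the two AND inputs
    for c in (0x402, 0x002, 0x100):
        print(hex(c), "independent:", rx_and_prob_formula(a1, a8, c, n),
              "Simon:", simon_and_rx_prob(a, c, n))
```

For the 16-bit word of Simon-32 and input RXD 0x5, the AND output RXD has four bit positions that can be nonzero, but positions 1 and 10 are both copies of bit 8 of the word: the independent estimate gives 2^-4 for every output in the set, whereas the exact probability is 2^-3 when those two bits agree and 0 when they differ, which is the "freedom decreased by 1 bit" effect of Theorem 3.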
3.3. Rotational-XOR-Differences Trails of Simon

Putting the aforementioned considerations together, we searched for RXD trails with a high probability for Simon-32/64, 48/72, 48/96, 64/96, and 64/128. Initially, we let the pairs of both intermediate value and key state of the starting round have the values of Hamming weight 0 or 1. We then searched for the RXD trail with the maximum probability for each number of rounds by adding rounds forward and backward, while varying the starting round.

As a result, we found numerous trails with the maximum probability for various starting round indices. Therefore, we can construct rectangle characteristics by combining short, high-probability trails while taking the round indices into account.

4. Rotational Rectangle Attack on Simon

4.1. Rotational Rectangle Characteristic

In this section, we show that rotational-XOR-differences can be used to construct rectangle characteristics similar to differential characteristics by proving the following Theorem 4.

Theorem 4. Let and be independent random variables and , and be constants in for some positive integer . In addition, let and be RX pairs with and . If forms an RX pair with RXD , then also forms an RX pair and its RXD is .

Proof. Because we assumed that is an RX pair with RXD , we can write for a random variable and constants and such that .
We will show that and .
From this assumption, we have . Thus, we have . Therefore, if we let and , we obtain , and the proof is complete.
With Theorem 4 in mind, we introduce the rotational rectangle distinguisher as follows. Denote an encryption algorithm with a key by . Suppose that is a composition of and such that . We have RXD trails satisfied with probability for and with probability for .
Suppose that and are plaintext pairs whose values are both . The probability that the pairs of intermediate values and are both RX pair and their values are both is .
According to Theorem 4, if is an RX pair with RXD , then is also an RX pair, with RXD . If , then are both RX pairs with RXD with probability .
Because the probability that is for block length , the two RX pairs and with are transformed into two RX pairs according to , , , and with probability .
However, if is a random permutation, the probability that the resulting four values form two RX pairs both with the expected RXDs is . Therefore, we can mount an RX rectangle attack when .
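The probability bookkeeping of the distinguisher above, written out as an added derivation (not part of the paper). The symbol names are ours and chosen to match the text: $E = E_1 \circ E_0$ on $n$-bit blocks, $\mathrm{rot}(\cdot)$ the rotation by the fixed amount of Section 2.3, $\alpha \to \beta$ the RXD trail of $E_0$ with probability $p_0$, $\delta \to \eta$ the RXD trail of $E_1$ with probability $p_1$, and $(P_1, P_1')$, $(P_2, P_2')$ the two plaintext RX pairs with intermediate values $U$ and ciphertexts $C$. The condition in the fifth line is our reading of the "if" in the text, obtained by applying Theorem 4 as stated; for ordinary XOR differences it would hold trivially, for RXDs it is an extra constraint on the trails being joined.

```latex
\begin{align*}
&P_i' = \mathrm{rot}(P_i)\oplus\alpha,\qquad U_i = E_0(P_i),\ U_i' = E_0(P_i'),\qquad
 C_i = E_1(U_i),\ C_i' = E_1(U_i'),\qquad i\in\{1,2\} \\[2pt]
&\Pr\big[U_i' = \mathrm{rot}(U_i)\oplus\beta \text{ for } i=1,2\big] \approx p_0^{2}
 \qquad\text{(the $E_0$ trail holds for both pairs)} \\
&\Pr\big[U_2 = \mathrm{rot}(U_1)\oplus\delta\big] = 2^{-n}
 \qquad\text{(the intermediate values are uniform and independent)} \\
&U_2' = \mathrm{rot}(U_2)\oplus\beta
      = \mathrm{rot}\big(\mathrm{rot}(U_1)\oplus\delta\big)\oplus\beta
      = \mathrm{rot}(U_1')\oplus\mathrm{rot}(\beta)\oplus\mathrm{rot}(\delta)\oplus\beta
 \qquad\text{(Theorem 4 with $a=b=\beta$, $c=\delta$)} \\
&\text{so $(U_1',U_2')$ is an RX pair with RXD $\delta$ as well exactly when }
 \mathrm{rot}(\beta)\oplus\beta = \mathrm{rot}(\delta)\oplus\delta \\
&\Pr\big[C_2=\mathrm{rot}(C_1)\oplus\eta \ \wedge\ C_2'=\mathrm{rot}(C_1')\oplus\eta\big]
 \;\approx\; p_0^{2}\cdot 2^{-n}\cdot p_1^{2}
 \qquad\text{(the $E_1$ trail holds for both pairs)} \\
&\text{random permutation: } 2^{-n}\cdot 2^{-n} = 2^{-2n};\qquad
 \text{distinguisher condition: } p_0^{2}\,p_1^{2}\,2^{-n} > 2^{-2n}
 \iff p_0\,p_1 > 2^{-n/2}.
\end{align*}
```

The last line is the condition stated in the text; it shows why the approach favours small block sizes, since the two trails together only need to beat $2^{-n/2}$ rather than $2^{-n}$.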

4.2. Constructing RX Rectangle Distinguishers

We found many RXD trails for each Simon parameter set, with the probabilities given in Table 2. Using these trails, we construct RX rectangle distinguishers by joining two RXD trails, taking the round indices into account. For Simon-32/64, for example, there exist eight-round RXD trails starting at the eighth and the sixteenth round, and we combined them into a rectangle distinguisher with the maximum probability . For Simon-48/72, however, we did not find two eight-round trails that could be combined into a rectangle distinguisher with maximal probability; we therefore use a nine-round trail starting at the fifth round and a seven-round trail starting at the fourteenth round, giving a rectangle distinguisher with probability . The number of rounds and the probability of the RX rectangle distinguisher for each Simon parameter set are given in Table 3, and examples of RXD trails are presented in Tables 4 and 5.



Table 3: RX rectangle distinguishers for Simon (rounds of the two joined trails and probability).

Simon instance   Rounds         Probability
32/64            8 + 8 = 16
48/72            7 + 9 = 16
48/96            9 + 9 = 18
64/96            8 + 9 = 17
64/128           9 + 10 = 19