Keywords

1 Introduction

Due to the continuously growing impact of RFID tags, smartcards, and FPGAs, cryptographic algorithms which are suitable for resource-constrained devices become more and more important. Lightweight ciphers are optimized to operate in such environments which are limited with respect to their memory, battery supply, and computing power. For these applications, hard- and software efficiency are crucial, and designing cryptographic primitives which preserve security under these constraints is a major challenge.

During the last decade, many lightweight ciphers have been developed including but not limited to HIGHT [11], KATAN [8], KLEIN [9], L-Block [16], LED [10], mCrypton [12], PRESENT [6], and PRINCE [7]. In June 2012, Beaulieu et al. from the U.S. National Security Agency (NSA) contributed to this ongoing research process with the announcement of two novel families of lightweight cipher families, called Simon and Speck [3]. Both constructions support an uncommonly large range of block sizes from 32 to 128 and key sizes from 64 to 256 bits in order to suit a variety of implementations. Simon was thereby optimized for hardware (like KATAN, LED, or PRESENT), and Speck for software implementations (such as KLEIN); though, due to immense optimizations in their round functions, both cipher families perform well in hard- and software.

Related Work. Due to their simple structure, Simon and Speck were already target of various cryptanalytical efforts. Alkhzaimi and Lauridsen [2] presented – parallel to our work – differential attacks on up to 16, 18, 24, 29, and 40 rounds for Simon with 32-, 48-, 64-, 96-, and 128-bit state size, respectively. In addition, the authors showed impossible-differential attacks on up to 14, 15, 16, 19, and 22 rounds and discussed observations regarding rotational cryptanalysis and weak keys. Alizadeh et al. [1] recently presented the best linear attacks on Simon, with attacks on 12, 15, 19, 28, and 35 rounds.

Biryukov and Velichkov [5] followed another promising approach, where they showed differential characteristics and trails on up to 14, 15, and 21 rounds of Simon and 9, 10, and 13 rounds of Speck with 32-, 48-, and 64-bit state size, respectively. The authors adapted Matsui’s algorithm (which can find optimal differential characteristics for S-box-based ciphers) for ARX constructions by a concept they called highways and country roads. They pointed out that the computation of a complete differential distribution table (DDT) is infeasible for ARX-based primitives. To overcome this challenge, the authors constructed two partial DDTs: a first one with the characteristics of highest probability (highways), and a second one with trails of slightly lower probabilities (country roads) in order to connect and/or improve their previous characteristics.

Contribution and Outline. This paper describes our differential attacks on Simon and Speck, which are summarized in Table 1. In what follows, Sect. 2 first reviews the necessary details of the encryption functions of Simon and Speck. Section 3 recaps properties of the differential propagation through their respective round functions. Section 4 follows up with a description of how we constructed differential characteristics through parts of both ciphers, and how to extend these characteristics over further rounds. We later use these characteristics for basic differential key-recovery attacks, which we explain first for Simon in Sect. 5. Then, Sect. 6 describes our differential attacks on Speck. Section 7 shows rectangle attacks on Speck. We conclude this work in Sect. 8.

Table 1. Summary of our results on Simon and Speck. (*) = the time complexities assume that we have two independent filtering steps (cf. Remark 1). CP = chosen plaintexts, \(\dagger \) = attack uses chosen ciphertexts.
Full size table

Notions. We follow the notions of [3], where \(n\) denotes the word size in bits, \(2n \) the state size in bits, and the tuple \((L^r, R^r)\) (the left and right parts of) a state after the encryption of Round \(r\). Further, \(k\) represents the length of the secret key. Furthermore, \(\oplus \) denotes the bit-wise XOR, \(+\) the addition modulo \(2^{n}\), \(\wedge \) bit-wise AND, \(\vee \) bit-wise OR, and \(\overline{x}\) the bit-wise inverse of \(x\). We denote by \(x_i\) the \(i\)-th least significant bit of value \(x\), and enumerate the bits by \(x = x_{n-1}x_{n-2}\ldots x_{1}x_{0}\). Alternatively, we write values in typewriter font, i.e., x for hex, and x \(_2\) for binary values, e.g., 1F = 31 and 110 \(_2\) = 6. Concerning differences, we denote by \(\varDelta _{i} \) a difference with all bits are zero, except for the \(i\)-th (least significant) bit, and by \(\varDelta _{i,[j,k,\ldots ]} \) a difference where the \(i\)-th bit is active and the values of the bits in square brackets are unknown. Further, we denote a differential characteristic or trail from an input difference \(\alpha \) to an output difference \(\beta \) by \(\alpha \rightarrow \beta \).

2 Brief Description of Simon and Speck

Simon and Speck are two simple Feistel constructions that apply a combination of rotation, XOR, and either addition (Speck) or the logical AND (Simon) iteratively over many rounds. The encryption process of Simon is given in Algorithm 1, that for Speck in Algorithm 2. Both cipher families are defined for state sizes \(2n \) and key sizes \(k \): \(32/64\), \(48/72\), \(48/96\), \(64/96\), \(64/128\), \(96/96\), \(96/144\), \(128/128\), \(128/192\), and \(128/256\).

figure a

For Simon, \(f: \{0,1\}^{n} \rightarrow \{0,1\}^{n}\) is defined as \(f(x) := (x \lll 1) \wedge (x \lll 8)\). The rotation constants in Speck are \(\alpha = 8\) and \(\beta = 3\) for the most versions of Speck; only Speck32/64 uses \(\alpha = 7\) and \(\beta = 2\).

3 Differential Properties of Simon and Speck

Differential Properties for the Round Function of Speck . For Speck, one requires only the well-known XOR-differential probabilty of the modular addition (\(\text {xdp}^{+}\)), which was studied in detail by Lipmaa and Moriai [13, 14].

Definition 1

(XOR-Differential Probabilty of Addition [14]). Let \(\alpha , \beta , \gamma \) be fixed \(n\)-bit XOR differences, and \(f(x,y) = x + y~\mathrm{mod}~n\). Then, \(\text {xdp}^{+}\) is defined as the probability over all \(x \in \{0,1\}^{n}\), such that

$$ \text {xdp}^{+}(\alpha , \beta \rightarrow \gamma ) = 2^{-2 n} \left| \left\{ (x,y):\, f(x, y) \oplus f(x \oplus \alpha , y \oplus \beta ) = \gamma \right\} \right| . $$

Differential Properties for the Round Function of Simon . For Simon, one has to consider the differential probability for the round function \(f(x)\). At the end of this section, we provide an algorithm that yields the set and number of all possible output differences for a fixed input difference. In the following, we explain first the differential probability (DP) of logical AND; next, we derive the DP of AND in combination with rotation, and then consider the DP of AND with rotationally dependent inputs. We follow the notation by [5].

Property 1

(Absorption of Logical AND). Let \(x, x', y, y' \in \{0,1\}\) and \(f(x, y) = x \wedge y\). Let \(\alpha = x \oplus x', \beta = y \oplus y', \gamma = f(x,y) \oplus f(x',y')\). Then, it applies that

$$ \Pr [\alpha , \beta \rightarrow \gamma = 0] = \left\{ \begin{array}{l l} 1 &{} \quad \text {if } \alpha = \beta = 0, \\ 1/2 &{} \quad \text {otherwise}. \end{array} \right. $$

Property 1 states that the differential output of the logical AND is biased: if \(\alpha \) and \(\beta \) are 0, then \(\gamma \) must be 0. If \(\alpha \) and/or \(\beta \) is 1, there is still a probability of 1/2 that the AND operation will cancel the active bit in the output difference.

Definition 2

(XOR-Differential Probability of AND). Let \(\alpha \), \(\beta \), \(\gamma \) be fixed \(n\)-bit XOR differences, and let \(f(x, y) = x \wedge y\). The XOR-differential probability of the logical AND (\(\text {xdp}^{\wedge }\)) is the probability over all \(x, y \in \{0,1\}^{n}\), such that

$$ \text {xdp}^{\wedge } (\alpha , \beta \rightarrow \gamma ) = 2^{-2n} \left| \left\{ (x, y):\, f(x, y) \oplus f(x \oplus \alpha , y \oplus \beta ) = \gamma \right\} \right| . $$

Property 2

(XOR-Differential Probability of AND). Let \(\alpha , \beta , \gamma \) be fixed \(n\)-bit XOR differences and \(hw(\cdot )\) the hamming-weight function. Then,

$$ \text {xdp}^{\wedge } (\alpha , \beta \rightarrow \gamma ) = \left\{ \begin{array}{l l} 0 &{} \quad \text {if } \gamma \wedge \overline{\alpha \vee \beta }\,\ne \,0^{n}, \\ 2^{-hw(\alpha \vee \beta )} &{} \quad \text {otherwise}. \end{array} \right. $$

Property 2 transfers Property 1 from bits to \(n \)-bit differences. Only those bits that are active in \(\alpha \) and/or \(\beta \) can be active in \(\gamma \) – each with probability 1/2. This is reflected by the term \((\alpha \vee \beta )\). If \(\gamma \) contains active bits at other positions, then, \(\gamma \wedge \overline{\alpha \vee \beta } \ne 0^{n}\) and \(\Pr [\alpha , \beta \rightarrow \gamma ] = 0\). Otherwise, all other possible differences \(\gamma \) are equally possible. Thus, the term \(\alpha \vee \beta \) can be interpreted as the definition of a set of possible output differences, i.e., one can efficiently iterate over all possible combinations of values for its active bits and will obtain all possible output differences \(\gamma \).

Definition 3

(XOR-Differential Probabilty of AND with Rotations). Let \(\alpha \), \(\beta \), \(\gamma \) be fixed \(n\)-bit XOR differences, \(r \in [0, n- 1]\) be a fixed rotation amount, and \(f(x, y) = x \wedge (y \lll r)\). Then, \(\text {xdp}^{\wedge , \lll }\) is defined as the probability over all \(x, y \in \{0,1\}^{n}\), such that

$$ \text {xdp}^{\wedge , \lll } (\alpha , \beta \rightarrow \gamma ) = 2^{-2n} \left| \left\{ (x, y):\, f(x, y) \oplus f(x \oplus \alpha , y \oplus \beta ) = \gamma \right\} \right| . $$

Since rotation and bit-wise logical AND are linear, we can derive

$$ \text {xdp}^{\wedge , \lll } (\alpha , \beta \rightarrow \gamma ) = \left\{ \begin{array}{l l} 0 &{} \quad \text {if } \gamma \wedge \overline{\alpha \vee (\beta \lll r)}\,\ne \,0^{n}, \\ 2^{-hw(\alpha \vee (\beta \lll r))} &{} \quad \text {otherwise}. \end{array} \right. $$

We can easily transform \(f(x) = (x \lll s) \wedge (x \lll t)\), with \(s, t \in [0,n-1], s \ne t\) into \(f(x) = x \wedge (x \lll r)\) with \(r = s - t ~\mathrm{mod}~n \). In the following, we also take rotationally dependent inputs into account.

Definition 4

(XOR-Differential Probabilty of AND with Rotationally Dependent Inputs). Let \(\alpha \), \(\beta \) be fixed \(n\)-bit XOR differences, \(r \in [0,n-1]\) be a fixed integer, and \(f(x) = x \wedge (x \lll r)\). Then, \(\text {xdp}^{x \wedge (x \lll r)} \) is defined as the probability over all \(x \in \{0,1\}^{n}\), such that

$$ \text {xdp}^{x \wedge (x \lll r)} (\alpha \rightarrow \beta ) = 2^{-n} \left| \left\{ x:\, f(x) \oplus f(x \oplus \alpha ) = \beta \right\} \right| . $$

Property 3

(Differential Propagation of \(\text {xdp}^{x \wedge (x \lll r)} \)). Let \(\alpha \) be fixed \(n\)-bit XOR difference and \(r\in [0,n-1]\) be a fixed integer. Let \(f: \{0,1\}^{n} \rightarrow \{0,1\}^{n}\) be defined by \(f(x) = x \wedge (x \lll r)\). Then, the set of possible output differences \(\beta \) for \(\text {xdp}^{x \wedge (x \lll r)} \), can be efficiently computed in O\((n)\) as shown in Algorithm 3.

figure b

Example: \(n = 16, r = 7, \alpha = \mathtt 0500 \).Let \(x, x'\) be two 16-bit values which serve as input to \(f(x)\), with \(x \oplus x' = \alpha \) and \(\beta = f(x) \oplus f(x')\). We see that

$$ \begin{array}{rllll} \alpha =&{} \alpha _{15} \ldots \alpha _0 &{}= \mathtt 00000101 &{}\mathtt 0000000 &{}\mathtt 0 _2\ (\text {top}) \\ \alpha \lll r =&{} \alpha _{8}\ldots \alpha _0\alpha _{15}\ldots \alpha _{9} &{}= \mathtt 10000000 &{}\mathtt 0000001 &{}\mathtt 0 _2 \ (\text {bottom})\\ \beta =&{} \beta _{15} \ldots \beta _0 &{}= \mathtt 1000010 *^1 &{}\mathtt 000000 *^1 &{}\mathtt 0 _2 \end{array} $$

Algorithm 3 returns \(\beta =\) 1000010 \(*^1\) 000000 \(*^1\) 0 \(_2\), and \(count = 3\). The star symbol \(*\) denotes dependent bits and the index \(*^i\), indicates pairs of bits that are related.

  • \(\beta _1\) depends on \(\alpha _1\) (top) and \(\alpha _{10}\) (bottom), with \(\alpha _1 = 0\) and \(\alpha _{10} = 1\);

  • \(\beta _8\) depends on \(\alpha _{8}\) (top) and \(\alpha _1\) (bottom), with \(\alpha _1 = 0\) and \(\alpha _{8} = 1\);

From \(\alpha _1 = 0\) follows that \(x_2 = x'_2\). When \(x_2 = x'_2 = 0\) then \(\beta _1 = \beta _8 = 0\); otherwise, when \(x_2 = x'_2 = 1\), it must hold that \(\beta _1 = \beta _8 = 1\). We call \(\beta _1\) and \(\beta _8\) dependent bits. Since \(\beta \) contains four active bits and one pair of them depends on each other, there are \(2^{4-1} = 2^3\) possible output differences defined by \(\beta \), namely:

$$ \{ \mathtt 0000 , \mathtt 0102 , \mathtt 0400 , \mathtt 0502 , \mathtt 8000 , \mathtt 8102 , \mathtt 8400 , \mathtt 8502 . \}, $$

Each difference can be formed by \(2^{16 - 3} = 2^{13}\) possible pairs \((x, x')\).

4 Search for Differential Characteristics and Differentials

During our analysis, we applied a two-step approach to find our differentials. Firstly, we employed Matsui’s algorithm [15] to find some characteristics for the 32-, 48-, and 64-bit versions of Simon:

 

Simon32/64

Simon48/\(k\)

Simon64/\(k\)

\(\alpha \)

\((\varDelta _{5}, 0)\)

\((\varDelta _{8,16}, \varDelta _{6,14,18})\)

\((\varDelta _{6}, 0)\)

\(\beta \)

\((\varDelta _{14}, 0)\)

\((\varDelta _{6,14,18,22}, \varDelta _{20})\)

\((\varDelta _{6,10,14}, \varDelta _{12})\)

Rounds

12

15

20

\(\Pr [\alpha \rightarrow \beta ]\)

\(2^{-36}\)

\(2^{-52}\)

\(2^{-70}\)

Secondly, we applied a branch-and-bound search, similar to the approach of [2]. There, we started from the input difference \(\alpha \) and propagated it round-wise in forward and backward direction. For each round, we collected all possible output characteristics \(\alpha \rightarrow \beta \) and their probability \(p\) as a tuple \((\beta , p)\) in a set and used them as a starting point for the next round in a depth-first manner. Therefore, we used Algorithm 3 for Simon and a variant of the Algorithm by Lipmaa and Moriai [14] for Speck.

Since following each path is infeasible, we pruned the search tree by considering only characteristics \(\alpha \rightarrow \beta \) with a probability above a chosen threshold. Therefore, we used the characteristic found with Matsui’s algorithm as a reference, i.e., say Matsui’s characteristic had probability \(p = 2^{-q}\) after some round \(r\), we only considered those characteristics \(\beta \) as input to round \(r + 1\) that had a probability \(p \gg 2^{-q - thresh}\). We further pruned the search tree by only storing a (chosen) maximal number of characteristics.

Every time two differential characteristics lead to the same output difference \(\beta \) after a round, we merged them to one differential trail and added their probabilities. We emphasize that our characteristics have been found experimentally and do not necessarily represent the best possible ones. Further, note that we rely on the assumption that all possible round keys are equally probable and uniformly distributed for every round.

Extending Differential Characteristics to Attacks. A given differential can be extended by a few more rounds in a key-recovery attack for any version of Simon2\(n\)/\(k\). Assume, we are given an \(r\)-round differential \((\alpha , \beta ) \rightarrow (\gamma , \delta )\). Because Simon injects the subkey at the end of the rounds, the adversary itself can compute the output of \(f(x)\) in the first round, choose \((\beta , \alpha \oplus f(\beta ))\) as input difference and obtains an \((r + 1)\)-round differential with equal probability. A similar strategy can be applied at the output side. Given an output difference \((\gamma , \delta )\) after \((r + 1)\) rounds, the difference after \((r + 2)\) rounds is \((\delta \oplus f(\gamma ), \gamma )\). Since the subkey in the last round of a characteristic does not affect the output difference \(\delta \oplus f(\gamma )\), the adversary can compute \(f(\gamma )\) itself and obtains an \((r + 2)\)-round differential with equal probability.

For the versions 48/72-, 64/96-, 96/144-, and 128/192-bit versions, one can append a further round by simply guessing its full subkey. The total computational effort for collecting plaintext-ciphertext pairs and testing all subkey candidates for the appended round remains significantly smaller than that for exhaustively searching the full key space. Moreover, for the 32/64-, 48/96-, 64/128-, and 128/256-bit versions, one can append another round by guessing its subkey.

5 Key-Recovery Attacks on Simon

In this section we describe a key-recovery attack on round-reduced Simon32/64. Since attacks on the further variants follow a similar procedure, we specify only their complexities at the end of this section. For Simon32/64 we use the \(13\)-round differential characteristic with \(p \approx 2^{-30.2}\) (see Table 4 in Appendix A) over the rounds \(2-14\):

$$ \varDelta ^1 = (0, \varDelta _{6}) \rightarrow (\varDelta _{14}, 0) = \varDelta ^{14}. $$

Note that we can choose the left part of the plaintext pairs \(P, P'\), s.t. we obtain the desired difference \(\varDelta ^1\) after the first round. We can append four additional rounds to the end of the cipher, where we will guess in total 18 key bits. From the obtained ciphertexts, we still know many bits from the truncated trail:

$$\begin{aligned} (\varDelta L^{15}, \varDelta R^{15})&= (\varDelta _{0,[6,15]}, \varDelta _{14}), \\ (\varDelta L^{16}, \varDelta R^{16})&= (\varDelta _{2,[0,1,7,8,14]}, \varDelta _{0,[6,15]}), \\ (\varDelta L^{17}, \varDelta R^{17})&= (\varDelta _{4,[0,1,2,3,6,8,9,10,15]}, \varDelta _{2,[0,1,7,8,14]}), \\ (\varDelta L^{18}, \varDelta R^{18})&= (\varDelta _{6,[14]}, \varDelta _{4,[0,1,2,3,6,8,9,10,15]}). \end{aligned}$$

Attack Procedure. The full attacking procedure can be split into a collection, a pair-filtering, a key-guessing, and a brute-force phase:

  • Collection Phase

    1. 1.

      Initialize an empty set \(\mathcal {C} = \emptyset \).

    2. 2.

      Choose \(2^{30.2}\) plaintext pairs \((P_i, P'_i)\), s.t. their difference after the first round yields \(\varDelta ^1\).

    3. 3.

      Collect their corresponding ciphertext pairs \((C_i, C'_i)\) from an encryption oracle, where \(C_i = E_K (P_i)\) and \(C'_i = E_K (P'_i)\).

  • Pair-Filtering Phase

    1. 4.

      For all ciphertext pairs, invert the final round to derive \(\varDelta ^{17}\) and store all pairs \((C_i, C'_i)\) with the correct difference at the known bits \(\varDelta ^{17}\) in \(\mathcal {C}\). We know seven bits of \(\varDelta L^{17}\) and 11 bits of \(\varDelta R^{17}\). Assuming the differences \(\varDelta ^{17}\) are uniformly distributed, we can expect \(2^{30.2-18} = 2^{12.2}\) pairs in average.

  • Key-Guessing Phase

    1. 5.

      Create a list of counters for all \(2^{18}\) possible values of the round-key bits \(K^{17}_{0,1,5,7-11,14,15}\), \(K^{16}_{6-9,13,15}\), and \(K^{15}_{9,7}\), and perform the following steps for each candidate:

      1. For all pairs \((C_i, C'_i) \in \mathcal {C}\):

        1. Partially decrypt \((C_i, C'_i)\) to the state after the encryption of Round \(14\). If their difference matches \(\varDelta ^{14}\), increment the counter for the current key candidate.

    2. 6.

      Output the key candidate(s) which is/are associated to the highest counter values.

  • Brute-Force Phase

    1. 7.

      For all bits of \(K^{17}\), \(K^{16}\), \(K^{15}\), and \(K^{14}\) that are not guessed in the previous steps, perform further encryptions to identify their correct values.

Attack Complexity. The attack requires \(2^{31.2}\) chosen plaintexts. Regarding the memory complexity, we store \(2 \cdot 2^{12.2}\) texts of \(32\) bits each, or \(2^{15.2}\) bytes for the attack. The computational effort for the collection phase, \(C_{\text {collect}} \), is equivalent to \(2^{30.2}\) full encryptions performed by the oracle. The filtering effort, \(C_{\text {filter}} \), is given by \(2^{30.2}\) one-round decryptions to check 18 bits of \(\varDelta ^{17}\). The effort for the key-guessing phase, \(C_{\text {key-guessing}} \), consists of decrypting the remaining pairs for each of the \(2^{18}\) key candidates over three further rounds.

Assuming that both filtering steps of the pair-filtering and the key-guessing phase are independent from each other, we can identify the correct value of the 18 guessed key bits. A trivial brute-force search can find the correct value of the 46 remaining bits of the considered subkeys \(K^{14},K^{15},K^{16},K^{17}\) with about \(2^{46}\) encryptions. The total computational complexity can be estimated by

$$ \underbrace{2 \cdot 2^{30.2}}_{C_{\text {collect}}} + \underbrace{2 \cdot 2^{30.2} \cdot \frac{1}{18}}_{C_{\text {filter}}} + \underbrace{2 \cdot 2^{18} \cdot 2^{18} \cdot \frac{3}{18}}_{C_{\text {key-guessing}}} + \underbrace{2^{46}}_{C_{\text {bruteforce}}} \approx 2^{46} \text { encryptions.} $$
Table 2. Parameters of our differential attacks on Simon. “1st Filter” denotes the number of bits that can be used to filter out pairs after inverting the final round; key bits = # guessed key bits; \(p\) = Probability of the used differential.
Full size table

Remark 1

Note that in the case that our assumption would not hold, we still have a differential that is satisfied with probability \(p = 2^{-30.2}\), and a 32-bit filter at \(\varDelta ^{14}\). Hence, we can expect to be able to reduce the candidates of the 18 key bits we guess in the final four rounds to \(2^{30.2} \cdot 2^{18} \cdot 2^{-32} = 2^{16.2}\), increasing the complexity of the brute-force step to \(2^{46} \cdot 2^{16.2} = 2^{62.2}\) encryptions, which is still significantly faster than exhaustive search. In general case, the computational effort for our attacks would then be dominated by the costs for a simple exhaustive search on the remaining key space. Hence, the time complexities would then become approximately \(2^k/(p\cdot 2^{2n})\) (\(k = 64\), \(n = 16\), \(p \approx 2^{-30.2}\) for Simon32/64).

Success Rate. Since the probability of a pair to follow our differential is about \(2^{-30.2}\), the probability that at least one correct pair occurs for the correct key can be approximated by

$$ 1 - \Pr [n = 2^{30.2}, p = 2^{-30.2}, x \le 0] = 1 - 1/e \approx 0.632. $$

Similar Attacks on Further Versions. We can apply the same procedure to further versions of Simon. To cover one additional round, we use chosen ciphertexts in the attack on Simon48/\(k\). Table 2 summarizes the probabilities, required number of pairs, known state bits to filter (1st filter), guessed key bits (key bits), and success rates (where false random shows the probability that no correct pair occurs during execution of the respective attack, and false real denotes the probability of a false-positive pair to occur) for each attack. The differential characteristics for the further version are illustrated in Tables 45 and 6 in Appendix A.

6 Differential Attacks on Speck

In this section we describe our differential analysis of Speck. Since the small version of Speck (Speck32/64) allows a simple practical verification, in the following, we only discuss this version in detail. We apply the same strategy to the remaining family members of Speck and present only their complexities at the end of this section.

6.1 Key-Recovery Attack on Speck32/64

We use the characteristic for Speck32/64 from Table 7 in Appendix A with \(p \approx 2^{-24}\) over rounds \(2-9\) to mount a \(10\)-round attack.

$$ \varDelta ^{1} = (\varDelta _{5,6,9,11}, \varDelta _{0,2,9,14}) \rightarrow (\varDelta _{1,3,5,15}, \varDelta _{3,5,7,10,12,14,15}) = \varDelta ^{9}. $$

Attack Procedure. Again, we split the attacking procedure into a collection, a key-guessing, and a brute-force phase:

  • Collection Phase

    1. 1.

      Initialize an empty list \(\mathcal {C} = \emptyset \).

    2. 2.

      Choose \(2^{28}\) pairs \((P_i, P'_i)\) s.t. their difference after the first round is \(\varDelta ^1\).

    3. 3.

      Collect the corresponding ciphertext pairs \((C_i, C'_i)\) from a decryption oracle, where \(C_i = E_K (P_i)\) and \(C'_i = E_K (P'_i)\). Derive \(\varDelta L^9_{0-3}, \varDelta R^9\) and store all pairs \((C_i, C'_i)\) with \(\varDelta L^9_{0-3} = \varDelta _{3} \) and \(\varDelta R^9 = \varDelta _{3,5,7,10,12,14,15} \) in the list \(\mathcal {C}\).

  • Key-Guessing Phase

    1. 4.

      Create a list of \(2^{12}\) counters.

    2. 5.

      For all possible values of the 12 key bits \(K^{9}_{4-15}\):

      1. For all pairs \((C_i, C'_i) \in \mathcal {C}\):

        1. Partially decrypt \((C_i, C'_i)\) to the state after the encryption of Round \(9\), and derive \(\varDelta L^{9}\). If \(\varDelta L^{9} = \varDelta _{1,3,5,15} \), then increment the counter for the current key candidate.

    3. 6.

      Output those keys as potentially correct for which their counter has a value of at least four.

    4. 7.

      Mark all pairs which yielded the correct \(\varDelta ^{9}\) for the potentially correct key(s) as correct pairs.

  • Brute-Force Phase

    1. 8.

      Partially decrypt all correct pairs round by round to get the correct subkey bits \(K^{9}_{0-3}\), \(K^8\), \(K^7\), and \(K^6\).

Success Rate. The probability that a pair follows our differential characteristic is about \(2^{-24}\). Hence, the probability that no more than three correct pairs occur when using Speck (i.e., the correct subkey will not be found) is about

$$ \Pr [n = 2^{28}, p = 2^{-24}, x \le 3] \approx 9.31 \cdot 10^{-5}, $$

and hence, the success probability of the attack approx. \(1 - 9.31 \cdot 10^{-5} > 0.99\).

Attack Complexity. Our attack on Speck32/64 requires \(2^{29}\) chosen plaintexts. The computational effort for \(C_{\text {collect}} \) covers \(2^{29}\) full encryptions performed by an encryption oracle. The filtering effort, \(C_{\text {filter}} \), is twofold. First, we partially decrypt all ciphertext pairs over the final round. There, we have a 20-bit filter from the four least-significant bits of \(\varDelta L^9\) and the full \(\varDelta R^9\). Assuming all differences occur uniformly at random, we expect to have \(2^{28 - 20} = 2^8\) remaining pairs afterwards. Thereupon, for \(2^{12}\) values of \(K^{9}_{4-15}\), we derive the remaining \(2^8\) pairs and derive \(\varDelta L^9\). In the brute-force phase, the adversary partially decrypts the remaining pairs round by round to identify the correct round keys. Therefore, the full computational complexity is given by

$$ \underbrace{2^{29}}_{C_{\text {collect}}} + \underbrace{ 2^{29} \cdot \frac{1}{10} + 2^{8} \cdot 2^{12} \cdot \frac{1}{10} }_{C_{\text {filter}}} + \underbrace{ \left( 2^4 + 2^{16} + 2^{16} + 2^{16}\right) \cdot 2^8 \cdot \frac{1}{10} }_{C_{\text {bruteforce}}} \approx 2^{29.16} $$

encryptions. Concerning the memory complexity, we store a list of counters for all key candidates, which requires \(2^{12}\) bytes for the first filtering phase and \(2^{16}\) bytes for the counters of the round keys in the brute-force phase.

We can apply a similar procedure for the remaining versions of Speck and obtain the results of Table 3. In all cases, the computational effort is dominated by the brute-force step. The differentials for the individual versions of Speck can be found in the Tables 789 and 10 in Appendix A.

Table 3. Parameters of our differential attacks on Speck. “1st Filter” denotes the number of bits that can be used to filter out pairs after inverting the final round; key bits = # guessed key bits; \(p\) = Probability of the used differential.
Full size table

7 Rectangle Attacks on Speck

Boomerangs and Rectangles. Boomerangs and rectangles allow to use two short differential characteristics with high probabilities instead of a single long differential. Therefore, one first splits a given cipher \(E \) into parts \(E = E ^2 \circ E ^1\), and searches for two differentials \(\alpha \xrightarrow [E ^1]{p} \beta \text { and } \gamma \xrightarrow [E ^2]{q} \delta \). Next, one collects quartets of plaintexts \((P, P', Q, Q')\) with \(P \oplus P' = Q \oplus Q' = \alpha \). In the following we denote by \((R, R', S, S')\) their encryptions after \(E ^1\) and by \((C, C', D, D')\) their encryptions after \(E ^2\).

Each quartet has a probability of \(p^2\) that \((R, R', S, S')\) fulfils \(R \oplus R' = S \oplus S' = \beta \). We are interested in the case when \(R \oplus S = \gamma \) since then, it automatically applies that \(R' \oplus S' = \gamma \). With probability \(q^2\), a ciphertext quartet \((C, C', D, D')\) fulfils \(C \oplus D = C' \oplus D' = \delta \). In this case, we call it a right quartet. If an adversary collects \(m\) pairs with difference \(\alpha \), then, the expected number of right quartets according to [4] is:

$$ m^2 \cdot 2^{-n} \cdot (pq)^2. $$

Hence, it must apply that \(pq < 2^{-n/2}\) in order to mount an attack on \(E\).

As an improvement Biham et al. proposed in [4] to use quartets with any possible difference \(\beta '\) and \(\gamma '\) in the middle, as long as both pairs in a quartet share the same difference \(\beta '\) and \(\gamma '\) after \(E ^1\). Thus, the probabilities of \(p\) and \(q\) increase to

$$ \hat{p} = \sqrt{\sum _{\beta '} \Pr [\alpha \rightarrow \beta ']} \quad \text { and } \quad \hat{q} = \sqrt{\sum _{\gamma '} \Pr [\gamma ' \rightarrow \delta ]}. $$

In the remainder of this section, we describe in details a rectangle attack on 11 rounds of Speck32/64. Since our attacks on the further versions of Speck work similar, we only specify the used trails and their complexities in Tables 11 and 12 in Appendix B.

7.1 Rectangle Attack on Speck32/64

For the attack on Speck32/64 we use the following trails \(\alpha \rightarrow \beta '\) and \(\gamma ' \rightarrow \delta \):

$$ \alpha = (\varDelta _{11,13}, \varDelta _{4}) \xrightarrow [E _1]{\hat{p}\,\ge \,2^{-8.01}} \beta ' \text { and } \gamma ' \xrightarrow [E _2]{\hat{q}\,\ge \,2^{-4.56}} (\varDelta _{15}, \varDelta _{1,3,10,15}) = \delta . $$

\(E _1\) represents the rounds 2–6, and \(E _2\) the rounds 7–10. Again, we can split the attacking procedure into a collection, a key-guessing, and a brute-force phase:

  • Collection Phase

    1. 1.

      Initialize two empty hash tables \(\mathcal {C}\), \(\mathcal {D}\), and a list \(\mathcal {Q}\).

    2. 2.

      Choose \(\frac{2^{(n + 2)/2}}{\hat{p}\hat{q}} = \frac{2^{34/2}}{2^{-8.01}2^{-4.56}} = 2^{29.57}\) plaintext pairs \((P, P')\) s.t. their difference after the first round is \(\alpha \).

    3. 3.

      Ask for the encryption of \((P,P')\) and receive the corresponding ciphertext pair \((C,C')\). Then, partially decrypt \(C, C'\) over the final round to the state after Round 10, \((R^{10}, {R'}^{10})\) and store the result in \(\mathcal {C}\). XOR the right part of \(\delta \) to \((R^{10} \oplus \varDelta _{1,3,10,15}, {R'}^{10} \oplus \varDelta _{1,3,10,15} \) and store them in \(\mathcal {D}\).

    4. 4.

      Prior, lookup if there is already an entry in \(\mathcal {D}\) under the index

      $$(R^{10} \oplus \varDelta _{1,3,10,15}, {R'}^{10} \oplus \varDelta _{1,3,10,15}). $$

      If there is, label the existing ciphertext pair in \(\mathcal {D}\) as \((D, D')\) and store the quartet \((C, C', D, D')\) in \(\mathcal {Q}\). We can build \((2^{29.57})^2 / 2 = 2^{58.14}\) quartets from our pairs. Since this event requires a match in 16 bits of the first, and 16 bits of the second pair, we can expect to have at average a number of \(2^{58.14 - 32} \approx 2^{26.14}\) false positive quartets for which this condition holds. Since the probability of a right quartet is \(2^{2 \cdot -8.01 + 2 \cdot -4.56} = 2^{-25.14}\), we can expect \(2^{58.14 - 25.14} = 2^{33}\) right quartets in addition. We approximate \(2^{33} + 2^{26.14} \approx 2^{33}\) hereafter.

  • Filtering Phase

    1. 5.

      Initialize a table \(\mathcal {T}\) of \(2^{16}\) counters.

    2. 6.

      For all possible values of the subkeys \(K^{10}\):

      1. 6.1

        Decrypt all quartets over the final round and check whether their difference \(\varDelta L^{10}\) is equal to \(\varDelta _{15} \). If yes, then increment the counter for the current key candidate in \(\mathcal {T}\).

    3. 7.

      Output the key candidate(s) with the maximal count(s) in \(\mathcal {T}\).

  • Brute-Force Phase

    1. 8.

      Partially decrypt the remaining pairs round by round to identify the further round keys \(K^9\), \(K^8\), and \(K^7\).

Attack Complexity. The attack requires \(2^{30.07}\) chosen plaintexts. We have to store the corresponding ciphertexts, the remaining \(2^{33}\) quartets, and a list of \(2^{16}\) counters for all round-key candidates. So, we can approximate the required memory by \((2^{30.07} + 4 \cdot 2^{33}) \cdot 32/8 + 2^{16} \approx 2^{37.1}\) bytes. The computational effort for the collection phase, \(C_{\text {collect}} \), consists of \(2^{30.07}\) full encryptions performed by the oracle, and \(2^{30.07}\) half-round decryptions. Additionally, we need \(2^{30.07}\) memory accesses to look up potential quartets and about \(4 \cdot 2^{33}\) memory accesses in average to store the remaining quartets.

To use consistent units, we overestimate a memory access by a half-round computation. In the filtering phase, we have to perform \(2^{16} \cdot 4 \cdot 2^{33} = 2^{51}\) half-round decryptions to obtain the difference in the left word after Round 10. Summing up, we obtain a computational effort of

$$ \underbrace{ 2^{30.07} + (2^{30.07} + 2^{30.07} + 4 \cdot 2^{26.14}) \cdot \frac{1}{22}}_{C_{\text {collect}}} + \underbrace{2^{51.14} \cdot \frac{1}{22}}_{C_{\text {filter}}} + \underbrace{2^{16} + 2^{16} + 2^{16}}_{C_{\text {bruteforce}}} \approx 2^{46.68} $$

encryptions.

8 Discussion and Conclusion

This work presented differential attacks on round-reduced versions of the Simon and Speck. Furthermore, we briefly considered rectangle attacks on Speck. We also studied rectangle attacks on Simon and impossible-differential attacks; however, we omitted those since they did not improve our results with conventional differentials.

Our analysis can be seen as a starting point for further research on Simon and Speck. For Simon, it demonstrates that up to half the number of rounds are vulnerable against differential attacks due to its highly optimizied round function. Moreover, the cipher shows a strong differential effect, i.e., there are many possible characteristics for given input and output difference.

Speck is much closer to previous ARX designs such as ThreeFish than Simon. However, while ThreeFish has been published four years ago, still only 1/3 of the rounds have been attacked so far, whereas the current analysis of Speck already threatened the security of up to half of the rounds little time after publication. Moreover, any new analysis method on addition-based ARX would be a threat to both NSA constructions as well. In conclusion, we can learn from Simon that ARX designs should incorporate additions to provide reasonably fast diffusion.