MILP/MIQCP-Based Fully Automatic Method of Searching for Differential-Linear Distinguishers for SIMON-Like Ciphers

Zhou, Yanyan; Wang, Senpeng; Hu, Bin

doi:https://doi.org/10.1049/2024/8315115

IET Information Security

On this page

Abstract Introduction Preliminaries Conclusion Appendix Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2024 | Article ID 8315115 | https://doi.org/10.1049/2024/8315115

MILP/MIQCP-Based Fully Automatic Method of Searching for Differential-Linear Distinguishers for SIMON-Like Ciphers

Yanyan Zhou,¹Senpeng Wang,¹and Bin Hu¹

Academic Editor: Qichun Wang

Received08 Jul 2023

Revised27 Sept 2023

Accepted06 Oct 2023

Published12 Jan 2024

Abstract

Differential-linear (DL) cryptanalysis is an important cryptanalytic method in cryptography and has received extensive attention from the cryptography community since its proposal by Langford and Hellman in 1994. At CT-RSA 2023, Bellini et al. introduced continuous difference propagations of XOR, rotation, and modulo-addition operations and proposed a fully automatic method using Mixed-Integer Linear Programing (MILP) and Mixed-Integer Quadratic Constraint Programing (MIQCP) techniques to search for DL distinguishers of Addition-Rotation-XOR (ARX) ciphers. In this paper, we propose continuous difference propagation of AND operation and construct an MILP/MIQCP-based fully automatic model of searching for DL distinguishers of SIMON-like ciphers. We apply the fully automatic model to all versions of SIMON and SIMECK. As a result, for SIMON, we find 13 and 14-round DL distinguishers of SIMON32, 15, 16, and 17-round DL distinguishers of SIMON48, 20-round DL distinguishers of SIMON64, 25 and 26-round DL distinguishers of SIMON96, 31 and 32-round DL distinguishers of SIMON128. For SIMECK, we find 14-round DL distinguishers of SIMECK32, 17 and 18-round DL distinguishers of SIMECK48, 22, 23, 24, and 25-round DL distinguishers of SIMECK64. As far as we know, our results are currently the best.

1. Introduction

In 1994, Langford and Hellman [1] proposed differential-linear (DL) cryptanalysis based on differential cryptanalysis introduced by Biham and Shamir [2] and linear cryptanalysis introduced by Matsui [3]. An entire cipher can be decomposed as a cascade , a differential distinguisher and a linear distinguisher are applied to sub ciphers and , respectively. Assume that the differential holds with probability , the linear approximation is satisfied with correlation . Under the assumption that and are independent, the correlation of the DL distinguisher is . Figure 1 shows the overview of the DL distinguisher. DL cryptanalysis has attracted a lot of researches since its introduction.

In 2017, Blondeau et al. [4] developed a concise theory of DL cryptanalysis and gave a close estimate of the bias under the sole assumption that the two parts of the cipher are independent. They also revisited the previous methods of estimating DL bias proposed by Biham et al. [5].

At EUROCRYPT 2019, Bar-On et al. [6] took the effects of dependency between the two sub ciphers and into account, then proposed the differential-linear connectivity table (DLCT). Here, the cipher can be divided into three subciphers , , and , namely, , where the correlation of is experimentally evaluated. Thus, the correlation of the DL distinguisher can be estimated as . The overall framework of the DL distinguisher is depicted in Figure 2.

At EUROCRYPT 2021, Liu et al. [7] generalized the technique proposed by Morawiecki et al. [8] and proposed a practical method for estimating the bias of (rotational) DL distinguishers for Addition-Rotation-XOR (ARX) ciphers in the special case where the output linear mask is a unit vector. Subsequently, at CRYPTO 2022, Niu et al. [9] computed the (rotational) DL correlation of modulo additions for arbitrary output linear masks, based on which a technique for evaluating the (rotational) DL correlation of ARX ciphers was derived.

At CRYPTO 2021, Liu et al. [10] re-investigated the basic principles and methods of DL cryptanalysis from an algebraic perspective and proposed the algebraic transitional forms (ATF) technique to estimate the DL bias of non-ARX ciphers. Note that it does not require any assumptions in theory for the estimation of bias from the algebraic perspective. For more researches and applications of DL cryptanalysis, see [11–14].

However, there is no effective method that can automatically search for good DL distinguishers in the above researches on DL cryptanalysis. At CT-RSA 2023, Bellini et al. [15] presented a fully automatic method of searching for DL distinguishers for ARX ciphers by using Mixed-Integer Linear Programing (MILP) and Mixed-Integer Quadratic Constraint Programing (MIQCP) techniques. They improved the correlations of the best 9 and 10-round DL distinguishers on Speck32/64. Also, it is the first time a DL distinguisher reached 11 rounds for Speck32/64.

In this paper, we will explore how to fully automatically search for DL distinguishers for SIMON-like ciphers by using MILP and MIQCP techniques.

1.1. Related Works

There are various papers published on the cryptanalysis of SIMON-like ciphers [16–24]. Especially, there are many different techniques and automatic tools in the literature for finding differential, linear distinguishers on SIMON-like ciphers. In 2015, Sun et al. [18] constructed mixed-integer programing models whose feasible region is exactly the set of all valid differential characteristics of SIMON. In 2015, Abed et al. [16] stated an algorithm for the calculation of the differential probabilities but without further explanation. Kölbl et al. [20] derived efficiently computable and easily implementable expressions for the exact differential and linear behavior of SIMON-like round functions. Moreover, they used those expressions for a computer-aided approach based on Boolean satisfiability problem or satisfiability modulo theories (SAT/SMT) solvers to find both optimal differential and linear characteristics for SIMON. In 2021, Sun et al. [22] put forward a new encoding method to convert Matsui’s bounding conditions into Boolean formulas and integrated the bounding conditions into the SAT method, which accelerated the search for differential and linear characteristics for SIMON-like ciphers.

For finding DL distinguishers for SIMON-like ciphers, in 2018, Chen et al. [23] constructed a 13-round DL distinguisher with bias and presented key recovery attacks on 17-round and 18-round SIMON32, respectively. However, Hu et al. [24] pointed there are some problems in the calculation process of this method. In 2022, Hu et al. [24] constructed 13-round DL distinguishers for SIMON32 and SIMON48, respectively, and showed 16-round key recovery attacks on SIMON32 and SIMON48, respectively.

Note that there are no relevant researches on searching for DL distinguishers of SIMECK and larger instances of SIMON (SIMON64, SIMON96, SIMON128), and there is no effective method that can automatically search for good DL distinguishers for SIMON-like ciphers. This paper will intend to fill this vacancy.

1.2. Our Contribution

The new MILP/MIQCP model to find DL distinguishers for ARX ciphers was given by Bellini et al. [15], but the MILP/MIQCP techniques could not be applied to SIMON-like ciphers. Inspired by this, we propose continuous difference propagation of AND operation for the first time. Therefore, we construct an MILP/MIQCP model to fully automatically search for DL distinguishers for SIMON-like ciphers. Recall that we have three parts in the DL distinguisher with improved structure, including the differential part (top part), the DL part (middle part), and the linear part (bottom part), so we need to consider the models of these three parts, separately.

Firstly, according to efficient computation for the exact differential behavior of SIMON-like round functions [20], we construct the differential model of SIMON-like ciphers by using MILP techniques. For the linear part, we consider the AND operation in the round function as independent S-boxes, then exploit the model-generating method for S-boxes to complete the formation of the linear MILP model.

Secondly, we propose continuous difference propagation of the AND operation, then model the DL part (middle part) of SIMON-like ciphers. So, we obtain the MILP/MIQCP-based fully automatic model to search for DL distinguishers of SIMON-like ciphers.

Finally, to illustrate the effectiveness of our fully automatic model, we apply it to search for DL distinguishers of all versions of SIMON and SIMECK and verify experimentally the correlations of our DL distinguishers. To the best of our knowledge, it is the first time that DL distinguishers of all versions of SIMON and SIMECK have been found. Compared to previous DL distinguishers, for SIMON32 and SIMON48, our distinguishers have increased by 1 and 4 rounds, respectively. For SIMON64, SIMON96, SIMON128, and all versions of SIMECK, it is the first time that the DL distinguishers have been found. As far as we know, our DL distinguishers are currently the best for SIMON and SIMECK. Our results are given in Table 1.

1.3. Outline

The rest of this paper is organized as follows: In Section 2, we introduce notations and preliminaries used in this paper. In Section 3, we propose a fully automatic model to find DL distinguishers for SIMON-like ciphers. In Section 4, the fully automatic model is applied to all versions of SIMON and SIMECK, and all improved results are experimentally verified. We conclude this paper with some open problems in Section 5.

2. Notations and Preliminaries

In this paper, we will use the following notations. Let , we denote by the -th bit of . The bitwise XOR operation of and is denoted as . The bitwise AND operation of and is denoted as . denotes rotation of by bits to the left. denotes the set of real numbers between 1 and , namely, . denotes the real number domain. and denote left half and right half of the -th round input, respectively.

MILP is a kind of programing problem of optimizing (minimizing or maximizing) a linear objective function . The objective function and constraints are linear, and all or some of the decision variables in the problem are restricted to be integers. For example, an MILP model is as follows, consisting of three parts: objective function, constraints, and variables.

MIQCP is a class of programing problems that optimize an objective function (quadratic or linear) given a set of quadratic constraints. The constraints can be inequalities or equations. When we want to invoke the Gurobi optimizer to solve a question, we need to translate the question into the form of MILP/MIQP problem.

Lemma 1. [3] (Piling-up Lemma). Let be independent binary random variables with . Then we have thator alternatively,

Proposition 1. [7] Let , and be -bit strings with and . Then

According to Proposition 1, it’s easy to obtain Corollary 1.

Corollary 1. Let , and , if , then

2.1. Description of SIMON-Like Ciphers

SIMON is a family of lightweight block ciphers designed by the US National Security Agency. There are 10 versions of SIMON. The SIMON block cipher with an -bit word (a -bit block) is denoted as SIMON , where is required to be 16, 24, 32, 48, or 64. SIMON with an -word (-bit) key is referred to as SIMON, where . For example, SIMON32/64 refers to the version of SIMON acting on 32-bit plaintext blocks and using a 64-bit key. All versions of SIMON use similar round functions. The round function of SIMON is depicted in Figure 3.

Let the input of i-th round be , so the i-th round function is described in the following:where

The key scheduling of SIMON depends on the size of the master key. For a detailed description of SIMON, please refer to the study of Beaulieu et al. [25].

SIMECK is a new family of lightweight block ciphers that combines the good design components from both SIMON and SPECK. There are three versions of SIMECK, namely SIMECK32/64, SIMECK48/96, and SIMECK64/128. The round function of SIMECK is similar to SIMON, but the rotation constants are different, namely, , , and . For a detailed description of SIMECK, please refer to the study of Yang et al. [26].

2.2. Continuous Difference Propagation

Coutinho et al. [27] proposed a new technique called Continuous Diffusion Analysis (CDA), which allows them to generalize cryptographic algorithms by transforming bits into probabilities or correlations. They presented continuous generalizations of some cryptographic operations (such as the XOR, addition modulo, S-box, etc.) and expressed bits as probabilities or correlations. For example, for the XOR operation , where are independent random variables. is equal to 1 either when and or when and . Let , , and . Therefore, . Expressing , , and as functions of their correlations , , , they defined the continuous generalization of XOR operation as .

Inspired by Coutinho’s idea, Bellini et al. [15] constructed continuous functions for the difference propagation of ARX operations. For instance, assume and are two pairs of inputs of , , . Therefore, . Expressing , as functions of their correlations , , they defined the continuous difference propagation for as . Also, they defined more formally continuous difference propagation in Definition 1.

Definition 1. [15] Let be a function with input variables belonging to , and with output in , the continuous difference propagation of , denoted as , is a function that maps input variables from to , and describes the correlation between an input difference for f and each bit of its output difference. The exact form of the function will depend on the specific properties of the function .

According to this definition, they obtained some propositions describing continuous difference propagations for ARX operations. The continuous difference propagations of XOR, left and right rotation are as follows:

Proposition 2. [15] (Continuous difference propagation of XOR). Let , then the continuous difference propagation of XOR is given by .

Proposition 3. [15] (Continuous difference propagation of Left and Right Rotation). Let and such that , then the continuous difference propagation of the rotation to the left, and to the right, by , respectively, is given by the following:

3. Fully Automatic Model of Finding DL Distinguishers with MILP/MIQCP

We use MILP/MIQCP techniques to model the entire DL distinguishers. Recall that the DL distinguisher with improved structure consists of three parts, namely, the differential part (top part), the DL part (middle part), and the linear part (bottom part). Therefore, we need to model these three parts, respectively.

3.1. Differential MILP Model of SIMON-Like Ciphers

Kölbl et al. [20] derived efficiently computable and easily implementable expressions for the exact differential of SIMON-like round functions, see Theorem 1.

Theorem 1. [20] Let , and and be an input and an output difference, where , even, and . Then withandandwe have that the probability that difference goes to difference is as follows:

According to Theorem 1, Kölbl et al. [20] used those expressions for a computer-aided approach based on SAT/SMT solvers. Instead, we construct the differential MILP model of SIMON-like round function based on Theorem 1.

Differential Model (SIMON-Like Round Function). For the -bit SIMON-like round function, we denote and as the input and output differences, respectively. Additionally, three -bit variables , , and are incorporated so that we can evaluate the differential probability. If is not an all-ones vector, the differential is valid if and only if the values of , , varibits, doublebits, and validate all the constraints listed below:

The weight of the possible differential is .

3.2. Linear MILP Model of SIMON-Like Ciphers

Kölbl et al. (cf. Theorem 5) [20] perfectly handled the dependency and derived efficient computation for the exact linear behavior of SIMON-like round functions. However, because of the difficulty of encoding this model with Boolean equations, Sun et al. [22] regarded the AND operations in the round function as independent S-boxes and exploited the model-generating method for S-boxes to complete the linear SAT model. Similarly, we regard the AND operations as independent S-boxes. After computing its linear approximation table (LAT), we obtain the linear MILP model.

Linear Model (SIMON-Like Round Function). For the -bit SIMON-like round function, we denote the input and output linear masks as and , respectively. Two auxiliary -bit variables and are employed to record the two input masks of the AND operation. After one round of encryption, we denote the right half of the output linear mask as . To estimate the linear correlation, we also import an -bit variable . The correlation of the linear approximation is nonzero if the values of , , , , and validate all the constraints listed in the following:where MILP model of the equation as follows:

The value of equals the opposite number of the binary logarithm of the absolute value of the correlation.

3.3. Middle Part Model of SIMON-Like Ciphers

To model the middle part of ARX ciphers, Bellini et al. [15] proposed the continuous difference propagations of ARX operations (see Section 2.2) and modeled the continuous difference propagation using the MILP/MIQCP syntax over . Inspired by this, to model the middle part of SIMON-like ciphers, we first propose the continuous difference propagation of AND operation, then model the continuous difference propagation of SIMON-like ciphers using the MILP/MIQCP syntax over .

Proposition 4. (Continuous Difference Propagation of AND). Let , then the continuous difference propagation of AND is given by .

Proof 1. Suppose , and , , and . According to Corollary 1, if and , we have . Replacing the probabilities with their expressions involving their respective correlations , we have, so .

In the following, we regard as the multiplication of and in . According to Proposition 4, we model constraints of AND operation using the MILP/MIQCP syntax over .

Constraints of AND Operation. For every AND operation with input and and output , we have constraints:for .

SIMON-like ciphers also include XOR operation and left rotation operation. Bellini et al. [15] showed the constraints of them.

Constraints of XOR Operation [15]. For every XOR operation with input and and output , we have constraints:for .

Constraints of Left Rotation Operation [15]. For every left rotation operation with input and output , we have n constraints:for , where is left rotation constant.

Constraints of R-Round SIMON-Like Cipher. For all rounds, we need variables belonging to to represent the states of SIMON. The count of the number of equations is as follows: equalities to model the XOR operation. equalities to model the AND operation. Summing up, we have a total of constraints to model the continuous difference propagation framework for SIMON-like ciphers.

Objective Function of the Middle Part Model. For the objective function of the middle part, given the correlation , we need to minimize the function . Beaulieu et al. [25] found a linear function to approximate such that .

In addition, to connect the top part with the middle part, we use the method in the study of Bellini et al. [15] to translate the differential output bits into real numbers belonging to . Specifically, the value in a specific position in the output of the differential part indicates that there is a difference in that position, so the probability is , which results in a correlation . In contrast, the value means that there is no difference in that position, so the probability is , and the correlation is . In other words, the correlation in that certain position with output bit is , and the correlation in that certain position with output bit is .

Assume is the output difference of the differential part, and is the input difference of the middle part. There are the constraints if , otherwise . To connect the middle part with the linear part, suppose is the input mask of the linear part, and is the output of the middle part. Since the correlation of the middle part can not be 0, there is the constraint .

Objective Function of the Entire Model. We denote and as the exponents of the differential and linear parts, respectively. By applying Lemma 1 (piling-up lemma), we need to minimize the exponents of the three parts, namely, .

Thus, we construct the fully automatic model to find DL distinguishers of SIMON-like ciphers. Note that as the number of rounds increases, it becomes increasingly difficult to find a good DL trail for larger instances of SIMON-like ciphers. Therefore, we apply one strategy to obtain good DL distinguishers for larger instances of SIMON-like ciphers.

One Strategy to Obtain Good DL Distinguishers. First, we obtain the optimal differential trail for a certain number of rounds by using the SAT method presented in the study of Sun et al. [22]. Second, we extend the optimal differential trail by a DL trail (the middle part) and a linear trail (the bottom part) by using our fully automatic model.

4. Applications to SIMON-Like Ciphers

In this section, we apply the fully automatic model to search for DL distinguishers for SIMON-like ciphers. For clarity and convenience, if a DL distinguisher has the -round top part, the -round middle part, and the -round bottom part, we say that the DL distinguisher uses configuration . Our MILP/MIQCP models have been implemented using MiniZinc and solved with Gurobi.

4.1. Applications to SIMON

We apply the fully automatic model to all versions of SIMON. Our DL distinguishers are shown in Table 2.

For SIMON32, we found two DL distinguishers for 13 and 14 rounds. To obtain the 13-round distinguisher, we try all configurations regarding the number of rounds for the top, middle, and bottom parts. In this case, for the 13-round DL distinguisher, the best theoretical correlation is found by using configuration . For the 14-round DL distinguisher, in the same way, we try all configurations. In this case, the best theoretical correlation is found by using configuration . The details of the two distinguishers are covered in Tables 4 and 5.

For SIMON48, we found three DL distinguishers for 15, 16, and 17 rounds. Similarly, we try all configurations regarding the number of rounds for the top, middle, and bottom parts. In these cases, the best theoretical correlation for the 15-round DL distinguisher is found by using configuration , the best theoretical correlation for the 16-round DL distinguisher is found by using configuration , and the best theoretical correlation for the 17-round DL distinguisher is found by using configuration . The details of these distinguishers can be found in Tables 6–8.

For SIMON64, we obtain a DL distinguisher for 20 rounds by using the strategy in Section 3.3. Likewise, we try all configurations regarding the number of rounds for the top, middle, and bottom parts, and the DL distinguisher by using configuration is found. The details of the distinguisher are shown in Table 9.

For SIMON96, we obtain two DL distinguishers for 25 and 26 rounds by using the strategy in Section 3.3. In the same way, the 25-round DL distinguisher by using configuration and 26-round DL distinguishers by using configuration are found. The details of the two distinguishers are provided in Tables 10 and 11.

For SIMON128, we obtain two DL distinguishers for 31 and 32 rounds by using the strategy in Section 3.3. In the same way, the 31-round DL distinguisher by using configuration and the 32-round DL distinguishers by using configuration are found. Please check Tables 12 and 13 for the details of the two distinguishers.

4.2. Applications to SIMECK

In this section, we apply the fully automatic model to search for DL distinguishers for SIMECK. It is the first time that DL distinguishers for SIMECK have been obtained. These DL distinguishers are shown in Table 3.

For SIMECK32, we find a DL distinguisher for 14 rounds. To obtain the 14-round distinguisher, we try all configurations regarding the number of rounds for the top, middle, and bottom parts. In this case, the best theoretical correlation is found by using configuration . The details of the distinguisher can be found in Table 14.

For SIMECK48, we find two DL distinguishers for 17 and 18 rounds. Similarly, we try all configurations regarding the number of rounds for the top, middle, and bottom parts. In these cases, the best theoretical correlation for the 17-round DL distinguisher is found by using configuration , the best theoretical correlation for the 18-round DL distinguishers by using configuration is found. The details of the two distinguishers are shown in Tables 15 and 16.

For SIMECK64, we find four DL distinguishers for 22, 23, 24, and 25 rounds by using the strategy in Section 3.3. The 22-round DL distinguisher by using configuration , 23-round DL distinguishers by using configuration , 24-round DL distinguishers by using configuration , and 25-round DL distinguishers by using configuration are found. The details of these distinguishers are in Tables 17–20.

5. Conclusion and Open Problems

In this work, we consider how to construct the MILP/MIQCP model to fully automatically search for DL distinguishers of SIMON-like ciphers. For the top part of the model, we first construct the differential MILP model of SIMON-like ciphers according to efficient computation for the exact differential behavior of SIMON-like round functions. For the middle part, we obtain continuous difference propagation of AND operation, so we can model the middle part of SIMON-like ciphers. For the bottom part, we construct the linear MILP model of SIMON-like ciphers by regarding AND operation as independent S-boxes. After that, we apply the MILP/MIQCP model to SIMON and SIMECK. It is the first time that the DL distinguishers for full versions of SIMON and SIMECK have been obtained. To the best of our knowledge, our fully automatic model finds the best DL distinguishers for SIMON and SIMECK at present. We believe that the fully automatic model can be applied to SPN ciphers. Of course, the primary problem to be solved is how to characterize the continuous difference propagation of S-boxes, which is also our future work.

Appendix

Details of the DL Distinguishers

In the Tables 4–20, the first column shows the number of rounds. The second column shows the differential, DL, or linear trails of the DL distinguishers presented in Section 4. In the DL part, we have rows and subrows. Each row represents a state of the DL trail, and each subrow represents correlation of every bit of that state.

Data Availability

No underlying data were collected or produced in this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was sponsored by the National Natural Science Foundation of China (grant nos. 62102448, 62202493, and 62372463).

References

S. K. Langford and M. E. Hellman, “Differential-linear cryptanalysis,” in Advances in Cryptology–CRYPTO ’94, 14th Annual International Cryptology Conference, Santa Barbara, California, USA, August 21–25, 1994, Proceedings, vol. 836 of Lecture Notes in Computer Science, pp. 17–25, Springer, Santa Barbara, California, USA, 1994.
View at: Publisher Site | Google Scholar
E. Biham and A. S., Differential Cryptanalysis of the Data Encryption Standard, Springer, Berlin, Germany, 1993.
M. Matsui, “Linear cryptanalysis method for DES cipher,” in Advances in Cryptology—EUROCRYPT ’93. EUROCRYPT 1993, T. Helleseth, Ed., vol. 765 of Lecture Notes in Computer Science, Springer, Berlin, Heidelberg, 1994.
View at: Publisher Site | Google Scholar
C. Blondeau, G. Leander, and K. Nyberg, “Differential-linear cryptanalysis revisited,” Journal of Cryptology, vol. 30, no. 3, pp. 859–888, 2017.
View at: Publisher Site | Google Scholar
E. Biham, O. Dunkelman, and N. Keller, “Enhancing differential-linear cryptanalysis,” in Advances in Cryptology—ASIACRYPT 2002, Y. Zheng, Ed., vol. 2501 of ASIACRYPT 2002. Lecture Notes in Computer Science, Springer, Berlin, Heidelberg, 2002.
View at: Publisher Site | Google Scholar
A. Bar-On, O. Dunkelman, N. Keller, and A. Weizman, “DLCT: A new tool for differential-linear cryptanalysis,” in Proceedings of Advances in Cryptology — EUROCRYPT. 2019–38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lecture Notes in Computer Science, pp. 313–342, 2019.
View at: Google Scholar
Y. Liu, S. Sun, and C. Li, “Rotational cryptanalysis from a differential-linear perspective - practical distinguishers for round-reduced friet, xoodoo, and alzette,” in Proceedings of Advances in Cryptology EUROCRYPT. 2021 40th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lecture Notes in Computer Science, pp. 741–770, 2021.
View at: Google Scholar
P. Morawiecki, J. Pieprzyk, and M. Srebrny, “Rotational cryptanalysis of round-reduced keccak,” in Proceedings of Fast Software Encryption–20th International Workshop, Lecture Notes in Computer Science, pp. 241–262, 2013.
View at: Google Scholar
Z. Niu, S. Sun, Y. Liu, and C. Li, “Rotational differential-linear distinguishers of ARX ciphers with arbitrary output linear masks,” in Proceedings of Advances in Cryptology–CRYPTO. 2022–42nd Annual International Cryptology Conference, Lecture Notes in Computer Science, pp. 3–32, 2022.
View at: Google Scholar
M. Liu, X. Lu, and D. Lin, “Differential-linear cryptanalysis from an algebraic perspective,” in Proceedings of Advances in Cryptology–CRYPTO. 2021–41st Annual International Cryptology Conference, Lecture Notes in Computer Science, pp. 247–277, 2021.
View at: Google Scholar
G. Beierle, Christofand Leander, and Y. Todo, “Improved differential-linear attacks with applications to ARX ciphers,” in Proceedings of Advances in Cryptology — CRYPTO. 2020–40th Annual International Cryptology Conference, Lecture Notes in Computer Science, pp. 329–358, 2020.
View at: Google Scholar
H. Wu and B. Preneel, “Differential-linear attacks against the stream cipher phelix,” in Proceedings of Fast Software Encryption–14th International Workshop, Lecture Notes in Computer Science, pp. 87–100, 2007.
View at: Google Scholar
G. Leurent, “Improved differential-linear cryptanalysis of 7-round chaskey with partitioning,” in Proceedings of Advances in Cryptology –EUROCRYPT. 2016 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lecture Notes in Computer Science, pp. 344–371, 2016.
View at: Google Scholar
T. Huang, I. Tjuawinata, and H. Wu, “Differential-linear cryptanalysis of ICEPOLE,” in Proceedings of Fast Software Encryption–22nd International Workshop, Lecture Notes in Computer Science, pp. 243–263, 2015.
View at: Google Scholar
E. Bellini, D. Gérault, J. Grados, R. H. Makarim, and T. Peyrin, “Fully automated differential-linear attacks against ARX ciphers,” in Proceedings of Topics in Cryptology–CT-RSA. 2023–Cryptographers’ Crack at the RSA Conference, Lecture Notes in Computer Science, pp. 252–276, 2023.
View at: Google Scholar
F. Abed, E. List, S. Lucks, and J. Wenzel, “Differential cryptanalysis of round-reduced simon and speck,” in Proceedings of Fast Software Encryption–21st International Workshop, Lecture Notes in Computer Science, pp. 525–545, 2014.
View at: Google Scholar
J. Alizadeh, H. AlKhzaimi, M. R. Aref et al., “Cryptanalysis of SIMON variants with connections,” in Proceedings of Radio Frequency Identification: Security and Privacy Issues–10th International Workshop, Lecture Notes in Computer Science, pp. 90–107, 2014.
View at: Google Scholar
S. Sun, L. Hu, M. Wang et al., “Constructing mixed-integer programming models whose feasible region is exactly the set of all valid differential characteristics of SIMON,” Cryptology ePrint Archive, Paper 2015/122, 2015.
View at: Google Scholar
Q. Wang, Z. Liu, K. Varici, Y. Sasaki, V. Rijmen, and Y. Todo, “Cryptanalysis of reduced-round SIMON32 and SIMON48,” in Proceedings of Progress in Cryptology–INDOCRYPT. 2014–15th International Conference on Cryptology, Lecture Notes in Computer Science, pp. 143–160, 2014.
View at: Google Scholar
S. Kölbl, G. Leander, and T. Tiessen, “Observations on the SIMON block cipher family,” in Proceedings of Advances in Cryptology –CRYPTO–35th Annual Cryptology Conference, Lecture Notes in Computer Science, pp. 161–185, 2015.
View at: Google Scholar
K. Qiao, L. Hu, and S. Sun, “Differential analysis on simeck and SIMON with dynamic key-guessing techniques,” in Proceedings of Information Systems Security and Privacy–Second International Conference, Communications in Computer and Information Science, pp. 64–85, 2016.
View at: Google Scholar
L. Sun, W. Wang, and M. Wang, “Accelerating the search of differential and linear characteristics with the SAT method,” IACR Transactions on Symmetric Cryptology, vol. 2021, no. 1, pp. 269–315, 2021.
View at: Publisher Site | Google Scholar
Y. Chen and W. Zhang, “Differential-linear cryptanalysis of SIMON32/64,” International Journal of Embedded Systems, vol. 10, no. 3, pp. 196–202, 2018.
View at: Publisher Site | Google Scholar
Y. Hu, Z. Dai, and B. Sun, “Differential-linear cryptanalysis of the simon algorithm,” Netinfo Security, vol. 22, no. 9, pp. 63–75, 2022.
View at: Google Scholar
R. Beaulieu, D. Shors, J. Smith, S. Clark, B. Weeks, and L. W., “The SIMON and SPECK families of lightweight block ciphers,” IACR Cryptology ePrint Archive, Article ID 404, 2013.
View at: Google Scholar
G. Yang, B. Zhu, V. Suder, M. D. Aagaard, and G. Gong, “The simeck family of lightweight block ciphers,” in Proceedings of Cryptographic Hardware And Embedded Systems–CHES–17th International Workshop, Lecture Notes in Computer Science, pp. 307–329, 2015.
View at: Google Scholar
M. Coutinho, R. de Sousa Júnior, and F. Borges, “Continuous diffusion analysis,” IEEE Access, vol. 8, pp. 123 735–123 745, 2020.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2024 Yanyan Zhou et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies