Hi, my name is Clara Pernot and I'm going to present a joint work with Gaëtan Leurent and André Schrottenloher titled "Clustering Effect in Simon and Simeck". So, let's start with a little bit of context. Simon and Speck are two lightweight block ciphers introduced by the NSA in 2013. Simon is optimized for hardware while Speck is optimized for software. The NSA tried to get Simon and Speck standardized at ISO, but some experts from other countries were suspicious. They were suspicious because Simon and Speck were introduced without any rationale, because of the NSA's previous involvement in the creation and promotion of backdoored cryptographic algorithms such as Dual EC, and also because there was no clear need for the standardization of new ciphers. So, for those reasons, many papers study Simon and Speck. A little bit later, an academic variant of Simon was introduced. This variant is Simeck. So, in the following, we'll focus on Simon and Simeck. Here is a brief overview of our results. For example, for Simeck with a block size of 64 bits and a key size of 128 bits, we obtained an attack over 42 rounds out of 44, while previously the best attack only reached 37 rounds. So, first I will describe Simon and Simeck and differential and linear cryptanalysis. Then I will present our stronger distinguishers for differential and linear cryptanalysis, and then I will present our improved key recovery attacks against Simon and Simeck. So, let's start by describing Simon and Simeck. Simon and Simeck are both Feistel ciphers. A Feistel cipher works as follows. First, we start with a plaintext of n bits and we split it into two blocks of n/2 bits, a left block and a right block. The left block goes into a round function which depends on the round key K0, and the output of this round function is XORed into the right part. Then the right part becomes the left part and the left part becomes the right part. This is done r times, with r the number of rounds.
And at the end, we obtain the ciphertext by concatenating the left part and the right part. So, a Feistel network is characterized by a block size n, a key size kappa, a number of rounds r and a round function f. The famous example of a Feistel cipher is the Data Encryption Standard. Here, the round function will not depend on the round key; the round key will just be XORed into the right part. So, now let's speak about Simon, Speck and Simeck. Simon is a Feistel network with a quadratic round function. This round function is made of a left rotation by 8 bits and a left rotation by 1 bit. Then those two things are ANDed bitwise, and the result is XORed with x rotated by 2 bits to the left. And Simon has a linear key schedule. Concerning Speck, Speck is an add-rotate-XOR cipher with this round function. Here, I will not describe this round function because it is not the topic of this talk. And Speck has the particularity that it reuses its round function in the key schedule. Concerning Simeck, Simeck is a Feistel network with a quadratic round function. This round function is very similar to the round function of Simon, but for Simon the rotation amounts are 8, 1 and 2, and for Simeck the rotation amounts are 5, 0 and 1. And Simeck reuses its round function in the key schedule as Speck does. So, in a more graphical way, Simon works as follows. We have a rotation of 8 bits to the left and a rotation of 1 bit to the left, both are ANDed bitwise, and the result is XORed into the right part. This is the non-linear part, and there is also a linear part which is composed of a left rotation by 2 bits. There are ten sets of parameters for Simon with different block sizes, key sizes and numbers of rounds. And the key schedule of Simon is linear. Concerning Simeck, the rotation amounts are 5, 0 and 1, and there are only three sets of parameters. And the key size is always equal to the block size for Simeck. And Simeck has a non-linear key schedule which reuses the round function f.
So, this is all for Simon and Simeck. And now, let's speak about differential cryptanalysis. Here we represent the possible input differences and the possible output differences. We define a differential as a pair (delta, delta') such that the probability that an input difference delta leads to an output difference delta' is bigger than 2^-n, with n the block size. In order to find such a differential, we study the propagation of differences through every round. So we first need to define the transition probability through one round. The transition probability through one round is just the probability that an input difference delta leads to an output difference delta' through one round. This can be extended to r rounds using trails. The probability of a trail is just the product of the probabilities of each round transition. So, a trail is determined by the differences at each round. Here, the trail defined by delta_0, delta_1, delta_2, delta_3 and delta_4 happens with probability p1 times p2 times p3 times p4. So, this is for trails over r rounds, but if we want to compute the probability that a difference delta_0 leads to a difference delta_4, we need to take into account all those trails. And as we can see here, there are many, many trails. So, in practice, it is infeasible to compute this sum. But for several ciphers, this can be approximated using only one trail. For Simon and Simeck, this can't be done because there is no dominant trail. So, in the following, we will search for a way of computing a lower bound of this probability. So, from a differential we also obtain a differential distinguisher.
So, if we collect D pairs of plaintexts with input difference delta and compute a statistic Q which is equal to the number of pairs that have an output difference of delta', then we are able to distinguish our cipher from a random permutation if the probability of our differential is bigger than 2^-n. Because for the cipher, Q is expected to be approximately D times the probability of our differential, while for a random permutation Q is expected to be approximately D times 2^-n. So, this is for differential cryptanalysis, and we can summarize the case of differential cryptanalysis like this. For differential cryptanalysis we study a differential, which is a pair (delta, delta') such that the probability that an input difference delta leads to an output difference delta' is bigger than 2^-n. To find some differential we define the transition probabilities through one round, and the probability of a differential is just the sum over all the trails of the probabilities of those trails. So, this is for differential cryptanalysis, and for linear cryptanalysis we have approximately the same thing. For linear cryptanalysis we focus on linear approximations, which are pairs (alpha, alpha') such that the correlation between x masked by alpha and the encryption of x masked by alpha' has an absolute value bigger than 2^(-n/2). In order to find some linear approximation we define the correlation of (alpha, alpha') through one round as 2 times the probability that x masked by alpha equals the one-round encryption of x masked by alpha', minus 1. And for r rounds we define the ELP, the expected linear potential of (alpha_0, alpha_r), as the sum over all the trails of the product of the squared correlations. So, this formula is really similar to the formula of the differential case.
So, in the following we will apply our approach to differential and linear cryptanalysis. We also obtain a linear distinguisher. For this distinguisher we need to collect D pairs of plaintext and ciphertext and to compute a statistic Q, which is equal to the number of pairs such that P masked by alpha equals C masked by alpha', minus the number of pairs that do not satisfy this relation. For the cipher, Q^2 is expected to be approximately D times the ELP of (alpha, alpha'), while for a random permutation Q^2 is expected to be approximately D times 2^-n. So, in the next two parts we will focus on how to find some stronger distinguishers for Simon and Simeck. Let's start with the differential case. First we need to compute the transition probability through one round, so through f. Let's start with a small example. Here we represent one round of Simeck, and if we consider a difference alpha equal to 1 on the left part, then we study the propagation of this difference through one round. First there is the linear propagation: this difference propagates through the one-bit rotation to the left. Then there is the non-linear part: in order to study the diffusion of the difference through the AND operator, we need to look at the value of the same bit in the other state.
So, here for this bit we need to study the value of the gray bit. If the value is 0 then the difference will not propagate, because 0 AND 1 equals 0 and 0 AND 0 is also equal to 0. But if the value is 1 then the difference propagates, because 1 AND 0 equals 0 and 1 AND 1 equals 1. So, here we will sometimes have a difference on this bit and some other time no difference. The same thing happens for the second bit, so in total we have 4 possible outputs, and each of these outputs happens with probability 0.25. This result can be generalized like this; this was done by Kölbl, Leander and Tiessen at CRYPTO 2015, and they say that since f is quadratic, the exact transition probability through one round can be computed efficiently for Simon and Simeck. So they obtain this formula, and now we are able to compute the transition probability through one round, but computing the probability of a differential remains hard. And here is our starting point: we observe the following. If we start with differences in a window of size W, then in the worst case the differences will stay in a window of size W + 5, because the biggest rotation amount is 5. But sometimes the difference will not propagate through the AND operator, and because the rotation amount 5 is associated with the non-linear part, sometimes the difference will not propagate. So, in the best case, if we start with differences in a window of size W equal to 3, then we will obtain some differences in a window of size W + 1 at the output. This can be summarized like this: Simeck has a relatively slow diffusion. So, in the following we will exploit this property. Our idea is to focus on trails that are only active in a window of W bits. It means that in place of taking into account all of those trails, we will just focus on all the trails that are in a window. So, more formally, we choose W, the size of the window, and we define Delta_W as the vector space of the differences active only in the W least significant bits, and due to the
Feistel structure, we also define Delta_W^2, which is the product Delta_W times Delta_W. Then we are able to compute a lower bound of the probability of the differential (delta_0, delta_r) by summing over all the characteristics with intermediate differences in Delta_W^2. So, here we just compute the sum of the probabilities of all the trails in a window of size W. In practice we are able to compute the lower bound for a window of size 18, but for size 18 it takes approximately a week on a 48-core machine using 1 terabyte of RAM. So, this is a big computation. So, here are our results. First, we find some tighter lower bounds for existing differentials. This was done with W equal to 18, and for example, for the first differential the previous probability was 2^-60.02, but here we find that the lower bound of the differential is 2^-54.60. We also find a set of 64 best characteristics, but in the following we will use the differential (0, 1) to (1, 0) because this differential is almost as good and it will lead to a more efficient key recovery, because it has fewer active bits. Here is a comparison of the differential (0, 1) to (1, 0) and the differential (1, 2) to (2, 1), which is one of the best characteristics we have identified. For example, for 30 rounds the differential (0, 1) to (1, 0) has probability 2^-60.41 while the best characteristic we have identified has probability 2^-59.92. So, those two probabilities are really close, and in the following we will use the first one because it has fewer active bits, so the key recovery part will be more efficient. Moreover, we also study the effect of the size of the window W, and what we observe is that after W equal to 15 the increase is quite slow, so we expect our lower bound of the probability of the differential to be close to the exact probability of the differential. So, this is all for differential cryptanalysis. Now, let's move on to linear cryptanalysis. So, we apply exactly the same approach to linear
cryptanalysis, and we find a set of 64 almost optimal trails. Those trails are just the bit-reversed version of the optimal differential characteristics. But as for the differential case, we will use the trail 10 to 0 because it has fewer active bits, so it will lead to a more efficient key recovery. So, here we compare our results on differential and linear cryptanalysis, and what we observe is that the results are really close. For example, for 30 rounds we have a probability of 2^-60.41 for the differential case and a probability of 2^-60.36 for the linear case, so those two values are really, really similar. Moreover, here we represent the number of trails that are taken into account in our analysis, and what we observe is that we take into account a huge number of trails. For example, for 30 rounds we take into account 2^254 trails. So, this is why our lower bounds are higher than the previous lower bounds: this is due to the fact that we take into account a high number of trails. So, those are results on Simeck. We also study the effect of the size of the window for Simon in linear cryptanalysis, and what we observe is that the increase is quite important even for the large values of W. This is probably due to the fact that the rotation amounts for Simon are bigger than the rotation amounts for Simeck, because for Simon we have a rotation of 8 bits while for Simeck the biggest rotation is 5. So, here we expect our lower bound of the probability of the linear hull for Simon to be not as tight as the one for Simeck, so probably further work can improve our results for Simon. So, this is all for linear cryptanalysis. Now let's move on to the key recovery attack. Here we start with our distinguishers, a linear or differential distinguisher, and then in order to do a key recovery attack we add some rounds before and after our distinguisher. Then we will need to guess a subset of the key, which is here denoted k_p, k_t, k_b and k_c,
and then, using this subset of the key, we are able to compute our statistic Q, the statistic of our distinguisher. We denote k_pg the total number of guessed bits, and this number needs to be smaller than the key size kappa. So, a naive way to do a key recovery attack is as follows. First we go over all the possible key guesses, and then for each key guess we compute our statistic Q(k), and if this statistic is bigger than a threshold s, then k is a possible candidate. This requires D times 2^k_pg operations, with D the data and k_pg the size of k, but this can be improved to D + 2^k_pg using algorithmic tricks. For differential cryptanalysis we use dynamic key guessing, and for linear cryptanalysis we use the fast Walsh transform approach. I will not describe those two attacks in detail, but just to give an overview, these attacks are made of three steps. First, we need to find efficient distinguishers; this was done in the previous part. Then we need to find the subset of the key that needs to be guessed to evaluate our statistic Q, and then we need to rearrange operations to reduce the time complexity from D times 2^k_pg to D + 2^k_pg. So, we have previously seen that step 0 is quite similar for differential and linear cryptanalysis, and step 2 is also very similar for differential and linear cryptanalysis, but concerning step 1, this step is really different between differential and linear cryptanalysis, because we need to guess a bigger number of bits for differential cryptanalysis than for linear cryptanalysis. So, here we compare the number of bits that need to be guessed for differential and linear attacks against Simeck 64/128. So, for each case, differential and linear cryptanalysis, we have two columns. The first column gives the total number of bits, and the second column gives the number of independent bits.
Because when we guess a large number of key bits, some of these key bits are related through key-schedule relations. So sometimes the number of independent key bits is smaller than the total number of bits. And what we observed is that if we want to add several rounds before or after our distinguisher, we need to guess 114 bits in differential cryptanalysis, but in linear cryptanalysis only 68 bits are independent. So our attacks in linear cryptanalysis will be better than in differential cryptanalysis, because these numbers are smaller than the numbers for differential cryptanalysis. So here are our results. We only put the linear results because the results of linear cryptanalysis are better than those of differential cryptanalysis here. And for Simeck 64/128, we obtained an attack that reaches 42 rounds out of 44, while the best previous attack reached 37 rounds. For example, for Simeck 96/144, we obtained an attack on 45 rounds out of 54, while the best previous attack reached 38 rounds. To conclude, in this work we found better probabilities for existing differentials and linear approximations by using trails with intermediate differences in a window of W bits. We also found new distinguishers with a minimum number of active bits, so the key recovery is more efficient. And using that, we obtained attacks against Simeck and Simon. In particular, we obtained an attack on 42 rounds out of 44 for Simeck 64/128, and on 43 rounds out of 52 for Simon 96/96. And these attacks used advanced techniques such as the fast Walsh transform approach. But concerning Simon, our lower bound from this approach seems not to be as tight as the bound for Simeck.
This is probably because the rotation amounts for Simon are bigger than the rotation amounts for Simeck. So, probably, further work can improve our results. So, thank you for listening. And if you want more details, you can read our paper.