Security evaluation on Simeck against zero‐correlation linear cryptanalysis
2017; Institution of Engineering and Technology; Volume: 12; Issue: 1 Linguagem: Inglês
10.1049/iet-ifs.2016.0503
ISSN1751-8717
AutoresKai Zhang, Jie Guan, Bin Hu, Dongdai Lin,
Tópico(s)Physical Unclonable Functions (PUFs) and Hardware Security
ResumoIET Information SecurityVolume 12, Issue 1 p. 87-93 Research ArticleFree Access Security evaluation on Simeck against zero-correlation linear cryptanalysis Kai Zhang, Corresponding Author Kai Zhang zhkai2010@139.com Zhengzhou Information Science and Technology Institute, Zhengzhou, 450000 People's Republic of China State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, 100093 People's Republic of ChinaSearch for more papers by this authorJie Guan, Jie Guan Zhengzhou Information Science and Technology Institute, Zhengzhou, 450000 People's Republic of ChinaSearch for more papers by this authorBin Hu, Bin Hu Zhengzhou Information Science and Technology Institute, Zhengzhou, 450000 People's Republic of ChinaSearch for more papers by this authorDongdai Lin, Dongdai Lin State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, 100093 People's Republic of ChinaSearch for more papers by this author Kai Zhang, Corresponding Author Kai Zhang zhkai2010@139.com Zhengzhou Information Science and Technology Institute, Zhengzhou, 450000 People's Republic of China State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, 100093 People's Republic of ChinaSearch for more papers by this authorJie Guan, Jie Guan Zhengzhou Information Science and Technology Institute, Zhengzhou, 450000 People's Republic of ChinaSearch for more papers by this authorBin Hu, Bin Hu Zhengzhou Information Science and Technology Institute, Zhengzhou, 450000 People's Republic of ChinaSearch for more papers by this authorDongdai Lin, Dongdai Lin State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, 100093 People's Republic of ChinaSearch for more papers by this author First published: 01 January 2018 https://doi.org/10.1049/iet-ifs.2016.0503Citations: 6AboutSectionsPDF ToolsRequest permissionExport citationAdd to favoritesTrack citation ShareShare Give accessShare full text accessShare full-text accessPlease review our Terms and Conditions of Use and check box below to share full-text version of article.I have read and accept the Wiley Online Library Terms and Conditions of UseShareable LinkUse the link below to share a full-text version of this article with your friends and colleagues. Learn more.Copy URL Share a linkShare onFacebookTwitterLinkedInRedditWechat Abstract Since proposed by the National Security Agency in June 2013, two lightweight block ciphers-SIMON and SPECK have attracted the attention of cryptographers from all over the world. At CHES 2015, Simeck, a new block cipher inspired from both SIMON and SPECK is proposed, which is more compact and efficient. However, the security evaluation on Simeck against zero-correlation linear cryptanalysis seems missing from the specification. The main focus of this study is to fill this gap and evaluate the security level of Simeck against zero-correlation linear cryptanalysis. According to the authors' study, 11-, 13- and 15-round zero-correlation linear distinguishers on Simeck32/48/64 are proposed, respectively, then zero-correlation linear cryptanalysis on 21-, 24-, 28-round Simeck32/48/64 are first proposed. As far as they know, for Simeck32, their result is the best result up to date. Nomenclature Simeck 2n version of Simeck whose block size is 2n P 2n -bit plaintext, consisting of two n -bit words C 2n -bit ciphertext, consisting of two n -bit words 2n -bit intermediate value (input of the i th round in the encryption), consisting of two n -bit words , the j th bits of are denoted as and , respectively K master key. For Simeck 2n, n -bit round key for the i th round XOR operation left rotation for r bits right rotation for r bits bitwise AND operation 1 Introduction With the increasing demand for low-end embedded devices, algorithms which have to adapt to the very constrained memory is greatly needed. SIMON and SPECK [1] are two lightweight block ciphers proposed by the National Security Agency (NSA) in 2013. SIMON is hardware friendly and SPECK is software friendly. To meet the demand of small hardware implementations, Yang et al. proposed Simeck at CHES 2015. Simeck benefits from both the designs of SIMON and SPECK, while it has more compact and efficient hardware implementation. At the same time, it has comparable security margin with SIMON and SPECK. The concept of zero-correlation (ZC) linear cryptanalysis (LC) was first proposed by Bogdanov and Rijmen [2]. In the recent two years, ZCLC has shown its great potential in cryptanalysis and it has proven to be very effective against lots of block ciphers [2-4]. Generally speaking, this cryptanalytic method can be concluded as 'use linear approximation of probability 1/2 to eliminate the wrong key candidates'. In the specification of Simeck [5], designers evaluated the security level against many cryptanalytic methods such as differential cryptanalysis (DC), LC, impossible DC and rotational attack. However, as an important cryptanalytic tool, it is essential to evaluate the security level against ZCLC for this newly proposed block cipher. 1.1 Our contributions The main purpose of this paper is to evaluate the security level of Simeck against ZCLC: For distinguishers, this paper proposes ZC linear distinguishers on all variants of Simeck. On the basis of '0–1' bit contradiction, 11-, 13- and 15-round ZC linear distinguishers on Simeck32/48/64 are first proposed. To validate the usefulness of these newly proposed ZC linear distinguishers, this paper evaluates the security level of Simeck against ZCLC. For Simeck32/48/64, ciphers reduced to 21-, 24- and 28-round can be attacked, respectively. The results are concluded in Table 1 below. This paper is organised as follows. Notations are introduced in this paper. In Section 2, a brief description of Simeck is presented. Section 3 proposes some ZC linear distinguishers on Simeck. Section 4 proposes ZCLC on Simeck and Section 5 improves the attack in Section 4 with equivalent-subkey technique. Section 6 compares the results on SIMON and Simeck against ZCLC and Section 7 concludes this paper. Table 1. Summary of all the cryptanalysis on Simeck Algorithm Attack Rounds attacked Data Memory Time Reference Simeck32 DC 19 O (231.5) — 234 [5] DC 19 O (231) 231 231 [6] LC 18a O (232) — 262.56 [7] ID 20 O (232) 256 262.6 [5] ZC 20 O (232) 239.37 256.65 this paper ZC 21 O (232) 245.67 258.78 this paper Simeck48 DC 20 O (246) — 275 [5] DC 26 O (247) 247 262 [6] LC 19 O (245) — 294 [7] ID 24 O (248) 274 294.7 [5] ZC 24 O (248) 265.06 291.6 this paper ZC 24 O (248) 258.99 281.64 this paper Simeck64 DC 26 O (263) — 2121 [5] DC 33 O (263) 263 296 [6] LC 27a O (261) — 2120.5 [7] ID 25 O (264) 279 2126.6 [5] ZC 27 O (264) 274.34 2112.79 this paper ZC 28 O (264) 297.67 2123.06 this paper a Success probability of the attack is 0.477. DC: differential cryptanalysis; LC: linear cryptanalysis; ID: impossible DC; ZC: ZCLC. 2 Brief description of Simeck Simeck is a family of lightweight block ciphers proposed at CHES 2015, the round function of Simeck is slightly modified from SIMON and the key schedule of Simeck adopts the idea of round function reuse such as SPECK does. Like SIMON, Simeck is also based on Feistel network, and the operations Simeck uses are simply bitwise AND, exclusive OR (XOR) and rotation operation. The only difference for the round functions of Simeck and SIMON is the rotation constant, which is (0, 5, 1) for Simeck and (1, 8, 2) for SIMON. The round function of Simeck is depicted in Fig. 1 below. Unlike SIMON and SPECK, there are only three different versions for Simeck, and the parameters for each version are illustrated in Table 2 below. Fig. 1Open in figure viewerPowerPoint Round function of Simeck Table 2. Simeck parameters Algorithm Block size 2n Key size 4n Word size n Rounds T Simeck32 32 64 16 32 Simeck48 48 96 24 36 Simeck64 64 128 32 44 The initial master key K consists of four n -bit words . First of all, initialise vectors with Then, for different i, round key is computed with the following equation: where , C and are predefined constants. For more details of Simeck algorithm, we refer the readers to [5]. 3 ZC linear distinguishers on Simeck For SIMON-type ciphers, ZC linear distinguishers are usually built with miss-in-the-middle technique and the contradiction for this kind of distinguishers is usually '0–1' bit contradiction. Usually, this kind of distinguishers is constructed in two directions: encryption direction and decryption direction. For Simeck32, in the encryption direction, we find that for any 5-round non-zero linear hull with input linear mask of (1000000000000000 0000000000000000), the linear mask of the internal state for the fifth round must be (???10???00??000? ?????????0???00?). Similarly, in the decryption direction, for any 6-round non-zero linear hull with output linear mask of (0000000000000000 0000010 000000000), the linear mask of the internal state for the sixth round from the bottom must be (???0???????????? ??00??????????0?). Combining these two directions together, we can derive an 11-round ZC linear distinguisher with input linear mask of (1000000000000000 0000000000000000) and output linear mask of (0000000000000000 0000010000000000). Similarly, 13-round ZC linear distinguisher for Simeck48 and 15-round ZC linear distinguisher for Simeck64 can also be derived (see the Appendix for more details). The ZC linear distinguishers used to attack these Simeck variants are illustrated in Table 3 below. Table 3. ZC linear distinguishers used to attack Simeck32/48/64 Algorithm Position ZC linear distinguisher Simeck32 (11-round) input 1000000000000000 0000000000000000 output 0000000000000000 0000010000000000 Simeck48 (13-round) input 100000000000000000000000 000000000000000000000000 output 000000000000000000000000 000001000000000000000000 Simeck64 (15-round) input 10000000000000000000000000000000 00000000000000000000000000000000 output 00000000000000000000000000000000 00000001000000000000000000000000 4 ZCLC on Simeck In this section, with the proposed 11-, 13- and 15-round ZC linear distinguishers on Simeck32/48/64, ZCLC on 20-round Simeck32, 24-round Simeck48 and 27-round Simeck64 are first proposed. 4.1 ZCLC on Simeck32 In this section, ZCLC on 20-round Simeck32 is proposed; we use an 11-round ZC linear distinguisher and add five initial rounds and four final rounds before and after the distinguisher. The details are depicted in Fig. 2 below. Fig. 2Open in figure viewerPowerPoint Initial five rounds encryption (left) and final four rounds decryption (right) Fig. 2 just illustrates those intermediate states and subkeys involved in the partial encryption and decryption processes. With partial-sum technique, the procedure of the attack can be concluded as follows: Step 1: Allocate a counter vector of size 228, where each element is 8 bit length and initialised to zero. Step 2: Guess all possible values of 20-round key bits , and . Step 3: Partially decrypt the ciphertext of each (P, C) pair to get . Add one to corresponding ; Step 4: The target of this step is to reduce to a new counter vector . During this step, 13 bits of have to be guessed in total. To reduce the time complexity, we guess these round key bits bit by bit. The guessed key bits, intermediate state counters and complexities are illustrated in Table 4 below. Step 5: The target of this step is to reduce to a new counter vector . During this step, 10 bits of have to be guessed in total. To reduce the time complexity, we also guess these round key bits bit by bit. The guessed key bits, intermediate state counters and complexities are illustrated in Table 5 below. Step 6: The target of this step is to reduce to a new counter vector . During this step, 6 bits of have to be guessed in total. To reduce the time complexity, we guess these round key bits bit by bit. The guessed key bits, intermediate state counters and complexities are illustrated in Table 6 below. Step 7: The target of this step is to reduce to a new counter vector . During this step, 3 bits of have to be guessed in total. Similarly, we guess these round key bits bit by bit. The guessed key bits, intermediate state counters and complexities are illustrated in Table 7 below. Step 8: Allocate a new counter vector of size 22, where each element is 32 bit length and initialised to zero. As have already been guessed, can be directly deduced. Then, we can compute and add one to corresponding . In the first 8 steps, there are altogether 52 round key bits guessed. If a round key candidate is generated by the correct key, , whereas for a wrong key candidate the probability is . So after the eight steps above, the 252 round key candidates can be reduced to ∼236.67, then store these round key candidates. Table 4. Details of partial encryption procedure for step 4 Step Guess Counter(size) Complexity 4.1 222 ×229 ×2/(16×20) 4.2 223 ×228 ×1/(16×20) 4.3 225 ×227 ×2/(16×20) 4.4 226 ×226 ×1/(16×20) 4.5 227 ×225 ×1/(16×20) 4.6 233 ×224 ×6/(16×20) Table 5. Details of partial encryption procedure for step 5 Step Guess Counter (size) Complexity 5.1 235 ×224 ×2/(16·20) 5.2 236 ×223 ×1/(16×20) 5.3 237 ×222 ×1/(16×20) 5.4 238 ×221 ×1/(16×20) 5.5 239 ×220 ×1/(16×20) 5.6 240 ×219 ×1/(16×20) 5.7 243 ×217 ×3/(16×20) Table 6. Details of partial encryption procedure for step 6 Step Guess Counter (size) Complexity 6.1 244 ×217 ×1/(16×20) 6.2 245 ×216 ×1/(16×20) 6.3 246 ×215 ×1/(16×20) 6.4 247 ×214 ×1/(16×20) 6.5 248 ×213 ×1/(16×20) 6.6 249 ×210 ×1/(16×20) Table 7. Details of partial encryption procedure for step 7 Step Guess Counter(size) Complexity 7.1 250 ×210 ×1/(16×20) 7.2 251 ×29 ×1/(16×20) 7.7 252 ×28 ×1/(16×20) Next step is to recover the master key. Unlike SIMON, the key schedule of Simeck is non-linear, which leads to the idea of establishing linear equations for the round key bits and then using Gaussian elimination method to derive master key impractical. So, we introduce a novel method here to recover the master key. For the 52 round key bits (denoted as ), there are altogether 32 master key bits and other 20 round key bits . As for the 52 round key bits, there are 236.67 round key candidates left, it can be regarded as 15.33 bits information have been derived. For and , 9.43 and 5.90 bits information have been derived, respectively. In average, among these 52 round key bits, there are 232 ×2−9.43 =222.57 master key bits and 220 ×2−5.90 =214.10 other round key bits left. Step 9: First of all, sort the 236.67 round key candidates according to the value of . Step 10: Then, for each candidate of , guess all the other 32 master key bits (denoted as ). After calculating according to the key schedule, if a candidate can make locate in the 236.67 round key candidates, save . Step 11: Finally, test whether a derived master key is correct by verification for plaintext–ciphertext pairs. 4.1.1 Complexity estimation The data complexity is O (232), whereas the memory complexity is 228 ×8/8 + 236.67 ×52/8≃239.37 bytes. The time complexity for each step is as follows: Step 1–3: 232 ×220 ×20/(16×20)≃248 ×20-round Simeck32 encryptions. Step 4: 251.30 20-round Simeck32 encryptions (for details see Table 4). Step 5: 254.38 20-round Simeck32 encryptions (for details see Table 5). Step 6: 255.07 20-round Simeck32 encryptions (for details see Table 6). Step 7: 253.26 20-round Simeck32 encryptions (for details see Table 7). Step 8: 252 ×25 ×1/(16×20);248.67 20-round Simeck32 encryptions. Step 9–10: For each , there are altogether 232 corresponding need to be guessed. As there are , so the total time complexity for this step is 232 ×222.57 =254.57 20-round Simeck32 key schedule algorithm. Ideally, there are left for each . So, the number of master key candidates left is 226.10 ×222.57 ≃248.67. Step 11: Test the correctness of each master key candidate with plaintext–ciphertext pairs (P, C). For the correct master key κ, after encryption, the equation always holds with probability one. For an incorrect guess k, after encryption, . So, after sieving with first plaintext–cipher pair, the space of master key candidate can be reduced to about 216.67, these master key candidates should be tested through the second plaintext–ciphertext pair. Iterating this process until the only correct key is left. The time complexity for this step is about 248.67 20-round Simeck32 encryptions. To sum up, the total time complexity is about 256.65 20-round Simeck32 encryptions. 4.2 ZCLC on Simeck48 and Simeck64 For Simeck48 and Simeck64, similar attacks can also be proposed. We summarise our results for Simeck in Table 8 below. Table 8. Summary of basic ZCLC on Simeck Algorithm Rounds attacked Data Memory Time Simeck32 11 + 5 + 4(20) O (232) 239.37 256.65 Simeck48 13 + 6 + 5(24) O (248) 265.06 291.6 Simeck64 15 + 6 + 6(27) O (264) 274.34 2112.79 5 Improvement with equivalent-subkey technique In this section, equivalent-subkey technique is used to improve the former results. The basic idea of equivalent-subkey technique is to replace the original subkeys with equivalent subkeys. It can reduce the number of guessed subkey bits to some extent. This technique has been used in [8] to explore generic key recovery attacks on Feistel scheme and further in [9] to improve the ZCLC on SIMON. According to the equivalent-subkey technique, if we change the position where the round keys inject (besides the first and last rounds, the positions for the equivalent subkeys are changed to the left half just before the rotation and AND operations, see the circle marked with red-dotted lines in Fig. 3) and change the round keys (RKi) with related equivalent round keys , then and , both and are constants which are totally related to the initial round keys. If we XOR even number of and , the results are totally same. Fig. 3Open in figure viewerPowerPoint Initial five rounds encryption (left) and final five rounds decryption (right) Besides, we want to note that after using this technique, the linearity for the internal states has already been abstracted and it is unnecessary to use meet-in-the-middle strategy and exploit the linearity for meet-in-the-middle strategy. Thus, only one table M3 is needed to store the subkey candidates. All in all, the results in Section 4 can be improved with this technique, and for Simeck32 and Simeck64 we can attack more rounds with this technique. The results are concluded in Table 9 below. Table 9. Summary of improved ZCLC on Simeck Algorithm Rounds Attacked Data Memory Time Simeck32 11 + 5 + 5 O (232) 245.67 258.78 Simeck48 13 + 6 + 5 O (248) 258.99 281.64 Simeck64 15 + 7 + 6 O (264) 297.67 2123.06 With equivalent-subkey technique, the number of guessed round key bits can be reduced, which leads to one more round attack for Simeck32 and Simeck64. As the key recovery process is very similar to Section 5.1, we omit the details of the key recovery phases and just list these results. 6 Comparison As Simeck is very similar to SIMON, in this part, we want to illustrate the differences between these two ciphers against ZCLC. Table 10 presents these differences. Table 10. Comparison between SIMON and Simeck against ZC Algorithm Length of the distinguisher Rounds attacked Data complexity Memory complexity Time complexity Reference SIMON32(64) 11 21 O (232) 231.0 259.4 [9] Simeck32 11 21 O (232) 245.67 258.78 this paper SIMON48(96) 12 22 O (248) 243.0 280.5 [9] Simeck48 13 24 O (248) 258.99 281.64 this paper SIMON64(128) 13 24 O (264) 254.0 2116.8 [9] Simeck64 15 28 O (264) 297.67 2123.06 this paper For SIMONa (b) in Table 10, a represents the block size and b represents the key size. On the whole, the security level of Simeck against ZCLC is not as good as SIMON, no matter in terms of lengths of distinguishers or rounds attacked. There are two main differences for Simeck and SIMON, rotation constants and key schedule. According to our attack, when compared with SIMON, the key schedule of Simeck does bring some barriers for our cryptanalysis, and the higher-memory complexity for our attack is one of the proofs. This is mainly due to the non-linear key schedule, which makes the idea of solving the linear equations with Gaussian elimination infeasible. In Section 4.1, we propose a new method to recover the master key, which needs some extra memory to store the key candidates and it makes higher-memory complexity for our attack. The rotation constants lead to both longer ZC linear distinguishers and longer rounds for the key recovery phase. This is mainly due to the poor diffusion property for the rotation constants (0, 5, 1), which makes the internal states, round key bits involved in the attack are much less than SIMON when we attack same rounds, and this will make both longer ZC linear distinguishers and longer rounds for the key recovery phase. That is to say, for Simeck, the rotation constants show positive effect on the cryptanalysis and the key schedule shows negative effect on the cryptanalysis. 7 Conclusion This paper investigates the security level of Simeck against ZCLC. For Simeck32, currently best result is proposed. During our research, we find that different rotation constants and different key schedules both have effect on the length we can attack with ZCLC. How to choose and even category these parameters is an interesting topic. On the other hand, the security level against other cryptanalytic methods for Simeck is further to be studied. 8 Acknowledgments The authors thank the anonymous reviewers for their helpful comments. This work was supported by the National Natural Science Foundation of China under grant nos. 61572516, 61202491, 61272041, 61272488 and 61402523. 10 Appendix See Tables 11–13. Table 11. 11-round ZC linear distinguisher on Simeck32 Round 0 1000000000000000 0000000000000000 1 0000000000000000 1000000000000000 2 1000000000000000 *1000*0000000000 3 *1000*0000000000 **100**000*00000 4 **100**000*00000 ***10***00**000* 5 ***1 0***00**000* *********0***00* 5 ***0 ************ **00**********0* 6 **00**********0* *000****10***00* 7 *000****10***00* 00000**100**000* 8 00000**100**000* 00000*1000*00000 9 00000*1000*00000 0000010000000000 10 0000010000000000 0000000000000000 11 0000000000000000 0000010000000000 Table 12. 13-round ZC linear distinguisher on Simeck48 Round 0 100000000000000000000000 000000000000000000000000 1 000000000000000000000000 100000000000000000000000 2 100000000000000000000000 *1000*000000000000000000 3 *1000*000000000000000000 **100**000*0000000000000 4 **100**000*0000000000000 ***10***00**000*00000000 5 ***10***00**000*00000000 ****1****0***00**000*000 6 ****1 ****0***00**000*000 **************0***00**00 6 0***0 ******************* 0**00**************0***0 7 0**00**************0***0 0*000****1****0***00**00 8 0*000****1****0***00**00 00000***10***00**000*000 9 00000***10***00**000*000 00000**100**000*00000000 10 00000**100**000*00000000 00000*1000*0000000000000 11 00000*1000*0000000000000 000001000000000000000000 12 000001000000000000000000 000000000000000000000000 13 000000000000000000000000 000001000000000000000000 Table 13. 15-round ZC linear distinguisher on Simeck64 Round 0 10000000000000000000000000000000 00000000000000000000000000000000 1 00000000000000000000000000000000 10000000000000000000000000000000 2 10000000000000000000000000000000 *1000*00000000000000000000000000 3 *1000*00000000000000000000000000 **100**000*000000000000000000000 4 **100**000*000000000000000000000 ***10***00**000*0000000000000000 5 ***10***00**000*0000000000000000 ****1****0***00**000*00000000000 6 ****1 ****0***00**000*00000000000 **************0***00**000*000000 6 ****0 *************************** ***00**************************0 7 ***00**************************0 **000*0*******************0***00 8 **000*0*******************0***00 *000000**************0***00**000 9 *000000**************0***00**000 0000000****1****0***00**000*0000 10 0000000****1****0***00**000*0000 0000000***10***00**000*000000000 11 0000000***10***00**000*000000000 0000000**100**000*00000000000000 12 0000000**100**000*00000000000000 0000000*1000*0000000000000000000 13 0000000*1000*0000000000000000000 00000001000000000000000000000000 14 00000001000000000000000000000000 00000000000000000000000000000000 15 00000000000000000000000000000000 00000001000000000000000000000000 9 References 1Beaulieu, R., Shors, D., Smith, J. et al: 'The SIMON and SPECK families of lightweight block ciphers'. Proc. 52nd ACM/EDAC/IEEE Conf. Design Automation Conf. (DAC), San Francisco, CA, USA, July 2015, pp. 1– 6 2Bogdanov, A., Rijmen, V.: 'Linear hulls with correlation zero and linear cryptanalysis of block ciphers', Des. Codes Cryptogr., 2014, 70, (3), pp. 369– 383 3Bogdanov, A., Wang, M.: 'Zero correlation linear cryptanalysis with reduced data complexity'. Proc. FSE, Washington, DC, USA, March 2012, pp. 29– 48 4Wen, L., Wang, M., Bogdanov, A. et al: 'Multidimensional zero-correlation attacks on lightweight block cipher HIGHT: improved cryptanalysis of an ISO standard', Inf. Process. Lett., 2014, 114, (6), pp. 322– 330 5Yang, G., Zhu, B., Suder, V. et al: 'The Simeck family of lightweight block ciphers'. Proc. CHES, Saint-Malo, France, September 2015, pp. 307– 329 6Kölbl, S., Roy, A.: 'A brief comparison of Simon and Simeck'. Proc. Lightweight Cryptography for Security and Privacy, Aksaray, Turkey, September 2016, pp. 69– 88 7Bagheri, N.: 'Linear cryptanalysis of reduced-round SIMECK variants'. Proc. INDOCRYPT, Bangalore, India, December 2015, pp. 140– 152 8Isobe, T., Shibutani, K.: 'Generic key recovery attack on Feistel scheme'. Proc. ASIACRYPT, Bengaluru, India, December 2013, pp. 464– 485 9Sun, L., Fu, K., Wang, M.: 'Improved zero-correlation cryptanalysis on SIMON'. Proc. Inscrypt, Beijing, China, November 2015, pp. 113– 133 Citing Literature Volume12, Issue1January 2018Pages 87-93 FiguresReferencesRelatedInformation
Referência(s)