Bitwise Mixture Differential Cryptanalysis and Its Application to SIMON

With the proliferation of Internet of Things (IoT) devices today, the need to strengthen the security of these devices is becoming increasingly urgent, particularly the need to review the security of lightweight block ciphers. SIMON is a lightweight block cipher proposed by the National Security Agency (NSA) of US to provide efficient and secure encryption for resource-constrained devices in IoT systems. This article aims to evaluate the security of SIMON against mixture differential cryptanalysis, which was proposed in Eurocrypt 2017 to launch the best key-recovery attacks on the most widely used encryption standard AES. Though there have been intensive studies on this cryptanalysis method, its current targets are all aligned block ciphers. Whether the numerous bitwise block ciphers, including SIMON, have weaknesses regarding this method remains unknown. In this article, we extend the mixture differential cryptanalysis to bitwise ciphers and develop an SAT-based automatic tool to search for such distinguishers. We interpret the bitwise mixture differential distinguisher as a variant of differential distinguisher in the multikey setting with 2^-3n as the boundary (n: block size), potentially boosting rounds or improving the signal-to-noise ratio of previous boomerang or classical differential distinguisher. Using SIMON as an example, we discover multikey distinguishers for up to 17-round SIMON32, 18-round SIMON48, and 23-round SIMON64, which outperform previous results in terms of the number of rounds. This article reconciles the disparity between mixture differential cryptanalysis applied to word-oriented target ciphers and its application to bit-oriented targets, thereby extending the mixture differential cryptanalysis to a broader range of block ciphers.