Linear Cryptanalysis of Reduced-Round Simon Using Super Rounds

Abstract

We present attacks on 21-rounds of Simon 32/64, 21-rounds of Simon 48/96, 25-rounds of Simon 64/128, 35-rounds of Simon 96/144 and 43-rounds of Simon 128/256, often with direct recovery of the full master key without repeating the attack over multiple rounds. These attacks result from the observation that, after four rounds of encryption, one bit of the left half of the state of 32/64 Simon depends on only 17 key bits (19 key bits for the other variants of Simon). Further, linear cryptanalysis requires the guessing of only 16 bits, the size of a single round key of Simon 32/64. We partition the key into smaller strings by focusing on one bit of state at a time, decreasing the cost of the exhaustive search of linear cryptanalysis to 16 bits at a time for Simon 32/64. We also present other example linear cryptanalysis, experimentally verified on 8, 10 and 12 rounds for Simon 32/64.

1. Introduction

Lightweight cryptography is a rapidly growing area of research, emerging to fill the need for securing highly-constrained devices such as RFID tags and sensor networks. The limited hardware and software resources require that the cryptographic primitives be highly efficient. In 2013, the U.S. National Security Agency introduced two families of lightweight block ciphers for this effort: Simon and Speck that have a simple design and perform well on constrained software environments [1]. Since then, both block ciphers have attracted the attention of researchers and have been the subject of many security investigations.

In this paper, we propose an extension of the classical linear cryptanalytic approach which uses multiple linear approximations and Matsui’s second algorithm. The standard approach, of extending the linear approximation by a single round of decryption (encryption), comes at the cost of guessing the last round (first round) key: $O\left(2^n\right)$ for an n-bit round key for Simon block size $2n$. We propose extending the linear approximation by a super-round—which, in the case of Simon, is four rounds with a total cost $O\left(n{2}^b\right)$, for $b\le n$, depending on the Simon variant, leading to the determination of four round keys, instead of the single round key obtained through the traditional approach. Directly applying Matsui’s approach by appending four rounds would require a cost of $O\left(2^{4n}\right)$); but this is not necessary because of the weakness in Simon, which we express as a super round. Thus we demonstrate a simple, efficient extension of the key recovery attack using Matsui’s second algorithm, and recover multiple round keys, including the entire master key in some cases. For this reason, we compare our results with other results in the literature that were obtained using the classical simple Matsui’s second algorithm without recourse to linear hull approaches.

1.1. Our Contributions

In this paper we present an attack on reduced-round Simon, illustrating it in detail for Simon 32/64, and providing a sketch of it for other variants. Our attack is based on the observation that, after four rounds of encryption, one bit of the left half of the state of Simon 32/64 depends on only 17 key bits, and linear cryptanalysis requires the guessing of only 16 bits, the size of a single round key. A single bit of right half state similarly depends on 8 key bits (seven need to be guessed for linear cryptanalysis). By focusing on a single bit of the state at a time, we are able to partition the key into smaller strings, enabling us to more efficiently apply exhaustive search to perform linear cryptanalysis, doing it 16 (or 7) bits at a time. We are able to determine multiple round keys, which corresponds to a large fraction of the independent master key bits. This approach extends to other variants of Simon as well. We summarize the approach below for Simon 32/64.

We define the super round—four rounds of encryption with output limited to a single bit—and the corresponding super key limited to the relevant 16 (or 7) bits. For each bit of state, we extend the super round with an appropriate linear approximation with one active input bit. We carry out Matsui’s second cryptanalysis using the super round instead of a single round and obtain the corresponding super key by performing an exhaustive search over 16 (or 7) bits. We do this for all 32 bits of the state. Thus, the use of the super round significantly improves the overall time complexity of linear cryptanalysis of Simon.

We thus obtain 16 super keys of size 16 each (left half) and 16 super keys of size 7 each (right half), with considerable overlap among the key bits, as there are only 48 independent master key bits in the four-round cipher extended by the linear approximation. Consequently, we obtain 368 related key bits representing 48 independent key bits, which allows for error correction. We can further extend the super round and the linear approximation with an additional two rounds at the end, to obtain 60 independent key bits, which can be used to obtain up to 60 master key bits.

We extend the above attack to other variants of Simon. We also perform an experimental verification of our attack on 8, 10 and 12-round Simon 32/64. Using the capacity-based projections of the relationship of bias to the number of P/C pairs [2], we predict the determination of the entire master key of 20-round Simon 32/64, with $2^{32}$ P/C pairs and time complexity $2^{60}$. We are also able to determine all 64 master key bits of 8-round Simon using a meet-in-the-middle attack with one super round of encryption and one super round of decryption, with data complexity $2^{5.58}$ and time complexity $2^{34.58}$.

We need to point out that [3] has an observation similar to ours: that a single bit after four rounds of encryption is affected only by 18 bits, and they use it to define a related-key attack. We had derived this result independently.

1.2. Comparison with Other Work

We now compare our results with those of Alizadeh et al. [4], which are improvements on their peer-reviewed work in [5] and are currently the best peer-reviewed attacks on Simon  that use the classical Matsui’s second algorithm and multiple approximations. As we mentioned earlier, linear hull attacks are able to go deeper; here, we focus on our improvement on the classical approach without recourse to linear hulls. ([6] claims better work than [4], but is not peer-reviewed and has been criticized in the literature so we are not sure if the results hold; see Section 3.) Alizadeh  et al. present two types of linear cryptanalysis: one using Matsui’s second algorithm and the other using multiple linear cryptanalysis. They do not use both attacks simultaneously as we do in this paper. For a fair comparison with our work, we had to make changes to how the data complexity was computed in their work. As we are using multiple linear approximations, we used the capacity model [2] for both our work and theirs. This generally helped improve their numbers. We computed the cost of using n approximations, each corresponding to a shift of one bit, which enabled the computation of all the key bits we were able to compute. Additionally, they present the average case complexity of their attacks: each guessed key bit involved in an XOR is counted as half a bit. In the literature, it is standard to count each key bit guessed as a single bit, whether it is included only in an ANDed expression or not. We hence present two sets of comparisons.

1.

Table 1. Comparison of previous results using Matsui’s second algorithm and multiple linear cryptanalysis (without recourse to linear hull) on Simon.

Average Case Computations
Simon	Number of Rounds	Data Complexity	Time Complexity	Presented in
32/64	21-round	$2^{32}$	$2^{59.23}$	Appendix B
	17-round	$2^{27}$	$2^{57.5}$	[4]
48/72	20-round	$2^{45.42}$	$2^{71.5}$	Appendix C.1
	19-round	$2^{39.42}$	$2^{68}$	[4]
48/96	21-round	$2^{45.42}$	$2^{86}$	Appendix C.2
	20-round	$2^{39.42}$	$2^{84.5}$	[4]
64/96	23-round	$2^{51}$	$2^{94}$	Appendix D.1
	22-round	$2^{51}$	$2^{89}$	[4]
64/128	25-round	$2^{63}$	$2^{109.5}$	Appendix D.2
	23-round	$2^{51}$	$2^{106}$	[4]
96/144	35-round	$2^{93.42}$	$2^{132.5}$	Appendix E
	34-round	$2^{86.42}$	$2^{134.5}$	[4]
128/192	42-round	$2^{128}$	$2^{189}$	Appendix F.1
	40-round	$2^{120}$	$2^{174.5}$	[4]
128/256	43-round	$2^{128}$	$2^{210}$	Appendix F.2
	42-round	$2^{120}$	$2^{233.5}$	[4]

shows the comparisons using average case complexity in counting guessed key bits, as used in their work. Key bits in a bitwise AND operation are counted as half a bit each, whereas all other key bits are counted as a single bit each. Their argument is that when we have an expression such as $k_0\&k_1$, if we guess $k_0$ as a zero there is no need to continue guessing the second bit because the ANDed value will be zero independent of the value of $k_1$. Using this computation of the time complexity, we are able to go deeper than [4] for all Simon versions.

2.

Table 2. Comparison of previous results using Matsui’s second algorithm and multiple linear cryptanalysis on Simon without recourse to linear hull (* indicates that the complexity of [4] is worse than brute force attack).

Worst Case Computations
Simon	Number of Rounds	Data Complexity	Time Complexity	Presented in
32/64	20-round	$2^{32}$	$2^{60}$	Section 7
	* 17-round	$2^{26}$	$2^{66}$	[4]
48/72	18-round	$2^{35.42}$	$2^{71}$	Appendix C.1
	* 18-round	$2^{39.42}$	$2^{78}$	[4]
48/96	20-round	$2^{43.42}$	$2^{94}$	Appendix C.2
	* 20-round	$2^{39.42}$	$2^{97}$	[4]
64/96	22-round	$2^{51}$	$2^{95}$	Appendix D.1
	* 22-round	$2^{51}$	$2^{101}$	[4]
64/128	24-round	$2^{62}$	$2^{122}$	Appendix D.2
	23-round	$2^{51}$	$2^{123}$	[4]
96/144	34-round	$2^{93.42}$	$2^{136}$	Appendix E
	* 34-round	$2^{86.42}$	$2^{149}$	[4]
128/192	40-round	$2^{128}$	$2^{187}$	Appendix F.1
	40-round	$2^{120}$	$2^{192}$	[4]
128/256	43-round	$2^{128}$	$2^{240}$	Appendix F.2
	42-round	$2^{120}$	$2^{236}$	[4]

shows a comparison of worst-case time complexity, which is the standard in the literature. Each key bit guessed is counted as a single key bit, and we recomputed their numbers in order to accurately reflect this in both our work and theirs. We are able to go deeper for Simon 32/64, Simon 64/128 and Simon 128/256, and in the other versions, even though we cryptanalyze the same number of rounds, the time complexity of their attacks is worse than brute force attacks.

Note that, in our proposed model, we only use independent linear approximations; as a result, we avoid the issue described in [7], about using dependent approximations in another work on Simon.

It might be worth investigating how to combine our model with more general multidimensional cryptanalysis, where approximation independency is not assumed [8].

1.3. Organization

This paper is organized as follows. Section 2 summarizes the Simon cipher and Section 3 describes related work. Section 4 presents the idea of the super round and the associated super key and Section 5 the approximations we used. Section 6 presents experimental verification, and Section 7 projected results. Section 9 concludes. The Appendix A, Appendix B, Appendix C, Appendix D, Appendix E and Appendix F contain derivations and the linear attacks of Simon 48, Simon 64, Simon 96 and Simon 128.

2. Simon

Simon is a family of lightweight block ciphers designed by U.S. National Security Agency (NSA) in 2013 [9], which aims to provide lightweight resource-constrained devices with needed security. It supports a variety of block and key sizes which is denoted by Simon$2n/mn$, where n is the word size, m is the number of key words and $2n$ is the block size. The following

Table 3. Simon parameters.

Block Size $2\mathbf{n}$	Key Size $\mathbf{mn}$	Word Size n	Key Words m	Number of Rounds
Simon 32	64	16	4	32
Simon 48	72	24	3	36
	96		4	36
Simon 64	96	32	3	42
	128		4	44
Simon 96	96	48	2	52
	144		3	54
Simon 128	128	64	2	68
	192		3	69
	256		4	72

lists other variants:

It is designed based on a Feistel structure with the key-dependent round function, (see Figure 1):

$$(X{L}^{j+1},X{R}^{j+1})=R_{k^j}(X{L}^j,X{R}^j)=(X{R}^j\oplus F\left(X{L}^j\right)\oplus k^j,X{L}^j).$$

(1)

The specification of each block cipher is determined by the two main functions, the round function, and the key schedule. Thus, the round function F consists of three operations: bitwise XOR ⊕, bitwise AND &, and left circular shift by j bits $⋘j$. It can be expressed as:

$$F\left(X{L}^j\right)=[(X{L}^j⋘1)\&(X{L}^j⋘8)]\oplus X{L}^j⋘2)$$

(2)

The key schedule takes the master key K as an input and generates r subkeys $k^0,k^1,....k^{r-1}$. The first w subkeys are initialized with the master key words, $k_{w-1}...k_0$. Depending on the number of key words w, a different procedure is applied as the following:

$$\begin{array}{cc}\hfill & \mathrm{For}\mathrm{w}=2:\hfill \\ \hfill & k^{i+2}=k^i\oplus (k^{i+1}⋙3)\oplus (k^{i+1}⋙4)\oplus c\oplus {\left(z_j\right)}_i\hfill \\ \hfill & \mathrm{For}\mathrm{w}=3:\hfill \\ \hfill & k^{i+3}=k^i\oplus k^{i+1}\oplus (k^{i+2}⋙3)\oplus (k^{i+1}⋙1)\oplus (k^{i+2}⋙4)\oplus c\oplus {\left(z_j\right)}_i\hfill \\ \hfill & \mathrm{For}\mathrm{w}=4:\hfill \\ \hfill & k^{i+4}=k^i\oplus k^{i+1}\oplus (k^{i+3}⋙3)\oplus (k^{i+1}⋙1)\oplus (k^{i+3}⋙4)\oplus c\oplus {\left(z_j\right)}_i.\hfill \end{array}$$

As it is shown above, the generated subkey is XOR-ed with a constant c which is equal to $2^n-4=0xff...fc$ and the ith bit of $\left(z_j\right)$, where the choice of $\left(z_j\right)$ depends on Simon versions. Thus, these constants are added to prevent slide attacks and eliminate circular shift symmetries. There are five constant sequences $\left(z_0\right)$,$\left(z_1\right)$,$\left(z_2\right)$,$\left(z_3\right)$, and $\left(z_4\right)$, which take the following values:

$$\begin{array}{c}\hfill z=[11111010001001010110000111001101111101000100101011000011100110,\\ \hfill 10001110111110010011000010110101000111011111001001100001011010,\\ \hfill 10101111011100000011010010011000101000010001111110010110110011,\\ \hfill 11011011101011000110010111100000010010001010011100110100001111,\\ \hfill 11010001111001101011011000100000010111000011001010010011101111].\end{array}$$

3. Related Work

We focus in this paper on linear cryptanalysis. The best linear results on Simon are obtained using linear hulls.

First introduced by [10], the linear hull is a set of linear approximations with the same input and output masks. Abdelraheem et al. [4] generalized the method of converting any differential characteristic to a linear characteristic for Simon, and investigated the security of Simon against different variants of linear cryptanalysis, classical, multiple and linear hull. Using linear hull, they present attacks on the reduced-round of 21, 21, 29, 36, and 50 rounds of Simon 32/64, Simon 48/96, Simon 64/128, Simon 96/144, and Simon 128/256.

Shi et al. [11] by using the method of automatic enumeration of differential and linear approximations Mixed-integer Linear Programming presented in [12], they present linear hull crytpanalysis on the reduced-round 21, 21, 29 rounds for Simon 32/64, Simon 48/96, Simon 64/128 respectively.

Then, Abdelraheem et al. [13] proposed a time-memory trade-off method to search for highly biased linear trails. Hence, they found 14-round and 17-round linear approximations for Simon 32 and Simon 48 respectively. As a result, they present 24, 23 and 24 rounds of Simon 32/64, Simon 48/72 and Simon 48/96. Additionally, Sun et al. [12] present a 16-round linear hull for Simon 48/96, which used to break up 23 rounds.

The best linear hull attacks presented in [7] by using a dynamic key-guessing technique which first proposed to improve the differential cryptanalysis in [14]. They apply the dynamic- key-guessing method to reduce the number of key bits required guessing, and they present linear hull attacks on the reduced-round 23, 25, 31, 38 and 53 for Simon 32, Simon 48, Simon 64, Simon 96 and Simon 128 respectively. An interesting future work direction would be to examine the combination of linear hulls and super rounds.

Table 4. Summary of linear hull results.

Simon	Total Rounds	Attacked Rounds	Data Complexity	Time Complexity	Reference
Simon 32/64	32	21	$2^{30.56}$	$2^{55.56}$	[4]
		21	-	-	[11]
		23	$2^{30.59}$	$2^{50}$	[13]
		23	$2^{31.19}$	$2^{61.84}A+2^{56}E$	[7]
Simon 48/72	36	20	$2^{44.11}$	$2^{70.61}$	[4]
		23	$2^{47.78}$	$2^{62.10}$	[13]
		24	$2^{47.92}$	$2^{67.89}A+2^{65.34}E$	[7]
Simon 48/96	36	21	$2^{44.11}$	$2^{87.11}$	[4]
		21	-	-	[11]
		24	$2^{47.78}$	$2^{83.10}$	[13]
		23	$2^{47.92}$	$2^{92.92}$	[12]
		25	$2^{47.92}$	$2^{89.89}A+2^{88.28}E$	[7]
Simon 64/96	42	27	$2^{62.53}$	$2^{88.53}$	[4]
		30	$2^{63.53}$	$2^{93.62}A+2^{88.13}E$	[7]
Simon 64/128	44	29	$2^{62.53}$	$2^{123.53}$	[4]
		29	-	-	[11]
		31	$2^{63.53}$	$2^{119.62}A+2^{120}E$	[7]
Simon 96/96	52	37	$2^{95.2}$	$2^{67.94}A+2^{88}E$	[7]
Simon 96/144	54	36	$2^{94.2}$	$2^{135.2}$	[4]
		38	$2^{95.2}$	$2^{98.54}A+2^{136}E$	[7]
Simon 128/128	68	36	$2^{124}$	$2^{124}$	[11]
		49	$2^{127.6}$	$2^{87.77}A+2^{120}E$	[7]
Simon 128/192	69	48	$2^{126.6}$	$2^{187.6}$	[4]
		43	$2^{127}$	-	[11]
		51	$2^{127.6}$	$2^{155.77}A+2^{184}E$	[7]
Simon 128/256	72	50	$2^{126.6}$	$2^{242.6}$	[4]
		53	$2^{127.6}$	$2^{239.77}A+2^{248}E$	[7]

‘-’ refers to not given, A refers to number of additions, E refers to number of encryptions.

summarizes the linear hull attack results on Simon.

Moreover, there are other results using different attack methods such as Zero-correlation linear cryptanalysis. Bogdanov et al. [15] propose an extension of linear cryptanalysis based on linear approximations with correlation Zero, called Zero-correlation linear cryptanalysis. [16] present Zero-correlation linear cryptanalysis on all versions of Simon. Hence, they successfully present attacks on 19, 20, 22, 23, 25, 28, 33, and 34 rounds for Simon 32/64, Simon 48/72, Simon 48/96, Simon 64/96, Simon 64/128, Simon 96/144, Simon 128/192 and Simon 128/256 respectively.

Wang et al. [17] also present improved results using zero-correlation with the help of divide-and-conquer technique on 20, 21 and 21 rounds of Simon 32/64, Simon 48/72, Simon 48/96. Then, Sun et al. [18] improved Zero-correlation linear cryptanalysis presented in [17] on Simon 32/64, Simon 48/72, Simon 48/96 and the first to apply it on the larger variants of Simon. Hence, they attack 21, 21, 22, 23, 24, 28, 32 and 34 rounds of Simon 32/64, Simon 48/72, Simon 48/96, Simon 64/96, Simon 64/128, Simon 96/144, Simon 128/192 and Simon 128/256 respectively.

There are works that focused on the classical linear cryptanalysis. The first work to look at is [19] by Abed et al., where they analyze the linear properties of Simon round function. Hence, they linearize the only non-linear part which is the bitwise AND operation, and present this linear approximation: $\left[F\right(x\left)\right)=(x⋘2)]$, which holds with probability 3/4, and bias $ϵ=2^{-2}$.

Moreover, following this approach they generate linear trails to a larger number of rounds and to all Simon versions. Hence, they successfully present linear cryptanalysis of length 11, 14, 16, 20 and 23 on Simon 32, Simon 48, Simon 64, Simon 96 and Simon 128 respectively. Since their attack is considered Matsui’s first algorithm, the required number of plaintext and ciphertext pairs is what determines the complexity of the attack. Accordingly, the required data complexity were $2^{23}$, $2^{47}$, $2^{61}$, $2^{95}$ and $2^{125}$ for Simon 32, Simon 48, Simon 64, Simon 96 and Simon 128 respectively.

Improved results in terms of covering more rounds have been presented by Alizadeh et al. in [20], where they exploit a direct connection between linear characteristics and differential characteristics. So given an r-round differential characteristic, an equivalent r-round linear characteristic can be constructed. Given this observation, they derived improved linear trails and then mounted linear cryptanalysis using Matsui’s first algorithm with a reported success probability of 0.997 for 12, 15, 19, 28 and 35 rounds for Simon 32, Simon 48, Simon 64, Simon 96, and Simon 128 respectively.

Because in these two works [19,20], they apply Matsui’s first algorithm, they were only able to determine a parity bits of the subkeys, where a represents the number of approximations that have been used, which is equal to the block size 32, 48, 64, 96 and 128.

In [4], they consider the classical linear cryptanalysis and multiple linear cryptanalysis. So, they extend the previous results to cover more rounds and launch key recovery attacks using Matsui’s second algorithm, and recover 27.5 key bits of Simon 32, and the average of 32.5, 41.5, 42.5, and 78 key bits for Simon 48, Simon 64, Simon 96 and Simon 128. Thus, they have successfully introduced attacks on 17, 20, 23, 34 and 42 rounds for all versions of Simon 32, Simon 48, Simon 64, Simon 96 and Simon 128 respectively. Moreover, they apply multiple linear cryptanalysis and present attacks on 18, 20, 22, 33 and 39 rounds of respective block sizes of 32, 48, 64, 96, and 128 bits respectively, and they can determine n parity bits of the subkeys.

The most recent results were presented in [6] by Ashur. They describe a new method to compute the bias of linear trails, which was then used to obtain longer linear approximations than what previous works have obtained. The literature calls into question the correctness of the results presented in this work. In particular, from [7], “it uses the correlation when all the subkeys are zero as the expected correlation under random key situations, which is not exact. Moreover, if the potential of each linear hull of the cipher is smaller than that of random permutations, then the combination of these linear hulls can not distinguish between the cipher and a random permutation.”

4. The Cryptanalytic Model

In this section we describe the idea of a super round and its super key, and the use of this idea in linear cryptanalysis as well as for a brute force attack on eight rounds on Simon 32/64.

We first establish some notation. Superscripts denote round number beginning with 0, and subscripts denote bit number from left to right, also beginning with 0. We denote by $X{L}^j$ and $X{R}^j$ the left and right half inputs respectively to the j-th cipher round (and hence the outputs of the $(j-1)$-th round), and by $k_i^j$ the i-th bit of the j-th round key. Left and right plaintext and ciphertext halves are denoted $PL$, $PR$, $CL$ and $CR$ respectively.

4.1. Central Observation

We observe that, after four rounds of Simon 32/64 encryption, one bit of the left half of the state depends on only 16 key bits—the size of one round key. One bit of the right half depends on only 7 key bits. On the other hand, the 32-bit state after four rounds of encryption depends on all 64 master key bits. Thus, by focusing on a single bit of the state, we are able to partition the key into smaller pieces. This enables us to more efficiently apply exhaustive search, doing it 16 (or 7) bits at a time.

In Matsui’s second linear cryptanalysis, the first (or final) round key is determined by encryption (or decryption) with all possibilities (exhaustive search), choosing the most likely one. One would like to be able to use the same approach to determine all possible master key bits, instead of only those in the final round key. Performing an exhaustive search by encrypting multiple rounds is, however, prohibitively expensive. Using our observation, it is possible to efficiently encrypt the four first rounds (not only the first round), by focusing on a single bit of state at a time, and performing an exhaustive search over smaller pieces of the key. To extend Matsui’s second linear cryptanalysis to four rounds in this manner, we would need linear cryptanalytic expressions with only a single bit of input state. The expressions and the encryption are symmetric with respect to the single bit of super round output, and we are hence able to perform this type of cryptanalysis on every bit of super round output.

An outline of the attack is as follows:

1.

For every bit of super round output, we guess all possible combinations of the corresponding 16 key bits for the left half, or 7 for the right half, to obtain the most likely one. We do this for all 32 bits of the block.

2.

This gives us 16 keys of size 16 each (left half) and 16 keys of size 7 each (right half), with considerable overlap among the key bits, as there are only 48 independent master key bits.

3.

We obtain 368 related key bits representing 48 independent key bits, which allows for correcting errors.

The complexity of this attack is $(16\times 2^{16}+16\times 2^7)\times N$ where N is the number of plaintext-ciphertext (P/C) pairs used.

4.2. The Super Round

We use the term super round to represent a generalization of the four-round encryption we described above.

Definition 1

(Super Rounds and Super Keys).A super round for a block cipher is a function representing s-rounds of encryption of the cipher, for some $s>1$. It takes as input a full block of plaintext and the required key bits, and outputs t bits of ciphertext, where t is considerably smaller than the block size. The required key bits for a super round are referred to as a super key.

Examples: For Simon 32/64:

• A super round of the first four rounds requires a super key for the left half of length 16 and has as output a single bit of left-half ciphertext.
• A super-round of the first four rounds requires a super key for the right half of length 7 key bits and has as output a single bit of right-half ciphertext.

Figure 2 depicts these examples, where $F_S$ represents the super round.

4.3. Linear Cryptanalysis with Super Rounds

In this section we describe the general linear cryptanalytic attack of Matsui’s second algorithm with super rounds. The linear approximations we will derive in Section 5 are chosen so as to have a single bit of input—$X{L}_i^4$ or $X{R}_i^4$—which is approximately related to multiple bits of the ciphertext C (see Figure 3). The super round itself relates this bit, exactly, (modulo a key bit absorbed into the linear approximation) to the plaintext P and the ith super key. Thus we obtain an approximate relationship between P, C and the super key bits. By performing an exhaustive search over the super key space, we obtain the super key bits. We repeat this process for all bits of the super round output.

For each of the two super rounds (for left and right hand output halves), for each value of i, there are corresponding 16-bit and 7-bit super keys.

Table 5. Super Keys.

Super-Key for ${\mathit{Fs}}_{\mathit{enc},\mathit{i}}$, $0\le \mathit{i}\le 15$	Super-Key for ${\mathit{Fs}}_{\mathit{enc},\mathit{i}}$, $16\le \mathit{i}\le 31$
Left Half	Right Half
$k_{i+8}^0\oplus k_{i+12}^0\oplus k_{i+10}^1\oplus k_{i+8}^2$	$k_{i+3}^0\oplus k_{i+1}^1$
$k_{i+1}^0\oplus k_{i+5}^0\oplus k_{i+3}^1\oplus k_{i+1}^2$	$k_{i+10}^0\oplus k_{i+8}^1$
$k_{i+12}^0\oplus k_{i+10}^1$	$k_{i+2}^0$
$k_{i+5}^0\oplus k_{i+3}^1$	$k_{i+3}^0$
$k_{i+2}^0\oplus k_i^1$	$k_{i+10}^0$
$k_{i+11}^0\oplus k_{i+9}^1$	$k_{i+9}^0$
$k_{i+4}^0\oplus k_{i+2}^1$	$k_i^0$
$k_{i+12}^0$
$k_{i+5}^0$
$k_{i+2}^0$
$k_{i+11}^0$
$k_{i+4}^0$
$k_{i+10}^0$
$k_{i+3}^0$
$k_{i+8}^0$
$k_{i+1}^0$

lists the components of the super keys.

We see that each super key for the left half contains nine bits from $k^0$, in the form $k_{i+m}^0$ for $m=1,2,3,4,5,8,10,11,12$. Thus a particular bit of $k^0$, say $k_s^0$, appears in the super key of left half bits $s-m$, for $m=1,2,3,4,5,8,10,11,12$. That is, if we determine the super key for each value of i in the left half of the state, we will obtain nine copies of each bit of $k^0$. Similarly, the super key for the right half contains five bits of $k^0$. Additionally, there are other bits in the super key as well. Thus, over all sixteen bits of $X{L}^4$ and $X{R}^4$, we obtain:

• 14 copies of $k_s^0$
• 7 copies of $k_s^0\oplus k_{s+2}^1$
• 2 copies of $k_s^0\oplus k_{s+4}^0\oplus k_{s+2}^1\oplus k_s^2$

for $s=0,1,2,...,15$.

The redundancy above allows us to better estimate the individual key bits, and we estimate each of the 48 independent key bits by a majority vote from the corresponding multiple copies. In any experiment, we get three outcomes: correctly determined bits, incorrectly determined bits and undetermined bits (when the outcome is a tie).

Finally, we will have 16 bits of $k^0$, 16 bits of $k_s^0\oplus k_{s+2}^1$, and 16 bits of $k_s^0\oplus k_{s+4}^0\oplus k_{s+2}^1\oplus k_s^2$, for a total of 48 independent key bits. We may use estimates of bits of $k^0$ to estimate bits of $k^1$, and then to estimate bits of $k^2$. We note that the error increases as we go from $k^0$ through $k^2$; not only because the number of copies of the required bits decreases, but because the error is compounded (the error in determining $k^2$ is increased due to errors in estimating $k^0$ and $k^1$).

4.4. The Construction of Super Rounds and Derivations of Super Keys

Here, we demonstrate how the super rounds are constructed for Simon cipher, beginning with Simon 32/64 and going on to other variants [21].

Since Simon is designed based on a Feistel structure with the key-dependent round function, one round of Simon can be expressed as:

$$(X{L}^{j+1},X{R}^{j+1})=R_{k^j}(X{L}^j,X{R}^j)=(X{R}^j\oplus F\left(X{L}^j\right)\oplus k^j,X{L}^j)$$

which implies that:

$$\begin{array}{cc}\hfill X{L}_i^{j+1}& =X{R}_i^j\oplus Z_i^j\oplus k_i^j\hfill \\ \hfill & =X{L}_i^{j-1}\oplus Z_i^j\oplus k_i^j\hfill \\ \hfill & =X{L}_i^{j-3}\oplus Z_i^{j-2}\oplus k_i^{j-2}\oplus Z_i^j\oplus k_i^j\hfill \end{array}$$

Hence:

$$X{L}_i^4=X{L}_i^0\oplus Z_i^1\oplus k_i^1\oplus Z_i^3\oplus k_i^3=P{L}_i\oplus Z_i^1\oplus k_i^1\oplus Z_i^3\oplus k_i^3$$

Similarly,

$$\begin{array}{cc}\hfill X{R}_i^{j+1}& =X{L}_i^j\hfill \\ \hfill & =X{L}_i^{j-2}\oplus Z_i^{j-1}\oplus k_i^{j-1}\hfill \\ \hfill & =X{R}_i^{j-3}\oplus Z_i^{j-3}\oplus k_i^{j-3}\oplus Z_i^{j-1}\oplus k_i^{j-1}\hfill \end{array}$$

and hence that:

$$X{R}_i^4=X{R}_i^0\oplus Z_i^0\oplus k_i^0\oplus Z_i^2\oplus k_i^2=P{R}_i\oplus Z_i^0\oplus k_i^0\oplus Z_i^2\oplus k_i^2$$

Given the round function of Simon:

$$F\left(X{L}^j\right)=[(X{L}^j⋘1)\&(X{L}^j⋘8)]\oplus X{L}^j⋘2)$$

which implies that:

$$Z_i^j=(X{L}_{i+1}^j\&X{L}_{i+8}^j)\oplus X{L}_{i+2}^j$$

giving us:

$$\begin{array}{cc}\hfill Z_i^0& =(P{L}_{i+1}\&P{L}_{i+8})\oplus P{L}_{i+2}\hfill \\ \hfill Z_i^1& =[(Z_{i+1}^0\oplus k_{i+1}^0\oplus P{R}_{i+1})\&(Z_{i+8}^0\oplus k_{i+8}^0\oplus P{R}_{i+8})]\oplus (Z_{i+2}^0\oplus k_{i+2}^0\oplus P{R}_{i+2})\hfill \\ \hfill Z_i^2& =[(Z_{i+1}^1\oplus k_{i+1}^1\oplus X{R}_{i+1}^1)\&(Z_{i+8}^1\oplus k_{i+8}^1\oplus X{R}_{i+8}^1)]\oplus (Z_{i+2}^1\oplus k_{i+2}^1\oplus X{R}_{i+2}^1)\hfill \\ \hfill & =[(Z_{i+1}^1\oplus k_{i+1}^1\oplus P{R}_{i+1})\&(Z_{i+8}^1\oplus k_{i+8}^1\oplus P{R}_{i+8})]\oplus (Z_{i+2}^1\oplus k_{i+2}^1\oplus P{R}_{i+2})\hfill \\ \hfill Z_i^3& =(v_1\&v_2)\oplus v_3\hfill \end{array}$$

where:

$$\begin{array}{cccccc}\hfill v_1=& Z_{i+1}^2\oplus k_{i+1}^2\oplus X{R}_{i+1}^2\hfill & \hfill =& Z_{i+1}^2\oplus k_{i+1}^2\oplus X{L}_{i+1}^1\hfill & \hfill =& Z_{i+1}^2\oplus Z_{i+1}^0\oplus k_{i+1}^0\oplus P{R}_{i+1}\oplus k_{i+1}^2\hfill \\ \hfill v_2=& Z_{i+8}^2\oplus k_{i+8}^2\oplus X{R}_{i+8}^2\hfill & \hfill =& Z_{i+8}^2\oplus k_{i+8}^2\oplus X{L}_{i+8}^1\hfill & \hfill =& Z_{i+8}^2\oplus Z_{i+8}^0\oplus k_{i+8}^0\oplus P{R}_{i+8}\oplus k_{i+8}^2\hfill \\ \hfill v_3=& Z_{i+2}^2\oplus k_{i+2}^2\oplus X{R}_{i+2}^2\hfill & \hfill =& Z_{i+2}^2\oplus k_{i+2}^2\oplus X{L}_{i+2}^1\hfill & \hfill =& Z_{i+2}^2\oplus Z_{i+2}^0\oplus k_{i+2}^0\oplus P{R}_{i+2}\oplus k_{i+2}^2\hfill \end{array}$$

Finally,

$$\begin{array}{cccccc}\hfill X{L}_i^4=& Z_i^3\oplus k_i^3\oplus X{R}_i^3\hfill & \hfill =& Z_i^3\oplus k_i^3\oplus X{L}_i^2\hfill & \hfill =& Z_i^3\oplus k_i^3\oplus Z_i^1\oplus k_i^1\oplus P{L}_i\hfill \\ \hfill X{R}_i^4=& X{L}_i^3\hfill & \hfill =& X{L}_i^1\oplus Z_i^2\oplus k_i^2\hfill & \hfill =& P{R}_i\oplus k_i^0\oplus Z_i^0\oplus Z_i^2\oplus k_i^2.\hfill \end{array}$$

Recall the Simon family consists of another nine variants of the cipher differing in their block and key sizes. All Simon variants share the same round function; hence the observation enabling us to construct super-rounds in Simon 32/64 continues to be valid. Even though the larger variants of Simon correspond to larger block and key sizes, we have found that the size of the super keys is only slightly larger than that for Simon 32/64. After four round of encryption, a single bit of the left-half of the intermediate state is influenced by only 18 key bits. On the other hand, the size of the super-key of the right half stays the same, at seven bits.

In Simon 32/64, we have nine bits of $k_i^0$, for $i=1,2,3,4,5,8,10,11,12$, as shown in Table 5, where in Simon 48 we have 11 bits of $k_i^0$, for $i=0,1,3,4,5,8,10,11,12,17,18$, and in Simon 64 we have a similar set of bits, except instead of $k_i^0$, we have $k_{i+24}^0$. This difference arises from computing $v_2$, where we have the similar computations for $v_1$, and $v_3$. In larger Simon, we get:

$$\begin{array}{cc}\hfill v_2=& Z_{i+8}^2\oplus k_{i+8}^2\oplus X{R}_{i+8}^2,\hfill \end{array}$$

where,

$$\begin{array}{cc}\hfill Z_{i+8}^2& =[(Z_{i+9}^1\oplus k_{i+9}^1\oplus X{R}_{i+9}^1)\&(Z_{(i+16)\%n}^1\oplus k_{(i+16)\%n}^1\oplus X{R}_{(i+16)\%n}^1)]\oplus (Z_{i+10}^1\oplus k_{i+10}^1\oplus X{R}_{i+10}^1).\hfill \end{array}$$

Hence:

$$\begin{array}{c}\hfill Z_{i+9}^1=[(Z_{i+10}^0\oplus k_{i+10}^0\oplus P{R}_{i+10})\&(Z_{(i+17)\%n}^0\oplus k_{(i+17)\%n}^0\oplus P{R}_{(i+17)\%n})]\oplus (Z_{i+11}^0\oplus k_{i+11}^0\oplus P{R}_{i+11})\\ \hfill Z_{(i+16)\%n}^1=[(Z_{i+17}^0\oplus k_{i+17}^0\oplus P{R}_{i+17})\&(Z_{(i+24)\%n}^0\oplus k_{(i+24)\%n}^0\oplus P{R}_{(i+24)\%n})]\oplus (Z_{i+18}^0\oplus k_{i+18}^0\oplus P{R}_{i+18})\\ \hfill Z_{i+10}^1=[(Z_{i+11}^0\oplus k_{i+11}^0\oplus P{R}_{i+11})\&(Z_{(i+18)\%n}^0\oplus k_{(i+18)\%n}^0\oplus P{R}_{(i+18)\%n})]\oplus (Z_{i+12}^0\oplus k_{i+12}^0\oplus P{R}_{i+12}).\end{array}$$

It is clear from the equations that in the case of $n=24$, we get $k_{i+17}^0,k_{i+18}^0$ and $k_i^0$ from evaluating $Z_{i+9}^1$, $Z_{i+16}^1$ and $Z_{i+10}^1$. In the case of $n=32$, we get $k_{i+17}^0,k_{i+18}^0$ and $k_{i+24}^0$.

The value $v_2$ affects the super key bit $k_{i+2}^0\oplus k_i^1$, which becomes in the case of larger Simon, $k_{i+18}^0\oplus k_{i+16}^1$. The other components of the super key for the left half, are consistent with the bits presented in Table 5. See Algorithm 1 for pseudocode for our attack on Simon 32/64, using the left half system of approximation.

Algorithm 1 Matsui’s second algorithm using multiple linear approximations.

Let T be the number of plaintexts such that the linear approximation is True. for i = 0, …, $2^n$ do      ▹ evaluate the linear approximation for the left word  for j = 0, …, $2^{16}$ do                     ▹ try all 16-bit keys   Initialize T with zero   for all N plaintext–ciphertext pairs do    calculate $X{L}_i^4$ using super round    if linear approximation is True then     increment T    end if   end for   Calculate $bia{s}_j$ = $\mid (T-(N÷2\left)\right)÷N\mid$  end for  output the candidate key j with the highest bias end for

5. Linear Approximations for Simon 32/64

In this section we derive linear approximations for 8, 10 and 12-round attacks on Simon 32/64. In Section 6 we describe experimental results for the proposed attacks.

We use a natural linear expression of the Simon round function, obtained by replacing the & function by 0, with a bias of $\frac{1}{4}$ [19]. The left half is approximated as:

$$Approximation1:Pr[F\left(X{L}_i^{j+1}\right)=X{L}_{i+2}^j]=\frac{3}{4}.$$

Additionally, the following are linear expressions from the literature with a similar absolute bias of $\frac{1}{4}$:

$$\begin{array}{cc}\hfill Approximation2& :Pr[F\left(X{L}_i^{j+1}\right)=X{L}_{i+2}^j\oplus X{L}_{i+1}^j]=\frac{3}{4}\hfill \\ \hfill Approximation3& :Pr[F\left(X{L}_i^{j+1}\right)=X{L}_{i+2}^j\oplus X{L}_{i+8}^j]=\frac{3}{4}\hfill \\ \hfill Approximation4& :Pr[F\left(X{L}_i^{j+1}\right)=X{L}_{i+2}^j\oplus X{L}_{i+1}^j\oplus X{L}_{i+8}^j]=\frac{1}{4}.\hfill \end{array}$$

We use this approximation repeatedly for multiple-round attacks that relate a single bit of input to multiple output bits. The experimentally-verified success probabilities of the attacks on 8, 10 and 12 rounds are listed in Table 9.

5.1. 8-Round Attack

We find two four-round linear approximations, relating a single bit of the left and right half inputs respectively to a few bits of output after four rounds. We can use a super round to obtain exactly the single bit of input from the plaintext and the super key and then concatenate it with the approximation, thus relating the plaintext, super key and ciphertext bits of eight rounds encryption (see Figure 4).

Beginning with a single bit of the left half plaintext, $PL=X{L}^0$, we approximate a linear relationship with bits from the output:

$$\begin{array}{cc}\hfill P{L}_i& =X{L}_i^0=X{R}_i^1\hfill \\ \hfill & =F{\left(X{R}^2\right)}_i\oplus X{L}_i^2\oplus k_i^1\hfill \\ \hfill & \approx X{R}_{i+2}^2\oplus X{L}_i^2\oplus k_i^1\hfill \\ \hfill & =F{\left(X{R}^3\right)}_{i+2}\oplus X{L}_{i+2}^3\oplus k_{i+2}^2\oplus X{L}_i^2\oplus k_i^1\hfill \\ \hfill & =F{\left(X{R}^3\right)}_{i+2}\oplus X{L}_{i+2}^3\oplus k_{i+2}^2\oplus X{R}_i^3\oplus k_i^1\hfill \\ \hfill & \approx X{R}_{i+4}^3\oplus X{R}_i^3\oplus X{L}_{i+2}^3\oplus k_{i+2}^2\oplus k_i^1\hfill \\ \hfill & =X{R}_{i,i+4}^3\oplus X{L}_{i+2}^3\oplus k_{i+2}^2\oplus k_i^1\hfill \\ \hfill & =F{\left(X{R}^4\right)}_{i,i+4}\oplus X{L}_{i,i+4}^4\oplus k_{i,i+4}^3\oplus X{L}_{i+2}^3\oplus k_{i+2}^2\oplus k_i^1\hfill \\ \hfill & =F{\left(X{R}^4\right)}_{i,i+4}\oplus X{L}_{i,i+4}^4\oplus k_{i,i+4}^3\oplus X{R}_{i+2}^4\oplus k_{i+2}^2\oplus k_i^1\hfill \\ \hfill & =F{\left(X{R}^4\right)}_{i,i+4}\oplus X{L}_{i,i+4}^4\oplus X{R}_{i+2}^4\oplus k_{i,i+4}^3\oplus k_{i+2}^2\oplus k_i^1\hfill \\ \hfill & \approx X{R}_{i+2,i+6}^4\oplus X{L}_{i,i+4}^4\oplus X{R}_{i+2}^4\oplus k_{i,i+4}^3\oplus k_{i+2}^2\oplus k_i^1\hfill \\ \hfill & =X{R}_{i+6}^4\oplus X{L}_{i,i+4}^4\oplus k_{i,i+4}^3\oplus k_{i+2}^2\oplus k_i^1\hfill \end{array}$$

(3)

To produce a four-round linear approximation for the right half, we will start with a single bit of right half $PR=X{R}^0$:

$$\begin{array}{cc}\hfill P{R}_i& =X{R}_i^0=F{\left(X{R}^1\right)}_i\oplus X{L}_i^1\oplus k_i^0\hfill \\ \hfill & \approx X{R}_{i+2}^1\oplus X{L}_i^1\oplus k_i^0\hfill \\ \hfill & =F{\left(X{R}^2\right)}_{i+2}\oplus X{L}_{i+2}^2\oplus k_{i+2}^1\oplus X{R}_i^2\oplus k_i^0\hfill \\ \hfill & \approx X{R}_{i+4}^2\oplus X{L}_{i+2}^2\oplus X{R}_i^2\oplus k_{i+2}^1\oplus k_i^0\hfill \\ \hfill & =X{R}_{i,i+4}^2\oplus X{L}_{i+2}^2\oplus k_{i+2}^1\oplus k_i^0\hfill \\ \hfill & =F{\left(X{R}^3\right)}_{i,i+4})\oplus X{L}_{i,i+4}^3\oplus k_{i,i+4}^2\oplus X{R}_{i+2}^3\oplus k_{i+2}^1\oplus k_i^0\hfill \end{array}$$

(4)

$$\begin{array}{cc}\hfill & \approx X{R}_{i+2,i+6}^3\oplus X{L}_{i,i+4}^3\oplus X{R}_{i+2}^3\oplus k_{i,i+4}^2\oplus k_{i+2}^1\oplus k_i^0\hfill \\ \hfill & =X{R}_{i+6}^3\oplus X{L}_{i,i+4}^3\oplus k_{i,i+4}^2\oplus k_{i+2}^1\oplus k_i^0\hfill \\ \hfill & =F{\left(X{R}^4\right)}_{i+6}\oplus X{L}_{i+6}^4\oplus k_{i+6}^3\oplus X{R}_{i,i+4}^4\oplus k_{i,i+4}^2\oplus k_{i+2}^1\oplus k_i^0\hfill \\ \hfill & \approx X{R}_{i,i+4,i+8}^4\oplus X{L}_{i+6}^4\oplus k_{i+6}^3\oplus k_{i,i+4}^2\oplus k_{i+2}^1\oplus k_i^0.\hfill \end{array}$$

Hence, appending the four rounds of encryption to Equations (3) and (4), we get the following expressions with biases $2^{-5}$ and $2^{-6}$ respectively:

$$X{L}_i^4\oplus X{R}_{i+6}^8\oplus X{L}_{i,i+4}^8=k_{i+6}^0\oplus k_{i,i+4}^1\oplus k_{i+2}^2\oplus k_i^3\oplus k_i^5\oplus k_{i+2}^6\oplus k_{i,i+4}^7$$

(5)

$$X{R}_i^4\oplus X{R}_{i,i+4,i+8}^8\oplus X{L}_{i+6}^8=k_{i,i+4}^0\oplus k_{i+2}^1\oplus k_i^2\oplus k_i^4\oplus k_{i+2}^5\oplus k_{i,i+4}^6\oplus k_{i+6}^7.$$

(6)

5.2. 10-Round Attack

We extend the 8-round attack by adding two more rounds of decryption at the end so we have a 10-round attack. The two rounds are added by decrypting the ciphertext bits; this comes at the cost of exhaustive search over a few more key bits. See Figure 5.

Recall single-round decryption:

$$\begin{array}{cc}\hfill X{L}^j& =X{R}^{j+1}\hfill \\ \hfill X{R}^j& =F\left(X{L}^j\right)\oplus X{L}^{j+1}\oplus k^j=F\left(X{R}^{j+1}\right)\oplus X{L}^{j+1}\oplus k^j,\hfill \end{array}$$

and hence two rounds decryption is:

$$\begin{array}{cc}\hfill X{L}^j& =F\left(X{R}^{j+2}\right)\oplus X{L}^{j+2}\oplus k^{j+1}\hfill \\ \hfill X{R}^j& =F(F\left(X{R}^{j+2}\right)\oplus X{L}^{j+2}\oplus k^{j+1})\oplus X{R}^{j+2}\oplus k^j,\hfill \end{array}$$

which gives us:

$$\begin{array}{cc}\hfill X{L}^8& =X{L}^{10}\oplus F\left(X{R}^{10}\right)\oplus k^9\hfill \\ \hfill X{R}^8& =X{R}^{10}\oplus F(X{L}^{10}\oplus F\left(X{R}^{10}\right)\oplus k^9)\oplus k^8.\hfill \end{array}$$

(7)

Recall the four-round linear approximation for the single bit in the left half:

$$\begin{array}{cc}\hfill X{L}_i^4\oplus X{R}_{i+6}^8\oplus X{L}_{i,i+4}^8& =k_i^5\oplus k_{i+2}^6\oplus k_{i,i+4}^7.\hfill \end{array}$$

Substituting for $X^8$, we get:

$$\begin{array}{cc}\hfill & X{L}_i^4\oplus X{R}_{i+6}^{10}\oplus F{(X{L}^{10}\oplus F\left(X{R}^{10}\right)\oplus k^9)}_{i+6}\oplus k_{i+6}^8\oplus X{L}_{i,i+4}^{10}\hfill \\ \hfill & \oplus F{\left(X{R}^{10}\right)}_{i,i+4}\oplus k_{i,i+4}^9=k_i^5\oplus k_{i+2}^6\oplus k_{i,i+4}^7,\hfill \end{array}$$

or:

$$\begin{array}{cc}\hfill & X{L}_i^4\oplus X{R}_{i+6}^{10}\oplus [(X{L}_{i+7}^{10}\oplus F{\left(X{R}^{10}\right)}_{i+7}\oplus k_{i+7}^9)\&(X{L}_{i+14}^{10}\hfill \\ \hfill & \oplus F{\left(X{R}^{10}\right)}_{i+14}\oplus k_{i+14}^9\left)\right]\oplus k_{i+6}^8\oplus X{L}_{i+8}^{10}\oplus F{\left(X{R}^{10}\right)}_{i+8}\oplus \hfill \\ \hfill & k_{i+8}^9\oplus X{L}_{i,i+4}^{10}\oplus [X{R}_{i+1}^{10}\&X{R}_{i+8}^{10}]\oplus X{R}_{i+2}^{10}\oplus [X{R}_{i+5}^{10}\hfill \\ \hfill & \&X{R}_{i+12}^{10}]\oplus X{R}_{i+6}^{10}\oplus k_{i,i+4}^9=k_i^5\oplus k_{i+2}^6\oplus k_{i,i+4}^7.\hfill \end{array}$$

or:

$$\begin{array}{cc}\hfill & X{L}_i^4\oplus X{R}_{i+6}^{10}\oplus [(X{L}_{i+7}^{10}\oplus F{\left(X{R}^{10}\right)}_{i+7}\oplus k_{i+7}^9)\&(X{L}_{i+14}^{10}\hfill \\ \hfill & \oplus F{\left(X{R}^{10}\right)}_{i+14}\oplus k_{i+14}^9\left)\right]\oplus k_{i+6}^8\oplus X{L}_{i+8}^{10}\oplus (X{R}_{i+9}^{10}\&X{R}_i^{10})\hfill \\ \hfill & \oplus X{R}_{i+10}^{10}\oplus k_{i+8}^9\oplus X{L}_{i,i+4}^{10}\oplus [X{R}_{i+1}^{10}\&X{R}_{i+8}^{10}]\oplus X{R}_{i+2}^{10}\hfill \\ \hfill & \oplus [X{R}_{i+5}^{10}\&X{R}_{i+12}^{10}]\oplus X{R}_{i+6}^{10}\oplus k_{i,i+4}^9=k_i^5\oplus k_{i+2}^6\oplus k_{i,i+4}^7\hfill \end{array}$$

and finally,

$$\begin{array}{cc}\hfill & X{L}_i^4\oplus X{R}_{i+2,i+10}^{10}\oplus X{L}_{i,i+4,i+8}^{10}\hfill \\ \hfill & \oplus [(X{L}_{i+7}^{10}\oplus F{\left(X{R}^{10}\right)}_{i+7}\oplus k_{i+7}^9)\&(X{L}_{i+14}^{10}\oplus F{\left(X{R}^{10}\right)}_{i+14}\hfill \\ \hfill & \oplus k_{i+14}^9\left)\right]\oplus (X{R}_{i+9}^{10}\&X{R}_i^{10})\oplus [X{R}_{i+1}^{10}\&X{R}_{i+8}^{10}]\oplus \hfill \\ \hfill & [X{R}_{i+5}^{10}\&X{R}_{i+12}^{10}]=k_i^5\oplus k_{i+2}^6\oplus k_{i,i+4}^7\oplus k_{i+6}^8\oplus k_{i,i+4,i+8}^9.\hfill \end{array}$$

Hence, two new key bits $k_{i+7}^9$ and $k_{i+14}^9$ (in addition to the 16 bits to compute $X{L}_i^4$) required guessing to add the two rounds decryption.

Now recall the linear approximation for the single bit on the right side:

$$X{R}_i^4\oplus X{R}_{i,i+4,i+8}^8\oplus X{L}_{i+6}^8=k_i^4\oplus k_{i+2}^5\oplus k_{i,i+4}^6\oplus k_{i+6}^7.$$

Again, substituting the expressions for $X^8$ in terms of $X^{10}$ we get:

$$\begin{array}{cc}\hfill & X{R}_i^4\oplus X{R}_i^{10}\oplus F{(X{L}^{10}\oplus F\left(X{R}^{10}\right)\oplus k^9)}_i\oplus k_i^8\oplus X{R}_{i+4}^{10}\oplus \hfill \\ \hfill & F{(X{L}^{10}\oplus F\left(X{R}^{10}\right)\oplus k^9)}_{i+4}\oplus k_{i+4}^8\oplus X{R}_{i+8}^{10}\oplus F(X{L}^{10}\oplus F\left(X{R}^{10}\right)\hfill \\ \hfill & \oplus k^9{)}_{i+8}\oplus k_{i+8}^8\oplus X{L}_{i+6}^{10}\oplus F{\left(X{R}^{10}\right)}_{i+6}\oplus k_{i+6}^9\hfill \\ \hfill & =k_i^4\oplus k_{i+2}^5\oplus k_{i,i+4}^6\oplus k_{i+6}^7\hfill \end{array}$$

$$\begin{array}{cc}\hfill & X{R}_i^4\oplus X{R}_{i,i+4,i+8}^{10}\oplus X{L}_{i+6}^{10}\oplus \left[\right(X{L}_{i+1}^{10}\oplus F{\left(X{R}^{10}\right)}_{i+1}\hfill \\ \hfill & \oplus k_{i+1}^9)\&(X{L}_{i+8}^{10}\oplus F{\left(X{R}^{10}\right)}_{i+8}\oplus k_{i+8}^9)]\oplus X{L}_{i+2}^{10}\oplus F{\left(X{R}^{10}\right)}_{i+2}\hfill \\ \hfill & \oplus k_{i+2}^9\oplus [(X{L}_{i+5}^{10}\oplus F{\left(X{R}^{10}\right)}_{i+5}\oplus k_{i+5}^9)\&(X{L}_{i+12}^{10}\oplus F{\left(X{R}^{10}\right)}_{i+12}\hfill \\ \hfill & \oplus k_{i+12}^9\left)\right]\oplus X{L}_{i+6}^{10}\oplus F{\left(X{R}^{10}\right)}_{i+6}\oplus k_{i+6}^9\oplus \left[\right(X{L}_{i+9}^{10}\oplus F{\left(X{R}^{10}\right)}_{i+9}\hfill \\ \hfill & \oplus k_{i+9}^9)\&(X{L}_i^{10}\oplus F{\left(X{R}^{10}\right)}_i\oplus k_i^9)]\oplus X{L}_{i+10}^{10}\oplus F{\left(X{R}^{10}\right)}_{i+10}\hfill \\ \hfill & \oplus k_{i+10}^9\oplus F{\left(X{R}^{10}\right)}_{i+6}=k_i^4\oplus k_{i+2}^5\oplus k_{i,i+4}^6\oplus k_{i+6}^7\oplus k_{i,i+4,i+8}^8\oplus k_{i+6}^9.\hfill \end{array}$$

In this case, six new key bits (in addition to the seven required to obtain $X{R}_i^4$ from the plaintext), $k_i^9$, $k_{i+1}^9$, $k_{i+5}^9$, $k_{i+8}^9$, $k_{i+9}^9$, $k_{i+12}^9$, are required for the decryption of the last two rounds.

Thus, the number of key bits affecting the approximation for the left side is 18, and that for the right side is 13.

5.3. 12-Round Attack

To extend the linear attack of Simon 32/64 to 12 rounds, we need to extract r-round linear approximations for $r>4$. Therefore, we derive two seven-round linear approximations for the left half and the right half, with biases $2^{-11}$ and $2^{-14}$ respectively (see Tables 10 and 11 for details):

$$\begin{array}{c}\hfill X{L}_i^4\oplus X{L}_{i+2,i+10}^{11}\oplus X{R}_{i,i+8,i+12}^{11}=\left\{\begin{array}{c}{k}_i^5\oplus k_{i+2}^6\oplus k_{i,i+4}^7\hfill \\ \oplus k_{i+6}^8\oplus k_{i,i+4,i+8}^9\oplus k_{i+2,i+10}^{10}\hfill \end{array}\right.\end{array}$$

(8)

$$\begin{array}{c}\hfill X{R}_i^4\oplus X{L}_{i,i+8,i+12}^{11}\oplus X{R}_{i+14}^{11}=\left\{\begin{array}{c}{k}_i^4\oplus k_{i+2}^5\oplus k_{i,i+4}^6\oplus k_{i+6}^7\hfill \\ \oplus k_{i,i+4,i+8}^8\oplus k_{i+2,i+10}^9\oplus k_{i,i+8,i+12}^{10}\hfill \end{array}\right..\end{array}$$

(9)

We can extend the attack by one decryption round free of any approximations, which enables us to attack 12 rounds. See Figure 6.

6. Experimental Verification

To validate our proposed linear cryptanalysis of Simon 32/64, we conducted a number of experiments for the 8-round, 10-round, and 12-round linear attacks, which we summarize in this section.

We will need some additional notation. As mentioned before, the super key of the left-half is of size 16 bits, each bit being in one of three forms (recall Table 5): $k_i^0$, $k_{i+2}^0\oplus k_i^1$, or $k_i^0\oplus k_{i+4}^0\oplus k_{i+2}^1\oplus k_i^2$. We denote the 16-bit strings of bits of this form (for $i=0,1,2,...,15$) as $Bit1$, $Bit2$, and $Bit3$ respectively.

We determine $Bit1$, $Bit2$ and $Bit3$ from the super key estimates using a majority vote for error correction. We then compute the 48 master key bits ($k^0$, $k^1$, and $k^2$) using Equation (10).

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill & k_i^0=Bit{1}_i\hfill \\ \hfill & k_i^1=Bit{2}_i\oplus Bit{1}_{i+2}\hfill \\ \hfill & k_i^2=Bit{1}_i\oplus Bit{2}_{i+2}\oplus Bit{3}_i.\hfill \end{array}\end{array}$$

(10)

In all cases—8, 10 and 12 round attacks—$Bit1$ is determined with the greatest accuracy, then $Bit2$, and, last, $Bit3$. This is to be expected because there are more copies of $Bit1$ (nine) than $Bit2$ (five), and $Bit3$ has the fewest copies (two). In all cases, $k^0$ is computed more accurately than $k^1$, which is more accurately computed than $k^2$. This is because $k^0$, $k^1$ and $k^2$ are computed from one, two and three values of the estimated values of super key bits. Additionally, $k^0$ is computed from the most accurately estimated super key bits, $Bit1$; $k^1$ from $Bit1$ and $Bit2$; $k^2$ from $Bit1$, $Bit2$ and $Bit3$.

Table 6. Comparison of 8-round attack results using the left half only and using both halves.

Number of Rounds	Super Key Bits Estimated	Bits Correctly Guessed (out of 16 Bits)	No. of Experiments (out of 14)
8-round (left half)	$Bit1$	16	14
	$Bit2$ average no. bits guessed correctly = 15.7	16	11
		15	2
		14	1
	$Bit3$ average no. bits guessed correctly = 13.4	16	1
		15	6
		14	2
		12	1
		11	3
		9	1
8-round (left and right halves)	$Bit1$	16	14
	$Bit2$ average no. bits guessed correctly = 15.8	16	11
		15	3
	$Bit3$ average no. bits guessed correctly = 13.4	16	1
		15	6
		14	2
		12	1
		11	3
		9	1

,

Table 7. Comparison of 10-round attack results using the left half only and using both halves.

Number of Rounds	Super Key Bits Estimated	Bits Correctly Guessed (out of 16 Bits)	No. of Experiments (out of 14)
10-round (left half)	$Bit1$	16	14
	$Bit2$ average no. bits guessed correctly = 15.8	16	13
		14	1
	$Bit3$ average no. bits guessed correctly = 13.2	15	4
		14	3
		13	3
		12	2
		11	1
		9	1
	$Bit4$ average no. bits guessed correctly = 13.8	16	2
		15	2
		14	5
		13	2
		12	2
		11	1
10-round (left and right halves)	$Bit1$	16	14
	$Bit2$ average no. bits guessed correctly = 15.8	16	12
		15	1
		14	1
	$Bit3$ average no. bits guessed correctly = 13.4	16	1
		15	4
		14	3
		13	2
		12	2
		11	1
		9	1
	$Bit4$ average no. bits guessed correctly = 15.6	16	11
		15	2
		13	1

and

Table 8. Comparison of 12-round attack results using the left half only and using both halves.

Number of Rounds	Super Key Bits Estimated	Bits Correctly Guessed (out of 16 Bits)	No. of Experiments (out of 3)
12-round (left half)	$Bit1$	16	3
	$Bit2$	16	3
	$Bit3$ average no. bits guessed correctly = 13	15	1
		13	1
		11	1
12-round (left and right halves)	$Bit1$	16	3
	$Bit2$	16	3
	$Bit3$ average no. bits guessed correctly = 13	15	1
		13	1
		11	1

compare between the number of super key bits guessed correctly in the 8-round, 10-round and 12-round attacks respectively.

6.1. Experimental Results

6.1.1. 8-Round Attack

We carried out 14 instances of the 8-round attack, with $2^{14}$ P/C pairs and keys chosen at random. We observed that obtaining estimates of the super key bits corresponding to the right half of the state does not improve the estimate over using only those obtained from the left half state.

This is likely because the bias for the right half is half that of the left half, and hence the right half data is noisier and not particularly useful. Figure 7 shows the results achieved using super rounds corresponding to the left half and to the left and right halves.

6.1.2. 10-Round Attack

We carried out 14 instances of the 10-round attack, each with a key chosen at random and $2^{14}$ plaintext/ciphertext pairs. In addition to the super keys (48 bits), we recover the last round key $k^9$ (16-bits), which is denoted as $Bit4$, hence we retrieve a total of 64 key bits. We find that the last round key bits are not independent, so we do not obtain 64 independent bits.

In contrast to the 8-round attack, we obtain better overall results by using super rounds corresponding to both right and left halves, as compared to using only the left half. The improvement is especially noticeable in the estimate of $k^9$. The reason is that we receive 96 bits ($16\times 6$) of $k^9$ from the right half and only 32 bits ($16\times 2$) from the left-half. Thus, even though the right-half attacks have a lower bias, having a larger number of copies of $k^9$ bits results in better estimation. Figure 8 shows the improvements of the results obtained using super rounds corresponding to both right and left halves over using the left half only.

6.1.3. 12-Round Attack

We performed three instances of the 12-round attack using $2^{25}$ plaintext and ciphertext pairs. We got similar results in the case we use the estimates of the super key bits corresponding to only the left half and in the case, we combine the estimates corresponding to both halves. As in the 8-round attack, the right half of the state doesn’t improve the overall results, hence we obtain the same results using the left half and the two halves. In the three experiments, we can determine correctly 48, 47 and 45 key bits.

6.2. The Deduction of $k^3$ from $k^9$

The 64-bit master key is used directly for the first four rounds; thereafter, the Simon key schedule generates all other round keys from the 64-bit master key. We are able to express $k^3$ in terms of $k^0$, $k^1$, $k^2$, and $k^9$ as follows:

$$\begin{array}{cc}\hfill & k^3\oplus (k^3⋙4)=k^0\oplus (k^0⋙3)\oplus (k^0⋙4)\oplus (k^0⋙6)\oplus (k^0⋙7)\oplus (k^0⋙8)\hfill \\ \hfill & \oplus (k^0⋙9)\oplus (k^0⋙15)\oplus (k^1⋙1)\oplus (k^1⋙3)\oplus (k^1⋙5)\oplus (k^1⋙6)\hfill \\ \hfill & \oplus (k^1⋙10)\oplus (k^1⋙12)\oplus (k^1⋙15)\oplus k^2\oplus (k^2⋙1)\oplus (k^2⋙9)\hfill \\ \hfill & \oplus (k^2⋙10)\oplus (k^2⋙11)\oplus (k^2⋙13)\oplus k^9\oplus constant\hfill \end{array}$$

(11)

Thus, on determining $k^0$, $k^1$, $k^2$ and $k^9$, we obtain the 16 bit string $k^3\oplus (k^3⋙4)$, which we denote $Bit4$. Note that the bits of $Bit4$ are not independent, because

$$Bit{4}_i\oplus Bit{4}_{i+4}\oplus Bit{4}_{i+8}\oplus Bit{4}_{i+12}=0i=0,1,2,3$$

Thus only 12 bits of $Bit4$ are independent, enabling us to determine up to 12 bits of $k^3$. For fixed values of $k^0$, $k^1$ and $k^2$, there is a one-to-one correspondence between $Bit{4}_i$ and $k_i^9$. Thus, only 12 bits of $k^9$ are independent, and all possible values of $k^9$ will not be generated by the key schedule. Because of this, in addition to the 48 master key bits computed from the super key, we are able to deduce up to 12 bits of $k^3$ for a total of up to 60 master key bits.

6.3. 8-Round Attack without Approximations

Based on the Feistel symmetry of Simon, we are able to establish a four-round decryption super round in addition to the encryption super round we describe above. This allows us to launch a meet-in-the-middle attack on 8-round Simon 32/64 without any approximations. Instead of performing an exhaustive search over a large number of master key bits, we can focus on a single bit and perform an exhaustive search over fewer key bits at a time.

The encryption super round $F{s}_{enc,i}$ takes the plaintext and 16 key bits of super key $K_{enc,i}$ to produce a single bit of four-round encryption $X{L}_i^4$ (modulo a single key bit). The decryption super round $F{s}_{dec,i}$ takes the ciphertext and 8 key bits of super key $K_{dec,i}$ to generate a single bit of four-round decryption, see Figure 9. For every bit of intermediate state i, the adversary computes $F{s}_{enc,i}$ and $F{s}_{dec,i}$ for all possible values of encryption super key $K_{enc,i}$ and decryption super key $K_{dec,i}$ respectively. If there isn’t a match between the two operations, the pair $(K_{enc,i},K_{dec,i})$ is discarded as a possible candidate for the correct key. As all expressions are exact, there is no need to keep a count of how many times there was a match; a single mismatch disqualifies the key pair.

In this meet-in-the-middle attack on 8-round Simon, we attempt to recover 112 key bits, consisting of 64 bits of one super key and 48 more bits of the second super key. We are able to determine all 64 master key bits using only 48 plaintext and ciphertext pairs. We carried out two instances of this attack.

6.4. Summary of Experimental Results

Here we provide a summary of our experimental results (see

Table 9. Summary of the Experimental Results.

Experimental Results	Super Key Bits Recovered	Master Key Bits Recovered	Data Complexity	Time Complexity	Success Probability
8-round	41–48 bits	43–48 bits	$2^{14}$	$2^{34.00281}$	$94\%$
10-round	55–64 bits	56–64 bits	$2^{14}$	$2^{36.044}$	$95\%$
12-round	45–48 bits	45–48 bits	$2^{25}$	$2^{45.0028}$	$94\%$
8-round without	112 bits	64 bits	$2^{5.58}$	$2^{34.58}$	$100\%$
approximations

).

7. Projected Results Using Multiple Linear Cryptanalysis

In this section we present projected results for the 20-round linear attack. Similar results for Simon 48 and Simon 64, Simon 96 and Simon 128 are presented in the Appendix C, Appendix D, Appendix E and Appendix F, respectively. Note that by “projected” results we mean results that have not been verified experimentally but are derived analytically.

7.1. 20-Round Linear Attack

In this section, we describe how to recover the entire master key in a 20-round attack. First, we extend the seven-linear approximations (Equations (8) and (9)) into 12-round linear trails, with bias $2^{-19}$ for the left-half and the right-half (see Figure 10):

$$P{L}_i\oplus C{L}_{i+8}=\left\{\begin{array}{c}{k}_i^1\oplus k_{i+2}^2\oplus k_{i,i+4}^3\oplus k_{i+6}^4\hfill \\ \oplus k_{i,i+4,i+8}^5\oplus k_{i+2,i+10}^6\oplus k_{i,i+8,i+12}^7\hfill \\ \oplus k_{i+14}^8\oplus k_{i+8,i+12}^9\oplus k_{i+10}^{10}\oplus k_{i+8}^{11}\hfill \end{array}\right.$$

(12)

$$P{R}_i\oplus C{R}_{i+8}=\left\{\begin{array}{c}{k}_i^0\oplus k_{i+2}^1\oplus k_{i,i+4}^2\oplus k_{i+6}^3\oplus k_{i,i+4,i+8}^4\hfill \\ \oplus k_{i+2,i+10}^5\oplus k_{i,i+8,i+12}^6\oplus k_{i+14}^7\hfill \\ \oplus k_{i+8,i+12}^8\oplus k_{i+10}^9\oplus k_{i+8}^{10}\hfill \end{array}\right.$$

(13)

Because the derived 12-round linear approximation for the left-half has one active input bit and one active output, we are able to append the super round of the four-round encryption at the beginning and the super round of the four-round decryption at the end, giving us a 20-round linear attack. The same is true for the right-half approximation.

Table 10. The sequence of approximations used to derive 12-rounds and 13-rounds linear trails for the left-half of Simon 32.

Active Bits in the Left Side	Active Bits in the Right Side	Used Approximation	Number of Approximations
0	-
	0	1	1
0	2	1	1
2	0,4	1;1	2
0,4	6	1	1
6	0,4,8	1;1;1	3
0,4,8	2,10	1;1	2
2,10	0,8,12	1;1;1	3
0,8,12	14	1	1
14	8,12	1;1	2
8,12	10	1	1
10	8	1	1
8	-
-	8

and

Table 11. The sequence of approximations used to derive and 13-rounds linear trails for the right-half of Simon 32.

Active bits in the Left Side	Active bits in the Right Side	Used Approximation	Number of Approximations
-	0	1	1
0	2	1;1	2
2	0,4	1	1
0,4	6	1;1;1	3
6	0,4,8	1;1	2
0,4,8	2,10	1;1;1	3
2,10	0,8,12	1	1
0,8,12	14	1;1	2
14	8,12	1	1
8,12	10	1	1
10	8	1	1
8	-	1;1	2
-	8
8	0,10

list the sequence of approximations used to produce the 12-round linear approximation.

The extended linear approximations are:

$$X{L}_i^4\oplus X{L}_{i+8}^{17}=\left\{\begin{array}{c}{k}_i^5\oplus k_{i+2}^6\oplus k_{i,i+4}^7\oplus k_{i+6}^8\hfill \\ \oplus k_{i,i+4,i+8}^9\oplus k^1{0}_{i+2,i+10}\oplus k^1{1}_{i,i+8,i+12}\hfill \\ \oplus k_{i+14}^{12}\oplus k_{i+8,i+12}^{13}\oplus k_{i+10}^{14}\oplus k_{i+8}^{15}\hfill \end{array}\right.$$

(14)

and

$$X{R}_i^4\oplus X{R}_{i+8}^{17}=\left\{\begin{array}{c}{k}_i^4\oplus k_{i+2}^5\oplus k_{i,i+4}^6\oplus k_{i+6}^7\oplus k_{i,i+4,i+8}^8\hfill \\ \oplus k_{i+2,i+10}^9\oplus k_{i,i+8,i+12}^{10}\oplus k_{i+14}^{11}\hfill \\ \oplus k_{i+8,i+12}^{12}\oplus k_{i+10}^{13}\oplus k_{i+8}^{14}\hfill \end{array}\right.$$

(15)

To determine the computational complexity of the 20-round attack, first, we need to determine the required number of plaintext and ciphertext pairs. To do so, we will use the fact that in our proposed linear attack, we need to evaluate 16 linear approximations for the left-half, and 16 linear approximations for the right-half, hence we have a system of multiple approximations which enables us to apply multiple linear cryptanalysis.

Multiple linear cryptanalysis was first proposed in [22], by Kaliski and Robshaw, where they show how to exploit multiple linear expressions, all including the same key bits, to reduce the required number of plaintext and ciphertext pairs. Then Biryukov et al. [2], propose a more flexible framework for using multiple linear approximations, also defining the capacity of a system of m-approximations to be:

$${\overline{c}}^2=4\times \sum _{i=1}^m{c}_i^2=4\times \sum _{i=1}^m{ϵ}_i^2.$$

(16)

A key recovery attack with a capacity of ${\overline{c}}^2$ will require $O\left(\frac{1}{{\overline{c}}^2}\right)$ plaintext and ciphertext pairs. The system of the left-half approximations has a capacity of:

$${\overline{c}}^2=4\times 16\times 2^{-19\times 2}=2^6\times {\left(2^{-19}\right)}^2=2^{-32}.$$

(17)

Consequently, the data complexity of the 20-round linear attack may be approximated as $2^{32}$. The success probability, computed using the approach of [23], and with a four-bit advantage, is about $6\%$. To increase the success probability, we would need to use a multiple of $N=\frac{1}{{\overline{c}}^2}$ P/C pairs, which is not feasible in this case. If we use $2^{31}$ P/C pairs, the success probability drops to $4\%$ with a four-bit advantage. In the literature, key recovery attacks generally have a larger probability of success, but those attacks recover fewer bits of the key, while we have demonstrated recovery of the entire master key. We have a range of success probabilities, for example: $84\%$ for the 20-round attack of Simon 48/96 and $78\%$ for the 24-round attack of Simon 64/128.

In addition to the data complexity, we need to add the cost of guessing the key bits of the extended rounds to connect the plaintext and ciphertext with the left-half and the right-half approximations. Evaluating the left half approximations requires guessing 16 key bits for the super round of four-round encryption and another seven key bits for the super round of the four-round decryption, which results in a total time complexity of $16\times 2^{32}\times 2^{16}\times 2^7=2^{59}$. In the case of the right-half approximations, we need to brute force seven key bits to append the super round of fur-round encryption, and 16 key bits for the super round of four-round decryption which results also in $2^{59}$, hence the overall computational complexity to evaluate the two halves is $2^{60}$. In addition to the first three round keys ($k^0$, $k^1$, $k^2$), we recover the last three round keys ($k^{17}$, $k^{18}$, $k^{19}$) from which we can deduce $k^3$ as described in the next section. This results in the recovery of the entire master key.

7.2. The $k^3$ Deduction from $k^{19}$

According to the key schedule algorithm used in Simon, $k^{19}$ is:

$$k^{19}=k^{15}\oplus k^{16}\oplus (k^{18}⋙3)\oplus (k^{16}⋙1\oplus (k^{18}⋙4))\oplus c\oplus {\left(z_0\right)}_{15}.$$

(18)

It can be rewritten in terms of the master key bits as follows:

$$\begin{array}{cc}\hfill & k^{19}=k^0\oplus (k^0⋙2)\oplus (k^0⋙7)\oplus (k^0⋙9)\oplus (k^0⋙11)\oplus (k^0⋙12)\hfill \\ \hfill & \oplus (k^0⋙13)\oplus (k^0⋙14)\oplus k^1\oplus (k^1⋙1)\oplus (k^1⋙3)\oplus (k^1⋙4)\hfill \\ \hfill & \oplus (k^1⋙6)\oplus (k^1⋙7)\oplus (k^1⋙8)\oplus (k^1⋙9)\oplus (k^1⋙11)\oplus (k^1⋙12)\hfill \\ \hfill & \oplus (k^1⋙14)\oplus (k^1⋙15)\oplus (k^2⋙3)\oplus (k^2⋙5)\oplus (k^2⋙8)\oplus (k^2⋙9)\hfill \\ \hfill & \oplus (k^2⋙10)\oplus (k^2⋙12)\oplus (k^2⋙14)\oplus (k^2⋙15)\hfill \\ \hfill & \oplus k^3\oplus constant\hfill \end{array}$$

(19)

It is clear from Equation (19), that we are able to compute $k^3$, given the first three round keys ($k^0$, $k^1$, $k^2$), and the last round key $k^{19}$.

7.3. Summary of Projected Results

In Section 6, we presented the results from the experimental verification of our approach on small numbers of rounds.

Table 12. Summary of the Projected Results.

Projected Results	Key Bits Recovered	Master Key Bits	Data Complexity	Time Complexity
20-round	64 independent key bits	64 master key bits	$2^{32}$	$2^{60}$
	32 dependent key bits

summarizes our results for larger numbers of rounds (that cannot, obviously, be experimentally verified) on Simon32/64:

8. The Effect of Super Rounds on Larger Variants of Simon

Although the larger variants of Simon correspond to larger block and key sizes, we have found that the size of the super-keys is only slightly larger than that for Simon 32/64. After four-round encryption, a single bit of the left-half of the intermediate state is influenced by only 18 key bits. On the other hand, the size of the super-key of the right half stays the same, at seven bits.

We found that, for larger variants of Simon, the bias of linear approximations with only a single active bit in the input mask is very low. We looked for approximations with a higher bias that uses a very small number of active bits in the input mask. Thus, we may not be using the linear trails with the highest bias, but we need to realize an acceptable trade-off between the bias and the number of active bits of especially the left half, because appending the super round, in this case, is more expensive.

For Simon 48, we derived linear approximations with high bias that have three active bits in the input mask, one bit for the left half and two bits of the right half. Appending three super rounds to these approximations requires the guessing of 24 key bits, the size of one round key.

For Simon 64, we derived a linear trail with four active bits of input, one of the left half and three bits of the right half, requiring the guessing of 31 key bits with appended super rounds. This is smaller than a single round key. In Simon 96, and Simon 128, we obtain linear approximations that need the guessing of 41 and 53 key bits respectively, which, in both cases, are smaller than a single round key in these variants.

9. Conclusions

This paper describes the novel notions of super rounds and super keys and demonstrates their efficacy through both experimental and projected theoretical linear cryptanalysis of Simon 32/64. The feature of our attack is that we are able to apply Matsui’s second algorithm in an efficient manner, especially in the forward direction, to recover the entire master key or three-fourths of it.

We were able to recover three-fourths of the master key in the 8-round and 12-round linear attacks of Simon 32/64 with high accuracy, and we approximately recover more than 80 percent of the master key in the 10-round key recovery attack. The attack may be extended to 20 and 21-rounds revealing the full master key of size 64 bits. Similar results have been achieved and presented in the appendices for Simon 48, Simon 64, Simon 96, and Simon 128. We propose to apply our linear attack with super-rounds to other block ciphers with a design similar to Simon.