Linear Cryptanalysis of Reduced-Round SIMON Using Super Rounds

Abstract: We present attacks on 21 rounds of SIMON 32/64, 21 rounds of SIMON 48/96, 25 rounds of SIMON 64/128, 35 rounds of SIMON 96/144 and 43 rounds of SIMON 128/256, often with direct recovery of the full master key without repeating the attack over multiple rounds. These attacks result from the observation that, after four rounds of encryption, one bit of the left half of the state of SIMON 32/64 depends on only 17 key bits (19 key bits for the other variants of SIMON). Further, linear cryptanalysis requires guessing only 16 of them, the size of a single round key of SIMON 32/64. We partition the key into smaller strings by focusing on one bit of state at a time, decreasing the cost of the exhaustive search of linear cryptanalysis to 16 bits at a time for SIMON 32/64. We also present other example linear cryptanalyses, experimentally verified on 8, 10 and 12 rounds of SIMON 32/64.


Introduction
Lightweight cryptography is a rapidly growing area of research, emerging to fill the need for securing highly constrained devices such as RFID tags and sensor networks. The limited hardware and software resources require that the cryptographic primitives be highly efficient. In 2013, the U.S. National Security Agency introduced two families of lightweight block ciphers for this purpose, SIMON and SPECK, which have a simple design and perform well in constrained software environments [1]. Since then, both block ciphers have attracted the attention of researchers and have been the subject of many security investigations.
In this paper, we propose an extension of the classical linear cryptanalytic approach, which uses multiple linear approximations and Matsui's second algorithm. The standard approach, extending the linear approximation by a single round of decryption (or encryption), comes at the cost of guessing the last (or first) round key: O(2^n) for an n-bit round key, where 2n is the SIMON block size. We propose extending the linear approximation by a super round, which in the case of SIMON is four rounds, at a total cost of O(n·2^b) for some b ≤ n depending on the SIMON variant, leading to the determination of four round keys instead of the single round key obtained through the traditional approach. Directly applying Matsui's approach by appending four rounds would cost O(2^{4n}); this is not necessary because of a weakness in SIMON, which we express as a super round. Thus we demonstrate a simple, efficient extension of the key recovery attack using Matsui's second algorithm, and recover multiple round keys, including the entire master key in some cases. For this reason, we compare our results with other results in the literature that were obtained using the classical Matsui's second algorithm, without recourse to linear hull approaches.

Our Contributions
In this paper we present an attack on reduced-round SIMON, illustrating it in detail for SIMON 32/64 and providing a sketch of it for the other variants. Our attack is based on the observation that, after four rounds of encryption, one bit of the left half of the state of SIMON 32/64 depends on only 17 key bits, and linear cryptanalysis requires guessing only 16 of them, the size of a single round key. A single bit of the right half of the state similarly depends on 8 key bits (seven of which need to be guessed for linear cryptanalysis). By focusing on a single bit of the state at a time, we are able to partition the key into smaller strings, enabling us to apply exhaustive search more efficiently when performing linear cryptanalysis, doing it 16 (or 7) bits at a time. We are able to determine multiple round keys, which correspond to a large fraction of the independent master key bits. This approach extends to the other variants of SIMON as well. We summarize the approach below for SIMON 32/64.
We define the super round (four rounds of encryption with output limited to a single bit) and the corresponding super key, limited to the relevant 16 (or 7) bits. For each bit of state, we extend the super round with an appropriate linear approximation with one active input bit. We carry out Matsui's second cryptanalysis using the super round instead of a single round and obtain the corresponding super key by performing an exhaustive search over 16 (or 7) bits. We do this for all 32 bits of the state. Thus, the use of the super round significantly improves the overall time complexity of linear cryptanalysis of SIMON.
We thus obtain 16 super keys of size 16 each (left half) and 16 super keys of size 7 each (right half), with considerable overlap among the key bits, as there are only 48 independent master key bits in the four-round cipher extended by the linear approximation. Consequently, we obtain 368 related key bits representing 48 independent key bits, which allows for error correction. We can further extend the super round and the linear approximation with an additional two rounds at the end, to obtain 60 independent key bits, which can be used to obtain up to 60 master key bits.
We extend the above attack to other variants of SIMON. We also perform an experimental verification of our attack on 8-, 10- and 12-round SIMON 32/64. Using the capacity-based projections of the relationship of bias to the number of P/C pairs [2], we predict the determination of the entire master key of 20-round SIMON 32/64, with 2^32 P/C pairs and time complexity 2^60. We are also able to determine all 64 master key bits of 8-round SIMON using a meet-in-the-middle attack with one super round of encryption and one super round of decryption, with data complexity 2^5.58 and time complexity 2^34.58.
We need to point out that [3] has an observation similar to ours: that a single bit after four rounds of encryption is affected only by 18 bits, and they use it to define a related-key attack. We had derived this result independently.

Comparison with Other Work
We now compare our results with those of Alizadeh et al. [4], which are improvements on their peer-reviewed work in [5] and are currently the best peer-reviewed attacks on SIMON that use the classical Matsui's second algorithm and multiple approximations. As we mentioned earlier, linear hull attacks are able to go deeper; here, we focus on our improvement of the classical approach without recourse to linear hulls. ([6] claims better results than [4], but is not peer-reviewed and has been criticized in the literature, so we are not sure the results hold; see Section 3.) Alizadeh et al. present two types of linear cryptanalysis: one using Matsui's second algorithm and the other using multiple linear cryptanalysis. They do not use both attacks simultaneously as we do in this paper. For a fair comparison with our work, we had to change how the data complexity was computed in their work. As we are using multiple linear approximations, we used the capacity model [2] for both our work and theirs. This generally improved their numbers. We computed the cost of using n approximations, each corresponding to a shift of one bit, which enabled the computation of all the key bits we were able to compute. Additionally, they present the average-case complexity of their attacks: each guessed key bit involved in an AND is counted as half a bit. In the literature, it is standard to count each guessed key bit as a single bit, whether it appears only in an ANDed expression or not. We hence present two sets of comparisons.
1. Table 1 shows the comparisons using average-case complexity in counting guessed key bits, as used in their work. Key bits in a bitwise AND operation are counted as half a bit each, whereas all other key bits are counted as a single bit each. Their argument is that when we have an expression such as k_0 & k_1, if we guess k_0 as zero there is no need to guess the second bit, because the ANDed value will be zero independent of the value of k_1. Using this computation of the time complexity, we are able to go deeper than [4] for all SIMON versions.
2. Table 2 shows a comparison of worst-case time complexity, which is the standard in the literature. Each key bit guessed is counted as a single key bit, and we recomputed their numbers in order to reflect this accurately in both our work and theirs. We are able to go deeper for SIMON 32/64, SIMON 64/128 and SIMON 128/256, and in the other versions, even though we cryptanalyze the same number of rounds, the time complexity of their attacks is worse than brute force.
Note that, in our proposed model, we only use independent linear approximations; as a result, we avoid the issue described in [7], about using dependent approximations in another work on SIMON.
It might be worth investigating how to combine our model with more general multidimensional cryptanalysis, where the independence of the approximations is not assumed [8].

Organization
This paper is organized as follows. Section 2 summarizes the SIMON cipher and Section 3 describes related work. Section 4 presents the idea of the super round and the associated super key, and Section 5 the approximations we used. Section 6 presents experimental verification, and Section 7 projected results. Section 9 concludes. Appendices A, B, C, D, E and F contain derivations and the linear attacks on SIMON 48, SIMON 64, SIMON 96 and SIMON 128.

SIMON
SIMON is a family of lightweight block ciphers designed by the U.S. National Security Agency (NSA) in 2013 [9], which aims to provide resource-constrained devices with the security they need. It supports a variety of block and key sizes, denoted SIMON 2n/mn, where n is the word size, m is the number of key words and 2n is the block size. Table 3 lists the variants. SIMON is a Feistel cipher with a key-dependent round function (see Figure 1). The specification of each block cipher is determined by two main functions, the round function and the key schedule. The round function F consists of three operations: bitwise XOR ⊕, bitwise AND & and left circular shift by j bits, ≪ j. It can be expressed as:
The key schedule takes the master key K as input and generates r subkeys k_0, k_1, ..., k_{r−1}. The first w subkeys are initialized with the master key words k_{w−1}, ..., k_0. Depending on the number of key words w, a different procedure is applied, as follows. For w = 2:
For w = 4:
As shown above, the generated subkey is XOR-ed with a constant c, equal to 2^n − 4 = 0xff...fc, and with the i-th bit of the sequence (z_j), where the choice of (z_j) depends on the SIMON version. These constants are added to prevent slide attacks and to eliminate circular shift symmetries. There are five constant sequences, (z_0), (z_1), (z_2), (z_3) and (z_4), which take the following values:
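The round function and the w = 4 key schedule described above, written out for SIMON 32/64 (n = 16, four key words, sequence z_0, 32 rounds) as an added example; this is not the designers' reference code. The z_0 string and the test vector are taken from the SIMON specification, and the decrypt routine is included to show that the Feistel rounds invert cleanly:

```python
N = 16                      # word size n of SIMON 32/64
MASK = (1 << N) - 1
ROUNDS = 32                 # r for SIMON 32/64
C = (1 << N) - 4            # the constant c = 2^n - 4 = 0xfffc
# z0 from the SIMON specification; SIMON 32/64 uses this 62-bit sequence
Z0 = "11111010001001010110000111001101111101000100101011000011100110"


def rol(x, j):
    """Left circular shift x <<< j on an n-bit word."""
    return ((x << j) | (x >> (N - j))) & MASK


def ror(x, j):
    """Right circular shift x >>> j on an n-bit word."""
    return ((x >> j) | (x << (N - j))) & MASK


def F(x):
    """Round function: AND of two rotations, XORed with a third rotation."""
    return (rol(x, 1) & rol(x, 8)) ^ rol(x, 2)


def key_schedule(master):
    """w = 4 key schedule. The four master key words are the first four round
    keys (k0 is used in round 0); every later key is
    k_{i+4} = c ^ (z0)_i ^ k_i ^ (I ^ S^-1)(S^-3 k_{i+3} ^ k_{i+1})."""
    k = list(master)
    for i in range(ROUNDS - 4):
        tmp = ror(k[i + 3], 3) ^ k[i + 1]
        tmp ^= ror(tmp, 1)
        k.append(C ^ int(Z0[i % 62]) ^ k[i] ^ tmp)
    return k


def encrypt(x, y, round_keys):
    """Feistel encryption: (x, y) -> (y ^ F(x) ^ k_i, x) for each round key."""
    for k in round_keys:
        x, y = y ^ F(x) ^ k, x
    return x, y


def decrypt(x, y, round_keys):
    """Inverse of encrypt: undo the rounds in reverse order."""
    for k in reversed(round_keys):
        x, y = y, x ^ F(y) ^ k
    return x, y


# Test vector from the SIMON specification. The spec prints the key words
# most-significant first (1918 1110 0908 0100), i.e. k3 k2 k1 k0.
TEST_KEY = [0x0100, 0x0908, 0x1110, 0x1918]      # k0, k1, k2, k3
TEST_PT = (0x6565, 0x6877)
TEST_CT = (0xC69B, 0xE9BB)


def self_test():
    """Encrypt the specification's plaintext and check the published
    ciphertext, then check that decryption round-trips."""
    rk = key_schedule(TEST_KEY)
    ct = encrypt(*TEST_PT, rk)
    return ct == TEST_CT and decrypt(*ct, rk) == TEST_PT


if __name__ == "__main__":
    print("SIMON 32/64 test vector ok:", self_test())
```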

Related Work
We focus in this paper on linear cryptanalysis. The best linear results on SIMON are obtained using linear hulls.
First introduced by [10], the linear hull is a set of linear approximations with the same input and output masks. Abdelraheem et al. [4] generalized the method of converting any differential characteristic into a linear characteristic for SIMON, and investigated the security of SIMON against different variants of linear cryptanalysis: classical, multiple and linear hull. Using linear hulls, they present attacks on the reduced-round of 21 The best linear hull attacks are presented in [7], using a dynamic key-guessing technique that was first proposed to improve differential cryptanalysis in [14]. They apply the dynamic key-guessing method to reduce the number of key bits that must be guessed, and present linear hull attacks on the reduced-round 23 Other works focus on classical linear cryptanalysis. The first to consider is [19] by Abed et al., who analyze the linear properties of the SIMON round function. They linearize the only non-linear part, the bitwise AND operation, and present the linear approximation F(x) ≈ x ≪ 2, which holds with probability 3/4, i.e. with bias 2^{−2}.
Moreover, following this approach they generate linear trails over a larger number of rounds and for all SIMON versions, and present linear cryptanalysis of length 11 Improved results, in terms of covering more rounds, have been presented by Alizadeh et al. in [20], where they exploit a direct connection between linear characteristics and differential characteristics: given an r-round differential characteristic, an equivalent r-round linear characteristic can be constructed. Using this observation, they derived improved linear trails and then mounted linear cryptanalysis using Matsui's first algorithm, with a reported success probability of 0.997 for 12, 15, 19, 28 and 35 rounds of SIMON 32, SIMON 48, SIMON 64, SIMON 96 and SIMON 128 respectively.
Because these two works [19,20] apply Matsui's first algorithm, they were only able to determine a parity bits of the subkeys, where a is the number of approximations used, which equals the block size: 32, 48, 64, 96 or 128.
In [4], they consider classical linear cryptanalysis and multiple linear cryptanalysis. They extend the previous results to cover more rounds and launch key recovery attacks using Matsui's second algorithm, recovering 27.5 key bits of SIMON 32, and an average of 32.5 The most recent results were presented in [6] by Ashur. They describe a new method to compute the bias of linear trails, which was then used to obtain longer linear approximations than previous works. The literature calls into question the correctness of the results presented in this work. In particular, from [7]: "it uses the correlation when all the subkeys are zero as the expected correlation under random key situations, which is not exact. Moreover, if the potential of each linear hull of the cipher is smaller than that of random permutations, then the combination of these linear hulls can not distinguish between the cipher and a random permutation."

The Cryptanalytic Model
In this section we describe the idea of a super round and its super key, and the use of this idea in linear cryptanalysis as well as in a brute force attack on eight rounds of SIMON 32/64. We first establish some notation. Superscripts denote the round number, beginning with 0, and subscripts denote the bit number from left to right, also beginning with 0. We denote by XL^j and XR^j the left and right half inputs, respectively, to the j-th cipher round (and hence the outputs of the (j − 1)-th round), and by k^j_i the i-th bit of the j-th round key. The left and right plaintext and ciphertext halves are denoted PL, PR, CL and CR respectively.

Central Observation
We observe that, after four rounds of SIMON 32/64 encryption, one bit of the left half of the state depends on only 16 key bits (the size of one round key). One bit of the right half depends on only 7 key bits. On the other hand, the 32-bit state after four rounds of encryption depends on all 64 master key bits. Thus, by focusing on a single bit of the state, we are able to partition the key into smaller pieces. This enables us to apply exhaustive search more efficiently, doing it 16 (or 7) bits at a time.
In Matsui's second linear cryptanalysis, the first (or final) round key is determined by encryption (or decryption) with all possibilities (exhaustive search), choosing the most likely one. One would like to be able to use the same approach to determine all possible master key bits, instead of only those in the final round key. Performing an exhaustive search by encrypting multiple rounds is, however, prohibitively expensive. Using our observation, it is possible to efficiently encrypt the first four rounds (not only the first round) by focusing on a single bit of state at a time and performing an exhaustive search over smaller pieces of the key. To extend Matsui's second linear cryptanalysis to four rounds in this manner, we need linear cryptanalytic expressions with only a single bit of input state. The expressions and the encryption are symmetric with respect to the single bit of super round output, and we are hence able to perform this type of cryptanalysis on every bit of super round output.
An outline of the attack is as follows:
1. For every bit of super round output, we guess all possible combinations of the corresponding 16 key bits for the left half, or 7 for the right half, to obtain the most likely one. We do this for all 32 bits of the block.
2. This gives us 16 keys of size 16 each (left half) and 16 keys of size 7 each (right half), with considerable overlap among the key bits, as there are only 48 independent master key bits.
3. We obtain 368 related key bits representing 48 independent key bits, which allows for correcting errors.
The complexity of this attack is (16

The Super Round
We use the term super round to represent a generalization of the four-round encryption we described above.

Definition 1 (SUPER ROUNDS AND SUPER KEYS).
A super round for a block cipher is a function representing s rounds of encryption of the cipher, for some s > 1. It takes as input a full block of plaintext and the required key bits, and outputs t bits of ciphertext, where t is considerably smaller than the block size. The required key bits for a super round are referred to as a super key.

Linear Cryptanalysis with Super Rounds
In this section we describe the general linear cryptanalytic attack of Matsui's second algorithm with super rounds. The linear approximations we derive in Section 5 are chosen to have a single bit of input, XL^4_i or XR^4_i, which is approximately related to multiple bits of the ciphertext C (see Figure 3). The super round itself relates this bit exactly (modulo a key bit absorbed into the linear approximation) to the plaintext P and the i-th super key. Thus we obtain an approximate relationship between P, C and the super key bits. By performing an exhaustive search over the super key space, we obtain the super key bits. We repeat this process for all bits of the super round output.
For each of the two super rounds (for left and right hand output halves), for each value of i, there are corresponding 16-bit and 7-bit super keys. Table 5 lists the components of the super keys.
We see that each super key for the left half contains nine bits from k^0, of the form k^0_{i+m} for m = 1, 2, 3, 4, 5, 8, 10, 11, 12. Thus a particular bit of k^0, say k^0_s, appears in the super key of left half bits s − m, for m = 1, 2, 3, 4, 5, 8, 10, 11, 12. That is, if we determine the super key for each value of i in the left half of the state, we will obtain nine copies of each bit of k^0. Similarly, the super key for the right half contains five bits of k^0. Additionally, there are other bits in the super key as well. Thus, over all sixteen bits of XL^4 and XR^4, we obtain:
The redundancy above allows us to better estimate the individual key bits, and we estimate each of the 48 independent key bits by a majority vote over the corresponding multiple copies. In any experiment, we get three outcomes: correctly determined bits, incorrectly determined bits and undetermined bits (when the vote is a tie).
Finally, we will have 16 bits of k^0, 16 bits of k^0_s ⊕ k^1_{s+2}, and 16 bits of k^0_s ⊕ k^0_{s+4} ⊕ k^1_{s+2} ⊕ k^2_s, for a total of 48 independent key bits. We may use estimates of bits of k^0 to estimate bits of k^1, and then to estimate bits of k^2. We note that the error increases as we go from k^0 through k^2, not only because the number of copies of the required bits decreases, but because the error is compounded (the error in determining k^2 is increased by errors in estimating k^0 and k^1).

The Construction of Super Rounds and Derivations of Super Keys
Here we demonstrate how the super rounds are constructed for the SIMON cipher, beginning with SIMON 32/64 and going on to the other variants [21].
Since SIMON is a Feistel cipher with a key-dependent round function, one round of SIMON can be expressed as:
Hence:
and hence:
Given the round function of SIMON:
giving us:
Finally,
Recall that the SIMON family consists of another nine variants of the cipher, differing in their block and key sizes. All SIMON variants share the same round function; hence the observation enabling us to construct super rounds for SIMON 32/64 remains valid. Even though the larger variants of SIMON have larger block and key sizes, we have found that the size of the super keys is only slightly larger than for SIMON 32/64. After four rounds of encryption, a single bit of the left half of the intermediate state is influenced by only 18 key bits. On the other hand, the size of the right-half super key stays the same, at seven bits.
The value v_2 affects the super key bit k^0_{i+2} ⊕ k^1_i, which becomes, in the case of the larger SIMON variants, k^0_{i+18} ⊕ k^1_{i+16}. The other components of the left-half super key are consistent with the bits presented in Table 5. See Algorithm 1 for pseudocode of our attack on SIMON 32/64, using the left-half system of approximations.
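The left-half super round of SIMON 32/64, as an added example (not the paper's code): it computes XL^4_i from the plaintext and the 16 guessed super-key bits (nine of the form k^0_s, five of the form k^0_{s+2} ⊕ k^1_s as in the sentence above, two of the form k^0_s ⊕ k^0_{s+4} ⊕ k^1_{s+2} ⊕ k^2_s) plus the one linear bit the paper absorbs into the approximation, and checks the result against a full four-round encryption. It assumes the paper's bit convention (bit 0 is the leftmost, so bit i of x ≪ j is bit i + j of x) and that the first four round keys are the master key words; the offset sets were derived by unrolling the four rounds and are not quoted from the paper:

```python
import random

N = 16                       # word size of SIMON 32/64
MASK = (1 << N) - 1


def rol(x, j):
    """Left circular shift of a 16-bit word by j positions."""
    return ((x << j) | (x >> (N - j))) & MASK


def bit(x, i):
    """Bit i of x counted from the left (bit 0 is the MSB); i is taken mod 16,
    so bit i of (x <<< j) equals bit(x, i + j)."""
    return (x >> (N - 1 - (i % N))) & 1


def f(x):
    """SIMON round function ((x <<< 1) & (x <<< 8)) ^ (x <<< 2)."""
    return (rol(x, 1) & rol(x, 8)) ^ rol(x, 2)


def encrypt4(pl, pr, rk):
    """Four SIMON rounds (x, y) -> (y ^ f(x) ^ k, x) under round keys rk[0..3].
    For SIMON 32/64 these four keys are exactly the master key words."""
    x, y = pl, pr
    for k in rk[:4]:
        x, y = y ^ f(x) ^ k, x
    return x, y


# Offsets relative to i (derived by unrolling the rounds; assumption, see lead-in).
BIT1_OFFSETS = (1, 2, 3, 4, 5, 8, 10, 11, 12)   # X1 bits that feed AND gates
BIT2_OFFSETS = (0, 2, 3, 9, 10)                 # X2 bits that feed AND gates
BIT3_OFFSETS = (1, 8)                           # X3 bits in the final AND


def super_key(rk, i):
    """Super key for XL4_i: the 16 bits that must be guessed, in the three forms
    of Table 5, plus the single linear bit that the paper absorbs."""
    k0, k1, k2, k3 = rk[:4]
    b = bit
    bit1 = {m: b(k0, i + m) for m in BIT1_OFFSETS}                     # k0_s
    bit2 = {m: b(k0, i + m + 2) ^ b(k1, i + m) for m in BIT2_OFFSETS}  # k0_{s+2} ^ k1_s
    bit3 = {m: b(k0, i + m) ^ b(k0, i + m + 4) ^ b(k1, i + m + 2) ^ b(k2, i + m)
            for m in BIT3_OFFSETS}              # k0_s ^ k0_{s+4} ^ k1_{s+2} ^ k2_s
    absorbed = b(k0, i + 6) ^ b(k1, i) ^ b(k1, i + 4) ^ b(k2, i + 2) ^ b(k3, i)
    return {"bit1": bit1, "bit2": bit2, "bit3": bit3, "absorbed": absorbed}


def super_key_size(sk):
    """Number of super-key bits an attacker has to guess (the absorbed bit is free)."""
    return len(sk["bit1"]) + len(sk["bit2"]) + len(sk["bit3"])


def super_round(pl, pr, sk, i):
    """Compute XL4_i from the plaintext and the super key alone, i.e. without
    the other master key bits. Intermediate bits are tracked relative to i."""
    b = bit
    f0 = f(pl)                                   # f(X0) needs no key
    x1_nokey = lambda j: b(pr, j) ^ b(f0, j)     # X1_j with its k0_j stripped
    # X1 bits that enter AND gates need their own k0 bit (Bit1).
    x1 = {m: x1_nokey(i + m) ^ sk["bit1"][m] for m in BIT1_OFFSETS}

    # X2_j = X0_j ^ (X1_{j+1} & X1_{j+8}) ^ X1_{j+2} ^ k1_j; the k0 bit hidden in
    # the linear term X1_{j+2} and k1_j are only ever needed together (Bit2).
    def x2_nokey(m):
        return b(pl, i + m) ^ (x1[(m + 1) % N] & x1[(m + 8) % N]) ^ x1_nokey(i + m + 2)
    x2 = {m: x2_nokey(m) ^ sk["bit2"][m] for m in BIT2_OFFSETS}

    # X3_j = X1_j ^ (X2_{j+1} & X2_{j+8}) ^ X2_{j+2} ^ k2_j; its linear key bits
    # collapse into one guessed bit (Bit3).
    def x3(m):
        return (x1_nokey(i + m) ^ (x2[(m + 1) % N] & x2[(m + 8) % N])
                ^ x2_nokey(m + 2) ^ sk["bit3"][m])

    # XL4_i = X2_i ^ (X3_{i+1} & X3_{i+8}) ^ X3_{i+2} ^ k3_i. X1_{i+2} cancels
    # between X2_i and X3_{i+2}; the remaining linear key bits form the absorbed bit.
    return (b(pl, i) ^ (x1[1] & x1[8]) ^ (x2[3] & x2[10]) ^ x2_nokey(4)
            ^ (x3(1) & x3(8)) ^ sk["absorbed"])


def check(trials=200, seed=7):
    """Compare the super round with the full four-round encryption for every
    bit position i, on constructed random keys and plaintexts."""
    rng = random.Random(seed)
    for _ in range(trials):
        rk = [rng.getrandbits(N) for _ in range(4)]
        pl, pr = rng.getrandbits(N), rng.getrandbits(N)
        xl4, _ = encrypt4(pl, pr, rk)
        for i in range(N):
            if super_round(pl, pr, super_key(rk, i), i) != bit(xl4, i):
                return False
    return True


if __name__ == "__main__":
    print("super round matches 4-round SIMON 32/64:", check())
```

Because each bit of XL^4 is reproduced from 16 guessed bits, an attacker's key search for one super key costs 2^16 evaluations of super_round rather than 2^64 evaluations of encrypt4, which is the cost reduction the paper builds on.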

Algorithm 1
Matsui's second algorithm using multiple linear approximations.
Let T be the number of plaintexts for which the linear approximation holds.
for i = 0, ..., n − 1 do                          (evaluate the linear approximation for bit i of the left word)
    for j = 0, ..., 2^16 − 1 do                   (try all 16-bit super keys)
        Initialize T with zero
        for all N plaintext-ciphertext pairs do
            calculate XL^4_i using the super round with key j
            if the linear approximation holds then
                increment T
            end if
        end for
        Calculate bias_j = |(T − N/2) / N|
    end for
    output the candidate key j with the highest bias
end for

Linear Approximations for SIMON 32/64
In this section we derive linear approximations for 8, 10 and 12-round attacks on SIMON 32/64. In Section 6 we describe experimental results for the proposed attacks.
We use a natural linear expression for the SIMON round function, obtained by replacing the & operation by 0, with a bias of 1/4 [19]. The left half is approximated as:
Additionally, the following are linear expressions from the literature with a similar absolute bias of 1/4:
We use this approximation repeatedly for multiple-round attacks that relate a single bit of input to multiple output bits. The experimentally verified success probabilities of the attacks on 8, 10 and 12 rounds are listed in Table 9.

8-Round Attack
We find two four-round linear approximations, relating a single bit of the left and right half inputs respectively to a few bits of output after four rounds. We can use a super round to obtain exactly the single bit of input from the plaintext and the super key, and then concatenate it with the approximation, thus relating the plaintext, super key and ciphertext bits of eight rounds of encryption (see Figure 4). Beginning with a single bit of the left half of the plaintext, PL = XL^0, we approximate a linear relationship with bits from the output:
To produce a four-round linear approximation for the right half, we start with a single bit of the right half, PR = XR^0:
Hence, appending the four rounds of encryption to Equations (3) and (4), we get the following expressions, with biases 2^{−5} and 2^{−6} respectively:

10-Round Attack
We extend the 8-round attack by adding two more rounds of decryption at the end, giving a 10-round attack. The two rounds are added by decrypting the ciphertext bits; this comes at the cost of an exhaustive search over a few more key bits. See Figure 5. Recall single-round decryption:
and hence two rounds of decryption:
which gives us:
Recall the four-round linear approximation for the single bit in the left half:
Substituting for X^8, we get:
or:
or:
and finally,
Hence, two new key bits, k^9_{i+7} and k^9_{i+14} (in addition to the 16 bits needed to compute XL^4_i), must be guessed to add the two rounds of decryption. Now recall the linear approximation for the single bit on the right side:
Again, substituting the expressions for X^8 in terms of X^10, we get:
In this case, six new key bits (in addition to the seven required to obtain XR^4_i from the plaintext), k^9_i, k^9_{i+1}, k^9_{i+5}, k^9_{i+8}, k^9_{i+9} and k^9_{i+12}, are required for the decryption of the last two rounds. Thus, the number of key bits affecting the approximation for the left side is 18, and that for the right side is 13.

12-Round Attack
To extend the linear attack on SIMON 32/64 to 12 rounds, we need to extract r-round linear approximations for r > 4. Therefore, we derive two seven-round linear approximations, for the left half and the right half, with biases 2^{−11} and 2^{−14} respectively (see Tables 10 and 11 for details):
We can extend the attack by one decryption round free of any approximations, which enables us to attack 12 rounds. See Figure 6.

Experimental Verification
To validate our proposed linear cryptanalysis of SIMON 32/64, we conducted a number of experiments for the 8-round, 10-round, and 12-round linear attacks, which we summarize in this section.
We will need some additional notation. As mentioned before, the super key of the left half is of size 16 bits, each bit being of one of three forms (recall Table 5). We denote the 16-bit strings of bits of each form (for i = 0, 1, 2, ..., 15) as Bit1, Bit2 and Bit3 respectively.
We determine Bit1, Bit2 and Bit3 from the super key estimates using a majority vote for error correction. We then compute the 48 master key bits (k 0 , k 1 , and k 2 ) using Equation (10).
In all cases (the 8-, 10- and 12-round attacks), Bit1 is determined with the greatest accuracy, then Bit2, and, last, Bit3. This is to be expected because there are more copies of Bit1 (nine) than of Bit2 (five), and Bit3 has the fewest copies (two). In all cases, k^0 is computed more accurately than k^1, which is computed more accurately than k^2. This is because k^0, k^1 and k^2 are computed from one, two and three estimated super key bit values respectively. Additionally, k^0 is computed from the most accurately estimated super key bits, Bit1; k^1 from Bit1 and Bit2; and k^2 from Bit1, Bit2 and Bit3. Tables 6-8 compare the number of super key bits guessed correctly in the 8-round, 10-round and 12-round attacks respectively.

8-Round Attack
We carried out 14 instances of the 8-round attack, with 2^14 P/C pairs and keys chosen at random. We observed that obtaining estimates of the super key bits corresponding to the right half of the state does not improve the estimate over using only those obtained from the left half of the state. This is likely because the bias for the right half is half that of the left half, so the right-half data is noisier and not particularly useful. Figure 7 shows the results achieved using super rounds corresponding to the left half alone and to both the left and right halves.

10-Round Attack
We carried out 14 instances of the 10-round attack, each with a key chosen at random and 2^14 plaintext/ciphertext pairs. In addition to the super keys (48 bits), we recover the last round key k^9 (16 bits), which we denote Bit4, hence we retrieve a total of 64 key bits. We find that the last round key bits are not independent, so we do not obtain 64 independent bits.
In contrast to the 8-round attack, we obtain better overall results by using super rounds corresponding to both the right and left halves than by using only the left half. The improvement is especially noticeable in the estimate of k^9. The reason is that we receive 96 bits (16 × 6) of k^9 from the right half and only 32 bits (16 × 2) from the left half. Thus, even though the right-half attacks have a lower bias, having a larger number of copies of the k^9 bits results in better estimation. Figure 8 shows the improvement in the results obtained using super rounds corresponding to both halves over using the left half only.

12-Round Attack
We performed three instances of the 12-round attack using 2^25 plaintext/ciphertext pairs. We obtained similar results whether we used only the estimates of the super key bits corresponding to the left half or combined the estimates corresponding to both halves. As in the 8-round attack, the right half of the state does not improve the overall results, so we obtain the same results from the left half alone and from the two halves. In the three experiments, we correctly determine 48, 47 and 45 key bits.

The Deduction of k^3 from k^9
The 64-bit master key is used directly for the first four rounds; thereafter, the SIMON key schedule generates all other round keys from the 64-bit master key. We are able to express k^3 in terms of k^0, k^1, k^2 and k^9 as follows:
Thus, on determining k^0, k^1, k^2 and k^9, we obtain the 16-bit string k^3 ⊕ (k^3 ≫ 4), which we denote Bit4. Note that the bits of Bit4 are not independent, because
Thus only 12 bits of Bit4 are independent, enabling us to determine up to 12 bits of k^3. For fixed values of k^0, k^1 and k^2, there is a one-to-one correspondence between Bit4_i and k^9_i. Thus, only 12 bits of k^9 are independent, and not all possible values of k^9 will be generated by the key schedule. Because of this, in addition to the 48 master key bits computed from the super key, we are able to deduce up to 12 bits of k^3, for a total of up to 60 master key bits.

8-Round Attack without Approximations
Based on the Feistel symmetry of SIMON, we are able to establish a four-round decryption super round in addition to the encryption super round we describe above. This allows us to launch a meet-in-the-middle attack on 8-round SIMON 32/64 without any approximations. Instead of performing an exhaustive search over a large number of master key bits, we can focus on a single bit and perform an exhaustive search over fewer key bits at a time.
The encryption super round Fs_{enc,i} takes the plaintext and the 16 bits of the super key K_{enc,i} to produce a single bit of four-round encryption, XL^4_i (modulo a single key bit). The decryption super round Fs_{dec,i} takes the ciphertext and the 8 bits of the super key K_{dec,i} to generate a single bit of four-round decryption (see Figure 9). For every bit i of the intermediate state, the adversary computes Fs_{enc,i} and Fs_{dec,i} for all possible values of the encryption super key K_{enc,i} and the decryption super key K_{dec,i} respectively. If the two results do not match, the pair (K_{enc,i}, K_{dec,i}) is discarded as a candidate for the correct key. As all expressions are exact, there is no need to keep a count of how many times there was a match; a single mismatch disqualifies the key pair.
In this meet-in-the-middle attack on 8-round SIMON, we attempt to recover 112 key bits, consisting of 64 bits of one super key and 48 more bits of the second super key. We are able to determine all 64 master key bits using only 48 plaintext and ciphertext pairs. We carried out two instances of this attack.

Summary of Experimental Results
Here we provide a summary of our experimental results (see Table 9).

Projected Results Using Multiple Linear Cryptanalysis
In this section we present projected results for the 20-round linear attack. Similar results for SIMON 48, SIMON 64, SIMON 96 and SIMON 128 are presented in Appendices C-F, respectively. Note that by "projected" results we mean results that have not been verified experimentally but are derived analytically.

20-Round Linear Attack
In this section, we describe how to recover the entire master key in a 20-round attack. First, we extend the seven-linear approximations (Equations (8) and (9)) into 12-round linear trails, with bias 2 −19 for the left-half and the right-half (see Figure 10): Because the derived 12-round linear approximation for the left-half has one active input bit and one active output, we are able to append the super round of the four-round encryption at the beginning and the super round of the four-round decryption at the end, giving us a 20-round linear attack. The same is true for the right-half approximation. Tables 10 and 11 list the sequence of approximations used to produce the 12-round linear approximation.
The extended linear approximations are:

and

To determine the computational complexity of the 20-round attack, we first need to determine the required number of plaintext and ciphertext pairs. To do so, we use the fact that in our proposed linear attack we need to evaluate 16 linear approximations for the left-half and 16 linear approximations for the right-half; hence we have a system of multiple approximations, which enables us to apply multiple linear cryptanalysis.
Multiple linear cryptanalysis was first proposed in [22] by Kaliski and Robshaw, who show how to exploit multiple linear expressions, all involving the same key bits, to reduce the required number of plaintext and ciphertext pairs. Biryukov et al. [2] then proposed a more flexible framework for using multiple linear approximations, also defining the capacity of a system of m approximations to be:

A key recovery attack with a capacity of c^2 will require O(1/c^2) plaintext and ciphertext pairs. The system of the left-half approximations has a capacity of:

Figure 10. The 20-round linear attack.

Table 11. The sequence of approximations used to derive and 13-rounds linear trails for the right-half of SIMON 32.

Consequently, the data complexity of the 20-round linear attack may be approximated as 2^32. The success probability, computed using the approach of [23] and with a four-bit advantage, is about 6%. To increase the success probability, we would need to use a multiple of N = 1/c^2 P/C pairs, which is not feasible in this case. If we use 2^31 P/C pairs, the success probability drops to 4% with a four-bit advantage. In the literature, key recovery attacks generally have a larger probability of success, but those attacks recover fewer bits of the key, whereas we have demonstrated recovery of the entire master key. We have a range of success probabilities, for example: 84% for the 20-round attack on SIMON 48/96 and 78% for the 24-round attack on SIMON 64/128.

Table header: Active bits in the Left Side | Active bits in the Right Side | Used Approximation | Number of Approximations
In addition to the data complexity, we need to add the cost of guessing the key bits of the extended rounds that connect the plaintext and ciphertext with the left-half and right-half approximations. Evaluating the left-half approximations requires guessing 16 key bits for the super round of four-round encryption and another seven key bits for the super round of four-round decryption, which results in a total time complexity of 16 × 2^32 × 2^16 × 2^7 = 2^59. In the case of the right-half approximations, we need to brute force seven key bits to append the super round of four-round encryption and 16 key bits for the super round of four-round decryption, which also results in 2^59; hence the overall computational complexity to evaluate the two halves is 2^60. In addition to the first three round keys (k0, k1, k2), we recover the last three round keys (k17, k18, k19), from which we can deduce k3 as described in the next section. This results in the recovery of the entire master key.

The k 3 Deduction from k 19
According to the key schedule algorithm used in SIMON, k19 is:

It can be rewritten in terms of the master key bits as follows:

It is clear from Equation (19) that we are able to compute k3, given the first three round keys (k0, k1, k2) and the last round key k19.
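As an added example, not code from the paper, the following Python implements the SIMON 32/64 key schedule as published in the SIMON specification and recovers k3 from k0, k1, k2 and a later round key, by default k19. It relies on the fact that every round key is an affine function of the four master-key words over GF(2): the dependence of k_i on k3 is therefore a 16×16 binary matrix, which the code builds numerically (by expanding the schedule with k3 set to each unit vector) instead of transcribing Equation (19), and then solves by Gauss-Jordan elimination. The routine takes the round index as a parameter and returns None when that round key does not pin k3 down uniquely, so it goes slightly beyond the k19 case in the text. All function and variable names are my own, and the master key used as sample input is the specification's test-vector key.

```python
# Added example: SIMON 32/64 key schedule and recovery of k3 from (k0, k1, k2, k19).
# Key schedule as published by Beaulieu et al.; the recovery exploits that each
# round key is an affine function (over GF(2)) of the four master-key words.

N = 16                    # word size of SIMON 32/64
MASK = (1 << N) - 1
C = MASK ^ 3              # constant c = 2^16 - 4 = 0xFFFC
# Constant bit sequence z0, the one used by SIMON 32/64
Z0 = "11111010001001010110000111001101111101000100101011000011100110"


def rotr(x, r):
    """Rotate a 16-bit word right by r positions (S^-r in the SIMON notation)."""
    return ((x >> r) | (x << (N - r))) & MASK


def key_schedule(master, rounds=32):
    """Expand (k0, k1, k2, k3) into `rounds` round keys (m = 4 key words)."""
    k = list(master)
    for i in range(4, rounds):
        tmp = rotr(k[i - 1], 3) ^ k[i - 3]
        tmp ^= rotr(tmp, 1)
        k.append(C ^ int(Z0[(i - 4) % 62]) ^ k[i - 4] ^ tmp)
    return k


def solve_gf2(cols, target):
    """Solve L*x = target over GF(2); column j of L is the int cols[j] (bit r = row r).
    Returns x as an int, or None if L is singular (no unique solution)."""
    # Augmented row r: bits 0..N-1 hold row r of L, bit N holds bit r of target.
    rows = []
    for r in range(N):
        row = sum(((cols[j] >> r) & 1) << j for j in range(N))
        row |= ((target >> r) & 1) << N
        rows.append(row)
    for col in range(N):                       # Gauss-Jordan elimination
        piv = next((r for r in range(col, N) if (rows[r] >> col) & 1), None)
        if piv is None:
            return None                        # rank deficient: k3 is not unique
        rows[col], rows[piv] = rows[piv], rows[col]
        for r in range(N):
            if r != col and (rows[r] >> col) & 1:
                rows[r] ^= rows[col]
    # Now row r is the unit vector e_r in the L part, so bit N of row r is x_r.
    return sum(((rows[r] >> N) & 1) << r for r in range(N))


def recover_k3(k0, k1, k2, ki, i=19):
    """Recover master-key word k3 from k0, k1, k2 and round key k_i (default k19).
    Returns None when k_i does not determine k3 uniquely for this i."""
    base = key_schedule((k0, k1, k2, 0), i + 1)[i]           # affine offset
    # Column j of the linear part: effect of flipping bit j of k3 on k_i.
    cols = [key_schedule((k0, k1, k2, 1 << j), i + 1)[i] ^ base for j in range(N)]
    return solve_gf2(cols, ki ^ base)


if __name__ == "__main__":
    # Sample input: the SIMON 32/64 specification test-vector key, k0 = 0x0100 ... k3 = 0x1918.
    master = (0x0100, 0x0908, 0x1110, 0x1918)
    rk = key_schedule(master)
    print("k3 recovered from k0, k1, k2 and k19:", hex(recover_k3(rk[0], rk[1], rk[2], rk[19])))
```

Calling `recover_k3` with a different round index shows which later round keys determine k3 on their own; for instance k4 does not (k3 and its complement give the same k4 for fixed k0, k1, k2), so the function returns None there, whereas k19 yields k3 directly as the text states.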

Summary of Projected Results
In Section 6, we presented the results from the experimental verification of our approach on small numbers of rounds. Table 12 summarizes our results for larger numbers of rounds (which, obviously, cannot be experimentally verified) on SIMON 32/64:

The Effect of Super Rounds on Larger Variants of SIMON
Although the larger variants of SIMON correspond to larger block and key sizes, we have found that the size of the super-keys is only slightly larger than that for SIMON 32/64. After four-round encryption, a single bit of the left-half of the intermediate state is influenced by only 18 key bits. On the other hand, the size of the super-key of the right half stays the same, at seven bits.
We found that, for larger variants of SIMON, the bias of linear approximations with only a single active bit in the input mask is very low. We therefore looked for approximations with a higher bias that use a very small number of active bits in the input mask. Thus, we may not be using the linear trails with the highest bias, but we need to realize an acceptable trade-off between the bias and the number of active bits, especially in the left half, because appending the super round there is more expensive.
For SIMON 48, we derived linear approximations with high bias that have three active bits in the input mask, one bit for the left half and two bits of the right half. Appending three super rounds to these approximations requires the guessing of 24 key bits, the size of one round key.
For SIMON 64, we derived a linear trail with four active bits of input, one of the left half and three bits of the right half, requiring the guessing of 31 key bits with appended super rounds. This is smaller than a single round key. In SIMON 96, and SIMON 128, we obtain linear approximations that need the guessing of 41 and 53 key bits respectively, which, in both cases, are smaller than a single round key in these variants.

Conclusions
This paper describes the novel notions of super rounds and super keys and demonstrates their efficacy through both experimental and projected theoretical linear cryptanalysis of SIMON 32/64. The key feature of our attack is that we are able to apply Matsui's second algorithm in an efficient manner, especially in the forward direction, to recover the entire master key or three-fourths of it.
We were able to recover three-fourths of the master key in the 8-round and 12-round linear attacks on SIMON 32/64 with high accuracy, and we recover approximately, in fact more than, 80 percent of the master key in the 10-round key recovery attack. The attack may be extended to 20 and 21 rounds, revealing the full master key of 64 bits. Similar results have been achieved and are presented in the appendices for SIMON 48, SIMON 64, SIMON 96 and SIMON 128. We propose to apply our linear attack with super rounds to other block ciphers with a design similar to SIMON.
Author Contributions: R.A. contributed more than P.L.V. did to this work, with R.A. leading the work for her doctoral dissertation and contributing about 80% of the effort. All authors have read and approved the final version of the manuscript.
Funding: This research was sponsored in part by NSF award 1421373.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A. The Deduction of k 3 from k 9
Recall that k9 is generated as follows:

Appending four-round encryption comes at the cost of guessing 23 bits of subkeys, in addition to guessing 8 key bits of k17 to do two rounds of decryption, namely k17_i for i = 1, 8, 13, 20, 9, 16, 17, 0. Thus, the data complexity is 16 × (1/2^−31.42) = 2^35.42, and the total time complexity of this attack is 2^4.58 × 2^35.42 × 2^31 = 2^71, with full recovery of the 72 master key bits and a success probability of 42% with an 8-bit advantage. If we use only 8 × (1/2^−31.42) = 2^34.42 pairs, the success probability drops to 15%.
If we instead count the key bits we need to guess on average (key bits that enter only through an AND operation cost half a bit to guess), then we can go further and present a 20-round linear attack. First, we extend the 12-round linear approximation by two more rounds and get a 14-round linear expression with bias 2^−26 (see Table A1). Here, we append four-round encryption to the 14-round linear approximation and then add two rounds of decryption at the end, which results in a 20-round linear attack. This costs guessing 21.5 bits (16.5 bits for the encryption and 5 bits for the decryption), with data complexity 2^45.42. The time complexity in this case is 2^71.5, with an 8% success probability.
Appendix D.2. 24-Round and 25-Round Linear Attacks on SIMON 64/128
We derive a 17-round linear trail as presented in Table A2, and add four rounds before and three rounds after the linear characteristic to get a 24-round linear attack.
When counting the key bits on average, we can go deeper by using an 18-round linear approximation and appending four rounds before and three rounds after, which results in a 25-round linear attack. The capacity of this system is c^2 = 4 × 32 × (2^−35)^2 = 2^−63, so the data complexity is 2^63.

Appendix E. SIMON 96
We derive a 28-round linear approximation, presented in Table A3, with bias 2^−50. Hence, we obtain a 34-round linear attack by appending four-round encryption at the beginning of the 28-round linear approximation and two rounds of decryption at the end.
In the average-case accounting, we present a 35-round linear attack, which comes from using the 28-round linear approximation and appending four rounds before and three rounds after. The four-round encryption costs guessing 21.5 bits on average. In addition to the cost of adding three rounds of decryption, there are 12 bits k34_i for i = 2, 9, 16, 6, 13, 20, 10, 17, 24, 3, 11, 18, each counted as half a bit. Also, there are 6 bits of the sum k34_{i+2} ⊕ k33_i for i = 1, 8, 5, 12, 9, 16. The time complexity in this case is 2^5.58 × 2^93.42 × 2^21.5 × 2^12 = 2^132.5.

Table A3. The sequence of approximations used to derive 28-round linear trails for SIMON 96.