Partly-Pseudo-Linear Cryptanalysis of Reduced-Round SPECK

Abstract: We apply McKay's pseudo-linear approximation of addition modulo $2^n$ to lightweight ARX block ciphers with large words, specifically the SPECK family. We demonstrate that a pseudo-linear approximation can be combined with a linear approximation using the meet-in-the-middle attack technique to recover several key bits. Thus we illustrate improvements to SPECK linear distinguishers based solely on Cho-Pieprzyk approximations by combining them with pseudo-linear approximations, and propose key recovery attacks.


Introduction
ARX block ciphers, which rely on Addition-Rotation-XOR operations performed a number of times, provide a common approach to lightweight cipher design. In June 2013, a group of inventors from the US National Security Agency (NSA) proposed two families of lightweight block ciphers, SIMON and SPECK, each of which comes in a variety of widths and key sizes. The SPECK cipher, as an ARX cipher, provides efficient software implementations, while SIMON provides efficient hardware implementations. Moreover, both families perform well in both hardware and software and offer the flexibility across different platforms that will be required by future applications [1,2]. In this paper, we focus on the SPECK family as an example lightweight ARX block cipher to illustrate our attack.
Pseudo-linear cryptanalysis [3,4,5] is a method of analyzing and measuring the security of an ARX block cipher. The main idea of the pseudo-linear approximation is to examine a window (a group of contiguous bits) of size $w$, for some $w < n$, and approximate addition modulo $2^n$ by addition modulo $2^w$. If the carry into the window is estimated correctly, the approximation will be perfect. The probability of correctness for a random guess of the value of the window is $\frac{1}{2^w}$, but the accuracy of the pseudo-linear approximation can be much larger.
This paper presents a new approximation and corresponding key recovery attack, the Partly-Pseudo-Linear attack, combining pseudo-linear approximation with linear cryptanalysis of addition modulo $2^n$ using Cho and Pieprzyk's property of modular addition [6,7]. This combination of linear and pseudo-linear attacks is original to the best of our knowledge. We illustrate, on SPECK, improvements due to this approximation over the Cho-Pieprzyk approximation for all rounds. We further use our approximation to describe key recovery attacks. Additionally, for SPECK 32/64, we provide experimental results of a few implemented six-round attacks verifying our proposal. We have demonstrated a similar approach to cryptanalysing the SPARX cipher in a later paper [8].
We compare our attack to [9,10], which present linear distinguishers using the Cho-Pieprzyk property. Our key recovery attacks are able to either cover more rounds with similar or better bias or, when we cover the same number of rounds, achieve a better bias. We are able to attack nine rounds for SPECK 32/64, 11 rounds for SPECK 48/96, 14 rounds for SPECK 64/128, 12 rounds for SPECK 96/144 and 14 rounds for SPECK 128/256 (see Section 3 for more detailed comparisons). Note that our approximation is itself a key recovery attack.

Preliminaries
This section presents our notation and briefly describes the SPECK cipher.

Notation
The following describes the notation used in this paper.
• $xl^j_t(i, i + w)$ ($xr^j_t(i, i + w)$): window $t$ of size $w$ of the left (right) word $x$ in round $j$, where the msb is at $i$ and the lsb is at $i + w - 1$, for $0 \le i < n/2$ and $1 \le w \le n/2$.
• $xl^j_t(i)$ ($xr^j_t(i)$): bit at index $i$ of the window, where $0 \le i < w$, of the left (right) word $x$.

The SPECK Cipher
The SPECK cipher is a family of lightweight block ciphers, proposed by inventors from the National Security Agency (NSA) in June 2013 [1,2]. A member of the family is denoted by SPECK 2n/mn, where the block size is $2n$ and the key size is $mn$ for some $m \in \{2, 3, 4\}$. Each round function in SPECK has three main operations:
• Addition modulo $2^n$, denoted $\boxplus_n$
• Rotation: right rotation by $\alpha$, denoted $\gg \alpha$, and left rotation by $\beta$, denoted $\ll \beta$
• Bitwise XOR, denoted $\oplus$
In this construction the block of the plaintext is split into two words, PL and PR, which are then added, XORed and rotated by the round function. Figure 1 shows one round of SPECK, where $xl^j$ ($xr^j$) denotes the left (right) input word of round $j$ and $k^j$ denotes the key of round $j$. The output of the round function for the left word of SPECK is:
$$xl^{j+1} = ((xl^j \gg \alpha) \boxplus_n xr^j) \oplus k^j. \qquad (1)$$
The output of the round function for the right word is:
The parameters specifying the SPECK versions are listed in Table 1.
Table 1. Parameters of the SPECK family: block size $2n$, key size $mn$, word size $n$, rotation amounts $\alpha$ and $\beta$, and number of rounds $T$.
2n    mn    n    α   β   T
32    64    16   7   2   22
48    72    24   8   3   22
48    96    24   8   3   23
64    96    32   8   3   26
64    128   32   8   3   27
96    96    48   8   3   28
96    144   48   8   3   29
128   128   64   8   3   32
128   192   64   8   3   33
128   256   64   8   3   34
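The round function of Equation (1) and Table 1 in executable form, as an added example that is not code from the paper: the right-word update and the key schedule follow the SPECK specification [1,2] (the extracted text above does not spell them out), key words are listed most-significant word first as in the specification's test vectors, and the round-trip key and plaintext are constructed values.

```python
# Added example (not from the paper): SPECK 2n/mn with the round function of
# Equation (1) and its inverse, parameterised by Table 1.  The right-word update
# and the key schedule are those of the SPECK specification [1,2].
from typing import List, Tuple

# (block size 2n, key size mn) -> (word size n, alpha, beta, rounds T), from Table 1
SPECK_PARAMS = {
    (32, 64): (16, 7, 2, 22),
    (48, 72): (24, 8, 3, 22), (48, 96): (24, 8, 3, 23),
    (64, 96): (32, 8, 3, 26), (64, 128): (32, 8, 3, 27),
    (96, 96): (48, 8, 3, 28), (96, 144): (48, 8, 3, 29),
    (128, 128): (64, 8, 3, 32), (128, 192): (64, 8, 3, 33), (128, 256): (64, 8, 3, 34),
}


class Speck:
    """SPECK 2n/mn with words as Python ints; the state is the pair (xl, xr)."""

    def __init__(self, block_size: int, key_size: int, key_words: List[int]):
        self.n, self.alpha, self.beta, self.rounds = SPECK_PARAMS[(block_size, key_size)]
        self.mask = (1 << self.n) - 1
        if len(key_words) != key_size // self.n:
            raise ValueError("key must consist of m = %d words" % (key_size // self.n))
        self.round_keys = self._expand_key(key_words)

    def _ror(self, x: int, r: int) -> int:
        return ((x >> r) | (x << (self.n - r))) & self.mask

    def _rol(self, x: int, r: int) -> int:
        return ((x << r) | (x >> (self.n - r))) & self.mask

    def round_function(self, xl: int, xr: int, k: int) -> Tuple[int, int]:
        # Equation (1): the modular addition happens before the key injection,
        # which is why the paper can evaluate the round-1 addition exactly.
        xl = ((self._ror(xl, self.alpha) + xr) & self.mask) ^ k
        # right word (specification): xr' = (xr <<< beta) xor xl'
        xr = self._rol(xr, self.beta) ^ xl
        return xl, xr

    def inverse_round(self, xl: int, xr: int, k: int) -> Tuple[int, int]:
        # undo the right word first, then peel off the key xor and the addition
        xr = self._ror(xr ^ xl, self.beta)
        xl = self._rol(((xl ^ k) - xr) & self.mask, self.alpha)
        return xl, xr

    def _expand_key(self, key_words: List[int]) -> List[int]:
        # Most-significant word first (specification convention): the last word
        # is k_0, the remaining words are l_0, ..., l_{m-2}.
        k = key_words[-1]
        l = list(reversed(key_words[:-1]))
        round_keys = [k]
        for i in range(self.rounds - 1):
            # the schedule reuses the round function with the counter i as "key":
            # l_{i+m-1} = (k_i + (l_i >>> alpha)) xor i,  k_{i+1} = (k_i <<< beta) xor l_{i+m-1}
            l_new, k = self.round_function(l[i], k, i)
            l.append(l_new)
            round_keys.append(k)
        return round_keys

    def encrypt(self, xl: int, xr: int) -> Tuple[int, int]:
        for k in self.round_keys:
            xl, xr = self.round_function(xl, xr, k)
        return xl, xr

    def decrypt(self, xl: int, xr: int) -> Tuple[int, int]:
        for k in reversed(self.round_keys):
            xl, xr = self.inverse_round(xl, xr, k)
        return xl, xr


def speck32_64_test_vector() -> Tuple[int, int]:
    """Encrypt the specification's SPECK 32/64 test plaintext 6574 694c under key 1918 1110 0908 0100."""
    cipher = Speck(32, 64, [0x1918, 0x1110, 0x0908, 0x0100])
    return cipher.encrypt(0x6574, 0x694c)


def round_trips(block_size: int, key_size: int) -> bool:
    """Decryption inverts encryption for a constructed key and plaintext of the given variant."""
    n = SPECK_PARAMS[(block_size, key_size)][0]
    m = key_size // n
    word = (1 << n) - 1
    key = [(0x0123456789ABCDEF0123456789ABCDEF >> (8 * j)) & word for j in range(m)]  # constructed
    pt = (0x1F2E3D4C5B6A7988 & word, 0x5A5A5A5A5A5A5A5A & word)                       # constructed
    cipher = Speck(block_size, key_size, key)
    return cipher.decrypt(*cipher.encrypt(*pt)) == pt
```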

Related Works
In this section, we review previous works that are relevant to our contributions. We first review linear cryptanalysis and pseudo-linear cryptanalysis, as we will combine the two approaches for our attack. We then describe cryptanalysis of SPECK, as we will illustrate our attack on the SPECK family.

Linear Cryptanalysis
Linear cryptanalysis [14] is one of the most powerful and widely used attacks on block ciphers. It was introduced by Matsui in 1998, and is a known plaintext attack, where the attacker has access to both the plaintext and its corresponding ciphertext [14,15]. Using linear cryptanalysis, an adversary is able to find a linear expression that approximates, with high probability, a non-linear function connecting plaintext, ciphertext, and key bits.
The quality of the linear approximation is measured by the bias, defined as $\epsilon = p - \frac{1}{2}$; a higher bias in absolute value, $|\epsilon|$, implies a better approximation and a more efficient attack. The number of required known plaintext/ciphertext pairs (the data complexity, pairs) depends on the desired success probability and is roughly proportional to $\epsilon^{-2}$. For example, pairs $= 2^4 \times \epsilon^{-2}$ corresponds to a 99.80% success rate. Table 2 shows different small multiples of $\epsilon^{-2}$ with the corresponding success rates of the linear approximation [14,15]. The Piling-Up Lemma [14] provides an expression for the bias of an approximation that results from the xor of $s$ approximations, each with bias $\epsilon_i$:

Linear Cryptanalysis of Modular Addition
The modular addition operation is nonlinear as an operation in $\mathbb{Z}_2$. The result of modular addition in a given position is the exclusive-or (addition in $\mathbb{Z}_2$) of the two bits in that position and the carry into the position. The carry, in turn, depends on a non-linear operation (the AND operation, multiplication over $\mathbb{Z}_2$) on the previous bits.
In these equations $a_i$, $b_i$ and $c_i$ each represent one bit. In another paper, Cho and Pieprzyk [6] describe a property of modular addition that removes the carry chain from Equation (4); this property uses consecutive bits. Two consecutive bits can be approximated as: This means: Removing the carry chain from Equation (4), using a mask $\lambda$ to discard the bits we want to throw away and keep the bits we are interested in, we can write: The mask $\lambda$ selects exactly the two consecutive bits we are interested in, and we can replace $\lambda \cdot (a \boxplus b)$ by $\lambda \cdot (a \oplus b)$ to obtain a linear expression. This approximation holds with probability $\frac{3}{4}$; consequently, the bias is $\frac{1}{4}$. In fact, a prerequisite for Equation (9) is that the following two cases are avoided, because they do not adhere to the Cho and Pieprzyk framework [6]:

1. Bitwise rotation breaks the two consecutive bits. After the rotation, one of these two bits will be in the most significant bit position (msb) and the other will be in the least significant bit position (lsb). Example: 00011000 ≫ 4 = 10000001.
2. Bitwise exclusive-or breaks the two consecutive bits. These two bits will no longer be consecutive. Example: 00011000 ⊕ 00110000 = 00101000.

Pseudo-Linear Cryptanalysis
McKay and Vora present the idea of pseudo-linear cryptanalysis [3,4,5], which aims to overcome the limitations of traditional linear cryptanalysis by approximating addition modulo $2^n$, for large values of $n$, with addition modulo $2^w$, for a small window size $w$, $0 < w \le n$. In other words, pseudo-linear approximations use addition modulo $2^w$ and exclusive-or over $w$-bit strings of contiguous bits (windows) instead of over the entire $n$-bit strings. In this section we provide detail about the approach, which was first developed to analyze Threefish for the SHA-3 competition [5].
McKay and Vora [5] illustrate why this is an improvement over traditional linear cryptanalysis. Consider the following example. In Figure 2, two $n$-bit words are added modulo $2^n$; only the value of the dark square, labeled $z$, is needed, and it is $w$ bits in size. Denote by $x$ and $y$ the operand windows in the same position as $z$. Thus, $z$ can be approximated as $x \boxplus_w y$. The correctness of this approximation depends on the value of the carry into the window $z$. Let part$(x, s, e)$ represent the bits of the word $x$ in positions $[s, e)$, where $s$ is the index of the word at which the window starts and $e$ is the size of this window, $0 \le s < n$, $0 \le e < n$, and the least significant bit (lsb) is at index $s$. We have two scenarios, illustrated by examples for $n = 12$. Two strings are added modulo $2^{12}$, $z = x \boxplus y$. The adversary wants to approximate only a window of 4 bits of $z$. Thus, part$(z, 4, 4) \approx$ part$(x, 4, 4) \boxplus_4$ part$(y, 4, 4)$. Note that the approximation implicitly assumes that the carry into bit $s$ is zero.

1. Suppose x = 001001000100 and y = 100010101010. In this case the approximation is correct because the carry into the window is correctly assumed to be zero (see Figure 3).
2. Suppose x = 00100100110 and y = 100010101010. In this case the approximation is incorrect because the carry into the window is incorrectly assumed to be zero (see Figure 4).
The probability that the carry is 0 is exactly the probability that the approximation is correct when it is applied for the first time and both summand windows are correct (and not yet the result of approximations). This probability is equal to $\frac{1}{2} + 2^{-(s+1)}$, where $s$ is the lsb of the window [4]. Note that the probability of correctly estimating an entire window is slightly larger than $\frac{1}{2}$.
How does one measure the efficacy of this approximation? Consider the approximation of a single bit, whether by linear approximation or any other technique. A guess made at random with no information would be correct with probability $\frac{1}{2}$. The bias of the approximation is defined as the deviation from $\frac{1}{2}$. If $w > 1$, the pseudo-linear approach provides an approximation for multiple bits, and we define an error measure for the approximation as the difference between the probability of correctly approximating the (entire) window and $\frac{1}{2^w}$. Thus the pseudo-linear approximation is more advantageous if the size of the window is larger.
Note that the pseudo-linear approximation captures the influence of intermediate carries, which are not typically captured by linear approaches. This is expected to improve the result, even when the aim is to approximate the parity of the final window (see, for example, Section 5.1).
Additionally, intuitively, for a large window, a non-zero carry will not always affect the higher-order bits. Thus, if one is measuring the number of bits that are well-approximated by the pseudo-linear expression (in the previous paragraph, we considered only whether the entire w-bit window was correctly evaluated or not), the higher order bits are more likely to be correct.
Finally, because addition modulo 2 w and exclusive-or do not distribute, the composition of the pseudo-linear approximation and the key injection includes key bits combined in a non-linear manner. For this reason, the use of the pseudo-linear approximation for key recovery requires guessing multiple key bits. In spite of this, we are able to obtain attacks more efficiently than the brute force attack because pseudo-linear approximations enable the reduction of the number of key bits from those required by the cipher [5].
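The base approximation of a single addition window, checked exhaustively against the true sum, as an added example that is not code from the paper: part, the window sum modulo $2^w$ and the carry into position $s$ follow the definitions above (the helper names are ours), the $n = 12$ operands are the first example of the text, and the exhaustive counts reproduce $\frac{1}{2} + 2^{-(s+1)}$ for the whole window and show that the parity of the window is right more often, as the text remarks.

```python
# Added example (not from the paper): pseudo-linear (base) approximation of one
# n-bit modular addition restricted to a w-bit window with lsb at position s,
# compared exhaustively with the true sum for a small word size.  Windows are
# assumed not to wrap around the word (s + w <= n).
from fractions import Fraction
from typing import Tuple


def part(x: int, s: int, w: int) -> int:
    """Bits of x in positions [s, s + w): the w-bit window whose lsb is at index s."""
    return (x >> s) & ((1 << w) - 1)


def window_exact(x: int, y: int, n: int, s: int, w: int) -> int:
    """The window of the true sum x + y mod 2^n."""
    return part((x + y) & ((1 << n) - 1), s, w)


def window_pseudo_linear(x: int, y: int, s: int, w: int) -> int:
    """Base approximation: add the operand windows modulo 2^w; carry into s assumed 0."""
    return (part(x, s, w) + part(y, s, w)) & ((1 << w) - 1)


def carry_into(x: int, y: int, s: int) -> int:
    """The carry produced by the s low-order bits, i.e. the carry into position s."""
    low = (1 << s) - 1
    return ((x & low) + (y & low)) >> s


def parity(v: int) -> int:
    """xor of all bits of v (the quantity the linear part of the attack targets)."""
    return bin(v).count("1") & 1


def paper_example_is_correct() -> bool:
    """The n = 12 example of the text: x = 001001000100, y = 100010101010, window (s = 4, w = 4)."""
    x, y = 0b001001000100, 0b100010101010
    return (carry_into(x, y, 4) == 0
            and window_pseudo_linear(x, y, 4, 4) == window_exact(x, y, 12, 4, 4))


def exhaustive_stats(n: int, s: int, w: int) -> Tuple[Fraction, Fraction, Fraction]:
    """Over all 2^(2n) operand pairs: P[carry into s is 0], P[whole window correct],
    P[parity of the window correct].  Exact, so expect 1/2 + 2^-(s+1) for the first two."""
    total = 1 << (2 * n)
    no_carry = whole = par = 0
    for x in range(1 << n):
        for y in range(1 << n):
            approx = window_pseudo_linear(x, y, s, w)
            exact = window_exact(x, y, n, s, w)
            no_carry += carry_into(x, y, s) == 0
            whole += approx == exact
            par += parity(approx) == parity(exact)
    return Fraction(no_carry, total), Fraction(whole, total), Fraction(par, total)


def window_error_measure(n: int, s: int, w: int) -> Fraction:
    """The text's error measure: P[whole window correct] - 1/2^w."""
    return exhaustive_stats(n, s, w)[1] - Fraction(1, 1 << w)
```

For a 2-bit window with lsb at $s = 1$ the whole window is correct with probability 3/4 but its parity with probability 7/8, the case used for the six-round attack later in the paper.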

Some Observations Regarding the Addition Window
McKay and Vora [3] provide some properties of the approximation over addition windows. Consider two $n$-bit words, $x$ and $y$, selected uniformly at random, and a window size $w < n$. The following notation is used in the lemmas (quoted verbatim from [4]). In the proof of this lemma, McKay and Vora demonstrate that: Note that this is the probability of the entire window being correctly approximated. The probability of bit parities being correctly approximated will typically be larger.
Corollary 1 is for the case when the window wraps around from the higher end of the n-bit word to the lower end. If the window does not wrap around in the word, the corresponding result is presented in Lemma 3.
The use of these equations will lead us to approximate windows derived from a single addition. However, the ARX block cipher is an iterated cipher. Thus, after the first approximated addition, the input of all further subsequent additions changes. In particular, the input for the further additions is dependent on the input of the operand bits that precede this addition over all rounds approximated [5].

Base Approximation
The base approximation is a simple approximation that follows the windows until the target window. All exclusive-or operations and addition modulo 2 n operations are preserved, assuming that the carry into all windows is 0 [3].

Carry Patterns
A carry pattern is a series of carry values, $c_i \in \{0, 1\}$, where $i$ denotes the approximated addition window that may have a carry into it.
Multiple carry patterns, indexed by $j$, $C_j = (c_0, \ldots, c_i, \ldots, c_{m-1})$, can be constructed for each base approximation; here $j$ denotes a specific carry pattern for the approximation, $i$ the approximated window, and $m$ the total number of windows approximated. If $c_i = 1$, then the carry going into the $i$th approximated addition window is 1. Thus, the base approximation is overlaid by the $m$ carry patterns, $C_j$ + base, to produce $m$ estimates of the target window [5].

Computing Bias
If $cp$ carry patterns are used, the bias may be experimentally computed as the difference between the probability of the approximation being correct and the probability of correctly guessing a carry pattern at random with $cp$ tries. The carry patterns will be correct with probability $\frac{cp}{2^w}$ instead of $\frac{1}{2^w}$, since each pattern represents a different approximation. According to McKay [3], the bias is computed using Equation (10).

Comparison between Pseudo-Linear Cryptanalysis and Linear Cryptanalysis
The pseudo-linear attack is clearly inspired by linear cryptanalysis, but there are several differences that should be noted. Table 3 shows these differences [3].
Table 3. The main differences between linear and pseudo-linear cryptanalysis.

Linear cryptanalysis: The effect of several approximations can be easily concatenated and simplified because there is only one operation (exclusive-or).
Pseudo-linear cryptanalysis: The effect of several approximations cannot be concatenated and simplified because the two operations (exclusive-or and addition modulo $2^w$) do not commute.
Linear cryptanalysis: Combining key bits across rounds into a single function of the key, independent of plaintext bits, is possible.
Pseudo-linear cryptanalysis: Key bits across rounds cannot be combined into a single function of the key independent of the plaintext.
Linear cryptanalysis: The approximation may be used for a distinguisher as well as for key recovery.
Pseudo-linear cryptanalysis: The approximation includes a non-linear function of key and plaintext bits; it cannot be used as a distinguisher but can be used for key recovery.
Linear cryptanalysis: Approximation of a single modular addition for large window sizes has low bias.
Pseudo-linear cryptanalysis: Approximation of a single modular addition can result in high-accuracy prediction of large windows.

Cryptanalysis of SPECK
Since the publication of SPECK in 2013 [1,2], there have been several analyses of the cipher, most focused on differential and linear cryptanalysis. Beaulieu et al. summarise the cryptanalysis and implementation results [16]. Section 3.4.1 reviews different methods of cryptanalysis on SPECK. Section 3.4.2 reviews some key results on linear cryptanalysis, as the focus of this paper is to combine linear and pseudo-linear cryptanalysis.

Different Methods of Cryptanalysis on SPECK
Two previous works have the best differential cryptanalysis results on SPECK. Ling et al. (2016) [17] present differential cryptanalysis of ARX block ciphers and develop a framework for finding differential characteristics. Lee et al. (2018) [18] present a method of approximating differential probabilities using a SAT solver. In addition, Yunwen et al. (2017) [19] present a rotational-XOR cryptanalysis of SPECK. Table 4 summarizes the results of differential and rotational cryptanalysis on the SPECK family. The authors of [13] have the largest number of attacked rounds on the two largest members of the SPECK family. They show that they are able to attack more rounds on the large SPECK variants with large key sizes, especially SPECK 96/144, SPECK 128/192 and SPECK 128/256. The number of attacked rounds is larger than in [11]. Moreover, they present a new search method for linear approximations of the SPECK family using the partial linear mask table (pLMT).
Fu et al. [12] present differential and linear trails (hull) for an ARX cipher and implement their approach on SPECK. For the linear trails (hull), they use the Wallén algorithm and the Mixed Integer Linear Programming model (MILP). Table 5 summarises the results of these previous works.
This paper presents a novel attack: the combination of linear and pseudo-linear attacks. It illustrates improvements to SPECK attacks based solely on Cho-Pieprzyk approximations by combining them with pseudo-linear approximations. N is the block size and K is the key size. LT refers to a Linear Trail used as a distinguisher. NA refers to Not Available (not reported in the paper).

Pseudo-Linear Cryptanalysis Attacks on Reduced-Round SPECK 32/64
In this section, we derive pseudo-linear approximations for 4- and 6-round attacks on SPECK 32/64. That is, we approximate addition mod $2^n$ by addition mod $2^w$, for $w = 2, 3, 4$, using some carry patterns for each approximated addition window unless its right end is at the least significant bit (lsb) of the word. In later sections, we combine these approximations with linear approximations.

Four-Round Attack
We begin our work by implementing pseudo-linear cryptanalysis on four rounds of SPECK 32/64, as a meet-in-the-middle attack with a four-bit window approximated by two rounds in the forward direction and two backward. The approximation requires 12 key bits. The first addition operation is before the round key injection, thus it can be performed for the full word without windows or carry patterns; it is denoted NewPL in Table 6, which shows the approximation for four rounds meeting at $xl^2_1(0, 1)$. Note that $x(i, i + w - 1)$ is a window of size $w$ beginning at msb $i$ and ending at lsb $i + w - 1$.
Table 6. The pseudo-linear attack approximation for 4 rounds meeting at $xl^2_1(0, 1)$, $w = 2$.
There are two approximations of interest, $xl^2_1(0, 1)$ (Table 6, Round 2) and $xl^3_1(0, 1)$ (Table 6, Round 3), each of size $w = 2$. $xl^2_1(0, 1)$ is the first window (windows are denoted in subscript) of the second round (rounds are denoted in superscript) in the left half. It consists of bits 0 through 1. Similarly, $xl^3_1(0, 1)$ is the first window in the third round, consisting of the two least significant bits of the left half of the state. Each window represents a pseudo-linear approximation from a particular direction (forward or backward), and the approximations meet in the middle, at the target window, $xl^2_1(0, 1) \equiv xl^3_1(0, 1)$. Note that for window $xl^2_1(0, 1)$ the approximation is exact when the key is correct, because the summands are exact, the window begins at the least significant bit, and the incoming carry is therefore always zero. The approximation for window $xl^3_1(0, 1)$ needs approximations for $xl^4_1(9, 10)$ and $xr^3_1(9, 10)$, which in turn need an approximation for window $xl^4_2(11, 12)$ (windows $xr^4_3(11, 12)$, $xr^4_2(6, 7)$ and $xr^4_1(2, 3)$ are computed exactly). First, we approximate windows $xl^4_1(9, 10)$ and $xl^4_2(11, 12)$, which use the correct values of the summand windows, so that the approximation error is due only to an error in the carry.
McKay shows [4] that the bias of an incoming carry into a window with lsb at position $s$, assuming a uniform distribution of the bits of lower significance, is $2^{-(s+1)}$. Let carry$_s$ denote the carry coming into a window with least significant bit $s$, and let $e_0$, $e_1$ be the errors in the first and second bit of the window. Then:
$\Pr[e_1 e_0 = 00 \mid \text{carry}_s = 0] = 1$
In addition, the probability with which the intermediate carry is correctly computed (by the pseudo-linear summation, which assumes the incoming carry is zero) when the incoming carry is actually one is $\frac{1}{2}$, which is also the probability with which the msb is correctly computed when the incoming carry is one (of the four possibilities for the pair of lsbs of the summand windows: when both lsbs are 0, the approximated intermediate carry is 0, as is the true one; similarly, when both lsbs are 1, both the true and the approximated intermediate carries are 1; when one of the two lsbs is 0 and the other is 1, the approximated carry is zero, but the true carry is one). Hence:
$\Pr[e_1 e_0 = 01 \mid \text{carry}_s = 1] = \Pr[e_1 e_0 = 11 \mid \text{carry}_s = 1] = \frac{1}{2}$
An approximation which uses the correct values for the summand windows can never have an error in the msb if the lsb is correct (that is, if the carry was correctly estimated), hence:
$\Pr[e_1 e_0 = 10 \mid \text{carry}_s = 1] = 0$
We start from round 4 to approximate $xl^4_1(9, 10)$ and $xl^4_2(11, 12)$ (note: $xl^4_1$, the first two-bit window of the fourth round, is located at (2, 3) before rotation and, similarly, $xl^4_2$ is located at (4, 5)). Thus, we need to calculate the probabilities of these two windows as follows: The target window $xl^3_1(0, 1)$ is obtained by adding $xr^3_1(9, 10)$ and $xl^4_1(9, 10)$. Since we are trying to compute the entire window correctly, we compute $\Pr[e_1 e_0 = 00]$.
There are 16 possibilities for the two-bit errors in the two summand windows. With an incoming carry of zero, 6 of these give $e_1 e_0 = 00$ (the possibilities are: both summands have error 00 or 10; with probability one half, both have error pattern 01 or 11; with probability one half, the summands are 01 and 11, in either order, two possibilities). With an incoming carry of one, 8 of these give $e_1 e_0 = 00$ (with probability one half, each of the following pairs of summand errors results in an error of 00 in the approximated window when the true value of the incoming carry is one; each pair occurs twice: 00 and 01, 00 and 11, 01 and 10, 10 and 11). The total probability is obtained using the probabilities of errors in windows $xl^4_1(9, 10)$ and $xl^4_2(11, 12)$ computed above, to obtain: To experimentally verify our probability, we carried out 200 experiments for the pseudo-linear approximation, each with a key chosen at random. We used $2^{10}$ P/C pairs for each experiment. The average empirically determined probability for $xl^2_1(0, 1) \equiv xl^3_1(0, 1)$ was 0.3476. The bias for this approximation is $2^{-3.35}$. Table 7 shows the results of these approximations. The bias for the pseudo-linear approximation above is experimentally computed as described in Section 3 and verified theoretically by computing the probability of each window in this approximation.

Six-Round Attack
The maximum number of rounds we can analyze for key recovery in SPECK 32/64 using the pseudo-linear approximation is 6. We are limited by the fact that several key bits are involved in the approximation, and pseudo-linear cryptanalysis requires the adversary to try all possibilities for the key bits involved in the approximation. Using this approximation, 44 key bits may be recovered with data complexity $2^{10}$ and time complexity $2^{54}$.

Partly-Pseudo-Linear Cryptanalysis with Illustration on SPECK
In this paper, we present a new attack for the ARX block cipher which we term the Partly-Pseudo-Linear attack: a meet-in-the-middle combination of pseudo-linear and linear attacks. We show that linear cryptanalysis relying on Cho-Pieprzyk approximations of modular addition is improved by replacing some rounds of linear approximation with pseudo-linear approximations. Using the approach of Bodden and Ashur [9,10], we find the longest linear trails to approximate a window of two consecutive bits in each direction (forward and backward). Of these, we choose the trail(s) that would combine with a lower-error pseudo-linear attack.
The pseudo-linear attack itself first uses pseudo-linear approximations for each addition operation. The approximations require the use of key bits, but because the approximation is limited to a window, fewer key bits are used than in the entire round. Every bit of the window is computed with considerable accuracy as a function of a few key bits. The larger the window size, the more key bits are required; similarly, the more rounds one covers (the more additions one approximates), the more key bits are required. This typically limits the window size, and we focus on window sizes of two bits. Thus, our pseudo-linear approximation computes each bit of a two-bit window in one direction, as a function of some key bits. We use the xor of this window and compare it to the xor computed using linear cryptanalysis in the other direction, as described above.
We have done this analysis in the forward direction and the backward direction, since we will use one of these directions by combining it with the pseudo-linear attack. Figure 6 shows an approximated round of SPECK using Cho-Pieprzyk approximations in each direction. Note that the constraint of requiring two consecutive bits in the window to be approximated restricts the windows that can be approximated. The final linear approximation approximates the xor of the two bits of the window. The bias of the Partly-Pseudo-Linear cryptanalysis approximation hence consists of two parts.

1. The first part is the bias of the xor of the bits of the window when the window is computed using the pseudo-linear approximation.
2. The second part is the bias of the linear approximation, computed using traditional linear approaches.
The combination of these two biases using the Piling-Up Lemma allows us to determine the number of plaintext and ciphertext pairs that we should use in our experiments.

Implementation of the Partly-Pseudo-Linear Attack on SPECK 32/64
We illustrate the Partly-Pseudo-Linear attack (including the analytical approach to determining the bias of a pseudo-linear attack) on 6 and 9 rounds of SPECK 32/64.

Six-Round Partly-Pseudo-Linear Attack
We find the longest linear trail arising from a two-consecutive-bit target window, discovering one that covers four rounds in the backward direction, and combine it with two rounds approximated using pseudo-linear cryptanalysis in the forward direction. Table 8 shows the derivation of the mask used in the linear part of the Partly-Pseudo-Linear attack. Note that we do not cover more than four rounds because rotation breaks the requirement for two consecutive ones.
Table 8. Linear trail of SPECK 32/64 for four rounds (six-round Partly-Pseudo-Linear attack; starting with 0x30000000 forward).

Table 8 columns: Round, Cost. Note: broke requirement of consecutive ones for 0xf0be ≫ 7.
The window size of the pseudo-linear approximation is two, $w = 2$, and 6 key bits are required for the approximation. In the first round, the addition operation is performed before the round key injection; thus, it can be performed exactly for the full word without any need for an approximation. The second round involves a single modular addition that is approximated by an addition modulo $2^w = 2^2$ with zero carry. Table 9 shows the Partly-Pseudo-Linear approximation for six rounds meeting at $xl^2_1(1, 2)$, which denotes the first (and only) window in round 2. The window is in the left word. (Recall that $xl^j_t$ represents the $t$th window of the left word in the $j$th round.)
Table 9. The approximation for the Partly-Pseudo-Linear attack: six rounds, meeting at $xl^2_1(1, 2)$.
Figure 7 shows how the target window travels through two rounds of SPECK 32/64. Linear cryptanalysis, and the techniques for computing its bias, are well established. On the other hand, pseudo-linear cryptanalysis is new, and we describe here an approach to computing the bias of the xor of a 2-bit window approximated using one instance of the pseudo-linear approximation, as in this case.

Table 9 columns: Round, Encryption, Decryption.
Consider the 2-bit target window of interest, $xl^2_1(1, 2)$ (Table 9, Round 2), where the pseudo-linear approximation meets the linear approximation. The pseudo-linear part of the attack approximates the xor of the two bits of the window, $xl^2_1(1) \oplus xl^2_1(2)$, by approximating the window through multiple rounds and then, finally, xoring the two bits. The linear part of the attack follows the Cho-Pieprzyk property of modular addition through multiple rounds.
Let the pseudo-linear approximation of the xor be denoted $\zeta$. Because this is the first instance of pseudo-linear approximation, the values of the component windows being added to obtain the target window are correct. That is, no approximations have been used while obtaining $xl^1_2 \gg 7$ and $xr^1_1$. Thus, if the incoming carry is zero, the entire target window, $xl^2_1(1, 2)$, is estimated correctly and, hence, so is $\zeta$. McKay shows [4] that the bias of an incoming carry into a window with lsb $s$, assuming a uniform distribution of the bits of lower significance, is $2^{-(s+1)}$. If carry$_s$ denotes the carry coming into a window with least significant bit $s$,
$\Pr[\zeta \text{ is correct} \mid \text{carry}_s = 0] = 1$
Now consider the case when the incoming carry is 1. The lsb in the approximated window of the sum will be incorrect with probability 1. However, there will be instances when the msb is also approximated incorrectly, in which case the xor will be correct. Thus the probability with which the intermediate carry is correctly computed when the incoming carry is one is $\frac{1}{2}$, which is also the probability with which the msb is correctly computed when the incoming carry is one. Hence: For the pseudo-linear approximation of Table 9, we observe that $s = 1$, hence: Our bias for the first approximation is larger than the bias of a first-round Cho-Pieprzyk approximation.
To experimentally verify our bias prediction, we carried out 150 experiments for the pseudo-linear approximation, each with a key chosen at random. We used $2^{10}$ P/C pairs for each experiment. The average empirically determined bias for the xor of the target window was $2^{-1.41}$.
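Carrying the computation of the previous paragraphs through with the quantities stated there (an added worked derivation, not part of the original text; carry$_s$, $\zeta$, $s = 1$ and the bias definition $\epsilon = p - \frac{1}{2}$ are the paper's own):

$$
\begin{aligned}
\Pr[\text{carry}_s = 0] &= \tfrac{1}{2} + 2^{-(s+1)}, \qquad \Pr[\text{carry}_s = 1] = \tfrac{1}{2} - 2^{-(s+1)}, \\
\Pr[\zeta \text{ is correct}] &= 1 \cdot \Pr[\text{carry}_s = 0] + \tfrac{1}{2} \cdot \Pr[\text{carry}_s = 1] = \tfrac{3}{4} + 2^{-(s+2)}, \\
s = 1: \quad \Pr[\zeta \text{ is correct}] &= \tfrac{3}{4} + \tfrac{1}{8} = \tfrac{7}{8}, \qquad
\epsilon_\zeta = \tfrac{7}{8} - \tfrac{1}{2} = \tfrac{3}{8} \approx 2^{-1.415}.
\end{aligned}
$$

This agrees with the empirically determined $2^{-1.41}$ and exceeds the Cho-Pieprzyk bias of $\frac{1}{4} = 2^{-2}$ for a single approximated addition.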
Thus, the attack of the approximation of Table 9, using the masks of Table 8, has the following characteristics. The summary of attack properties is presented in Table 10. We were able to determine all six key bits correctly for each of the randomly chosen keys, within the list of the three best key candidates.

Nine-Round Partly-Pseudo-Linear Attack
We describe a nine-round key recovery attack. In this nine-round attack, we use a different mask that covers four rounds and can be combined with our pseudo-linear approximation. Table 11 shows the mask used in this attack.
Table 11. Linear trail of SPECK 32/64 for four rounds (nine-round Partly-Pseudo-Linear attack; starting with 0x0c000000 forward).

Table 11 columns: Round, Cost. Note: broke requirement of consecutive ones for 0xfbc2 ≫ 7.
We use five rounds of pseudo-linear approximation in the forward direction (the maximum given the time complexity constraints of the non-linear approximation) and four rounds of linear approximation in the backward direction. The window size of the pseudo-linear approximation is two, $w = 2$. Table 12 shows the approximation for nine rounds meeting at $xl^5_1(10, 11)$; note that 36 key bits are required. Figure 8 shows how we derive the pseudo-linear approximation of the target window through five rounds of SPECK 32/64.
Table 12. The Partly-Pseudo-Linear approximation for nine rounds meeting at $xl^5_1(10, 11)$.

The Partly-Pseudo-Linear Attack on the Large Variants of SPECK
The larger variants of SPECK have a larger block with two or three different key sizes. This gives us two advantages. First, with a larger key size, we have a larger brute-force attack to compare against, so a pseudo-linear attack can cover more rounds in spite of requiring key bits in the approximation. Second, with a larger block size, it is harder to break the mask λ through bitwise rotation. Table 14 summarizes the results of the Partly-Pseudo-Linear attack on the SPECK family. Details of the individual attacks are in Appendices B–E. For the attacks on more rounds, our bias predictions are limited by our ability to experimentally determine the error of the pseudo-linear approximation.

Table A1. The pseudo-linear attack approximation for four rounds meeting at xl 2 1 (0, 2), w = 3.

Table A2 shows the approximation for four rounds meeting at xl 2 1 (0, 3).

Table A2. Four-round pseudo-linear attack, meeting at xl 2 1 (0, 3).

Appendix B. The Partly-Pseudo-Linear Attack on SPECK 48
In SPECK 48 there are two key sizes: 72 bits and 96 bits. With SPECK 48/72, we are able to attack 10 rounds (four rounds using a pseudo-linear approximation and six rounds using a linear approximation). Using this approach, we are able to recover 27 key bits. With SPECK 48/96, we increase the pseudo-linear approximation by one more round and are able to recover 45 key bits.
In the previous attacks in Section 5, we show that the longest linear trail covers four rounds of SPECK 32/64 in the backward direction and Tables 8 and 11 show that the reason to stop after four rounds was that rotation broke the requirement for two consecutive ones.
Here in this attack, we use a mask that covers six rounds, and the reason to stop is that the exclusive-or breaks the requirement for two consecutive ones. Table A3 shows the mask used in this attack. As with SPECK 32, we can derive our target window xl 7 1 (1, 0) backward from the ciphertext to build the pseudo-linear approximation.

Table A3. Linear trail of SPECK 48 for six rounds (starting with 0x000003000000 backward).

Appendix C. The Partly-Pseudo-Linear Attack on SPECK 64
In SPECK 64 there are two key sizes: 96 bits and 128 bits. With SPECK 64/96, we are able to attack 13 rounds (four rounds using a pseudo-linear approximation and nine rounds using linear approximations). Thus, we are able to recover 28 key bits. With SPECK 64/128, we increase the pseudo-linear approximation by one more round and are able to recover 49 key bits. Table A4 shows the mask used in this attack. As with SPECK 32, we can derive our target window xl 10 1 (0, 1) backward from the ciphertext to build the pseudo-linear approximation.

Table A4. Linear trail of SPECK 64 for nine rounds (starting with 0x0000000300000000 backward).

Appendix D. The Partly-Pseudo-Linear Attack on SPECK 96
In SPECK 96 there are two key sizes: 96 bits and 144 bits. With SPECK 96/96, we are able to attack 10 rounds (five rounds using a pseudo-linear approximation and five rounds using linear approximations). Thus, we are able to recover 46 key bits. With SPECK 96/144, we increase the pseudo-linear approximation by one round and also increase the linear approximation by one round. Thus, the total is 12 rounds and we are able to recover 76 key bits. Table A5 shows the mask used in this attack. As with SPECK 32 and SPECK 48, in SPECK 96/96 we can derive our target window xl 5 1 (1, 0) backward from the ciphertext to build the pseudo-linear approximation. For SPECK 96/144, on the other hand, we increase the attacked rounds by two rounds and the target window is xl 6 1 (0, 1).

Table A5. Linear trail of SPECK 96.

Round  λx_{i+1}        λy_{i+1}        λx_i            λy_i            Cost
1      0x83000060036d  0x803300600c62  0x3300000f0f03  0x5335600c0e83  7
2      0x00030303030c  0x6d800303630f  0x83000060036d  0x803300600c62  6
3      0x000003000360  0x0c0000030063  0x00030303030c  0x6d800303630f  5
4      0x000000030300  0x600000000303  0x000003000360  0x0c0000030063  3
5      0x000000000300  0x000000000003  0x000000030300  0x600000000303  2
6      0x000000000003  0x000000000000  0x000000000300  0x000000000003  1

Appendix E. The Partly-Pseudo-Linear Attack on SPECK 128
In SPECK 128 there are three key sizes: 128 bits, 192 bits, and 256 bits. With SPECK 128/128, we are able to attack 11 rounds (five rounds using a pseudo-linear approximation and six rounds using a linear approximation). Thus, we are able to recover 50 key bits. With SPECK 128/192, we increase the pseudo-linear approximation by two more rounds (13 rounds in total) and are able to recover 122 key bits. With SPECK 128/256, we increase the pseudo-linear approximation by one further round (14 rounds in total) and are able to recover 173 key bits. Table A6 shows the mask used in this attack. As with SPECK 32, we can derive our target window xl 7 1 (0, 1) backward from the ciphertext to build the pseudo-linear approximation.

Table A6. Linear trail of SPECK 128 for six rounds (starting with 0x00000000000000030000000000000000 backward).