Improved Linear Hull Attack on Round-Reduced Simon with Dynamic Key-Guessing Techniques
Abstract
Simon is a lightweight block cipher family proposed by the NSA in 2013. It has drawn many cryptanalysts' attention and a variety of cryptanalysis results have been published, including differential, linear, impossible differential and integral cryptanalysis. In this paper, we give improved linear attacks on all reduced versions of Simon with the dynamic key-guessing technique, which was recently proposed to improve the differential attack on Simon. By establishing the Boolean function of the parity bit in the linear hull distinguisher and reducing the function according to the property of the AND operation, we can guess different subkeys (or equivalent subkeys) in different situations, which decreases the number of key bits involved in the attack and, in a further step, the time complexity. As a result, 23-round Simon32/64, 24-round Simon48/72, 25-round Simon48/96, 30-round Simon64/96, 31-round Simon64/128, 37-round Simon96/96, 38-round Simon96/144, 49-round Simon128/128, 51-round Simon128/192 and 53-round Simon128/256 can be attacked. As far as we know, our attacks on most reduced versions of Simon are the best compared with the previous cryptanalysis results. However, this does not shake the security of the Simon family with full rounds.
Keywords: Boolean Function, Block Cipher, Round Function, Differential Attack, Linear Hull
1 Introduction
In 2013, the NSA proposed a new family of lightweight block ciphers with Feistel structure, named Simon, which is tuned for optimal performance in hardware applications [7]. The Simon family consists of various block and key sizes to match different application requirements. There is no S-box in the round function. The round function consists of AND, rotation and XOR (ARX structure), leading to a low-area hardware requirement.
Related Works. The Simon family has attracted a lot of cryptanalysts' attention since its proposal, and many cryptanalysis results on various versions of Simon have been published. For differential attacks, Alkhzaimi and Lauridsen [5] gave the first differential attacks on all versions of Simon. The attacks cover 16, 18, 24, 29 and 40 rounds for the versions with block size 32, 48, 64, 96 and 128 respectively. At FSE 2014, Abed et al. [3] gave differential attacks on variants of Simon reduced to 18, 19, 26, 35 and 46 rounds with respective block sizes 32, 48, 64, 96 and 128. At the same time, Biryukov et al. [9] independently gave differential attacks on several versions of Simon, attacking 19-round Simon32, 20-round Simon48 and 26-round Simon64. Then Wang et al. [20] proposed better differential attacks with existing differentials, using dynamic key-guessing techniques. As a result, 21-round Simon32/64, 23-round Simon48/72, 24-round Simon48/96, 28-round Simon64/96, 29-round Simon64/128, 37-round Simon96/96, 37-round Simon96/144, 49-round Simon128/128, 49-round Simon128/192 and 50-round Simon128/256 were attacked.
Table 1. Summary of linear hull attacks on Simon (A: additions, E: encryptions, as used in the time column)

Cipher | Attacked rounds | Data | Time | Reference
Simon32/64 | 21 | \(2^{30.56}\) | \(2^{55.56}\) | [1]
Simon32/64 | 21 | | | [17]
Simon32/64 | 23 | \(2^{31.19}\) | \(2^{61.84}A +2^{56.3}E\) | Sect. 4.2
Simon48/72 | 20 | \(2^{44.11}\) | \(2^{70.61}\) | [1]
Simon48/72 | 24 | \(2^{47.92}\) | \(2^{67.89}A+2^{65.34}E\) | Sect. 4.3
Simon48/96 | 21 | \(2^{44.11}\) | \(2^{70.61}\) | [1]
Simon48/96 | 21 | | | [17]
Simon48/96 | 23 | \(2^{47.92}\) | \(2^{92.92}\) | [18]
Simon48/96 | 25 | \(2^{47.92}\) | \(2^{89.89}A+2^{88.28}E\) | Sect. 4.3
Simon64/96 | 27 | \(2^{62.53}\) | \(2^{88.53}\) | [1]
Simon64/96 | 30 | \(2^{63.53}\) | \(2^{93.62}A+2^{88.13}E\) | Sect. 4.3
Simon64/128 | 29 | \(2^{62.53}\) | \(2^{123.53}\) | [1]
Simon64/128 | 29 | | | [17]
Simon64/128 | 31 | \(2^{63.53}\) | \(2^{119.62}A+2^{120.00}E\) | Sect. 4.3
Simon96/96 | 37 | \(2^{95.2}\) | \(2^{67.94}A+2^{88}E\) | Sect. 4.3
Simon96/144 | 36 | \(2^{94.2}\) | \(2^{123.5}\) | [1]
Simon96/144 | 38 | \(2^{95.2}\) | \(2^{98.94}A+2^{136.00}E\) | Sect. 4.3
Simon128/128 | 49 | \(2^{127.6}\) | \(2^{87.77}A+2^{120}E\) | Sect. 4.3
Simon128/192 | 48 | \(2^{126.6}\) | \(2^{187.6}\) | [1]
Simon128/192 | 51 | \(2^{127.6}\) | \(2^{155.77}A+2^{184.00}E\) | Sect. 4.3
Simon128/256 | 50 | \(2^{126.6}\) | \(2^{242.6}\) | [1]
Simon128/256 | 53 | \(2^{127.6}\) | \(2^{239.77}A+2^{248.01}E\) | Sect. 4.3
Also, there are some results with other attack models, such as impossible differential cryptanalysis [4, 10, 12, 21], zero-correlation cryptanalysis [21] and integral cryptanalysis [21].
Our Contributions. In this paper, we give improved linear hull attacks on all reduced versions of the Simon family with the dynamic key-guessing technique, which was initially proposed to improve the differential attack on Simon [20], using existing linear hull distinguishers. In a linear attack, one important step is to compute the empirical correlations (bias) of the parity bit, which is the XOR-sum of the active bits at both sides of the linear hull distinguisher, under some key guess. Our attack on Simon makes this procedure more efficient.
The non-linear part of the round function of Simon is mainly derived from the bitwise AND (&) operation, which has a significant feature: if one of the two operands is equal to zero, the result of their AND is zero, no matter what value the other operand takes. For a function \( f=f_1(x_1,k_1) \& f_2(x_2,k_2)\), if we GUESS \(k_1\) first and SPLIT all \(x=x_1x_2\) into two cases, case 1: \( f_1(x_1,k_1)=0\) and case 2: \( f_1(x_1,k_1)=1\), there is no need to guess the key bits \(k_2\) in case 1, since \(f=0\) holds for any value of \(f_2\) in case 1. Then we can compute the correlations in each case with less time, and at last we COMBINE the two correlations for the corresponding key \(k=k_1k_2\).
First, we give the Boolean representations for the parity bit in the linear distinguisher of Simon. Then we apply the GUESS, SPLIT and COMBINE technique in the calculation of the empirical correlations, which mainly exploits the dynamic key-guessing idea to reduce the number of guessed subkey bits significantly. For example, in the attack on 21-round Simon32, 32 subkey bits are involved. With the above technique, we need to guess only 12.5 bits of the total 32-bit subkey on average to compute the correlations.
As a result, the improved attack results are as follows. We can attack 23-round Simon32/64, 24-round Simon48/72, 25-round Simon48/96, 30-round Simon64/96, 31-round Simon64/128, 37-round Simon96/96, 38-round Simon96/144, 49-round Simon128/128, 51-round Simon128/192 and 53-round Simon128/256. This improves the linear attack results for all versions. In terms of the number of rounds attacked, the results on most versions are the best up to now. The existing and new linear hull attack results on Simon are summarized in Table 1. Also, we implement the 21-round attack on Simon32. In the attack, we can decrease the 32 subkey bits involved by 8 bits. The experiments show that the attack success probability is about \(27.7\,\%\) using \(2^{31.19}\) plaintext-ciphertext pairs.
The paper is organised as follows. In Sect. 2, we introduce the linear (hull) cryptanalysis and give the description of Simon family. Section 3 gives the dynamic keyguessing technique used in the linear cryptanalysis. Then the improved attacks on Simon32/64 and all other variants are given in Sect. 4. Finally, we conclude in Sect. 5. Appendix A gives the time complexities to calculate the empirical correlations in some simple situations.
2 Preliminaries
2.1 Linear Cryptanalysis and Linear Hull
Selçuk and Biçak [16] gave an estimate of the success probability of a linear attack for achieving a desired advantage level. The advantage is the complexity reduction over exhaustive search. For example, if an m-bit key is attacked and the right key is ranked t-th among all \(2^m\) candidates, the advantage of this attack is \(m-\log_2(t)\). Theorem 2 in [16] describes the relation between success rate, advantage and number of data samples.
Theorem 1
2.2 Description of Simon
Notation | Meaning
\(X^r\) | 2n-bit output of round r (input of round \(r+1\))
\(X^r_L\) | left half (n bits) of \(X^r\)
\(X^r_R\) | right half (n bits) of \(X^r\)
\(K^r\) | subkey used in round \(r+1\)
\(x_i\) | the i-th bit of x, beginning with bit 0 from the right (e.g., \(X^r_{L,0}\) is the LSB of \(X^r_L\))
\(x_{i_1,\ldots ,i_t}\) | the XOR-sum of \(x_i\) for \(i=i_1,i_2,\ldots ,i_t\) (e.g., \(x_{0,1}=x_0\oplus x_1\))
\(x\lll i\) | left circular shift of x by i bits
\(\oplus \) | bitwise XOR
& | bitwise AND
F(x) | \( F(x)=((x\lll 1) \& (x\lll 8)) \oplus (x\lll 2)\)
The Simon family block ciphers

block size (2n) | key size (mn) | rounds
32 \((n=16)\) | 64 \((m=4)\) | 32
48 \((n=24)\) | 72 \((m=3)\) | 36
48 \((n=24)\) | 96 \((m=4)\) | 36
64 \((n=32)\) | 96 \((m=3)\) | 42
64 \((n=32)\) | 128 \((m=4)\) | 44
96 \((n=48)\) | 96 \((m=2)\) | 52
96 \((n=48)\) | 144 \((m=3)\) | 54
128 \((n=64)\) | 128 \((m=2)\) | 68
128 \((n=64)\) | 192 \((m=3)\) | 69
128 \((n=64)\) | 256 \((m=4)\) | 72
3 Time Reduction in Linear Cryptanalysis for Bit-Oriented Block Ciphers
3.1 Linear Compression
In Matsui's improved linear cryptanalysis [14], the attacker can pre-construct a table to store the plaintexts and ciphertexts. We call this pre-construction procedure linear compression, since its purpose is to reduce the number of effective states by compressing the linear part. The details of the compression are as follows.
If y is linear in multiple bits of x and k, the linear bits can be combined first, and then the above linear compression can be applied. For example, let \(y=(x_0\oplus k_0)\oplus \cdots \oplus (x_t\oplus k_t) \oplus f_t(x'',k'')\), where \(x'',k''\) are the other bits of x and k respectively. We can initialize a new counter vector \(V'[x''x_0']\), where \(x_0'\) is the 1-bit XOR-sum of \(x_0,x_1,\ldots ,x_t\), and set \(V'[x''x_0']=\sum _{x_0\oplus \cdots \oplus x_t=x_0'}V[x]\). Let \(k_0'=k_0\oplus \cdots \oplus k_t\). The target value y becomes \(y=x_0'\oplus k_0'\oplus f_t(x'',k'')\) with counter vector \(V'[x''x_0']\), which is the case discussed above.
3.2 Dynamic Key-Guessing in Linear Attacks: Guess, Split and Combine
The AND operation in Simon generates the situations discussed above. Let \(x,k\in \mathbb {F}_2^2\) and \( y=f(x,k)=(x_0\oplus k_0) \& (x_1\oplus k_1)\). V[x] denotes the count of x. With the straightforward method, calculating the correlations for all k needs time \(2^{2+2}=2^4\). If one side of the AND in f(x, k) is 0, y is 0 without knowing the value of the other side. Exploiting this property, we can improve the time complexity of calculating the correlations. First, we guess one bit of k, e.g. \(k_0\). Then we split the x into two sets and compute the correlations in each set. At last, we combine the correlations according to the guessed keys.
GUESS \(k_0\) and SPLIT the x into two sets:
- For the x with \(x_0=k_0\), initialize a counter \(T_0\) and set \(T_0=V[0x_0]+V[1x_0]\).
- For the x with \(x_0=k_0\oplus 1\), initialize a counter \(T_1\) and set \(T_1=V[0x_0]-V[1x_0]\) (linear compression).
COMBINE: \(B(y)=T_0+(-1)^{k_1}T_1\) (\(k_1\) is a related bit).

So in total it needs \(2(1+1+2)=2^3\) additions to compute the correlations for all k, which improves the time complexity compared with the straightforward method. Although 2 bits of k are involved in the attack, we guess only one bit and do some computations, while the other bit is only involved in the final combination. This can be viewed as reducing the number of guessed key bits from 2 to 1. Moreover, this technique adapts to more complicated Boolean functions, where the number of key (or equivalent key) bits can be reduced significantly. Some cases are discussed in Appendix A.
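As an added illustration of Sects. 3.1 and 3.2 (example code, not the paper's), the following computes the counters \(B(y)=\sum_x V[x](-1)^{f(x,k)}\) for \(y=(x_0\oplus k_0)\&(x_1\oplus k_1)\) both by the straightforward method and by guess, split and combine, counting additions to confirm the \(2^4\) versus \(2^3\) figures; the counter vector V[x] is built from a constructed sample.

```python
"""Guess, split and combine for y = (x0 ^ k0) & (x1 ^ k1), x, k in F_2^2.

Added example, not code from the paper. B(y) = sum_x V[x] * (-1)^f(x,k)
is the counter whose value gives the empirical correlation of y under
key k. V[x] is a constructed counter vector (number of texts with
value x), indexed by the tuple (x0, x1).
"""
from itertools import product

BITS = (0, 1)


def f(x0, x1, k0, k1):
    """The AND-type Boolean function of Sect. 3.2."""
    return (x0 ^ k0) & (x1 ^ k1)


def straightforward(V):
    """Sum over all 2^2 x for each of the 2^2 keys: 2^4 signed additions."""
    B, adds = {}, 0
    for k0, k1 in product(BITS, repeat=2):
        acc = 0
        for x0, x1 in product(BITS, repeat=2):
            acc += V[(x0, x1)] * (-1) ** f(x0, x1, k0, k1)
            adds += 1
        B[(k0, k1)] = acc
    return B, adds


def guess_split_combine(V):
    """GUESS k0, SPLIT x on x0 ^ k0, COMBINE with k1 as a related bit."""
    B, adds = {}, 0
    for k0 in BITS:
        # Set 1: x0 == k0, so (x0 ^ k0) = 0 and y = 0 whatever k1 is.
        # Every text contributes +1; one addition.
        T0 = V[(k0, 0)] + V[(k0, 1)]
        # Set 2: x0 == k0 ^ 1, so y = x1 ^ k1 is linear in x1.
        # Linear compression: fold x1 in now, keep k1 as a sign for later.
        T1 = V[(k0 ^ 1, 0)] - V[(k0 ^ 1, 1)]
        adds += 2
        for k1 in BITS:
            # (-1)^(x1 ^ k1) = (-1)^k1 * (-1)^x1: the related bit k1 only
            # flips the sign of the compressed counter T1.
            B[(k0, k1)] = T0 + (-1) ** k1 * T1
            adds += 1
    return B, adds


def counter_vector(samples):
    """Count how often each 2-bit value (x0, x1) occurs in the samples."""
    V = {x: 0 for x in product(BITS, repeat=2)}
    for x in samples:
        V[x] += 1
    return V


# Constructed sample of 2-bit values x = (x0, x1); any multiset works.
SAMPLE = [(0, 0)] * 5 + [(0, 1)] * 3 + [(1, 0)] * 7 + [(1, 1)] * 2

if __name__ == "__main__":
    V = counter_vector(SAMPLE)
    B_ref, n_ref = straightforward(V)
    B_fast, n_fast = guess_split_combine(V)
    assert B_ref == B_fast
    print(B_fast, n_ref, n_fast)  # same counters, 16 vs 8 additions
```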
4 Linear Cryptanalysis on Simon
Table 3. Linear hulls for Simon

BS | Input active bits | Output active bits | ALH | #R | Ref
32 | \(X^i_{L,6}\) | \(X^{i+13}_{R,14}\) | \(2^{-31.69}\) | 13 | [1]
32 | \(X^i_{L,5}\) | \(X^{i+13}_{R,13}\) | \(2^{-30.19}\) | 13 | [17]
32 | \(X^i_{L,0}\) | \(X^{i+14}_{L,8},X^{i+14}_{R,6}\) | \(2^{-32.56}\) | 14 | [1]
48 | \(X^i_{L,7},X^i_{L,11},X^i_{L,19},X^i_{R,9},X^i_{R,17}\) | \(X^{i+15}_{L,5},X^{i+15}_{R,3},X^{i+15}_{R,7},X^{i+15}_{R,11},X^{i+15}_{R,19}\) | \(2^{-44.11}\) | 15 | [1]
48 | \(X^i_{L,6},X^i_{L,14},X^i_{L,18},X^i_{L,22},X^i_{R,16}\) | \(X^{i+15}_{L,4},X^{i+15}_{L,20},X^{i+15}_{R,6},X^{i+15}_{R,18},X^{i+15}_{R,20},X^{i+15}_{R,22}\) | \(2^{-42.28}\) | 15 | [17]
48 | \(X^{i}_{L,1},X^{i}_{L,5}, X^{i}_{L,21}, X^{i}_{R,23}\) | \(X^{i+16}_{L,1}, X^{i+16}_{L,5}, X^{i+16}_{R,23}\) | \(2^{-44.92}\) | 16 | [18]
64 | \(X^i_{L,20},X^i_{L,24},X^i_{R,22}\) | \(X^{i+21}_{L,22},X^{i+21}_{R,20},X^{i+21}_{R,24}\) | \(2^{-62.53}\) | 21 | [1]
64 | \(X^i_{L,6}\) | \(X^{i+21}_{L,0},X^{i+21}_{R,2},X^{i+21}_{R,6},X^{i+21}_{R,30}\) | \(2^{-60.72}\) | 21 | [17]
64 | \(X^i_{L,3},X^i_{L,27},X^i_{L,31},X^i_{R,29}\) | \(X^{i+22}_{L,3},X^{i+22}_{R,1},X^{i+22}_{R,2}\) | \(2^{-63.83}\) | 22 | [17]
96 | \(X^i_{L,2},X^i_{L,34},X^i_{L,38},X^i_{L,42},X^i_{R,36}\) | \(X^{i+30}_{L,2},X^{i+30}_{L,42},X^{i+30}_{L,46},X^{i+30}_{R,0},X^{i+30}_{R,40}\) | \(2^{-94.2}\) | 30 | [1]
128 | \(X^i_{L,2},X^i_{L,58},X^i_{L,62},X^i_{R,60}\) | \(X^{i+41}_{L,60},X^{i+41}_{R,0},X^{i+41}_{R,2},X^{i+41}_{R,58},X^{i+41}_{R,62}\) | \(2^{-126.6}\) | 41 | [1]
4.1 Linear Hulls of Simon
Some linear hulls have been proposed recently in [1, 17, 18], and they are displayed in Table 3. Abdelraheem et al. [1] took advantage of the connection between linear and differential characteristics for Simon and transformed the differential characteristics proposed in [2, 9] directly into linear characteristics. Similarly, differentials can be transformed into linear hulls. They also found a new 14-round linear hull for Simon32/64 by constructing the squared correlation matrix to compute the average squared correlation. Shi et al. [17] searched for linear characteristics with the same input and output masks using Mixed-Integer Linear Programming modelling, which was first investigated for searching differential characteristics of bit-oriented block ciphers [19] and later extended to searching linear characteristics (hulls) [18].
Similar to the rotational property of integral distinguishers and zero-correlation linear hulls shown in [21], more linear hulls can be constructed as follows.
Property 1
Assume that \(X^i_{L,j_0^0},\ldots , X^i_{L,j_{t_0}^0}, X^i_{R,j_0^1},\ldots , X^i_{R,j_{t_1}^1}\rightarrow X^{i+r}_{L,j_0^2},\ldots , X^{i+r}_{L,j_{t_2}^2},\) \( X^{i+r}_{R,j_0^3},\ldots , X^{i+r}_{R,j_{t_3}^3}\) is an r-round linear hull with potential \(\bar{\epsilon }^2\) for Simon2n, where \(j_0^0,\ldots ,j_{t_0}^0,j_0^1,\ldots ,j_{t_1}^1,j_0^2,\ldots ,j_{t_2}^2,j_0^3,\ldots ,j_{t_3}^3 \in \{0,\ldots , n-1\}\). Let \(j^{p,s}_{q}= (j^{p}_{q}+s) \text { mod } n\), where \(p=0,\ldots ,3\) and \(q=0,\ldots ,t_p\). Then for \(0\le s \le n-1\), the potential of the r-round linear hull \(X^i_{L,j_0^{0,s}},\ldots , X^i_{L,j_{t_0}^{0,s}}, X^i_{R,j_0^{1,s}},\ldots , X^i_{R,j_{t_1}^{1,s}}\rightarrow X^{i+r}_{L,j_0^{2,s}},\ldots , X^{i+r}_{L,j_{t_2}^{2,s}}, X^{i+r}_{R,j_0^{3,s}},\ldots , X^{i+r}_{R,j_{t_3}^{3,s}}\) for Simon2n is also \(\bar{\epsilon }^2\).
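Property 1 rests on the rotational symmetry of the Simon round: rotating the plaintext and every round key by s bits rotates every intermediate state by s bits, so the hull's parity bit is unchanged when all active bit positions are shifted by s. The following added example (not the paper's code) checks this on the 13-round Simon32 hull of [17] from Table 3; round keys are taken as independent random values (the linear-hull model), and the key schedule is not implemented.

```python
"""Rotational symmetry of Simon2n, the property behind Property 1.

Added example, not code from the paper. Round keys K^r are independent
random values (no key schedule). Rotating plaintext and keys by s bits
rotates the ciphertext by s bits, so the parity bit of a linear hull
is unchanged when its active bit positions are shifted by s.
"""
import random


def rotl(x, s, n):
    """Left circular shift of the n-bit value x by s bits (x <<< s)."""
    s %= n
    mask = (1 << n) - 1
    return ((x << s) | (x >> (n - s))) & mask


def simon_f(x, n):
    """F(x) = ((x <<< 1) & (x <<< 8)) ^ (x <<< 2), from the notation table."""
    return (rotl(x, 1, n) & rotl(x, 8, n)) ^ rotl(x, 2, n)


def simon_rounds(xl, xr, round_keys, n):
    """One Feistel round per key:
    X^{r+1}_L = X^r_R ^ F(X^r_L) ^ K^r,  X^{r+1}_R = X^r_L."""
    for k in round_keys:
        xl, xr = xr ^ simon_f(xl, n) ^ k, xl
    return xl, xr


def parity(xl, xr, left_bits, right_bits):
    """XOR-sum of the active bits (x_{i_1,...,i_t} in the paper)."""
    p = 0
    for i in left_bits:
        p ^= (xl >> i) & 1
    for i in right_bits:
        p ^= (xr >> i) & 1
    return p


def shift_bits(bits, s, n):
    """j -> (j + s) mod n, the index map of Property 1."""
    return [(j + s) % n for j in bits]


def rotation_symmetric(n, rounds, s, in_l, in_r, out_l, out_r,
                       trials=200, seed=1):
    """On random texts and round keys, check that rotating data and keys
    by s rotates the ciphertext by s, and that the hull's parity bit
    (input XOR output active bits) is unchanged under the shifted masks."""
    rng = random.Random(seed)
    for _ in range(trials):
        pl, pr = rng.getrandbits(n), rng.getrandbits(n)
        keys = [rng.getrandbits(n) for _ in range(rounds)]
        cl, cr = simon_rounds(pl, pr, keys, n)
        rl, rr = simon_rounds(rotl(pl, s, n), rotl(pr, s, n),
                              [rotl(k, s, n) for k in keys], n)
        if (rl, rr) != (rotl(cl, s, n), rotl(cr, s, n)):
            return False
        bit = parity(pl, pr, in_l, in_r) ^ parity(cl, cr, out_l, out_r)
        bit_s = (parity(rotl(pl, s, n), rotl(pr, s, n),
                        shift_bits(in_l, s, n), shift_bits(in_r, s, n))
                 ^ parity(rl, rr, shift_bits(out_l, s, n),
                          shift_bits(out_r, s, n)))
        if bit != bit_s:
            return False
    return True


if __name__ == "__main__":
    # 13-round Simon32 hull of [17] in Table 3: X^i_{L,5} -> X^{i+13}_{R,13}.
    for s in range(16):
        assert rotation_symmetric(16, 13, s, [5], [], [], [13])
    print("Property 1 symmetry holds for all 16 rotations of Simon32")
```

Because the set of all round keys is closed under rotation, equal parity bits under rotated keys imply equal key-averaged potentials, which is the statement of Property 1.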
Experimental bias of the 13-round linear hull of Simon32

\(\epsilon ^2=(p-1/2)^2\) | Number | Number/600
\(\epsilon ^2 \ge 2^{-27.19}\) | 7 | 0.012
\(2^{-27.19}>\epsilon ^2 \ge 2^{-28.19}\) | 21 | 0.035
\(2^{-28.19}>\epsilon ^2 \ge 2^{-29.19}\) | 58 | 0.097
\(2^{-29.19}>\epsilon ^2 \ge 2^{-30.19}\) | 72 | 0.12
\(2^{-30.19}>\epsilon ^2 \ge 2^{-31.19}\) | 104 | 0.173
\(\epsilon ^2 < 2^{-31.19}\) | 338 | 0.563
From the table, we know that about \(26.4\,\%\) of the keys have \(\epsilon ^2 \ge 2^{-30.19}\). So \(2^{-30.19}\) is a little optimistic for the other \(73.6\,\%\) of the keys. However, this linear hull distinguisher is interesting, and in the following we give the key recovery procedure using this linear hull. Also, we implement the 21-round attack on Simon32, and the results show that we can decrease the candidate key space by 8 bits when the potential under the real key is large.
4.2 Improved Key Recovery Attack on Simon32/64
4 rounds before \(X^{i}_{L,5}\) for Simon32

x | Representation of \(x_i\) | k | Representation of \(k_i\)
\(x_0\) | \( X^{i-4}_{L,13}\oplus (X^{i-4}_{L,14} \& X^{i-4}_{L,7})\oplus X^{i-4}_{R,15}\oplus X^{i-4}_{L,1}\oplus X^{i-4}_{L,5}\) | \( k_0\) | \(K^{i-4}_{15}\oplus K^{i-3}_{1}\oplus K^{i-3}_{5}\oplus K^{i-2}_{3}\oplus K^{i-1}_{5}\)
\(x_1\) | \( X^{i-4}_{L,14}\oplus (X^{i-4}_{L,15} \& X^{i-4}_{L,8})\oplus X^{i-4}_{R,0}\) | \( k_1\) | \(K^{i-4}_{0}\)
\(x_2\) | \( X^{i-4}_{L,7}\oplus (X^{i-4}_{L,8} \& X^{i-4}_{L,1})\oplus X^{i-4}_{R,9}\) | \( k_2\) | \(K^{i-4}_{9}\)
\(x_3\) | \( X^{i-4}_{L,2}\oplus (X^{i-4}_{L,3} \& X^{i-4}_{L,12})\oplus X^{i-4}_{R,4}\) | \( k_3\) | \(K^{i-4}_{4}\)
\(x_4\) | \( X^{i-4}_{L,11}\oplus (X^{i-4}_{L,12} \& X^{i-4}_{L,5})\oplus X^{i-4}_{R,13}\) | \( k_4\) | \(K^{i-4}_{13}\)
\(x_5\) | \( X^{i-4}_{L,14}\oplus (X^{i-4}_{L,15} \& X^{i-4}_{L,8})\oplus X^{i-4}_{R,0}\oplus X^{i-4}_{L,2}\) | \( k_5\) | \(K^{i-4}_{0}\oplus K^{i-3}_{2}\)
\(x_6\) | \( X^{i-4}_{L,15}\oplus (X^{i-4}_{L,0} \& X^{i-4}_{L,9})\oplus X^{i-4}_{R,1}\) | \( k_6\) | \(K^{i-4}_{1}\)
\(x_7\) | \( X^{i-4}_{L,8}\oplus (X^{i-4}_{L,9} \& X^{i-4}_{L,2})\oplus X^{i-4}_{R,10}\) | \( k_7\) | \(K^{i-4}_{10}\)
\(x_8\) | \( X^{i-4}_{L,7}\oplus (X^{i-4}_{L,8} \& X^{i-4}_{L,1})\oplus X^{i-4}_{R,9}\oplus X^{i-4}_{L,11}\) | \( k_8\) | \(K^{i-4}_{9}\oplus K^{i-3}_{11}\)
\(x_9\) | \( X^{i-4}_{L,1}\oplus (X^{i-4}_{L,2} \& X^{i-4}_{L,11})\oplus X^{i-4}_{R,3}\) | \( k_9\) | \(K^{i-4}_{3}\)
\(x_{10}\) | \( X^{i-4}_{L,14}\oplus (X^{i-4}_{L,15} \& X^{i-4}_{L,8})\oplus X^{i-4}_{R,0} \oplus (X^{i-4}_{L,3} \& X^{i-4}_{L,12})\oplus X^{i-4}_{R,4}\) | \( k_{10}\) | \(K^{i-4}_{0}\oplus K^{i-3}_{2}\oplus K^{i-4}_{4}\oplus K^{i-2}_{4}\)
\(x_{11}\) | \( X^{i-4}_{L,15}\oplus (X^{i-4}_{L,0} \& X^{i-4}_{L,9})\oplus X^{i-4}_{R,1}\oplus X^{i-4}_{L,3}\) | \( k_{11}\) | \(K^{i-4}_{1}\oplus K^{i-3}_{3}\)
\(x_{12}\) | \( X^{i-4}_{L,0}\oplus (X^{i-4}_{L,1} \& X^{i-4}_{L,10})\oplus X^{i-4}_{R,2}\) | \( k_{12}\) | \(K^{i-4}_{2}\)
\(x_{13}\) | \( X^{i-4}_{L,9}\oplus (X^{i-4}_{L,10} \& X^{i-4}_{L,3})\oplus X^{i-4}_{R,11}\) | \( k_{13}\) | \(K^{i-4}_{11}\)
\(x_{14}\) | \( X^{i-4}_{L,8}\oplus (X^{i-4}_{L,9} \& X^{i-4}_{L,2})\oplus X^{i-4}_{R,10}\oplus X^{i-4}_{L,12}\) | \( k_{14}\) | \(K^{i-4}_{10}\oplus K^{i-3}_{12}\)
\(x_{15}\) | \( X^{i-4}_{L,7}\oplus (X^{i-4}_{L,8} \& X^{i-4}_{L,1})\oplus X^{i-4}_{R,9} \oplus (X^{i-4}_{L,12} \& X^{i-4}_{L,5})\oplus X^{i-4}_{R,13}\) | \( k_{15}\) | \(K^{i-4}_{9}\oplus K^{i-3}_{11}\oplus K^{i-4}_{13}\oplus K^{i-2}_{13}\)
\(x_{16}\) | \( X^{i-4}_{L,1}\oplus (X^{i-4}_{L,2} \& X^{i-4}_{L,11})\oplus X^{i-4}_{R,3}\oplus X^{i-4}_{L,5}\) | \( k_{16}\) | \(K^{i-4}_{3}\oplus K^{i-3}_{5}\)
4 rounds after \(X^{i+13}_{R,13}\) for Simon32

x | Representation of \(x_i\) | k | Representation of \(k_i\)
\(x_0\) | \( X^{i+17}_{R,5}\oplus (X^{i+17}_{R,6} \& X^{i+17}_{R,15})\oplus X^{i+17}_{L,7}\oplus X^{i+17}_{R,9}\oplus X^{i+17}_{R,13}\) | \( k_0\) | \(K^{i+16}_{7}\oplus K^{i+15}_{9}\oplus K^{i+15}_{13}\oplus K^{i+14}_{11}\oplus K^{i+13}_{13}\)
\(x_1\) | \( X^{i+17}_{R,6}\oplus (X^{i+17}_{R,7} \& X^{i+17}_{R,0})\oplus X^{i+17}_{L,8}\) | \( k_1\) | \(K^{i+16}_{8}\)
\(x_2\) | \( X^{i+17}_{R,15}\oplus (X^{i+17}_{R,0} \& X^{i+17}_{R,9})\oplus X^{i+17}_{L,1}\) | \( k_2\) | \(K^{i+16}_{1}\)
\(x_3\) | \( X^{i+17}_{R,10}\oplus (X^{i+17}_{R,11} \& X^{i+17}_{R,4})\oplus X^{i+17}_{L,12}\) | \( k_3\) | \(K^{i+16}_{12}\)
\(x_4\) | \( X^{i+17}_{R,3}\oplus (X^{i+17}_{R,4} \& X^{i+17}_{R,13})\oplus X^{i+17}_{L,5}\) | \( k_4\) | \(K^{i+16}_{5}\)
\(x_5\) | \( X^{i+17}_{R,6}\oplus (X^{i+17}_{R,7} \& X^{i+17}_{R,0})\oplus X^{i+17}_{L,8}\oplus X^{i+17}_{R,10}\) | \( k_5\) | \(K^{i+16}_{8}\oplus K^{i+15}_{10}\)
\(x_6\) | \( X^{i+17}_{R,7}\oplus (X^{i+17}_{R,8} \& X^{i+17}_{R,1})\oplus X^{i+17}_{L,9}\) | \( k_6\) | \(K^{i+16}_{9}\)
\(x_7\) | \( X^{i+17}_{R,0}\oplus (X^{i+17}_{R,1} \& X^{i+17}_{R,10})\oplus X^{i+17}_{L,2}\) | \( k_7\) | \(K^{i+16}_{2}\)
\(x_8\) | \( X^{i+17}_{R,15}\oplus (X^{i+17}_{R,0} \& X^{i+17}_{R,9})\oplus X^{i+17}_{L,1}\oplus X^{i+17}_{R,3}\) | \( k_8\) | \(K^{i+16}_{1}\oplus K^{i+15}_{3}\)
\(x_9\) | \( X^{i+17}_{R,9}\oplus (X^{i+17}_{R,10} \& X^{i+17}_{R,3})\oplus X^{i+17}_{L,11}\) | \( k_9\) | \(K^{i+16}_{11}\)
\(x_{10}\) | \( X^{i+17}_{R,6}\oplus (X^{i+17}_{R,7} \& X^{i+17}_{R,0})\oplus X^{i+17}_{L,8} \oplus (X^{i+17}_{R,11} \& X^{i+17}_{R,4})\oplus X^{i+17}_{L,12}\) | \( k_{10}\) | \(K^{i+16}_{8}\oplus K^{i+15}_{10}\oplus K^{i+16}_{12}\oplus K^{i+14}_{12}\)
\(x_{11}\) | \( X^{i+17}_{R,7}\oplus (X^{i+17}_{R,8} \& X^{i+17}_{R,1})\oplus X^{i+17}_{L,9}\oplus X^{i+17}_{R,11}\) | \( k_{11}\) | \(K^{i+16}_{9}\oplus K^{i+15}_{11}\)
\(x_{12}\) | \( X^{i+17}_{R,8}\oplus (X^{i+17}_{R,9} \& X^{i+17}_{R,2})\oplus X^{i+17}_{L,10}\) | \( k_{12}\) | \(K^{i+16}_{10}\)
\(x_{13}\) | \( X^{i+17}_{R,1}\oplus (X^{i+17}_{R,2} \& X^{i+17}_{R,11})\oplus X^{i+17}_{L,3}\) | \( k_{13}\) | \(K^{i+16}_{3}\)
\(x_{14}\) | \( X^{i+17}_{R,0}\oplus (X^{i+17}_{R,1} \& X^{i+17}_{R,10})\oplus X^{i+17}_{L,2}\oplus X^{i+17}_{R,4}\) | \( k_{14}\) | \(K^{i+16}_{2}\oplus K^{i+15}_{4}\)
\(x_{15}\) | \( X^{i+17}_{R,15}\oplus (X^{i+17}_{R,0} \& X^{i+17}_{R,9})\oplus X^{i+17}_{L,1} \oplus (X^{i+17}_{R,4} \& X^{i+17}_{R,13})\oplus X^{i+17}_{L,5}\) | \( k_{15}\) | \(K^{i+16}_{1}\oplus K^{i+15}_{3}\oplus K^{i+16}_{5}\oplus K^{i+14}_{5}\)
\(x_{16}\) | \( X^{i+17}_{R,9}\oplus (X^{i+17}_{R,10} \& X^{i+17}_{R,3})\oplus X^{i+17}_{L,11}\oplus X^{i+17}_{R,13}\) | \( k_{16}\) | \(K^{i+16}_{11}\oplus K^{i+15}_{13}\)
Compute \(B^{k'}(y)\) with counter vector \(V_1'[x']\) and Boolean function \(f'\). (For simplicity, we call this procedure Procedure A.) Although \(x'\) is a 16-bit value, there are only \(2^{14}\) possible values for \(x'\), as explained above. We use the guess, split and combine technique to decrease the time complexity of computing \(B^{k'}(y)\) with counter vector \(V_1'[x']\) and Boolean function \(y=f'\) for the \(2^{16}\) key values \(k'\).
1. Guess \(k_1,k_3,k_7\) and split the plaintexts into 8 sets according to the value \((x_1\oplus k_1, x_3\oplus k_3, x_7\oplus k_7)\). The simplifications of \(f'(x',k')\) after guessing these keys are shown in Table 7.
   The representations of \(f_{ij}\) are as follows,
   $$\begin{aligned}
   f_{00}=&((x_5\oplus k_5) \& (x_8\oplus k_8))\oplus \{(x_{10}\oplus k_{10} \oplus [(x_{11}\oplus k_{11}\oplus ((x_{12}\oplus k_{12}) \& (x_{13}\oplus k_{13})))\\
   & \& (x_{14}\oplus k_{14} )]) \& (x_{15}\oplus k_{15}\oplus [(x_{14}\oplus k_{14}) \& (x_{16}\oplus k_{16})]) \},\\
   f_{01}=&((x_{5,6}\oplus k_{5,6}) \& (x_{8,9}\oplus k_{8,9}))\oplus \{ (x_{6,10}\oplus k_{6,10} \oplus [(x_{11}\oplus k_{11}\oplus ((x_{12}\oplus k_{12})\\
   & \& (x_{13}\oplus k_{13}))) \& (x_{14}\oplus k_{14} )]) \& (x_{9,15}\oplus k_{9,15}\oplus [(x_{14}\oplus k_{14}) \& (x_{16}\oplus k_{16})]) \},\\
   f_{10}=&((x_5\oplus k_5) \& (x_8\oplus k_8))\oplus \{(x_{10}\oplus k_{10} \oplus [(x_{11}\oplus k_{11}\oplus ((x_{12}\oplus k_{12}) \& (x_{13}\oplus k_{13})))\\
   & \& (x_{13,14}\oplus k_{13,14} )]) \& (x_{15}\oplus k_{15}\oplus [(x_{13,14}\oplus k_{13,14}) \& (x_{4,16}\oplus k_{4,16})]) \},\\
   f_{11}=&((x_{5,6}\oplus k_{5,6}) \& (x_{8,9}\oplus k_{8,9}))\oplus \{ (x_{6,10}\oplus k_{6,10} \oplus [(x_{11}\oplus k_{11}\oplus ((x_{12}\oplus k_{12}) \& (x_{13}\\
   &\oplus k_{13}))) \& (x_{13,14}\oplus k_{13,14} )]) \& (x_{9,15}\oplus k_{9,15}\oplus [(x_{13,14}\oplus k_{13,14}) \& (x_{4,16}\oplus k_{4,16})]) \}.
   \end{aligned}$$
   Table 7. Simplification of \(f'(x',k')\) after guessing \(k_1,k_3,k_7\)

   Guess | \(x_1\oplus k_1,x_3\oplus k_3,x_7\oplus k_7\) | \(f'\) | Related bit
   \(k_1,k_3,k_7\) | 0,0,0 | \(f_{00}\) |
   | 0,0,1 | \(f_{01}\) |
   | 0,1,0 | \(f_{10}\) | \(k_4\)
   | 0,1,1 | \(f_{11}\) | \(k_4\)
   | 1,0,0 | \(f_{00}\) | \(k_2\)
   | 1,0,1 | \(f_{01}\) | \(k_2\)
   | 1,1,0 | \(f_{10}\) | \(k_{2,4}\)
   | 1,1,1 | \(f_{11}\) | \(k_{2,4}\)
   The counter vectors for \(x'\) can be compressed in a further step according to the new representations of \(f'\). For example, if \((x_1\oplus k_1, x_3\oplus k_3, x_7\oplus k_7)=(0,0,0)\), \(f'\) is equal to the formula \(f_{00}\), which is independent of \(x_2,x_4,x_6,x_9\). So we compress the corresponding counters into a new counter \(V_{000}\), and
   $$V_{000}[x_5,x_8,x_{10}-x_{16}]=\sum _{ x_1=k_1,x_3=k_3,x_7=k_7, x_2\in \mathbb {F}_2,x_4\in \mathbb {F}_2,x_6\in \mathbb {F}_2,x_9 \in \mathbb {F}_2 }V_1'[x'].$$
   Notice that \(x_{10}=x_3\oplus x_5\), so there are 8 independent x bits among \(x_5,x_8,x_{10}-x_{16}\). Notice also that \(x_{15}=x_{4}\oplus x_8\), so for a fixed value of \(x_5,x_8,x_{10}-x_{16}\) the above sum takes 7 additions. Hence generating this new counter vector needs \(2^8\times 7\) additions.
   We give another example to illustrate the situations with a related key bit. If \((x_1\oplus k_1,x_3\oplus k_3,x_7\oplus k_7)= (1,0,0)\), then \(f'=(x_2\oplus k_2) \oplus f_{00}\). Notice that in this subset \(f'\) is linear in \(x_2\oplus k_2\), so \(x_2\) can be compressed into the new counters with related key \(k_2\). The new counter vector \(V_{100}\) is as follows,
   $$V_{100}[x_5,x_8,x_{10}-x_{16}]=\sum _{ x_1=k_1\oplus 1,x_3=k_3,x_7=k_7, x_2\in \mathbb {F}_2,x_4\in \mathbb {F}_2,x_6\in \mathbb {F}_2,x_9 \in \mathbb {F}_2 }(-1)^{x_2}V_1'[x'].$$
   Again there are 8 independent x bits among \(x_5,x_8,x_{10}-x_{16}\), and for each fixed value the new counter is obtained with 7 additions according to the above equation.
   The procedures to generate the new counter vectors for the other cases are similar to those for case \((x_1\oplus k_1,x_3\oplus k_3, x_7\oplus k_7)=(0,0,0)\) or (1, 0, 0). Moreover, the time complexity to split the plaintexts and construct the new counter vectors is the same for each case. Observing the four functions \(f_{00},f_{01},f_{10}\) and \(f_{11}\), we see that they have the same form. In the following step, we explain the attack procedure for case \((x_1\oplus k_1,x_3\oplus k_3, x_7\oplus k_7)=(0,0,0)\) in detail; the others are handled in the same way.
   Note that there are 9 subkey bits in each of the functions \(f_{00}, f_{01}, f_{10}\) and \(f_{11}\) after guessing \(k_1, k_3, k_7\). So this can be viewed as \(3+9=12\) subkey bits being involved in the attack, while 16 subkey bits are involved initially in \(f'\). In the following, the number of key bits is reduced in a further step.
   Table 8. Simplification of \(f_{00}\) after guessing \(k_5,k_{14}\)

   Guess | Value | \(f_{00}\) | Related bit
   \(k_5,k_{14} \) | 0,0 | \( (x_{10}\oplus k_{10}) \& (x_{15}\oplus k_{15})\) |
   | 0,1 | \( (x_{10,11}\oplus k_{10,11}\oplus ((x_{12}\oplus k_{12}) \& (x_{13}\oplus k_{13}))) \& (x_{15,16}\oplus k_{15,16})\) |
   | 1,0 | \( (x_{10}\oplus k_{10}) \& (x_{15}\oplus k_{15})\) | \(k_8\)
   | 1,1 | \( (x_{10,11}\oplus k_{10,11}\oplus ((x_{12}\oplus k_{12}) \& (x_{13}\oplus k_{13}))) \& (x_{15,16}\oplus k_{15,16})\) | \(k_8\)
2. For \(f_{00}\), guess \(k_5,k_{14}\) and split the plaintexts into 4 sets according to the value \((x_5\oplus k_5,x_{14}\oplus k_{14})\). The simplifications of \(f_{00}\) after guessing these keys are shown in Table 8.
   The time complexity of computing the counters' values \(B^{k_5,k_8,k_{10}-k_{16}}(y)\) with counter vector \(V_{000}\) and function \(f_{00}\) is as follows:
   (a) Guess \(k_5,k_{14}\) and split the states into four parts.
       i. \((x_5\oplus k_5,x_{14}\oplus k_{14})=(0,0)\)
          A. Since \(x_{10}=x_{3}\oplus x_{5}\), \(x_5=k_5\) and \(x_{3}=k_3\) (the first case in Table 7), \(x_{10}\) is fixed here. There is one variable bit \(x_{15}\) to store. Let \(V_{000}^{00}[x_{10},x_{15}]\) store the number of \((x_{10},x_{15})\). There is
             $$V_{000}^{00}[x_{10},x_{15}]=\sum _{x_5=k_5,x_{14}=k_{14}}V_{000}[x_5,x_8,x_{10}-x_{16}].$$
             There are two possible values for \((x_{10},x_{15})\) here, and for each value the above sum needs \(2^5-1\) additions (5 variable bits \((x_8, x_{11},x_{12},x_{13},x_{16})\)). So generating the new counter vector needs \(2 \times (2^{5}-1)=2^6-2\) additions.
          B. Computing \(B_{00}^{k_{10},k_{15}}(y)\) with the new function (the first case in Table 8) and vector \(V_{000}^{00}\): if \(k_{10}=x_{10}\), \(B_{00}^{k_{10},k_{15}}(y)=V_{000}^{00}[x_{10},0]+V_{000}^{00}[x_{10},1]\); if \(k_{10}=x_{10}\oplus 1\), \(B_{00}^{k_{10},k_{15}}(y)=(-1)^{k_{15}}(V_{000}^{00}[x_{10},0]-V_{000}^{00}[x_{10},1])\). So in total there are no more than \(2^2\) additions.
       ii. \((x_5\oplus k_5,x_{14}\oplus k_{14})=(0,1)\)
          A. There are 4 variable bits \((x_{10,11}, x_{12}, x_{13}, x_{15,16})\) to store. Let \(V_{000}^{01}[x_{10,11},x_{12},x_{13},x_{15,16}]\) store the counter number of \((x_{10,11},x_{12},x_{13},x_{15,16})\). There is
             $$V_{000}^{01}[x_{10,11},x_{12},x_{13},x_{15,16}]=\sum _{x_5=k_5,x_{14}=k_{14}\oplus 1}V_{000}[x_5,x_8,x_{10}-x_{16}].$$
             For each possible value of \((x_{10,11}, x_{12}, x_{13}, x_{15,16})\), the above sum needs \(2^2-1\) additions (2 free variables \((x_{8},x_{15})\); \(x_{10}\) is fixed, \(x_{11}=x_{10}\oplus x_{10,11}\) and \(x_{16} = x_{15}\oplus x_{15,16}\)). So generating the new counter vector needs \( 2^4\times (2^2-1)=2^6-2^4\) additions.
          B. Partial \(B_{01}^{k_{10,11},k_{12},k_{13},k_{15,16}}(y)\) with the new function and vector \(V_{000}^{01}\): \(2^{5.64}\) additions (see \(f_3\) in Appendix A).
       iii. \((x_5\oplus k_5,x_{14}\oplus k_{14})=(1,0)\)
          A. Similar to the first case in Step 2(a)i, let \(V_{000}^{10}[x_{10},x_{15}]\) store the number of \((x_{10},x_{15})\). There is
             $$V_{000}^{10}[x_{10},x_{15}]=\sum _{x_5=k_5\oplus 1,x_{14}=k_{14}}(-1)^{x_8}V_{000}[x_5,x_8,x_{10}-x_{16}].$$
             So generating the new counter vector also needs \(2 \times (2^{5}-1)=2^6-2\) additions. \(k_8\) becomes a related bit.
          B. Partial \(B_{10}^{k_{10},k_{15}}(y)\) with the new function and vector \(V_{000}^{10}\): \(2^2\) additions (same as case (0, 0)).
       iv. \((x_5\oplus k_5,x_{14}\oplus k_{14})=(1,1)\)
          A. Similar to the second case in Step 2(a)ii, let \(V_{000}^{11}[x_{10,11},x_{12},x_{13},x_{15,16}]\) store the counter number of \((x_{10,11},x_{12},x_{13},x_{15,16})\). There is
             $$V_{000}^{11}[x_{10,11},x_{12},x_{13},x_{15,16}]=\sum _{x_5=k_5\oplus 1,x_{14}=k_{14}\oplus 1}(-1)^{x_8}V_{000}[x_5,x_8,x_{10}-x_{16}].$$
             So generating the new counter vector needs \( 2^4\times (2^2-1)=2^6-2^4\) additions. \(k_8\) becomes a related bit.
          B. Partial \(B_{11}^{k_{10,11},k_{12},k_{13},k_{15,16}}(y)\) with the new function and vector \(V_{000}^{11}\): \(2^{5.64}\) additions (see \(f_3\) in Appendix A).
   (b) For each of the \(2^9\) keys involved in \(f_{00}\), the partial \(B^{k_5,k_8,k_{10}-k_{16}}(y)\) with function \(y=f_{00}\) and counter vector \(V_{000}\) under key guess \(k_5,k_{14}\) is
       $$B^{k_5,k_8,k_{10}-k_{16}}(y)=(B_{00}^{k_{10},k_{15}}(y)+B_{01}^{k_{10,11},k_{12},k_{13},k_{15,16}}(y))+(-1)^{k_8}(B_{10}^{k_{10},k_{15}}(y)+B_{11}^{k_{10,11},k_{12},k_{13},k_{15,16}}(y)).$$
       We can add \(B_{00}^{k_{10},k_{15}}(y)\) and \(B_{01}^{k_{10,11},k_{12},k_{13},k_{15,16}}(y)\) first, then add \(B_{10}^{k_{10},k_{15}}(y)\) and \(B_{11}^{k_{10,11},k_{12},k_{13},k_{15,16}}(y)\), and at last add the two parts according to the index value and \(k_8\). The combination phase needs \(2^6+2^6+2^7=2^8\) additions in total when \(k_5,k_{14}\) are fixed.
   (c) In total, there are
       $$2^2\times ((2^6-2+2^2+2^6-2^4+2^{5.64})\times 2 + 2^8) \approx 2^{11.19}$$
       additions to compute \(B^{k_5,k_8,k_{10}-k_{16}}(y)\) for all \(2^9\) possible key values. Note that about 1 subkey bit is guessed in the first (or third) case of Step 2(a), and 1.5 subkey bits are guessed on average in the second (or fourth) case. So, although there are 9 subkey bits in total, only \(2+(1+1+1.5+1.5)/4=3.25\) bits on average are guessed with the dynamic key-guessing technique.
3. The time of computing \(B^{k'}(y)\) with counter vector \(V_1'[x']\) and Boolean function \(f'\) is shown in Table 9. \(T_1\) denotes the time of separating the plaintexts according to the guessed bits of k, \(T_2\) the time of the computation in the inner part, and \(T_3\) the time of the combination phase. When \(k_1,k_3,k_7\) are fixed, in each case \(T_1=2^8\times 7\) as explained in Step 1, and \(T_2\) is \(2^{11.19}\) as explained in Step 2. There are 13 bits of \(k'\) other than \(k_1,k_3,k_7\), leading to \(T_3=2^{13}\times 7\). Over all guesses of \(k_1,k_3,k_7\), the total time is about \(2^{19.46}\) additions.
Table 9. Time complexity of computing \(B^{k'}(y)\) with counter vector \(V_1'[x']\) and boolean function \(f'\) (\(T_3\) is spent once per guess of \(k_1,k_3,k_7\), after all eight cases)

| Guess | \(x_1\oplus k_1,x_3\oplus k_3,x_7\oplus k_7\) | \(f'\) | Related bit | \(T_1\) | \(T_2\) | \(T_3\) |
|---|---|---|---|---|---|---|
| \(k_1,k_3,k_7\) | 0,0,0 | \(f_{00}\) | | \(2^8\times 7\) | \(2^{11.19}\) | \(2^{13}\times 7\) |
| | 0,0,1 | \(f_{01}\) | | \(2^8\times 7\) | \(2^{11.19}\) | |
| | 0,1,0 | \(f_{10}\) | \(k_4\) | \(2^8\times 7\) | \(2^{11.19}\) | |
| | 0,1,1 | \(f_{11}\) | \(k_4\) | \(2^8\times 7\) | \(2^{11.19}\) | |
| | 1,0,0 | \(f_{00}\) | \(k_2\) | \(2^8\times 7\) | \(2^{11.19}\) | |
| | 1,0,1 | \(f_{01}\) | \(k_2\) | \(2^8\times 7\) | \(2^{11.19}\) | |
| | 1,1,0 | \(f_{10}\) | \(k_{2,4}\) | \(2^8\times 7\) | \(2^{11.19}\) | |
| | 1,1,1 | \(f_{11}\) | \(k_{2,4}\) | \(2^8\times 7\) | \(2^{11.19}\) | |
| Total time | \(((2^8\times 7+2^{11.19})\times 8+2^{13}\times 7)\times 2^3=2^{19.46}\) | | | | | |
Relation between bias and success probability using \(2^{31.19}\) data and setting advantage \(a=8\)

| Bias \(\epsilon^2\) | Success probability |
|---|---|
| \(\epsilon ^2 = 2^{-27.19}\) | \(p_0 \approx 1.000\) |
| \(\epsilon ^2 = 2^{-28.19}\) | \(p_1 \approx 0.997\) |
| \(\epsilon ^2 = 2^{-29.19}\) | \(p_2 \approx 0.864\) |
| \(\epsilon ^2 = 2^{-30.19}\) | \(p_3 \approx 0.477\) |
| \(\epsilon ^2 = 2^{-31.19}\) | \(p_4 \approx 0.188\) |
There are 32 subkey bits involved in this attack. With our attack method, only about \(6.25+6.25=12.5\) bits are guessed on average, which reduces the number of key bits greatly.
1. Compress the N plaintext-ciphertext pairs into the counter vector \(V_1[x_P',x_C']\) of size \(2^{14+14}\).
2. For each of the \(2^{14}\) values of \(x_C'\):
 (a) Call Procedure A. Store the counters according to \(x_C'\) and \(k_P'\).
3. For each of the \(2^{16}\) possible values of \(k_P'\):
 (a) Call Procedure A. Store the counters according to \(k_P'\) and \(k_C'\).
4. The keys whose counter values rank among the largest \(2^{32-8}=2^{24}\) values are taken as the right subkey candidates. Exploiting the key schedule and guessing some other bits, use two plaintext-ciphertext pairs to check the right key.
Time: (1) \(N=2^{31.19}\) compressions. (2) \(2^{14}\times 2^{19.46}=2^{33.46}\) additions. (3) \(2^{16}\times 2^{19.46}=2^{35.46}\) additions. So the time to compute the empirical bias for the subkeys involved is about \(2^{35.84}\) additions, while that given in [1] with a similar linear hull is \(2^{63.69}\). The time is improved significantly. Step (4) recovers the master key, which needs \(2^{64-8}=2^{56}\) 21-round encryptions. However, [1] does not give this step.
We also implemented the 21-round attack on Simon32 using \(2^{31.19}\) plaintext-ciphertext pairs. (The exhaustive search part of the attack is not included, since it would take about \(2^{64-8}=2^{56}\) encryptions, which takes too much time.) In the implementation, we set the main key randomly and collect \(2^{31.19}\) plaintext-ciphertext pairs (data collection part), then use the dynamic key-guessing techniques to recover 8 bits of key information about the 32 subkey bits (recovery part). We store the \(2^{32-8} = 2^{24}\) keys with large bias in a set S as the right key candidates, then compute the real 32 subkey bits from the main key and check whether they are in S. In the implementation, about 5 GB of memory is needed. The data collection part (\(2^{31.19}\) encryptions) takes about 11 minutes and the recovery part takes about 11 minutes too (using an Intel(R) Xeon(R) CPU E5-2620, 2.00 GHz). 1000 experiments were done and 277 of them were successful, giving an experimental success probability of about \(27.7\,\%\), which is consistent with the expected success probability.
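The two effects that Procedure A relies on (a subkey bit that enters the parity bit linearly only flips the sign of a partial counter, as \((-1)^{k_8}\) does in Step 2b, and an AND term makes the other operand's key bit irrelevant on every counter where the first operand is 0, which is why only 3.25 of 9 bits are guessed on average) and the advantage-based ranking of Step 4, shown on a three-bit toy parity function. This is an added illustration, not code from the paper; the function \(f\), the counter vector and all names are constructed for the example.

```python
# Added toy illustration (not the paper's code): the parity bit depends on three
# data bits x0,x1,x2 and three subkey bits k0,k1,k2 through
#     f(x,k) = (x0^k0) ^ ((x1^k1) & (x2^k2)).
# k0 enters linearly (a pure sign) and the AND term makes k2 irrelevant on every
# counter with x1^k1 = 0, so only k1 ever has to be guessed.

def bit(v, i):
    return (v >> i) & 1

def sign(b):
    return 1 - 2 * b  # (-1)^b

def f(x, k):
    return bit(x ^ k, 0) ^ (bit(x ^ k, 1) & bit(x ^ k, 2))

def naive_bias(V):
    """B^k = sum_x V[x] * (-1)^f(x,k) for all 2^3 keys: 8 x 8 = 64 signed additions."""
    return [sum(V[x] * sign(f(x, k)) for x in range(8)) for k in range(8)]

def dynamic_bias(V):
    """Same counters with dynamic key guessing: guess k1, split the counters by
    x1^k1, then B^k = (-1)^k0 * (A + (-1)^k2 * C).  Cost: 2 x (4 + 4 + 2) = 20
    additions, and k0, k2 are never guessed (1 of 3 bits guessed on average)."""
    B = [0] * 8
    for k1 in (0, 1):
        # x1^k1 == 0: the AND term vanishes, f = x0^k0, independent of k2
        A = sum(V[x] * sign(bit(x, 0)) for x in range(8) if bit(x, 1) == k1)
        # x1^k1 == 1: f = x0^k0^x2^k2, so k2 is a pure sign flip
        C = sum(V[x] * sign(bit(x, 0) ^ bit(x, 2)) for x in range(8) if bit(x, 1) != k1)
        for k0 in (0, 1):
            for k2 in (0, 1):
                B[k0 | (k1 << 1) | (k2 << 2)] = sign(k0) * (A + sign(k2) * C)
    return B

def top_candidates(B, a):
    """Keys whose |B^k| ranks among the largest 2^(n-a) values (advantage a bits),
    the selection rule used in the final step of the key recovery."""
    keep = len(B) >> a
    return sorted(range(len(B)), key=lambda k: -abs(B[k]))[:keep]

# Constructed counter vector: V[x] = number of samples whose relevant bits equal x.
V = [13, 7, 9, 11, 5, 12, 8, 10]

if __name__ == "__main__":
    B = dynamic_bias(V)
    assert B == naive_bias(V)
    print("counters:", B, "candidates with a=1:", top_candidates(B, 1))
```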
22-Round Attack on Simon32/64. Adding one more round before the 21-round attack, we can attack 22 rounds of Simon32/64. There are 13 active key bits involved in round \(i-5\), namely \(\kappa _1=(K^{i-5}_0-K^{i-5}_{3},K^{i-5}_5,K^{i-5}_7-K^{i-5}_{12},K^{i-5}_{14},K^{i-5}_{15})\), to obtain the x represented in Table 5.
1. Guess each of the \(2^{13}\) values of \(\kappa _1\):
 (a) Encrypt the plaintexts by one round.
 (b) Do as in the first three steps of the 21-round attack.
2. The keys whose counter values rank among the largest \(2^{32+13-8}=2^{37}\) values are taken as the right subkey candidates. Exploiting the key schedule and guessing some other bits, use two plaintext-ciphertext pairs to check the right key.
Time: (1.a) \(2^{13}\times N=2^{44.19}\) one-round encryptions. (1.b) \(2^{13}\times 2^{35.84}=2^{48.84}\) additions. (2) The exhaustive phase needs about \(2^{64-8}=2^{56}\) 22-round encryptions. So the total time is about \(2^{56}\) 22-round encryptions and \(2^{48.84}\) additions.
23-Round Attack on Simon32/64. Adding one more round before and one round after the 21-round attack, we can attack 23 rounds of Simon32/64. There are 13 active key bits involved in round \(i+17\), namely \(\kappa _2=(K^{i+17}_0-K^{i+17}_{3},K^{i+17}_5,\) \(K^{i+17}_7-K^{i+17}_{12},K^{i+17}_{14},K^{i+17}_{15})\), to obtain the x represented in Table 6.
1. Guess each of the \(2^{13+13}\) values of \(\kappa _1, \kappa _2\):
 (a) Encrypt the plaintexts by one round and decrypt the ciphertexts by one round.
 (b) Do as in the first three steps of the 21-round attack.
2. The keys whose counter values rank among the largest \(2^{32+26-8}=2^{50}\) values are taken as the right subkey candidates. Exploiting the key schedule and guessing some other bits, use two plaintext-ciphertext pairs to check the right key.
Time: (1.a) \(2^{26}\times N=2^{57.19}\) two-round encryptions. (1.b) \(2^{26}\times 2^{35.84}=2^{61.84}\) additions. (2) The exhaustive phase needs about \(2^{64-8}=2^{56}\) 23-round encryptions. So the total time complexity is about \(2^{56.3}\) 23-round encryptions and \(2^{61.84}\) additions.
4.3 Improved Key Recovery Attack on Other Variants of Simon
With the dynamic key-guessing technique shown in the above attack, we can also improve the linear hull attacks on all other variants of Simon. The linear hulls used are displayed in Table 3. For Simon48, we exploit the 22-round linear hull proposed in [18], which covers the most rounds to date. For Simon64, the 21-round linear hull with potential \(2^{-62.53}\) proposed in [1] is used in the attack. Also, the 31-round (resp. 40-round) linear hull for Simon96 (resp. Simon128) in [1] is used to attack the corresponding variant. Due to limited space, we do not give the details of the attacks (please refer to the full version [11] of this paper for the details). However, the improved results for these variants are listed in Table 1.
4.4 Multiple Linear Hull Attack on Simon
Combining multiple linear cryptanalysis [8] with linear hulls, one can mount a multiple linear hull attack with improved data complexity. Our attack technique can be used well in the multiple linear hull attack on Simon. According to the rotational property of Simon, Property 1, many linear hulls with high potential can be found. For example, the two 13-round linear hulls for Simon32 in Table 3 are rotations of the same linear hull.
Suppose that the time to compute the bias for one linear hull is \(\mathcal {T}_1\) and the data complexity is \(\mathcal {N}\). If m linear hulls with the same bias are used in the multiple linear hull attack, the data complexity decreases to \(\mathcal {N}/m\), but the time complexity increases to \(m\mathcal {T}_1+2^{\mathcal {K}}\), where \(\mathcal {K}\) is the number of independent key bits involved in all m linear hull attacks. For example, there are 32 independent key bits involved in the 21-round attack on Simon32 with linear hull \(X^{i}_{L,5}\rightarrow X^{i+13}_{R,13}\). The data complexity is \(2^{31.19}\) known plaintext-ciphertext pairs and about \(2^{35.84}\) additions are needed to get the bias. When another linear hull \(X^{i}_{L,6}\rightarrow X^{i+13}_{R,14}\) is also used to make a multiple linear hull attack, the data size decreases to \(2^{30.19}\). There are also 32 independent key bits involved in this second linear hull attack, but the total number of independent key bits of both linear hulls is 48. So computing the bias for the multiple linear hull attack with the above two linear hulls needs about \(2^{36.84}\) additions and \(2^{48}\) combinations.
5 Conclusion
In this paper, we gave improved linear attacks on all the reduced versions of the Simon family with dynamic key-guessing techniques. By establishing the boolean function of the parity bit in the linear hull distinguisher and reducing the expressions of the function according to the property of the AND operation, we decrease the number of key bits involved in the attack and decrease the attack complexity in a further step. As a result, we can attack 23-round Simon32/64, 24-round Simon48/72, 25-round Simon48/96, 30-round Simon64/96, 31-round Simon64/128, 37-round Simon96/96, 38-round Simon96/144, 49-round Simon128/128, 51-round Simon128/192 and 53-round Simon128/256. The differential attack in [20] and our linear hull attack are bit-level cryptanalysis results, which provide more efficient and precise security estimates for Simon. We note that bit-level cryptanalysis combined with dynamic key-guessing techniques is applicable to more lightweight block ciphers, hash functions, etc.
Acknowledgements
This work was partially supported by the National Natural Science Foundation of China (Grant No. 61133013), also supported by National Key Basic Research Program of China (Grant No. 2013CB834205).
References
1. Abdelraheem, M.A., Alizadeh, J., Alkhzaimi, H.A., Aref, M.R., Bagheri, N., Gauravaram, P., Lauridsen, M.M.: Improved linear cryptanalysis of reduced-round Simon (2014). IACR Cryptology ePrint Archive 2014/68
2. Abed, F., List, E., Lucks, S., Wenzel, J.: Differential and linear cryptanalysis of reduced-round Simon (2013). IACR Cryptology ePrint Archive 2013/526
3. Abed, F., List, E., Lucks, S., Wenzel, J.: Differential cryptanalysis of round-reduced Simon and Speck. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 525–545. Springer, Heidelberg (2015)
4. Alizadeh, J., Alkhzaimi, H.A., Aref, M.R., Bagheri, N., Gauravaram, P., Kumar, A., Lauridsen, M.M., Sanadhya, S.K.: Cryptanalysis of Simon variants with connections. In: Sadeghi, A.R., Saxena, N. (eds.) RFIDSec 2014. LNCS, vol. 8651, pp. 90–107. Springer, Heidelberg (2014)
5. Alkhzaimi, H.A., Lauridsen, M.M.: Cryptanalysis of the Simon family of block ciphers (2013). IACR Cryptology ePrint Archive 2013/543
6. Ashur, T.: Improved linear trails for the block cipher Simon (2015). IACR Cryptology ePrint Archive 2015/285
7. Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers (2013)
8. Biryukov, A., De Cannière, C., Quisquater, M.: On multiple linear approximations. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 1–22. Springer, Heidelberg (2004)
9. Biryukov, A., Roy, A., Velichkov, V.: Differential analysis of block ciphers Simon and SPECK. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 546–570. Springer, Heidelberg (2015)
10. Boura, C., Naya-Plasencia, M., Suder, V.: Scrutinizing and improving impossible differential attacks: applications to CLEFIA, Camellia, LBlock and Simon. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 179–199. Springer, Heidelberg (2014)
11. Chen, H., Wang, X.: Improved linear hull attack on round-reduced Simon with dynamic key-guessing techniques (2015). IACR Cryptology ePrint Archive 2015/666
12. Chen, Z., Wang, N., Wang, X.: Impossible differential cryptanalysis of reduced round Simon (2015). IACR Cryptology ePrint Archive 2015/286
13. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
14. Matsui, M.: The first experimental cryptanalysis of the data encryption standard. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 1–11. Springer, Heidelberg (1994)
15. Nyberg, K.: Linear approximation of block ciphers. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 439–444. Springer, Heidelberg (1995)
16. Selçuk, A.A., Biçak, A.: On probability of success in linear and differential cryptanalysis. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 174–185. Springer, Heidelberg (2003)
17. Shi, D., Hu, L., Sun, S., Song, L., Qiao, K., Ma, X.: Improved linear (hull) cryptanalysis of round-reduced versions of Simon (2014). IACR Cryptology ePrint Archive 2014/973
18. Sun, S., Hu, L., Wang, M., Wang, P., Qiao, K., Ma, X., Ma, D., Song, L., Fu, K.: Towards finding the best characteristics of some bit-oriented block ciphers and automatic enumeration of (related-key) differential and linear characteristics with predefined properties and its applications (2014). IACR Cryptology ePrint Archive 2014/747
19. Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to Simon, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014)
20. Wang, N., Wang, X., Jia, K., Zhao, J.: Differential attacks on reduced SIMON versions with dynamic key-guessing techniques (2014). IACR Cryptology ePrint Archive 2014/448
21. Wang, Q., Liu, Z., Varıcı, K., Sasaki, Y., Rijmen, V., Todo, Y.: Cryptanalysis of reduced-round SIMON32 and SIMON48. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 143–160. Springer International Publishing, Switzerland (2014)