Differential Cryptanalysis of Round-Reduced Simon and Speck
Abstract
This paper presents differential attacks on Simon and Speck, two families of lightweight block ciphers that were presented by the U.S. National Security Agency in June 2013. We describe attacks on up to slightly more than half the number of rounds. While our analysis is only of academic interest, it demonstrates the drawback of the intensive optimizations in Simon and Speck.
Keywords
Differential cryptanalysis; Block cipher; Lightweight; Simon; Speck
1 Introduction
Due to the continuously growing impact of RFID tags, smartcards, and FPGAs, cryptographic algorithms which are suitable for resource-constrained devices become more and more important. Lightweight ciphers are optimized to operate in such environments, which are limited with respect to memory, battery supply, and computing power. For these applications, hardware and software efficiency are crucial, and designing cryptographic primitives which preserve security under these constraints is a major challenge.
During the last decade, many lightweight ciphers have been developed, including but not limited to HIGHT [11], KATAN [8], KLEIN [9], LBlock [16], LED [10], mCrypton [12], PRESENT [6], and PRINCE [7]. In June 2013, Beaulieu et al. from the U.S. National Security Agency (NSA) contributed to this ongoing research process with the announcement of two novel families of lightweight ciphers, called Simon and Speck [3]. Both constructions support an uncommonly large range of block sizes from 32 to 128 bits and key sizes from 64 to 256 bits in order to suit a variety of implementations. Simon was thereby optimized for hardware (like KATAN, LED, or PRESENT), and Speck for software implementations (such as KLEIN); though, due to the immense optimizations in their round functions, both cipher families perform well in hardware and software.
Related Work. Due to their simple structure, Simon and Speck have already been the target of various cryptanalytic efforts. Alkhzaimi and Lauridsen [2] presented, in parallel to our work, differential attacks on up to 16, 18, 24, 29, and 40 rounds of Simon with 32-, 48-, 64-, 96-, and 128-bit state size, respectively. In addition, the authors showed impossible-differential attacks on up to 14, 15, 16, 19, and 22 rounds and discussed observations regarding rotational cryptanalysis and weak keys. Alizadeh et al. [1] recently presented the best linear attacks on Simon, with attacks on 12, 15, 19, 28, and 35 rounds.
Biryukov and Velichkov [5] followed another promising approach, where they showed differential characteristics and trails on up to 14, 15, and 21 rounds of Simon and 9, 10, and 13 rounds of Speck with 32-, 48-, and 64-bit state size, respectively. The authors adapted Matsui's algorithm (which can find optimal differential characteristics for S-box-based ciphers) to ARX constructions by a concept they called highways and country roads. They pointed out that the computation of a complete differential distribution table (DDT) is infeasible for ARX-based primitives. To overcome this challenge, the authors constructed two partial DDTs: a first one with the characteristics of highest probability (highways), and a second one with trails of slightly lower probabilities (country roads) in order to connect and/or improve their previous characteristics.
Summary of our results on Simon and Speck. (*) = the time complexities assume that we have two independent filtering steps (cf. Remark 1). CP = chosen plaintexts, \(\dagger\) = attack uses chosen ciphertexts. "Attacked Rounds" gives the attacked rounds out of the total number of rounds (fraction in parentheses).

| Cipher | Attacked Rounds | Time (*) | Data (CP) | Memory (Bytes) | Success Rate |
|---|---|---|---|---|---|
| Differential attacks on Simon | | | | | |
| Simon32/64 | 18/32 (0.56) | \(2^{46.0}\) | \(2^{31.2}\) | \(2^{15.0}\) | 0.63 |
| Simon48/72 \(^\dagger\) | 19/36 (0.52) | \(2^{52.0}\) | \(2^{46.0}\) | \(2^{20.0}\) | 0.98 |
| Simon48/96 \(^\dagger\) | 19/36 (0.52) | \(2^{76.0}\) | \(2^{46.0}\) | \(2^{20.0}\) | 0.98 |
| Simon64/96 | 26/42 (0.61) | \(2^{63.9}\) | \(2^{63.0}\) | \(2^{31.0}\) | 0.86 |
| Simon64/128 | 26/44 (0.59) | \(2^{94.0}\) | \(2^{63.0}\) | \(2^{31.0}\) | 0.86 |
| Simon96/96 | 35/52 (0.67) | \(2^{93.3}\) | \(2^{93.2}\) | \(2^{37.8}\) | 0.63 |
| Simon96/144 | 35/54 (0.64) | \(2^{101.1}\) | \(2^{93.2}\) | \(2^{37.8}\) | 0.63 |
| Simon128/128 | 46/68 (0.67) | \(2^{125.7}\) | \(2^{125.6}\) | \(2^{40.6}\) | 0.63 |
| Simon128/192 | 46/69 (0.66) | \(2^{142.0}\) | \(2^{125.6}\) | \(2^{40.6}\) | 0.63 |
| Simon128/256 | 46/72 (0.63) | \(2^{206.0}\) | \(2^{125.6}\) | \(2^{40.6}\) | 0.63 |
| Differential attacks on Speck | | | | | |
| Speck32/64 | 10/22 (0.45) | \(2^{29.2}\) | \(2^{29}\) | \(2^{16}\) | 0.99 |
| Speck48/72 | 12/22 (0.54) | \(2^{45.3}\) | \(2^{45}\) | \(2^{24}\) | 0.99 |
| Speck48/96 | 12/23 (0.52) | \(2^{45.3}\) | \(2^{45}\) | \(2^{24}\) | 0.99 |
| Speck64/96 | 15/26 (0.57) | \(2^{61.1}\) | \(2^{61}\) | \(2^{32}\) | 0.99 |
| Speck64/128 | 15/27 (0.55) | \(2^{61.1}\) | \(2^{61}\) | \(2^{32}\) | 0.99 |
| Speck96/96 | 15/28 (0.51) | \(2^{89.1}\) | \(2^{89}\) | \(2^{48}\) | 0.99 |
| Speck96/144 | 15/29 (0.51) | \(2^{89.1}\) | \(2^{89}\) | \(2^{48}\) | 0.99 |
| Speck128/128 | 16/32 (0.50) | \(2^{111.1}\) | \(2^{116}\) | \(2^{64}\) | 0.99 |
| Speck128/192 | 16/33 (0.48) | \(2^{111.1}\) | \(2^{116}\) | \(2^{64}\) | 0.99 |
| Speck128/256 | 16/34 (0.47) | \(2^{111.1}\) | \(2^{116}\) | \(2^{64}\) | 0.99 |
| Rectangle attacks on Speck | | | | | |
| Speck32/64 | 11/22 (0.50) | \(2^{46.7}\) | \(2^{30.1}\) | \(2^{37.1}\) | \(\approx 1\) |
| Speck48/72 | 12/22 (0.54) | \(2^{58.8}\) | \(2^{43.2}\) | \(2^{45.8}\) | \(\approx 1\) |
| Speck48/96 | 12/23 (0.52) | \(2^{58.8}\) | \(2^{43.2}\) | \(2^{45.8}\) | \(\approx 1\) |
| Speck64/96 | 14/26 (0.53) | \(2^{89.4}\) | \(2^{63.6}\) | \(2^{65.6}\) | \(\approx 1\) |
| Speck64/128 | 14/27 (0.51) | \(2^{89.4}\) | \(2^{63.6}\) | \(2^{65.6}\) | \(\approx 1\) |
| Speck96/144 | 16/29 (0.55) | \(2^{135.9}\) | \(2^{90.9}\) | \(2^{94.5}\) | \(\approx 1\) |
| Speck128/192 | 18/33 (0.54) | \(2^{182.7}\) | \(2^{125.9}\) | \(2^{121.9}\) | \(\approx 1\) |
| Speck128/256 | 18/34 (0.52) | \(2^{182.7}\) | \(2^{125.9}\) | \(2^{121.9}\) | \(\approx 1\) |
Notions. We follow the notions of [3], where \(n\) denotes the word size in bits, \(2n\) the state size in bits, and the tuple \((L^r, R^r)\) the left and right parts of the state after the encryption of Round \(r\). Further, \(k\) represents the length of the secret key. Furthermore, \(\oplus\) denotes the bitwise XOR, \(+\) the addition modulo \(2^{n}\), \(\wedge\) bitwise AND, \(\vee\) bitwise OR, and \(\overline{x}\) the bitwise inverse of \(x\). We denote by \(x_i\) the \(i\)-th least significant bit of the value \(x\), and enumerate the bits as \(x = x_{n-1}x_{n-2}\ldots x_{1}x_{0}\). Alternatively, we write values in typewriter font, i.e., \(\mathtt{x}\) for hexadecimal and \(\mathtt{x}_2\) for binary values, e.g., \(\mathtt{1F} = 31\) and \(\mathtt{110}_2 = 6\). Concerning differences, we denote by \(\varDelta_{i}\) a difference in which all bits are zero except for the \(i\)-th (least significant) bit, and by \(\varDelta_{i,[j,k,\ldots]}\) a difference where the \(i\)-th bit is active and the values of the bits in square brackets are unknown. Further, we denote a differential characteristic or trail from an input difference \(\alpha\) to an output difference \(\beta\) by \(\alpha \rightarrow \beta\).
2 Brief Description of Simon and Speck
Both ciphers are Feistel-like constructions on two \(n\)-bit words. For Simon, a round computes \((L^{r+1}, R^{r+1}) = (R^{r} \oplus f(L^{r}) \oplus K^{r}, L^{r})\), where \(f: \{0,1\}^{n} \rightarrow \{0,1\}^{n}\) is defined as \(f(x) := ((x \lll 1) \wedge (x \lll 8)) \oplus (x \lll 2)\); the only non-linear operation is the AND of two rotated copies of the same word, and the round key is XORed at the end of the round. For Speck, a round computes \(L^{r+1} = ((L^{r} \ggg \alpha) + R^{r}) \oplus K^{r}\) and \(R^{r+1} = (R^{r} \lll \beta) \oplus L^{r+1}\), so the only non-linear operation is the modular addition. The rotation constants in Speck are \(\alpha = 8\) and \(\beta = 3\) for most versions of Speck; only Speck32/64 uses \(\alpha = 7\) and \(\beta = 2\).
3 Differential Properties of Simon and Speck
Differential Properties of the Round Function of Speck. For Speck, one requires only the well-known XOR-differential probability of the modular addition (\(\text{xdp}^{+}\)), which was studied in detail by Lipmaa and Moriai [13, 14].
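As an added, runnable example (not code from the paper), the following Python computes \(\text{xdp}^{+}\) with the closed formula of Lipmaa and Moriai, checks it against exhaustive enumeration for small word sizes, and uses it to obtain the probability of a one-round Speck differential, whose only non-linear step is the addition. The 8-bit word size in the demonstration calls is an assumption chosen to keep the enumeration small; the rotation amounts are those of Speck32/64.

```python
# Added example (not from the paper): xdp+ of modular addition after Lipmaa and Moriai,
# verified against enumeration, and applied to a single Speck round.
from collections import Counter


def xdp_add(alpha, beta, gamma, n):
    """xdp+(alpha, beta -> gamma) for n-bit addition (Lipmaa-Moriai, Algorithm 2).
    The differential is impossible if, at some position whose three differences of the
    previous bit agree, the output difference deviates from alpha ^ beta ^ (carry diff);
    otherwise the probability is 2^-(number of positions below the MSB at which the three
    differences disagree)."""
    mask = (1 << n) - 1

    def eq(x, y, z):  # 1 exactly where x, y and z carry the same bit
        return ~(x ^ y) & ~(x ^ z) & mask

    a1, b1, g1 = (alpha << 1) & mask, (beta << 1) & mask, (gamma << 1) & mask
    if eq(a1, b1, g1) & (alpha ^ beta ^ gamma ^ b1):
        return 0.0
    return 2.0 ** -bin(~eq(alpha, beta, gamma) & (mask >> 1)).count("1")


def xdp_add_bruteforce(alpha, beta, n):
    """Exact distribution gamma -> probability by enumerating every (x, y)."""
    mask = (1 << n) - 1
    counts = Counter()
    for x in range(1 << n):
        for y in range(1 << n):
            counts[((x + y) ^ ((x ^ alpha) + (y ^ beta))) & mask] += 1
    return {g: c / (1 << (2 * n)) for g, c in counts.items()}


def formula_matches_bruteforce(n):
    """Compare xdp_add with enumeration for every (alpha, beta, gamma) of n bits."""
    for alpha in range(1 << n):
        for beta in range(1 << n):
            dist = xdp_add_bruteforce(alpha, beta, n)
            for gamma in range(1 << n):
                if abs(xdp_add(alpha, beta, gamma, n) - dist.get(gamma, 0.0)) > 1e-12:
                    return False
    return True


def speck_round(L, R, k, n, a, b):
    """One Speck round: L = ((L >>> a) + R) ^ k, R = (R <<< b) ^ L."""
    mask = (1 << n) - 1
    rotr = lambda x, r: ((x >> r) | (x << (n - r))) & mask
    rotl = lambda x, r: ((x << r) | (x >> (n - r))) & mask
    L = ((rotr(L, a) + R) & mask) ^ k
    return L, rotl(R, b) ^ L


def speck_round_xdp(dL, dR, dL_out, dR_out, n, a, b):
    """Probability that one Speck round maps (dL, dR) to (dL_out, dR_out). Rotations and
    the key XOR are linear, so only the adder is probabilistic: dL_out is its output
    difference and dR_out is forced to (dR <<< b) ^ dL_out."""
    mask = (1 << n) - 1
    rotr = lambda x, r: ((x >> r) | (x << (n - r))) & mask
    rotl = lambda x, r: ((x << r) | (x >> (n - r))) & mask
    if dR_out != rotl(dR, b) ^ dL_out:
        return 0.0
    return xdp_add(rotr(dL, a), dR, dL_out, n)


def speck_round_xdp_bruteforce(dL, dR, dL_out, dR_out, n, a, b):
    """Same probability by enumerating all (L, R). The key XOR never changes an XOR
    difference, so k = 0 loses no generality."""
    hits = 0
    for L in range(1 << n):
        for R in range(1 << n):
            c = speck_round(L, R, 0, n, a, b)
            cp = speck_round(L ^ dL, R ^ dR, 0, n, a, b)
            if (c[0] ^ cp[0], c[1] ^ cp[1]) == (dL_out, dR_out):
                hits += 1
    return hits / (1 << (2 * n))


if __name__ == "__main__":
    print(formula_matches_bruteforce(4))
    # 8-bit words with the Speck32/64 rotation amounts (assumption, to keep enumeration small)
    print(speck_round_xdp(0x40, 0x00, 0x80, 0x80, 8, 7, 2))  # difference lands on the MSB: 1.0
    print(speck_round_xdp(0x01, 0x00, 0x02, 0x02, 8, 7, 2))  # one carry must not propagate: 0.5
    print(speck_round_xdp_bruteforce(0x01, 0x00, 0x02, 0x02, 8, 7, 2))
```

The MSB case is the reason the Speck characteristics in Section 4 prefer differences that the rotation moves to the top bit of the adder: a difference in the most significant bit passes the addition with probability one, because no carry leaves the word.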
Definition 1
Differential Properties of the Round Function of Simon. For Simon, one has to consider the differential probability of the round function \(f(x)\). At the end of this section, we provide an algorithm that yields the set and the number of all possible output differences for a fixed input difference. In the following, we first explain the differential probability (DP) of the logical AND; next, we derive the DP of AND in combination with rotation, and then consider the DP of AND with rotationally dependent inputs. We follow the notation of [5].
Property 1
Property 1 states that the output difference of the logical AND is biased: if \(\alpha\) and \(\beta\) are both 0, then \(\gamma\) must be 0. If \(\alpha\) and/or \(\beta\) is 1, there is still a probability of 1/2 that the AND operation cancels the active bit in the output difference.
Definition 2
Property 2
Property 2 transfers Property 1 from single bits to \(n\)-bit differences. Only those bits that are active in \(\alpha\) and/or \(\beta\) can be active in \(\gamma\), each with probability 1/2. This is reflected by the term \((\alpha \vee \beta)\). If \(\gamma\) contains active bits at other positions, then \(\gamma \wedge \overline{\alpha \vee \beta} \ne 0^{n}\) and \(\Pr[\alpha, \beta \rightarrow \gamma] = 0\). Otherwise, all remaining differences \(\gamma\) are equally likely. Thus, the term \(\alpha \vee \beta\) can be interpreted as the definition of a set of possible output differences, i.e., one can efficiently iterate over all combinations of values for its active bits and will obtain all possible output differences \(\gamma\).
Definition 3
Definition 4
Property 3
(Differential Propagation of \(\text{xdp}^{x \wedge (x \lll r)}\)). Let \(\alpha\) be a fixed \(n\)-bit XOR difference and \(r \in [0, n-1]\) a fixed integer. Let \(f: \{0,1\}^{n} \rightarrow \{0,1\}^{n}\) be defined by \(f(x) = x \wedge (x \lll r)\). Then, the set of possible output differences \(\beta\) for \(\text{xdp}^{x \wedge (x \lll r)}\) can be efficiently computed in O\((n)\) as shown in Algorithm 3.
(Figure, caption fragments only: dependency of output-difference bits on input-difference bits for \(x \wedge (x \lll r)\). \(\beta_1\) depends on \(\alpha_1\) (top) and \(\alpha_{10}\) (bottom), with \(\alpha_1 = 0\) and \(\alpha_{10} = 1\); \(\beta_8\) depends on \(\alpha_{8}\) (top) and \(\alpha_1\) (bottom), with \(\alpha_1 = 0\) and \(\alpha_{8} = 1\).)
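Algorithm 3 itself is not reproduced on this page. As an added example (not the paper's code), the following Python obtains the same information by exhaustive enumeration for \(n = 16\): the exact XOR-differential distribution of the AND of two independent inputs (Property 2) and of \(x \wedge (x \lll r)\) for a fixed input difference (Property 3). The second case exposes the rotational dependency the figure describes: when the same input bit serves as the partner at two output positions, the two output-difference bits are always equal, so fewer differences occur than the independence bound \(2^{\mathrm{wt}(\alpha \vee (\alpha \lll r))}\) of Property 2 allows. The word size, \(r = 7\) and the example differences are assumptions of the example.

```python
# Added example (not from the paper): brute-force XOR-differential distributions for the
# AND in Simon's round function, checking Property 2 and the rotational dependency of
# Property 3. Every input is enumerated, so the probabilities are exact; n = 16 (Simon32).
from collections import Counter

N = 16  # word size n; words are n-bit unsigned integers


def rotl(x, r, n=N):
    """Rotate the n-bit word x left by r positions."""
    r %= n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)


def xdp_and(alpha, beta, n=8):
    """Exact XOR-differential distribution of x AND y for two independent n-bit inputs
    with differences alpha, beta (Property 2): dict gamma -> probability. Enumerates all
    (x, y), hence the small default n."""
    counts = Counter()
    for x in range(1 << n):
        for y in range(1 << n):
            counts[(x & y) ^ ((x ^ alpha) & (y ^ beta))] += 1
    return {g: c / (1 << (2 * n)) for g, c in counts.items()}


def xdp_and_rot(alpha, r=7, n=N):
    """Exact XOR-differential distribution of g_r(x) = x AND (x <<< r) for a fixed input
    difference alpha (the map of Property 3). Simon's (x <<< 1) AND (x <<< 8) equals
    g_7(x) <<< 1, so r = 7 is the Simon case up to a rotation of the output."""
    counts = Counter()
    for x in range(1 << n):
        xp = x ^ alpha
        counts[(x & rotl(x, r, n)) ^ (xp & rotl(xp, r, n))] += 1
    return {b: c / (1 << n) for b, c in counts.items()}


def independent_bound(alpha, r=7, n=N):
    """Mask of output bits that Property 2 would allow if x and x <<< r were independent
    inputs with differences alpha and alpha <<< r."""
    return alpha | rotl(alpha, r, n)


def popcount(x):
    return bin(x).count("1")


def compare_with_bound(alpha, r=7, n=N):
    """(number of output differences that actually occur, 2^wt bound from Property 2)."""
    actual = len(xdp_and_rot(alpha, r, n))
    bound = 1 << popcount(independent_bound(alpha, r, n))
    return actual, bound


if __name__ == "__main__":
    # Property 2 on independent inputs: every subset of alpha | beta occurs, each with 2^-wt
    print(sorted(xdp_and(0b11, 0b01).items()))
    # Delta_0 into g_7: output bits 0 and 7 are x_9 and x_7, independent -> 4 outputs, 1/4 each
    print(compare_with_bound(1 << 0))
    # Delta_{0,2}: output bits 0 and 9 are BOTH x_9, so only 8 of the 16 differences allowed
    # by the independence bound can occur (each with probability 1/8)
    print(compare_with_bound((1 << 0) | (1 << 2)))
```

The gap between the two numbers returned by `compare_with_bound` is exactly what Algorithm 3 has to account for, and why the paper treats "AND with rotationally dependent inputs" separately from Property 2.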
4 Search for Differential Characteristics and Differentials
| | Simon32/64 | Simon48/\(k\) | Simon64/\(k\) |
|---|---|---|---|
| \(\alpha\) | \((\varDelta_{5}, 0)\) | \((\varDelta_{8,16}, \varDelta_{6,14,18})\) | \((\varDelta_{6}, 0)\) |
| \(\beta\) | \((\varDelta_{14}, 0)\) | \((\varDelta_{6,14,18,22}, \varDelta_{20})\) | \((\varDelta_{6,10,14}, \varDelta_{12})\) |
| Rounds | 12 | 15 | 20 |
| \(\Pr[\alpha \rightarrow \beta]\) | \(2^{-36}\) | \(2^{-52}\) | \(2^{-70}\) |
Secondly, we applied a branch-and-bound search, similar to the approach of [2]. There, we started from the input difference \(\alpha\) and propagated it round-wise in forward and backward direction. For each round, we collected all possible output characteristics \(\alpha \rightarrow \beta\) and their probability \(p\) as a tuple \((\beta, p)\) in a set and used them as starting points for the next round in a depth-first manner. For this, we used Algorithm 3 for Simon and a variant of the algorithm by Lipmaa and Moriai [14] for Speck.
Since following each path is infeasible, we pruned the search tree by considering only characteristics \(\alpha \rightarrow \beta\) with a probability above a chosen threshold. For this, we used the characteristic found with Matsui's algorithm as a reference, i.e., if Matsui's characteristic had probability \(p = 2^{-q}\) after some round \(r\), we only considered those characteristics \(\beta\) as input to round \(r + 1\) that had a probability \(p \geq 2^{-q - thresh}\). We further pruned the search tree by only storing a (chosen) maximal number of characteristics.
Every time two differential characteristics led to the same output difference \(\beta\) after a round, we merged them into one differential trail and added their probabilities. We emphasize that our characteristics have been found experimentally and do not necessarily represent the best possible ones. Further, note that we rely on the assumption that the round keys are independent and uniformly distributed for every round.
Extending Differential Characteristics to Attacks. A given differential can be extended by a few more rounds in a key-recovery attack for any version of Simon2\(n\)/\(k\). Assume we are given an \(r\)-round differential \((\alpha, \beta) \rightarrow (\gamma, \delta)\). Because Simon injects the subkey at the end of a round, the adversary can compute the output of \(f\) in the first round itself: for a plaintext with left half \(L^{0}\) it chooses the partner plaintext so that the pair has the input difference \((\beta, \alpha \oplus f(L^{0}) \oplus f(L^{0} \oplus \beta))\), which becomes \((\alpha, \beta)\) after the first round regardless of the round key, and thus obtains an \((r + 1)\)-round differential of equal probability. A similar strategy can be applied at the output side. Given an output difference \((\gamma, \delta)\) after \((r + 1)\) rounds, the difference after \((r + 2)\) rounds is \((\delta \oplus f(L^{r+1}) \oplus f(L'^{r+1}), \gamma)\), and \(L^{r+1}\) is simply the right half of the ciphertext. Since the subkey of the last round does not affect this difference, the adversary can compute \(f\) on the known halves itself and obtains an \((r + 2)\)-round differential of equal probability.
For the versions with a \(3n\)-bit key (Simon48/72, 64/96, 96/144, and 128/192), one can append a further round by simply guessing its full subkey: the total computational effort for collecting plaintext-ciphertext pairs and testing all subkey candidates for the appended round remains significantly smaller than that of exhaustively searching the full key space. Likewise, for the versions with a \(4n\)-bit key (Simon32/64, 48/96, 64/128, and 128/256), one can append another round by guessing its subkey.
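As an added example (not from the paper), the following Python implements the two key-free extensions on Simon32 (\(n = 16\)) with independent random round keys, the assumption stated above for the search; the Simon key schedule is not modelled. The two-round core characteristic \((\varDelta_0, 0) \rightarrow (\varDelta_{0,4}, \varDelta_2)\) with \(p = 2^{-4}\) is derived in the comments from Property 2 and is an assumption of the example, not one of the paper's characteristics. The hit counts over the bare core and over the core with one prepended and one appended round agree, as the text claims, and neither count needs the round keys.

```python
# Added example (not from the paper): extending a Simon differential by one
# key-independent round on each side, checked empirically on Simon32 (n = 16) with
# uniformly random, independent round keys (no key schedule).
import random

N = 16
MASK = (1 << N) - 1


def rotl(x, r):
    return ((x << r) | (x >> (N - r))) & MASK


def f(x):
    """Simon round function f(x) = ((x <<< 1) & (x <<< 8)) ^ (x <<< 2)."""
    return (rotl(x, 1) & rotl(x, 8)) ^ rotl(x, 2)


def encrypt(L, R, round_keys):
    """Simon rounds (L, R) -> (R ^ f(L) ^ K, L), one per round key."""
    for k in round_keys:
        L, R = R ^ f(L) ^ k, L
    return L, R


def prepend_round(alpha, beta, L0, R0):
    """Partner plaintext of (L0, R0) whose difference AFTER one round is exactly
    (alpha, beta). The attacker knows both plaintexts, so it evaluates f on both
    left halves; the first round key cancels in the difference."""
    L0p = L0 ^ beta
    R0p = R0 ^ alpha ^ f(L0) ^ f(L0p)
    return L0p, R0p


def peel_last_round(C, Cp):
    """Difference after round r+1, computed from ciphertexts after r+2 rounds.
    The right ciphertext half is L^{r+1}, so f can be evaluated on it directly,
    and the last round key cancels in the XOR difference."""
    (L, R), (Lp, Rp) = C, Cp
    return R ^ Rp, L ^ Lp ^ f(R) ^ f(Rp)


# Assumed two-round core characteristic: (Delta_0, 0) -> (Delta_{0,4}, Delta_2).
# Round A: by Property 2 the AND part of f on Delta_0 can only activate bits 1 and 8,
#          each zero with probability 1/2 (they equal x_9 and x_7); the linear part adds Delta_2.
# Round B: the same on Delta_2 (bits 3 and 10 via x_11 and x_9), plus Delta_4.
# Both AND differences vanishing gives p = 2^-4; no other path reaches this output.
ALPHA, BETA = 0x0001, 0x0000
GAMMA, DELTA = 0x0011, 0x0004


def count_hits(n_pairs, seed=1):
    """(hits over the bare 2-round core, hits over the 4-round extension); both
    should be close to n_pairs / 16."""
    rng = random.Random(seed)
    keys = [rng.getrandbits(N) for _ in range(4)]  # round keys of rounds 1..4
    core = extended = 0
    for _ in range(n_pairs):
        # bare core: rounds 2 and 3 only, input difference applied directly
        L, R = rng.getrandbits(N), rng.getrandbits(N)
        c = encrypt(L, R, keys[1:3])
        cp = encrypt(L ^ ALPHA, R ^ BETA, keys[1:3])
        if (c[0] ^ cp[0], c[1] ^ cp[1]) == (GAMMA, DELTA):
            core += 1
        # extension: free round 1 in front, free round 4 behind, all four keys unknown
        L0, R0 = rng.getrandbits(N), rng.getrandbits(N)
        L0p, R0p = prepend_round(ALPHA, BETA, L0, R0)
        c4, c4p = encrypt(L0, R0, keys), encrypt(L0p, R0p, keys)
        if peel_last_round(c4, c4p) == (GAMMA, DELTA):
            extended += 1
    return core, extended


if __name__ == "__main__":
    print(count_hits(1 << 15))  # both numbers near 2048
```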
5 KeyRecovery Attacks on Simon
Collection Phase
1. Initialize an empty set \(\mathcal{C} = \emptyset\).
2. Choose \(2^{30.2}\) plaintext pairs \((P_i, P'_i)\) such that their difference after the first round yields \(\varDelta^1\).
3. Collect their corresponding ciphertext pairs \((C_i, C'_i)\) from an encryption oracle, where \(C_i = E_K(P_i)\) and \(C'_i = E_K(P'_i)\).
Pair-Filtering Phase
4. For all ciphertext pairs, invert the final round to derive \(\varDelta^{17}\) and store all pairs \((C_i, C'_i)\) with the correct difference at the known bits of \(\varDelta^{17}\) in \(\mathcal{C}\). We know seven bits of \(\varDelta L^{17}\) and 11 bits of \(\varDelta R^{17}\). Assuming the differences \(\varDelta^{17}\) are uniformly distributed, we can expect \(2^{30.2 - 18} = 2^{12.2}\) pairs on average.
Key-Guessing Phase
5. Create a list of counters for all \(2^{18}\) possible values of the round-key bits \(K^{17}_{0,1,5,7-11,14,15}\), \(K^{16}_{6-9,13,15}\), and \(K^{15}_{7,9}\), and perform the following for each candidate: for all pairs \((C_i, C'_i) \in \mathcal{C}\), partially decrypt \((C_i, C'_i)\) to the state after the encryption of Round 14; if their difference matches \(\varDelta^{14}\), increment the counter for the current key candidate.
6. Output the key candidate(s) associated with the highest counter value(s).
Brute-Force Phase
7. For all bits of \(K^{17}\), \(K^{16}\), \(K^{15}\), and \(K^{14}\) that were not guessed in the previous steps, perform further encryptions to identify their correct values.
Parameters of our differential attacks on Simon. "1st Filter" denotes the number of bits that can be used to filter out pairs after inverting the final round; "Key Bits" = number of guessed key bits; \(p\) = probability of the used differential.

| Cipher | Rounds | Pairs | 1st Filter | Key Bits | Stored pairs | \(p\) | Succ. rate |
|---|---|---|---|---|---|---|---|
| Simon32/\(k\) | 18 | \(2^{30.2}\) | 18 | 18 | \(2^{12.2}\) | \(2^{-30.2}\) | 0.632 |
| Simon48/\(k\) | 19 | \(2^{45.0}\) | 28 | 20 | \(2^{17.0}\) | \(2^{-43.0}\) | 0.981 |
| Simon64/\(k\) | 25 | \(2^{62.0}\) | 35 | 36 | \(2^{27.0}\) | \(2^{-61.0}\) | 0.863 |
| Simon96/\(k\) | 35 | \(2^{92.2}\) | 59 | 43 | \(2^{33.2}\) | \(2^{-92.2}\) | 0.632 |
| Simon128/\(k\) | 46 | \(2^{124.6}\) | 89 | 50 | \(2^{35.6}\) | \(2^{-124.6}\) | 0.632 |
Remark 1
Note that even if our assumption does not hold, we still have a differential that is satisfied with probability \(p = 2^{-30.2}\) and a 32-bit filter at \(\varDelta^{14}\). Hence, we can expect to reduce the candidates for the 18 key bits we guess in the final four rounds to \(2^{30.2} \cdot 2^{18} \cdot 2^{-32} = 2^{16.2}\), increasing the complexity of the brute-force step to \(2^{46} \cdot 2^{16.2} = 2^{62.2}\) encryptions, which is still significantly faster than exhaustive search. In the general case, the computational effort of our attacks is then dominated by the cost of a simple exhaustive search over the remaining key space. Hence, the time complexities would become approximately \(2^{k}/(p \cdot 2^{2n})\) (\(k = 64\), \(n = 16\), \(p \approx 2^{-30.2}\) for Simon32/64).
6 Differential Attacks on Speck
In this section we describe our differential analysis of Speck. Since the smallest version of Speck (Speck32/64) allows a simple practical verification, we only discuss this version in detail. We apply the same strategy to the remaining members of the Speck family and present only their complexities at the end of this section.
6.1 KeyRecovery Attack on Speck32/64
Collection Phase
1. Initialize an empty list \(\mathcal{C} = \emptyset\).
2. Choose \(2^{28}\) pairs \((P_i, P'_i)\) such that their difference after the first round is \(\varDelta^1\).
3. Collect the corresponding ciphertext pairs \((C_i, C'_i)\) from an encryption oracle, where \(C_i = E_K(P_i)\) and \(C'_i = E_K(P'_i)\). Derive \(\varDelta L^9_{0-3}\) and \(\varDelta R^9\) and store all pairs \((C_i, C'_i)\) with \(\varDelta L^9_{0-3} = \varDelta_{3}\) and \(\varDelta R^9 = \varDelta_{3,5,7,10,12,14,15}\) in the list \(\mathcal{C}\).
Key-Guessing Phase
4. Create a list of \(2^{12}\) counters.
5. For all possible values of the 12 key bits \(K^{9}_{4-15}\) and all pairs \((C_i, C'_i) \in \mathcal{C}\): partially decrypt \((C_i, C'_i)\) to the state after the encryption of Round 9 and derive \(\varDelta L^{9}\). If \(\varDelta L^{9} = \varDelta_{1,3,5,15}\), increment the counter for the current key candidate.
6. Output those keys as potentially correct whose counter has a value of at least four.
7. Mark all pairs which yielded the correct \(\varDelta^{9}\) for the potentially correct key(s) as correct pairs.
Brute-Force Phase
8. Partially decrypt all correct pairs round by round to get the correct subkey bits \(K^{9}_{0-3}\), \(K^8\), \(K^7\), and \(K^6\).
Parameters of our differential attacks on Speck. "1st Filter" denotes the number of bits that can be used to filter out pairs after inverting the final round; "Key Bits" = number of guessed key bits; \(p\) = probability of the used differential.

| Cipher | Rounds | Pairs | 1st Filter | Key Bits | Stored pairs | \(p\) | Succ. rate |
|---|---|---|---|---|---|---|---|
| Speck32/\(k\) | 10 | \(2^{28}\) | 20 | 12 | \(2^{8}\) | \(2^{-24.0}\) | 0.99 |
| Speck48/\(k\) | 12 | \(2^{44}\) | 25 | 23 | \(2^{19}\) | \(2^{-40.6}\) | 0.99 |
| Speck64/\(k\) | 15 | \(2^{61}\) | 35 | 29 | \(2^{26}\) | \(2^{-58.9}\) | 0.99 |
| Speck96/\(k\) | 15 | \(2^{88}\) | 54 | 42 | \(2^{34}\) | \(2^{-84.0}\) | 0.99 |
| Speck128/\(k\) | 16 | \(2^{115}\) | 67 | 61 | \(2^{48}\) | \(2^{-111.1}\) | 0.99 |
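As an added example (not from the paper), the following Python runs the filter, key-guessing and counting pattern shared by the Simon attack in Section 5 and the Speck attack above end to end on 3-round Speck32/64 with independent random round keys (no key schedule). It uses an assumed two-round differential \((\varDelta_6, 0) \rightarrow (\varDelta_{8,15}, \varDelta_{1,8,15})\) of probability \(2^{-1}\), derived in the comments via \(\text{xdp}^{+}\), filters on the key-independent right half of the state before the last round, guesses the full last round key, and reports the candidates with the maximal count. A bit the counting cannot decide (here the most significant key bit, because XOR with \(\varDelta_{15}\) commutes with modular subtraction) is left over, which is the kind of bit the brute-force phases above resolve afterwards.

```python
# Added example (not from the paper): filter / guess / count key recovery on
# 3-round Speck32 (n = 16, alpha = 7, beta = 2) with independent random round keys.
import random

N, A, B = 16, 7, 2
MASK = (1 << N) - 1


def rotl(x, r):
    return ((x << r) | (x >> (N - r))) & MASK


def rotr(x, r):
    return ((x >> r) | (x << (N - r))) & MASK


def speck_round(L, R, k):
    """One Speck round: L = ((L >>> A) + R) ^ k, R = (R <<< B) ^ L."""
    L = ((rotr(L, A) + R) & MASK) ^ k
    return L, rotl(R, B) ^ L


def encrypt(L, R, keys):
    for k in keys:
        L, R = speck_round(L, R, k)
    return L, R


# Assumed two-round differential (Delta_6, 0) -> (Delta_{8,15}, Delta_{1,8,15}):
# round 1: Delta_6 >>> 7 = Delta_15 enters the adder at the MSB, xdp+ = 1, so the
#          state difference becomes (Delta_15, Delta_15);
# round 2: Delta_15 >>> 7 = Delta_8 is added to Delta_15: output Delta_{8,15} with
#          xdp+ = 1/2 (the bit-8 carry must not propagate; the MSB is free), and the
#          right half is (Delta_15 <<< 2) ^ Delta_{8,15} = Delta_{1,8,15}.
# No other characteristic reaches this output difference, so p = 2^-1 exactly.
D_IN = (0x0040, 0x0000)
D_OUT = (0x8100, 0x8102)


def recover_last_round_key(n_pairs, seed=1):
    """Collect pairs, filter on the key-independent right half, then count hits for
    every candidate of the last round key K^3. Returns (true K^3, candidates with the
    maximal count, number of pairs surviving the filter)."""
    rng = random.Random(seed)
    keys = [rng.getrandbits(N) for _ in range(3)]

    # Collection phase: chosen-plaintext pairs with difference D_IN.
    pairs = []
    for _ in range(n_pairs):
        L, R = rng.getrandbits(N), rng.getrandbits(N)
        pairs.append((encrypt(L, R, keys), encrypt(L ^ D_IN[0], R ^ D_IN[1], keys)))

    # Filtering phase: R^2 = (R^3 ^ L^3) >>> B needs no key, so its difference is a
    # 16-bit filter that discards nearly every wrong pair before any key is guessed.
    filtered = []
    for (L3, R3), (L3p, R3p) in pairs:
        R2, R2p = rotr(R3 ^ L3, B), rotr(R3p ^ L3p, B)
        if R2 ^ R2p == D_OUT[1]:
            filtered.append((L3, L3p, R2, R2p))

    # Key-guessing phase: L^2 = ((L^3 ^ K^3) - R^2) <<< A. Compare the difference of
    # the subtraction results with D_OUT[0] >>> A and count hits per candidate.
    target = rotr(D_OUT[0], A)
    counts = {}
    for k3 in range(1 << N):
        hits = 0
        for L3, L3p, R2, R2p in filtered:
            d = (((L3 ^ k3) - R2) & MASK) ^ (((L3p ^ k3) - R2p) & MASK)
            if d == target:
                hits += 1
        counts[k3] = hits
    best = max(counts.values())
    # k3 and k3 ^ 0x8000 always tie: XOR with the MSB commutes with subtraction mod 2^16,
    # so that key bit must come from the brute-force phase, not from the counters.
    candidates = {k for k, v in counts.items() if v == best}
    return keys[2], candidates, len(filtered)


if __name__ == "__main__":
    true_key, cands, survivors = recover_last_round_key(48)
    print(hex(true_key), sorted(hex(c) for c in cands), survivors)
```

With \(p = 2^{-1}\), about half of the pairs are right pairs and survive the 16-bit filter, while a wrong pair survives with probability about \(2^{-16}\); this is the same reasoning behind the "Stored pairs" column of the tables above, where the filter is only partial and the differential probability much smaller.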
7 Rectangle Attacks on Speck
Boomerangs and Rectangles. Boomerangs and rectangles allow one to use two short differential characteristics with high probabilities instead of a single long differential. For this, one first splits a given cipher \(E\) into parts \(E = E^2 \circ E^1\) and searches for two differentials \(\alpha \xrightarrow[E^1]{p} \beta\) and \(\gamma \xrightarrow[E^2]{q} \delta\). Next, one collects quartets of plaintexts \((P, P', Q, Q')\) with \(P \oplus P' = Q \oplus Q' = \alpha\). In the following we denote by \((R, R', S, S')\) their encryptions after \(E^1\) and by \((C, C', D, D')\) their encryptions after \(E^2\).
7.1 Rectangle Attack on Speck32/64
Collection Phase
1. Initialize two empty hash tables \(\mathcal{C}\), \(\mathcal{D}\), and a list \(\mathcal{Q}\).
2. Choose \(\frac{2^{(n + 2)/2}}{\hat{p}\hat{q}} = \frac{2^{34/2}}{2^{-8.01} \cdot 2^{-4.56}} = 2^{29.57}\) plaintext pairs \((P, P')\) such that their difference after the first round is \(\alpha\).
3. Ask for the encryption of \((P, P')\) and receive the corresponding ciphertext pair \((C, C')\). Then, partially decrypt \(C, C'\) over the final round to the state after Round 10, \((R^{10}, {R'}^{10})\), and store the result in \(\mathcal{C}\). XOR the right part of \(\delta\) to it, i.e., form \((R^{10} \oplus \varDelta_{1,3,10,15}, {R'}^{10} \oplus \varDelta_{1,3,10,15})\), and store this in \(\mathcal{D}\).
4. Before storing, look up whether there is already an entry in \(\mathcal{D}\) under the index \((R^{10} \oplus \varDelta_{1,3,10,15}, {R'}^{10} \oplus \varDelta_{1,3,10,15})\). If there is, label the existing ciphertext pair in \(\mathcal{D}\) as \((D, D')\) and store the quartet \((C, C', D, D')\) in \(\mathcal{Q}\). We can build \((2^{29.57})^2 / 2 = 2^{58.14}\) quartets from our pairs. Since this event requires a match in 16 bits of the first and 16 bits of the second pair, we can expect on average \(2^{58.14 - 32} \approx 2^{26.14}\) false-positive quartets for which this condition holds. Since the probability of a right quartet is \(2^{-(2 \cdot 8.01 + 2 \cdot 4.56)} = 2^{-25.14}\), we can expect \(2^{58.14 - 25.14} = 2^{33}\) right quartets in addition. We approximate \(2^{33} + 2^{26.14} \approx 2^{33}\) hereafter.
Filtering Phase
5. Initialize a table \(\mathcal{T}\) of \(2^{16}\) counters.
6. For all possible values of the subkey \(K^{10}\): decrypt all quartets over the final round and check whether their difference \(\varDelta L^{10}\) is equal to \(\varDelta_{15}\). If yes, increment the counter for the current key candidate in \(\mathcal{T}\).
7. Output the key candidate(s) with the maximal count(s) in \(\mathcal{T}\).
Brute-Force Phase
8. Partially decrypt the remaining pairs round by round to identify the further round keys \(K^9\), \(K^8\), and \(K^7\).
8 Discussion and Conclusion
This work presented differential attacks on round-reduced versions of Simon and Speck. Furthermore, we briefly considered rectangle attacks on Speck. We also studied rectangle attacks on Simon and impossible-differential attacks; however, we omitted those since they did not improve on our results with conventional differentials.
Our analysis can be seen as a starting point for further research on Simon and Speck. For Simon, it demonstrates that up to half the number of rounds are vulnerable to differential attacks due to its highly optimized round function. Moreover, the cipher shows a strong differential effect, i.e., there are many possible characteristics for a given input and output difference.
Speck is much closer to previous ARX designs such as Threefish than Simon is. However, while Threefish was published four years ago, still only about a third of its rounds have been attacked so far, whereas the current analysis of Speck already threatens the security of up to half of its rounds shortly after publication. Moreover, any new analysis method for addition-based ARX would be a threat to the NSA constructions as well. In conclusion, we can learn from Simon that AND-based (AND-rotation-XOR) designs should incorporate additions to provide reasonably fast diffusion.
Acknowledgments
We thank all reviewers of the FSE 2014 for their helpful comments and furthermore, we would like to thank Christian Forler, Ivica Nikolić, Douglas Shors, and Vesselin Velichkov for fruitful discussions.
References
1. Alizadeh, J., Bagheri, N., Gauravaram, P., Kumar, A., Sanadhya, S.K.: Linear Cryptanalysis of Round Reduced SIMON. Cryptology ePrint Archive, Report 2013/663 (2013). http://eprint.iacr.org/
2. Alkhzaimi, H.A., Lauridsen, M.M.: Cryptanalysis of the SIMON Family of Block Ciphers. Cryptology ePrint Archive, Report 2013/543 (2013). http://eprint.iacr.org/
3. Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK Families of Lightweight Block Ciphers. Cryptology ePrint Archive, Report 2013/404 (2013). http://eprint.iacr.org/
4. Biham, E., Dunkelman, O., Keller, N.: The Rectangle Attack - Rectangling the Serpent. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 340–357. Springer, Heidelberg (2001)
5. Biryukov, A., Velichkov, V.: Automatic Search for Differential Trails in ARX Ciphers (Extended Version). Cryptology ePrint Archive, Report 2013/853 (2013). http://eprint.iacr.org/
6. Bogdanov, A.A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: An Ultra-Lightweight Block Cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)
7. Borghoff, J., et al.: PRINCE: A Low-Latency Block Cipher for Pervasive Computing Applications - Extended Abstract. In: Sako, K., Wang, X. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012)
8. De Cannière, C., Dunkelman, O., Knežević, M.: KATAN and KTANTAN: A Family of Small and Efficient Hardware-Oriented Block Ciphers. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 272–288. Springer, Heidelberg (2009)
9. Gong, Z., Nikova, S., Law, Y.W.: KLEIN: A New Family of Lightweight Block Ciphers. In: Juels, A., Paar, C. (eds.) RFIDSec 2011. LNCS, vol. 7055, pp. 1–18. Springer, Heidelberg (2012)
10. Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.: The LED Block Cipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer, Heidelberg (2011)
11. Hong, D., et al.: HIGHT: A New Block Cipher Suitable for Low-Resource Device. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 46–59. Springer, Heidelberg (2006)
12. Lim, C.H., Korkishko, T.: mCrypton - A Lightweight Block Cipher for Security of Low-Cost RFID Tags and Sensors. In: Song, J.S., Kwon, T., Yung, M. (eds.) WISA 2005. LNCS, vol. 3786, pp. 243–258. Springer, Heidelberg (2006)
13. Lipmaa, H.: On Differential Properties of Pseudo-Hadamard Transform and Related Mappings. In: Menezes, A., Sarkar, P. (eds.) INDOCRYPT 2002. LNCS, vol. 2551, pp. 48–61. Springer, Heidelberg (2002)
14. Lipmaa, H., Moriai, S.: Efficient Algorithms for Computing Differential Properties of Addition. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 336–350. Springer, Heidelberg (2002)
15. Matsui, M.: On Correlation Between the Order of S-boxes and the Strength of DES. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 366–375. Springer, Heidelberg (1995)
16. Wu, W., Zhang, L.: LBlock: A Lightweight Block Cipher. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 327–344. Springer, Heidelberg (2011)