Observations on the SIMON Block Cipher Family
Abstract
In this paper we analyse the general class of functions underlying the Simon block cipher. In particular, we derive efficiently computable and easily implementable expressions for the exact differential and linear behaviour of Simon-like round functions.
Following up on this, we use those expressions for a computer aided approach based on SAT/SMT solvers to find both optimal differential and linear characteristics for Simon. Furthermore, we are able to find all characteristics contributing to the probability of a differential for Simon32 and give better estimates for the probability for other variants.
Finally, we investigate a large set of Simon variants using different rotation constants with respect to their resistance against differential and linear cryptanalysis. Interestingly, the default parameters seem to be not always optimal.
Keywords
SIMON, Differential cryptanalysis, Linear cryptanalysis, Block cipher, Boolean functions
1 Introduction
Lightweight cryptography studies the deployment of cryptographic primitives in resource-constrained environments. This research direction is driven by a demand for cost-effective, small-scale communicating devices such as RFID tags that are a cornerstone in the Internet of Things. Most often the constrained resource is taken to be the chip-area but other performance metrics such as latency [7], code-size [2] and ease of side-channel protection [12] have been considered as well. Some of these criteria were already treated in Noekeon [9].
The increased importance of lightweight cryptography and its applications has lately been reflected in the NSA publishing two dedicated lightweight cipher families: Simon and Speck [5]. Considering that this is only the third time within four decades that the NSA has published a block cipher, this is quite remarkable. Especially as NIST has started shortly after this publication to investigate the possibilities to standardise lightweight primitives, Simon and Speck certainly deserve a thorough investigation. This is emphasised by the fact that, in contrast to common practice, neither a security analysis nor a justification of the design choices were published by the NSA. This lack of openness necessarily gives rise to curiosity and caution.
In this paper we focus on the Simon family of block ciphers; an elegant, innovative and very efficient set of block ciphers. There exists already a large variety of papers, mainly focussed on evaluating Simon’s security with regard to linear and differential cryptanalysis. Most of the methods used therein are rather ad-hoc, often only using approximative values for the differential round probability and in particular for the linear square correlation of one round.
Our Contribution. With this study, we complement the existing work threefold. Firstly we develop an exact closed form expression for the differential probability and a \(\log (n)\) algorithm for determining the square correlation over one round. Their accuracy is proven rigorously. Secondly we use these expressions to implement a model of differential and linear characteristics for SAT/SMT solvers which allows us to find the provably best characteristics for different instantiations of Simon. Furthermore we are able to shed light on how differentials in Simon profit from the collapse of many differential characteristics. Thirdly by generalising the probability expressions and the SAT/SMT model, we are able to compare the quality of different parameter sets with respect to differential and linear cryptanalysis.
We achieve this goal by first simplifying this question by considering equivalent descriptions both of the round function as well as the whole cipher (cf. Sect. 2.4). These simplifications, together with the theory of quadratic boolean functions, result in a clearer analysis of linear and differential properties (cf. Sects. 3 and 4). Importantly, the derived simple equations for computing the probabilities of the Simon round function can be evaluated efficiently and, more importantly maybe, are conceptually very easy. This allows them to be easily used in computer-aided investigations of differential and linear properties over more rounds. It should be noted here that the expression for linear approximations is more complex than the expression for the differential case. However, with respect to the running time of the computer-aided investigations this difference is negligible.
We used this to implement a framework based on SAT/SMT solvers to find the provably best differential and linear characteristics for various instantiations of Simon (cf. Sect. 5, in particular Table 1). Furthermore we are able to shed light on how differentials in Simon profit from the collapse of many differential characteristics by giving exact distributions of the probabilities of these characteristics for chosen differentials. The framework is open source and publicly available to encourage further research [13].
In Sect. 6 we apply the developed theory and tools to investigate the design space of Simon-like functions. In particular, using the computer-aided approach, we find that the standard Simon parameters are not optimal with regard to the best differential and linear characteristics.
As a side result, we improve the probabilities for the best known differentials for several variants and rounds of Simon. While this might well lead to (slightly) improved attacks, those improved attacks are out of the scope of our work.
Interestingly, at least for Simon32 our findings indicate that the choices made by the NSA are good but not optimal under our metrics, leaving room for further investigations and questions. To encourage further research, we propose several alternative parameter choices for Simon32. Here, we are using the parameters that are optimal when restricting the criteria to linear, differential and dependency properties. We encourage further research on those alternative choices to shed more light on the undisclosed design criteria.
We also like to point out that the Simon key-scheduling was not part of our investigations. Its influence on the security of Simon is left as an important open question for further investigations. In line with this, whenever we investigate multi-round properties of Simon in our work, we implicitly assume independent round keys in the computation of probabilities.
Finally, we note that most of our results can be applied to more general constructions, where the involved operations are restricted to AND, XOR, and rotations.
Related Work. There are various papers published on the cryptanalysis of Simon [1, 3, 6, 17, 18, 19]. The most promising attacks so far are based on differential and linear cryptanalysis, however a clear methodology of how to derive the differential probabilities and square correlations seems to be missing in most cases. Biryukov, Roy and Velichkov [6] derive a correct, but rather involved method to find the differential probabilities. Abed, List, Lucks and Wenzel [1] state an algorithm for the calculation of the differential probabilities but without further explanation. For the calculation of the square correlations an algorithm seems to be missing altogether.
Previous work also identifies various properties like the strong differential effect and gives estimates of the probability of differentials.
The concept behind our framework was previously also applied on the ARX cipher Salsa20 [14] and the CAESAR candidate NORX [4]. In addition to the applications proposed in previous work we extend it for linear cryptanalysis, examine the influence of rotation constants and use it to compute the distribution of characteristics corresponding to a differential.
2 Preliminaries
In this section, we start by defining our notation and giving a short description of the round function. We recall suitable notions of equivalence of Boolean functions that allow us to simplify our investigations of Simon-like round functions. Most of this section is generally applicable to AND-RX constructions, i.e. constructions that only make use of the bitwise operations AND, XOR, and rotations.
2.1 Notation
We denote by \({{\mathrm{\mathbb {F}}}}_2\) the field with two elements and by \({{\mathrm{\mathbb {F}}}}_2^n\) the n-dimensional vector space over \({{\mathrm{\mathbb {F}}}}_2\). By \({{\mathrm{\mathbf {0}}}}\) and \({{\mathrm{\mathbf {1}}}}\) we denote the vectors of \({{\mathrm{\mathbb {F}}}}_2^n\) with all 0s and all 1s respectively. The Hamming weight of a vector \(a\in {{\mathrm{\mathbb {F}}}}_2^n\) is denoted as \({{\mathrm{wt}}}(a)\). By \({{\mathrm{\mathbb {Z}}}}_n\) we denote the integers modulo n.
2.2 Description of SIMON
2.3 Affine Equivalence of Boolean Functions
2.4 Structural Equivalence Classes in AND-RX Constructions
AND-RX constructions, i.e. constructions that make only use of the operations AND (\(\odot \)), XOR (\(+\)), and rotations (\(S^r\)), exhibit a high degree of symmetry. Not only are they invariant under rotation of all input words, output words and constants, they are furthermore structurally invariant under any affine transformation of the bit-indices. As a consequence of this, several equivalent representations of the Simon variants exist.
To summarize the above, when applying such a transformation T to all input words, output words and constants in an AND-RX construction, the structure of the constructions remains untouched apart from a multiplication of the rotation constants by the factor s.
This means for example for Simon32 that changing the rotation constants from (8, 1, 2) to \((3\cdot 8, 3\cdot 1, 3\cdot 2) = (8,3,6)\) and adapting the key schedule accordingly gives us the same cipher apart from a bit permutation. As s has to be coprime to n, all s with \(\gcd (s,n)=1\) are allowed, giving \(\varphi (n)\) equivalent tuples of rotation constants in each equivalence class where \(\varphi \) is Euler’s phi function.
Together with the result from Sect. 2.3, this implies the following lemma.
Lemma 1
When looking at differential and square correlations of Simon-like round functions this means that it is sufficient to investigate this restricted set of functions. The results for these functions can then simply be transferred to the general case.
3 Differential Probabilities of SIMON-like Round Functions
In this section, we derive a closed expression for the differential probability for all Simon-like round functions, i.e. all functions as described in Eq. (1). The main ingredients here are the derived equivalences and the observation that any such function is quadratic. Being quadratic immediately implies that its derivative is linear and thus the computation of differential probabilities basically boils down to linear algebra (cf. Theorem 1). However, to be able to efficiently study multiple-round properties and in particular differential characteristics, it is important to have a simple expression for the differential probabilities. Those expressions are given for \(f(x)=x\odot S^1(x)\) in Theorem 2 and for the general case in Theorem 3.
3.1 A Closed Expression for the Differential Probability
The following statement summarises the differential properties of the f function.
Theorem 1
Proof
Next we present a closed formula to calculate the differential probability in the case where \(a=1\). Furthermore we restrict ourselves to the case where n is even.
Theorem 2
Proof
According to Theorem 1, we need to prove two things. Firstly we need to prove that the rank of \(L_\alpha \) (i.e. \(n-\dim \ker L_\alpha \)) is \(n-1\) when \(\alpha ={{\mathrm{\mathbf {1}}}}\), and \({{\mathrm{wt}}}(\mathtt {varibits} + \mathtt {doublebits})\) otherwise. Secondly we need to prove that \( \beta +\alpha \odot S^1(\alpha ) \in \mathsf {Img}(L_{\alpha })\) iff \({{\mathrm{wt}}}(\beta ) \equiv 0 \mod 2\) when \(\alpha = {{\mathrm{\mathbf {1}}}}\), and that \( \beta +\alpha \odot S^1(\alpha ) \in \mathsf {Img}(L_{\alpha })\) iff \(\beta \odot \overline{\mathtt {varibits}} = {{\mathrm{\mathbf {0}}}} \text { and } (\beta + S^{1}(\beta )) \odot \mathtt {doublebits} = {{\mathrm{\mathbf {0}}}}\) when \(\alpha \ne {{\mathrm{\mathbf {1}}}}\).
By associating the rows in the above matrix with the bits in \(\mathtt {varibits}\), we can clearly see that the number of nonzero rows in the matrices corresponds to the number of 1s in \(\mathtt {varibits} = S^1(\alpha ) \vee \alpha \).
For the second part of the proof, we need to prove the conditions that check whether \(\beta +\alpha \odot S^1(\alpha ) \in \mathsf {Img}(L_{\alpha })\). First notice that \(\alpha \odot S^1(\alpha )\) is in the image of \(L_\alpha \) (consider for x the vector with bits alternately set to 0 and 1). Thus it is sufficient to test whether \(\beta \) is in \(\mathsf {Img}L_\alpha \). Let \(y = L_\alpha (x)\). Let us first look at the case of \(\alpha = {{\mathrm{\mathbf {1}}}}\). Then \(L_\alpha (x) = x+S^1(x)\). We can thus deduce from bit \(y_i\) whether \(x_i=x_{i-1}\) or \(x_i\ne x_{i-1}\). Thus the bits in y create a chain of equalities/inequalities in the bits of x which can only be fulfilled if the number of inequalities is even. Hence in that case \(\beta \in \mathsf {Img}L_\alpha \) iff \({{\mathrm{wt}}}(\beta ) \equiv 0 \mod 2\).
For the case that \(\alpha \ne {{\mathrm{\mathbf {1}}}}\), we first note that \(y_i\) has to be zero if the corresponding row i in the matrix of Eq. (4) is all zeroes. Furthermore following our discussion of this matrix earlier, we see that \(y_i\) is independent of the rest of y if the corresponding row is linearly independent of the other rows and that \(y_i\) has to be the same as \(y_{i-1}\) if the corresponding rows are identical. Thus we only need to check that the zero-rows of the matrix correspond to zero bits in \(\beta \) and that the bits in \(\beta \) which correspond to identical rows in the matrix are equal. Thus \(\beta \) is in the image of \(L_\alpha \) iff \(\beta \odot \overline{\mathtt {varibits}} = {{\mathrm{\mathbf {0}}}}\) and \((\beta + S^{1}(\beta )) \odot \mathtt {doublebits} = {{\mathrm{\mathbf {0}}}}\). \(\square \)
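The conditions established in this proof can be checked exhaustively against the difference distribution of \(f(x)=x\odot S^1(x)\) for small even n. The following Python is an added example, not the paper's Appendix A code. It assumes that \(S^1\) is a left rotation and that \(\mathtt {doublebits} = \alpha \odot \overline{S^1(\alpha )} \odot S^2(\alpha )\), i.e. the positions where two adjacent rows of the matrix coincide; that definition is not reproduced on this page.

```python
def rotl(x, r, n):
    """S^r: rotate the n-bit word x left by r positions."""
    r %= n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)


def f(x, n):
    """Simplified round function f(x) = x AND S^1(x)."""
    return x & rotl(x, 1, n)


def diff_weight(alpha, beta, n):
    """Return w such that Pr[alpha -> beta] = 2^-w, or None if the
    transition is impossible. Valid for even n, as in the proof."""
    mask = (1 << n) - 1
    if alpha == mask:
        # alpha = 1: rank n-1, beta must have even Hamming weight
        return n - 1 if bin(beta).count("1") % 2 == 0 else None
    varibits = rotl(alpha, 1, n) | alpha
    # Assumed definition: rows i and i-1 coincide at these positions
    doublebits = alpha & (~rotl(alpha, 1, n) & mask) & rotl(alpha, 2, n)
    if beta & ~varibits & mask:
        return None          # a zero row must give a zero output bit
    if (beta ^ rotl(beta, 1, n)) & doublebits:
        return None          # identical rows must give equal output bits
    return bin(varibits ^ doublebits).count("1")


def ddt_row(alpha, n):
    """Brute-force count of each output difference for input difference alpha."""
    counts = {}
    for x in range(1 << n):
        beta = f(x, n) ^ f(x ^ alpha, n)
        counts[beta] = counts.get(beta, 0) + 1
    return counts


def mismatches(n):
    """Number of (alpha, beta) pairs where closed form and brute force differ."""
    bad = 0
    for alpha in range(1 << n):
        row = ddt_row(alpha, n)
        for beta in range(1 << n):
            w = diff_weight(alpha, beta, n)
            expected = 0 if w is None else 1 << (n - w)
            if row.get(beta, 0) != expected:
                bad += 1
    return bad


if __name__ == "__main__":
    for n in (4, 6, 8):
        print(f"n={n}: {mismatches(n)} mismatches")
```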
3.2 The Full Formula for Differentials
Above we treated only the case for the simplified function \(f(x)=x\cdot S^1(x)\). As mentioned earlier, the general case where \(\gcd (a-b,n) = 1\) can be deduced from this with linear algebra. When \(\gcd (d,n) \ne 1\) though, the function \(f(x) = x \odot S^d(x)\) partitions the output bits into independent classes. This not only raises differential probabilities (worst case \(d=0\)), it also makes the notation for the formulas more complex and cumbersome, though not difficult. We thus restrict ourselves to the most important case when \(\gcd (a-b,n) = 1\). The general formulas are then
Theorem 3
For a more intuitive approach and some elaboration on the differential probabilities, we refer to the ePrint version of this paper.
4 Linear Correlations of SIMON-like Round Functions
As in the differential case, for the study of linear approximations, we also build up on the results from Sects. 2.3 and 2.4. We will thus start with studying linear approximations for the function \(f(x) = x \odot S^a(x)\). Again, the key point here is that all those functions are quadratic and thus their Fourier coefficient, or equivalently their correlation, can be computed by linear algebra (cf. Theorem 4). Theorem 5 is then, in analogy to the differential case, the explicit expression for the linear correlations. It basically corresponds to an explicit formula for the dimension of the involved subspace.
The first result is the following:
Theorem 4
Proof
Let us now restrict ourselves to the case where \(f(x) = x\odot S^1(x)\). The general case can be deduced analogously to the differential probabilities. For simplicity we also restrict ourselves to the case where n is even.
First we need to introduce some notation. Let \(x\in {{\mathrm{\mathbb {F}}}}_2^n\) with not all bits equal to 1. We now look at blocks of consecutive 1s in x, including potentially a block that “wraps around” the ends of x. Let the lengths of these blocks, measured in bits, be denoted as \(c_0,\dots , c_m\). For example, the bitstring 100101111011 has blocks of length 1, 3, and 4. With this notation define \(\theta (x) := \sum \limits _{i=0}^{m} \lceil \frac{c_i}{2} \rceil .\)
Noting that the linear square correlation of f is \(\frac{{\widehat{f}}(\alpha ,\beta )^2}{2^{2n}}\), we then have the following theorem:
Theorem 5
Proof
Analogously to the differential probabilities, the linear probabilities in the general case can be derived from this. It is likewise straightforward to derive how to determine whether \(\alpha \in U^\perp _\beta \). As an explicit formulation of this is rather tedious, we instead refer to the implementation in Python given in the Appendix A where both are achieved in the case where \(\gcd (a-b,n) = 1\) and n is even.
For a more intuitive approach and some elaboration on the linear probabilities, we refer to the ePrint version of this paper.
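The block-length function \(\theta \) defined above can be computed directly and compared with an exhaustive Walsh transform of \(f(x) = x\odot S^1(x)\). The following Python is an added example, not the paper's Appendix A code. The theorem statement is not reproduced on this page, so the relation checked here is an assumption of the example: every nonzero squared Walsh coefficient of \(\langle \beta , f(x)\rangle \) equals \(2^{2n-2\theta (\beta )}\) for \(\beta \ne {{\mathrm{\mathbf {1}}}}\) and \(2^{n+2}\) for \(\beta = {{\mathrm{\mathbf {1}}}}\), with n even and \(S^1\) taken as a left rotation.

```python
def rotl(x, r, n):
    """S^r: rotate the n-bit word x left by r positions."""
    r %= n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)


def theta(x, n):
    """Sum of ceil(c_i / 2) over the cyclic blocks of consecutive 1s in x."""
    if x == (1 << n) - 1:
        raise ValueError("theta is defined only when not all bits are 1")
    if x == 0:
        return 0
    # Rotate until bit 0 is 0 so that no block wraps around the word ends.
    while x & 1:
        x = (x >> 1) | (1 << (n - 1))
    total, run = 0, 0
    for i in range(n):
        if (x >> i) & 1:
            run += 1
        else:
            total += (run + 1) // 2
            run = 0
    return total + (run + 1) // 2


def walsh(values):
    """Fast Walsh-Hadamard transform: out[a] = sum_x values[x] * (-1)^<a,x>."""
    v = list(values)
    h = 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                v[j], v[j + h] = v[j] + v[j + h], v[j] - v[j + h]
        h *= 2
    return v


def squared_spectrum(beta, n):
    """Set of nonzero squared Walsh coefficients of x -> <beta, x AND S^1(x)>."""
    signs = [1 - 2 * (bin(beta & x & rotl(x, 1, n)).count("1") & 1)
             for x in range(1 << n)]
    return {c * c for c in walsh(signs) if c}


def theta_mismatches(n):
    """Number of output masks beta whose spectrum disagrees with theta (n even)."""
    mask = (1 << n) - 1
    bad = 0
    for beta in range(1 << n):
        # Assumed relation (see lead-in); beta = all-ones is the special case.
        expo = n + 2 if beta == mask else 2 * n - 2 * theta(beta, n)
        if squared_spectrum(beta, n) != {1 << expo}:
            bad += 1
    return bad


if __name__ == "__main__":
    # The bitstring used as an example in the text: blocks of length 1, 3, 4.
    print("theta(100101111011) =", theta(0b100101111011, 12))
    for n in (4, 6, 8):
        print(f"n={n}: {theta_mismatches(n)} mismatches")
```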
5 Finding Optimal Differential and Linear Characteristics
While there are various methods for finding good characteristics, determining optimal differential or linear characteristics remains a hard problem in general. The formulas derived for both differential and linear probabilities enable us to apply an algebraic approach to finding the best characteristics. A similar technique has been applied to the ARX cipher Salsa20 [14] and the CAESAR candidate NORX [4]. For finding the optimal characteristics for Simon we implemented an open source tool [13] based on the SAT/SMT solvers CryptoMiniSat [15] and STP [11].
In the next section we will show how Simon can be modeled to find both the best differential and linear characteristics in this framework and how this can be used to solve cryptanalytic problems.
5.1 Model for Differential Cryptanalysis of SIMON
First we define the variables used in the model of Simon. We use two n-bit variables \(x_i\), \(y_i\) to represent the XOR-difference in the left and right halves of the state for each round and an additional variable \(z_i\) to store the XOR-difference of the output of the AND operation.
5.2 Finding Optimal Characteristics
We can now use the previous model for Simon to search for optimal differential characteristics. This is done by formulating the problem of finding a valid characteristic, with respect to our constraints, for a given probability w. This is important to limit the search space and makes sense as we are usually more interested in differential characteristics with a high probability as they are more promising to lead to attacks with a lower complexity. Therefore, we start with a high probability and check if such a characteristic exists. If not we lower the probability.

1. For each round of the cipher add the corresponding constraints as defined in (11). This system of constraints then exactly describes the form of a valid characteristic for the given parameters.
2. Add a condition which accumulates the probabilities of each round as defined in (10) and check if it is equal to our target probability w.
3. Query if there exists an assignment of variables which is satisfiable under the constraints.
4. Decrement the probability w and repeat the procedure.
Overview of the optimal differential (on top) and linear characteristics for different variants of Simon. The probabilities are given as \(\log _2(p)\), for linear characteristic the squared correlation is used.
Rounds:  2  3  4  5  6  7  8  9  10  11  12  13  14  15  16
Differential
Simon32  \(-2\)  \(-4\)  \(-6\)  \(-8\)  \(-12\)  \(-14\)  \(-18\)  \(-20\)  \(-25\)  \(-30\)  \(-34\)  \(-36\)  \(-38\)  \(-40\)  \(-42\)
Simon48  \(-2\)  \(-4\)  \(-6\)  \(-8\)  \(-12\)  \(-14\)  \(-18\)  \(-20\)  \(-26\)  \(-30\)  \(-35\)  \(-38\)  \(-44\)  \(-46\)  \(-50\)
Simon64  \(-2\)  \(-4\)  \(-6\)  \(-8\)  \(-12\)  \(-14\)  \(-18\)  \(-20\)  \(-26\)  \(-30\)  \(-36\)  \(-38\)  \(-44\)  \(-48\)  \(-54\)
Linear
Simon32  \(-2\)  \(-4\)  \(-6\)  \(-8\)  \(-12\)  \(-14\)  \(-18\)  \(-20\)  \(-26\)  \(-30\)  \(-34\)  \(-36\)  \(-38\)  \(-40\)  \(-42\)
Simon48  \(-2\)  \(-4\)  \(-6\)  \(-8\)  \(-12\)  \(-14\)  \(-18\)  \(-20\)  \(-26\)  \(-30\)  \(-36\)  \(-38\)  \(-44\)  \(-46\)  \(-50\)
Simon64  \(-2\)  \(-4\)  \(-6\)  \(-8\)  \(-12\)  \(-14\)  \(-18\)  \(-20\)  \(-26\)  \(-30\)  \(-36\)  \(-38\)  \(-44\)  \(-48\)  \(-54\)
Upper Bound for the Characteristics. During our experiments we observed that it seems to be an easy problem for the SMT/SAT solver to prove the absence of differential characteristics above \(w_{\text {max}}\). This can be used to get a lower bound on the probability of characteristics contributing to the differential. The procedure is similar to finding the optimal characteristics.

1. Start with a very low initial probability \(w_i\).
2. Add the same system of constraints which were used for finding the characteristic.
3. Add a constraint fixing the variables \((x_0, y_0)\) to \(\varDelta _{\text {in}}\) and \((x_r, y_r)\) to \(\varDelta _{\text {out}}\).
4. Query if there is a solution for this weight.
5. Increase the probability \(w_i\) and repeat the procedure until a solution is found.
5.3 Computing the Probability of a Differential
Given a differential characteristic it is of interest to determine the probability of the associated differential \(\Pr (\varDelta _{\text {in}} \xrightarrow {f^r} \varDelta _{\text {out}})\) as it might potentially have a much higher probability than the single characteristic. It is often assumed that the probability of the best characteristic can be used to approximate the probability of the best differential. However, this assumption only gives an inaccurate estimate in the case of Simon.
1. Add the same system of constraints which were used for finding the characteristic.
2. Add a constraint fixing the variables \((x_0, y_0)\) to \(\varDelta _{\text {in}}\) and \((x_r, y_r)\) to \(\varDelta _{\text {out}}\).
3. Use a SAT solver to find all solutions \(s_i\) for the probability w.
4. Decrement the probability w and repeat the procedure.
We used this approach to compute better estimates for the probability of various differentials (see Table 2). In the case of Simon32 we were able to find all characteristics contributing to the differentials for 13 and 14 rounds. The distribution of the characteristics and accumulated probability of the differential is given in Fig. 2. It is interesting to see that the distribution of w in the range [55, 89] is close to uniform and therefore the probability of the corresponding differential improves only negligibly and converges quickly towards the measured probability^{3}.
The performance of the whole process is very competitive compared to dedicated approaches. Enumerating all characteristics up to probability \(2^{-46}\) for the 13-round Simon32 differential takes around 90 seconds on a single CPU core and already gives a better estimate compared to the results in [6]. A complete enumeration of all characteristics for 13-round Simon32 took close to one core month using CryptoMiniSat4 [15]. The computational effort for other variants of Simon is comparable given the same number of rounds. However, for these variants we can use differentials with a lower probability covering more rounds due to the increased block size. In this case the running time increases due to the larger interval \([w_{\text {min}}, w_{\text {max}}]\) and higher number of rounds.
For Simon48 and Simon64 we are able to improve the estimate given in [16]. Additionally we found differentials which can cover 17 rounds for Simon48 and 22 rounds for Simon64 which might have potential to improve previous attacks. Our results are also closer to the experimentally obtained estimates given in [10] but give a slightly lower probability. This can be due to the limited number of characteristics we use for the larger Simon variants or the different assumptions on the independence of rounds.
Overview of the differentials and the range \([w_{\text {min}},w_{\text {max}}]\) of the \(\log _2\) probabilities of the characteristics contributing to the differential. For computing the lower bound \(\log _2(p)\) of the probability of the differentials, we used all characteristics with probabilities in the range from \(w_{\text {min}}\) up to the values in brackets in the \(w_{\text {max}}\) column.

6 Analysis of the Parameter Choices
The designers of Simon so far gave no justification for their choice of the rotation constants. Here we evaluate the space of rotation parameters with regard to different metrics for the quality of the parameters. Our results are certainly not a definite answer but are rather intended as a starting point to evaluating the design space and reverse engineering the design choices. We consider all possible sets of rotation constants (a, b, c)^{4} and checked them for diffusion properties and the optimal differential and linear characteristics.
6.1 Diffusion
As a very simple measure to estimate the quality of the rotation constants, we measure the number of rounds that are needed to reach full diffusion. Full diffusion is reached when every state bit principally depends on all input bits. Compared to computing linear and differential properties it is an easy task to determine the dependency.
The number of rounds after which full diffusion is reached for the standard Simon parameters in comparison to the whole possible set of parameters.
Block size  32  48  64  96  128 

Standard parameters  7  8  9  11  13 
Median  8  10  11  13  14 
First quartile  7  9  9  11  12 
Best possible  6  7  8  9  10 
Rank  2nd  2nd  2nd  3rd  4th 
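The dependency count described in this section can be reproduced by propagating, for every state bit, the set of input bits it can depend on. The following Python is an added example, not the authors' tool. It assumes the Feistel round (left, right) -> (f(left) + right + k, left) with \(f(x) = S^a(x)\odot S^b(x)+S^c(x)\), since the description in Sect. 2.2 is not reproduced on this page, and it assumes the rotation constants (8, 1, 2), which the page gives for Simon32, for every block size.

```python
def rounds_to_full_diffusion(n, a, b, c, max_rounds=None):
    """Rounds until every state bit depends on all 2n input bits.

    n is the word size (block size 2n); a, b, c are the rotation constants
    of the assumed round function f(x) = (S^a(x) AND S^b(x)) XOR S^c(x).
    Dependencies are tracked structurally: a bit counts as dependent on
    every input bit that appears anywhere in its expression.
    """
    if max_rounds is None:
        max_rounds = 4 * n
    full = (1 << (2 * n)) - 1
    # Each entry is a bitmask over the 2n input bits (left word in the top half).
    left = [1 << (n + i) for i in range(n)]
    right = [1 << i for i in range(n)]
    for r in range(1, max_rounds + 1):
        new_left = [
            left[(i - a) % n] | left[(i - b) % n] | left[(i - c) % n] | right[i]
            for i in range(n)
        ]
        # Feistel swap: the old left word becomes the new right word.
        left, right = new_left, left
        if all(dep == full for dep in left) and all(dep == full for dep in right):
            return r
    return None  # full diffusion is never reached for these constants


def standard_row():
    """Diffusion rounds for block sizes 32..128 with constants (8, 1, 2)."""
    return {2 * n: rounds_to_full_diffusion(n, 8, 1, 2)
            for n in (16, 24, 32, 48, 64)}


def simon32_variants():
    """Standard constants next to the three alternative sets named in Sect. 6.3."""
    variants = [(8, 1, 2), (12, 5, 3), (7, 0, 2), (1, 0, 2)]
    return {v: rounds_to_full_diffusion(16, *v) for v in variants}


if __name__ == "__main__":
    print("standard parameters:", standard_row())
    print("Simon32 variants:  ", simon32_variants())
```

Under these assumptions `standard_row()` reproduces the "Standard parameters" row of the table above.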
6.2 Differential and Linear
As a second criterion for our parameters, we computed for all \(a > b\) and \(\gcd (a-b, n) = 1\) the optimal differential and linear characteristics for 10 rounds of Simon32, Simon48 and Simon64. A list of the parameters which are optimal for all three variants of Simon can be found in Appendix C.
It is important here to note that there are also many parameter sets, including the standard choice, for which the best 10-round characteristics of Simon32 have a probability of \(2^{-25}\) compared to the optimum of \(2^{-26}\). However, this difference by a factor of 2 does not seem to occur for more than 10 rounds and also not for any larger variants of Simon.
6.3 Interesting Alternative Parameter Sets
As one result of our investigation we chose three exemplary sets of parameters that surpass the standard parameters with regards to some metrics. Those variants are Simon[12, 5, 3], Simon[7, 0, 2] and Simon[1, 0, 2].
Simon[12, 5, 3] has the best diffusion amongst the parameters which have optimal differential and linear characteristics for 10 rounds. The two other choices are both restricted by setting \(b = 0\) as this would allow a more efficient implementation in software. Among those Simon[7, 0, 2] has the best diffusion and the characteristics behave similar to the standard parameters. Ignoring the diffusion Simon[1, 0, 2] seems also an interesting choice as it is optimal for the differential and linear characteristics.
If we look though at the differential corresponding to the best differential characteristic of Simon[7, 0, 2] and Simon[1, 0, 2], then we can see the number of characteristics contributing to it is significantly higher than for the standard parameters (see Appendix Table 6). However, for Simon[12, 5, 3] the differential shows a surprisingly different behaviour and the probability of the differential is much closer to the probability of the characteristic. On the other side, the characteristics seem to be worse for the larger variants as can be seen in Table 7. Furthermore it might be desirable to have at least one rotation parameter that corresponds to a byte length, something that the standard parameter set features.
7 Conclusion and Future Work
In this work we analysed the general class of functions underlying the Simon block cipher. First we rigorously derived efficiently computable and easily implementable expressions for the exact differential and linear behaviour of Simon-like round functions.
Building upon this, we used those expressions for a computer aided approach based on SAT/SMT solvers to find both optimal differential and linear characteristics for Simon. Furthermore, we were able to find all characteristics contributing to the probability of a differential for Simon32 and gave better estimates for the probability for other variants.
Finally, we investigated the space of Simon variants using different rotation constants with respect to diffusion, and the optimal differential and linear characteristics. Interestingly, the default parameters seem to be not always optimal.
This work opens up for further investigations. In particular, the choice and justifications of the NSA parameters for Simon remains unclear. Besides our first progress concerning the round function, the design of the key schedule remains largely unclear and further investigation is needed here.
Footnotes
1. Note that we can transform the equation \(f(x) = S^a(x)\odot S^b(x)+S^c(x)\) to the equation \(S^{-a}(f(x)) + S^{c-a}(x) = x\odot S^{b-a}(x)\).
2. The rank is \(n-1\) when n is odd.
3. We encrypted all \(2^{32}\) possible texts under 100 random keys to obtain the estimate of the probability for 13-round Simon32.
4. Without loss of generality, we assume though that \(a\ge b\).
Notes
Acknowledgments
First of all, we wish to thank Tomer Ashur. Both the method to check whether a linear input mask gives a correlated or uncorrelated linear 1round characteristic for a given output mask as well as the first version of the SMT/SAT model for linear characteristics in Simon were an outcome of our discussions. We furthermore wish to thank the reviewers for comments that helped to improve the paper.
References
1. Abed, F., List, E., Lucks, S., Wenzel, J.: Differential cryptanalysis of round-reduced SIMON and SPECK. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 525–545. Springer, Heidelberg (2015)
2. Albrecht, M.R., Driessen, B., Kavun, E.B., Leander, G., Paar, C., Yalçın, T.: Block ciphers – focus on the linear layer (feat. PRIDE). In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 57–76. Springer, Heidelberg (2014)
3. Alizadeh, J., Alkhzaimi, H.A., Aref, M.R., Bagheri, N., Gauravaram, P., Kumar, A., Lauridsen, M.M., Sanadhya, S.K.: Cryptanalysis of SIMON variants with connections. In: Sadeghi, A.-R., Saxena, N. (eds.) RFIDSec 2014. LNCS, vol. 8651, pp. 90–107. Springer, Heidelberg (2014)
4. Aumasson, J.-P., Jovanovic, P., Neves, S.: Analysis of NORX: investigating differential and rotational properties. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 306–323. Springer, Heidelberg (2015)
5. Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404 (2013). http://eprint.iacr.org/
6. Biryukov, A., Roy, A., Velichkov, V.: Differential analysis of block ciphers SIMON and SPECK. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 546–570. Springer, Heidelberg (2015)
7. Borghoff, J., et al.: PRINCE – a low-latency block cipher for pervasive computing applications - extended abstract. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012)
8. Carlet, C.: Vectorial boolean functions for cryptography. In: Crama, Y., Hammer, P.L. (eds.) Boolean Models and Methods in Mathematics, Computer Science, and Engineering. Encyclopedia of Mathematics and its Applications, vol. 134, pp. 398–469. Cambridge University Press, Cambridge (2010)
9. Daemen, J., Peeters, M., Assche, G.V., Rijmen, V.: The NOEKEON block cipher. Submission to the NESSIE project (2000)
10. Dinur, I., Dunkelman, O., Gutman, M., Shamir, A.: Improved top-down techniques in differential cryptanalysis. Cryptology ePrint Archive, Report 2015/268 (2015). http://eprint.iacr.org/
11. Ganesh, V., Hansen, T., Soos, M., Liew, D., Govostes, R.: STP constraint solver (2014). https://github.com/stp/stp
12. Grosso, V., Leurent, G., Standaert, F.-X., Varıcı, K.: LS-designs: bitslice encryption for efficient masked software implementations. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 18–37. Springer, Heidelberg (2015)
13. Kölbl, S.: CryptoSMT: An easy to use tool for cryptanalysis of symmetric primitives (2015). https://github.com/kste/cryptosmt
14. Mouha, N., Preneel, B.: Towards finding optimal differential characteristics for ARX: Application to Salsa20. Cryptology ePrint Archive, Report 2013/328 (2013). http://eprint.iacr.org/
15. Soos, M.: CryptoMiniSat SAT solver (2014). https://github.com/msoos/cryptominisat/
16. Sun, S., Hu, L., Wang, M., Wang, P., Qiao, K., Ma, X., Shi, D., Song, L., Fu, K.: Towards finding the best characteristics of some bit-oriented block ciphers and automatic enumeration of (related-key) differential and linear characteristics with predefined properties. Cryptology ePrint Archive, Report 2014/747 (2014). http://eprint.iacr.org/
17. Sun, S., Hu, L., Wang, M., Wang, P., Qiao, K., Ma, X., Shi, D., Song, L., Fu, K.: Constructing mixed-integer programming models whose feasible region is exactly the set of all valid differential characteristics of SIMON. Cryptology ePrint Archive, Report 2015/122 (2015). http://eprint.iacr.org/
18. Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014)
19. Wang, Q., Liu, Z., Varici, K., Sasaki, Y., Rijmen, V., Todo, Y.: Cryptanalysis of reduced-round SIMON32 and SIMON48. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 143–160. Springer, Heidelberg (2014)