# Linear Cryptanalysis of Reduced-Round Simeck Using Super Rounds

## Abstract


## 1. Introduction

#### 1.1. Our Contributions

#### 1.2. Comparison with Other Work

- The average case was a result of counting key bits involved in the XOR as a half bit. For the worst case, the key bits were counted as a single bit as in the literature.
- We made changes to how the data complexity was computed in his work for a fair comparison. Furthermore, since we are using multiple linear approximations, we applied the capacity model [3] to both our work and his.

## 2. Simeck

#### 2.1. Notations

#### 2.2. Description of Simeck

## 3. Related Work

## 4. Super Rounds and Super Keys for Simeck

#### 4.1. The Construction of Super Rounds and Derivations of Super Keys

#### 4.2. The Super Key

- 14 copies of ${k}_{s}^{0}$
- 7 copies of ${k}_{s}^{0}\oplus {k}_{s+1}^{1}$
- 2 copies of ${k}_{s}^{0}\oplus {k}_{s+2}^{0}\oplus {k}_{s+1}^{1}\oplus {k}_{s}^{2}$

## 5. Linear Approximations for Simeck 32/64

#### 5.1. 8-Round Attack

#### 5.2. 10-Round Attack

#### 5.3. 12-Round Attack

## 6. Experimental Verification

#### 6.1. 8-Round Key Recovery Attack

#### 6.2. 10-Round Key Recovery Attack

#### 6.3. 12-Round Key Recovery Attack

#### 6.4. Experimental Results of 8-Round Attack without Approximations

#### 6.5. Summary of Experimental Results

## 7. Projected Results Using Multiple Linear Cryptanalysis

#### 7.1. Linear Attacks Using a Single Super-Round

- Seven bits of ${k}_{i}^{19}$ for $i=3,8,13,0,5,2,7$;
- Two bits of the sum: ${k}_{i+1}^{19}\oplus {k}_{i}^{18}$ for $i=3,8$.

- Eight bits of ${k}_{i}^{19}$ for $i=0,5,10,2,7,12,1,6$;
- Four bits of the sum: ${k}_{i+1}^{19}\oplus {k}_{i}^{18}$ for $i=0,5,2,7$.

- Fourteen bits of ${k}_{i}^{19}$ for $i=3,8,13,4,2,7,9,14,0,5,10,12,1,6$, with each counted as a half bit.
- Seven bits of the sum: ${k}_{i+1}^{19}\oplus {k}_{i}^{18}$ for $i=5,13,2,7,3,58$.
- Two bits of the sum: ${k}_{i,i+2}^{19}\oplus {k}_{i+1}^{18}\oplus {k}_{i}^{17}$ for $i=3,8$.

- Thirteen bits of ${k}_{i}^{19}$ for $i=0,5,8,10,1,6,15,11,2,7,12,3,13$, with each counted as a half bit.
- Eight bits of the sum: ${k}_{i+1}^{19}\oplus {k}_{i}^{18}$ for $i=0,5,10,2,7,12,1,6$.
- Four bits of the sum: ${k}_{i,i+2}^{19}\oplus {k}_{i+1}^{18}\oplus {k}_{i}^{17}$ for $i=0,5,2,7$.

#### 7.2. Improved Linear Approximations for Simeck 32/64

#### 7.3. Linear Attacks Using Multiple Super Rounds

- Fourteen bits of the last round key ${k}_{i}^{0}$ for $i=10,5,14,9,4,8,3,2,13,0,1,6,7,12$, with each counted as a half bit.
- Nine bits of the sum ${k}_{i+1}^{0}\oplus {k}_{i}^{1}$ for $i=9,4,13,8,3,0,5,2,7$.
- Two bits of the sum ${k}_{i,i+2}^{0}\oplus {k}_{i+1}^{1}\oplus {k}_{i}^{2}$ for $i=3,8$.

- Five bits of ${k}_{i}^{19}$ for $i=0,5,10,1,6$, with each counted as a half bit.
- Four bits of the sum: ${k}_{i+1}^{19}\oplus {k}_{i}^{18}$ for $i=0,5$.

## 8. The Effect of Super Rounds on Larger Variants of Simeck

## 9. Discussion

## 10. Conclusions and Future Work

## Author Contributions

## Funding

## Conflicts of Interest

## Appendix A. The Deduction of k 3 from k 9

## Appendix B. Derive 13-Round Linear Approximations for Simeck 32/64

**Table A1.** The sequence of approximations used to derive 13-round linear trails for the left-half of Simeck 32.

Active Bits in the Left Side | Active Bits in the Right Side | Used Approximation | Number of Approximations |
---|---|---|---|
0 | - | | |
- | 0 | 1 | 1 |
0 | 1 | 1 | 1 |
1 | 0,2 | 1;1 | 2 |
0,2 | 3 | 1 | 1 |
3 | 0,2,4 | 3;1;1 | 3 |
0,2,4 | 1 | 1 | 1 |
1 | 0,4 | 3;1 | 2 |
0,4 | 0 | | |
0,4 | 3;1 | 2 | |
0,4 | 1 | 1 | 1 |
1 | 0,2,4 | 3;1;1 | 3 |
0,2,4 | 3 |

Active Bits in the Left Side | Active Bits in the Right Side | Used Approximation | Number of Approximations |
---|---|---|---|
- | 0 | 1 | 1 |
0 | 1 | 1 | 1 |
1 | 0,2 | 1:1 | 2 |
0,2 | 3 | 1 | 1 |
3 | 0,2,4 | 3;1;1 | 3 |
0,2,4 | 1 | 1 | 1 |
1 | 0,4 | 3;1 | 2 |
0,4 | - | | |
0,4 | 3;1 | 2 | |
0,4 | 1 | 1 | 1 |
1 | 0,2,4 | 3;1;1 | 3 |
0,2,4 | 3 | 1 | 1 |
3 | 0,2 |

## Appendix C. Derive an Improved 13-Round Linear Approximations for Simeck 32/64

Active Bits in the Left Side | Active Bits in the Right Side | Used Approximation | Number of Approximations |
---|---|---|---|
3 | 0, 2 | 1:1 | 2 |
0,2 | 1 | 1 | 1 |
1 | 0 | 1 | 1 |
0 | - | | |
0 | 1 | 1 | 1 |
0 | 1 | 1 | |
1 | 0,2 | 1;1 | 2 |
0,2 | 3 | 1 | 1 |
3 | 0,2,4 | 3;1;1 | 3 |
0,2,4 | 1 | 1 | 1 |
1 | 0,4 | 3;1 | 2 |
0,4 | - | | |
0.4 | 3;1 | 2 | |
0,4 | 1 |

## Appendix D. Linear Cryptanalysis of Simeck 48/96 Using a Single Super Round

#### Appendix D.1. Linear Approximations for Simeck 48/96

**Table A4.** The sequence of approximations used to derive 20-round linear trails for the left-half of Simeck 48.

Active Bits on the Left Side | Active Bits on the Right Side | Used Approximation | Number of Approximations |
---|---|---|---|
0 | - | | |
- | 0 | 1 | 1 |
0 | 1 | 1 | 1 |
1 | 0,2 | 1;1 | 2 |
0,2 | 3 | 1 | 1 |
3 | 0,2,4 | 3;1;1 | 3 |
0,2,4 | 1 | 1 | 1 |
1 | 0,4 | 3;1 | 2 |
0,4 | 0 | | |
0,4 | 3;1 | 2 | |
0,4 | 1 | 1 | 1 |
1 | 0,2,4 | 3;1;1 | 3 |
0,2,4 | 3 | 1 | 1 |
3 | 0,2 | 1;1 | 2 |
0,2 | 1 | 1 | 1 |
1 | 0 | 1 | 1 |
0 | - | | |
- | 0 | 1 | 1 |
0 | 1 | 1 | 1 |
1 | 0,2 | 1;1 | 2 |
0,2 | 3 |

Active Bits on the Left Side | Active Bits on the Right Side | Used Approximation | Number of Approximations |
---|---|---|---|
- | 0 | 1 | 1 |
0 | 1 | 1 | 1 |
1 | 0,2 | 1:1 | 2 |
0,2 | 3 | 1 | 1 |
3 | 0,2,4 | 3;1;1 | 3 |
0,2,4 | 1 | 1 | 1 |
1 | 0,4 | 3;1 | 2 |
0,4 | - | | |
- | 0,4 | 3;1 | 2 |
0,4 | 1 | 1 | 1 |
1 | 0,2,4 | 3;1;1 | 3 |
0,2,4 | 3 | 1 | 1 |
3 | 0,2 | 1;1 | 2 |
0,2 | 1 | 1 | 1 |
1 | 0 | 1 | 1 |
0 | - | | |
- | 0 | 1 | 1 |
0 | 1 | 1 | 1 |
1 | 0,2 | 1;1 | 2 |
0,2 | 3 | 1 | 1 |
3 | 0,2,4 |

#### Appendix D.2. 28-Round Linear Attacks of Simeck 48/96

- 14 bits of ${k}_{i}^{27}$, for $i=3,8,13,4,7,18,9,14,0,5,10,2,6,12$
- 9 bits of the sum ${k}_{i,i+2}^{27}\oplus {k}_{i+1}^{26}$ for $i=3,8,13,0,5,2,7,4,9$
- 2 bits of the sum ${k}_{i,i+2}^{27}\oplus {k}_{i+1}^{26}\oplus {k}_{i}^{25}$ for $i=3,8$

- 18 bits of ${k}_{i}^{27}$, for $i=0,5,10,15,1,6,11,2,7,12,3,8,17,13,4,9,14,19$
- 11 bits of the last round key ${k}_{i}^{26}$ for $i=0,5,10,2,7,12,4,9,14,1,6$
- 6 bits of the sum ${k}_{i+1}^{26}\oplus {k}_{i}^{25}$ for $i=0,5,2,7,4,9$

## Appendix E. Linear Cryptanalysis of Simeck 48/96 Using Multiple Super-Rounds

#### 28-Round and 29-Round Linear Attacks of Simeck 48/96

- Fifteen bits of the last round key ${k}_{i}^{0}$ for $i=10,5,14,9,4,8,3,2,18,13,0,1,6,7,12$.
- Nine bits of the sum ${k}_{i+1}^{0}\oplus {k}_{i}^{1}$ for $i=9,4,13,8,3,0,5,2,7$.
- Two bits of the sum ${k}_{i,i+2}^{0}\oplus {k}_{i+1}^{1}\oplus {k}_{i}^{2}$ for $i=3,8$.

- Nine bits of the last round key ${k}_{i}^{19}$ for $i=7,2,11,6,1,5,0,15,10$.
- Five bits of the sum ${k}_{i+1}^{19}\oplus {k}_{i}^{18}$ for $i=6,1,10,5,0$.
- Two bits of the sum ${k}_{i,i+2}^{19}\oplus {k}_{i+1}^{18}\oplus {k}_{i}^{17}$ for $i=0,5$.

- Twelve bits of the last round key ${k}_{i}^{28}$ for $i=0,5,10,1,6,15,11,2,7,16,12,20$, with each counted as a half bit.
- Nine bits of the sum ${k}_{i+1}^{28}\oplus {k}_{i}^{27}$ for $i=7,2,11,6,1,5,0,15,10$.
- Five bits of the sum ${k}_{i,i+2}^{28}\oplus {k}_{i+1}^{27}\oplus {k}_{i}^{26}$ for $i=6,1,10,5,0$.
- Two bits of the sum ${k}_{i+3}^{28}\oplus {k}_{i,i+2}^{27}\oplus {k}_{i+1}^{26}\oplus {k}_{i}^{25}$ for $i=0,5$.

Active Bits in the Left Side | Active Bits in the Right Side | Used Approximation | Number of Approximations |
---|---|---|---|
3 | 0, 2 | 1:1 | 2 |
0,2 | 1 | 1 | 1 |
1 | 0 | 1 | 1 |
0 | - | | |
0 | 1 | 1 | 1 |
0 | 1 | 1 | |
1 | 0,2 | 1;1 | 2 |
0,2 | 3 | 1 | 1 |
3 | 0,2,4 | 1;1;1 | 3 |
0,2,4 | 1 | 1 | 1 |
1 | 0,4 | 1;1 | 2 |
0,4 | - | | |
0.4 | 1;1 | 2 | |
0,4 | 1 | 1 | 1 |
1 | 0,2,4 | 3;1;1 | 3 |
0,2,4 | 3 | 1 | 1 |
3 | 0,2 | 1;1 | 2 |
0,2 | 1 | 1 | 1 |
1 | 0 | 1 | 1 |
0 | - | | |
- | 0 |

## Appendix F. Linear Cryptanalysis of Simeck 64/128 Using a Single Super-Round

#### Appendix F.1. Linear Approximations for Simeck 64/128

**Table A7.** The sequence of approximations used to derive 25-round linear trails for the left half of Simeck 64.

Active Bits in the Left Side | Active Bits in the Right Side | Used Approximation | Number of Approximations |
---|---|---|---|
0 | - | | |
- | 0 | 1 | 1 |
0 | 1 | 1 | 1 |
1 | 0,2 | 1;1 | 2 |
0,2 | 3 | 1 | 1 |
3 | 0,2,4 | 3;1;1 | 3 |
0,2,4 | 1 | 1 | 1 |
1 | 0,4 | 3;1 | 2 |
0,4 | 0 | | |
0,4 | 3;1 | 2 | |
0,4 | 1 | 1 | 1 |
1 | 0,2,4 | 3;1;1 | 3 |
0,2,4 | 3 | 1 | 1 |
3 | 0,2 | 1;1 | 2 |
0,2 | 1 | 1 | 1 |
1 | 0 | 1 | 1 |
0 | - | | |
- | 0 | 1 | 1 |
0 | 1 | 1 | 1 |
1 | 0,2 | 1;1 | 2 |
0,2 | 3 | 1 | 1 |
3 | 0,2,4 | 1;1;1 | 3 |
0,2,4 | 1 | 1 | 1 |
1 | 0,4 | 1;1 | 2 |
0,4 | - | | |
0,4 |

Active Bits on the Left Side | Active Bits on the Right Side | Used Approximation | Number of Approximations |
---|---|---|---|
- | 0 | 1 | 1 |
0 | 1 | 1 | 1 |
1 | 0,2 | 1:1 | 2 |
0,2 | 3 | 1 | 1 |
3 | 0,2,4 | 3;1;1 | 3 |
0,2,4 | 1 | 1 | 1 |
1 | 0,4 | 3;1 | 2 |
0,4 | - | | |
- | 0,4 | 3;1 | 2 |
0,4 | 1 | 1 | 1 |
1 | 0,2,4 | 3;1;1 | 3 |
0,2,4 | 3 | 1 | 1 |
3 | 0,2 | 1;1 | 2 |
0,2 | 1 | 1 | 1 |
1 | 0 | 1 | 1 |
0 | - | | |
- | 0 | 1 | 1 |
0 | 1 | 1 | 1 |
1 | 0,2 | 1;1 | 2 |
0,2 | 3 | 1 | 1 |
3 | 0,2,4 | 1;1;1 | 3 |
0,2,4 | 1 | 1 | 1 |
1 | 0,4 | 1;3 | 2 |
0,4 | - | | |
- | 0,4 | 1;1 | 2 |
0,4 | 1,5 |

#### Appendix F.2. 34-Round Linear Attacks of Simeck 64/128

- Eighteen bits of ${k}_{i}^{33}$ for $i=0,5,10,1,6,11,2,7,20,16,12,4,9,14,19,24,3,8$.
- Thirteen bits of the last round key ${k}_{i}^{32}$ for $i=0,3,10,1,6,15,11,4,9,14,5,19,2$.
- Eight bits of the sum ${k}_{i+1}^{32}\oplus {k}_{i}^{31}$ for $i=6,1,10,5,0,14,9,4$.
- Four bits of the sum ${k}_{i,i+2}^{32}\oplus {k}_{i+1}^{31}\oplus {k}_{i}^{30}$ for $i=0,5,9,4$.

- Twenty-one bits of ${k}_{i}^{33}$ for $i=15,20,10,5,6,11,2,7,1,12,8,13,4,9,14,19,16,21,3,17,0$.
- Seventeen bits of the last round key ${k}_{i}^{32}$ for $i=1,6,11,2,7,16,12,5,10,15,20,0,4,9,14,3,8$.
- Eleven bits of the sum ${k}_{i+1}^{32}\oplus {k}_{i}^{31}$ for $i=7,2,11,6,1,15,10,5,0,4,9$.
- Four bits of the sum ${k}_{i,i+2}^{32}\oplus {k}_{i+1}^{31}\oplus {k}_{i}^{30}$ for $i=6,1,10,5$.

## Appendix G. Linear Cryptanalysis of Simeck 64/128 Using Multiple Super Rounds

#### Appendix G.1. Improved Linear Approximation for Simeck 64/128

#### Appendix G.2. 33-Round and 34-Round Linear Attacks of Simeck 64/128 Using Multiple Super-Rounds

- Fourteen bits of the last round key ${k}_{i}^{0}$ for $i=10,5,14,9,4,8,3,2,18,13,0,1,6,7,12$, with each counted as a half bit.
- Nine bits of the sum ${k}_{i+1}^{0}\oplus {k}_{i}^{1}$ for $i=9,4,13,8,3,0,5,2,7$.
- Two bits of the sum ${k}_{i,i+2}^{0}\oplus {k}_{i+1}^{1}\oplus {k}_{i}^{2}$ for $i=3,8$.

- Thirteen bits of the last round key ${k}_{i}^{32}$ for $i=7,2,11,6,1,5,0,15,10,14,3,4,9$.
- Seven bits of the sum ${k}_{i+1}^{32}\oplus {k}_{i}^{31}$ for $i=1,6,11,0,5,4,9$.
- Two bits of the sum ${k}_{i,i+2}^{32}\oplus {k}_{i+1}^{31}\oplus {k}_{i}^{30}$ for $i=1,6$.

- Seventeen bits of the last round key ${k}_{i}^{33}$ for $i=1,6,11,16,2,7,12,21,17,0,5,10,15,4,9,14,19$, with each counted as a half bit.
- Thirteen bits of the sum ${k}_{i+1}^{33}\oplus {k}_{i}^{32}$ for $i=7,2,11,6,1,5,0,15,10,14,3,4,9$.
- Seven bits of the sum ${k}_{i,i+2}^{33}\oplus {k}_{i+1}^{32}\oplus {k}_{i}^{30}$ for $i=1,6,11,0,5,4,9$.
- Two bits of the sum ${k}_{i+3}^{33}\oplus {k}_{i,i+2}^{32}\oplus {k}_{i+1}^{31}\oplus {k}_{i}^{30}$ for $i=1,6$.

Active Bits in the Left Side | Active Bits in the Right Side | Used Approximation | Number of Approximations |
---|---|---|---|
3 | 0, 2 | 1:1 | 2 |
0,2 | 1 | 1 | 1 |
1 | 0 | 1 | 1 |
0 | - | | |
0 | 1 | 1 | 1 |
0 | 1 | 1 | |
1 | 0,2 | 1;1 | 2 |
0,2 | 3 | 1 | 1 |
3 | 0,2,4 | 1;1;1 | 3 |
0,2,4 | 1 | 1 | 1 |
1 | 0,4 | 1;1 | 2 |
0,4 | - | | |
0.4 | 1;1 | 2 | |
0,4 | 1 | 1 | 1 |
1 | 0,2,4 | 3;1;1 | 3 |
0,2,4 | 3 | 1 | 1 |
3 | 0,2 | 1;1 | 2 |
0,2 | 1 | 1 | 1 |
1 | 0 | 1 | 1 |
0 | - | | |
- | 0 | 1 | 1 |
0 | 1 | 1 | 1 |
1 | 0,2 | 1;1 | 2 |
0,2 | 3 | 1 | 1 |
3 | 0,2,4 | 3;1;1 | 3 |
0,2,4 | 1 |

## References

1. Almukhlifi, R.; Vora, P. Linear Cryptanalysis of Reduced-Round Simon Using Super Rounds. Cryptography **2020**, 4, 9.
2. Bagheri, N. Linear Cryptanalysis of Reduced-Round SIMECK Variants. In Proceedings of the Progress in Cryptology—INDOCRYPT 2015—16th International Conference On Cryptology In India, Bangalore, India, 6–9 December 2015; Volume 9462, pp. 140–152.
3. Biryukov, A.; Cannière, C.; Quisquater, M. On Multiple Linear Approximations. In Proceedings of the Advances in Cryptology—CRYPTO 2004, 24th Annual International Cryptology Conference, Santa Barbara, CA, USA, 15–19 August 2004; Volume 3152, pp. 1–22.
4. Yang, G.; Zhu, B.; Suder, V.; Aagaard, M.; Gong, G. The Simeck Family of Lightweight Block Ciphers. In Proceedings of the Cryptographic Hardware and Embedded Systems—CHES 2015—17th International Workshop, Saint-Malo, France, 13–16 September 2015; Volume 9293, pp. 307–329.
5. Kölbl, S.; Roy, A. A Brief Comparison of Simon and Simeck. In Proceedings of the Lightweight Cryptography for Security And Privacy—5th International Workshop, LightSec 2016, Aksaray, Turkey, 21–22 September 2016; Volume 10098, pp. 69–88.
6. Qiao, K.; Hu, L.; Sun, S. Differential Security Evaluation of Simeck with Dynamic Key-guessing Techniques. In Proceedings of the 2nd International Conference on Information Systems Security and Privacy, ICISSP 2016, Rome, Italy, 19–21 February 2016; pp. 74–84.
7. Qin, L.; Chen, H.; Wang, X. Linear Hull Attack on Round-Reduced Simeck with Dynamic Key-Guessing Techniques. In Proceedings of the Information Security And Privacy—21st Australasian Conference, ACISP 2016, Proceedings, Part II, Melbourne, VIC, Australia, 4–6 July 2016; Volume 9723, pp. 409–424.
8. Bogdanov, A.; Rijmen, V. Linear hulls with correlation zero and linear cryptanalysis of block ciphers. Des. Codes Cryptogr. **2014**, 70, 369–383.
9. Zhang, K.; Guan, J.; Hu, B.; Lin, D. Security evaluation on Simeck against zero-correlation linear cryptanalysis. IET Inf. Secur. **2018**, 12, 87–93.
10. Sadeghi, S.; Bagheri, N. Improved zero-correlation and impossible differential cryptanalysis of reduced-round SIMECK block cipher. IET Inf. Secur. **2018**, 12, 314–325.
11. Li, H.; Ren, J.; Chen, S. Improved Integral Attack on Reduced-Round Simeck. IEEE Access **2019**, 7, 118806–118814.
12. Nalla, V.; Sahu, R.; Saraswat, V. Differential Fault Attack on SIMECK. In Proceedings of the Third Workshop on Cryptography and Security in Computing Systems, CS2@HiPEAC, Prague, Czech Republic, 20 January 2016; pp. 45–48.
13. Le, D.; Lu, R.; Ghorbani, A. Improved fault analysis on SIMECK ciphers. J. Cryptogr. Eng. **2022**, 12, 169–180.
14. Dofe, J.; Frey, J.; Pahlevanzadeh, H.; Yu, Q. Strengthening SIMON Implementation Against Intelligent Fault Attacks. IEEE Embed. Syst. Lett. **2015**, 7, 113–116.
15. Benjamin, A.; Herzoff, J.; Babinkostova, L.; Serra, E. Deep Learning Based Side Channel Attacks on Lightweight Cryptography (Student Abstract). In Proceedings of the Thirty-Sixth AAAI Conference on Artificial Intelligence, AAAI 2022, Thirty-Fourth Conference on Innovative Applications of Artificial Intelligence, IAAI 2022, the Twelveth Symposium on Educational Advances in Artificial Intelligence, EAAI 2022, Virtual Event, 22 February–1 March 2022; pp. 12911–12912.
16. Wu, C.; Zhang, H.; Xu, J.; Sun, S. Side Channel Attack of Lightweight Block Cipher Simeck Based on Deep Learning. In Proceedings of the 2019 IEEE 6th International Symposium on Electromagnetic Compatibility (ISEMC), Nanjing, China, 1–4 November 2019; pp. 1–5.
17. Baksi, A.; Breier, J.; Dasu, V.; Dong, X.; Yi, C. Following-up on Machine Learning Assisted Differential Distinguishers. (SILC Workshop, 2020). Available online: https://www.esat.kuleuven.be/cosic/events/silc2020/wp-content/uploads/sites/4/2020/10/Submission4.pdf (accessed on 24 January 2023).
18. Baksi, A.; Breier, J.; Chen, Y.; Dong, X. Machine Learning Assisted Differential Distinguishers For Lightweight Ciphers. In Proceedings of the Design, Automation & Test in Europe Conference & Exhibition, DATE 2021, Grenoble, France, 1–5 February 2021; pp. 176–181.
19. Tian, J.; Wu, B.; Wang, Z. High-Speed FPGA Implementation of SIKE Based on an Ultra-Low-Latency Modular Multiplier. IEEE Trans. Circuits Syst. I Regul. Pap. **2021**, 68, 3719–3731.
20. Nyberg, K. Linear Approximation of Block Ciphers. In Proceedings of the Advances in Cryptology—EUROCRYPT’94, Workshop on the Theory and Application of Cryptographic Techniques, Perugia, Italy, 9–12 May 1994; Volume 950, pp. 439–444.
21. Matsui, M. Linear Cryptanalysis Method for DES Cipher. In Proceedings of the Advances in Cryptology—EUROCRYPT’93, Workshop on the Theory And Application of Cryptographic Techniques, Lofthus, Norway, 23–27 May 1993; Volume 765, pp. 386–397.

**Table 1.** Comparison of previous results using Matsui’s second algorithm and multiple linear cryptanalysis (without recourse to linear hull) on Simeck. Average-case computations.

Simeck | Number of Rounds | Data Complexity | Time Complexity | Presented in |
---|---|---|---|---|
32/64 | 20-round | ${2}^{30}$ | ${2}^{61.56}$ | Section 7.1 |
32/64 | 20-round | ${2}^{30}$ | ${2}^{58.5}$ | Section 7.3 |
32/64 | 18-round | ${2}^{24}$ | ${2}^{61.5}$ | Bagheri [2] |
48/96 | 28-round | ${2}^{47.42}$ | ${2}^{84.08}$ | Appendix D |
48/96 | 29-round | ${2}^{47.42}$ | ${2}^{92.505}$ | Appendix E |
48/96 | 23-round | ${2}^{41.42}$ | ${2}^{95}$ | Bagheri [2] |
64/128 | 34-round | ${2}^{61}$ | ${2}^{112}$ | Appendix F |
64/128 | 34-round | ${2}^{63}$ | ${2}^{116.5}$ | Appendix G |
64/128 | 27-round | ${2}^{49}$ | ${2}^{104}$ | Bagheri [2] |

**Table 2.** Comparison of previous results using Matsui’s second algorithm and multiple linear cryptanalysis (without recourse to linear hull) on Simeck. Worst-case computations.

Simeck | Number of Rounds | Data Complexity | Time Complexity | Presented in |
---|---|---|---|---|
32/64 | 19-round | ${2}^{30}$ | ${2}^{59.02}$ | Section 7.1 |
32/64 | 19-round | ${2}^{30}$ | ${2}^{61}$ | Section 7.3 |
32/64 | 18-round | ${2}^{24}$ | ${2}^{72}$ | Bagheri [2] |
48/96 | 2-round | ${2}^{47.42}$ | ${2}^{94.58}$ | Appendix D |
48/96 | 28-round | ${2}^{47.42}$ | ${2}^{94.005}$ | Appendix E |
48/96 | 23-round | ${2}^{41.42}$ | ${2}^{108}$ | Bagheri [2] |
64/128 | 34-round | ${2}^{61}$ | ${2}^{126.5}$ | Appendix F |
64/128 | 33-round | ${2}^{63}$ | ${2}^{115}$ | Appendix G |
64/128 | 27-round | ${2}^{53}$ | ${2}^{134}$ | Bagheri [2] |

Block Size $2n$ | Key Size $mn$ | Word Size $n$ | Key Words $m$ | Number of Rounds |
---|---|---|---|---|
Simeck 32 | 64 | 16 | 4 | 32 |
Simeck 48 | 96 | 24 | 4 | 36 |
Simeck 64 | 128 | 32 | 4 | 44 |

Super Key of the Left Half | Super Key of the Right Half |
---|---|
${k}_{i}^{0}\oplus {k}_{i+2}^{0}\oplus {k}_{i+1}^{1}\oplus {k}_{i}^{2}$ | ${k}_{i+1}^{0}\oplus {k}_{i}^{1}$ |
${k}_{i+5}^{0}\oplus {k}_{i+7}^{0}\oplus {k}_{i+6}^{1}\oplus {k}_{i+5}^{2}$ | ${k}_{i+6}^{0}\oplus {k}_{i+5}^{1}$ |
${k}_{i+1}^{0}\oplus {k}_{i}^{1}$ | ${k}_{i}^{0}$ |
${k}_{i+6}^{0}\oplus {k}_{i+5}^{1}$ | ${k}_{i+1}^{0}$ |
${k}_{i+11}^{0}\oplus {k}_{i+10}^{1}$ | ${k}_{i+6}^{0}$ |
${k}_{i+2}^{0}\oplus {k}_{i+1}^{1}$ | ${k}_{i+5}^{0}$ |
${k}_{i+7}^{0}\oplus {k}_{i+6}^{1}$ | ${k}_{i+10}^{0}$ |
${k}_{i+1}^{0}$ | |
${k}_{i}^{0}$ | |
${k}_{i+2}^{0}$ | |
${k}_{i+5}^{0}$ | |
${k}_{i+6}^{0}$ | |
${k}_{i+7}^{0}$ | |
${k}_{i+10}^{0}$ | |
${k}_{i+11}^{0}$ | |
${k}_{i+15}^{0}$ | |

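Number of Rounds | Super Key Bits Estimated | Bits Correctly Guessed (Out of 16 Bits) | Number of Experiments (Out of 14) |
---|---|---|---|
8-round (left half) | $Bit1$ | 16 | 14 |
8-round (left half) | $Bit2$ (average number of bits guessed correctly = 15.7) | 16 | 10 |
8-round (left half) | $Bit2$ (average number of bits guessed correctly = 15.7) | 15 | 4 |
8-round (left half) | $Bit3$ (average number of bits guessed correctly = 12.6) | 15 | 3 |
8-round (left half) | $Bit3$ (average number of bits guessed correctly = 12.6) | 14 | 2 |
8-round (left half) | $Bit3$ (average number of bits guessed correctly = 12.6) | 13 | 2 |
8-round (left half) | $Bit3$ (average number of bits guessed correctly = 12.6) | 12 | 2 |
8-round (left half) | $Bit3$ (average number of bits guessed correctly = 12.6) | 11 | 3 |
8-round (left half) | $Bit3$ (average number of bits guessed correctly = 12.6) | 10 | 2 |
8-round (left and right halves) | $Bit1$ | 16 | 14 |
8-round (left and right halves) | $Bit2$ (average number of bits guessed correctly = 15.6) | 16 | 10 |
8-round (left and right halves) | $Bit2$ (average number of bits guessed correctly = 15.6) | 15 | 3 |
8-round (left and right halves) | $Bit2$ (average number of bits guessed correctly = 15.6) | 14 | 1 |
8-round (left and right halves) | $Bit3$ (average number of bits guessed correctly = 12.7) | 15 | 3 |
8-round (left and right halves) | $Bit3$ (average number of bits guessed correctly = 12.7) | 14 | 2 |
8-round (left and right halves) | $Bit3$ (average number of bits guessed correctly = 12.7) | 13 | 3 |
8-round (left and right halves) | $Bit3$ (average number of bits guessed correctly = 12.7) | 12 | 2 |
8-round (left and right halves) | $Bit3$ (average number of bits guessed correctly = 12.7) | 11 | 2 |
8-round (left and right halves) | $Bit3$ (average number of bits guessed correctly = 12.7) | 10 | 2 |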

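Number of Rounds | Super Key Bits Estimated | Bits Correctly Guessed (Out of 16 Bits) | No. of Experiments (Out of 14) |
---|---|---|---|
10-round (left half) | $Bit1$ | 16 | 14 |
10-round (left half) | $Bit2$ (average no. bits guessed correctly = 15.7) | 16 | 10 |
10-round (left half) | $Bit2$ (average no. bits guessed correctly = 15.7) | 15 | 4 |
10-round (left half) | $Bit3$ (average no. bits guessed correctly = 12.6) | 16 | 2 |
10-round (left half) | $Bit3$ (average no. bits guessed correctly = 12.6) | 14 | 4 |
10-round (left half) | $Bit3$ (average no. bits guessed correctly = 12.6) | 13 | 1 |
10-round (left half) | $Bit3$ (average no. bits guessed correctly = 12.6) | 11 | 5 |
10-round (left half) | $Bit3$ (average no. bits guessed correctly = 12.6) | 10 | 2 |
10-round (left half) | $Bit4$ (average no. bits guessed correctly = 13) | 16 | 1 |
10-round (left half) | $Bit4$ (average no. bits guessed correctly = 13) | 15 | 1 |
10-round (left half) | $Bit4$ (average no. bits guessed correctly = 13) | 14 | 3 |
10-round (left half) | $Bit4$ (average no. bits guessed correctly = 13) | 13 | 4 |
10-round (left half) | $Bit4$ (average no. bits guessed correctly = 13) | 12 | 3 |
10-round (left half) | $Bit4$ (average no. bits guessed correctly = 13) | 11 | 2 |
10-round (left and right halves) | $Bit1$ | 16 | 14 |
10-round (left and right halves) | $Bit2$ (average no. bits guessed correctly = 15.7) | 16 | 11 |
10-round (left and right halves) | $Bit2$ (average no. bits guessed correctly = 15.7) | 15 | 2 |
10-round (left and right halves) | $Bit2$ (average no. bits guessed correctly = 15.7) | 14 | 1 |
10-round (left and right halves) | $Bit3$ (average no. bits guessed correctly = 12.6) | 16 | 2 |
10-round (left and right halves) | $Bit3$ (average no. bits guessed correctly = 12.6) | 14 | 4 |
10-round (left and right halves) | $Bit3$ (average no. bits guessed correctly = 12.6) | 13 | 1 |
10-round (left and right halves) | $Bit3$ (average no. bits guessed correctly = 12.6) | 11 | 5 |
10-round (left and right halves) | $Bit3$ (average no. bits guessed correctly = 12.6) | 10 | 2 |
10-round (left and right halves) | $Bit4$ (average no. bits guessed correctly = 15.5) | 16 | 9 |
10-round (left and right halves) | $Bit4$ (average no. bits guessed correctly = 15.5) | 15 | 3 |
10-round (left and right halves) | $Bit4$ (average no. bits guessed correctly = 15.5) | 14 | 2 |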

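Number of Rounds | Super Key Bits Estimated | Bits Correctly Guessed (Out of 16 Bits) | No. of Experiments (Out of 3) |
---|---|---|---|
12-round (left half) | $Bit1$ | 16 | 3 |
12-round (left half) | $Bit2$ | 16 | 3 |
12-round (left half) | $Bit3$ (average no. bits guessed correctly = 14.3) | 15 | 1 |
12-round (left half) | $Bit3$ (average no. bits guessed correctly = 14.3) | 14 | 2 |
12-round (left and right halves) | $Bit1$ | 16 | 3 |
12-round (left and right halves) | $Bit2$ | 16 | 3 |
12-round (left and right halves) | $Bit3$ (average no. bits guessed correctly = 14.3) | 15 | 1 |
12-round (left and right halves) | $Bit3$ (average no. bits guessed correctly = 14.3) | 14 | 2 |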

Experimental Results | Super Key Bits Recovered | Master Key Bits Recovered | Data Complexity | Time Complexity | Success Probability |
---|---|---|---|---|---|
8-round | 46–48 bits | 46–48 bits | ${2}^{14}$ | ${2}^{34.0028}$ | $93\%$ |
10-round | 62–64 bits | 56–62 bits | ${2}^{14}$ | ${2}^{36.044}$ | $93.4\%$ |
12-round | 46–48 bits | 46–48 bits | ${2}^{24}$ | ${2}^{44.0028}$ | $96.45\%$ |
8-round without approximations | 112 bits | 64 bits | ${2}^{5.58}$ | ${2}^{30.58}$ | $100\%$ |

Average Case Computations

Simeck | Number of Rounds | Data Complexity | Time Complexity |
---|---|---|---|
32/64 | Using Single Super Round Presented in Section 7.1 | | |
32/64 | 20-round | ${2}^{30}$ | ${2}^{61.56}$ |
32/64 | Using Multiple Super Rounds Presented in Section 7.3 | | |
32/64 | 20-round | ${2}^{30}$ | ${2}^{58.5}$ |
32/64 | Projections from data in [2] | | |
32/64 | 18-round | ${2}^{24}$ | ${2}^{60.5}$ |


© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Almukhlifi, R.; Vora, P.L.
Linear Cryptanalysis of Reduced-Round Simeck Using Super Rounds. *Cryptography* **2023**, *7*, 8.
https://doi.org/10.3390/cryptography7010008
