Automated Differential-Linear Cryptanalysis for AND-RX Ciphers

Differential and linear cryptanalysis are two important methods to evaluate the security of block ciphers. Building on these two methods, differential-linear (DL) cryptanalysis was introduced by Langford and Hellman in 1994. This cryptanalytic method has been not only extensively researched but also proven to be effective. In this paper, a security evaluation framework for AND-RX ciphers against DL cryptanalysis is proposed, which is denoted as K 6. In addition to modeling the structure of all the possible differential trails and linear trails at the bit level, we introduce a method to calculate this structure round by round. Based on this approach, an automatic algorithm is proposed to construct the DL distinguisher. Unlike previous methods, K 6 uses a truncated differential and a linear hull instead of a differential characteristic and a linear approximation, which brings the bias of the DL distinguisher close to the experimental value. To validate the effectiveness of the framework, K 6 is applied to Simon and Simeck, which are two typical AND-RX ciphers. With the automatic algorithm, we discover an 11-round DL distinguisher of Simon32 with bias 2 − 14 : 89 and a 12-round DL distinguisher of Simeck32 with bias 2 − 14 : 89 . Moreover, the 14-round DL distinguisher of Simon48 with bias 2 − 22 : 30 is longer than the longest DL distinguisher currently known. In addition, the framework K 6 shows advantages when analyzing ciphers with large block sizes. As far as we know, for Simon64/96/128 and Simeck48/64, the ﬁ rst DL distinguishers are obtained with our framework. The DL distinguishers are 16, 23, 32, 17, and 22 rounds of Simon64/96/128 and Simeck48/64 with bias 2 − 24 : 31 , 2 − 47 : 57 , 2 − 60 : 75 , 2 − 22 : 54 , and 2 − 31 : 41 , respectively. To prove the correctness of distinguishers, experiments on Simon32 and Simeck32 have been performed. The experimental bias are 2 − 13 : 76 and 2 − 14 : 82 , respectively. Comparisons of the theoretical and experimental results show good agreement.


Introduction
1.1.Background.Differential and linear cryptanalysis are two powerful techniques for analyzing the security of block ciphers.Differential cryptanalysis was first proposed by Biham and Shamir [1], and linear cryptanalysis was introduced by Matsui [2].While avoiding long differential characteristics and linear approximations seems to be sufficient for the cipher against differential and linear cryptanalysis, it turns out that short characteristics and approximations can also be utilized to break the cipher.Differential-linear (DL for short) cryptanalysis proposed by Langford and Hellman in 1994 [3] first demonstrates this fact.In 2002, Biham et al. [4] presented an enhancement of DL cryptanalysis, which is based on two independence assumptions.Several subsequent papers aimed at taking into consideration multiple linear approximations instead of a single one and at formalizing the assumption.Liu et al. [5] and Lu [6] are the research results of the former research direction.In 2017, Blondeau et al. [7] gave an exact expression of the bias under the sole assumption that the two parts of the cipher are independent.Some cryptanalysts have studied DL cryptanalysis from other perspectives.In 2019, Bar-On et al. [8] took into account the dependency between the differential and linear approximation and presented the Differential-Linear Connectivity Table to get a more accurate bias of the DL distinguisher.In 2021, Liu et al. [9] developed a new theory of estimation of the DL bias from an algebraic perspective.
AND-RX cipher is a class of symmetric primitives that consists of three operations-AND, Rotation, and XOR.There are many AND-RX ciphers, such as Simon and Simeck.Simon [10] is a family of lightweight block ciphers published by the National Security Agency in 2013.Due to the Feistel structure and simple round function, Simon has significant advantages in terms of hardware implementation.Inspired by this design idea, Yang et al. [11] presented another family of lightweight block ciphers, named Simeck, in which only the rotation constant and key schedule are different from Simon.
In 2018, the first DL cryptanalysis of Simon was proposed by Chen and Zhang [13].They constructed a 15-round DL distinguisher of Simon32 with bias 2 −30:36 , which is too small to produce an effective attack.In 2022, Hu et al. [14] constructed a 13-round DL distinguisher of Simon32 with bias 2 −13 (a mistake is shown in the note in Table 1) and a 13-round DL distinguisher of Simon48 with bias 2 −21 , which led to a 16-round attack on Simon32 and a 16-round attack on Simon48, respectively.The DL distinguishers constructed above are all based on a differential characteristic and a linear approximation.In 2023, Zhang et al. [15] used statistical analysis to search for suitable DL distinguishers of Simon32 and Simeck32.They found a 12-round DL distinguisher of Simon32 with bias 2 −12:69 and a 13-round DL distinguisher of Simeck32 with bias 2 −14:03 .Then, attacks against 20-round Simon32 and 21-round Simeck32 can be obtained with the distinguishers, respectively.However, statistical analysis is useless for Simon and Simeck, with a block size greater than 32.
Traceablepattern was first proposed in [16].Until now, traceablepattern has been applied to several cryptanalytic methods, and many good distinguishers are obtained by this technique.For a meet-in-the-middle attack, a general automatic framework K2 was proposed with the splice-and-cut technique [17].For impossible differential cryptanalysis, an automatic framework K3 was constructed for AND-RX ciphers [18].For rotational-XOR differential cryptanalysis, an automatic framework K5 was proposed for AND-RX ciphers in [19].Actually, this paper is a continuation of our teem's series of work.We focus on the application of traceablepattern to DL cryptanalysis and establish an automatic framework K6 to search for the DL distinguisher of AND-RX ciphers.
1.3.Our Contributions.In this paper, our overall contribution is establishing an automatic framework K6 to construct the distinguisher and evaluate the security of AND-RX cipher against DL cryptanalysis.The specific implementation includes the following three aspects.
(1) Model the structure for all the possible DL trails For difference and mask, the concept of traceablepattern is proposed to describe the structure at the bit level.The patternoperation is presented to characterize the propagation rules of the traceablepattern between different components -AND, Rotation, and XOR.Further, the structure for the possible DL trails is modeled.
(2) Establish an automatic framework to construct the DL distinguisher Based on traceablepattern and patternoperation, combined with DL cryptanalysis, an automatic framework, denoted K6, is proposed to construct the DL distinguisher.According to the input difference and patternoperation, the truncated differential can be calculated round by round.The probability of truncated differential is 1 larger than that of differential characteristic.Similarly, according to the input mask, the output mask, and patternoperation, the linear hull is represented with traceablepatterns.The correlation of linear hull is calculated by summing the correlations of all linear approximations, so it is larger than that of only one linear approximation.If it is difficult to calculate the correlation of linear hull, the cipher can be decomposed into a cascade of several subciphers to reduce the search space.Further, the space of all the possible DL trails is obtained, and the bias of the DL distinguisher is calculated with Matsui's Piling-up lemma.Namely, the DL distinguisher built with K6 consists of a truncated differential and a linear hull instead of a differential characteristic and a linear approximation.This method of constructing the DL distinguisher is different from the previous analysis.Theoretically, it makes the theoretical bias of the DL distinguisher close to the experimental value.Moreover, since the search space is reduced by decomposing the cipher into a cascade of several subciphers, our framework is suitable for ciphers with large block sizes.Some of the previous methods are not applicable.

(3) Apply and verify
To show the effectiveness of K6, Simon and Simeck, the two famous AND-RX ciphers, are investigated.Among the results of all block sizes, the DL distinguisher of Simon48 is 14  1.
To prove the correctness of the DL distinguishers, experimental verifications on Simon32 and Simeck32 are given.The experimental bias of the 11-round distinguisher of Simon32 is 2 −13:76 , and the experimental bias of the 12-round distinguisher of Simeck32 is 2 −14:82 .The experimental results match the theoretical analysis well.
1.4.Organization of the Paper.The rest of this paper is organized as follows.In Section 2, we give an overview of DL cryptanalysis and provide detailed descriptions of Simon and Simeck.In Section 3, we propose an automatic framework to search for the DL distinguisher of AND-RX ciphers.In Section 4, we apply the framework to Simon and Simeck.In Section 5, we summarize this paper.

Preliminaries
2.1.Notations.The notations used in this paper are illustrated in Table 2.

DL Cryptanalysis
. Let E : f0; 1g n → f0; 1g n be an r-round cipher that can be decomposed into a cascade E ¼ E 1 ∘ E 0 , as shown in Figure 1, where E 0 and E 1 consist of r 0 and r 1 rounds, respectively.Assume that there is a differential characteristic X 0 À! p X r 0 for E 0 , namely an input difference X 0 to E 0 leads to an output difference X r 0 from E 0 with probability as follows: Similarly, assume that there also is a linear approximation Y r 0 À! c Y r for E 1 , namely a random input/output pair ðS r 0 ; S r Þ: of E 1 satisfies Y r 0 ⋅ S r 0 ¼ Y r ⋅ S r with correlation as follows: In order to distinguish E from a random permutation with DL cryptanalysis, the adversary needs to obtain the bias by checking whether the pairs ðS r ; r when the pairs ðS 0 ; S 0 0 Þ: satisfy S 0 ⊕ S 0 0 ¼ X 0 .The bias of the r-round DL distinguisher X 0 À! ε Y r is defined as follows: Since the cipher behaves randomly, assume that Y r ⋅ S r ¼ Y r ⋅ S 0 r holds in half of the cases where the pairs do not satisfy the difference.Therefore, the overall bias of the DL distinguisher is as follows: Therefore, the adversary can distinguish E from a random permutation with Oðp −2 c −4 Þ: chosen plaintexts when p; c are sufficiently large.
In general, the correlation of an r 1 -round linear trail is calculated as follows: where c j is the correlation of the linear approximation Y j−1 → Y j , and the correlation of an r 1 -round linear hull Y 0 → Y r 1 is calculated as follows: Usually, c hull for E 1 is hard to evaluate, but it matches the experimental value much more than c trail .Note that many previous analyses take c trail as the correlation for E 1 .IET Information Security However, the framework K6 allows the adversary to take into account c hull for E 1 .Moreover, if the linear approximation for E 1 is made by concatenating several short-round linear approximations, according to Matsui's Piling-up lemma [2], the correlation is calculated as follows: where Simeck has the same round function but with different rotation constants: The round functions of Simon and Simeck are depicted in Figure 2.

Automatic Search for the DL Distinguisher of AND-RX Ciphers
In this section, an automatic framework is established to search for the DL distinguisher of AND-RX ciphers, denoted as K6.First, the general idea of the framework is introduced, then the main techniques used in this framework are presented, and finally, the details for this method are illustrated in the Algorithm.
, and the correlation for E 1 can be obtained with Equation (7).According to Equation (4), the overall bias of the DL distinguisher is as follows: where c j hull is the correlation of the linear hull for E j 1 .

Traceable pattern for DL Cryptanalysis.
To accurately describe the structure of the differential and linear trail at the bit level, we present a concept of traceable pattern for DL cryptanalysis.Meanwhile, to characterize the propagation property of the difference and linear mask between different cipher modules, the pattern operation for AND-RX ciphers is introduced.Based on the traceable pattern and pattern operation, we can construct a DL distinguisher and calculate its bias.For all possible trails, the difference/mask of each state bit is generally 0, 1, or uncertain.To depict this property, we define the traceable pattern at the bit level, as shown in Table 4. Notice that the traceable pattern is equal to the difference/mask of the bit when the difference/mask is 0 or 1.
In this way, the difference/mask of each bit of the intermediate state can be accurately described by a traceable pattern.If the traceable pattern can be calculated round by round, the space comprised of all possible differential trails and linear trails can be derived.Therefore, in order to model the calculating rule between traceable patterns, we define the pattern operation for the differential part, the linear part, and the connected part.Since AND-RX ciphers contain only three possible operations-AND, Rotation, and XOR, we only consider pattern operation for these operations.
(1) Differential part (2) Linear part 3.3.Automatic Search for the DL Distinguisher.For our automatic framework K6, the DL distinguisher targets an ðr 0 þ r 1 Þ : -round AND-RX cipher denoted by E. It can be decomposed as , where E 0 consists of r 0 rounds, and E 1 consists of r 1 rounds.
For the differential part E 0 , TP X 0 is equal to X 0 .According to the pattern operation, TP X i can be accurately calculated round by round.In particular, using a distinguisher with a single active bit in the input and output can make the adversary add more rounds of key-recovery than using a distinguisher with multiple active bits.Therefore, the longest truncated differential is obtained by exhaustive searching TP X 0 with a single active bit.In other words, there is only one bit with TP ¼ 1, and all the other bits have TP ¼ 0 in X 0 .The longest truncated differential is obtained with the difference part in the Algorithm.Therefore, for E 0 , the probability p is equal to 1, and r 0 ¼ r max .
For the connected part, TP X r 0 b ⋅ TP Y 0 should be equal to 0. According to the output difference TP X r 0 of E 0 , there may be multiple masks that meet the conditions.For instance, if TP X r 0 is (2,2,2,2,2,2,0,0), TP Y 0 can be (0,0,0,0,0,0,0,1), (0,0,0,0,0,0,1,0), or (0,0,0,0,0,0,1,1).However, (0,0,0,0,0,0,0,1) and (0,0,0,0,0,0,1,0) will lead to a much longer distinguisher (because they have fewer active bits).Therefore, we choose the mask with fewer active bits as the input mask For the linear part E 1 , we focus on how to search for a high-correlation linear hull with input mask Y 0 and calculate its correlation.First, using the algorithm of searching for the optimal linear trail and the method of calculating the correlation of the round function, we can select one target round number R and the corresponding output mask Y R .Then, the space of all possible linear trails can be determined with the round function and pattern operation.Finally, the correlation of the linear hull Y 0 → Y R can be obtained by calculating

Traceable pattern
Description 0 The difference/mask of this bit is 0 1 The difference/mask of this bit is 1 2 The difference/mask of this bit is uncertain the correlation of every trail in this space and summing them up.However, there may be a case where there are so many trails in the space that it is impossible to calculate the correlation of every trail.In this case, we can decompose the optimal linear trail into a cascade and calculate the correlation of each part by the above steps.The integral correlation for E 1 can be obtained by using Equation (7).Moreover, if the integral bias for E does not achieve expectation (such as too small a bias like the bias in [13]), we can choose a new R to calculate again.Denote the final round number as r 1 and the corresponding correlation as c.All details are in the linear part of the Algorithm.In summary, we obtain an r 0 þ r 1 -round DL distinguisher which consists of an r 0 -round truncated differential with probability 1 and an r 1 -round linear hull with correlation c.According to Equation (4), the bias of the DL distinguisher is as follows:

Applications
In order to show the effectiveness of our framework K6, applications to Simon and Simeck, two typical AND-RX ciphers, are presented.The aim is also to evaluate the security of Simon and Simeck of all block sizes against DL cryptanalysis.In addition to constructing DL distinguishers of Simon32, Simon48, and Simeck32, we obtain the first DL distinguishers of Simon64, Simon96, Simon128, Simeck48, and Simeck64.
4.1.Application to Simon.For the Simon family, the differential part of the DL distinguisher can be obtained with the Algorithm.The input and output differences represented with traceablepatterns are shown in Table 7.Details of the trails are exhibited in the Appendix.Before searching for the linear hull of Simon, Algorithm 1 in [20] can help us obtain the initial optimal linear trail needed in the preliminary of the Algorithm.Meanwhile, we utilize Algorithm 2 in [20] to calculate the correlation of the Input: the round function of target cipher output: the DL distinguisher Preliminary: 1: Search for the optimal linear trail of the target cipher; 2: Set the formula for calculating the correlation of the target cipher round function; Differential part: Step 1: Let X ¼ ð0; …; 0; 1Þ: , X max ¼ ð0; …; 0Þ: , r max ¼ 0, and num ¼ 0.
Step 2: For a 2 f0; 1; …; n − 1g: Let X 0 ¼ X ⋘ a, and r ¼ 0. If num ≠ n, do the following substeps.Substep 1: Let r ← r þ 1. Substep 2: Calculate TP X r according to the round function and pattern operation in the encryption direction; Substep 3: Count the traceable pattern "2" in TP X r and denote as num; If r − 1>r max , let r max ¼ r − 1, and f1; 2; …; r max g: .Connected part: Step 4: Choose the mask Y 0 ð ¼ TP Y 0 Þ: which satisfies TP X r 0 b ⋅ TP Y 0 ¼ 0 as the input mask in the following part.Linear part: Step 5: According to Preliminary 1 and 2, select one optimal linear trail with target round number R, the input mask Y 0 , and the output mask Calculate Y iþ1 according to the round function and pattern operation in the encryption direction.Let Y ¼ fY i ; i ¼ 0; …; Rg: , which is the space of all possible linear trails with round number R and input mask Y 0 .
Step 7: For i ¼ R; i>0; i − − Calculate Y 0 i−1 according to the round function and pattern operation in the decryption direction.Let Y 0 ¼ fY 0 i ; i ¼ 0; …; Rg: , which is the space of all possible linear trails with the round number R and output mask Y 0 R .Step 8: Obtain the space of all possible linear trails with round number R, input mask Y 0 , and output mask Y 0 R by calculating the intersection of Y and Y 0 .Count the traceable pattern "2" in this space and denote it as num.
Step 9: Calculate the correlations of all possible linear trails in the space, namely the correlation of linear hull with round number R, input mask Y 0 , and output mask Y 0 R .
Step 10: If num is too large to fulfill Step 9, decompose the initial optimal linear trail into several parts.Then perform Steps 5-9 for each part, respectively.Finally, calculate the overall correlation c by using Matsui's Piling-up lemma.
ALGORITHM 1: Automatic search for the DL distinguisher for AND-RX ciphers.

6
IET Information Security round function of Simon.For Simon32, Simon48, and Simon64, an appropriate linear hull can be constructed without decomposing the initial optimal linear trail.For Simon96 and Simon128, the trail is decomposed into several parts.The linear hulls are described in Table 8.The space of all possible linear trails represented with traceable patterns is exhibited in the Appendix.
Review the description of DL cryptanalysis in Section 2.2; the DL distinguishers of the Simon family are constructed in Table 9.For the framework K6, the bias of the DL distinguisher can be calculated by Equation (13).To validate the correctness of K6, experiments are performed on an 11-round distinguisher of Simon32.The experimental results closely match the theoretical analysis (Table 10).In practice, the Algorithm runs on a 12-core personal laptop with 16 GB of RAM.

Application to Simeck.
For Simeck with all block sizes, the input and output differences of the longest truncated differential are represented with traceable patterns and shown in Table 11.Details of the differential part are displayed in the Appendix.
For Simeck, the methods of obtaining the initial optimal linear trail and calculating the correlation of the round function are the same as the methods for Simon.With the framework K6, a linear hull of Simeck32 is obtained without decomposing the initial optimal linear trail.However, for Simeck48 and Simeck64, the initial trail is decomposed into two parts, respectively.The linear hulls are given in Table 12.The space of all possible linear trails represented with traceable patterns can be found in the Appendix.

IET Information Security
Table 13 is a summary of the DL distinguishers of Simeck.For Simeck32, some experiments have been performed to show whether the theoretical analysis matches the experimental result, as seen in Table 14.

Conclusion
In this paper, we proposed an automatic framework for constructing the DL distinguisher of AND-RX ciphers, denoted as K6.The DL distinguisher consists of a truncated differential and a linear hull.To validate the effectiveness of our framework, some applications are demonstrated.We found 11-round, 14-round, 16-round, 23-round, 32-round, 12-round, 17-round, and 22-round DL distinguisher of Simon32, Simon48, Simon64, Simon96, Simon128, Simeck32, Simeck48, and Simeck64 with bias 2 −14:89 , 2 −22:30 , 2 −24:31 , 2 −47:57 , 2 −60:75 , 2 −14:89 , 2 −22:54 , and 2 −31:41 , respectively.The experimental bias of the 11-round distinguisher of Simon32 is 2 −13:76 .The experimental bias of the 12round distinguisher of Simeck32 is 2 −14:82 .The experimental results match the theoretical analysis well.These applications indicate that our framework is effective for the AND-RX cipher with a large block size.In other words, the practicability of our framework is not affected by the block size of the target cipher.For instance, the time complexity of searching for the DL distinguisher of an AND-RX cipher with a large block size using the method mentioned in [15] will be larger than that using the

TABLE 1 :
Summary of all DL distinguishers of Simon and Simeck.
rounds, which is longer than the current longest DL distinguisher.As far as we know, for Simon64/96/128 and Simeck48/64, the DL distinguishers proposed in this paper are the first DL distinguishers.The comparisons with previous results are in Table

TABLE 2 :
Notations in this paper.

TABLE 3 :
Parameters of Simon and simeck.
XOR: If z ¼ x ⊕ y, TP z ¼ TP x b ⊕TP y .The bitwise calculating rules for b & and b ⊕ are illustrated in

TABLE 7 :
The truncated differentials of Simon represented with traceable patterns.

TABLE 8 :
The linear hulls of Simon in hexadecimal notation.

TABLE 9 :
The DL distinguishers of Simon in hexadecimal notation.

TABLE 10 :
The experimental results of the DL distinguisher of Simon32.

TABLE 11 :
The truncated differentials of Simeck represented with traceable patterns.

TABLE 12 :
The linear hulls of Simeck in hexadecimal notation.

TABLE 13 :
The DL distinguishers of Simeck in hexadecimal notation.

TABLE 14 :
The experimental results of the DL distinguisher of Simeck32.Therefore, the framework K6 is a generic method to search for the DL distinguisher of AND-RX ciphers.More block ciphers will be analyzed with this framework, which will be left as future work.

TABLE 15 :
The DL distinguisher of Simon32 represented with traceable patterns.

TABLE 16 :
The DL distinguisher of Simon48 represented with traceable patterns.

TABLE 17 :
The DL distinguisher of Simon64 represented with traceable patterns.

TABLE 18 :
The DL distinguisher of Simon96 represented with traceable patterns.

TABLE 19 :
The DL distinguisher of Simon128 represented with traceable patterns.

TABLE 20 :
The DL distinguisher of Simeck32 represented with traceable patterns.

TABLE 21 :
The DL distinguisher of Simeck48 represented with traceable patterns.

TABLE 22 :
The DL distinguisher of Simeck64 represented with traceable patterns.