Rotational-XOR Rectangle Cryptanalysis on Round-Reduced Simon

Recently, Ashur and Liu introduced the Rotational-XOR-difference approach, a modification of rotational cryptanalysis, for the ARX cipher Speck (Ashur and Liu, 2016). In this paper, we apply the Rotational-XOR-difference (RXD) approach to the non-ARX cipher Simon and evaluate its security. First, we study how to calculate the probability of an RXD for the bitwise AND operation, on which the round function of Simon is based, whereas that of Speck is based on modular addition. Next, we prove that two RXD trails can be connected such that it becomes possible to construct a boomerang/rectangle distinguisher similar to the case using differential characteristics. Finally, we construct related-key rectangle distinguishers for round-reduced versions of Simon with block lengths of 32, 48, and 64, and we suggest a five- or six-round key recovery attack. To our knowledge, it is the first attempt to apply the notion of rotational cryptanalysis to a non-ARX cipher. Although our attack does not show the best results for Simon thus far, the attempt here to define and apply a new cryptanalytic characteristic is meaningful, and we expect further improvements and applications to other ciphers to be made in subsequent studies.


Introduction
In a cryptosystem for confidentiality, the block cipher is a necessary building block for core functionality. Because the security of a block cipher affects both the applicability of the algorithm and the usability of the cryptosystem that uses the cipher, the security of a block cipher should be evaluated comprehensively and precisely. Over the last decade, many researchers have studied various techniques by which to design outstanding lightweight ciphers. One notable result of this research stream is the design paradigm of omitting the S-box, such as ARX. ARX is a design methodology for secret key primitives which uses only modular Addition, Rotation, and eXclusive OR operations. A number of high-performing lightweight block ciphers, such as Threefish [1], Chaskey Cipher [2], HIGHT [3], Speck [4], LEA [5], and Sparx [6], are designed in this framework. Another design strategy is to use the bitwise AND operation for the nonlinear part of an algorithm. Although this approach is somewhat less popular than ARX, outstanding hardware-oriented ciphers such as KATAN/KTANTAN [7], Simon [4], and Simeck [8] utilize this strategy.
Rotational cryptanalysis was initially proposed to attack the block cipher Threefish, which is an internal permutation of the hash function Skein [9]. It was combined with the notion of a rebound attack considering the results of the best attack against Skein. Subsequently, the rotational probability was recalculated [10] considering the failure of the Markov assumption of chained modular additions, and a new calculating algorithm was applied to correct the results on BLAKE2 and to provide valid results on simplified Skein. Nevertheless, it appears to be difficult to apply rotational cryptanalysis to ciphers in which constant XOR is used for the enciphering procedure.
This problem remained unsolved until the following result was presented.
Recently, Ashur and Liu proposed a new type of rotational cryptanalysis that can overcome the aforementioned disadvantage by injecting constants into states [11]. This new approach can be used to evaluate the security of ciphers with constant XOR in their encryption scheme. Therefore, they applied it to the block cipher Speck-32/64 and successfully constructed a seven-round distinguisher. To do this, they introduced the notion of the Rotational-XOR (RX) pair $(x \oplus a_1, (x \lll c) \oplus a_2)$ and the associated rotational-XOR-differences (RXD) $((a_1, a_2), c)$, where $x$ is a random variable and $a_1$ and $a_2$ are constants. In particular, they presented a closed formula for calculating the RX probability that occurs upon a modular addition.
In the present paper, we attempt to apply Ashur's constant-injecting approach to the non-ARX cipher Simon, which is based on the bitwise AND operation. While Ashur and Liu demonstrated how to calculate the RX probability and how to propagate an RX pair through the modular addition, we present a closed formula for calculating the probability and propagation rule of an RX pair through a bitwise AND operation. We also find that the propagation of the RX pair due to the operations used in Simon is similar to that of the ordinary differential characteristics, and we show that the probability of boomerang/rectangle characteristics using RXD can be calculated similarly to the boomerang/rectangle characteristic using the ordinary differential characteristics. Therefore, we can construct boomerang/rectangle characteristics using two RXD trails. We refer to this cryptanalysis with such characteristics as Rotational-XOR boomerang (or rectangle) cryptanalysis. Our attack works in the related-key model, in which the attacker uses ciphertexts encrypted with different but related keys, because rotational cryptanalysis is naturally a related-key attack.
Based on our results, we evaluate the security of several instances of Simon in the related-key model. Because our approach is more effective on ciphers with smaller block sizes, we apply it to Simon with a block length of less than or equal to 64. As a result, for some parameters, we could obtain results very close to the best results on Simon thus far. Table 1 shows the results of our attacks compared to the results of other attacks.
Although our results are not the best records for Simon, our approach can be adopted to analyze other existing or future ciphers based on the bitwise AND. Examples include Simeck and KATAN/KTANTAN. The rest of this paper is organized as follows: in Section 2, we define some of the notations used here and give brief introductions of rotational cryptanalysis, the rotational-XOR-difference, and boomerang/rectangle cryptanalysis. The RX probability and RX characteristics of Simon are described in Section 3. In Section 4, we present the RX rectangle attack on Simon, including the key recovery phase, and calculate the computational and data complexities of the attacks. Finally, Section 5 concludes the paper.

Notations.
In this paper, we use the following notations:
(i) Hamming weight of bit string $x$
(ii) $x \boxplus y$: modular addition of bit strings $x$ and $y$
(iii) $x \vee y$: bitwise OR of bit strings $x$ and $y$
(iv) $x \wedge y$: bitwise AND of bit strings $x$ and $y$
(v) $x \ll r$: $r$ bit left shift of a bit string $x$
(vi) $x^{<r}$, $x \lll r$: $r$ bit left rotation (cyclic shift) of a bit string $x$
(vii) $x^{>r}$: $r$ bit right rotation (cyclic shift) of a bit string $x$
(viii) $\overrightarrow{x}$: left rotation (cyclic shift) of a bit string $x$ by a predefined $c$, usually $c = 1$
(ix) $\overleftarrow{x}$: right rotation (cyclic shift) of a bit string $x$ by a predefined $c$, usually $c = 1$
(x) $x^i$: $i$-th bit of a bit string $x$
(xi) $x \prec y$ means that every bit in $y$ is larger or equal to the corresponding bit in $x$

Rotational Cryptanalysis.
Since Khovratovich et al. introduced rotational cryptanalysis in 2010 [9], it has been used to evaluate symmetric key cryptographic primitives based on the ARX design framework [10,18,19]. Rotational cryptanalysis appears to be suitable for ARX ciphers because the rotational pair is preserved through rotations and XORs between variables and transformed by modular additions with high probability levels, unlike ciphers based on S-boxes. Rotational cryptanalysis exploits the nonrandom behavior of ciphertext pairs generated from the rotational plaintext pairs $((p_0, p_1, \ldots, p_{m-1}), (\overrightarrow{p_0}, \overrightarrow{p_1}, \ldots, \overrightarrow{p_{m-1}}))$ where $\overrightarrow{p_i} = p_i \lll c$ for some integer $c$ ($c$ is typically selected to be 1 for a higher probability). The probability that modular addition of two rotational pairs $(x, \overrightarrow{x})$ and $(y, \overrightarrow{y})$ is also a rotational pair is given by where $n$ is the bit length of both $x$ and $y$ [20]. For a large $n$, that probability goes to $2^{-1.415}$ when $c = 1$ and to $2^{-2}$ when $c = n/2$. However, XOR or modular addition with a constant destroys the rotational relationship of a pair when the constant cannot transform into itself by $c$-bit rotation. So, rotational cryptanalysis cannot be widely adopted in relation to block cipher analysis.

Rotational-XOR-Difference.
In 2016, Ashur and Liu introduced modified rotational cryptanalysis using the rotational-XOR-difference (RXD) to overcome the limitations caused by the constants and applied it to the block cipher Speck [11]. They defined an RX pair as $(x \oplus a_1, \overrightarrow{x} \oplus a_2)$ and its RXD as $((a_1, a_2), c)$. It is obvious that the RX pair is preserved even if some constant is XORed to the values of the pair. In addition, they proved the following Theorem 1, which shows us how to calculate the transition probability of an RX pair through modular addition. We assume that $c = 1$ throughout this paper; hence, we let $\overrightarrow{x}$ denote $x \lll 1$.
Theorem 1 (Theorem 1 in [11]). Let $x, y \in \mathbb{F}_2^n$ represent independent uniform random variables. Let $a_1$, $a_2$, $b_1$, $b_2$, $c_1$, and $c_2$ be constants in $\mathbb{F}_2^n$ and $\delta_x$, $\delta_y$, and $\delta_z$ be the $n - 1$ most significant bits of It is clear that the rotation of an RX pair is an RX pair and that the XOR of two RX pairs is also an RX pair.

Boomerang/Rectangle Characteristics.
A boomerang attack [21] uses two differential characteristics $\Delta \to \Delta^*$ for E0 and $\nabla \to \nabla^*$ for E1, whose probabilities are $p$ and $q$, respectively, where the target block cipher $E$ is a composition of subciphers E0 and E1, i.e., $E = E1 \circ E0$. If two plaintexts $P$ and $P'$ such that $P \oplus P' = \Delta$ satisfy with probability $p$ and both are satisfied with probability $q^2$, then, clearly Hence, with probability $p$. Therefore, if we denote $E^{-1}(E(P) \oplus \nabla)$ and $E^{-1}(E(P') \oplus \nabla)$ as $Q$ and $Q'$, we can distinguish $E$ from the random permutation according to the distribution of $Q \oplus Q'$, where $P \oplus P' = \Delta$ and $p^2 q^2 > 2^{-n}$.
A boomerang attack is an adaptive chosen-ciphertext attack that can be transformed into a known-plaintext attack based on the following rectangle distinguisher [22].
Suppose that we have two pairs of plaintext $(P, P')$ and $(Q, Q')$ such that In such a case, we have accordingly with probability $q^2$. Thus, we can distinguish $E$ from the random permutation using the distributions of $E(P) \oplus E(Q)$ and

Description of Simon.
Simon [4] is a family of block ciphers which support various bit lengths of blocks and keys.
For $w = 16$, 24, 32, 48, and 64, Simon-n/k has a block size of $n = 2w$ and a key size of $k = 2w$, $3w$, or $4w$. Encryption of Simon involves iterations of the round transformations shown in Figure 1, where $\wedge$ and $\oplus$ are bitwise AND and XOR, respectively. $rk_i$ for $i = 1, 2, \ldots$ denotes the $i$-th round key generated by one of the three key schedules shown in Figure 2 depending on the number of keywords, where $c$ is equal to $2^w - 4$ and $(z_j)_i$ is the $i$-th bit of $z_j$, defined as follows.
More specific descriptions for each instance of Simon can be found in the literature [4].

Rotational-XOR-Differences for Simon
Unlike Speck, which is based on modular addition, Simon uses the bitwise AND in its round function, and this operation does not always preserve RX pairs. Consequently, it is necessary to calculate the probability that two RX pairs are transformed into another RX pair through the bitwise AND operation.

Calculating the Probabilities of Rotational-XOR Pairs for the Bitwise AND Operation.
Suppose operation. In such a case, the output pair is constants $c_1$ and $c_2$. The probability that the output pair becomes an RX pair then becomes We can observe when the probability is nonzero and how to calculate the probability by Theorem 2, under the assumption that two inputs of the bitwise AND are independent uniformly random variables.
Theorem 2 (bitwise AND of two random variables). Let $x, y \in \mathbb{F}_2^w$ represent independent uniformly random variables for some positive integer $w$, and let $a_1$, $a_2$, $b_1$, $b_2$, $c_1$, and $c_2$ be In this case, we will calculate the probability that $z = \overrightarrow{z}$.
Because $\oplus$ and $\wedge$ are bitwise operations, it is clear that Therefore, now we calculate the probability that According to the definitions of $\delta_x$, $\delta_y$, and $\delta_z$, we have the following equations: At this point, we consider equation (16) bit by bit. Since $x$ is a uniform random variable, the probability that the requirements associated with the $i$-th bit of equation (16) are satisfied is 1/2. Similarly, if $\delta_x^i = 1$ and $\delta_y^i = 0$, the conditions of the $i$-th bit of equation (16) are met with a probability of 1/2 depending on $\overrightarrow{y}^i$ regardless of the value of $\delta_z^i$. The last case is one in which $\delta_x^i = 1$ and $\delta_y^i = 1$. In this case, (16) implies that $\overrightarrow{x}^i \oplus \overrightarrow{y}^i \oplus 1 \oplus a_2^i \oplus b_2^i = \delta_z^i$ and the conditions of this equation are also satisfied with a probability of 1/2 regardless of the value of $\delta_z^i$ because $a_2^i$ and $b_2^i$ are fixed values. Thus, for some fixed $\delta_x$, $\delta_y$, and $\delta_z$, if there exists $i$ such that $\delta_x^i = \delta_y^i = 0$ and $\delta_z^i = 1$, the probability is then 0. Therefore, the probability is nonzero only if $(\delta_x \vee \delta_y) \wedge \delta_z = \delta_z$. And for each $i$ such that $\delta_x^i \vee \delta_y^i = 1$, the conditions of the $i$-th bit of (16) are met with a probability of 1/2. Therefore, the probability that the conditions of (16) are met (which we want to calculate) is $2^{-w_H(\delta_x \vee \delta_y)}$.
However, as shown in Figure 1, the two inputs $x$ and $y$ of the bitwise AND operation in Simon are highly dependent on each other. Therefore, we need to calculate the probability more precisely. The following Theorem 3 is analogous to Theorem 3 for covering the Simon case and the case of $j = 7$ is relevant to Simon-2w/k.

Theorem 3 (bitwise AND of two values from one random variable). Let $x \in \mathbb{F}_2^w$ be a uniformly random variable for a positive integer $w$ and $j \le w$ be a positive integer that does not divide $w$. Additionally, let $a_1$, $a_2$, $c_1$, and $c_2$ be constants in $\mathbb{F}_2^w$ and $\delta_x = \overrightarrow{a_1} \oplus a_2$ and $\delta_z = \overrightarrow{c_1} \oplus c_2$. In this case, Proof. Similar to the proof of Theorem 3, we now calculate the probability that the following equation holds: Here, we consider equation (18) bit by bit.
with a probability of 1.
However, because $(\overrightarrow{x})_i$ would appear again when we define $(\delta_z^{>j})_i$, it is necessary to consider the subcases along with the value of $(\delta^{>j})_i$ can be regarded as a free random variable (which means it is not used to define other bits of $\delta_z$); therefore, $(\delta_z)_i$ can be 0 or 1 with a probability of 1/2. Otherwise (i.e., $(\delta^{>j}$ and then we have the relationship of $(\delta_z)_i = (\delta_z^{<j})_i$. Otherwise, $(\delta_x)_i = 1$ and $(\delta_x^{<j})_i = 1$, according to equation (18), It is necessary to check for subcases for $(\delta^{<2j}$ This means that three bits of $\delta_z$ are defined as four independent bits of the random variable $\overrightarrow{x}$. Such a chain ends with the bit of $\delta_z$, which is independently defined except when $\delta_x = 2^n - 1$ because $j \nmid n$. Thus, every bit in the chain, including $(\delta_z)_i$, has a value of 0 or 1 with a probability of 1/2. If $\delta_x = 2^n - 1$, every single bit of $\delta_z$ is defined by two bits of $\overrightarrow{x}$ and they are related to each other. Hence, the probability that $\delta_z$ has some value is $_x)_i = 1$ for some $i$, then the freedom of $(\delta_z)_i$ and $(\delta_z^{>j})_i$ is decreased by 1 bit and there are exactly

How to Define the Rotational-XOR-Differences Trail.
Because we let $c = 1$, the RXD of an RX pair ( can be denoted as $((a_1, a_2), 1)$. However, we use $\delta_x = \overrightarrow{a_1} \oplus a_2$ to calculate the probability of the occurrence of the bitwise AND of the RX pair regardless of the actual values of $a_1$ and $a_2$. Thus, we can redefine the RXD of an RX pair $(x \oplus a_1, \overrightarrow{x} \oplus a_2)$ as $\delta_x = \overrightarrow{a_1} \oplus a_2$ for the following reason.
Let there be another RX pair $(y \oplus b_1, \overrightarrow{y} \oplus b_2)$ such that $y \oplus b_1 = x \oplus a_1$ and $\overrightarrow{y} \oplus b_2 = \overrightarrow{x} \oplus a_2$ for some random variable $y \ne x$. In this case, we have This means that the relationship between the constants (i.e., the $\delta$'s) is sufficient to represent the RX pair, and thus it is also sufficient to trace the transition of $\delta$'s instead of RX pairs to search for an RXD trail. We also refer to this $\delta$ value as RXD and we denote an To find a suitable RXD trail, we need to know how the RXDs are transformed by the operations used in the target cipher.
Because Simon uses only three operations, XOR, rotation, and the bitwise AND, we can discuss these operations. An RXD is transformed by XOR as follows. Let there be two RX pairs $(x \oplus a_1, \overrightarrow{x} \oplus a_2)$ and $(y \oplus b_1, \overrightarrow{y} \oplus b_2)$, and If a constant $c$ is XORed into an RXD $\delta$, the RX pair Then, clearly, For the rotation operations, similar to the above case of XOR, if $y = x^{<l}$, then $\delta_y = \delta_x^{<l}$. The transition of an RXD by the bitwise AND is as follows. Let $z = x \wedge y$; then, every $\omega$ satisfying $(\delta_x \vee \delta_y) \wedge \omega = \omega$ could be $\delta_z$ with the probability given in Theorem 2. In the case of Simon, the random variables $x$ and $y$ are dependent on each other such that the $\omega$ values that could be $\delta_z$ differ slightly from the general case, as shown in Theorem 3.
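The following Python check is an added example, not code from the paper. It measures by exhaustive enumeration over actual RX pairs the output-RXD distribution of the bitwise AND, first for independent inputs (the Theorem 2 passage) and then for two rotations of one word (the dependent case that Theorem 3 addresses). The function names, the constructed constants, the 6-bit word size of the first check, and the rotation amounts 1 and 8 of Simon's AND layer (taken from the Simon specification [4], consistent with the page's $j = 7$) are assumptions of the example.

```python
from collections import Counter


def rotl(v, r, w):
    """Left-rotate the w-bit word v by r positions."""
    r %= w
    return ((v << r) | (v >> (w - r))) & ((1 << w) - 1)


def rxd(a1, a2, w):
    """RXD of the RX pair (x ^ a1, rotl(x, 1) ^ a2): rotl(a1, 1) ^ a2."""
    return rotl(a1, 1, w) ^ a2


def theorem2_probability(dx, dy, dz):
    """Theorem 2 as stated on the page: 2^-H(dx | dy) when every set bit of
    dz is also set in dx | dy, and 0 otherwise."""
    mask = dx | dy
    if dz & ~mask:
        return 0.0
    return 2.0 ** -bin(mask).count("1")


def and_rxd_independent(a1, a2, b1, b2, w):
    """Exhaustive output-RXD distribution of (x ^ a1) & (y ^ b1) over all
    independent w-bit x and y, measured on the RX pairs themselves."""
    hist = Counter()
    for x in range(1 << w):
        for y in range(1 << w):
            first = (x ^ a1) & (y ^ b1)
            second = (rotl(x, 1, w) ^ a2) & (rotl(y, 1, w) ^ b2)
            # (first, second) = (z ^ c1, rotl(z, 1) ^ c2) holds exactly when
            # rotl(first, 1) ^ second equals the RXD rotl(c1, 1) ^ c2.
            hist[rotl(first, 1, w) ^ second] += 1
    return {dz: n / (1 << (2 * w)) for dz, n in hist.items()}


def and_rxd_dependent(a1, a2, w, r1=1, r2=8):
    """Same measurement when both AND inputs are rotations of one word v,
    i.e. g(v) = rotl(v, r1) & rotl(v, r2)."""
    def g(v):
        return rotl(v, r1, w) & rotl(v, r2, w)

    hist = Counter()
    for x in range(1 << w):
        hist[rotl(g(x ^ a1), 1, w) ^ g(rotl(x, 1, w) ^ a2)] += 1
    return {dz: n / (1 << w) for dz, n in hist.items()}


def matches_theorem2(dist, dx, dy, w):
    """True when dist equals the Theorem 2 prediction for every w-bit dz."""
    return all(dist.get(dz, 0.0) == theorem2_probability(dx, dy, dz)
               for dz in range(1 << w))


if __name__ == "__main__":
    # Constructed constants, 6-bit words, independent inputs.
    w = 6
    a1, a2, b1, b2 = 0b101100, 0b010011, 0b000111, 0b001010
    dx, dy = rxd(a1, a2, w), rxd(b1, b2, w)
    dist = and_rxd_independent(a1, a2, b1, b2, w)
    print("independent inputs match Theorem 2:", matches_theorem2(dist, dx, dy, w))

    # 16-bit words (Simon32) with the AND-layer rotations 1 and 8.
    w = 16
    for dx in (0x0001, 0xFFFF):
        dist = and_rxd_dependent(0, dx, w)
        naive = matches_theorem2(dist, rotl(dx, 1, w), rotl(dx, 8, w), w)
        print(hex(dx), "outputs:", len(dist), "max prob:", max(dist.values()),
              "equals independent formula:", naive)
```

For a single-bit $\delta_x$ the dependent measurement coincides with the independent-input formula, while for the all-ones $\delta_x$ only half of the output RXDs are reachable, each with twice the probability that formula would assign.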

Considerations.
We took the following considerations into account during the search for the RXD trails of Simon.
(1) Round Indices. The indices of the start and end rounds of the characteristic should be specified because a rotational attack is basically in the related-key model and the $\delta$ values (RXDs) of the round keys vary according to the round constants $z_i$'s XORed in the key schedule.

(2) Including Rounds with an RXD Probability of 1. If the RXDs of the two input words of encryption and of the $k/w$ keywords for a round are all zero, we find some output RXD that is maximally $k/(w + 2)$ rounds with a probability of 1. Thus, it is effective to search for RXD trails forward and backward beginning with such zero (or with a lower Hamming weight) states to find trails with a high probability.

(3) Maximizing the Probability of the Next Round. The probability of an RXD trail of a round is determined by the RXD of the left half of the input. Hence, if we can control the right half of the output of the current round, we can maximize the RX probability of the next round. According to Theorem 3, one input RXD can be transformed into several output RXDs through the bitwise AND, and because their probabilities are identical, we can choose one of them with a condition identical to that of the current round. Let $\delta_{i,L}$ and $\delta_{i,R}$ be the RXDs of the left and the right inputs of the $i$-th round, respectively, and $\delta_K^i$ be the $\delta$ value of the $i$-th round key. To maximize the RX probability of the $(i+1)$-th round, $\delta_{i+1,L}$ should have a lower Hamming weight. Because where $\delta_{i,z}$ is the RXD of the output of the bitwise AND in the $i$-th round, we can choose the $\delta_{i,z}$ which minimizes the Hamming weight of $\delta_{i+1,L}$. Note that minimizing the Hamming weight of $\delta_{i+1,L}$ does not always guarantee the best RXD trail; however, we searched for RXD trails with such conditions in mind. As a result, we can find numerous trails with the maximum probability for various starting round indices. Therefore, we can construct rectangle characteristics using short trails with high probabilities while considering the round indices.

Rotational Rectangle Characteristic.
In this section, we show that rotational-XOR-differences can be used to construct rectangle characteristics similar to differential characteristics by proving the following Theorem 4.

Theorem 4. Let $x$ and $y$ be independent random variables and $a_1$, $a_2$, $b_1$, and $b_2$ be constants in $\mathbb{F}_2^n$ for some positive integer $n$. In addition, let $(x \oplus a_1, \overrightarrow{x} \oplus a_2)$ and also forms an RX pair and its RXD is Proof. Because we assumed that $(x \oplus a_1, \overrightarrow{y} \oplus b_2)$ is an RX pair and that its RXD is $\delta_c$, we can assume that for a random variable $z$ and for some constants $c_1$ and $c_2$ such that $\overrightarrow{c_1} \oplus c_2 = \delta_c$.
We will show that $y$ According to this assumption, we have Thus, we have $\overrightarrow{\ } \oplus a_2$, we then have Accordingly, the proof is complete.
With Theorem 4 in mind, we introduce the rotational rectangle distinguisher as follows. Denote an encryption algorithm $E$ with a key $K$ by $E_K$. Suppose that $E_K$ is a composition of $E0_K$ and $E1_K$ such that $E_K = E1_K \circ E0_K$. We have RXD trails $(\delta_a \to \delta_b)$ satisfied with probability $p$ for E0 and $(\delta_c \to \delta_d)$ with probability $q$ for E1.
Because the probability that $\delta_c = \delta_c'$ is $2^{-n}$ for block length $n$, two RX pairs $(P_0, P_1)$ and $(Q_0, Q_1)$ with $\delta_a$ are transformed into two RX pairs: according to $E_{K0}$, $E_{K1}$, $E_{K2}$, and $E_{K3}$ with a probability of $p^2 \cdot q^2 \cdot 2^{-n}$. However, if $E$ is a random permutation, the probability that the resulting four values form two RX pairs both with the expected RXDs is $2^{-2n}$. Therefore, we can mount an RX rectangle attack when $2^{-2n} < p^2 \cdot q^2 \cdot 2^{-n}$.

Constructing RX Rectangle Distinguishers.
We have found many RXD trails for each of the Simon parameters that correspond to the probabilities presented in Table 2. Using these trails, we construct RX rectangle distinguishers by joining two RXD trails with consideration of round indices. As an example, for Simon-32/64, we found that there exist eight-round RXD trails which start at the eighth and sixteenth rounds. Therefore, we successfully combined them for the rectangle distinguisher with the maximum probability $(2^{-6} \cdot 2^{-6})^2 \cdot 2^{-32} = 2^{-56}$. However, for Simon-48/72, we did not find two eight-round trails that could be combined for a rectangle distinguisher to maximize the probability. Therefore, we use a nine-round trail starting at the fifth round and a seven-round trail starting at the fourteenth round for the rectangle distinguisher with a probability of $(2^{-4} \cdot 2^{-17})^2 \cdot 2^{-48} = 2^{-90}$. The number of rounds and the probability of the RX rectangle distinguisher for each of the Simon parameters are given in Table 3 and examples of RXD trails are presented in Tables 4 and 5.

Key Recovery Attack and Complexity.
In this section, we present the key recovery attack framework on Simon with block sizes of 32, 48, and 64 using the RX rectangle distinguishers.
We assume the following: $p$ and $q$ denote the probabilities of RXD trails for E0 and E1, respectively, and $p^2 \cdot q^2 = 2^{-m}$ for each version of Simon. Therefore, the probabilities of RX rectangle distinguishers are $2^{-(m+n)}$. We add $r_t$ rounds on top and three rounds at the bottom of the distinguisher for each version of Simon. Thus, the numbers of attacked rounds are $R = r_d + r_t + 3$, where $r_d$ is the number of rounds of distinguishers for each version of Simon. Consequently, we attack round-reduced Simon from the $i_s$-th round to the $i_f = i_s + R - 1$-th round. The actual round indices of attacked rounds for each version of Simon can be found in Tables 4 and 5. We use $N = 2^{((m+n+\alpha)/2)+\beta}$ plaintexts for adequate positive values $\alpha$ and $\beta$. $\delta_i^L$, $\delta_i^R$, and $\delta_i^K$ denote the RXDs of the left half of an input, the right half of an input, and a round key of the $i$-th round, respectively. $\delta^L_{init} \| \delta^R_{init}$ and $\delta^L_{final} \| \delta^R_{final}$ are RXDs of an input and an output of the characteristic, respectively.

Generation of Pairs.
Because we add $r_t$ rounds on top, it is necessary to explain how to construct the quartets of the plaintexts for each key. We need to generate more than $N_q = 2^{m+n+\alpha}$ quartets to distinguish $E$ from a random permutation when the expected number of right quartets is $2^{\alpha}$. To generate more than $N_q$ quartets, we need two sets of pairs, each of which contains at least $N_p = 2^{(m+n+\alpha)/2}$ pairs.
We generate the first set of pairs as follows. Let $\Omega$ be a set of plaintexts. First, we select a random plaintext from $\Omega$ and let this value be $(x \oplus a_1)$ for a fixed $a_1$. Then, we encrypt it for $r_t - 1$ rounds with a guessed subkey of K0 and let this value be $(y \oplus b_1)$. Next, we should define the intermediate value of the opposite side of a pair. By rotating $(y \oplus b_1)$ and adding an adequate RXD $\delta$, the value is defined by Finally, we could have another plaintext of the pair by decrypting $\overrightarrow{y} \oplus (\overrightarrow{b_1} \oplus \delta)$ for $r_t - 1$ rounds with subkeys of the related K1. If the decryption result, which is considered as $\overrightarrow{x} \oplus a_2$, is in $\Omega$ again, then the two plaintexts and corresponding ciphertexts by K0 and K1, respectively, are regarded as an RX pair. Similarly, another set of pairs is generated from $\Omega$ and subkeys of K2 and K3. The number of elements in $\Omega$ required to obtain $N_p$ pairs will be discussed later in terms of data complexity.
(1) Generate $\Omega$ of a sufficient size from the oracles.
Calculate $x'_{i_s+r_t-1}$ using $x_{i_s+r_t-1}$ and $\delta^L_{init} \| \delta^R_{init}$.
Decrypt $x'_{i_s+r_t-1}$ for $r_t - 1$ rounds with $rk1_{i_s}, \ldots, rk1_{i_s+1}$ to obtain $x'_{i_s}$ ($r_t - 1$ round decryptions).
If $x'_{i_s} \in \Omega$, register $(x_{i_s}, x'_{i_s})$ and their corresponding ciphertexts as an RX pair.
For each element $y_{i_s}$ in $\Omega$, do the following:
Encrypt $y_{i_s}$ for $r_t - 1$ rounds with $rk2_{i_s}, \ldots, rk2_{i_s+1}$ to obtain $y_{i_s+r_t-1}$ ($r_t - 1$ round encryptions).
Calculate $y'_{i_s+r_t-1}$ using $y_{i_s+r_t-1}$ and $\delta^L_{init} \| \delta^R_{init}$.
Decrypt $y'_{i_s+r_t-1}$ for $r_t - 1$ rounds with $rk3_{i_s}, \ldots, rk3_{i_s+1}$ to obtain $y'_{i_s}$ ($r_t - 1$ round decryptions).
If $y'_{i_s} \in \Omega$, register $(y_{i_s}, y'_{i_s})$ and their corresponding ciphertexts as an RX pair.
Using two sets of pairs, construct a set of quartets $(x_{i_s}, x'_{i_s}, y_{i_s}, y'_{i_s})$, and for each quartet, do the following:
For ciphertext pairs $(x_{i_f+1}, y'_{i_f+1})$ and $(y_{i_f+1}, x'_{i_f+1})$, calculate the $\delta$ values of $(F(x_{i_f+1}), F(y'_{i_f+1}))$ and $(F(y_{i_f+1}), F(x'_{i_f+1}))$. Using these values and $\delta^K_{i_f}$, calculate $\delta^L_{i_f-1}$. Then, first
The discard ratios for each filtering step are denoted by $t_0$, $t_1$, and $t_2$. These would be determined by the exact RXDs of the characteristic and should satisfy $t_0 + t_1 + t_2 < n$.

Data Complexity.
The data complexity of this attack is estimated by the required number of elements in $\Omega$. Using elements in $\Omega$, we generate two sets of $N_p = 2^{(m+n+\alpha)/2}$ pairs so that we have $N_q = 2^{m+n+\alpha}$ quartets. Let $l = (m + n + \alpha)/2$. We define pairs by choosing a text in $\Omega$, encrypting it for $r_t - 1$ rounds with a guessed key, adding some differences, and decrypting for $r_t - 1$ rounds with the related key. Therefore, we should assume that the processes after choosing a text are random permutations from $\{0,1\}^n$ to $\{0,1\}^n$, for counting the required number of elements in $\Omega$. The question is: if we have a set $\Omega$ of random texts in $\{0,1\}^n$ with $2^{l+\beta}$ elements and a random permutation $f$ of $\{0,1\}^n$, what is the condition on $\beta$ such that we have more than $2^l$ pairs $(x, f(x))$ where $f(x) \in \Omega$? Because we assume that $f$ is a random permutation, for an $x \in \Omega$. Therefore, the expected number of pairs that we could have is $2^{l+\beta} \times 2^{l+\beta-n} = 2^{2l+2\beta-n}$. Given that we would like to have more than $2^l$ pairs, $\beta$ should satisfy So, we could have a lower bound of the $\beta$ as follows: As we have assumed that $l = (m + n + \alpha)/2$, a straightforward computation gives the condition: Thus, if we choose the minimum $\beta$, we can have the required number of pairs on average. Table 6 shows the data complexities of these attacks for each version of Simon.

Computational Complexity.
At this stage, we calculate the computational complexities of this attack. At the beginning of the attack, we perform four rounds of encryption on $N$ texts to define the pairs for each guessed $n/2$-bit key. We then filter out quartets with two rounds of decryption without key guessing. Next, we consume one round of encryption for each filtering step with $n/2$-bit key guessing. Finally, we should exhaustively search the remaining key bits. Therefore, we can estimate the computational complexity of this attack as follows while taking the above factors into account: We have assumed that $N = 2^{((m+n+\alpha)/2)+\beta}$ and $N_p = 2^{(m+n+\alpha)/2}$. Therefore, if we apply these assumptions to equation (36), then we have the following formula for computational complexity:
$$\frac{1}{R}\left(2^{(n r_t + m + \alpha + 2\beta + 4)/2} + 3 \cdot 2^{(n r_t + m + \alpha)/2} + 3 \cdot 2^{(n(r_t+1) + m + \alpha - 4t_0)/2} + 2 \cdot 2^{(n(r_t+2) + m + \alpha - 4t_0 - 4t_1)/2}\right). \quad (37)$$
Table 6 shows the computational complexities of these attacks as calculated using equation (37) along with the data complexities when $\alpha = 2$ and $\beta$ has the minimum value. The filtering ratio $t_0$, which is most crucial with regard to the computational complexity among the ratios, is affected by how many types of RXDs of the outputs could be produced by the round function where $\delta^L_{final}$ and a random $\delta$ value are the respective inputs. According to our investigation, $t_0 > n/3$ on average; thus, we assume that $t_0 = t_1 = n/3$.

Signal-to-Noise Ratio and Success Probabilities.
Similar to differential cryptanalysis, rotational cryptanalysis uses a randomly selected dataset, so the attack works with probability less than or equal to one. Thus, we should calculate the success probability of each attack to confirm the feasibility of the attack. According to earlier literature [23], the success probability of differential cryptanalysis could be calculated using the signal-to-noise (S/N) ratio. We adopt that methodology for calculating the success probability of our attacks. We use the following equation for estimating success probabilities: where $\Phi$ is the cumulative distribution function of the standard normal distribution, $\mu$ denotes the number of right quartets, and we set the advantage $a$ to 8. The S/N ratio $S_N$ is calculated as follows: In the above equation, $k_0$ denotes the bit length of the target subkey, which is assumed to be equal to the bit length of the secret key. $P_{char}$ denotes the probability of the characteristic, which is $2^{-(m+n)}$. $\alpha_0$ is the average number of subkeys suggested by one analysed quartet. Since this attack generates $N_q = 2^{m+n+\alpha}$ quartets, $\alpha_0 = 2^{k_0}/N_q$. $\beta_0$ is the ratio of filtering before key guessing, but $\beta_0$ is fixed to 1 for all attacks because there is no filtering before key guessing. Therefore, the S/N ratio $S_N$ is $2^{\alpha}$, and thus, the success probability $P_S$ is 0.73 when $\alpha = 2$.

Conclusion
In this paper, we study how to apply cryptanalysis based on the rotational-XOR-difference approach to the block cipher Simon. We present a closed formula that is used to calculate the transition probability of an RXD trail according to the bitwise AND operation. Moreover, we demonstrate that we could construct the rectangle characteristic using RXD trails in a manner similar to how ordinary differential trails are used. Consequently, we could define a new RX rectangle attack and mount it onto some instances of the Simon family. Although our results are not the best for Simon to date, it is the first result for rotational cryptanalysis applied to a non-ARX cipher and it would be a worthwhile endeavor to attempt to improve our approach or to apply it to other ciphers based on bitwise AND. Tables 4 and 5 show actual RXD trails which establish the rectangle distinguishers for each version of Simon, presented in Table 3.

Data Availability
The RXD trails used to support the findings of this study are included within Tables 4 and 5. More trails are available from the corresponding author upon reasonable request.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.