Rotational-XOR Cryptanalysis of Simon-Like Block Ciphers

Rotational-XOR cryptanalysis is a cryptanalytic method aimed at finding distinguishable statistical properties in ARX-C ciphers, i.e., ciphers that can be described only by using modular addition, cyclic rotation, XOR, and the injection of constants. In this paper we extend RX-cryptanalysis to AND-RX ciphers, a similar design paradigm where the modular addition is replaced by vectorial bitwise AND; such ciphers include the block cipher families Simon and Simeck. We analyze the propagation of RX-differences through AND-RX rounds and develop closed form formula for their expected probability. Finally, we formulate an SMT model for searching RX-characteristics in Simon and Simeck. Evaluating our model we find RX-characteristics of up to 20, 27, and 35 rounds with respective probabilities of 2(-26), 2(-42), and 2(-54) for versions of Simeck with block sizes of 32, 48, and 64 bits, respectively, for large classes of weak keys in the related-key model. In most cases, these are the longest published distinguishers for the respective variants of Simeck. Interestingly, when we apply the model to the block cipher Simon, the best characteristic we are able to find covers 11 rounds of Simon32 with probability 2-24. To explain the gap between Simon and Simeck in terms of the number of distinguished rounds we study the impact of the key schedule and the specific rotation amounts of the round function on the propagation of RX-characteristics in Simon-like ciphers.