Enhanced related-key differential neural distinguishers for SIMON and SIMECK block ciphers

Convolution layer

Convolutional layers are the core component of convolutional neural networks. It is responsible for extracting features from input data through convolution operations. In a convolution operations, a convolutional kernel (also known as a filter) continuously slides over the input feature map. At each step, it calculates the sum of the product of the values at each position and takes it as the value in the corresponding position on the output feature map.

Activation function

In neural networks and deep learning, the activation function plays a crucial role in introducing nonlinear properties that enable the neural network to learn complex patterns in the data. The activation functions Sigmoid (Little, 1974) and rectified linear unit (ReLU) (Nair & Hinton, 2010) are used in this article. The Sigmoid function can map any real value to an output between 0 and 1. Therefore, it is a common choice for the output layer in binary classification problems. The ReLU function returns the input value itself for the positive inputs and zero for the negative inputs. It performs well in many deep learning tasks because of its effectiveness in mitigating the gradient vanishing problem. Their mathematical formulations are as follows:

(6) $$\mathbf{S}\mathbf{i}\mathbf{g}\mathbf{m}\mathbf{o}\mathbf{i}\mathbf{d}:f(x)=\frac{1}{1+e^{-x}},\mathbf{R}\mathbf{e}\mathbf{L}\mathbf{U}:f(x)=max(0,x).$$

Fully connected layer

The fully connected layer (also known as dense layer) is a fundamental element of neural networks. In this layer, every neuron establishes a connection to each neuron in the preceding layer. This connection ensures that all the outputs from the previous layer are the inputs to every neuron in the current layer. This structure allows the fully connected layer to execute a weighted combination of input features, effectively capturing the intricate relationships between them. For a single neuron in the fully connected layer, its output can be represented as $\sigma \left({\sum }_{i=1}^n{w}_i\cdot x_i+b\right)$, where $n$ is the total number of neurons, $\sigma$ represents the activation function, $x_i$ denotes the input of the $i$-th neuron, $w_i$ corresponds to the weight of the connection, and $b$ is the bias of the neuron.

Residual network

Gradient vanishing and explosion are issues in deep neural networks where gradients become extremely small or large during back-propagation, respectively, hindering effective training. The residual neural network (ResNet) (He et al., 2016) is an effective deep learning model that solves the problem of gradient vanishing and gradient explosion by introducing shortcut connections as shown in Fig. 3. Shortcut connections can mitigate these problems by providing alternative paths for gradient flow, reducing the dependency on gradients passing through all intermediate layers and improving information flow through the network.

Squeeze-and-excitation network (SENet)

The Squeeze-and-Excitation (SE) block (Hu, Shen & Sun, 2018) is a plug-and-play channel attention mechanism that can be integrated into any network, as shown in Fig. 4. It can adjust the weights of each channel and improves the attention to important channels, which is particularly beneficial in deep residual architectures. In this article, the SE block is directly integrated with the residual network to form the SE-ResNet architecture. This integration allows SE-ResNet to achieve improved performance in differential cryptanalysis, by making the network more sensitive to informative features and more robust to variations in input data.

Differences selection

Selecting an appropriate plaintext difference $\mathrm{\Delta }P$ and a master key difference $\mathrm{\Delta }K$ for sample generation is a crucial step in the development of basic related-key differential neural distinguishers, since it significantly influences the features embodied within the samples. The study of Gohr, Leander & Neumann (2022), Bellini et al. (2023b) indicates that the differences that can yield the ciphertext differences with high bias scores $b_r$ may be more suitable for constructing neural distinguishers. In the related-key scenario, the $r$-round exact bias score of ciphertext difference is defined as follows.

However, due to the immense computational demands posed by the exhaustive enumeration of all possible plaintexts and keys, computing the exact bias score is impractical. Therefore, we have to adopt more efficient methods to do this work. One promising approach is statistical sampling techniques, which is employed in Gohr, Leander & Neumann (2022). By employing random sampling method, we could reduce the time and resources required for data collection and analysis while maintaining a high level of accuracy and reliability. By randomly selecting $t$ samples from the plaintext and key space, we can obtain an approximate bias score ${\tilde{b}}_r^t(\mathrm{\Delta }P,\mathrm{\Delta }K)$ as follow:

(8) $${\tilde{b}}_r^t(\mathrm{\Delta }P,\mathrm{\Delta }K)=\frac{1}{n}\sum _{j=0}^{n-1}\left|0.5-\frac{1}{t}\sum _{i=0}^{t-1}(E_{K_i}(X_i)\oplus E_{K_i\oplus \mathrm{\Delta }K}(X_i\oplus \mathrm{\Delta }P){)}_j\right|.$$

In addition, to mitigate the instance where certain differences have low bit bias in the initial few rounds but exhibit favorable bit bias in subsequent rounds, a practical strategy is to calculate the bias score from the initial round and adopt their weighted bias score as the final the final metric for evaluation. This approach can enhance the robustness of the differential evaluation. Specifically, the R-rounds weighted bias score $S_R(\mathrm{\Delta }P,\mathrm{\Delta }K)$ for a given plaintext difference $\mathrm{\Delta }P$ and master key difference $\mathrm{\Delta }K$ is the sum of the product of the number of rounds and their bias score. The mathematical expression is as follows:

(9) $$S_R(\mathrm{\Delta }P,\mathrm{\Delta }K)=\sum _{r=1}^{R}r\times {\tilde{b}}_r^t(\mathrm{\Delta }P,\mathrm{\Delta }K).$$

Sample generation

The related-key differential neural distinguisher is a supervised binary classifier. Thus, its dataset consists of positive and negative samples, labeled as 1 and 0, respectively. The positive samples are obtained by encrypting the plaintext pairs using the key pairs that exhibit the plaintext difference $\mathrm{\Delta }P$ and key difference $\mathrm{\Delta }K$. In contrast, the negative samples are derived from encrypting the random plaintext pairs using the random key pairs.

Following the work of Lu et al. (2024), we use eight ciphertext pairs with boosted data formats to train the related-key differential neural distinguishers for SIMON and SIMECK. Specifically, the $i$-th ( $1\le i\le 8$) $r$-round ciphertext pair $(C_l,C_r,C_l^{\mathrm{\prime }},C_r^{\mathrm{\prime }}{)}_i$, derived from the $i$-th plaintext pair $(P,P^{\mathrm{\prime }}{)}_i$ and key pair $(K,K^{\mathrm{\prime }}{)}_i$, can be extended to $({\mathrm{\Delta }}_L^r,{\mathrm{\Delta }}_R^r,C_l,C_r,C_l^{\mathrm{\prime }},C_r^{\mathrm{\prime }},{\mathrm{\Delta }}_R^{r-1},p{\mathrm{\Delta }}_R^{r-2}{)}_i$, denoted as ${\mathrm{\Omega }}_i$, where

(10) $$\{\begin{array}{c}{\mathrm{\Delta }}_L^r=C_l\oplus C_l^{\mathrm{\prime }},\hfill \\ {\mathrm{\Delta }}_R^r=C_r\oplus C_r^{\mathrm{\prime }},\hfill \\ f(x)=(x<<<\alpha )\odot (x<<<\beta )\oplus (x<<<\gamma ),\hfill \\ {\mathrm{\Delta }}_R^{r-1}=f(C_r)\oplus C_l\oplus f(C_r^{\mathrm{\prime }})\oplus C_l^{\mathrm{\prime }},\hfill \\ p{\mathrm{\Delta }}_R^{r-2}=f(f(C_r)\oplus C_l)\oplus C_r\oplus f(f(C_r^{\mathrm{\prime }})\oplus C_l^{\mathrm{\prime }})\oplus C_r^{\mathrm{\prime }}.\hfill \end{array}$$

The label Y of the sample $({\mathrm{\Omega }}_1\Vert {\mathrm{\Omega }}_2\Vert ...\Vert {\mathrm{\Omega }}_s)$ can be expressed as

(11) $$Y({\mathrm{\Omega }}_1\Vert {\mathrm{\Omega }}_2\Vert ...\Vert {\mathrm{\Omega }}_s)=\{\begin{array}{cc}1,& if{P}_i\oplus {P^{\mathrm{\prime }}}_i=\mathrm{\Delta }Pand{K}_i\oplus {K^{\mathrm{\prime }}}_i=\mathrm{\Delta }K,\\ 0,& else.\end{array}$$

Network architecture

We evaluate the various neural network architectures for the SIMON and SIMECK, such as neural network architectures used in Gohr (2019), Bao et al. (2022), Lu et al. (2024) and Zhang, Wang & Chen (2023), the architecture shown in Fig. 6 can achieve best accuracy under the same conditions. It consists of the following components:

• Input Layer: For the SIMON and SIMECK with a block length of $bl$, the input of neural network is a tensor with a shape of $(8\times bl\times 4,1)$.

• Reshape Layer: This layer transforms the input tensor into a new shape of $(8,bl\times 8)$ to enhance the feature extraction for subsequent convolutional layers.

• Conv-1: A convolutional layer with $bl$ convolutional kernels of size 1, followed by a batch normalization layer and a ReLU activation function.

• Dense $bl\times 2$: Two dense layers implemented sequentially to process the features extracted from the Conv-1. Each dense layer consists of $bl$ neurons followed by a batch normalization layer and a ReLU activation function.

• SE-ResNet $\times$ 5: A sequence of five SE-ResNet layers. Each SE-ResNet integrates the ResNet and SENet architectures and contains two convolutional layers with 3 × 3 kernels for feature extraction, followed by a batch normalization layer, a ReLU activation function, and a Squeeze-and-Excitation module. The features from different layers are merged by $Multiply$ and $Add$ operations.

• Flatten: This layer flattens the multi-dimensional output from the SE-ResNet layer into a one-dimensional tensor.

• Dense-128 $\times$ 2: Two fully connected layers with 128 neurons are used to connect all the features and send the output to the Sigmoid classifier in the subsequent layer.

• Output: The final layer of the neural network is responsible for generating the final prediction result.

Training and evaluation

The training process of a related-key differential neural distinguisher can be divided into two phases: the offline phase and the online phase. During the offline phase, the attacker aims to train a neural network that can effectively distinguish between positive and negative samples. To achieve this, the attacker first generates training samples and validation samples using selected plaintext difference $\mathrm{\Delta }P$ and master key difference $\mathrm{\Delta }K$. The training samples are used to train the neural network, while the validation samples are used to evaluate the recognition ability of the neural network. Ultimately, we can determine whether we have successfully constructed an effective neural distinguisher based on whether its accuracy surpasses the threshold of 0.5.

In the online phase, the neural distinguisher trained in the offline phase is employed to distinguish the ciphertext data generated by a block cipher or a random function. If the score of more than half of the samples exceeds 0.5, we consider the ciphertext data comes from the block cipher. Otherwise, these data are considered to originate from the random function.

Parameter setting

The number of training samples and validation samples used in this article is $2\times {10}^7$ and $2\times {10}^6$. In addition, we set the number of epochs to $120$, and each epoch contains multiple batches, each containing 30,000 samples. In order to adjust the learning rate more efficiently, we adopt the cyclic learning rate. Specifically, for the $i$-th epoch, its learning rate $l_i$ is dynamically calculated by $l_i=a+\frac{(n-i)\mathrm{m}\mathrm{o}\mathrm{d}(n+1)}{n}\times (b-a),$ where $a=0.0001$, $b=0.003$, and $n=29$. Moreover, we choose Adam (Kingma & Ba, 2014) as the optimizer and Mean Squared Error (MSE) as the loss function. To prevent the model from overfitting, we use L2 regularization with the parameter $c$ of 0.00001.

Motivation

Benamira et al. (2021) found that Gohr’s neural distinguisher showed a superior recognition ability for the ciphertext pairs exhibiting truncated differences with high probability in the last two rounds, suggesting a potential understanding and learning of differential-linear characteristics in the ciphertext pairs. Subsequently, Gohr, Leander & Neumann (2022) expanded their study to five different block, including SIMON, Speck (Beaulieu et al., 2015), Skinny (Beierle et al., 2016), PRESENT Bogdanov et al. (2007), Katan (De Canniere, Dunkelman & Knežević, 2009), and ChaCha (Bernstein, 2008). Notably, their research highlights the close connection between the accuracy of the neural distinguisher and the mean absolute distance of the ciphertext differential distribution and the uniform distribution. In light of these investigations, we enhance the basic differential neural distinguisher by using two distinct non-zero plaintext differences and master key differences, symbolically represented as ( $\mathrm{\Delta }P,\mathrm{\Delta }{P}^{\mathrm{\prime }},\mathrm{\Delta }K,\mathrm{\Delta }{K}^{\mathrm{\prime }}$).

The primary rationale behind selecting two input differences instead of one or more stems from the objective of minimizing conflicts among the output differences arising from positive and negative samples. When an input difference is chosen, as the number of rounds increases, some output differences will tend to be uniformly distributed due to the inherent confusion and diffusion properties of the block cipher. This poses a great challenge for the neural network to distinguish them from the uniformly distributed negative samples. However, if the negative samples are generated from another good difference, the mean absolute distance between the positive and negative samples may become more significant, which can allow the neural network to distinguish them more effectively. There are two reasons for limiting the number of input differences to two rather than more: firstly, the input differences that can maintain their unique distribution across several rounds are rare; secondly, an increase in the variety of ciphertext data may heighten the likelihood of collisions.

Differences selection

To develop an efficient and enhanced neural distinguisher, ( $\mathrm{\Delta }P,\mathrm{\Delta }{P}^{\mathrm{\prime }},\mathrm{\Delta }K,\mathrm{\Delta }{K}^{\mathrm{\prime }}$) needs to satisfy two pivotal requirements. Firstly, they must exhibit a favorable weighted bias score after several rounds, ensuring that the resulting ciphertext data possess distinct and discernible features. This can be straightforwardly accomplished by adopting the differential evaluation scheme detailed in “Basic Related-Key Differential Neural Distinguishers”. Second, the disparity between the ciphertext data derived from the input differences ( $\mathrm{\Delta }P,\mathrm{\Delta }K$) and ( $\mathrm{\Delta }{P}^{\mathrm{\prime }},\mathrm{\Delta }{K}^{\mathrm{\prime }}$) should be maximized, thereby ensuring that there are sufficient features for the neural network to leverage during the learning process.

Inspired by the role of weighted bias scores, we try to directly utilize their relative weighted bias scores, denoted as $S_R(\mathrm{\Delta }P,\mathrm{\Delta }{P}^{\mathrm{\prime }},\mathrm{\Delta }K,\mathrm{\Delta }{K}^{\mathrm{\prime }})$, as a rough metric to evaluate the suitability of $(\mathrm{\Delta }P,\mathrm{\Delta }{P}^{\mathrm{\prime }},\mathrm{\Delta }K,\mathrm{\Delta }{K}^{\mathrm{\prime }})$ for building the enhanced neural distinguishers, where

(12) $${\tilde{b}}_r^t(\mathrm{\Delta }P,\mathrm{\Delta }{P}^{\mathrm{\prime }},\mathrm{\Delta }K,\mathrm{\Delta }{K}^{\mathrm{\prime }})=\frac{1}{n}\sum _{j=0}^{n-1}\left|\frac{1}{t}\sum _{i=0}^{t-1}(E_{K_i\oplus \mathrm{\Delta }K}(X_i\oplus \mathrm{\Delta }P)-E_{K_i\oplus \mathrm{\Delta }{K}^{\mathrm{\prime }}}(X_i\oplus \mathrm{\Delta }{P}^{\mathrm{\prime }}){)}_j\right|.$$

(13) $$S_R(\mathrm{\Delta }P,\mathrm{\Delta }{P}^{\mathrm{\prime }},\mathrm{\Delta }K,\mathrm{\Delta }{K}^{\mathrm{\prime }})=\sum _{r=1}^{R}r\times {\tilde{b}}_r^t(\mathrm{\Delta }P,\mathrm{\Delta }{P}^{\mathrm{\prime }},\mathrm{\Delta }K,\mathrm{\Delta }{K}^{\mathrm{\prime }}).$$

However, the outcomes are disappointing, primarily due to the fact that the relative weighted bias scores among all combinations derived from two input differences with weighted high bias scores have a high degree of similarity.

Fortunately, the differences that have high weighted bias scores are generally scarce. For a set of $m$ input differences, the total number of potential combinations is $\frac{m\times (m-1)}{2}$. Consequently, when $m$ is small, the exhaustive approach that compares all potential combinations to identify the optimal one is feasible. Nonetheless, as the value of $m$ increases, the number of combinations grows rapidly. Specifically, when $m$ is 32, it is a daunting task to train 496 neural distinguishers. Given that the training of a single neural distinguisher takes about an hour and a half, the aggregate time required for this task approximating 31 days, which is impractical and and unacceptable for most researchers. Therefore, the adoption of a more efficient and targeted strategy for selecting promising combinations becomes imperative.

An available greedy strategy is to fix $(\mathrm{\Delta }P,\mathrm{\Delta }K)$ as the optimal or top-ranked input difference that can be used to construct the most effective basic neural distinguisher. Subsequently, $(\mathrm{\Delta }{P}^{\mathrm{\prime }},\mathrm{\Delta }{K}^{\mathrm{\prime }})$ is chosen from the remaining differences with good weighted bias score. This strategy can ensure that the ciphertext data generated with $(\mathrm{\Delta }P,\mathrm{\Delta }K)$ have discernible and distinctive features. In this article, we adopt the exhaustive approach for SIMON32/64 and SIMON32/64. For the remaining variants, we adopt this greedy strategy to speed up the process of differences selection.

Sample generation

The sample generation for enhanced neural distinguisher is different from method outlined for the basic neural distinguisher in “Basic Related-Key Differential Neural Distinguishers”. For the enhanced neural distinguisher, the positive and negative samples are ciphertext data generated from the plaintext pairs and key pairs with the differences $(\mathrm{\Delta }P,,\mathrm{\Delta }K)$ and $(\mathrm{\Delta }{P}^{\mathrm{\prime }},\mathrm{\Delta }{K}^{\mathrm{\prime }})$. The label of a sample $({\mathrm{\Omega }}_1\Vert {\mathrm{\Omega }}_2\Vert ...\Vert {\mathrm{\Omega }}_s)$ is represented as

(14) $$Y({\mathrm{\Omega }}_1\Vert {\mathrm{\Omega }}_2\Vert ...\Vert {\mathrm{\Omega }}_s)=\{\begin{array}{cc}1,& if{P}_i\oplus {P^{\mathrm{\prime }}}_i=\mathrm{\Delta }Pand{K}_i\oplus {K^{\mathrm{\prime }}}_i=\mathrm{\Delta }K,\\ 0,& if{P}_i\oplus {P^{\mathrm{\prime }}}_i=\mathrm{\Delta }{P}^{\mathrm{\prime }}and{K}_i\oplus {K^{\mathrm{\prime }}}_i=\mathrm{\Delta }{K}^{\mathrm{\prime }}.\end{array}$$

The neural network architecture and the process of training and evaluation remain consistent with that in “Basic Related-Key Differential Neural Distinguishers”.

The differences with Hamming weights of 1 and 2

For a block cipher with block length $bl$ and key length $kl$, the number of input differences we need to evaluate is $2^{bl+kl}$. Even for the smallest variants, i.e., SIMON32/64 and SIMECK32/64, the number of differences that need to be evaluated reaches $2^{96}$, which would take a lot of time. Therefore, we first evaluate the weighted bias scores for all the differences with Hamming weights of 1 and 2.

For the 8-round SIMON32/64, there are 16 input differences with weighted bias scores around 11.0, which are $\mathrm{\Delta }P=(0\times 0,0\times 1<<<i),\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,0\times 1<<<i),i\in [0,15]$. This is followed by another 16 input differences with a weighted bias score of about 10.8, specified as $\mathrm{\Delta }P=(0\times 0,0\times 21<<<i),\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,0\times 21<<<i),i\in [0,15]$. The score for all remaining input differences with Hamming weights of 1 and 2 is less than 10.00.

For the 8-round SIMON48/96, there are 24 input differences with a Hamming weight of 1 that have a weighted bias score between 15.3 and 14.4: $\mathrm{\Delta }P=(0\times 0,0\times 1<<<i),\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,0\times 1<<<i),i\in [0,23].$ For differences with a Hamming weight of 2, only 11 input differences yield weighted bias scores greater than 14.4. They are $\mathrm{\Delta }P=(0\times 0,0\times 41000\ll i),\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,0\times 41000\ll i),i\in [0,6]$, $\mathrm{\Delta }P=(0\times 0,0\times 21000\ll i),\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,0\times 21000\ll i),i\in [0,2]$, and $\mathrm{\Delta }P=(0\times 0,0\times 30000),\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,0\times 30000)$.

For the 8-round SIMON64/128, there are 32 differences with a Hamming weight of 1 that exhibit scores around 13.4. These differences are denoted as $\mathrm{\Delta }P=(0\times 0,0\times 1<<<i),\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,0\times 1<<<i),i\in [0,31]$. After that, there are 32 differences with Hamming weight 2 that have scores close to 12.6 or 12.5, which are $\mathrm{\Delta }P=(0\times 0,0\times 21<<<i),\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,0\times 21<<<i),i\in [0,31]$, and $\mathrm{\Delta }P=(0\times 0,0\times 41<<<i),\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,0\times 41<<<i),i\in [0,31]$, respectively. The scores for all remaining differences are below 12.2.

Structural features of SIMON

For SIMON32/64, SIMON48/96, and SIMON64/128, the input differences with high weighted bias scores are those with the structure $\mathrm{\Delta }P=(0\times 0,\mathrm{\Delta }X)$ and $\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,\mathrm{\Delta }X)$. By analyzing the propagation process of the difference in SIMON, we can find that the plaintext differences and key differences cancel each other out in the first round. In the next three rounds, both plaintext difference and key difference are zero. Only in the fifth round, the key difference $\mathrm{\Delta }X$ is re-injected, and the plaintext difference is still zero. The detailed differential propagation process is given in Table 3. This is easily verified by analyzing the transformations of the plaintext difference and the key difference in the round function and the round key.

The differences with a Hamming weight greater than 2

Based on the structural feature of SIMON, for differences with a weight greater than 2, we only consider the differences with a structure of $\mathrm{\Delta }P=(0\times 0,\mathrm{\Delta }X)$ and $\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,\mathrm{\Delta }X)$. For 8-round SIMON32/64, there are only 32 differences with Hamming weights of 3 that have weighted bias scores greater than 10.0. Specifically, they are $\mathrm{\Delta }P=(0\times 0,0\times 43/0\times 421<<<i),\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,0\times 43/0\times 421<<<i),i\in [0,15]$, with scores between 10.7 and 10.3. For the 8-round SIMON48/96 and SIMON64/128, the weighted bias scores for all differences with a Hamming weight greater than two are less than 14.4 and 12.2, respectively.

The differences with Hamming weights of 1 and 2

Following the experiments on SIMON, we first explore the applicability of the input differences with Hamming weights of 1 and 2 in constructing neural distinguishers for SIMECK. For 10-round SIMECK32/64, 16 differences with a Hamming weight of 1, denoted as $\mathrm{\Delta }P=(0\times 0,0\times 1<<<i),\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,0\times 1<<<i),i\in [0,15]$, achieve the optimal weighted bias score around 16.3. Then there are 32 differences with Hamming weight of 2, $\mathrm{\Delta }P=(0\times 0,0\times 3/0\times 11<<<i),\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,0\times 3/0\times 11<<<i),i\in [0,15]$, with scores greater than 13.0. The rest of the differences are scored below 13.0.

For the 12-round SIMECK48/96, there are 24 differences with a Hamming weight of 1, $\mathrm{\Delta }P=(0\times 0,0\times 1\ll i),\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,0\times 1\ll i),i\in [0,23]$, that have a weighted bias score between 30.4 and 26.6. For differences with a Hamming weight of 2, there are 33 differences with scores greater than or equal to 26.6. They are $\mathrm{\Delta }P=(0\times 0,0\times 30\ll i),\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,0\times 30\ll i),i\in [0,12]$, $\mathrm{\Delta }P=(0\times 0,0\times 220\ll i),\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,0\times 220\ll i),i\in [0,8]$, $\mathrm{\Delta }P=(0\times 0,0\times 140\ll i),\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,0\times 140\ll i),i\in [0,6]$, and $\mathrm{\Delta }P=(0\times 0,0\times 480\ll i),\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,0\times 480\ll i),i\in [0,3]$. The scores of all remaining differences are all less than 26.5.

For the 15-round SIMECK64/128, the best weighted bias score around 30.1 is achieved by 32 differences with a Hamming weight of 1, which are $\mathrm{\Delta }P=(0\times 0,0\times 1<<<i),\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,0\times 1<<<i),i\in [0,31]$. Then there are 32 differences, $\mathrm{\Delta }P=(0\times 0,0\times 3<<<i),\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,0\times 3<<<i),iin[0,31]$, with scores close to 26.7. All the other differences have scores below 26.0.

Structural features of SIMECK

Similar to SIMON, for all variants of SIMECK, the input differences that exhibit good weighted bias scores adhere to the format: $\mathrm{\Delta }P=(0\times 0,\mathrm{\Delta }X)$ and $\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,\mathrm{\Delta }X)$. This is also due to the fact, as shown in Table 4, that the plaintext difference and key difference cancel each other out in the first round, and in the subsequent three rounds, both the plaintext difference and key difference are zero. It is not until the fifth round that the key difference $\mathrm{\Delta }{X}^{\mathrm{\prime }}$, resulting from the $\odot$ operation of $\mathrm{\Delta }{K}_r<<<\alpha$ and $\mathrm{\Delta }{K}_r<<<\beta$, is reintroduced.

The differences with a Hamming weight greater than 2

For the 10-round SIMECK32/64 and 15-round SIMECK64/128, none of the differences with a Hamming weight of more than two yields a weighted bias score above 12.5 and 24.5, respectively. For 12-round SIMECK48/96, there are only three differences with a Hamming weight of three that have a score of 26.8, which are $\mathrm{\Delta }P=(0\times 0,0\times 700/0xe00/0\times 2300)$, $\mathrm{\Delta }K=(0\times 0,0\times 0,0\times 0,0\times 700/0xe00/0\times 2300)$. The scores for all remaining differences with a Hamming weight of three or higher are all below 26.6.