 Thank you for the introduction. So lightweight cryptography received a lot of attention over the last few years, and there's a high demand from industry for solutions for resource-constrained environments. These resource-constrained environments bring new challenges for designers of ciphers, and there's been a lot of research going on about designing ciphers which optimize chip area or latency, power consumption and so on. Also, recently NIST showed interest in discussing lightweight crypto and potential future standardizations. Now, two years ago NSA published two lightweight ciphers on the ePrint archive, which is quite surprising because they don't often publish ciphers, so the last time was Skipjack, which we heard about before. Yes, and so Simon is a lightweight cipher which is meant to be used for hardware, and Speck is the other one, which is for software, but this talk is about Simon, and both designs have a very simple design and competitive performance. So Simon uses a Feistel construction with a very simple round function. It only uses XOR, rotations, which we denote with S here, and bitwise AND. Unsurprisingly, there was no cryptanalysis published with the specification of Simon and only performance figures were given, but the research community has been very active over the last two years and published a lot of work on Simon. Mainly we focused on attacks, and up to now the best attacks can cover up to around 74 percent of the total number of rounds. So in our talk we were more interested in the general class of Simon-like functions and their properties with regard to statistical attacks like differential or linear cryptanalysis. So for other ciphers like AES, or in general SPN ciphers, it's easier to show bounds against differential and linear attacks than it is for Simon-like functions or ARX. It's not so easy to achieve the same goals, and also the best attacks so far, you know, are of differential and linear nature.
So the basic idea behind differential cryptanalysis is we look at some pair of inputs and observe the outputs and try to find some correlation between the input and output difference. So in particular we're interested in: if we take a random pair with an input difference alpha, with what probability can we observe the output difference beta? We then use this to construct what we call a differential characteristic to cover more rounds. So we make assumptions like independence of rounds, and then we can concatenate these one-round differentials to get multiple rounds. But actually in attacks we often do not care what happens in between. So it looks more like this. So we only care that we have some input difference and some output difference, and what's the probability that this happens? So first, to simplify our analysis, we show in the paper that it's sufficient if we look at this. So for one round we can derive the differential and linear properties using this construction. Of course for many rounds it matters, because this has different diffusion properties. So let's look at one round. So I would like to give a more intuitive approach to how we obtained our results. So when we look at a message and an input difference, so we use the message M and input difference D, then there are four cases for the output difference. If the input difference at position i and i-1 is 0, then the output difference has to be 0. If the difference at position i is 0 but the difference at position i-1 is 1, then the output difference only depends on M at position i. Vice versa, if i is 1 and i-1 is 0, then the output difference depends on message bit i-1, and if they're both 1, then it depends on the XOR of these two messages. So let's look at a simple example with only six-bit word size and use the difference 0 0 1 0 1 0, and we can look at the first bit. So it's 0 0, so the output difference has to be 0. On 0 the output difference has to be M0, M2, M2, M4 and 0.
So when we look at the output difference, we see it only depends on these three message bits. So therefore we can only have eight possible output differences, and we can use this to compute a differential probability. So we can use very simple bit operations to derive this probability, and for this we use these two definitions. So the first we call varibits. So these are basically the bits which can be nonzero in the output, and the second definition is doublebits. These are the bits which have to be equal to the right neighbor. So if we go back to our example, so we use these bit operations now to compute this. If we look at varibits, we can see, okay, the output differences only vary in the bits at the positions which are 1 in varibits. And if we look at doublebits, we can see that the right neighbor always has to be equal. So to summarize this: for a valid differential for one round, there can only be a different output difference at position i if varibits at position i is 1, and if doublebits at position i is 1, then the right neighbor has to be equal. The most interesting thing is that the probability for this transition is then simply given by 2 to the minus the Hamming weight of the XOR of these two definitions. Obtaining this result, we can then transform it back to the full Simon function just with some simple affine transformations. And in the paper we provide proofs for the correctness of this, and also the proofs why this gives you the correct probability. We also show there a similar approach for linear cryptanalysis. Okay, so we got it now for one round, but we want to know how we can construct good or optimal differential characteristics. And for this we use an approach based on SAT/SMT solvers, which has previously also been used for the stream cipher Salsa20 and the authenticated encryption scheme NORX. And this allows us to both get bounds on the probability of the best differential characteristics and also estimate the probability of a differential.
And we also made our framework publicly available to encourage further research. So how does it work? Well, for each round we basically add a set of constraints which we derive from these two definitions, varibits and doublebits. And we also keep the probability for this one round in some variable w_i. If we now want to find the characteristic with a specific probability, we build up the system of constraints for each round and check whether this assignment is valid. If not, then we know there's no characteristic with this probability; otherwise we know there's a characteristic with this probability. And then we carried out experiments for different variants of Simon. So here on the horizontal axis you have the number of rounds and on the vertical axis the probability of a single characteristic. And you can see for Simon 32 there are no characteristics with a probability higher than 2 to the minus 32 for 12 rounds. For Simon 48 it's similar, but there you have the bound at 16 rounds. And for Simon 64 we only ran experiments up to 15 rounds, but you can expect a similar bound at around 20 rounds. But as I mentioned before, in an attack we care about the differentials, not the characteristics. It's often assumed that a differential is dominated by one characteristic, but this is not the case for Simon. And it only gives a very inaccurate estimate. So this has also been observed in previous work, but with our method we can give better estimates on this. And the idea behind this is similar: we add the constraints for each round, but additionally we fix the input and output difference. And after this we try to find all solutions to this system. We also observed that if we are looking at a differential, it's very easy to determine the interval in which characteristics lie. But still the intervals are quite large, so it's computationally infeasible to compute it for the bigger variants.
So you can see here, for instance, for Simon 32 for 13 rounds the best characteristic has a probability of 2 to the minus 36, but the corresponding differential has a much higher probability. And the same is true for the other variants. And this number always means we counted all characteristics between 2 to the minus 50 and 2 to the minus 68. And for Simon 32 we were able to cover the whole space, which then looks like this. So on the horizontal axis we have the probability of a single characteristic and on the horizontal axis we have the number of characteristics. So you can see, for instance, for 2 to the minus 36 there's only one characteristic. For 2 to the minus 37 we have four characteristics. And this basically seems to grow exponentially, but then it goes flat. But this seems like a very artificial bound here, so it's probably more likely that there is some limit on the underlying solvers. So if we now look at the probability, so this is the probability you get by summing up all the characteristics up to a certain bound. The good thing is, for Simon 32 we can basically run two random encryptions with random keys for the full codebook to obtain this experimentally, which is the green line. So you can see by summing up more and more characteristics we get closer and closer to this real probability. So to give you some numbers on how long this takes: summing up all characteristics up to this point takes 90 seconds. Then after three hours we are already very close to the real probability here, but covering the whole space takes around one month on a single core. And it doesn't give you much from here to here. In the last part of our work we were investigating some design decisions on Simon. So we were looking at the choice of rotation constants, because there was no justification from the designers. And we were interested in how they perform with respect to security. So are there parameters which are better with regard to some metrics?
So first we just did some basic tests for diffusion. So we look after how many rounds a single input bit affects all the output bits. And this is basically the rank of the original parameters. So they are most of the time in the second best group, but there are better parameters. But we were actually more interested in how the rotation constants influence the differential and linear bounds. So we looked at all possible parameters and tried to find those which have optimal bounds, basically. And we came up with these three candidates. So they all offer bounds against differential and linear characteristics which are as good as the original parameters or slightly better. And of these, Simon with rotations 12, 5, 3 offers the best diffusion amongst those with optimal bounds. And then we also chose parameter sets which have one zero constant, because they might be better for implementations. So while these also offer optimal bounds against differential characteristics, again the question is how does this affect the differentials? So if we now look at it again, this is the probability for one characteristic and this is the number of characteristics. So these are the original parameters. If we now compare them with Simon with 7, 0, 2, we can see that more characteristics contribute to the differential. So the differential effect is slightly stronger, which you kind of would expect because the diffusion is worse here. And you can also see it with the other variant which has a zero constant. However, when you look at our candidate which has optimal diffusion, it looks quite different. So with this parameter set the differential effect seems to be weaker. So this plot can only show one differential, of course. But we observe the same behavior for the other differentials we tested. But still it's difficult to argue that with these parameters you will have this weak differential effect for all differentials. So there's more analysis required on this.
So to summarize this, we presented a constant time algorithm for computing the differential probability for one round, which can be useful for further cryptanalysis on Simon. We also present in the paper a linear time algorithm in the word size for the square correlation. Then we presented some first bounds for differential characteristics and linear characteristics and compared the quality of the rotation constants. So there are still some open problems, like there should be a more refined analysis of the parameter space, and it would be very nice if there were a more efficient method to test this differential effect for the different constants. Because at the moment we can only test, like, a single differential, and it then takes half an hour, but you can't test all the differentials. Also to build up some theory why these constants have a weaker differential effect. And the final remark: so while there's no evidence hinting at any problem with this algorithm, we should keep in mind who designed these algorithms and that they try to insert vulnerabilities into commercial cryptosystems and have done so in the past. Therefore we recommend refraining from using or standardizing any such algorithms and treating them very carefully. Thank you.
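
The one-round computation described in the talk, as an added example that is not part of the talk or the speakers' framework: it evaluates the simplified function whose output bit i is x_i AND x_(i-1) on the six-bit toy word size, computes the differential probability from varibits and doublebits, and checks it against exhaustive enumeration. The bit-operation formulas for `varibits` and `doublebits`, the function names, and the separate handling of the all-ones difference are assumptions derived from the four cases given in the talk.

```python
from collections import Counter
from fractions import Fraction

N = 6                    # toy word size from the talk (assumed even)
MASK = (1 << N) - 1

def rotl(x, r):
    """Rotate an N-bit word left by r, so bit i receives bit i-r."""
    return ((x << r) | (x >> (N - r))) & MASK

def f(x):
    """Simplified Simon-like function: output bit i is x_i AND x_(i-1)."""
    return x & rotl(x, 1)

def varibits(alpha):
    """Positions where the output difference can be nonzero."""
    return alpha | rotl(alpha, 1)

def doublebits(alpha):
    """Positions whose output difference must equal the right neighbor."""
    return alpha & ~rotl(alpha, 1) & rotl(alpha, 2) & MASK

def dp_closed_form(alpha, beta):
    """Probability of alpha -> beta through f, using bit operations only."""
    if alpha == MASK:
        # Assumption: all-ones input difference handled separately; every
        # output bit is m_i XOR m_(i-1) XOR 1, so only even weights occur.
        even = bin(beta).count("1") % 2 == 0
        return Fraction(1, 2 ** (N - 1)) if even else Fraction(0)
    vb, db = varibits(alpha), doublebits(alpha)
    if beta & ~vb & MASK:                # difference outside varibits
        return Fraction(0)
    if (beta ^ rotl(beta, 1)) & db:      # a doublebit differs from its neighbor
        return Fraction(0)
    return Fraction(1, 2 ** bin(vb ^ db).count("1"))

def dp_exhaustive(alpha):
    """Reference: count output differences over all 2^N messages."""
    counts = Counter(f(m) ^ f(m ^ alpha) for m in range(1 << N))
    return {beta: Fraction(c, 1 << N) for beta, c in counts.items()}

def closed_form_matches_exhaustive():
    """Compare both methods for every (alpha, beta) pair."""
    return all(
        dp_closed_form(a, b) == dp_exhaustive(a).get(b, Fraction(0))
        for a in range(1 << N) for b in range(1 << N)
    )

if __name__ == "__main__":
    alpha = 0b001010     # the input difference used in the talk
    print(f"{varibits(alpha):06b} {doublebits(alpha):06b}")
    print(len(dp_exhaustive(alpha)), closed_form_matches_exhaustive())
```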