Embedded systems are deployed in domains as varied as environmental surveillance, traffic control and medical monitoring. The limited resources of such systems have led to a growing need for lightweight cryptographic primitives. In 2013, the National Security Agency (NSA) of the United States presented two families of lightweight block ciphers:Simon and Speck. Simeck, which combines the strengths of Simon and Speck, was proposed in 2015.

We analyze the security of Simon-like ciphers---Simon and Simeck---and present an efficient linear cryptanalysis of reduced-round versions of each. Our improvement of classical linear cryptanalytic approaches arises from an important observation valid for Simon-like ciphers: after four rounds of encryption, one bit of the left half of the state depends on only 16 key bits---the size of one round key in the smallest version of the cipher, which is a fourth of the size of the master key. It is hence possible to perform four rounds of encryption using only 16 bits of the key for each bit of state. This partitioning of the master key reduces considerably the cost of trying every possible key and enables the efficient application of Matsui's second cryptanalysis. This, in turn, enables us to define the notion of a super-round which is a generalization of four-round encryption in Simon-like ciphers.

We validate the efficiency of our proposed linear attack by carrying out several experiments on 8-round, 10-round and 12-round reduced-round Simon and Simeck ciphers. We project improved linear attacks on a far larger number of rounds on all variants of Simon and Simeck that use classical linear cryptanalysis. For some variants, we are able to attack more rounds than any other approaches that use Matsui's second linear cryptanalysis (except for approaches relying on linear hulls). Finally, we complement our analysis by testing different choices of parameters of the Simon-like round function to understand how a change in these parameters affects the success of our attack.