4

I'm reading Cryptanalysis of the SIMON Family of Block Ciphers. In Section 3.1, it says:

For SIMON, consider an n-bit input difference $\alpha= x\oplus x'$ to $F$ of Hamming weight one. As the operation $\oplus$ is invariant with respect to rotation, say w.l.o.g. that $\alpha= (0...01)$

I understand that the operation $\oplus$ is invariant with respect to rotation, but I don't understand how to apply that claim to $F$ … According to the theory of differential cryptanalysis, I understand that $\alpha$ is not evaluated by $F$, but $x$ and $x'$ are evaluated individually, so I don't understand why it says "the operation $\oplus$ is invariant with respect to rotation, say w.l.o.g. that $\alpha= (0...01)$".

forest
juaninf

1 Answer

8

As one of the authors of the paper, let me give you an answer. The operation $F$ is indeed applied to both $x$ and $x'$. By stating that $\oplus$ is invariant under rotation, we mean that if you first rotate $x$ and $x'$ and take the difference with $\oplus$, you get the same result as if you first take the difference with $\oplus$ and then rotate the difference by the same amount.

forest
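The commutation described in the answer, carried one step further as an added example (not code from the paper or from the answer). It assumes SIMON's round function $F(x) = (x \lll 1 \wedge x \lll 8) \oplus (x \lll 2)$ from the cipher specification and the 16-bit word size of SIMON32, and checks exhaustively that rotating a weight-one input difference only rotates the distribution of output differences, which is what makes $\alpha = (0...01)$ a choice without loss of generality.

```python
from collections import Counter

N = 16                  # assumed word size (SIMON32), small enough to enumerate every x
MASK = (1 << N) - 1

def rotl(x, r):
    """Rotate an N-bit word left by r positions."""
    r %= N
    return ((x << r) | (x >> (N - r))) & MASK

def F(x):
    """SIMON's F as given in the cipher specification (assumed, not quoted on this page)."""
    return (rotl(x, 1) & rotl(x, 8)) ^ rotl(x, 2)

def xor_commutes_with_rotation(x, x2, r):
    """Rotate both inputs then XOR == XOR then rotate the difference."""
    return rotl(x, r) ^ rotl(x2, r) == rotl(x ^ x2, r)

def F_commutes_with_rotation(x, r):
    """F uses only rotations, AND and XOR, so F(rot(x)) == rot(F(x))."""
    return F(rotl(x, r)) == rotl(F(x), r)

def output_differences(alpha):
    """Count each output difference F(x) ^ F(x ^ alpha) over all 2^N inputs x."""
    return Counter(F(x) ^ F(x ^ alpha) for x in range(MASK + 1))

def rotated(dist, r):
    """Rotate every output difference in a distribution by r positions."""
    return Counter({rotl(beta, r): count for beta, count in dist.items()})

if __name__ == "__main__":
    base = output_differences(1)            # alpha = (0...01)
    for beta, count in sorted(base.items()):
        print(f"alpha=0x0001 -> beta=0x{beta:04x}  p = {count}/{MASK + 1}")
    for r in range(N):
        # Any other weight-one alpha gives the same distribution, rotated by r.
        same = output_differences(rotl(1, r)) == rotated(base, r)
        print(f"alpha = 1 <<< {r:2d}: distribution is rot(base, {r}) -> {same}")
```
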