Paper 2013/663

Linear Cryptanalysis of Round Reduced SIMON

Javad Alizadeh, Nasour Bagheri, Praveen Gauravaram, Abhishek Kumar, and Somitra Kumar Sanadhya

Abstract

SIMON is a family of lightweight block ciphers that was proposed by U.S National Security Agency (NSA). A cipher in this family with $K$-bit key and $N$-bit block is called SIMON ${N}/{K}$. In this paper we analyze the security of SIMON against linear cryptanalysis. We present several linear characteristics for all variants of SIMON with reduced number of rounds. Our best linear characteristic covers SIMON 32/64 reduced to 13 rounds out of 32 rounds with the bias of $2^{-16}$. In addition, we describe a connection between linear and differential characteristics for SIMON. This connection is then exploited by using the differential characteristics of the previous work of Abed \textit{et al.} to construct linear characteristics presented in this work. Our attacks extend to all variants of SIMON covering more number of rounds compared to the previous results on linear cryptanalysis. We have implemented our attacks for small scale variants of SIMON and our experiments confirm the theoretical bias of various characteristics presented in this work. %We also verified the results for SIMON32/64 experimentally to see whether implementation confirms theory. So far, our results are the best known with respect to linear cryptanalysis for any variant of SIMON.

Note: In this version we have fixed some typos and improved our results for SIMON96/144 and SIMON128/256.