Paper 2015/285

Improved Linear Trails for the Block Cipher Simon

Tomer Ashur


Simon is a family of block ciphers designed by the NSA and published in 2013. Due to their simple structure and the fact that the specification lacked security design rationale, the ciphers have been the subject of much cryptanalytic work, especially using differential and linear cryptanalysis. We improve previously published linear trail bias estimations by presenting a novel method to calculate the bias of short linear hulls in Simon and use them to construct longer linear approximations. By using these linear approximations we present key recovery attacks of up to 25 rounds for Simon64/128, 24 rounds for Simon32/64, Simon48/96, and Simon64/96, and 23 rounds for Simon48/72. The attacks on Simon32 and Simon48 are currently the best attacks on these versions. The attacks on Simon64 do not cover as many rounds as attacks using differential cryptanalysis but they work in the more natural setting of known plaintexts rather than chosen plaintexts.

Category: Secret-key cryptography
Publication info: Preprint. MINOR revision.
Keywords: Linear cryptanalysis, Linear hulls, Linear super-trail, Simon
Contact author(s): tashur @ esat kuleuven be
History: 2015-03-26: received
License: Creative Commons Attribution


      author = {Tomer Ashur},
      title = {Improved Linear Trails for the Block Cipher Simon},
      howpublished = {Cryptology ePrint Archive, Paper 2015/285},
      year = {2015},
      note = {\url{}},
      url = {}