Linear Cryptanalysis of Reduced-Round Simon Using Super Rounds

Reham Almukhlifi, Poorvi L. Vora
2020 Cryptography  
We present attacks on 21-rounds of Simon 32/64, 21-rounds of Simon 48/96, 25-rounds of Simon 64/128, 35-rounds of Simon 96/144 and 43-rounds of Simon 128/256, often with direct recovery of the full master key without repeating the attack over multiple rounds. These attacks result from the observation that, after four rounds of encryption, one bit of the left half of the state of 32/64 Simon depends on only 17 key bits (19 key bits for the other variants of Simon). Further, linear cryptanalysis
more » ... equires the guessing of only 16 bits, the size of a single round key of Simon 32/64. We partition the key into smaller strings by focusing on one bit of state at a time, decreasing the cost of the exhaustive search of linear cryptanalysis to 16 bits at a time for Simon 32/64. We also present other example linear cryptanalysis, experimentally verified on 8, 10 and 12 rounds for Simon 32/64.
doi:10.3390/cryptography4010009 fatcat:ldk2auxgpnbwjim7pcx4yjm7cu