# Simon (cipher)

General One round of Simon Ray Beaulieu, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, Louis Wingers NSA 2013[1] Speck 64, 72, 96, 128, 144, 192 or 256 bits 32, 48, 64, 96 or 128 bits Balanced Feistel network 32, 36, 42, 44, 52, 54, 68, 69 or 72 (depending on block and key size) 7.5 cpb (21.6 without SSE) on Intel Xeon 5640 (Simon128/128) Differential cryptanalysis can break 46 rounds of Simon128/128 with 2125.6 data, 240.6 bytes memory and time complexity of 2125.7 with success rate of 0.632.[2][3][4]

Simon is a family of lightweight block ciphers publicly released by the National Security Agency (NSA) in June 2013.[5][1] Simon has been optimized for performance in hardware implementations, while its sister algorithm, Speck, has been optimized for software implementations.[6][7] Security researchers have warned against the algorithm for potentially having a backdoor which would compromise the effectiveness of the algorithm, completely nullifying it. The privacy concerns came after NSA failed to give detailed technical details to the researchers from ISO, thereby standardization of this algorithm has not taken place. [8]

## Description of the cipher

The Simon block cipher is a balanced Feistel cipher with an n-bit word, and therefore the block length is 2n. The key length is a multiple of n by 2, 3, or 4, which is the value m. Therefore, a Simon cipher implementation is denoted as Simon2n/nm. For example, Simon64/128 refers to the cipher operating on a 64-bit plaintext block (n=32) that uses a 128-bit key.[1] The block component of the cipher is uniform between the Simon implementations; however, the key generation logic is dependent on the implementation of 2, 3 or 4 keys.

Simon supports the following combinations of block sizes, key sizes and number of rounds:[1]

Block size (bits) Key size (bits) Rounds
32 64 32
48 72 36
96 36
64 96 42
128 44
96 96 52
144 54
128 128 68
192 69
256 72

### Description of the Key Schedule

The key schedule is mathematically described as

${\displaystyle k_{i+m}=\left\{{\begin{array}{ll}c\oplus \left(z_{j}\right)_{i}\oplus k_{i}\oplus \left(I\oplus S^{-1}\right)\left(S^{-3}k_{i+1}\right),&m=2\\c\oplus \left(z_{j}\right)_{i}\oplus k_{i}\oplus \left(I\oplus S^{-1}\right)\left(S^{-3}k_{i+2}\right),&m=3\\c\oplus \left(z_{j}\right)_{i}\oplus k_{i}\oplus \left(I\oplus S^{-1}\right)\left(S^{-3}k_{i+3}\oplus k_{i+1}\right),&m=4\\\end{array}}\right.}$

The key schedule structure may or may not be balanced. The key word count of ${\displaystyle m}$ is used to determine the structure of the key expansion, resulting in a total bit width of ${\displaystyle m*n}$. The key word expansion consists of a right shift, XOR and a constant sequence, ${\displaystyle z_{x}}$. The ${\displaystyle z_{x}}$ bit operates on the lowest bit of the key word once per round[7].

### Description of the Constant Sequence

The constant sequence, ${\displaystyle z_{x}}$, is created by a Linear Feedback Shift Register (LFSR). The logical sequence of bit constants is set by the value of the key and block sizes. The LFSR is created by a 5-bit field. The constant bit operates on a key block once per round on the lowest bit in order to add non-key-dependent entropy to the key schedule. The LFSR has different logic for each ${\displaystyle z_{x}}$ sequence; however, the initial condition is the same for encryption. The initial condition of the LFSR for decryption varies on the round.

Constant Sequence
${\displaystyle z_{0}=11111010001001010110000111001101111101000100101011000011100110}$
${\displaystyle z_{1}=10001110111110010011000010110101000111011111001001100001011010}$
${\displaystyle z_{2}=10101111011100000011010010011000101000010001111110010110110011}$
${\displaystyle z_{3}=11011011101011000110010111100000010010001010011100110100001111}$
${\displaystyle z_{4}=11010001111001101011011000100000010111000011001010010011101111}$

## Opposition to ISO approval

Expert delegates to the International Organization for Standardization from several countries including Germany, Japan and Israel have opposed the efforts by the NSA to standardise the Simon and Speck ciphers, citing concerns that the NSA is pushing for their standardisation with knowledge of exploitable weaknesses in the ciphers, based on partial evidence of weaknesses in the ciphers, lack of clear need for standardisation of the new ciphers, and the NSA's previous involvement in the creation and promotion of the backdoored Dual_EC_DRBG cryptographic algorithm.[9]

Simon has been severely criticized and ISO standardization has been rejected.[10]