The block cipher Simon has a very simple round function. This simplicity allows us to compute the correlation matrix of the round function. Despite its simplicity, Simon exhibits some very interesting phenomena with respect to linear cryptanalysis. The combination of an expanding linear function and a compressing nonlinear function creates one-round hulls. These hulls complicate the estimation of the correlation contribution of trails as well as the potential of linear hulls, and they cause difficulties for the commonly used methods of estimating a cipher's security against linear cryptanalysis. Finally, because most hulls contain many trails with similar correlation contributions, we can demonstrate erratic behaviour of Matsui's Algorithm 1 when it is applied in the default way. We also show how Algorithm 1 can be adapted to this situation to recover multiple key bits.
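The abstract's claim that Simon's round function is simple enough to have its correlation matrix computed can be checked directly for the smallest variant. The following is an added example, not code from the paper: it implements the Simon round on 16-bit words (the Simon32 word size, rotation constants 1, 8 and 2), computes one column of the correlation matrix of the nonlinear layer f with a Walsh-Hadamard transform, and derives the round-level correlation from it. The function names and the choice of output mask are assumptions made here for illustration.

```python
"""Correlation of linear approximations through the Simon round function.

Added example (not from the paper). Word size N = 16 as in Simon32 and the
Simon rotation constants (1, 8, 2); function names are chosen here.
"""
from functools import lru_cache

N = 16
MASK = (1 << N) - 1


def rotl(x, r):
    """Rotate the N-bit word x left by r positions."""
    return ((x << r) | (x >> (N - r))) & MASK


def simon_f(x):
    """Simon's nonlinear layer f(x) = (S^1 x & S^8 x) ^ S^2 x.

    The bitwise AND of two rotated copies compresses (many inputs map to
    the same output bit); the rotations and the XOR are the linear part.
    """
    return (rotl(x, 1) & rotl(x, 8)) ^ rotl(x, 2)


def simon_round(left, right, key):
    """One Feistel round: (L, R) -> (R ^ f(L) ^ k, L).

    L is used twice (copied to the new R and fed into f), which is the
    expanding linear function the abstract refers to.
    """
    return (right ^ simon_f(left) ^ key) & MASK, left


def parity(x):
    """Parity of the set bits of x, i.e. the GF(2) dot product x . x."""
    return bin(x).count("1") & 1


def walsh_hadamard(signs):
    """In-place fast Walsh-Hadamard transform of a list of length 2^N.

    Afterwards signs[u] = sum_x signs_original[x] * (-1)^(u . x).
    """
    h = 1
    n = len(signs)
    while h < n:
        for i in range(0, n, 2 * h):
            for j in range(i, i + h):
                a, b = signs[j], signs[j + h]
                signs[j], signs[j + h] = a + b, a - b
        h *= 2
    return signs


@lru_cache(maxsize=None)
def f_correlations(v):
    """One column of the correlation matrix of f for output mask v.

    Returns {u: c(u, v)} for every input mask u with nonzero correlation
    c(u, v) = 2^-N * sum_x (-1)^(u . x ^ v . f(x)).  For a single-bit v
    exactly four input masks appear, each with |c| = 1/2: the AND of two
    bits has four linear approximations of equal absolute correlation,
    so several trails already meet at one mask inside a single round.
    """
    signs = [1 - 2 * parity(v & simon_f(x)) for x in range(1 << N)]
    spectrum = walsh_hadamard(signs)
    return {u: s / (1 << N) for u, s in enumerate(spectrum) if s != 0}


def round_correlation(u, w, a, b, key):
    """Correlation of the round for input masks (u on L, w on R) and output
    masks (a on L', b on R'), for a fixed round key.

    a.L' ^ b.R' = a.R ^ a.f(L) ^ a.k ^ b.L, so the sum over R vanishes
    unless w == a, and the mask b on the copied branch folds into the
    mask entering f.  The key only contributes the sign (-1)^(a . k).
    """
    if w != a:
        return 0.0
    sign = -1.0 if parity(a & key) else 1.0
    return sign * f_correlations(a).get(u ^ b, 0.0)


if __name__ == "__main__":
    for u, c in sorted(f_correlations(1).items()):
        print(f"u = {u:016b}  c(u, 1) = {c:+.3f}")
```

For output mask 1 (bit 0 of f), bit 0 of S^2 x is x_14 and the AND term is x_15 & x_8, so the four correlated input masks all contain bit 14 and differ in which of bits 15 and 8 they include; three have correlation +1/2 and the mask containing both has -1/2. Parseval's relation (the squared correlations in a column sum to 1) is a useful self-check on the transform.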