Selecting Rotation Constants on SIMON-Type Ciphers

In 2013, a lightweight block cipher SIMON is proposed by NSA. This paper tries to investigate this design criterion in terms of resisting against impossible differential cryptanalysis. On one hand, starting from all the possible rotation constants, this paper sieves those “bad parameters” step by step, for each step, the regular patterns for those “bad parameters” are deduced. Accordingly, basic rules for selecting rotation constants on SIMON-type ciphers to construct shorter longest impossible differentials are proposed. On the other hand, the authors categorize the optimal parameters proposed in CRYPTO 2015, according to these results, some “good parameters” in terms of differential cryptanalysis may be rather “bad parameters” while considering impossible differential cryptanalysis. Finally, a concrete attack on 26-round SIMON(13,0,10) is proposed, which is a suggested SIMON variant in CRYPTO 2015 against differential cryptanalysis and linear cryptanalysis. The result in this paper indicates that it is very important to choose appropriate rotation constants when designing a new block cipher.