International Association
for Cryptologic Research

In June 2013 the U.S. National Security Agency proposed two families of ultra-lightweight block ciphers, called Simon and Speck. In this paper we present the first cryptanalysis of round-reduced versions of Simon. We mount differential distinguishers and key-recovery attacks on up to 14/32, 17/36, 21/44, 26/54, and 32/72 rounds, for the 32-, 48-, 64-, 96-, and 128-bit versions, respectively. Furthermore, we briefly consider impossible-differential and rotational attacks. While our attacks are mostly academic, they demonstrate the drawback of the aggressive optimizations in Simon which allow powerful differential cryptanalysis.