International Association
for Cryptologic Research

The block cipher Simon has a very simple round function. This simplicity allows us to compute the correlation matrix of the round function. Despite its simplicity, Simon exhibits some very interesting phenomena with respect to linear cryptanalysis. The combination of an expanding linear function and a compressing nonlinear function creates one-round hulls. These hulls complicate the estimation of the correlation contribution of trails as well as the potential of linear hulls. They cause difficulties in the commonly used methods to estimate the cipher's security against linear cryptanalysis. Finally, because most hulls contain many trails with similar correlation contributions, we can demonstrate erratical behaviour of Matsui's Algorithm 1 when applied in the default way. We also show how Algorithm 1 can be adapted to this situation and recover multiple key bits.