Doesn't Simon look similar to MD5? Sure, it includes a few more rotates and fewer additions, but it looks pretty close to one of MD5's F-functions. Or maybe RIPEMD.
Interestingly, it wouldn't take much to convert Simon into a Type-1 Feistel network of state size 256 bits (although I'd use Speck's key schedule). Even more interestingly, extended MD4 shows that it is harder to cryptanalyze double-branch hash functions than a single one. While obvious, the only difference between MD4 and extended MD4 is a different set of round constants, yet the cryptanalytic cost of a collision is 2^1 for MD4 and 2^37 for extended MD4, while a preimage is 2^107 for MD4 and 2^243 for extended MD4. This is despite the fact that, theoretically, two parallel hash functions should have cryptanalytic efficacy equal to the stronger of the two hash functions. Personally I'm in favor of a serial round function before a parallel round function to increase diffusion per cycle count in software. So maybe convert Simon into a Type-1 Feistel network for 32 rounds, and convert it to a Type-2 Feistel network for an additional 32 rounds. It would also have the benefit of increasing the difficulty of finding trails, as it is technically two different ciphers. Although I'm waiting for chosen-key cryptanalysis of Simon; it is, after all, meant to be implemented in RFID chips, which means very weak key generation.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
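The hybrid construction sketched in the post above, written out as an added example (it is not code from the original message, nor from the Simon/Speck designers): Simon's round function f(x) = (S^1 x & S^8 x) ^ S^2 x on 64-bit words, a four-branch 256-bit state, 32 Type-1 rounds followed by 32 Type-2 rounds, and round keys expanded with Speck's key schedule for 64-bit words (rotation amounts 8 and 3, as in Speck128, with four key words). The round counts, the assignment of round keys to branches, and the key and plaintext values are my assumptions, not anything the post specifies. It also goes one step beyond the post: a branch-level diffusion counter (treating F as always propagating a difference) shows why the author wants the Type-2 rounds, since the Type-1 network needs six rounds to touch every branch while Type-2 needs four.

```python
"""Simon's F inside Type-1 and Type-2 generalized Feistel networks on a
256-bit state, with a Speck-style key schedule.  Added example; the
cipher layout and all sample values are assumptions, not a published design."""
import random

WORD = 64
MASK = (1 << WORD) - 1
T1, T2 = 32, 32          # assumed: 32 Type-1 rounds, then 32 Type-2 rounds


def rotl(x, r):
    return ((x << r) | (x >> (WORD - r))) & MASK


def rotr(x, r):
    return ((x >> r) | (x << (WORD - r))) & MASK


def simon_f(x):
    """Simon's nonlinear round function: (S^1 x & S^8 x) ^ S^2 x."""
    return (rotl(x, 1) & rotl(x, 8)) ^ rotl(x, 2)


def speck_key_schedule(key_words, rounds, alpha=8, beta=3):
    """Speck's key schedule for 64-bit words (alpha=8, beta=3 as in Speck128):
    l[i+m-1] = (k[i] + S^-alpha l[i]) ^ i,  k[i+1] = S^beta k[i] ^ l[i+m-1]."""
    m = len(key_words)
    k, l = [key_words[0]], list(key_words[1:])
    for i in range(rounds - 1):
        l.append(((k[i] + rotr(l[i], alpha)) & MASK) ^ i)
        k.append(rotl(k[i], beta) ^ l[i + m - 1])
    return k


def type1_round(b, rk):
    """Type-1 GFN: one branch absorbs F of its neighbour, then rotate."""
    b0, b1, b2, b3 = b
    return (b1 ^ simon_f(b0) ^ rk[0], b2, b3, b0)


def type1_round_inv(b, rk):
    c0, c1, c2, c3 = b
    return (c3, c0 ^ simon_f(c3) ^ rk[0], c1, c2)


def type2_round(b, rk):
    """Type-2 GFN: two branches updated in parallel (two round keys), then rotate."""
    b0, b1, b2, b3 = b
    return (b1 ^ simon_f(b0) ^ rk[0], b2, b3 ^ simon_f(b2) ^ rk[1], b0)


def type2_round_inv(b, rk):
    c0, c1, c2, c3 = b
    return (c3, c0 ^ simon_f(c3) ^ rk[0], c1, c2 ^ simon_f(c1) ^ rk[1])


def expand(key_words):
    # assumed key assignment: one key per Type-1 round, two per Type-2 round
    ks = speck_key_schedule(key_words, T1 + 2 * T2)
    return [(ks[i],) for i in range(T1)] + \
           [(ks[T1 + 2 * j], ks[T1 + 2 * j + 1]) for j in range(T2)]


def encrypt(block, key_words):
    rks, b = expand(key_words), tuple(block)
    for i in range(T1):
        b = type1_round(b, rks[i])
    for j in range(T2):
        b = type2_round(b, rks[T1 + j])
    return b


def decrypt(block, key_words):
    rks, b = expand(key_words), tuple(block)
    for j in reversed(range(T2)):
        b = type2_round_inv(b, rks[T1 + j])
    for i in reversed(range(T1)):
        b = type1_round_inv(b, rks[i])
    return b


def branch_diffusion_rounds(kind, branches=4):
    """Worst-case rounds until a difference in one input branch has reached
    every output branch; truncated model where F always propagates a difference."""
    def step(d):
        if kind == 1:
            return [d[1] or d[0]] + d[2:] + [d[0]]
        out = d[:]
        for i in range(0, branches, 2):
            out[i + 1] = d[i + 1] or d[i]
        return out[1:] + out[:1]
    worst = 0
    for src in range(branches):
        d, r = [i == src for i in range(branches)], 0
        while not all(d):
            d, r = step(d), r + 1
        worst = max(worst, r)
    return worst


def avalanche(trials=16, seed=1):
    """Mean fraction of ciphertext bits flipped by a one-bit plaintext change
    over constructed random keys and plaintexts (seeded, so deterministic)."""
    rng, flipped = random.Random(seed), 0
    for _ in range(trials):
        key = [rng.getrandbits(WORD) for _ in range(4)]
        pt = [rng.getrandbits(WORD) for _ in range(4)]
        c0 = encrypt(pt, key)
        pt[rng.randrange(4)] ^= 1 << rng.randrange(WORD)
        flipped += sum(bin(a ^ b).count("1") for a, b in zip(c0, encrypt(pt, key)))
    return flipped / (trials * 4 * WORD)


if __name__ == "__main__":
    key = [0x0706050403020100, 0x0F0E0D0C0B0A0908,
           0x1716151413121110, 0x1F1E1D1C1B1A1918]      # constructed sample key
    pt = [0x6C61766975716520, 0x7469206564616D20,
           0x2065636E65707865, 0x2074616B6F6F6C20]      # constructed sample block
    ct = encrypt(pt, key)
    print("ciphertext:", [hex(w) for w in ct])
    print("round trip ok:", decrypt(ct, key) == tuple(pt))
    print("branch diffusion, Type-1:", branch_diffusion_rounds(1),
          "Type-2:", branch_diffusion_rounds(2))
    print("avalanche:", avalanche())
```

The branch-level count is the cheap, deterministic half of the "diffusion per round" argument: with four branches the Type-1 network updates one branch per round and needs six rounds before a difference in the worst-placed branch has touched every output branch, whereas Type-2 gets there in four. The bit-level avalanche figure for the full 64-round hybrid is empirical and should sit near 0.5; it is a sanity check on the round functions and key schedule, not a security argument.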