Simon is a family of lightweight block ciphers publicly released by the National Security Agency (NSA) in June 2013.[6][7]
The NSA began working on the Simon and Speck ciphers in 2011.
The agency anticipated some agencies in the US federal government would need a cipher that would operate well on a diverse collection of Internet of Things devices while maintaining an acceptable level of security.
The key length is n multiplied by 2, 3, or 4; this multiplier is the value m. A Simon cipher instance is therefore denoted Simon2n/nm.
For example, Simon64/128 refers to the cipher operating on a 64-bit plaintext block (n = 32) that uses a 128-bit key.
is used to determine the structure of the key expansion, resulting in a total bit width of
The key word expansion consists of a right shift, XOR and a constant sequence,
, is created by a Linear Feedback Shift Register (LFSR).
Which constant bit sequence is used is determined by the key and block sizes.
Once per round, the constant bit is applied to the lowest bit of a key word in order to add non-key-dependent entropy to the key schedule.
For decryption, the initial state of the LFSR varies with the round.
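As an added worked example of the key schedule and round function described above (written here from the published Simon specification; it is not code from the page or from NSA), the following Python class builds the round keys for any Simon2n/nm variant, XORing the round-indexed constant bit into the lowest bit of each new key word, and then encrypts and decrypts a block. The round counts and z sequences are the specification's published values.

```python
# Simon2n/nm key schedule and round function written from the published Simon
# specification (an added example, not NSA reference code); T and z_j follow its table.
# Constant sequences z0..z4: each comes from a 5-bit LFSR (z2..z4 also XORed with 0101...).
Z = [
    "11111010001001010110000111001101111101000100101011000011100110",
    "10001110111110010011000010110101000111011111001001100001011010",
    "10101111011100000011010010011000101000010001111110010110110011",
    "11011011101011000110010111100000010010001010011100110100001111",
    "11010001111001101011011000100000010111000011001010010011101111",
]
# (block bits 2n, key bits nm) -> (rounds T, index j of the constant sequence z_j)
PARAMS = {
    (32, 64): (32, 0), (48, 72): (36, 0), (48, 96): (36, 1), (64, 96): (42, 2),
    (64, 128): (44, 3), (96, 96): (52, 2), (96, 144): (54, 3),
    (128, 128): (68, 2), (128, 192): (69, 3), (128, 256): (72, 4),
}

class Simon:
    def __init__(self, block_bits, key_words):
        # key_words[0] is the first round key; m = len(key_words) is 2, 3 or 4
        self.n = block_bits // 2
        self.mask = (1 << self.n) - 1
        m = len(key_words)
        rounds, j = PARAMS[(block_bits, self.n * m)]
        c = self.mask ^ 3  # c = 2^n - 4: all ones except the two lowest bits
        k = list(key_words)
        for i in range(m, rounds):
            tmp = self.ror(k[i - 1], 3)
            if m == 4:
                tmp ^= k[i - 3]
            tmp ^= self.ror(tmp, 1)
            # the round counter selects z_j[(i-m) mod 62], which lands in the lowest bit
            k.append(c ^ int(Z[j][(i - m) % 62]) ^ k[i - m] ^ tmp)
        self.round_keys = k
    def rol(self, x, r):
        return ((x << r) | (x >> (self.n - r))) & self.mask
    def ror(self, x, r):
        return ((x >> r) | (x << (self.n - r))) & self.mask
    def f(self, x):  # Simon round function: (S^1 x & S^8 x) ^ S^2 x
        return (self.rol(x, 1) & self.rol(x, 8)) ^ self.rol(x, 2)
    def encrypt(self, x, y):  # Feistel step: (x, y) -> (y ^ f(x) ^ k_i, x)
        for rk in self.round_keys:
            x, y = y ^ self.f(x) ^ rk, x
        return x, y
    def decrypt(self, x, y):  # same steps with the round keys in reverse order
        for rk in reversed(self.round_keys):
            x, y = y, x ^ self.f(y) ^ rk
        return x, y
```

Constructing `Simon(64, [0x03020100, 0x0b0a0908, 0x13121110, 0x1b1a1918])` and encrypting `(0x656b696c, 0x20646e75)` reproduces the specification's Simon64/128 test vector `(0x44c8fc20, 0xb9dfa07a)`.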
The designers claim that Simon, though a "lightweight" cipher, is designed to have the full security possible for each block and key size, against standard chosen-plaintext (CPA) and chosen-ciphertext (CCA) attacks.
Due to interest in Simon and Speck, about 70 cryptanalysis papers have been published on them.[9]: 10
As is typical for iterated ciphers, reduced-round variants have been successfully attacked.[11][12][13][9]: 12
The design team states that while designing Simon, they found differential attacks to be the limiting attacks, i.e. the type of attack that makes it through the most rounds; they then set the number of rounds to leave a security margin similar to AES-128's, at approximately 30%.[14]
Ciphers with small security margins are more likely to be broken by future advances in cryptanalysis.
Simon's design team counters that there is a real-world cost to unnecessarily large security margins, especially on lightweight devices, that cryptanalysis during the design phase allowed the number of rounds to be set appropriately, and that they targeted AES's security margin.[9]: 17
Simon includes a round counter in the key schedule.
The designers state this was included to block slide and rotational cryptanalysis attacks.[9]: 16
Still, rotational-XOR cryptanalysis has been used to find distinguishers against reduced-round versions of related ciphers like Speck.
One of the authors has said that his research was resource-constrained and that rotational-XOR distinguishers on more rounds are probably possible.[10]: 8
The designers state that NSA cryptanalysis found the algorithms to have no weaknesses, and security commensurate with their key lengths.[8]: 2
The design team says that their cryptanalysis included linear and differential cryptanalysis using standard techniques such as Matsui's algorithm and SAT/SMT solvers, though a full list of techniques used is not given.[9]: 10
Simon's designers have been criticized for not providing more details on NSA cryptanalysis of the ciphers.[16]
The NSA has approved Simon128/256 and Speck128/256 for use in U.S. National Security Systems, though AES-256 is still recommended for non-constrained applications.[17]
Initial attempts to standardise Simon and Speck failed to reach the International Organization for Standardization (ISO) super-majority required by the process, and the ciphers were not adopted.[18][16]
Expert delegates to the ISO from several countries, including Germany, Japan and Israel, opposed the efforts by the NSA to standardise the Simon and Speck ciphers, citing concerns that the NSA is pushing for their standardisation with knowledge of exploitable weaknesses in the ciphers.
The position was based on partial evidence of weaknesses in the ciphers, lack of clear need for standardisation of the new ciphers, and the NSA's previous involvement in the creation and promotion of the backdoored Dual_EC_DRBG cryptographic algorithm.[19][20]
In response to these concerns, the NSA stated that more than 70 security analysis papers from some of the world's leading cryptographers support NSA's conclusion that the algorithms are secure, and affirmed that it is not aware of any cryptanalytic techniques that would allow it or anyone else to exploit Simon or Speck.