[Cryptography] Lightweight goes Heavyweight: Simon 256, 256

dj at deadhat.com
Tue Jan 5 14:08:39 EST 2016


It's the new year, so 'tis the season to roll-your-own crypto.

We wanted a light(er)weight block cipher with a 256 bit block size and 256
bit key for a thing. Simon seemed like a good candidate.

The Simon papers give the following parameters for the different key and
block sizes:

Block Size 2n   Key Size mn   Word size n   Key words m   Const Seq   Rounds T
32              64            16            4             Z0          32
48              72            24            3             Z0          36
48              96            24            4             Z1          36
64              96            32            3             Z2          42
64              128           32            4             Z3          44
96              96            48            2             Z2          52
96              144           48            3             Z3          54
128             128           64            2             Z2          68
128             192           64            3             Z3          69
128             256           64            4             Z4          72

256,256 is missing:
256             256           ??            ?             ??          ??

After some fiddling and meddling, we came up with:
256             256           128           2             Z5          126

Where Z5 = w =
10000100101100111110001101110101000010010110011111000110111010100001001011001111100011011101010000100101100111110001101110101000
This was the only unused combination of patterns in the sequences (Z0-Z1
and the same XORed with 10101010... for Z3-Z5). It slots right in.

124 rounds was the minimum we were comfortable with. 126 rounds gives the
most unrolling factors 2, 3, 6, 7, 9, 12, 14, 21, 42 and 63. So we picked
126 rounds. 128 rounds was the second place contender, but running for a
couple of clocks less than an integer multiple of the number of bits in
the input word is a fine thing in hardware, giving a spare couple of
clocks for strobes, so 126 wins. The other parameters just drop out from
the spec.

Having done this, we thought it a good idea to publish the parameters and
suggest that these are the right parameters for this, so people could use
them or shoot holes in them. So here they are.
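As an added example (not code from the post or from the Simon authors), a generic Simon implementation parameterised by (n, m, z, T) and instantiated with the 256/256 set proposed above: n=128, m=2, Z5 exactly as given, T=126. It assumes the key is supplied as word pair (k0, k1) with k0 used in round 0, that Z5 is indexed from its leftmost bit, and that a block is the (x, y) word pair of the Simon paper; the key and plaintext values are constructed.

```python
# Added example: Simon with the 256/256 set proposed above (n=128, m=2, Z5, T=126).
# Z5 is the 128-bit string from the post, read left to right as z[0], z[1], ...
Z5 = ("1000010010110011111000110111010100001001011001111100011011101010"
      "0001001011001111100011011101010000100101100111110001101110101000")

class Simon:                                   # block 2n, key mn, T rounds
    def __init__(self, n, m, z, T):
        self.n, self.m, self.T = n, m, T
        self.mask = (1 << n) - 1
        self.z = [int(b) for b in z]
        self.c = self.mask ^ 3                 # c = 2^n - 4 from the spec
    def rol(self, x, r):                       # S^r, left circular shift
        return ((x << r) | (x >> (self.n - r))) & self.mask
    def ror(self, x, r):                       # S^-r, right circular shift
        return ((x >> r) | (x << (self.n - r))) & self.mask

    def expand_key(self, key_words):
        # Assumption: key_words = (k0, ..., k_{m-1}) and k0 is round 0's key.
        # For T=126, m=2 the index i never reaches 124, so the 128-bit Z5 is
        # never wrapped; the modulo only matters for the standard 62-bit z's.
        k = list(key_words)
        for i in range(self.T - self.m):
            tmp = self.ror(k[i + self.m - 1], 3)
            if self.m == 4:
                tmp ^= k[i + 1]
            tmp ^= self.ror(tmp, 1)
            k.append(self.c ^ self.z[i % len(self.z)] ^ k[i] ^ tmp)
        return k
    def f(self, x):                            # (S^1 x & S^8 x) ^ S^2 x
        return (self.rol(x, 1) & self.rol(x, 8)) ^ self.rol(x, 2)
    def encrypt(self, x, y, rk):               # block = (x, y), x = left word
        for i in range(self.T):
            x, y = y ^ self.f(x) ^ rk[i], x
        return x, y

    def decrypt(self, x, y, rk):               # same rounds, reverse order
        for i in reversed(range(self.T)):
            x, y = y, x ^ self.f(y) ^ rk[i]
        return x, y

SIMON_256_256 = Simon(n=128, m=2, z=Z5, T=126)
KEY = (0x0f0e0d0c0b0a09080706050403020100, 0x1f1e1d1c1b1a19181716151413121110)  # constructed
PT = (0x20696e2073616c656c6c6120756f7920, 0x2074696d6520696e2061206c6f6e6720)    # constructed

def roundtrip(key_words, block, cipher=SIMON_256_256):
    """Encrypt then decrypt one block; returns (ciphertext, recovered plaintext)."""
    rk = cipher.expand_key(key_words)
    ct = cipher.encrypt(*block, rk)
    return ct, cipher.decrypt(*ct, rk)

print(roundtrip(KEY, PT)[1] == PT)             # True: decryption inverts encryption
```

The class also takes the standard (n, m, z, T) rows of the table above, so the same code can be checked against the published Simon test vectors once the corresponding 62-bit z string is supplied.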
