Paper 2020/309

Cryptanalysis Results on Spook

Patrick Derbez, Paul Huynh, Virginie Lallemand, María Naya-Plasencia, Léo Perrin, and André Schrottenloher


Spook is one of the 32 candidates that has made it to the second round of the NIST Lightweight Cryptography Standardization process, and is particularly interesting since it proposes differential side channel resistance. In this paper, we present practical distinguishers of the full 6-step version of the underlying permutations of Spook, namely Shadow-512 and Shadow-384, solving challenges proposed by the designers on the permutation. We also propose practical forgeries with 4-step Shadow for the S1P mode of operation in the nonce misuse scenario, which is allowed by the CIML2 security game considered by the authors. All the results presented in this paper have been implemented.

Available format(s)
Secret-key cryptography
Publication info
Published by the IACR in CRYPTO 2020
dedicated cryptanalysisdifferential attacksimplemented attacksSpookround constantslightweight primitivesdistinguisherforgery
Contact author(s)
patrick derbez @ irisa fr
paul huynh @ loria fr
virginie lallemand @ loria fr
maria naya_plasencia @ inria fr
leo perrin @ inria fr
andre schrottenloher @ inria fr
2020-06-08: revised
2020-03-12: received
See all versions
Short URL
Creative Commons Attribution


      author = {Patrick Derbez and Paul Huynh and Virginie Lallemand and María Naya-Plasencia and Léo Perrin and André Schrottenloher},
      title = {Cryptanalysis Results on Spook},
      howpublished = {Cryptology ePrint Archive, Paper 2020/309},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.