Paper 2021/960

The SPEEDY Family of Block Ciphers - Engineering an Ultra Low-Latency Cipher from Gate Level for Secure Processor Architectures

Gregor Leander, Thorben Moos, Amir Moradi, and Shahram Rasoolzadeh


We introduce SPEEDY, a family of ultra low-latency block ciphers. We mix engineering expertise into each step of the cipher’s design process in order to create a secure encryption primitive with an extremely low latency in CMOS hardware. The centerpiece of our constructions is a high-speed 6-bit substitution box whose coordinate functions are realized as two-level NAND trees. In contrast to other low-latency block ciphers such as PRINCE, PRINCEv2, MANTIS and QARMA, we neither constrain ourselves by demanding decryption at low overhead, nor by requiring a super low area or energy. This freedom together with our gate- and transistor-level considerations allows us to create an ultra low-latency cipher which outperforms all known solutions in single-cycle encryption speed. Our main result, SPEEDY-6-192, is a6-round 192-bit block and 192-bit key cipher which can be executed faster in hardware than any other known encryption primitive (including Gimli in Even-Mansour scheme and the Orthros pseudorandom function) and offers 128-bit security. One round more, i.e., SPEEDY-7-192, provides full 192-bit security. SPEEDY primarily targets hardware security solutions embedded in high-end CPUs, where area and energy restrictions are secondary while high performance is the number one priority.

Available format(s)
Secret-key cryptography
Publication info
A minor revision of an IACR publication in TCHES 2021
Low-Latency CryptographyHigh-Speed EncryptionBlock Cipher
Contact author(s)
gregor leander @ rub de
thorben moos @ rub de
amir moradi @ rub de
shahram rasoolzadeh @ ru nl
2021-07-22: received
Short URL
Creative Commons Attribution


      author = {Gregor Leander and Thorben Moos and Amir Moradi and Shahram Rasoolzadeh},
      title = {The SPEEDY Family of Block Ciphers - Engineering an Ultra Low-Latency Cipher from Gate Level for Secure Processor Architectures},
      howpublished = {Cryptology ePrint Archive, Paper 2021/960},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.