Paper 2022/369

Matching Attacks on Romulus-M

Makoto Habu, Kazuhiko Minematsu, and Tetsu Iwata


This paper considers the problem of identifying matching attacks against Romulus-M, one of the ten finalists of the NIST Lightweight Cryptography standardization project. Romulus-M is provably secure, i.e., there is a theorem statement giving an upper bound on the success probability of attacking the scheme as a function of the adversary's resources. If there exists an attack that matches the provable security bound, then the attack is optimal, and the bound is tight in the sense that it cannot be improved. We show that the security bounds of Romulus-M are tight for a large class of parameters by presenting concrete matching attacks.

Secret-key cryptography
Publication info: Preprint. MINOR revision.
Keywords: Lightweight cryptography, Provable security, Romulus-M, Tightness, Matching attack
Contact author(s)
habu makoto @ f mbox nagoya-u ac jp
tetsu iwata @ nagoya-u jp
k-minematsu @ nec com
2022-03-22: received
Creative Commons Attribution


      author = {Makoto Habu and Kazuhiko Minematsu and Tetsu Iwata},
      title = {Matching Attacks on Romulus-M},
      howpublished = {Cryptology ePrint Archive, Paper 2022/369},
      year = {2022},
      note = {\url{}},
      url = {}