Cryptanalysis of SPEEDY

Jinliang Wang; Chao Niu; Qun Liu; Muzhou Li; Bart Preneel; Meiqin Wang

Paper 2023/612

Cryptanalysis of SPEEDY

Jinliang Wang, Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China, School of Cyber Science and Technology, Shandong University, Qingdao, China

Chao Niu, Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China, School of Cyber Science and Technology, Shandong University, Qingdao, China

Qun Liu, Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China, School of Cyber Science and Technology, Shandong University, Qingdao, China

Muzhou Li, Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China, School of Cyber Science and Technology, Shandong University, Qingdao, China

Bart Preneel, imec-COSIC, KU Leuven, Belgium

Meiqin Wang, Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China, School of Cyber Science and Technology, Shandong University, Qingdao, China, Quan Cheng Shandong Laboratory, Jinan, China

Abstract

SPEEDY is a family of ultra-lightweight block ciphers designed by Leander et al. at CHES 2021. There are three recommended variants denoted as SPEEDY-$r$-192 with $r$∈{5,6,7}. All of them support the 192-bit block and the 192-bit key. The main focus during its design is to ensure hardware-aware low latency, thus, whether it is designed to have enough security is worth to be studied. Recently, the full-round security of SPEEDY-7-192 is announced to be broken by Boura et al. at EUROCRYPT 2023 under the chosen-ciphertext setting, where a round-reduced attack on SPEEDY-6-192 is also proposed. However, no valid attack on SPEEDY-5-192 is given due to its more restricted security parameters. Up to now, the best key recovery attack on this variant only covers 3 rounds proposed by Rohit et al. at AFRICACRYPT 2022. In this paper, we give three full-round attacks on SPEEDY-7-192. Using the divide-and-conquer strategy and other new proposed techniques, we found a 5.5-round differential distinguisher which can be used to mount the first chosen-plaintext full-round key recovery attack. With a similar strategy, we also found a 5-round linear distinguisher which leads to the first full-round attack under the known-plaintext setting. Meanwhile, the 5.5-round differential distinguisher also helps us slightly improve the full-round attack in the chosen-ciphertext setting compared with the previous result. Besides, we also present a 4-round differential attack on SPEEDY-5-192, which is the best attack on this variant in terms of the number of rounds so far. A faster key recovery attack covering the same rounds is also given using a differential-linear distinguisher. Both attacks cannot threaten the full round security of SPEEDY-5-192.

Metadata

Available format(s): PDF
Category: Secret-key cryptography
Publication info: Published elsewhere. ACISP 2023
Keywords: Lightweight Cryptography Low Latency SPEEDY
Contact author(s): jinliangwang @ mail sdu edu cn
niuchao @ mail sdu edu cn
qunliu @ mail sdu edu cn
muzhouli @ mail sdu edu cn
Bart Preneel @ esat kuleuven be
mqwang @ sdu edu cn
History: 2023-05-01: approved; 2023-04-29: received; See all versions
Short URL: https://ia.cr/2023/612
License: CC BY

BibTeX

@misc{cryptoeprint:2023/612,
      author = {Jinliang Wang and Chao Niu and Qun Liu and Muzhou Li and Bart Preneel and Meiqin Wang},
      title = {Cryptanalysis of SPEEDY},
      howpublished = {Cryptology ePrint Archive, Paper 2023/612},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/612}},
      url = {https://eprint.iacr.org/2023/612}
}