Paper 2023/612

Cryptanalysis of SPEEDY

Jinliang Wang, Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China, School of Cyber Science and Technology, Shandong University, Qingdao, China
Chao Niu, Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China, School of Cyber Science and Technology, Shandong University, Qingdao, China
Qun Liu, Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China, School of Cyber Science and Technology, Shandong University, Qingdao, China
Muzhou Li, Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China, School of Cyber Science and Technology, Shandong University, Qingdao, China
Bart Preneel, imec-COSIC, KU Leuven, Belgium
Meiqin Wang, Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China, School of Cyber Science and Technology, Shandong University, Qingdao, China, Quan Cheng Shandong Laboratory, Jinan, China
Abstract

SPEEDY is a family of ultra-lightweight block ciphers designed by Leander et al. at CHES 2021. There are three recommended variants denoted as SPEEDY-$r$-192 with $r$∈{5,6,7}. All of them support the 192-bit block and the 192-bit key. The main focus during its design is to ensure hardware-aware low latency, thus, whether it is designed to have enough security is worth to be studied. Recently, the full-round security of SPEEDY-7-192 is announced to be broken by Boura et al. at EUROCRYPT 2023 under the chosen-ciphertext setting, where a round-reduced attack on SPEEDY-6-192 is also proposed. However, no valid attack on SPEEDY-5-192 is given due to its more restricted security parameters. Up to now, the best key recovery attack on this variant only covers 3 rounds proposed by Rohit et al. at AFRICACRYPT 2022. In this paper, we give three full-round attacks on SPEEDY-7-192. Using the divide-and-conquer strategy and other new proposed techniques, we found a 5.5-round differential distinguisher which can be used to mount the first chosen-plaintext full-round key recovery attack. With a similar strategy, we also found a 5-round linear distinguisher which leads to the first full-round attack under the known-plaintext setting. Meanwhile, the 5.5-round differential distinguisher also helps us slightly improve the full-round attack in the chosen-ciphertext setting compared with the previous result. Besides, we also present a 4-round differential attack on SPEEDY-5-192, which is the best attack on this variant in terms of the number of rounds so far. A faster key recovery attack covering the same rounds is also given using a differential-linear distinguisher. Both attacks cannot threaten the full round security of SPEEDY-5-192.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. ACISP 2023
Keywords
Lightweight CryptographyLow LatencySPEEDY
Contact author(s)
jinliangwang @ mail sdu edu cn
niuchao @ mail sdu edu cn
qunliu @ mail sdu edu cn
muzhouli @ mail sdu edu cn
Bart Preneel @ esat kuleuven be
mqwang @ sdu edu cn
History
2023-05-01: approved
2023-04-29: received
See all versions
Short URL
https://ia.cr/2023/612
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2023/612,
      author = {Jinliang Wang and Chao Niu and Qun Liu and Muzhou Li and Bart Preneel and Meiqin Wang},
      title = {Cryptanalysis of {SPEEDY}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/612},
      year = {2023},
      url = {https://eprint.iacr.org/2023/612}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.