[Resource Topic] 2022/612: Cryptanalysis of Reduced Round SPEEDY

Welcome to the resource topic for 2022/612

Title:
Cryptanalysis of Reduced Round SPEEDY

Authors: Raghvendra Rohit, Santanu Sarkar

Abstract:

SPEEDY is a family of ultra low latency block ciphers proposed by Leander, Moos, Moradi and Rasoolzadeh at TCHES 2021. Although the designers gave some differential/linear distinguishers for reduced rounds, a concrete cryptanalysis considering key recovery attacks on SPEEDY was completely missing. The latter is crucial to understand the security margin of designs like SPEEDY which typically use a low number of rounds to have low latency. In this work, we present the first third-party cryptanalysis of SPEEDY-$r$-192, where $r \in \{5, 6, 7\}$ is the number of rounds and 192 is the block and key size in bits. We identify cube distinguishers for 2 rounds with data complexities $2^{14}$ and $2^{13}$, while the differential/linear distinguishers provided by the designers have a complexity of $2^{39}$. Notably, we show that there are several such cube distinguishers, and thus, we then provide a generic description of them. We also investigate the structural properties of 13-dimensional cubes and give experimental evidence that the partial algebraic normal form of certain state bits after two rounds is always the same. Next, we utilize the 2 rounds distinguishers to mount a key recovery attack on 3 rounds SPEEDY. Our attack requires $2^{17.6}$ data, $2^{25.5}$ bits of memory and $2^{52.5}$ time. Our results show that the practical variant of SPEEDY, i.e., SPEEDY-5-192 has a security margin of only 2 rounds. We believe our work will bring new insights in understanding the security of SPEEDY.

ePrint: https://eprint.iacr.org/2022/612

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.