Cryptanalysis of Reduced-Round SPECK

SPECK, a family of lightweight block ciphers proposed by the National Security Agency (NSA), is widely used under resource constrained environment. There are many cryptanalytic results on SPECK concentrated on differential and linear attacks. However, the security evaluation against other popular cryptanalysis methods seems to lag behind. In this paper, we investigate both the security of SPECK against impossible differential, zero-correlation linear, and integral attacks as well as the design choice of NSA. First, we construct the satisfiability (SAT)-based model to automatically search impossible differentials and zero-correlation linear hulls and then obtain several integral distinguishers based on the links between the zero-correlation linear hull and integral distinguisher. Second, based on the new distinguishers, we propose the first zero-correlation attack on 11-round SPECK64 and integral attack on 11-round SPECK32, SPECK48, and SPECK64 by exploring the iterated expression of the modulo subtraction operation and utilizing the partial-sum technique. Finally, we study the design principle of the rotation parameters selection of SPECK32. We show that SPECK32 with parameters (8, 3) is better than SPECK32 with the original parameters (7, 2) with respect to security against impossible differential, zero-correlation linear and integral cryptanalysis.