Improved Differential Cryptanalysis of SPEEDY

SPEEDY is a family of lightweight block ciphers designed by Leander et al. Several differential attacks have been reported on the SPEEDY variants. However, nearly all of these attacks are based on differential characteristics with probabilities that differ from their reported values. These discrepancies arise from incorrect calculations of the (key-averaged) probability, particularly in consecutive steps within one round without intermediate key addition. In this paper, we revisit all reported differential characteristics and accurately calculate their key-averaged probabilities using quasidifferential trails. We extend this to also estimate the fixed-key probability. Our analysis reveals several characteristics with zero or significantly altered probability, invalidating several proposed attacks. We further implement a search algorithm and find a 5.5-round differential distinguisher that can be used to mount a full-round key-recovery attack with a data complexity of 2 ¹⁸³ and a time complexity of 2 ¹⁸⁵. The memory complexity varies: in the chosen-plaintext setting, it is 2 ¹⁵⁶, whereas in the chosen-ciphertext setting, it is 2 ³⁶.