In this paper, we present some new observations on the branch number and study concrete differential analysis of SPEEDY. It is a new low-latency block cipher proposed at TCHES 2021. It employs SPS-type round function and consists of only 5/6/7 rounds. Since the iteration rounds are rather small so as to achieve ultra low-latency in encryption speed, it will be crucially important to analyze its security margin accurately. In this paper, we first propose a new notation of partition branch number which can describe the minimum number of active S-boxes for 2-round SPEEDY more accurately. An efficient algorithm to compute the value of partition branch number is also given. Then by extending the notation to higher-order partition branch number, we can obtain more accurate results of the minimum number of active S-boxes for 3–7 rounds. As a result, the maximum expected differential probabilities are significantly higher than the results estimated by designers. Based on this, we search for optimal differential characteristics of SPEEDY while considering the difference distribution table of S-box. We present examples of differential characteristics for 2–7 rounds. Furthermore, by utilizing the simple bit-permutation key schedule of SPEEDY, we can extend the differential trail search method and construct an efficient 6-round related-key differential trail with probability \(2^{-179.2}\). Based on it, we can present related-key differential attack on full round SPEEDY-7-192 with data complexity of \(2^{186.2}\) chosen-plaintexts and time complexity of \(2^{160.13}\) encryptions.

在本文中，我们提出了一些关于分支数的新观察，并研究了SPEEDY的具体微分分析。它是 TCHES 2021 上提出的一种新的低延迟分组密码。它采用SPS类型的轮函数，仅由 5/6/7 轮组成。由于迭代轮次相当小，才能实现超低延迟的加密速度，因此准确分析其安全裕度至关重要。在本文中，我们首先提出了一种新的分区分支数表示法，它可以更准确地描述 2 轮SPEEDY的活动 S 盒的最小数量。还给出了计算分区分支数值的有效算法。然后通过将表示法扩展到高阶分区分支数，我们可以获得 3-7 轮的最小活动 S 盒数量的更准确结果。因此，最大预期微分概率明显高于设计者估计的结果。在此基础上，我们在考虑S盒的差分分布表的同时，寻找SPEEDY的最优差分特性。我们提供 2-7 轮差异特征的示例。此外，通过利用SPEEDY的简单位排列密钥调度，我们可以扩展差分路径搜索方法并以概率\(2^{-179.2}\)构造高效的 6 轮相关密钥差分路径。在此基础上，我们可以对全轮SPEEDY-7-192提出相关密钥差分攻击，数据复杂度为\(2^{186.2}\)选择明文，时间复杂度为\(2^{160.13}\)加密。