Distinguishing and Key-recovery Attacks against Wheesht

Wheesht is one of the candidates to the CAESAR competition. In this note we present several attacks on Wheesht, showing that it is far from the advertised security level of 256 bits. In particular we describe a distinguishing attack with $2^{70.3}$ known plaintext words for any number of rounds of Wheesht, and a key-recovery attack (recovering the encryption key) for versions of Wheesht with a single finalization round with very little data and time complexity $2^{192}$.

Data and Resources

Distinguishing and Key-recovery Attacks against WheeshtHTML
Explore
- More information
- Go to resource

Additional Info

Field	Value
Source	https://inria.hal.science/hal-00966346
Author	Canteaut, Anne, Leurent, Gaëtan
Maintainer	CCSD
Last Updated	May 5, 2026, 20:25 (UTC)
Created	May 5, 2026, 20:25 (UTC)
Identifier	hal-00966346
Language	en
Rights	https://about.hal.science/hal-authorisation-v1/
contributor	Security, Cryptology and Transmissions (SECRET) ; Inria Paris-Rocquencourt ; Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)
creator	Canteaut, Anne
date	2014-03-26T00:00:00
harvest_object_id	884f6817-69e8-460d-8686-d290deff2319
harvest_source_id	3374d638-d20b-4672-ba96-a23232d55657
harvest_source_title	test moissonnage SELUNE
metadata_modified	2025-02-26T00:00:00
set_spec	type:UNDEFINED