The NSA-designed Speck encryption algorithm will be removed in version 4.20 of the Linux kernel, only months after it was added in version 4.17 in June. The move comes after the International Standards Organization (ISO) rejected two of the NSA’s cryptographic designs, Simon and Speck, as untrustworthy.
How Speck Got Into Linux
Even though ISO rejected Speck months before the Linux kernel 4.17 was finished, the algorithm still landed in the kernel due primarily to Google's backing. The company said it wanted to use the Speck algorithm on Android Go devices that lacked AES encryption instructions, which come with the newer ARMv8 chips. In the developing markets, smartphone companies continue to sell sub-$100 phones with ARMv7 chips and no additional crypto processor.
It seems Google thought that the performance benefit of Speck outweighed the fact that it didn't have the same security guarantees as AES. In the cryptography world, choosing performance over a stronger and more secure algorithm is often considered a bad idea. This is especially true when those algorithms get to live on the devices for many years, thus increasing the chances that encryption that was weak from the start will be broken faster.
XChaCha - Faster and More Secure Than Speck
Google eventually chose to use the XChaCha algorithm for default storage encryption on lower-end Android smartphones. XChaCha is significantly faster than AES in software, but not quite as fast as hardware-accelerated AES encryption. The XChaCha algorithm is not completely new to Google, as the company had already implemented the original version of this algorithm, called ChaCha, in the Chrome browser as a fallback for devices that didn’t support AES crypto accelerators.
The XChaCha algorithm will be used in a construction called HPolyC. According to a Google engineer, this construction is actually faster than the Speck implementation. This makes one wonder why Google was in such a hurry to enable NSA's Speck in low-end smartphones sold in developing countries, when it could have looked to ChaCha from the beginning. ChaCha is a much more reputable and audited algorithm. It has the same security level as AES (unlike Speck) and, as it turns out, it even beats Speck's supposedly superior performance.
Why Speck Was Rejected By ISO
Both NSA-designed algorithms, Speck and Simon, were rejected by ISO because the NSA refused to provide certain technical details about their designs or answer certain questions about them. This is what ultimately led ISO to reject them as untrustworthy.
This wouldn’t be the first time the NSA had attempted to get software or hardware providers to include weakened or backdoored cryptographic algorithms in their products. In the 1990s the NSA tried to get all device makers to adopt the “Clipper Chip,” a crypto processor with a backdoor for the NSA, and forced browser vendors and other software providers to use weak encryption protocols via export restrictions and other government rules. Dan Bernstein, the inventor of the ChaCha algorithm that Google has now chosen for its low-end devices, was actually the one to sue the government and get those export restrictions on encryption invalidated.
Even though the Speck algorithm will be removed from the next version of the Linux kernel (4.20), it will continue to live within kernel versions 4.17, 4.18, and 4.19. Those who run systems using these kernels will need to check whether their default storage encryption uses the Speck algorithm.
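One way to run that check on a 4.17 to 4.19 system is sketched below. This is an added example, not code from the article or from the kernel project. It assumes the Speck build options start with `CONFIG_CRYPTO_SPECK` and that the kernel config is readable under `/boot`; the sample `/proc/crypto` records and the dm-crypt cipher name used with it are constructed.

```shell
#!/bin/sh
# Added example: three places a Linux host can reveal Speck. Each function
# reads a file argument or stdin, so it also works on copies from another host.

# 1. Algorithms registered with the kernel crypto API. /proc/crypto holds
#    "key : value" records separated by blank lines. Only loaded or
#    instantiated algorithms are listed, so an empty result is not proof
#    that the kernel cannot use Speck; check the build config as well.
speck_in_proc_crypto() {
    awk -F' *: *' '
        function emit() {
            if (tolower(name " " driver) ~ /speck/) print name, driver, module
            name = driver = module = ""
        }
        $1 == "name"   { name = $2 }
        $1 == "driver" { driver = $2 }
        $1 == "module" { module = $2 }
        /^[ \t]*$/     { emit() }
        END            { emit() }
    ' "${1:-/proc/crypto}"
}

# 2. Whether the kernel was built with Speck (=y built in, =m module).
speck_in_kernel_config() {
    grep -E '^CONFIG_CRYPTO_SPECK[A-Z0-9_]*=[ym]' "${1:-/boot/config-$(uname -r)}"
}

# 3. dm-crypt volumes whose cipher spec names Speck. Pipe in the output of
#    `dmsetup table --target crypt`: "<name>: <start> <len> crypt <cipher> ..."
speck_in_dmcrypt() {
    awk '$4 == "crypt" && tolower($5) ~ /speck/ { sub(/:$/, "", $1); print $1, $5 }'
}

# Constructed /proc/crypto sample (hypothetical host), used for a dry run.
SAMPLE_PROC_CRYPTO='name         : xts(speck128)
driver       : xts(ecb(speck128-generic))
module       : kernel

name         : aes
driver       : aes-generic
module       : kernel

name         : speck128
driver       : speck128-generic
module       : kernel'

printf '%s\n' "$SAMPLE_PROC_CRYPTO" | speck_in_proc_crypto -
```

On a live system, call `speck_in_proc_crypto` and `speck_in_kernel_config` with no arguments, and run `dmsetup table --target crypt | speck_in_dmcrypt` as root.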