Paper 2017/693

Cryptanalysis of Deoxys and its Internal Tweakable Block Ciphers

Carlos Cid, Tao Huang, Thomas Peyrin, Yu Sasaki, and Ling Song

Abstract

In this article, we provide the first independent security analysis of Deoxys, a third-round authenticated encryption candidate of the CAESAR competition, and its internal tweakable block ciphers Deoxys-BC-256 and Deoxys-BC-384. We show that the related-tweakey differential bounds provided by the designers can be greatly improved thanks to a MILP-based search tool. In particular, we develop a new method to incorporate linear incompatibility in the MILP model. We use this tool to generate valid differential paths for reduced-round versions of Deoxys-BC-256 and Deoxys-BC-384, later combining them into broader boomerang or rectangle attacks. Here, we also develop a new MILP model which optimises the two paths by taking into account the effect of the ladder switch technique. Interestingly, with the tweak in Deoxys-BC providing extra input as opposed to a classical block cipher, we can even consider beyond full-codebook attacks, and we analyse how our results can be improved in this setting. As these primitives are based on the TWEAKEY framework, we further study how the security of the cipher is impacted when playing with the tweak/key sizes. All in all, we are able to attack 10 rounds of Deoxys-BC-256 (out of 14) and 14 rounds of Deoxys-BC-384 (out of 16). The extra rounds specified in Deoxys-BC to balance the tweak input (when compared to AES) seem to provide about the same security margin as AES-128. Finally we analyse why the authenticated encryption modes of Deoxys mostly prevent our attacks on Deoxys-BC to apply to the authenticated encryption primitive.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published by the IACR in FSE 2018
Keywords
DeoxysAESauthenticated encryptionblock cipherdifferential cryptanalysisboomerang attackMILPlinear incompatibilityladder switch
Contact author(s)
thomas peyrin @ gmail com
History
2017-09-04: last of 2 revisions
2017-07-21: received
See all versions
Short URL
https://ia.cr/2017/693
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2017/693,
      author = {Carlos Cid and Tao Huang and Thomas Peyrin and Yu Sasaki and Ling Song},
      title = {Cryptanalysis of Deoxys and its Internal Tweakable Block Ciphers},
      howpublished = {Cryptology ePrint Archive, Paper 2017/693},
      year = {2017},
      note = {\url{https://eprint.iacr.org/2017/693}},
      url = {https://eprint.iacr.org/2017/693}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.