Cryptology ePrint Archive: Report 2018/680

Related-Tweakey Impossible Differential Attack on Reduced-Round Deoxys-BC-256

Rui Zong and Xiaoyang Dong and Xiaoyun Wang

Abstract: Deoxys-BC is the internal tweakable block cipher of Deoxys, a third-round authenticated encryption candidate at the CAESAR competition. In this study, by adequately studying the tweakey schedule, we seek a six-round related-tweakey impossible distinguisher of Deoxys-BC-256, which is transformed from a 3.5-round single-key impossible distinguisher of AES, by application of the mixed integer linear programming (MILP) method. We present a detailed description of this interesting transformation method and the MILP-modeling process.

Based on this distinguisher, we mount a key-recovery attack on 10 (out of 14) rounds of Deoxys-BC-256. Compared to previous results that are valid only when the key size $>204$ and the tweak size $<52$, our method can attack 10-round Deoxys-BC-256 as long as the key size $\geq174$ and the tweak size $\leq82$. For the popular setting in which the key size is 192 bits, we can attack one round more than previous works.

This version gives the distinguisher and the attack differential following the description of the $h$ permutation in the Deoxys document, rather than the one in the Deoxys reference implementation in the SUPERCOP package, which the designers have confirmed is wrong.

Note that this work only gives a more accurate security evaluation and does not threaten the security of full-round Deoxys-BC-256.

Category / Keywords: related-tweakey impossible differential attack, tweakable block cipher, Deoxys-BC-256, tweakey schedule, MILP

Original Publication (with major differences): SCIENCE CHINA Information Sciences

Date: received 16 Jul 2018, last revised 6 Sep 2018

Contact author: zongrui3 at 163 com


Version: 20180906:160413
