### Related-Tweakey Impossible Differential Attack on Reduced-Round Deoxys-BC-256

Rui Zong, Xiaoyang Dong, and Xiaoyun Wang

##### Abstract

Deoxys-BC is the internal tweakable block cipher of Deoxys, a third-round authenticated encryption candidate at the CAESAR competition. In this study, by carefully analysing the tweakey schedule, we find a six-round related-tweakey impossible distinguisher of Deoxys-BC-256, obtained by transforming a 3.5-round single-key impossible distinguisher of AES with the help of the mixed integer linear programming (MILP) method. We present a detailed description of this transformation method and of the MILP-modeling process. Based on this distinguisher, we mount a key-recovery attack on 10 (out of 14) rounds of Deoxys-BC-256. Compared to previous results, which are valid only when the key size is $>204$ bits and the tweak size is $<52$ bits, our method can attack 10-round Deoxys-BC-256 as long as the key size is $\geq174$ bits and the tweak size is $\leq82$ bits. For the popular setting in which the key size is 192 bits, we can attack one round more than previous works. This version gives the distinguisher and the attack differential following the description of the $h$ permutation in the Deoxys document rather than the one in the Deoxys reference implementation in the SUPERCOP package, which the designers have confirmed to be wrong. Note that this work only gives a more accurate security evaluation and does not threaten the security of full-round Deoxys-BC-256.
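The abstract rests on one property of the Deoxys-BC-256 tweakey schedule: the 256-bit tweakey is split into two 128-bit words, TK1 and TK2, that are updated each round by the same byte permutation $h$, but TK2 additionally passes each byte through a small LFSR. A difference placed in the same byte of both words therefore cancels in the subtweakey only in the rounds where the LFSR has cycled back to the right value, which is what a related-tweakey impossible differential exploits. The following script is an added illustration of that cancellation behaviour; it is not code from the paper or from the Deoxys designers. It assumes the LFSR2 map $(x_7\|\dots\|x_0)\mapsto(x_6\|\dots\|x_0\|x_7\oplus x_5)$ and a byte permutation transcribed from memory of the Deoxys document; because, as the abstract notes, the document and the SUPERCOP reference implementation disagree on $h$, the permutation constant must be checked against the document before any result that depends on byte positions is trusted. The rounds in which the subtweakey difference vanishes do not depend on $h$ at all, only on the LFSR, so those results hold whichever reading of $h$ is correct.

```python
"""Related-tweakey difference propagation through a TK2 tweakey schedule
of the Deoxys-BC-256 kind.

Added illustration, not the paper's or the designers' code. The LFSR and
the byte permutation below are assumptions (see comments).
"""

from typing import List, Tuple

# Byte permutation h applied to all 16 tweakey bytes every round, written as
# "the byte at position i moves to position H_PERM[i]".
# ASSUMPTION: transcribed from memory of the Deoxys document. The document and
# the SUPERCOP reference implementation disagree on h, so verify this constant
# (and its direction) against the document before using byte positions.
H_PERM: List[int] = [1, 6, 11, 12, 5, 10, 15, 0, 9, 14, 3, 4, 13, 2, 7, 8]


def lfsr2(x: int) -> int:
    """One step of the TK2 byte LFSR (assumed form):
    (x7,x6,...,x0) -> (x6,x5,...,x0, x7 ^ x5)."""
    return ((x << 1) & 0xFF) | (((x >> 7) ^ (x >> 5)) & 1)


def lfsr2_pow(x: int, n: int) -> int:
    """Apply lfsr2 n times."""
    for _ in range(n):
        x = lfsr2(x)
    return x


def lfsr2_period(x: int) -> int:
    """Orbit length of a byte value under lfsr2 (1 for the zero byte)."""
    if x == 0:
        return 1
    y, n = lfsr2(x), 1
    while y != x:
        y, n = lfsr2(y), n + 1
    return n


def apply_h(tk: List[int]) -> List[int]:
    """Permute the 16 bytes of a tweakey word with H_PERM."""
    out = [0] * 16
    for i, b in enumerate(tk):
        out[H_PERM[i]] = b
    return out


def subtweakey_differences(dtk1: List[int], dtk2: List[int],
                           n_stk: int) -> List[List[int]]:
    """Return [dSTK_0, ..., dSTK_{n_stk-1}] for input differences dTK1, dTK2.

    STK_i = TK1_i ^ TK2_i ^ RC_i, TK1_{i+1} = h(TK1_i),
    TK2_{i+1} = h(LFSR2(TK2_i)).  The round constant RC_i is the same for
    both tweakeys of a related-tweakey pair, so it cancels in the difference
    and is left out.
    """
    diffs, t1, t2 = [], list(dtk1), list(dtk2)
    for _ in range(n_stk):
        diffs.append([a ^ b for a, b in zip(t1, t2)])
        t1 = apply_h(t1)
        t2 = apply_h([lfsr2(b) for b in t2])
    return diffs


def cancellation_rounds(dtk1: List[int], dtk2: List[int], n_stk: int) -> List[int]:
    """Indices i for which dSTK_i is the all-zero difference."""
    return [i for i, d in enumerate(subtweakey_differences(dtk1, dtk2, n_stk))
            if not any(d)]


def cancelling_pair(pos: int, delta: int, k: int) -> Tuple[List[int], List[int]]:
    """Single-byte related-tweakey difference that cancels exactly in dSTK_k:
    put delta in TK2 and LFSR2^k(delta) in TK1 at the same byte position."""
    dtk1, dtk2 = [0] * 16, [0] * 16
    dtk2[pos] = delta
    dtk1[pos] = lfsr2_pow(delta, k)
    return dtk1, dtk2


def active_bytes(d: List[int]) -> int:
    """Number of non-zero bytes in a difference."""
    return sum(1 for b in d if b)


if __name__ == "__main__":
    # Constructed example: difference 0x01 in byte 0 of TK2, chosen so that
    # the subtweakey difference vanishes in STK_5 and again one LFSR period later.
    dtk1, dtk2 = cancelling_pair(pos=0, delta=0x01, k=5)
    print("LFSR2 period of 0x01:", lfsr2_period(0x01))
    print("cancelling subtweakeys over 64 STKs:", cancellation_rounds(dtk1, dtk2, 64))
    for i, d in enumerate(subtweakey_differences(dtk1, dtk2, 8)):
        print(f"dSTK_{i}: {active_bytes(d)} active byte(s):",
              " ".join(f"{b:02x}" for b in d))
```

The point for an attacker is visible in the output: between two cancellations every subtweakey carries exactly one active byte, so a six-round window can be chosen in which the cancellation sits where the AES-style impossible differential needs a difference-free round, and the key-size and tweak-size bounds quoted in the abstract come from how many of the remaining active bytes fall under key control.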

Publication info
Published elsewhere. MAJOR revision. SCIENCE CHINA Information Sciences
DOI
10.1007/s11432-017-9382-2
Keywords
related-tweakey impossible differential attack, tweakable block cipher, Deoxys-BC-256, tweakey schedule, MILP
Contact author(s)
zongrui3 @ 163 com
History
2018-09-06: revised
Short URL
https://ia.cr/2018/680

CC BY

BibTeX

@misc{cryptoeprint:2018/680,
author = {Rui Zong and Xiaoyang Dong and Xiaoyun Wang},
title = {Related-Tweakey Impossible Differential Attack on Reduced-Round Deoxys-BC-256},
howpublished = {Cryptology ePrint Archive, Paper 2018/680},
year = {2018},
doi = {10.1007/s11432-017-9382-2},
note = {\url{https://eprint.iacr.org/2018/680}},
url = {https://eprint.iacr.org/2018/680}
}
