Cryptology ePrint Archive: Report 2020/102

New Related-Tweakey Boomerang and Rectangle Attacks on Deoxys-BC Including BDT Effect

Boxin Zhao and Xiaoyang Dong and Keting Jia

Abstract: In the CAESAR competition, Deoxys-I and Deoxys-II are two important authenticated encryption schemes submitted by Jean et al. Recently, Deoxys-II together with Ascon, ACORN, AEGIS-128, OCB and COLM have been selected as the final CAESAR portfolio. Notably, Deoxys-II is also the primary choice for the use case ``Defense in depth''. However, Deoxys-I remains to be one of the third-round candidates of the CAESAR competition. Both Deoxys-I and Deoxys-II adopt Deoxys-BC-256 and Deoxys-BC-384 as their internal tweakable block ciphers.

In this paper, we investigate the security of round-reduced Deoxys-BC-256/-384 and Deoxys-I against the related-tweakey boomerang and rectangle attacks with some new boomerang distinguishers. For Deoxys-BC-256, we present 10-round related-tweakey boomerang and rectangle attacks for the popular setting $(|tweak|,|key|)=(128,128)$, which reach one more round than the previous attacks in this setting. Moreover, an 11-round related-tweakey rectangle attack on Deoxys-BC-256 is given for the first time. We also put forward a 13-round related-tweakey boomerang attack in the popular setting $(|tweak|,|key|)=(128,256)$ for Deoxys-BC-384, while the previous attacks in this setting only work for 12 rounds at most. In addition, the first 14-round related-tweakey rectangle attack on Deoxys-BC-384 is given when $(|tweak|<98,|key|>286)$, that attacks one more round than before. Besides, we give the first 10-round rectangle attack on the authenticated encryption mode Deoxys-I-128-128 with one more round than before, and we also reduce the complexity of the related-tweakey rectangle attack on 12-round Deoxys-I-256-128 by a factor of $2^{28}$. Our attacks can not be applied to (round-reduced) Deoxys-II.

Category / Keywords: secret-key cryptography / CAESAR, Deoxys-BC, Boomerang Attack, Rectangle Attack, TWEAKEY

Original Publication (in the same form): IACR-FSE-2020

Date: received 2 Feb 2020

Contact author: xiaoyangdong at tsinghua edu cn

Available format(s): PDF | BibTeX Citation

Version: 20200204:160956 (All versions of this report)

Short URL: ia.cr/2020/102


[ Cryptology ePrint archive ]