Abstract

In this article, we provide the first independent security analysis of Deoxys, a third-round authenticated encryption candidate of the CAESAR competition, and its internal tweakable block ciphers Deoxys-BC-256 and Deoxys-BC-384. We show that the related-tweakey differential bounds provided by the designers can be greatly improved thanks to a Mixed Integer Linear Programming (MILP) based search tool. In particular, we develop a new method to incorporate linear incompatibility in the MILP model. We use this tool to generate valid differential paths for reduced-round versions of Deoxys-BC-256 and Deoxys-BC-384, later combining them into broader boomerang or rectangle attacks. Here, we also develop a new MILP model which optimises the two paths by taking into account the effect of the ladder switch technique. Interestingly, with the tweak in Deoxys-BC providing extra input as opposed to a classical block cipher, we can even consider beyond full-codebook attacks. As these primitives are based on the TWEAKEY framework, we further study how the security of the cipher is impacted when playing with the tweak/key sizes. All in all, we are able to attack 10 rounds of Deoxys-BC-256 (out of 14) and 13 rounds of Deoxys-BC-384 (out of 16). The extra rounds specified in Deoxys-BC to balance the tweak input (when compared to AES) seem to provide about the same security margin as AES-128. Finally we analyse why the authenticated encryption modes of Deoxys mostly prevent our attacks on Deoxys-BC to apply to the authenticated encryption primitive.

Highlights

  • Authenticated Encryption (AE) schemes are symmetric-key cryptographic algorithms that provide both confidentiality and authenticity of data in one single primitive

  • The recent growing interest in new AE schemes resulted in the launch in 2013 of CAESAR, a competition organised by the international cryptologic research community to identify a portfolio of authenticated ciphers that offer advantages over AES-Galois/Counter Mode (GCM) and are suitable for widespread adoption

  • With the recommended parameters given in [JNPS16], when instantiated with the Deoxys-BC-256 block cipher, the two AE modes lead to a 128-bit key version, while when using Deoxys-BC-384, they lead to a 256-bit key version (Deoxys-I-256-128 and Deoxys-II-256-128)


Summary

Introduction

Authenticated Encryption (AE) schemes are symmetric-key cryptographic algorithms that provide both confidentiality and authenticity of data in one single primitive. The TWEAKEY framework, on which Deoxys-BC is built, allows one to add a tweak of (almost) any length to a key-alternating block cipher and/or to extend the key space of the block cipher to (almost) any size: an n-bit block cipher using the framework takes a k-bit key and a t-bit tweak, and a dedicated tweakey schedule uses the (k + t)-bit tweakey to produce the n-bit round subtweakeys. This approach allows designers to claim full security of the tweakable block cipher, which in turn translates to the AE scheme when a provably secure authenticated encryption mode is employed. For Deoxys-BC-384, at least 22 S-boxes are active after 12 rounds. This led the designers to claim that “all versions of Deoxys-BC (used in Deoxys) have a security margin of at least four rounds and [are] highly resistant against related-key related-tweak attacks” [JNPS16].

Description of Deoxys and Deoxys-BC
Improved Security Bounds for Deoxys-BC
Brief Introduction of MILP for Differential Bound Search
Simple Application to Deoxys and Limitations
Incorporating Degrees of Freedom and Consumption
Overall Idea
Representing Degree Calculation in the MILP Model
Search Results and Discussion
Boomerang and Rectangle Attacks against Deoxys-BC
Brief Introduction of the Attack Framework
Search for Paths with High Probability
Boomerang Distinguisher of Deoxys-BC
Application to Deoxys-BC-384
Rectangle Attack with Key Recovery against 13-Round Deoxys-BC-384
Application to Deoxys-BC-256
Beyond full-codebook for tweakable block ciphers
Rectangle Attacks on Deoxys-BC
Impact on Deoxys Authenticated Encryption
Appendix B: Differential Paths and Boomerang Distinguishers