Abstract

In the CAESAR competition, Deoxys-I and Deoxys-II are two important authenticated encryption schemes submitted by Jean et al. Recently, Deoxys-II together with Ascon, ACORN, AEGIS-128, OCB and COLM have been selected as the final CAESAR portfolio. Notably, Deoxys-II is also the primary choice for the use case “Defense in depth”. Deoxys-I, however, remains one of the third-round candidates of the CAESAR competition. Both Deoxys-I and Deoxys-II adopt Deoxys-BC-256 and Deoxys-BC-384 as their internal tweakable block ciphers. In this paper, we investigate the security of round-reduced Deoxys-BC-256/-384 and Deoxys-I against the related-tweakey boomerang and rectangle attacks with some new boomerang distinguishers. For Deoxys-BC-256, we present 10-round related-tweakey boomerang and rectangle attacks for the popular setting (|tweak|, |key|) = (128, 128), which reach one more round than the previous attacks in this setting. Moreover, an 11-round related-tweakey rectangle attack on Deoxys-BC-256 is given for the first time. We also put forward a 13-round related-tweakey boomerang attack in the popular setting (|tweak|, |key|) = (128, 256) for Deoxys-BC-384, while the previous attacks in this setting only work for 12 rounds at most. In addition, the first 14-round related-tweakey rectangle attack on Deoxys-BC-384 is given when (|tweak| < 98, |key| > 286), which attacks one more round than before. Besides, we give the first 10-round rectangle attack on the authenticated encryption mode Deoxys-I-128-128 with one more round than before, and we also reduce the complexity of the related-tweakey rectangle attack on 12-round Deoxys-I-256-128 by a factor of $2^{28}$. Our attacks cannot be applied to (round-reduced) Deoxys-II.

Highlights

  • Authenticated encryption (AE) is a form of encryption algorithm providing confidentiality, integrity and authenticity assurances on messages

  • Cid et al. [CHP+17] introduced the first third-party analysis of Deoxys-BC at ToSC 2017. They proposed a new method to search for related-key boomerang trails with Mixed Integer Linear Programming (MILP) by incorporating linear incompatibility, and presented an 8-round and a 9-round related-tweakey boomerang distinguisher of Deoxys-BC-256 with probability $2^{-72}$ and $2^{-122}$, and a 10-round and an 11-round related-tweakey boomerang distinguisher of Deoxys-BC-384 with probability $2^{-84}$ and $2^{-120}$, respectively

  • The results show that the average probability of getting a right quartet for Deoxys-BC-256 is $2^{-12.4}$ and for Deoxys-BC-384 is 214, which verifies the correctness of our characteristics

Summary

Introduction

Authenticated encryption (AE) is a form of encryption algorithm providing confidentiality, integrity and authenticity assurances on messages. Cid et al. [CHP+17] introduced the first third-party analysis of Deoxys-BC at ToSC 2017. They proposed a new method to search for related-key boomerang trails with Mixed Integer Linear Programming (MILP) by incorporating linear incompatibility, and presented an 8-round and a 9-round related-tweakey boomerang distinguisher of Deoxys-BC-256 with probability $2^{-72}$ and $2^{-122}$, and a 10-round and an 11-round related-tweakey boomerang distinguisher of Deoxys-BC-384 with probability $2^{-84}$ and $2^{-120}$, respectively. Later, based on the related-key boomerang paths proposed in [CHP+17], Sasaki introduced improved boomerang attacks on reduced-round Deoxys-BC-256 and Deoxys-BC-384 with lower complexities in [Sas18]. The related-tweakey rectangle attack on 12-round Deoxys-BC-384 is introduced with $2^{115}$ chosen plaintexts, which can be applied to the AE mode Deoxys-I-256-128 as well. What’s more, we propose the first related-tweakey rectangle attacks on 14-round Deoxys-BC-384 with $2^{127}$ chosen plaintexts and $2^{286.2}$ encryptions. All three advantages help us to attack Deoxys-BC with lower time complexity.

Description of Deoxys and Deoxys-BC
The Boomerang and Rectangle Attacks
Related-tweakey Rectangle Attack
Guess the $m_b$ subtweakey bits involved in $E_b$:
Related-tweakey Boomerang Attack
Searching Truncated Differentials and Corresponding Characteristics
Advantages of the New Distinguishers
New Related-tweakey Boomerang Attacks on Round-Reduced Deoxys-BC
Related-tweakey Boomerang Attack on 10-Round Deoxys-BC-256
Related-tweakey Rectangle Attack on 10-round Deoxys-BC-256
Rectangle Attack on 11-Round Deoxys-BC-256
Related-tweakey Rectangle Attack on 12-round Deoxys-BC-384
Related-tweakey Rectangle Attack on 14-round Deoxys-BC-384
Nonce-Respecting Mode
Conclusion
Related-tweakey Boomerang Attack on 12-Round Deoxys-BC-384
Related-tweakey Boomerang Attack on 13-round Deoxys-BC-384