A Security Analysis of Deoxys and its Internal Tweakable Block Ciphers. / Cid, Carlos; Huang, Tao; Peyrin, Thomas; Sasaki, Yu; Song, Ling.

In: IACR Transactions on Symmetric Cryptology, Vol. 2017, No. 3, 19.09.2017, p. 73-107.

Research output: Contribution to journal › Article

Published

Harvard

Cid, C, Huang, T, Peyrin, T, Sasaki, Y & Song, L 2017, 'A Security Analysis of Deoxys and its Internal Tweakable Block Ciphers', IACR Transactions on Symmetric Cryptology, vol. 2017, no. 3, pp. 73-107. https://doi.org/10.13154/tosc.v2017.i3.73-107

APA

Cid, C., Huang, T., Peyrin, T., Sasaki, Y., & Song, L. (2017). A Security Analysis of Deoxys and its Internal Tweakable Block Ciphers. IACR Transactions on Symmetric Cryptology, 2017(3), 73-107. https://doi.org/10.13154/tosc.v2017.i3.73-107

Vancouver

Cid C, Huang T, Peyrin T, Sasaki Y, Song L. A Security Analysis of Deoxys and its Internal Tweakable Block Ciphers. IACR Transactions on Symmetric Cryptology. 2017 Sep 19;2017(3):73-107. https://doi.org/10.13154/tosc.v2017.i3.73-107

Author

Cid, Carlos ; Huang, Tao ; Peyrin, Thomas ; Sasaki, Yu ; Song, Ling. / A Security Analysis of Deoxys and its Internal Tweakable Block Ciphers. In: IACR Transactions on Symmetric Cryptology. 2017 ; Vol. 2017, No. 3. pp. 73-107.

BibTeX

@article{09c752ced7ae41409fa77980d4fe0228,
title = "A Security Analysis of Deoxys and its Internal Tweakable Block Ciphers",
abstract = "In this article, we provide the first independent security analysis of Deoxys, a third-round authenticated encryption candidate of the CAESAR competition, and its internal tweakable block ciphers Deoxys-BC-256 and Deoxys-BC-384. We show that the related-tweakey differential bounds provided by the designers can be greatly improved thanks to a Mixed Integer Linear Programming (MILP) based search tool. In particular, we develop a new method to incorporate linear incompatibility in the MILP model. We use this tool to generate valid differential paths for reduced-round versions of Deoxys-BC-256 and Deoxys-BC-384, later combining them into broader boomerang or rectangle attacks. Here, we also develop a new MILP model which optimises the two paths by taking into account the effect of the ladder switch technique. Interestingly, with the tweak in Deoxys-BC providing extra input as opposed to a classical block cipher, we can even consider beyond full-codebook attacks. As these primitives are based on the TWEAKEY framework, we further study how the security of the cipher is impacted when playing with the tweak/key sizes. All in all, we are able to attack 10 rounds of Deoxys-BC-256 (out of 14) and 13 rounds of Deoxys-BC-384 (out of 16). The extra rounds specified in Deoxys-BC to balance the tweak input (when compared to AES) seem to provide about the same security margin as AES-128. Finally we analyse why the authenticated encryption modes of Deoxys mostly prevent our attacks on Deoxys-BC to apply to the authenticated encryption primitive.",
author = "Carlos Cid and Tao Huang and Thomas Peyrin and Yu Sasaki and Ling Song",
year = "2017",
month = sep,
day = "19",
doi = "10.13154/tosc.v2017.i3.73-107",
language = "English",
volume = "2017",
pages = "73--107",
journal = "IACR Transactions on Symmetric Cryptology",
issn = "2519-173X",
publisher = "Ruhr-Universität Bochum",
number = "3",

}

RIS

TY - JOUR

T1 - A Security Analysis of Deoxys and its Internal Tweakable Block Ciphers

AU - Cid, Carlos

AU - Huang, Tao

AU - Peyrin, Thomas

AU - Sasaki, Yu

AU - Song, Ling

PY - 2017/9/19

Y1 - 2017/9/19

N2 - In this article, we provide the first independent security analysis of Deoxys, a third-round authenticated encryption candidate of the CAESAR competition, and its internal tweakable block ciphers Deoxys-BC-256 and Deoxys-BC-384. We show that the related-tweakey differential bounds provided by the designers can be greatly improved thanks to a Mixed Integer Linear Programming (MILP) based search tool. In particular, we develop a new method to incorporate linear incompatibility in the MILP model. We use this tool to generate valid differential paths for reduced-round versions of Deoxys-BC-256 and Deoxys-BC-384, later combining them into broader boomerang or rectangle attacks. Here, we also develop a new MILP model which optimises the two paths by taking into account the effect of the ladder switch technique. Interestingly, with the tweak in Deoxys-BC providing extra input as opposed to a classical block cipher, we can even consider beyond full-codebook attacks. As these primitives are based on the TWEAKEY framework, we further study how the security of the cipher is impacted when playing with the tweak/key sizes. All in all, we are able to attack 10 rounds of Deoxys-BC-256 (out of 14) and 13 rounds of Deoxys-BC-384 (out of 16). The extra rounds specified in Deoxys-BC to balance the tweak input (when compared to AES) seem to provide about the same security margin as AES-128. Finally we analyse why the authenticated encryption modes of Deoxys mostly prevent our attacks on Deoxys-BC to apply to the authenticated encryption primitive.

AB - In this article, we provide the first independent security analysis of Deoxys, a third-round authenticated encryption candidate of the CAESAR competition, and its internal tweakable block ciphers Deoxys-BC-256 and Deoxys-BC-384. We show that the related-tweakey differential bounds provided by the designers can be greatly improved thanks to a Mixed Integer Linear Programming (MILP) based search tool. In particular, we develop a new method to incorporate linear incompatibility in the MILP model. We use this tool to generate valid differential paths for reduced-round versions of Deoxys-BC-256 and Deoxys-BC-384, later combining them into broader boomerang or rectangle attacks. Here, we also develop a new MILP model which optimises the two paths by taking into account the effect of the ladder switch technique. Interestingly, with the tweak in Deoxys-BC providing extra input as opposed to a classical block cipher, we can even consider beyond full-codebook attacks. As these primitives are based on the TWEAKEY framework, we further study how the security of the cipher is impacted when playing with the tweak/key sizes. All in all, we are able to attack 10 rounds of Deoxys-BC-256 (out of 14) and 13 rounds of Deoxys-BC-384 (out of 16). The extra rounds specified in Deoxys-BC to balance the tweak input (when compared to AES) seem to provide about the same security margin as AES-128. Finally we analyse why the authenticated encryption modes of Deoxys mostly prevent our attacks on Deoxys-BC to apply to the authenticated encryption primitive.

U2 - 10.13154/tosc.v2017.i3.73-107

DO - 10.13154/tosc.v2017.i3.73-107

M3 - Article

VL - 2017

SP - 73

EP - 107

JO - IACR Transactions on Symmetric Cryptology

JF - IACR Transactions on Symmetric Cryptology

SN - 2519-173X

IS - 3

ER -