[Resource Topic] 2018/680: Related-Tweakey Impossible Differential Attack on Reduced-Round Deoxys-BC-256

Welcome to the resource topic for 2018/680

Related-Tweakey Impossible Differential Attack on Reduced-Round Deoxys-BC-256

Authors: Rui Zong, Xiaoyang Dong, Xiaoyun Wang

Deoxys-BC is the internal tweakable block cipher of Deoxys, a third-round authenticated encryption candidate in the CAESAR competition. In this study, by adequately studying the tweakey schedule, we seek a six-round related-tweakey impossible distinguisher of Deoxys-BC-256, which is transformed from a 3.5-round single-key impossible distinguisher of AES by application of the mixed integer linear programming (MILP) method. We present a detailed description of this interesting transformation method and the MILP-modeling process. Based on this distinguisher, we mount a key-recovery attack on 10 (out of 14) rounds of Deoxys-BC-256. Compared to previous results, which are valid only when the key size is >204 and the tweak size is <52, our method can attack 10-round Deoxys-BC-256 as long as the key size is ≥174 and the tweak size is ≤82. For the popular setting in which the key size is 192 bits, we can attack one round more than previous works. This version gives the distinguisher and the attack differential following the description of the h permutation in the Deoxys document, instead of that in the Deoxys reference implementation in the SUPERCOP package, which the designers have confirmed to be wrong. Note that this work only gives a more accurate security evaluation and does not threaten the security of full-round Deoxys-BC-256.

ePrint: https://eprint.iacr.org/2018/680

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.