International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

New Related-Tweakey Boomerang and Rectangle Attacks on Deoxys-BC Including BDT Effect

Authors:
Boxin Zhao , Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Shandong, P.R. China; School of Cyber Science and Technology, Shandong University, Shandong, P.R. China
Xiaoyang Dong , Institute for Advanced Study, Tsinghua University, Beijing, P.R. China
Keting Jia , Department of Computer Science and Technology, Tsinghua University, Beijing, P.R. China
Download:
DOI: 10.13154/tosc.v2019.i3.121-151
URL: https://tosc.iacr.org/index.php/ToSC/article/view/8360
Search ePrint
Search Google
Abstract: In the CAESAR competition, Deoxys-I and Deoxys-II are two important authenticated encryption schemes submitted by Jean et al. Recently, Deoxys-II together with Ascon, ACORN, AEGIS-128, OCB and COLM have been selected as the final CAESAR portfolio. Notably, Deoxys-II is also the primary choice for the use case “Defense in depth”. However, Deoxys-I remains to be one of the third-round candidates of the CAESAR competition. Both Deoxys-I and Deoxys-II adopt Deoxys-BC-256 and Deoxys-BC-384 as their internal tweakable block ciphers.In this paper, we investigate the security of round-reduced Deoxys-BC-256/-384 and Deoxys-I against the related-tweakey boomerang and rectangle attacks with some new boomerang distinguishers. For Deoxys-BC-256, we present 10-round related-tweakey boomerang and rectangle attacks for the popular setting (|tweak|, |key|) = (128, 128), which reach one more round than the previous attacks in this setting. Moreover, an 11-round related-tweakey rectangle attack on Deoxys-BC-256 is given for the first time. We also put forward a 13-round related-tweakey boomerang attack in the popular setting (|tweak|, |key|) = (128, 256) for Deoxys-BC-384, while the previous attacks in this setting only work for 12 rounds at most. In addition, the first 14-round relatedtweakey rectangle attack on Deoxys-BC-384 is given when (|tweak| < 98, |key| > 286), that attacks one more round than before. Besides, we give the first 10-round rectangle attack on the authenticated encryption mode Deoxys-I-128-128 with one more round than before, and we also reduce the complexity of the related-tweakey rectangle attack on 12-round Deoxys-I-256-128 by a factor of 228. Our attacks can not be applied to (round-reduced) Deoxys-II.
Video from TOSC 2019
BibTeX
@article{tosc-2019-29946,
  title={New Related-Tweakey Boomerang and Rectangle Attacks on Deoxys-BC Including BDT Effect},
  journal={IACR Transactions on Symmetric Cryptology},
  publisher={Ruhr-Universität Bochum},
  volume={2019, Issue 3},
  pages={121-151},
  url={https://tosc.iacr.org/index.php/ToSC/article/view/8360},
  doi={10.13154/tosc.v2019.i3.121-151},
  author={Boxin Zhao and Xiaoyang Dong and Keting Jia},
  year=2019
}