A Security Analysis of Deoxys and its Internal Tweakable Block Ciphers

In this article, we provide the first independent security analysis of Deoxys, a third-round authenticated encryption candidate of the CAESAR competition, and its internal tweakable block ciphers Deoxys-BC-256 and Deoxys-BC-384. We show that the related-tweakey differential bounds provided by the designers can be greatly improved thanks to a Mixed Integer Linear Programming (MILP) based search tool. In particular, we develop a new method to incorporate linear incompatibility in the MILP model. We use this tool to generate valid differential paths for reduced-round versions of Deoxys-BC-256 and Deoxys-BC-384, later combining them into broader boomerang or rectangle attacks. Here, we also develop a new MILP model which optimises the two paths by taking into account the effect of the ladder switch technique. Interestingly, since the tweak in Deoxys-BC provides extra input compared to a classical block cipher, we can even consider beyond-full-codebook attacks. As these primitives are based on the TWEAKEY framework, we further study how the security of the cipher is impacted when the tweak/key sizes are varied. All in all, we are able to attack 10 rounds of Deoxys-BC-256 (out of 14) and 13 rounds of Deoxys-BC-384 (out of 16). The extra rounds specified in Deoxys-BC to balance the tweak input (when compared to AES) seem to provide about the same security margin as AES-128. Finally, we analyse why the authenticated encryption modes of Deoxys mostly prevent our attacks on Deoxys-BC from applying to the authenticated encryption primitive.
