The Deoxys AEAD family. (English) Zbl 1470.94091

Summary: We present the Deoxys family of authenticated encryption schemes, which consists of Deoxys-I and Deoxys-II. Both are nonce-based authenticated encryption schemes with associated data and have either 128- or 256-bit keys. Deoxys-I is similar to OCB: It is single-pass but insecure when nonces are repeated; in contrast, Deoxys-II is nonce-misuse resistant. Deoxys-II was selected as first choice in the final portfolio of the CAESAR competition for the defense-in-depth category. Deoxys uses a new family of tweakable block ciphers as internal primitive, Deoxys-TBC, which follows the TWEAKEY framework [J. Jean et al., Lect. Notes Comput. Sci. 8874, 274–288 (2014; Zbl 1317.94113)] and relies on the AES round function. Our benchmarks indicate that Deoxys does not sacrifice efficiency for security and performs very well both in software (e.g., Deoxys-I efficiency is similar to AES-GCM) and hardware.

MSC:

94A60 Cryptography
94A62 Authentication, digital signatures and secret sharing
68P25 Data encryption (aspects in computer science)

Citations:

Zbl 1317.94113

References:

[1] M.R. Albrecht, K.G. Paterson, G.J. Watson, Plaintext recovery attacks against SSH, in 2009 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2009), pp. 16-26
[2] N.J. AlFardan, K.G. Paterson, Lucky thirteen: Breaking the TLS and DTLS record protocols, in 2013 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2013), pp. 526-540
[3] E. Andreeva, A. Bogdanov, N. Datta, A. Luykx, B. Mennink, M. Nandi, E. Tischhauser, K. Yasuda COLM v1. Submission to the CAESAR competition (2015)
[4] E. Andreeva, A. Bogdanov, A. Luykx, B. Mennink, N. Mouha, K. Yasuda, How to securely release unverified plaintext in authenticated encryption, in P. Sarkar and T. Iwata, editors, ASIACRYPT 2014, Part I, volume 8873 of LNCS (Springer, Heidelberg, 2014), pp. 105-125 · Zbl 1306.94021
[5] C. Beierle, J. Jean, S. Kölbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, S.M. Sim, The SKINNY family of block ciphers and its low-latency variant MANTIS, in M. Robshaw and J. Katz, editors, CRYPTO 2016, Part II, volume 9815 of LNCS (Springer, Heidelberg, 2016), pp. 123-153 · Zbl 1372.94412
[6] M. Bellare, A. Desai, E. Jokipii, P. Rogaway, A concrete security treatment of symmetric encryption, in 38th FOCS (IEEE Computer Society Press, 1997), pp. 394-403
[7] M. Bellare, C. Namprempre, Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, in T. Okamoto, editor, ASIACRYPT 2000, volume 1976 of LNCS (Springer, Heidelberg, 2000), pp. 531-545 · Zbl 0973.68059
[8] E. Biham, O. Dunkelman, N. Keller, The rectangle attack—rectangling the Serpent, in B. Pfitzmann, editor, EUROCRYPT 2001, volume 2045 of LNCS (Springer, Heidelberg, 2001), pp. 340-357 · Zbl 0981.94017
[9] E. Biham, O. Dunkelman, N. Keller, New results on boomerang and rectangle attacks, in J. Daemen and V. Rijmen, editors, FSE 2002, volume 2365 of LNCS (Springer, Heidelberg, 2002), pp. 1-16 · Zbl 1045.94512
[10] B. Bilgin, A. Bogdanov, M. Knežević, F. Mendel, Q. Wang, Fides: Lightweight authenticated cipher with side-channel resistance for constrained hardware, in G. Bertoni and J.-S. Coron, editors, CHES 2013, volume 8086 of LNCS (Springer, Heidelberg, 2013), pp. 142-158 · Zbl 1353.94038
[11] A. Biryukov, D. Khovratovich, Related-key cryptanalysis of the full AES-192 and AES-256, in M. Matsui, editor, ASIACRYPT 2009, volume 5912 of LNCS (Springer, Heidelberg, 2009), pp. 1-18 · Zbl 1267.94041
[12] A. Biryukov, D. Khovratovich, I. Nikolic, Distinguisher and related-key attack on the full AES-256, in S. Halevi, editor, CRYPTO 2009, volume 5677 of LNCS (Springer, Heidelberg, 2009), pp. 231-249 · Zbl 1252.94051
[13] A. Biryukov, I. Nikolic, Automatic search for related-key differential characteristics in byte-oriented block ciphers: Application to AES, Camellia, Khazad and others, in H. Gilbert, editor, EUROCRYPT 2010, volume 6110 of LNCS (Springer, Heidelberg, 2010), pp. 322-344 · Zbl 1280.94041
[14] A. Biryukov, I. Nikolic, Search for related-key differential characteristics in DES-like ciphers, in A. Joux, editor, FSE 2011, volume 6733 of LNCS (Springer, Heidelberg, 2011), pp. 18-34 · Zbl 1282.94033
[15] A. Biryukov, D. Wagner, Slide attacks, in L. R. Knudsen, editor, FSE’99, volume 1636 of LNCS (Springer, Heidelberg, 1999), pp. 245-259 · Zbl 0942.94020
[16] A. Bogdanov, F. Mendel, F. Regazzoni, V. Rijmen, E. Tischhauser, ALE: AES-based lightweight authenticated encryption, in S. Moriai, editor, FSE 2013, volume 8424 of LNCS (Springer, Heidelberg, 2014), pp. 447-466 · Zbl 1321.94042
[17] C. Cid, T. Huang, T. Peyrin, Y. Sasaki, L. Song, A security analysis of Deoxys and its internal tweakable block ciphers, IACR Trans. Symm. Cryptol. 2017(3), 73-107 (2017)
[18] C. Cid, T. Huang, T. Peyrin, Y. Sasaki, L. Song, Boomerang connectivity table: A new cryptanalysis tool, in J.B. Nielsen and V. Rijmen, editors, EUROCRYPT 2018, Part II, volume 10821 of LNCS (Springer, Heidelberg, 2018), pp. 683-714 · Zbl 1428.94065
[19] B. Cogliati, J. Lee, Y. Seurin, New constructions of MACs from (tweakable) block ciphers, IACR Trans. Symm. Cryptol. 2017(2), 27-58 (2017)
[20] G. M. U. Cryptographic Engineering Research Group. ATHENa: Automated Tools for Hardware EvaluatioN - Deoxys-I-128 implementation, 2016. https://cryptography.gmu.edu/athena/.
[21] H. Demirci, A.A. Selçuk, A meet-in-the-middle attack on 8-round AES, in K. Nyberg, editor, FSE 2008, volume 5086 of LNCS (Springer, Heidelberg, 2008), pp. 116-126 · Zbl 1154.68391
[22] P. Derbez, P.-A. Fouque, J. Jean, Faster chosen-key distinguishers on reduced-round AES, in S.D. Galbraith and M. Nandi, editors, INDOCRYPT 2012, volume 7668 of LNCS (Springer, Heidelberg, 2012), pp. 225-243 · Zbl 1295.94051
[23] P. Derbez, P.-A. Fouque, J. Jean, Improved key recovery attacks on reduced-round AES in the single-key setting, in T. Johansson and P. Q. Nguyen, editors, EUROCRYPT 2013, volume 7881 of LNCS (Springer, Heidelberg, 2013), pp. 371-387 · Zbl 1306.94044
[24] I. Dinur, J. Jean, Cryptanalysis of FIDES, in C. Cid and C. Rechberger, editors, FSE 2014, volume 8540 of LNCS (Springer, Heidelberg, 2015), pp. 224-240 · Zbl 1382.94091
[25] C. Dobraunig, M. Eichlseder, F. Mendel, M. Schläffer, Ascon v1.2. Submission to Round 3 of the CAESAR competition (2016)
[26] O. Dunkelman, N. Keller, A. Shamir, Improved single-key attacks on 8-round AES-192 and AES-256, in M. Abe, editor, ASIACRYPT 2010, volume 6477 of LNCS (Springer, Heidelberg, 2010), pp. 158-176 · Zbl 1253.94045
[27] S. Emami, S. Ling, I. Nikolic, J. Pieprzyk, H. Wang, The resistance of PRESENT-80 against related-key differential attacks, Cryptogr. Commun. 6(3), 171-187 (2014) · Zbl 1291.94079
[28] E. Fleischmann, C. Forler, S. Lucks, McOE: A family of almost foolproof on-line authenticated encryption schemes, in A. Canteaut, editor, FSE 2012, volume 7549 of LNCS (Springer, Heidelberg, 2012), pp. 196-215 · Zbl 1312.94113
[29] P.-A. Fouque, J. Jean, T. Peyrin, Structural evaluation of AES and chosen-key distinguisher of 9-round AES-128, in R. Canetti and J.A. Garay, editors, CRYPTO 2013, Part I, volume 8042 of LNCS (Springer, Heidelberg, 2013), pp. 183-203 · Zbl 1310.94144
[30] K. Gaj, J. Kaps, V. Amirineni, M. Rogawski, E. Homsirikamol, B.Y. Brewster, ATHENa - Automated Tool for Hardware EvaluatioN: Toward fair and comprehensive benchmarking of cryptographic hardware using FPGAs, in International Conference on Field Programmable Logic and Applications - FPL 2010 (2010), pp. 414-421
[31] H. Gilbert, T. Peyrin, Super-sbox cryptanalysis: Improved attacks for AES-like permutations, in S. Hong and T. Iwata, editors, FSE 2010, volume 6147 of LNCS (Springer, Heidelberg, 2010), pp. 365-383 · Zbl 1279.94077
[32] S. Gueron, A. Langley, Y. Lindell, AES-GCM-SIV: Specification and Analysis. IACR Cryptology ePrint Archive, Report 2017/168, 2017. Available at http://eprint.iacr.org/2017/168
[33] V. T. Hoang, T. Krovetz, P. Rogaway, Robust authenticated-encryption AEZ and the problem that it solves, in E. Oswald and M. Fischlin, editors, EUROCRYPT 2015, Part I, volume 9056 of LNCS (Springer, Heidelberg, 2015), pp. 15-44 · Zbl 1365.94485
[34] T. Iwata, K. Minematsu, T. Peyrin, Y. Seurin, ZMAC: A fast tweakable block cipher mode for highly secure message authentication, in J. Katz and H. Shacham, editors, CRYPTO 2017, Part III, volume 10403 of LNCS (Springer, Heidelberg, 2017), pp. 34-65 · Zbl 1390.94845
[35] J. Jean, M. Naya-Plasencia, T. Peyrin, Improved rebound attack on the finalist Grøstl, in A. Canteaut, editor, FSE 2012, volume 7549 of LNCS (Springer, Heidelberg, 2012), pp. 110-126 · Zbl 1312.94062
[36] J. Jean, I. Nikolic, T. Peyrin, Tweaks and keys for block ciphers: The TWEAKEY framework, in P. Sarkar and T. Iwata, editors, ASIACRYPT 2014, Part II, volume 8874 of LNCS (Springer, Heidelberg, 2014), pp. 274-288 · Zbl 1317.94113
[37] J. Jean, I. Nikolić, T. Peyrin, Y. Seurin, Deoxys v1.41. Submitted to CAESAR (October 2016)
[38] J. Kelsey, T. Kohno, B. Schneier, Amplified boomerang attacks against reduced-round MARS and Serpent, in B. Schneier, editor, FSE 2000, volume 1978 of LNCS (Springer, Heidelberg, 2001), pp. 75-93 · Zbl 0994.68635
[39] M. Khairallah, A. Chattopadhyay, T. Peyrin, Looting the LUTs: FPGA optimization of AES and AES-like ciphers for authenticated encryption, in A. Patra and N. P. Smart, editors, INDOCRYPT 2017, volume 10698 of LNCS (Springer, Heidelberg, 2017), pp. 282-301 · Zbl 1421.94059
[40] D. Khovratovich, I. Nikolic, Rotational cryptanalysis of ARX, in S. Hong and T. Iwata, editors, FSE 2010, volume 6147 of LNCS (Springer, Heidelberg, 2010), pp. 333-346 · Zbl 1279.94092
[41] D. Khovratovich, C. Rechberger, The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE, in T. Lange, K. Lauter, and P. Lisonek, editors, SAC 2013, volume 8282 of LNCS (Springer, Heidelberg, 2014), pp. 174-184 · Zbl 1339.94077
[42] T. Kranz, G. Leander, F. Wiemer, Linear cryptanalysis: Key schedules and tweakable block ciphers, IACR Trans. Symm. Cryptol. 2017(1), 474-505 (2017)
[43] H. Krawczyk, The order of encryption and authentication for protecting communications (or: How secure is SSL?), in J. Kilian, editor, CRYPTO 2001, volume 2139 of LNCS (Springer, Heidelberg, 2001), pp. 310-331 · Zbl 1002.94529
[44] T. Krovetz, P. Rogaway, The software performance of authenticated-encryption modes, in A. Joux, editor, FSE 2011, volume 6733 of LNCS (Springer, Heidelberg, 2011), pp. 306-327 · Zbl 1307.94119
[45] S. Kumar, J. Haj-Yahya, M. Khairallah, M.A. Elmohr, A. Chattopadhyay, A comprehensive performance analysis of hardware implementations of CAESAR candidates. Cryptology ePrint Archive, Report 2017/1261, 2017. https://eprint.iacr.org/2017/1261
[46] R. Li, C. Jin, Meet-in-the-middle attacks on round-reduced tweakable block cipher Deoxys-BC, IET Inf. Secur. 13(1), 70-75 (2019)
[47] M. Liskov, R.L. Rivest, D. Wagner, Tweakable block ciphers, J. Cryptol. 24(3), 588-613 (2011) · Zbl 1258.94040
[48] D. A. McGrew, J. Viega, The security and performance of the Galois/counter mode (GCM) of operation, in A. Canteaut and K. Viswanathan, editors, INDOCRYPT 2004, volume 3348 of LNCS (Springer, Heidelberg, 2004), pp. 343-355 · Zbl 1113.94315
[49] K. Minematsu, Fast decryption: a new feature of misuse-resistant AE, IACR Trans. Symm. Cryptol. 2020(3), 87-118 (2020)
[50] F. Moazami, A. Mehrdad, H. Soleimany, Impossible differential cryptanalysis on Deoxys-BC-256, ISeCure 10(2), 93-105 (2018)
[51] N. Mouha, Q. Wang, D. Gu, B. Preneel, Differential and linear cryptanalysis using mixed-integer linear programming, in Information Security and Cryptology - Inscrypt 2011 (2011), pp. 57-76 · Zbl 1292.94118
[52] C. Namprempre, P. Rogaway, T. Shrimpton, Reconsidering generic composition, in P. Q. Nguyen and E. Oswald, editors, EUROCRYPT 2014, volume 8441 of LNCS (Springer, Heidelberg, 2014), pp. 257-274 · Zbl 1332.94092
[53] I. Nikolic, How to use metaheuristics for design of symmetric-key primitives, in T. Takagi and T. Peyrin, editors, ASIACRYPT 2017, Part III, volume 10626 of LNCS (Springer, Heidelberg, 2017), pp. 369-391 · Zbl 1417.94078
[54] T. Peyrin, Improved differential attacks for ECHO and Grøstl, in T. Rabin, editor, CRYPTO 2010, volume 6223 of LNCS (Springer, Heidelberg, 2010), pp. 370-392 · Zbl 1283.94081
[55] T. Peyrin, Y. Seurin, Counter-in-tweak: Authenticated encryption modes for tweakable block ciphers, in M. Robshaw and J. Katz, editors, CRYPTO 2016, Part I, volume 9814 of LNCS (Springer, Heidelberg, 2016), pp. 33-63 · Zbl 1351.94063
[56] A. Poschmann, M. Stöttinger, Personal communication
[57] A. Poschmann, M. Stöttinger, ATHENa: Automated Tools for Hardware EvaluatioN - Deoxys-I-128 implementation (2016). https://cryptography.gmu.edu/athena/
[58] P. Rogaway, Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC, in P. J. Lee, editor, ASIACRYPT 2004, volume 3329 of LNCS (Springer, Heidelberg, 2004), pp. 16-31 · Zbl 1094.94035
[59] P. Rogaway, Nonce-based symmetric encryption, in B. K. Roy and W. Meier, editors, FSE 2004, volume 3017 of LNCS (Springer, Heidelberg, 2004), pp. 348-359 · Zbl 1079.68559
[60] P. Rogaway, T. Shrimpton, A provable-security treatment of the key-wrap problem, in S. Vaudenay, editor, EUROCRYPT 2006, volume 4004 of LNCS (Springer, Heidelberg, 2006), pp. 373-390 · Zbl 1140.94369
[61] Y. Sasaki, Improved related-tweakey boomerang attacks on Deoxys-BC, in A. Joux, A. Nitaj, and T. Rachidi, editors, AFRICACRYPT 18, volume 10831 of LNCS (Springer, Heidelberg, 2018), pp. 87-106 · Zbl 1423.94101
[62] S. Sun, L. Hu, P. Wang, K. Qiao, X. Ma, L. Song, Automatic security evaluation and (related-key) differential characteristic search: Application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers, in P. Sarkar and T. Iwata, editors, ASIACRYPT 2014, Part I, volume 8873 of LNCS (Springer, Heidelberg, 2014), pp. 158-178 · Zbl 1306.94093
[63] S. Vaudenay, Security flaws induced by CBC padding—applications to SSL, IPSEC, WTLS, in L.R. Knudsen, editor, EUROCRYPT 2002, volume 2332 of LNCS (Springer, Heidelberg, 2002), pp. 534-546 · Zbl 1056.94517
[64] Virtual Silicon Inc., 0.18 µm VIP Standard Cell Library Tape Out Ready, Part Number: UMCL18G212T3, Process: UMC Logic 0.18 µm Generic II Technology: 0.18 µm, July 2004
[65] D. Wagner, The boomerang attack, in L. R. Knudsen, editor, FSE’99, volume 1636 of LNCS (Springer, Heidelberg, 1999), pp. 156-170 · Zbl 0942.94022
[66] H. Wang, T. Peyrin, Boomerang switch in multiple rounds, IACR Trans. Symm. Cryptol. 2019(1), 142-169 (2019)
[67] H. Wu, Related-cipher attacks, in R. H. Deng, S. Qing, F. Bao, and J. Zhou, editors, ICICS 02, volume 2513 of LNCS (Springer, Heidelberg, 2002), pp. 447-455 · Zbl 1023.94540
[68] H. Wu, ACORN v3. Submission to Round 3 of the CAESAR competition (2016)
[69] H. Wu, AEGIS v1.1. Submission to Round 3 of the CAESAR competition (2016)
[70] B. Zhao, X. Dong, K. Jia, New Related-Tweakey Boomerang and Rectangle Attacks on Deoxys-BC Including BDT Effect. Cryptology ePrint Archive, Report 2020/102, 2020. https://eprint.iacr.org/2020/102
[71] B. Zhao, X. Dong, K. Jia, W. Meier, Improved Related-Tweakey Rectangle Attacks on Reduced-round Deoxys-BC-384 and Deoxys-I-256-128. Cryptology ePrint Archive, Report 2020/103, 2020. https://eprint.iacr.org/2020/103 · Zbl 1456.94123