Abstract
We present the Deoxys family of authenticated encryption schemes, which consists of Deoxys-I and Deoxys-II. Both are nonce-based authenticated encryption schemes with associated data and have either 128- or 256-bit keys. Deoxys-I is similar to OCB: It is single-pass but insecure when nonces are repeated; in contrast, Deoxys-II is nonce-misuse resistant. Deoxys-II was selected as first choice in the final portfolio of the CAESAR competition for the defense-in-depth category. Deoxys uses a new family of tweakable block ciphers as internal primitive, Deoxys-TBC, which follows the TWEAKEY framework (Jean, Nikolić, and Peyrin, ASIACRYPT 2014) and relies on the AES round function. Our benchmarks indicate that Deoxys does not sacrifice efficiency for security and performs very well both in software (e.g., Deoxys-I efficiency is similar to AES-GCM) and hardware.
Notes
Albeit at the cost of a stronger security assumption on the primitive.
We assume that \(\mathsf {Rand}\) returns the same output if a query is repeated.
Tags can be truncated to \(\tau < n\) bits, but we recommend using \(\tau = n\).
Tweak separation is only required in order to combine CTRT with a PRF also based on E through NSIV.
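The abstract draws the line between Deoxys-I (single-pass, broken under nonce repetition) and Deoxys-II (nonce-misuse resistant), and the note above recommends a full-length tag. The following is an added toy example, not code from the paper and not an implementation of Deoxys-TBC, CTRT or NSIV: it stands a generic nonce-based AE (keystream derived from the nonce alone, the OCB/Deoxys-I contract) next to a generic SIV-style AE (tag computed first over nonce, associated data and message, then used as the IV, the Deoxys-II contract). HMAC-SHA256 is assumed as the keyed PRF, tags are kept at 16 bytes, and the key, nonce and messages are constructed sample inputs.

```python
"""Toy illustration of the nonce-misuse difference described in the abstract.

Added example: generic nonce-based AE vs generic SIV-style AE, with HMAC-SHA256
standing in for the keyed PRF. This is NOT Deoxys-TBC, CTRT or NSIV.
"""
import hashlib
import hmac

TAG_LEN = 16  # bytes; full-length tag, as the notes recommend (tau = n)


def _encode(*parts: bytes) -> bytes:
    """Length-prefix every part so (nonce, ad, msg) boundaries cannot be shifted."""
    return b"".join(len(p).to_bytes(8, "big") + p for p in parts)


def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """Keyed PRF with domain separation by label, truncated to TAG_LEN bytes."""
    return hmac.new(key, _encode(label, data), hashlib.sha256).digest()[:TAG_LEN]


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream: concatenated PRF(iv || counter) blocks."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += _prf(key, b"ctr", iv + ctr.to_bytes(8, "big"))
        ctr += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def nonce_based_encrypt(key: bytes, nonce: bytes, ad: bytes, msg: bytes):
    """Nonce-respecting AE: the keystream depends on the nonce only, so a repeated
    nonce reuses the keystream (the Deoxys-I / OCB failure mode)."""
    ct = _xor(msg, _keystream(key, nonce, len(msg)))
    tag = _prf(key, b"tag", _encode(nonce, ad, ct))
    return ct, tag


def siv_encrypt(key: bytes, nonce: bytes, ad: bytes, msg: bytes):
    """SIV-style AE: the tag is a PRF of (nonce, ad, msg) and is used as the IV, so
    the keystream changes whenever any input changes (misuse resistance)."""
    tag = _prf(key, b"siv", _encode(nonce, ad, msg))
    ct = _xor(msg, _keystream(key, tag, len(msg)))
    return ct, tag


def siv_decrypt(key: bytes, nonce: bytes, ad: bytes, ct: bytes, tag: bytes):
    """Decrypt, recompute the tag, and release plaintext only after verification."""
    msg = _xor(ct, _keystream(key, tag, len(ct)))
    expected = _prf(key, b"siv", _encode(nonce, ad, msg))
    if not hmac.compare_digest(expected, tag):
        return None  # never release unverified plaintext
    return msg


def nonce_reuse_leaks_xor(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bool:
    """True when two ciphertexts under one nonce reveal m1 XOR m2 (keystream cancels)."""
    c1, _ = nonce_based_encrypt(key, nonce, b"", m1)
    c2, _ = nonce_based_encrypt(key, nonce, b"", m2)
    return _xor(c1, c2) == _xor(m1, m2)


def siv_reuse_leaks_xor(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bool:
    """Same probe for the SIV-style scheme: distinct tags give distinct keystreams."""
    c1, _ = siv_encrypt(key, nonce, b"", m1)
    c2, _ = siv_encrypt(key, nonce, b"", m2)
    return _xor(c1, c2) == _xor(m1, m2)


if __name__ == "__main__":
    key = bytes(range(32))      # constructed sample key
    nonce = b"\x00" * 16        # deliberately reused nonce
    m1 = b"attack at dawn!!"    # constructed sample messages
    m2 = b"retreat at noon!"
    print("nonce-based AE leaks m1^m2 under nonce reuse:", nonce_reuse_leaks_xor(key, nonce, m1, m2))
    print("SIV-style AE leaks m1^m2 under nonce reuse:  ", siv_reuse_leaks_xor(key, nonce, m1, m2))
```

What the SIV-style scheme still reveals under nonce reuse is equality: encrypting the same (nonce, ad, msg) twice yields the same (ct, tag), which is the best achievable for a deterministic scheme. The cost is the second pass over the message and the decrypt-then-verify order, which is why `siv_decrypt` must not hand out plaintext before `compare_digest` succeeds.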
References
M.R. Albrecht, K.G. Paterson, G.J. Watson, Plaintext recovery attacks against SSH, in 2009 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2009), pp. 16–26
N.J. AlFardan, K.G. Paterson, Lucky thirteen: Breaking the TLS and DTLS record protocols, in 2013 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2013), pp. 526–540
E. Andreeva, A. Bogdanov, N. Datta, A. Luykx, B. Mennink, M. Nandi, E. Tischhauser, K. Yasuda, COLM v1. Submission to the CAESAR competition (2015)
E. Andreeva, A. Bogdanov, A. Luykx, B. Mennink, N. Mouha, K. Yasuda, How to securely release unverified plaintext in authenticated encryption, in P. Sarkar and T. Iwata, editors, ASIACRYPT 2014, Part I, volume 8873 of LNCS (Springer, Heidelberg, 2014), pp. 105–125
C. Beierle, J. Jean, S. Kölbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, S.M. Sim, The SKINNY family of block ciphers and its low-latency variant MANTIS, in M. Robshaw and J. Katz, editors, CRYPTO 2016, Part II, volume 9815 of LNCS (Springer, Heidelberg, 2016), pp. 123–153
M. Bellare, A. Desai, E. Jokipii, P. Rogaway, A concrete security treatment of symmetric encryption, in 38th FOCS (IEEE Computer Society Press, 1997), pp. 394–403
M. Bellare, C. Namprempre, Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, in T. Okamoto, editor, ASIACRYPT 2000, volume 1976 of LNCS (Springer, Heidelberg, 2000), pp. 531–545
E. Biham, O. Dunkelman, N. Keller, The rectangle attack—rectangling the Serpent, in B. Pfitzmann, editor, EUROCRYPT 2001, volume 2045 of LNCS (Springer, Heidelberg, 2001), pp. 340–357
E. Biham, O. Dunkelman, N. Keller, New results on boomerang and rectangle attacks, in J. Daemen and V. Rijmen, editors, FSE 2002, volume 2365 of LNCS (Springer, Heidelberg, 2002), pp. 1–16
B. Bilgin, A. Bogdanov, M. Knežević, F. Mendel, Q. Wang, Fides: Lightweight authenticated cipher with side-channel resistance for constrained hardware, in G. Bertoni and J.-S. Coron, editors, CHES 2013, volume 8086 of LNCS (Springer, Heidelberg, 2013), pp. 142–158
A. Biryukov, D. Khovratovich, Related-key cryptanalysis of the full AES-192 and AES-256, in M. Matsui, editor, ASIACRYPT 2009, volume 5912 of LNCS (Springer, Heidelberg, 2009), pp. 1–18
A. Biryukov, D. Khovratovich, I. Nikolic, Distinguisher and related-key attack on the full AES-256, in S. Halevi, editor, CRYPTO 2009, volume 5677 of LNCS (Springer, Heidelberg, 2009), pp. 231–249
A. Biryukov, I. Nikolic, Automatic search for related-key differential characteristics in byte-oriented block ciphers: Application to AES, Camellia, Khazad and others, in H. Gilbert, editor, EUROCRYPT 2010, volume 6110 of LNCS (Springer, Heidelberg, 2010), pp. 322–344
A. Biryukov, I. Nikolic, Search for related-key differential characteristics in DES-like ciphers, in A. Joux, editor, FSE 2011, volume 6733 of LNCS (Springer, Heidelberg, 2011), pp. 18–34
A. Biryukov, D. Wagner, Slide attacks, in L. R. Knudsen, editor, FSE’99, volume 1636 of LNCS (Springer, Heidelberg, 1999), pp. 245–259
A. Bogdanov, F. Mendel, F. Regazzoni, V. Rijmen, E. Tischhauser, ALE: AES-based lightweight authenticated encryption, in S. Moriai, editor, FSE 2013, volume 8424 of LNCS (Springer, Heidelberg, 2014), pp. 447–466
C. Cid, T. Huang, T. Peyrin, Y. Sasaki, L. Song, A security analysis of Deoxys and its internal tweakable block ciphers. IACR Trans. Symm. Cryptol. 2017(3), 73–107 (2017)
C. Cid, T. Huang, T. Peyrin, Y. Sasaki, L. Song, Boomerang connectivity table: A new cryptanalysis tool, in J.B. Nielsen and V. Rijmen, editors, EUROCRYPT 2018, Part II, volume 10821 of LNCS (Springer, Heidelberg, 2018), pp. 683–714
B. Cogliati, J. Lee, Y. Seurin, New constructions of MACs from (tweakable) block ciphers. IACR Trans. Symm. Cryptol. 2017(2), 27–58 (2017)
George Mason University (GMU) Cryptographic Engineering Research Group, ATHENa: Automated Tools for Hardware EvaluatioN - Deoxys-I-128 implementation (2016). https://cryptography.gmu.edu/athena/
H. Demirci, A.A. Selçuk, A meet-in-the-middle attack on 8-round AES, in K. Nyberg, editor, FSE 2008, volume 5086 of LNCS (Springer, Heidelberg, 2008), pp. 116–126
P. Derbez, P.-A. Fouque, J. Jean, Faster chosen-key distinguishers on reduced-round AES, in S.D. Galbraith and M. Nandi, editors, INDOCRYPT 2012, volume 7668 of LNCS (Springer, Heidelberg, 2012), pp. 225–243
P. Derbez, P.-A. Fouque, J. Jean, Improved key recovery attacks on reduced-round AES in the single-key setting, in T. Johansson and P. Q. Nguyen, editors, EUROCRYPT 2013, volume 7881 of LNCS (Springer, Heidelberg, 2013), pp. 371–387
I. Dinur, J. Jean, Cryptanalysis of FIDES, in C. Cid and C. Rechberger, editors, FSE 2014, volume 8540 of LNCS (Springer, Heidelberg, 2015), pp. 224–240
C. Dobraunig, M. Eichlseder, F. Mendel, M. Schläffer, Ascon v1.2. Submission to Round 3 of the CAESAR competition (2016)
O. Dunkelman, N. Keller, A. Shamir, Improved single-key attacks on 8-round AES-192 and AES-256, in M. Abe, editor, ASIACRYPT 2010, volume 6477 of LNCS (Springer, Heidelberg, 2010), pp. 158–176
S. Emami, S. Ling, I. Nikolic, J. Pieprzyk, H. Wang, The resistance of PRESENT-80 against related-key differential attacks. Cryptogr. Commun. 6(3), 171–187 (2014)
E. Fleischmann, C. Forler, S. Lucks, McOE: A family of almost foolproof on-line authenticated encryption schemes, in A. Canteaut, editor, FSE 2012, volume 7549 of LNCS (Springer, Heidelberg, 2012), pp. 196–215
P.-A. Fouque, J. Jean, T. Peyrin, Structural evaluation of AES and chosen-key distinguisher of 9-round AES-128, in R. Canetti and J.A. Garay, editors, CRYPTO 2013, Part I, volume 8042 of LNCS (Springer, Heidelberg, 2013), pp. 183–203
K. Gaj, J. Kaps, V. Amirineni, M. Rogawski, E. Homsirikamol, B.Y. Brewster, ATHENa - Automated Tool for Hardware EvaluatioN: Toward Fair and Comprehensive Benchmarking of Cryptographic Hardware Using FPGAs, in International Conference on Field Programmable Logic and Applications - FPL 2010 (2010), pp. 414–421
H. Gilbert, T. Peyrin, Super-sbox cryptanalysis: Improved attacks for AES-like permutations, in S. Hong and T. Iwata, editors, FSE 2010, volume 6147 of LNCS (Springer, Heidelberg, 2010), pp. 365–383
S. Gueron, A. Langley, Y. Lindell, AES-GCM-SIV: Specification and Analysis. IACR Cryptology ePrint Archive, Report 2017/168, 2017. Available at http://eprint.iacr.org/2017/168
V. T. Hoang, T. Krovetz, P. Rogaway, Robust authenticated-encryption AEZ and the problem that it solves, in E. Oswald and M. Fischlin, editors, EUROCRYPT 2015, Part I, volume 9056 of LNCS (Springer, Heidelberg, 2015), pp. 15–44
T. Iwata, K. Minematsu, T. Peyrin, Y. Seurin, ZMAC: A fast tweakable block cipher mode for highly secure message authentication, in J. Katz and H. Shacham, editors, CRYPTO 2017, Part III, volume 10403 of LNCS (Springer, Heidelberg, 2017), pp. 34–65
J. Jean, M. Naya-Plasencia, T. Peyrin, Improved rebound attack on the finalist Grøstl, in A. Canteaut, editor, FSE 2012, volume 7549 of LNCS (Springer, Heidelberg, 2012), pp. 110–126
J. Jean, I. Nikolic, T. Peyrin, Tweaks and keys for block ciphers: The TWEAKEY framework, in P. Sarkar and T. Iwata, editors, ASIACRYPT 2014, Part II, volume 8874 of LNCS (Springer, Heidelberg, 2014), pp. 274–288
J. Jean, I. Nikolić, T. Peyrin, Y. Seurin, Deoxys v1.41. Submitted to CAESAR (October 2016)
J. Kelsey, T. Kohno, B. Schneier, Amplified boomerang attacks against reduced-round MARS and Serpent, in B. Schneier, editor, FSE 2000, volume 1978 of LNCS (Springer, Heidelberg, 2001), pp. 75–93
M. Khairallah, A. Chattopadhyay, T. Peyrin, Looting the LUTs: FPGA optimization of AES and AES-like ciphers for authenticated encryption, in A. Patra and N. P. Smart, editors, INDOCRYPT 2017, volume 10698 of LNCS (Springer, Heidelberg, 2017), pp. 282–301
D. Khovratovich, I. Nikolic, Rotational cryptanalysis of ARX, in S. Hong and T. Iwata, editors, FSE 2010, volume 6147 of LNCS (Springer, Heidelberg, 2010), pp. 333–346
D. Khovratovich, C. Rechberger, The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE, in T. Lange, K. Lauter, and P. Lisonek, editors, SAC 2013, volume 8282 of LNCS (Springer, Heidelberg, 2014), pp. 174–184
T. Kranz, G. Leander, F. Wiemer, Linear cryptanalysis: Key schedules and tweakable block ciphers. IACR Trans. Symm. Cryptol. 2017(1), 474–505 (2017)
H. Krawczyk, The order of encryption and authentication for protecting communications (or: How secure is SSL?), in J. Kilian, editor, CRYPTO 2001, volume 2139 of LNCS (Springer, Heidelberg, 2001), pp. 310–331
T. Krovetz, P. Rogaway, The software performance of authenticated-encryption modes, in A. Joux, editor, FSE 2011, volume 6733 of LNCS (Springer, Heidelberg, 2011), pp. 306–327
S. Kumar, J. Haj-Yahya, M. Khairallah, M.A. Elmohr, A. Chattopadhyay, A comprehensive performance analysis of hardware implementations of CAESAR candidates. Cryptology ePrint Archive, Report 2017/1261, 2017. https://eprint.iacr.org/2017/1261
R. Li, C. Jin, Meet-in-the-middle attacks on round-reduced tweakable block cipher Deoxys-BC. IET Inf. Secur. 13(1), 70–75 (2019)
M. Liskov, R.L. Rivest, D. Wagner, Tweakable block ciphers. J. Cryptol. 24(3), 588–613 (2011)
D. A. McGrew, J. Viega, The security and performance of the Galois/counter mode (GCM) of operation, in A. Canteaut and K. Viswanathan, editors, INDOCRYPT 2004, volume 3348 of LNCS (Springer, Heidelberg, 2004), pp. 343–355
K. Minematsu, Fast decryption: a new feature of misuse-resistant AE. IACR Trans. Symm. Cryptol. 2020(3), 87–118 (2020)
F. Moazami, A. Mehrdad, H. Soleimany, Impossible differential cryptanalysis on Deoxys-BC-256. ISeCure 10(2), 93–105 (2018)
N. Mouha, Q. Wang, D. Gu, B. Preneel, Differential and linear cryptanalysis using mixed-integer linear programming, in Information Security and Cryptology - Inscrypt 2011 (2011), pp. 57–76
C. Namprempre, P. Rogaway, T. Shrimpton, Reconsidering generic composition, in P. Q. Nguyen and E. Oswald, editors, EUROCRYPT 2014, volume 8441 of LNCS (Springer, Heidelberg, 2014), pp. 257–274
I. Nikolic, How to use metaheuristics for design of symmetric-key primitives, in T. Takagi and T. Peyrin, editors, ASIACRYPT 2017, Part III, volume 10626 of LNCS (Springer, Heidelberg, 2017), pp. 369–391
T. Peyrin, Improved differential attacks for ECHO and Grøstl, in T. Rabin, editor, CRYPTO 2010, volume 6223 of LNCS (Springer, Heidelberg, 2010), pp. 370–392
T. Peyrin, Y. Seurin, Counter-in-tweak: Authenticated encryption modes for tweakable block ciphers, in M. Robshaw and J. Katz, editors, CRYPTO 2016, Part I, volume 9814 of LNCS (Springer, Heidelberg, 2016), pp. 33–63
A. Poschmann, M. Stöttinger, Personal communication
A. Poschmann, M. Stöttinger, ATHENa: Automated Tools for Hardware EvaluatioN - Deoxys-I-128 implementation (2016). https://cryptography.gmu.edu/athena/
P. Rogaway, Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC, in P. J. Lee, editor, ASIACRYPT 2004, volume 3329 of LNCS (Springer, Heidelberg, 2004), pp. 16–31
P. Rogaway, Nonce-based symmetric encryption, in B. K. Roy and W. Meier, editors, FSE 2004, volume 3017 of LNCS (Springer, Heidelberg, 2004), pp. 348–359
P. Rogaway, T. Shrimpton, A provable-security treatment of the key-wrap problem, in S. Vaudenay, editor, EUROCRYPT 2006, volume 4004 of LNCS (Springer, Heidelberg, 2006), pp. 373–390
Y. Sasaki, Improved related-tweakey boomerang attacks on Deoxys-BC, in A. Joux, A. Nitaj, and T. Rachidi, editors, AFRICACRYPT 18, volume 10831 of LNCS (Springer, Heidelberg, 2018), pp. 87–106
S. Sun, L. Hu, P. Wang, K. Qiao, X. Ma, L. Song, Automatic security evaluation and (related-key) differential characteristic search: Application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers, in P. Sarkar and T. Iwata, editors, ASIACRYPT 2014, Part I, volume 8873 of LNCS (Springer, Heidelberg, 2014), pp. 158–178
S. Vaudenay, Security flaws induced by CBC padding—applications to SSL, IPSEC, WTLS, in L.R. Knudsen, editor, EUROCRYPT 2002, volume 2332 of LNCS (Springer, Heidelberg, 2002), pp. 534–546
Virtual Silicon Inc. 0.18 \(\mu \)m VIP Standard Cell Library Tape Out Ready, Part Number: UMCL18G212T3, Process: UMC Logic 0.18 \(\mu \)m Generic II Technology: 0.18\(\mu \)m, July 2004
D. Wagner, The boomerang attack, in L. R. Knudsen, editor, FSE’99, volume 1636 of LNCS (Springer, Heidelberg, 1999), pp. 156–170
H. Wang, T. Peyrin, Boomerang switch in multiple rounds. IACR Trans. Symm. Cryptol. 2019(1), 142–169 (2019)
H. Wu, Related-cipher attacks, in R. H. Deng, S. Qing, F. Bao, and J. Zhou, editors, ICICS 02, volume 2513 of LNCS (Springer, Heidelberg, 2002), pp. 447–455
H. Wu, ACORN v3. Submission to Round 3 of the CAESAR competition (2016)
H. Wu, AEGIS v1.1. Submission to Round 3 of the CAESAR competition (2016)
B. Zhao, X. Dong, K. Jia, New related-tweakey boomerang and rectangle attacks on Deoxys-BC including BDT effect. Cryptology ePrint Archive, Report 2020/102 (2020). https://eprint.iacr.org/2020/102
B. Zhao, X. Dong, K. Jia, W. Meier, Improved related-tweakey rectangle attacks on reduced-round Deoxys-BC-384 and Deoxys-I-256-128. Cryptology ePrint Archive, Report 2020/103 (2020). https://eprint.iacr.org/2020/103
Acknowledgements
We would like to thank the anonymous reviewer of the CAESAR committee for their helpful comments and suggestions, Tetsu Iwata, Guo Jian, Gaëtan Leurent, and Wang Lei for very fruitful discussion on authenticated encryption designs, Christof Beierle and Anne Canteaut for pointing out issues in our first general formulations of the bound on the number of active S-boxes coming from the subtweakeys schedule in the STK construction, and Axel Poschmann and Marc Stöttinger for their hardware implementations of Deoxys presented in Sect. 9. This work is supported by the Singapore National Research Foundation Fellowship 2012 (NRF-NRFF2012-06).
Additional information
Communicated by Tetsu Iwata.
Appendices
Appendix A: AES S-box and Constants
A.1 AES S-box and Its Inverse
We define here the AES S-box \({\mathcal {S}}\) and its inverse \({\mathcal {S}}^{-1}\), as an array where the value of \({\mathcal {S}}(x)\) can be found at the position x in the array (Tables 16, 17).
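Tables 16 and 17 are not reproduced on this page. The following added example (not a table or code from the paper) regenerates both arrays from the algebraic definition of the AES S-box, \({\mathcal {S}}(x) = A(x^{-1}) \oplus \mathtt{0x63}\), where the inverse is taken in \(\mathrm{GF}(2^8)\) modulo \(x^8 + x^4 + x^3 + x + 1\) and \(A\) is the fixed AES affine map. The check values used below (\({\mathcal {S}}(\mathtt{0x00}) = \mathtt{0x63}\), \({\mathcal {S}}(\mathtt{0x53}) = \mathtt{0xed}\), \({\mathcal {S}}(\mathtt{0xff}) = \mathtt{0x16}\)) are the standard FIPS-197 values; the helper names are this example's own.

```python
"""Regenerate the AES S-box and its inverse from their algebraic definition.

Added example, not a table from the paper: S(x) = A(inv(x)) ^ 0x63, with the
multiplicative inverse in GF(2^8) mod x^8 + x^4 + x^3 + x + 1 and inv(0) := 0.
"""

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements modulo the AES polynomial (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (Fermat); yields 0 for a = 0, the AES convention."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def affine(b: int) -> int:
    """AES affine map: out_i = b_i ^ b_{i+4} ^ b_{i+5} ^ b_{i+6} ^ b_{i+7} ^ c_i, c = 0x63."""
    out = 0
    for i in range(8):
        bit = (b >> i) ^ (b >> ((i + 4) % 8)) ^ (b >> ((i + 5) % 8)) \
            ^ (b >> ((i + 6) % 8)) ^ (b >> ((i + 7) % 8))
        out |= (bit & 1) << i
    return out ^ 0x63


def build_sbox():
    """Return (S, S_inv) as 256-entry lists indexed by the input byte."""
    sbox = [affine(gf_inv(x)) for x in range(256)]
    inv = [0] * 256
    for x, y in enumerate(sbox):
        inv[y] = x
    return sbox, inv


SBOX, INV_SBOX = build_sbox()


def is_involution_pair(s, s_inv) -> bool:
    """Sanity check: S is a permutation with no fixed points and S_inv undoes it."""
    return sorted(s) == list(range(256)) and all(s[x] != x for x in range(256)) \
        and all(s_inv[s[x]] == x for x in range(256))


def format_table(t) -> str:
    """Render a 256-entry array as the 16x16 hex grid used by Tables 16 and 17."""
    return "\n".join(" ".join(f"{t[r * 16 + c]:02x}" for c in range(16)) for r in range(16))


if __name__ == "__main__":
    print("S-box:")
    print(format_table(SBOX))
    print("\nInverse S-box:")
    print(format_table(INV_SBOX))
    print("\nconsistent:", is_involution_pair(SBOX, INV_SBOX))
```

Generating the tables this way also documents the properties an implementer relies on: the map is a bijection, has no fixed points, and the inverse table is obtained by transposition rather than by a second algebraic computation.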
A.2 RCON Constants
Table 18 gives the values of the constants RCON used in the tweakey scheduling algorithm of Deoxys-TBC.
Appendix B: Algorithmic Descriptions of the Deoxys Variants
B.1 Deoxys-I
B.2 Deoxys-AE1
B.3 Deoxys-II
B.4 Deoxys-AE2
Cite this article
Jean, J., Nikolić, I., Peyrin, T. et al. The Deoxys AEAD Family. J Cryptol 34, 31 (2021). https://doi.org/10.1007/s00145-021-09397-w