
The Deoxys AEAD Family

Journal of Cryptology

Abstract

We present the Deoxys family of authenticated encryption schemes, which consists of Deoxys-I and Deoxys-II. Both are nonce-based authenticated encryption schemes with associated data and have either 128- or 256-bit keys. Deoxys-I is similar to OCB: It is single-pass but insecure when nonces are repeated; in contrast, Deoxys-II is nonce-misuse resistant. Deoxys-II was selected as first choice in the final portfolio of the CAESAR competition for the defense-in-depth category. Deoxys uses a new family of tweakable block ciphers as internal primitive, Deoxys-TBC, which follows the TWEAKEY framework (Jean, Nikolić, and Peyrin, ASIACRYPT 2014) and relies on the AES round function. Our benchmarks indicate that Deoxys does not sacrifice efficiency for security and performs very well both in software (e.g., Deoxys-I efficiency is similar to AES-GCM) and hardware.




Notes

  1. https://competitions.cr.yp.to/caesar-submissions.html.

  2. Albeit at the cost of a stronger security assumption on the primitive.

  3. We assume that \(\mathsf {Rand}\) returns the same output if a query is repeated.

  4. Despite being one-pass, decryption makes two primitive calls per message block, as in SIV [60]. Misuse-resistant schemes with rate-1 decryption have recently been proposed [49].

  5. Tags can be truncated to \(\tau < n\) bits, but we recommend using \(\tau = n\).

  6. Tweak separation is only required in order to combine CTRT with a PRF also based on E through NSIV.

  7. The statement of the theorem in [19] mentions MAC-security, but the proof actually shows the stronger nPRM notion. Besides, queries to the first and second oracle are counted separately in [19]; we upper bound both of them by q.

  8. https://sites.google.com/view/deoxyscipher.

  9. https://bench.cr.yp.to/ebaead.html.

  10. https://cryptography.gmu.edu/athena.
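The NSIV composition that the abstract and Notes 4 and 6 refer to (a PRF over nonce, associated data and message yields the tag, which then drives the CTRT keystream), as an added model that is not the paper's Deoxys-II specification: the tweakable block cipher is a stand-in built from HMAC-SHA-256, and the tweak labels and padding rule are assumptions made for this model only. It shows why a repeated nonce reveals only whether the same (N, A, M) was encrypted before, and that decryption costs two primitive calls per message block.

```python
import hashlib
import hmac

BLOCK = 16


class TBCModel:
    """Stand-in for a tweakable block cipher E_K^T(x). Assumption: modelled by a
    keyed PRF, since PRF-then-CTRT only ever uses the forward direction."""

    def __init__(self, key):
        self.key = key
        self.calls = 0  # primitive-call counter, to check the decryption cost

    def enc(self, tweak, block):
        self.calls += 1
        return hmac.new(self.key, tweak + block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def padded_blocks(data):
    # Yield (index, block, padded); a short final block gets 10* padding and is
    # flagged so that it receives a different tweak label than a full block.
    for i in range(0, max(len(data), 1), BLOCK):
        chunk = data[i:i + BLOCK]
        short = len(chunk) < BLOCK
        yield i // BLOCK, chunk + b"\x80" * short + bytes(BLOCK - len(chunk) - short), short


def prf_tag(E, nonce, ad, msg):
    # Pass 1 of NSIV: a PRF over (N, A, M) built from the TBC, one call per
    # block. The tweak labels below are constructed for this model only.
    auth = bytes(BLOCK)
    for label, data in ((b"A", ad), (b"M", msg)):
        for i, blk, padded in padded_blocks(data):
            auth = xor(auth, E.enc((label.lower() if padded else label) + i.to_bytes(7, "big"), blk))
    return E.enc(b"T" + nonce, auth)


def ctrt(E, tag, nonce, data):
    # Pass 2: CTRT keystream. Tag and counter sit in the tweak, the nonce is
    # the block input; XOR with a short last chunk simply truncates the keystream.
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = E.enc(b"C" + tag + (i // BLOCK).to_bytes(8, "big"), nonce.ljust(BLOCK, b"\0"))
        out += xor(data[i:i + BLOCK], ks)
    return bytes(out)


def encrypt(E, nonce, ad, msg):
    tag = prf_tag(E, nonce, ad, msg)
    return ctrt(E, tag, nonce, msg), tag


def decrypt(E, nonce, ad, ct, tag):
    # One CTRT pass to recover M, then a full PRF recomputation to verify it:
    # two primitive calls per message block, which is the cost Note 4 describes.
    msg = ctrt(E, tag, nonce, ct)
    return msg if hmac.compare_digest(prf_tag(E, nonce, ad, msg), tag) else None
```

Reading `E.calls` before and after `decrypt` on a two-block message with one block of associated data gives six calls: two per message block plus one for the associated data and one for the final tag computation.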

References

  1. M.R. Albrecht, K.G. Paterson, G.J. Watson, Plaintext recovery attacks against SSH, in 2009 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2009), pp. 16–26

  2. N.J. AlFardan, K.G. Paterson, Lucky thirteen: Breaking the TLS and DTLS record protocols, in 2013 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2013), pp. 526–540

  3. E. Andreeva, A. Bogdanov, N. Datta, A. Luykx, B. Mennink, M. Nandi, E. Tischhauser, K. Yasuda, COLM v1. Submission to the CAESAR competition (2015)

  4. E. Andreeva, A. Bogdanov, A. Luykx, B. Mennink, N. Mouha, K. Yasuda, How to securely release unverified plaintext in authenticated encryption, in P. Sarkar and T. Iwata, editors, ASIACRYPT 2014, Part I, volume 8873 of LNCS (Springer, Heidelberg, 2014), pp. 105–125

  5. C. Beierle, J. Jean, S. Kölbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, S.M. Sim, The SKINNY family of block ciphers and its low-latency variant MANTIS, in M. Robshaw and J. Katz, editors, CRYPTO 2016, Part II, volume 9815 of LNCS (Springer, Heidelberg, 2016), pp. 123–153

  6. M. Bellare, A. Desai, E. Jokipii, P. Rogaway, A concrete security treatment of symmetric encryption, in 38th FOCS (IEEE Computer Society Press, 1997), pp. 394–403

  7. M. Bellare, C. Namprempre, Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, in T. Okamoto, editor, ASIACRYPT 2000, volume 1976 of LNCS (Springer, Heidelberg, 2000), pp. 531–545

  8. E. Biham, O. Dunkelman, N. Keller, The rectangle attack—rectangling the Serpent, in B. Pfitzmann, editor, EUROCRYPT 2001, volume 2045 of LNCS (Springer, Heidelberg, 2001), pp. 340–357

  9. E. Biham, O. Dunkelman, N. Keller, New results on boomerang and rectangle attacks, in J. Daemen and V. Rijmen, editors, FSE 2002, volume 2365 of LNCS (Springer, Heidelberg, 2002), pp. 1–16

  10. B. Bilgin, A. Bogdanov, M. Knežević, F. Mendel, Q. Wang, Fides: Lightweight authenticated cipher with side-channel resistance for constrained hardware, in G. Bertoni and J.-S. Coron, editors, CHES 2013, volume 8086 of LNCS (Springer, Heidelberg, 2013), pp. 142–158

  11. A. Biryukov, D. Khovratovich, Related-key cryptanalysis of the full AES-192 and AES-256, in M. Matsui, editor, ASIACRYPT 2009, volume 5912 of LNCS (Springer, Heidelberg, 2009), pp. 1–18

  12. A. Biryukov, D. Khovratovich, I. Nikolic, Distinguisher and related-key attack on the full AES-256, in S. Halevi, editor, CRYPTO 2009, volume 5677 of LNCS (Springer, Heidelberg, 2009), pp. 231–249

  13. A. Biryukov, I. Nikolic, Automatic search for related-key differential characteristics in byte-oriented block ciphers: Application to AES, Camellia, Khazad and others, in H. Gilbert, editor, EUROCRYPT 2010, volume 6110 of LNCS (Springer, Heidelberg, 2010), pp. 322–344

  14. A. Biryukov, I. Nikolic, Search for related-key differential characteristics in DES-like ciphers, in A. Joux, editor, FSE 2011, volume 6733 of LNCS (Springer, Heidelberg, 2011), pp. 18–34

  15. A. Biryukov, D. Wagner, Slide attacks, in L. R. Knudsen, editor, FSE’99, volume 1636 of LNCS (Springer, Heidelberg, 1999), pp. 245–259

  16. A. Bogdanov, F. Mendel, F. Regazzoni, V. Rijmen, E. Tischhauser, ALE: AES-based lightweight authenticated encryption, in S. Moriai, editor, FSE 2013, volume 8424 of LNCS (Springer, Heidelberg, 2014), pp. 447–466

  17. C. Cid, T. Huang, T. Peyrin, Y. Sasaki, L. Song, A security analysis of Deoxys and its internal tweakable block ciphers. IACR Trans. Symm. Cryptol. 2017(3), 73–107 (2017)


  18. C. Cid, T. Huang, T. Peyrin, Y. Sasaki, L. Song, Boomerang connectivity table: A new cryptanalysis tool, in J.B. Nielsen and V. Rijmen, editors, EUROCRYPT 2018, Part II, volume 10821 of LNCS (Springer, Heidelberg, 2018), pp. 683–714

  19. B. Cogliati, J. Lee, Y. Seurin, New constructions of MACs from (tweakable) block ciphers. IACR Trans. Symm. Cryptol. 2017(2), 27–58 (2017)


  20. G. M. U. Cryptographic Engineering Research Group, ATHENa: Automated Tools for Hardware EvaluatioN - Deoxys-I-128 implementation (2016). https://cryptography.gmu.edu/athena/

  21. H. Demirci, A.A. Selçuk, A meet-in-the-middle attack on 8-round AES, in K. Nyberg, editor, FSE 2008, volume 5086 of LNCS (Springer, Heidelberg, 2008), pp. 116–126

  22. P. Derbez, P.-A. Fouque, J. Jean, Faster chosen-key distinguishers on reduced-round AES, in S.D. Galbraith and M. Nandi, editors, INDOCRYPT 2012, volume 7668 of LNCS (Springer, Heidelberg, 2012), pp. 225–243

  23. P. Derbez, P.-A. Fouque, J. Jean, Improved key recovery attacks on reduced-round AES in the single-key setting, in T. Johansson and P. Q. Nguyen, editors, EUROCRYPT 2013, volume 7881 of LNCS (Springer, Heidelberg, 2013), pp. 371–387

  24. I. Dinur, J. Jean, Cryptanalysis of FIDES, in C. Cid and C. Rechberger, editors, FSE 2014, volume 8540 of LNCS (Springer, Heidelberg, 2015), pp. 224–240

  25. C. Dobraunig, M. Eichlseder, F. Mendel, M. Schläffer, Ascon v1.2. Submission to Round 3 of the CAESAR competition (2016)

  26. O. Dunkelman, N. Keller, A. Shamir, Improved single-key attacks on 8-round AES-192 and AES-256, in M. Abe, editor, ASIACRYPT 2010, volume 6477 of LNCS (Springer, Heidelberg, 2010), pp. 158–176

  27. S. Emami, S. Ling, I. Nikolic, J. Pieprzyk, H. Wang, The resistance of PRESENT-80 against related-key differential attacks. Cryptogr. Commun. 6(3), 171–187 (2014)


  28. E. Fleischmann, C. Forler, S. Lucks, McOE: A family of almost foolproof on-line authenticated encryption schemes, in A. Canteaut, editor, FSE 2012, volume 7549 of LNCS (Springer, Heidelberg, 2012), pp. 196–215

  29. P.-A. Fouque, J. Jean, T. Peyrin, Structural evaluation of AES and chosen-key distinguisher of 9-round AES-128, in R. Canetti and J.A. Garay, editors, CRYPTO 2013, Part I, volume 8042 of LNCS (Springer, Heidelberg, 2013), pp. 183–203

  30. K. Gaj, J. Kaps, V. Amirineni, M. Rogawski, E. Homsirikamol, B.Y. Brewster, ATHENa - Automated Tool for Hardware EvaluatioN: Toward Fair and Comprehensive Benchmarking of Cryptographic Hardware Using FPGAs, in International Conference on Field Programmable Logic and Applications - FPL 2010 (2010), pp. 414–421


  31. H. Gilbert, T. Peyrin, Super-sbox cryptanalysis: Improved attacks for AES-like permutations, in S. Hong and T. Iwata, editors, FSE 2010, volume 6147 of LNCS (Springer, Heidelberg, 2010), pp. 365–383

  32. S. Gueron, A. Langley, Y. Lindell, AES-GCM-SIV: Specification and Analysis. IACR Cryptology ePrint Archive, Report 2017/168, 2017. Available at http://eprint.iacr.org/2017/168

  33. V. T. Hoang, T. Krovetz, P. Rogaway, Robust authenticated-encryption AEZ and the problem that it solves, in E. Oswald and M. Fischlin, editors, EUROCRYPT 2015, Part I, volume 9056 of LNCS (Springer, Heidelberg, 2015), pp. 15–44

  34. T. Iwata, K. Minematsu, T. Peyrin, Y. Seurin, ZMAC: A fast tweakable block cipher mode for highly secure message authentication, in J. Katz and H. Shacham, editors, CRYPTO 2017, Part III, volume 10403 of LNCS (Springer, Heidelberg, 2017), pp. 34–65

  35. J. Jean, M. Naya-Plasencia, T. Peyrin, Improved rebound attack on the finalist Grøstl, in A. Canteaut, editor, FSE 2012, volume 7549 of LNCS (Springer, Heidelberg, 2012), pp. 110–126

  36. J. Jean, I. Nikolic, T. Peyrin, Tweaks and keys for block ciphers: The TWEAKEY framework, in P. Sarkar and T. Iwata, editors, ASIACRYPT 2014, Part II, volume 8874 of LNCS (Springer, Heidelberg, 2014), pp. 274–288

  37. J. Jean, I. Nikolić, T. Peyrin, Y. Seurin, Deoxys v1.41. Submitted to CAESAR (October 2016)

  38. J. Kelsey, T. Kohno, B. Schneier, Amplified boomerang attacks against reduced-round MARS and Serpent, in B. Schneier, editor, FSE 2000, volume 1978 of LNCS (Springer, Heidelberg, 2001), pp. 75–93

  39. M. Khairallah, A. Chattopadhyay, T. Peyrin, Looting the LUTs: FPGA optimization of AES and AES-like ciphers for authenticated encryption, in A. Patra and N. P. Smart, editors, INDOCRYPT 2017, volume 10698 of LNCS (Springer, Heidelberg, 2017), pp. 282–301

  40. D. Khovratovich, I. Nikolic, Rotational cryptanalysis of ARX, in S. Hong and T. Iwata, editors, FSE 2010, volume 6147 of LNCS (Springer, Heidelberg, 2010), pp. 333–346

  41. D. Khovratovich, C. Rechberger, The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE, in T. Lange, K. Lauter, and P. Lisonek, editors, SAC 2013, volume 8282 of LNCS (Springer, Heidelberg, 2014), pp. 174–184

  42. T. Kranz, G. Leander, F. Wiemer, Linear cryptanalysis: Key schedules and tweakable block ciphers. IACR Trans. Symm. Cryptol. 2017(1), 474–505 (2017)


  43. H. Krawczyk, The order of encryption and authentication for protecting communications (or: How secure is SSL?), in J. Kilian, editor, CRYPTO 2001, volume 2139 of LNCS (Springer, Heidelberg, 2001), pp. 310–331

  44. T. Krovetz, P. Rogaway, The software performance of authenticated-encryption modes, in A. Joux, editor, FSE 2011, volume 6733 of LNCS (Springer, Heidelberg, 2011), pp. 306–327

  45. S. Kumar, J. Haj-Yahya, M. Khairallah, M.A. Elmohr, A. Chattopadhyay, A comprehensive performance analysis of hardware implementations of CAESAR candidates. Cryptology ePrint Archive, Report 2017/1261, 2017. https://eprint.iacr.org/2017/1261

  46. R. Li, C. Jin, Meet-in-the-middle attacks on round-reduced tweakable block cipher Deoxys-BC. IET Inf. Secur. 13(1), 70–75 (2019)


  47. M. Liskov, R.L. Rivest, D. Wagner, Tweakable block ciphers. J. Cryptol. 24(3), 588–613 (2011)


  48. D. A. McGrew, J. Viega, The security and performance of the Galois/counter mode (GCM) of operation, in A. Canteaut and K. Viswanathan, editors, INDOCRYPT 2004, volume 3348 of LNCS (Springer, Heidelberg, 2004), pp. 343–355

  49. K. Minematsu, Fast decryption: a new feature of misuse-resistant AE. IACR Trans. Symm. Cryptol. 2020(3), 87–118 (2020)


  50. F. Moazami, A. Mehrdad, H. Soleimany, Impossible differential cryptanalysis on Deoxys-BC-256. ISeCure 10(2), 93–105 (2018)


  51. N. Mouha, Q. Wang, D. Gu, B. Preneel, Differential and linear cryptanalysis using mixed-integer linear programming, in Information Security and Cryptology - Inscrypt 2011 (2011), pp. 57–76

  52. C. Namprempre, P. Rogaway, T. Shrimpton, Reconsidering generic composition, in P. Q. Nguyen and E. Oswald, editors, EUROCRYPT 2014, volume 8441 of LNCS (Springer, Heidelberg, 2014), pp. 257–274

  53. I. Nikolic, How to use metaheuristics for design of symmetric-key primitives, in T. Takagi and T. Peyrin, editors, ASIACRYPT 2017, Part III, volume 10626 of LNCS (Springer, Heidelberg, 2017), pp. 369–391

  54. T. Peyrin, Improved differential attacks for ECHO and Grøstl, in T. Rabin, editor, CRYPTO 2010, volume 6223 of LNCS (Springer, Heidelberg, 2010), pp. 370–392

  55. T. Peyrin, Y. Seurin, Counter-in-tweak: Authenticated encryption modes for tweakable block ciphers, in M. Robshaw and J. Katz, editors, CRYPTO 2016, Part I, volume 9814 of LNCS (Springer, Heidelberg, 2016), pp. 33–63

  56. A. Poschmann, M. Stöttinger, Personal communication

  57. A. Poschmann, M. Stöttinger, ATHENa: Automated Tools for Hardware EvaluatioN - Deoxys-I-128 implementation (2016). https://cryptography.gmu.edu/athena/

  58. P. Rogaway, Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC, in P. J. Lee, editor, ASIACRYPT 2004, volume 3329 of LNCS (Springer, Heidelberg, 2004), pp. 16–31

  59. P. Rogaway, Nonce-based symmetric encryption, in B. K. Roy and W. Meier, editors, FSE 2004, volume 3017 of LNCS (Springer, Heidelberg, 2004), pp. 348–359

  60. P. Rogaway, T. Shrimpton, A provable-security treatment of the key-wrap problem, in S. Vaudenay, editor, EUROCRYPT 2006, volume 4004 of LNCS (Springer, Heidelberg, 2006), pp. 373–390

  61. Y. Sasaki, Improved related-tweakey boomerang attacks on Deoxys-BC, in A. Joux, A. Nitaj, and T. Rachidi, editors, AFRICACRYPT 18, volume 10831 of LNCS (Springer, Heidelberg, 2018), pp. 87–106

  62. S. Sun, L. Hu, P. Wang, K. Qiao, X. Ma, L. Song, Automatic security evaluation and (related-key) differential characteristic search: Application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers, in P. Sarkar and T. Iwata, editors, ASIACRYPT 2014, Part I, volume 8873 of LNCS (Springer, Heidelberg, 2014), pp. 158–178

  63. S. Vaudenay, Security flaws induced by CBC padding—applications to SSL, IPSEC, WTLS, in L.R. Knudsen, editor, EUROCRYPT 2002, volume 2332 of LNCS (Springer, Heidelberg, 2002), pp. 534–546

  64. Virtual Silicon Inc., 0.18 \(\mu \)m VIP Standard Cell Library Tape Out Ready, Part Number: UMCL18G212T3, Process: UMC Logic 0.18 \(\mu \)m Generic II Technology: 0.18 \(\mu \)m, July 2004

  65. D. Wagner, The boomerang attack, in L. R. Knudsen, editor, FSE’99, volume 1636 of LNCS (Springer, Heidelberg, 1999), pp. 156–170

  66. H. Wang, T. Peyrin, Boomerang switch in multiple rounds. IACR Trans. Symm. Cryptol. 2019(1), 142–169 (2019)


  67. H. Wu, Related-cipher attacks, in R. H. Deng, S. Qing, F. Bao, and J. Zhou, editors, ICICS 02, volume 2513 of LNCS (Springer, Heidelberg, 2002), pp. 447–455

  68. H. Wu, ACORN v3. Submission to Round 3 of the CAESAR competition (2016)

  69. H. Wu, AEGIS v1.1. Submission to Round 3 of the CAESAR competition (2016)

  70. B. Zhao, X. Dong, K. Jia, New Related-Tweakey Boomerang and Rectangle Attacks on Deoxys-BC Including BDT Effect. Cryptology ePrint Archive, Report 2020/102, 2020. https://eprint.iacr.org/2020/102

  71. B. Zhao, X. Dong, K. Jia, W. Meier, Improved Related-Tweakey Rectangle Attacks on Reduced-round Deoxys-BC-384 and Deoxys-I-256-128. Cryptology ePrint Archive, Report 2020/103, 2020. https://eprint.iacr.org/2020/103


Acknowledgements

We would like to thank the anonymous reviewer of the CAESAR committee for their helpful comments and suggestions, Tetsu Iwata, Guo Jian, Gaëtan Leurent, and Wang Lei for very fruitful discussion on authenticated encryption designs, Christof Beierle and Anne Canteaut for pointing out issues in our first general formulations of the bound on the number of active S-boxes coming from the subtweakeys schedule in the STK construction, and Axel Poschmann and Marc Stöttinger for their hardware implementations of Deoxys presented in Sect. 9. This work is supported by the Singapore National Research Foundation Fellowship 2012 (NRF-NRFF2012-06).


Corresponding author

Correspondence to Thomas Peyrin.

Additional information

Communicated by Tetsu Iwata.


Appendices

AES S-box and constants

1.1 AES S-box and Its Inverse

We define here the AES S-box \({\mathcal {S}}\) and its inverse \({\mathcal {S}}^{-1}\), as an array where the value of \({\mathcal {S}}(x)\) can be found at the position x in the array (Tables 16, 17).

Table 16 The AES S-box \({\mathcal {S}}\)
Table 17 The AES inverse S-box \({\mathcal {S}}^{-1}\)

1.2 RCON Constants

Table 18 gives the values of the constants RCON used in the tweakey scheduling algorithm of Deoxys.

Table 18 The RCON constants used in the key scheduling algorithm

Algorithmic Descriptions of the Deoxys Variants

1.1 Deoxys-I


1.2 Deoxys-AE1

See Figs. 10 and 11.

Fig. 10 Handling of the associated data for Deoxys-AE1: In the case where the associated data are a multiple of the block size, no padding is needed

Fig. 11 Message processing for Deoxys-AE1: In the case where the message length is a multiple of the block size, no padding is needed. Note that the checksum \({\varSigma }\) is computed with a \(10^*\) padding for block \(M^*\)


1.3 Deoxys-II


1.4 Deoxys-AE2

See Figs. 12, 13 and 14.

Fig. 12 Handling of the associated data for Deoxys-AE2: In the case where the associated data are a multiple of the block size, no padding is needed

Fig. 13 Message processing in the authentication part of Deoxys-AE2: In the case where the message length is a multiple of the block size, no padding is needed

Fig. 14 Message processing for the encryption part of Deoxys-AE2



About this article


Cite this article

Jean, J., Nikolić, I., Peyrin, T. et al. The Deoxys AEAD Family. J Cryptol 34, 31 (2021). https://doi.org/10.1007/s00145-021-09397-w
