Springer Nature is making SARS-CoV-2 and COVID-19 research free. View research | View latest news | Sign up for updates

Related-tweakey impossible differential attack on reduced-round Deoxys-BC-256

  • 46 Accesses

  • 1 Citations


Deoxys-BC is the internal tweakable block cipher of Deoxys, a third-round authenticated encryption candidate at the CAESAR competition. In this study, by adequately studying the tweakey schedule, we seek a six-round related-tweakey impossible distinguisher of Deoxys-BC-256, which is transformed from a 3.5-round single-key impossible distinguisher of AES, by application of the mixed integer linear programming (MILP) method. We present a detailed description of this interesting transformation method and the MILPmodeling process. Based on this distinguisher, we mount a key-recovery attack on 10 (out of 14) rounds of Deoxys-BC-256. Compared to previous results that are valid only when the key size > 204 and the tweak size < 52, our method can attack 10-round Deoxys-BC-256 as long as the key size > 174 and the tweak size 6 82. For the popular setting in which the key size is 192 bits, we can attack one round more than previous studies. Note that this paper only gives a more accurate security evaluation and does not threaten the security of full-round Deoxys-BC-256.

This is a preview of subscription content, log in to check access.


  1. 1

    Jean J, Nikolić I, Peyrin T, et al. Deoxys v1.41. 2016.

  2. 2

    Daemen J, Rijmen V. The design of rijndael. In: AES - the Advanced Encryption Standard. Berlin: Springer, 2002

  3. 3

    Liskov M, Rivest R L, Wagner D. Tweakable block ciphers. J Cryptol, 2011, 24: 588–613

  4. 4

    Beierle C, Jean J, Kölbl S, et al. The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Advances in Cryptology - CRYPTO 2016. Berlin: Springer, 2016. 123–153

  5. 5

    Borghoff J, Canteaut A, Gneysu T, et al. PRINCE - a low-latency block cipher for pervasive computing applications. In: Advances in Cryptology - ASIACRYPT 2012. Berlin: Springer, 2012. 208–225

  6. 6

    Avanzi R. The QARMA block cipher family - almost MDS matrices over rings with zero divisors, nearly symmetric Even-Mansour constructions with non-involutory central rounds, and search heuristics for low-latency S-Boxes. IACR Trans Symmetric Cryptol, 2017, 1: 4–44

  7. 7

    Jean J, Nikolić I, Peyrin T. Tweaks and keys for block ciphers: The TWEAKEY framework. In: Advances in Cryptology - ASIACRYPT 2014. Berlin: Springer, 2014. 274–288

  8. 8

    Cid C, Huang T, Peyrin T, et al. A security analysis of Deoxys and its internal tweakable block cphers. IACR Trans Symmetric Cryptol, 2017, 3: 73–107

  9. 9

    Ankele R, Banik S, Chakraborti A, et al. Related-key impossible-differential attack on reduced-round SKINNY. In: Applied Cryptography and Network Security - ACNS 2017. Berlin: Springer, 2017. 208–228

  10. 10

    Bellare M, Hoang V, Tessaro S. Message-recovery attacks on Feistel-based format preserving encryption. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Seucrity, Vienna, 2016. 444–455

  11. 11

    Derbez P, Fouque P-A, Jean J. Improved key recovery attacks on reduced-round AES in the single-key setting. In: Advances in Cryptology - EUROCRYPT 2013. Berlin: Springer, 2013. 371–387

  12. 12

    Biham E, Keller N. Cryptanalysis of reduced variants of Rijndael. In: Prcoeedings of the 3rd AES Candidate Conference, New York, 2000

  13. 13

    Mouha N, Wang Q J, Gu D W, et al. Differential and linear cryptanalysis using mixed-integer linear programming. In: Proceedings of the 7th International Conference on Information Security and Cryptology, Beijing, 2011. 57–76

  14. 14

    Wu S B, Wang M S. Security evaluation against differential cryptanalysis for block cipher structures.

  15. 15

    Sun S W, Hu L, Wang P, et al. Automatic security evaluation and (related-key) differential characteristic search: Application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Advances in Cryptology - ASIACRYPT 2014. Berlin: Springer, 2014. 158–178

  16. 16

    Sun S W, Hu L, Song L, et al. Automatic security evaluation of block ciphers with S-bP structures against related-key differential attacks. In: Proceedings of International Conference on Information Security and Cryptology. Berlin: Springer, 2013. 39–51

  17. 17

    Sun S W, Hu L, Wang M Q, et al. Towards finding the best characteristics of some bit-oriented blcok ciphers and automatic enumeration of (related-key) differential and linear characteristics with predefined properties.

  18. 18

    Fu K, Wang M Q, Guo Y H, et al. MILP-based automatic search algorithms for differential and linear trails for Speck. In: Fast Software Encryption - FSE 2016. Berlin: Springer, 2016. 268–288

  19. 19

    Sasaki Y, Todo Y. New impossible differential search tool from design and cryptanalysis aspects. In: Advances in Cryptology - EUROCRYPT 2017. Berlin: Springer, 2017. 185–215

  20. 20

    Cui T T, Jia K T, Fu K, et al. New automatic search tool for impossible differentials and zero-correlation linear approximations.

Download references


This work was supported by National Key Research and Development Program of China (Grant No. 2017YFA0303903), National Natural Science Foundation of China (Grant No. 61672019), National Cryptography Development Fund (Grant No. MMJJ20170121), Zhejiang Province Key R&D Project (Grant No. 2017C01062), Fundamental Research Funds of Shandong University (Grant No. 2016JC029), and China Postdoctoral Science Foundation (Grant No. 2017M620807).

Author information

Correspondence to Xiaoyang Dong or Xiaoyun Wang.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Zong, R., Dong, X. & Wang, X. Related-tweakey impossible differential attack on reduced-round Deoxys-BC-256. Sci. China Inf. Sci. 62, 32102 (2019).

Download citation


  • related-tweakey impossible differential attack
  • tweakable block cipher
  • Deoxys-BC-256
  • tweakey schedule
  • MILP