Related-tweakey impossible differential attack on reduced-round Deoxys-BC-256


Deoxys-BC is the internal tweakable block cipher of Deoxys, a third-round authenticated encryption candidate at the CAESAR competition. In this study, by adequately studying the tweakey schedule, we seek a six-round related-tweakey impossible distinguisher of Deoxys-BC-256, which is transformed from a 3.5-round single-key impossible distinguisher of AES, by application of the mixed integer linear programming (MILP) method. We present a detailed description of this interesting transformation method and the MILP modeling process. Based on this distinguisher, we mount a key-recovery attack on 10 (out of 14) rounds of Deoxys-BC-256. Compared to previous results that are valid only when the key size > 204 and the tweak size < 52, our method can attack 10-round Deoxys-BC-256 as long as the key size > 174 and the tweak size ≤ 82. For the popular setting in which the key size is 192 bits, we can attack one round more than previous studies. Note that this paper only gives a more accurate security evaluation and does not threaten the security of full-round Deoxys-BC-256.





This work was supported by National Key Research and Development Program of China (Grant No. 2017YFA0303903), National Natural Science Foundation of China (Grant No. 61672019), National Cryptography Development Fund (Grant No. MMJJ20170121), Zhejiang Province Key R&D Project (Grant No. 2017C01062), Fundamental Research Funds of Shandong University (Grant No. 2016JC029), and China Postdoctoral Science Foundation (Grant No. 2017M620807).

Author information



Corresponding authors

Correspondence to Xiaoyang Dong or Xiaoyun Wang.


Cite this article

Zong, R., Dong, X. & Wang, X. Related-tweakey impossible differential attack on reduced-round Deoxys-BC-256. Sci. China Inf. Sci. 62, 32102 (2019).



  • related-tweakey impossible differential attack
  • tweakable block cipher
  • Deoxys-BC-256
  • tweakey schedule
  • MILP