Impossible Differential Cryptanalysis on Deoxys-BC-256

Home , UES (cipher)

The ISC Int'l Journal of Information Security July 2018, Volume 10, Number 2 (pp. 93–105) ISeCure http://www.isecure-journal.org Impossible Differential Cryptanalysis on Deoxys-BC-256 Alireza Mehrdad 1, Farokhlagha Moazami 1,∗, and Hadi Soleimany 1 1Cyberspace Research Institute, Shahid Beheshti University, Tehran, Iran

A R T I C L E I N F O. ABSTRACT

Article history: Deoxys is a final-round candidate of the CAESAR competition. Deoxys is Received: 9 January 2018 First Revised: 20 January 2018 built upon an internal tweakable block cipher Deoxys-BC, where in addition to Last Revised: 4 May 2018 the plaintext and key, it takes an extra non-secret input called a tweak. This Accepted: 30 May 2018 paper presents the first impossible differential cryptanalysis of Deoxys-BC-256 Published Online: 5 July 2018 which is used in Deoxys as an internal tweakable block cipher. First, we find a Keywords: CAESAR Competition, 4.5-round ID characteristic by utilizing a miss-in-the-middle-approach. We then Deoxys-BC, Impossible Differential present several cryptanalysis based upon the 4.5 rounds distinguisher against Cryptanalysis, Distinguisher. round-reduced Deoxys-BC-256 in both single-key and related-key settings. Our contributions include impossible differential attacks on up to 8-round Deoxys-BC-256 in the single-key model. Our attack reaches 9 rounds in the related-key related-tweak model which has a slightly higher data complexity than the best previous results obtained by a related-key related-tweak rectangle attack presented at FSE 2018, but requires a lower memory complexity with an equal time complexity. c 2018 ISC. All rights reserved.

1 Introduction Deoxys is one of the final-round authenticated encryption candidates in the CAESAR competition. De- ecent real-world applications that need to protect oxys is built upon an internal tweakable block cipher Rboth confidentiality and authentication have led Deoxys-BC, where in addition to the plaintext and to a renewed interest in designing novel authenticated key, it takes an extra non-secret input called a “tweak. encryption. Due to the lack of well-studied authenti- Deoxys-BC is an AES-like design with the SPN struc- cated encryption schemes with the desirable level of se- ture which is based on the TWEAKEY framework. curity and performance, an ongoing CAESAR compe- The inner tweakable block cipher Deoxys-BC has two tition, funded by NIST, plans to identify a promising variants, each with a block size of 128 bits and a tweak new portfolio of reliable and efficient authenticated size of 128 bits, but two different key lengths: 128 and encryptions that are suitable for widespread applica- 256 bits. These variants are called Deoxys-BC-256 tions. A total of 58 diverse proposals from interna- and Deoxys-BC-384, respectively. We note that the tional cryptographers have been submitted on March specification of Deoxys-BC has been slightly changed 2014. According to the results of a public evaluation, during the competition. In this paper, we study the the CAESAR committee has announced 7 schemes as last version submitted to the CAESAR competition the final round candidates. called Deoxys v1.41.

∗ The security of Deoxys-BC was studied against a Corresponding author. wide variety of cryptanalyses by the designers and Email addresses: [email protected] (A. Mehrdad), f [email protected] (F. Moazami), h [email protected] as was proved by them, the cipher is secure against (H. Soleimany) several known attacks. However, impossible differen- ISSN: 2008-2045 c 2018 ISC. All rights reserved. tial cryptanalysis was not covered by the designers in

ISeCure 94 Impossible Differential Cryptanalysis on Deoxys-BC-256 — A. Mehrdad et al.

the original proposal, instead, third-party experts are impossible differential attacks on 8-round Deoxys-BC- encouraged to investigate the security of Deoxys-BC 256 in the related-tweak single-key model. In addition, against impossible differential cryptanalysis in differ- we present an impossible differential cryptanalysis on ent settings. The aim of this work is to evaluate the 9-round Deoxys-BC-256 in the related-key related- security of Deoxys-BC-256 against impossible differ- tweak model in which the required data is two times ential cryptanalysis which is an important class of more than the rectangle attack while the memory cryptanalytic techniques applicable to a wide variety complexity is decreased by a factor of 215. of block ciphers. Impossible differential cryptanaly- After the submission of this paper and uploaded sis was proposed by Knudsen and independently by our results in Cryptology ePrint Archive, we noticed Biham. Impossible differential cryptanalysis exploits that Jiang and Jin presented a single-key impossible differential characteristic with a probability of (ex- differential cryptanalysis on 8-Round Deoxys-BC-256 actly) zero to eliminate the wrong key candidates of in [2]. In addition, during the preparation the final some key bits involved in outer rounds that lead to version of this paper Zong et al. published a key- such impossible differences. recovery attack on 10 rounds of Deoxys-BC-256 which is applicable only when the key size ≥ 174 and the Previous Work and Our Contributions tweak size ≤ 82 [3]. However, the h permutation is Carlos Cid et al. [1], present a related-key related- not considered correctly in both published papers and tweak rectangle attack against up to 9 rounds of it should be interpreted the other way. So the results Deoxys-BC-256 with a data complexity of 2117, a are not valid. In addition, our paper includes more memory complexity of 2117 states and a time complex- results in both single-key and related-key settings. ity of 2118. They also present a related-key related- tweak cryptanalysis on a particular variant of 10-round Outline of the Paper Deoxys-BC-256 in which the key length is greater The paper is organized as follows: Section 2 starts than 204 and the tweak length is less than 52. The with a short description of Deoxys. This is followed described cryptanalysis is not applicable to the cipher by a brief introduction of the internal tweakable block with the key length of 128-bits. In addition, the pro- cipher Deoxys-BC-256 and some notations that are posed cryptanalysis on the 10-round Deoxys-BC-256 used throughout the paper. After that we introduce a requires 2127.58 chosen plainetexts while the maximum 4.5-round impossible differential characteristic which permitted amount of data for a given key in the Doexys can be utilized in both single-key and related-key scheme is 2t−4 where t denotes the size of the tweak. settings. Then we describe related-tweak impossible In this paper, we present several impossible differ- differential cryptanalysis on 8-round Deoxys-BC-256 ential cryptanalysis on the round-reduced variants of in Section 4. We also present impossible differential Deoxys-BC-256: characteristic of the 8-round and 9-round of the cipher in the related-key related-tweak model in Section 5 • First, we study the security of Deoxys-BC-256 in and Section 6, respectively. We conclude the paper the related-tweak single-key model. We describe in Section 7. how to mount an impossible differential attack on the 8 rounds of Deoxys-BC-256 given 2118 2 Description of Deoxys and 102 plaintext-ciphertext pairs and 2 memories. Deoxys-BC • After that we propose a related-key related- tweak impossible differential attack on 8-round In this section, we describe Deoxys and Deoxys-BC- Deoxys-BC-256 with a memory complexity of 256. The section starts with a short description of 244, a data complexity of 2116.5 chosen plain- Deoxys authenticated encryption. This is followed by texts and a time complexity of 2116.5 full en- a specification of the internal tweakable block cipher cryptions. Then we exploit a precomputation Deoxys-BC-256. We assume the reader is familiar with phase to apply a similar attack on the 9 rounds the concept of tweaks and keys for block ciphers and of Deoxys-BC-256 which comes with the cost of also the standard block cipher AES; otherwise, we increasing the required memory to 2102 states. refer to [5] and [6], respectively for the full specification details. The results of our attacks compared with the previous attacks on Deoxys-BC-256 in the single-key and related-key models are summarized in Table 1. The 2.1 Deoxys Authenticated Encryption designers presented an upper bound for an efficient Scheme related-key related-tweak differential cryptanalysis The designers of Deoxys proposed two operating on 8 rounds of Deoxys-BC-256 without proposing a modes, called Deoxys-I and Deoxys-II. The former specific attack. However, our contributions include

ISeCure July 2018, Volume 10, Number 2 (pp. 93–105) 95

Table 1. Results of attacks on Deoxys-BC-256.

Attack Attack Tweak Complexity Rds Key size Time Memory Ref. type mode size Date (CP)

8 MitM SK 128 128 ≤ 2128 [4] 8 Differential SK 128 128 ≤ 2128 [4] 8 Imp. dif. SK 128 128 2118 2118 2102 Section 4

8 Imp. dif. RK 128 128 2116.5 2116.5 244 Section 5 9 Rectangle RK 128 128 2118 2117 2117 [1] 9 Imp. dif. RK 128 128 2118 2118 2102 Section 6

CP=chosen plaintext; RK= related-key; SK= single-key.

mode, Deoxys-I, is a nonce-based scheme which is Tweakey Schedule (ρ = 2) proven to be secure against nonce-respecting adver- saries. The latter mode, Deoxys-II, is a nonce-based AEAD scheme that provides security in the nonce misuse model in which the adversary can query different plaintexts while keeping the nonce constant. In this section, we only present a brief description of Deoxys-I. We refer the readers to the original proposal [4] for more details. The encryption process, in the nonce-respecting Figure 1. TWEAKEY framework for Deoxys-BC. mode with no padding is described in Table 2. method to concatenate the tweak and key as a unified Table 2. Encryption algorithm when we have no padding to state called tweakey. Deoxys-BC has two variants, each associated data and message. with a block size of 128 bits, but a different tweakey Processing associated data size of 128 and 256 bits which are called Deoxys-BC- 256 and Deoxys-BC-384, respectively. Since the aim 1 divide A to 128-bit blocks A to A 1 la of this paper is to study the security of to Deoxys-BC- 2 Auth ← 0 256 against impossible differential cryptanalysis, we 3 for i = 0 to la − 1 do only describe Deoxys-BC-256 in this section. 4 Auth ← Auth ⊕ EK (0010||i, Ai+1) Deoxys-BC-256 has 14 rounds. The round function 5 end reuses the existing components of AES, with the main Message encryption and tag generation differences with the tweakeys that are used every round as the round subkeys. One round of the Deoxys- 6 divide M to 128-bit blocks M to M 1 l BC (f-function in Figure 1) consists of the following 7 Checksum ← 0 four transformations: 8 for j = 0 to l − 1 do • AddRoundTweakey – XoR the subtweakey 9 Checksum ← Checksum ⊕ Mj and internal state. 10 Cj ← EK (0000||N||j, Mj+1) • SubBytes – Apply the AES S-box to the 16 11 end bytes of the internal state. • ShiftRows – Rotate i-th row left by i positions, 12 Final ← E (0001||N||l, Checksum) K where i = (0, 1, 2, 3). 13 tag ← Final ⊕ Auth • MixColumns – Multiply the four input bytes in each column by the MDS matrix of AES.

2.2 Deoxys-BC-256 To achieve the ciphertext, a final AddRoundTweakey operation is performed after the last round. Deoxys utilizes a dedicated tweakable block cipher, Definition of the subtweakeys. Deoxys-BC as its internal encryption. The inner tweakable block cipher Deoxys-BC is an AES-based tweak- Let KT be the concatenation of key and tweak. In able block cipher that makes use of the TWEAKEY Deoxys-BC-256, we denote the most significant 128- 1 framework. The TWEAKEY framework is a general bit of KT by TK0 and the least significant 128-bit

ISeCure 96 Impossible Differential Cryptanalysis on Deoxys-BC-256 — A. Mehrdad et al.

2 of KT by TK0 . For Deoxys-BC-256, a subtweakey 1 2 STKi is defined as STKi = TKi ⊕TKi ⊕RCi where 1 2 TKi is the most significant 128-bit and TKi is the least significant 128-bit of the tweakey of round i. j The 128-bit words TKi+1 produces recursively from j TKi by a byte permutation h and an LF SR as follows: 1 1 2 2 TKi+1 = h(TKi ),TKi+1 = h(LFSR(TKi )), where the byte permutation h, is defined as:   0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15   , Figure 2. Subtweakeys difference Schedule used for impossible 1 6 11 12 5 10 15 0 9 14 3 4 13 2 7 8 differential characteristic.

in which we use the byte indexing as follows: round tweak and RCi. We indicate the corresponding −1 Aw   subkey by wi = MC (ki). Let xi represent the 0 4 8 12 R   result of the XoRing of xi and wi of the round i.    1 5 9 13    . 3 4.5-round Impossible Differential    2 6 10 14  Characteristic   3 7 11 15 Impossible differential attack was first introduced at [7] and [8]. This attack mainly composed of two parts. Also, the LF SR function is defined as follows: The first section is to find impossible characteristic   with maximum length. The second part of the attack (x7 k x6 k x5 k x4 k x3 k x2 k x1 k x0 ) is to use this characteristic to recover (part of) round LFSR :  ↓    subkeys, which is also called the key filtering step. (x6 k x5 k x4 k x3 k x2 k x1 k x0 k x7 ⊕ x5 ) This attack has become one of the most important attacks in the field of cryptanalysis, and has been used in several articles such as [9–13], to attack a large 2.3 Notations number of ciphers. We use the following notations throughout the paper: By the subtweakey schedule, one can easily check I that if 4STKi[15] is an active byte then the structure • xi : The input of the round i. S of the subtweakey of other rounds is like Figure 2. • xi : The SubBytes output of the round i. R Since the difference of subtweakeys is only due to the • xi : The ShiftRows output of the round i. M difference between tweaks and keys, the difference • xi : The MixColumns output of the round i. O values of gray bytes can be zero in special cases. • xi : The AddRoundTweakey output of the round i. That is to say, after eight rounds, the subtweakeys • xi,col(j): The j-th column of xi, where j= difference, is just like the arrangement of first round (0,1,2,3). difference(4STKi = 4STKi+8). This repetition • STKi: The Subtweakey of the round i. may be efficient for some future probable attack. • K : The Subkey of the round i. i Figure 3 shows an illustration of an impossible dif- • T : The tweak of the round i. i ferential of 4.5-round Deoxys. The gray boxes denote • RC : The key schedule round constant of round i the (active) bytes in which the pair differs while the i. white boxes refer to the equal (passive) bytes in the • TR : The result of XoRing of T and RC . i i i pair. The black boxes refer to the byte that can be Also, we use the following enumeration [0, 1, 2, ··· , 15]. active or passive. By this enumeration, x[l] represents the l-th byte of In forward direction, we use a tweakey difference the x. with one non-zero difference byte 4STKi[0] 6= 0 that O Since MixColumns and AddRoundTweakey opera- leads to one active byte, xi [0]. According to the pro- tions are linear, they can be interchanged, that is, we cess of producing subtweakey, we know 4STKi[0] 6= 0 can first do AddRoundTweakey and then MixColumns. leads to 4STKi+1[7] 6= 0. That leads to the five ac- O Hence, we first begin by XoRing the internal state tive bytes, xi+1[0, 1, 2, 3, 7]. This process always gives O with a corresponding subkey and after that use the eleven active bytes, xi+2[0, 1, 2, 3, 4, 5, 6, 7, 12, 13, 15], MixColumns and finally, XoR the obtained value with at the end of round i+2.

ISeCure July 2018, Volume 10, Number 2 (pp. 93–105) 97

Figure 4. 8-round single key impossible differential trail

ure 3. We extend our impossible differential characteristic by one round at the beginning and 2.5-round at the end. Figure 4 shows this attack. In this attack, we use an improvement that is suggested by Lu et al. [14] and is based on the following observation. Figure 3. 4.5-round impossible differential characteristic of Deoxys Observation I: Given a random pair (4X, 4Y ) as input and output differences of the AES S-box, 0 In backward direction, three active bytes, xR [8, 9, 10] there is on average one pair of (X,X ), such that i+4 0 R R S(X) ⊕ S(X ) = 4Y . or xi+4[8, 9, 11] or xi+4[8, 10, 11] afford one zero dif- R ference column in xi+3. This passive column brings Before we explain details of the attack, we define I one zero difference byte at each column of xi+3 which the concept of structure and set of plaintexts. O contradicts with 4xi+2,col(0,1) 6= 0. 40 A structure L consists of 2 plaintexts Pi which all Thus, according to this 4.5-round impossible dif- of them are different in the bytes Pi[0, 5, 6, 10, 15] and 32 ferential, a plaintext pair which is equal at all bytes, equal at other bytes. Each 2 plaintexts Pi of one after 4.5-round Deoxys encryption cannot convert to structure that have equal 6th byte value of plaintexts i the ciphertext pair which is equal at all bytes except Pi, form a set S. The value of T0[6] is equal to Pi[6], so i three bytes: [8, 9, 10] or [8, 9, 11] or [8, 10, 11]. a dedicated tweak T0[6] (and Pi[6]) is assigned to each 8 We will use this 4.5-round impossible characteristic set. Clearly, there exist 2 sets in each structure. In our for both the single key mode and related key mode. attack procedure, we need the pair of plaintext-tweaks 0 0 0 What’s important is that in single key mode, the sub- ((P,T ), (P ,T )) such that P ⊕ P has active bytes in 0 0 tweakey differences are only caused by the difference positions [0, 5, 6, 10, 15] and P [6]⊕P [6] = T [6]⊕T [6]. We can build about 232 ×(28 −1)4 ≈ 264 distinct pairs of the tweaks (4STKi = 4Ti), but in the case of the related key attack, the subtweakey differences are that have four active bytes [0, 5, 10, 15]. Also, we can 28 due to the both differences of the tweaks and the choose 2 different sets from a structure to be sure th keys(4STKi = 4Ti ⊕ 4Ki). that the 6 byte is active too. Totally, we can build 28 32 8 4 79 about 2 × 2 × (2 − 1) ≈ 2 pairs per structure, 4 8-round Single-Key Impossible that have five active bytes in positions [0, 5, 6, 10, 15]. Differential Attack The attack procedure has two phases, online phase We achieve a single key impossible differential crypt- and precomputation (offline phase). Algorithm1 illus- analysis of 8-round Deoxys, using impossible differen- trates a high level of the attack procedure. The details tial characteristic of 4.5-round Deoxys as shown in Fig- of the attack are as follows.

ISeCure 98 Impossible Differential Cryptanalysis on Deoxys-BC-256 — A. Mehrdad et al.

Algorithm 1 8-round Single-Key Attack on Deoxys- round subtweakey 4STK8 is only depen- BC dent on the difference of tweaks 4T8 that we 40 Precomputation Phase make a list Hp of 2 valid know. So we can invert the final subtweakey R ﬁrst round constructions. XoR and mixcolumn and compute 4x8 = −1 Online Phase MC ◦ (4C ⊕ 4STK8). We just select the 118 R for all 2 chosen plaintexts do pairs that corresponding to 4x8 , have eight keep corresponding ciphertexts which have only active bytes [2, 3, 5, 6, 8, 9, 12, 15]. Since we I must have eight equal bytes 4xR in positions two active last columns x8,col(2,3). 8 8 Aw [0,1,4,7,10,11,13,14], the expected number of for all 2 possible values of 4x7 [15] that leads n+79 −64 n+15 R remaining pairs is 2 × 2 = 2 . to 4x8 [3, 6, 9, 12] do 0 (2) Since we know the value of (C,C ) and 4STK8, compute w8[3, 6, 9, 12]. S 8 Aw the difference 4x8,col(3) can be determined. for all 2 possible values of 4x7 [8] that leads R Thus, by knowing the value of 4xAw , we to 4x8 [2, 5, 8, 15] do 7,col(3) compute w [2, 5, 8, 15]. S 0S 8 can obtain the values of x8,col(3) and x 8,col(3) Aw for all 3 × 255 possible values of 4x6,col(2) according to observation I. Since we know R Aw 8 that leads to 4x7 [8, 15] do 4x7 [15] 6= 0, we have only 2 − 1 different Aw compute w7[8, 15]. possible values of 4x7,col(3). Therefore, this for all 237 remaining pairs do step can be done as follows: 32 discard each STK0[0, 5, 10, 15] that is Initialize 2 empty lists, for each guess of in Hp. w8[3, 6, 9, 12]. end for For each remaining pair (C,C0), and for each Aw end for possible value of 4x7 [15], calculate the key 0 end for w8[3, 6, 9, 12] that leads the pair (C,C ) to Aw end for 4x7,col(3), and add this pair to the list related end for to the guessed key. Do exhaustive search for all remaining subkey bits. Due to observation I, for each pair and dis- tinction guess, on average we have one key 4.1 Precomputation Phase suggestion. Since these 2n+15 × 255 ≈ 2n+23 suggestions are distributed over all 232 possible M 0M n+23 32 n−9 The number of pairs (x1,col(0), x 1,col(0)) that are dif- keys, we have about 2 /2 = 2 pairs for M ferent only in byte position x1 [1] and the difference each guess of w8[3, 6, 9, 12]. 0 32 is equal to the difference of two tweaks T1[1] and T1[1] (3) Similar to step 2, we initialize 2 empty lists M 8 8 (4x1 [1] = 4T1[1] 6= 0), is equal to × (2 − 1) × for each guess of w8[2, 5, 8, 15]. (28)3 ≈ 240. For all these 240 pairs, compute four bytes For each remaining pair (C,C0), and for each I 0I possible value of 4xAw[8], calculate the key [0, 5, 10, 15] of x1 and x 1: 7 0 I −1 −1 −1 M w8[2, 5, 8, 15] that leads the pair (C,C ) to x1[0, 5, 10, 15] = SB ◦ SR ◦ MC (x1,col(0)) and 4xAw , and add this pair to the list related x0I [0, 5, 10, 15] = SB−1 ◦ SR−1 ◦ MC−1(x0M ). 7,col(2) 1 1,col(0) to the guessed key. I 0I Then, store the pairs (x1, x 1) in a hash table Hp in- Due to observation I, for each pair and distinc- I dexed by (4x1 || 4T1[1]). By considering the fact tion guess, on average we have one suggested 0 that 4T0[6] = T0[6] ⊕ T0[6] = 4T1[1] the value of key. Since these 2n−9 × 255 ≈ 2n−1 suggestions I I (4x1 || 4T1[1]) is equal to (4x1 || 4T0[6]). These are distributed over all 232 possible keys, we 40 32 parameters can take 2 different values (2 distinct have about 2n−1/232 = 2n−33 pairs for each values for 4xI and 28 unequal values for 4T [6]). 1 0 guess of w8[2, 5, 8, 15]. Each value represents a row in the Hp. Since, we have (4) We use Lu et al. improvement again. Since we 240 pairs (xM , x0M ), then on average H has one pair Aw th 1 1 p want 4x6,col(2) to have an active byte in the 8 I 0I (x1, x 1) in each row; where first parameter specifies position and two of three other bytes, there are I 3 the difference 4x1, and second parameter determines 3 × 255 possible differences and only 3 × 255 of M the difference 4T0[6]. these differences lead to a difference of 4x6,col(2) M where only two bytes 4x6 [8, 11] are active. So, 4.2 Online Phase for each pair and each guess of w7[8, 15] we must check whether 4xM belongs to these 3×255 (1) We take 2n structures, which produce about 6,col(2) differences. According to observation I, when 2n × 279 = 2n+79 possible plaintext pairs. we have 4xAw[8, 15] as output and 4xM [8, 11] Then we ask for the corresponding cipher- 7 6 T i as input difference of the S-box, we can compute texts: Ci = EK (Pi). The difference of last

ISeCure July 2018, Volume 10, Number 2 (pp. 93–105) 99

M 0M the values of x6 [8, 11] and x 6 [8, 11] and there- ences for 32-bit guesses of key w8[2, 5, 8, 15]. fore determine the value of w7[8, 15]. At this step, Therefore, Step 3 requires about 255 × n−25 78+15 109 we have about 3×2 candidates for w7[8, 15]. 255 × 2 ≈ 2 memory accesses. n−33 64 From the 2 pairs and the 3×255 differences (5) For each 2 guesses of w8[2, 3, 5, 6, 8, 9, 12, 15], which are distributed over the 216 possible val- we need 278−33 × 3 × 255 ≈ 278−23.4 mem- ues of w7[8, 15]. Consequently, for a given guess ory accesses in a lookup table to achieve n−25 16 of w7[8, 15], we have about 3 × 2 /2 = the guess for w7[8, 15] from the differences 3 × 2n−41 pairs which for each guess of the con- M,col(2) 4x6 . So, step 4 requires about sidered bytes in w8 and w7, lead the input dif- 264 × 278−23.4 = 2118.6 memory accesses. ference to the impossible differential. (6) For each remaining pair, step 5 is repeated 32 80 (5) First we create a list A of all 2 4-byte keys 2 times (for each possible values of w7 STK0[0, 5, 10, 15] and for all remaining pairs and w8), and on average for each repetition, (Pi,Pj), we compute four bytes [0, 5, 10, 15] of we need to access to hash table Hp and list I 0I 80 x1 and x 1: A. So, this step requires about 2 × 2 × I 78−39.4 119.6 x1 = Pi[0, 5, 10, 15] ⊕ STK0[0, 5, 10, 15], 2 = 2 memory accesses. 0I x 1 = Pj[0, 5, 10, 15] ⊕ STK0[0, 5, 10, 15]. (7) We already have obtained eight bytes of Note that the STK0 only has one non-zero dif- the key w8 and an exhaustive search is ference byte 4STK0[6] 6= 0, and 4STK0[6] = needed to achieve the remaining key bytes 4P [6]. which cost 28×8 = 264 encryption. But the From precomputation, we know on average Hp time complexity of this step is negligible I 0I compared to the other steps. has one pair (x1, x 1) in each row. For each tuple I 0I As a rule of thumb method adopted in most (x1, x 1, 4T0[6]) which is obtained at this stage, I of the works (e.g. [12]), we assume the time we discard the P ⊕ x1 from the related indexed row of the hash table. Since with respect to the complexity of 16 memory access equals to the precomputation (offline phase), we are sure that time complexity of one round, since in each such a a key leads to an impossible differential, round the Sbox is called 16 times. Consequently, 7 resulting in a wrong key. the 8 rounds are at least equal to 16 × 8 = 2 Finally, if A is not empty, output the remain- memory accesses. So we can assume that each −7 ing value(s) in A with corresponding key guess memory access is equivalent to 1/(16×8) = 2 8-round encryption. of w7[8, 15] and w8[2, 3, 5, 6, 8, 9, 12, 15]. Totally, time complexity is about (236 + 2118)Enc + (2101 + 2109 + 2118.6 + 2119.6)MA ≈ 4.3 Complexity Analysis (2118 + 2120.2 × 2−7)Enc ≈ 2118Enc. • Data Complexity • Memory Complexity We know 2−(cin+cout) = 2−32 × 2−48 × 3 × The precomputation phase needs about −8 −86.4 40 43.2 2 ≈ 2 and we guessed 32-bit of kin and 2 × (4 + 4 + 1) ≈ 2 bytes of memory I I (64 + 16)-bit of Kout. So, we can easily compute for storing x1[0, 5, 10, 15], x1[0, 5, 10, 15] and the data complexity D: 4T0[6]. With the simple approach, we need −86.4 (1 − 2−(86.4))D < 1/2112 → e−(2 ×D) < 28×(8+2+4) bytes to store the deleted val- 112 1/2 → ues of w8[2, 3, 5, 6, 8, 9, 12, 15], w7[8, 15] and 93 n+15 → D ≈ 2 = 2 → n = 78. K0[0, 5, 10, 15]. But if we use Lu et al. improve- Since n = 78 then 278 × 240 = 2118 chosen ment, we can apply the attack individually plaintexts, are required for the attack. for each guess of the key; and for the remain- • Time Complexity ing bytes of each guess that is not discarded, (1) The precomputation requires about 2 × perform an exhaustive search. So, instead 240 × 4/16 = 239 one-round decryptions, of the simple approach, we can store about which is equal to 239/8 = 236 8-round de- 2n+23 = 2101 suggestions that remain after cryptions. step 2. Each suggestion consists of one pair. So, (2) Since we need n to be equal to 78, step the memory complexity of the attack is about 1 requires 2(78+40) = 2118 8-round encryp- 243.2 +(2101 ×2×16) ≈ 2106 bytes or 2102 states. tions. (3) Based on observation I, step 2 can be done 5 8-round Related-Tweakey by a look-up table. So, this step needs about Impossible Differential Attack 78+15 101 255 × 2 ≈ 2 memory accesses. In this section, we present a related key impossible (4) We considered 255 differences of the 32-bit differential cryptanalysis of 8-round Deoxys by ex- key guesses w8[3, 6, 9, 12] and 255 differ-

ISeCure 100 Impossible Differential Cryptanalysis on Deoxys-BC-256 — A. Mehrdad et al.

5.1 Attack Procedure Algorithm2 illustrates a high level of the attack procedure. In what follows, we describe the attack procedure in details: Algorithm 2 8-round Related-Key Attack on Deoxys-BC 0 0 for all K2[1] = T2[1] & K2[1] = T2[1] do for all 2116.5 chosen plaintexts do keep corresponding ciphertexts which have only two active last columns. for all 291.5 remaining ciphertext pairs do R check if only two bytes x8 [8, 15] are active. 16 for all 2 possible values of w8[8, 15] do O compute x7,col(2). for all 243.5 remaining pairs do R check if x7,col(2) have only one passive R R R byte at x7 [9] or x7 [10] or x7 [11]. Figure 5. 8-round related key impossible differential trail for all remaining pairs do discard each STK0[3, 4, 9, 14] leads O to passive x1 . tending our impossible differential characteristic by end for two rounds at the beginning and 1.5-round at the end. end for This attack on the reduced 8-round Deoxys requires end for about 2116.5 chosen plaintexts, 248 words of memory 116.5 end for and 2 8-round Deoxys encryptions. Figure 5 illus- end for trates this attack. end for For our analysis, we consider a situation in which Do exhaustive search for all remaining subkey bits. the value of the key difference in round 2 is exactly equal to the value of the tweak difference in the second (1) We take 2n × 279 = 2n+79 possible plaintext round (4K2[1] = 4T2[1]). In other words, we assume pairs. Then we ask for the corresponding cipher- i texts: C = ET (P ). We just select the pairs, that two users encrypt data with two different keys, i Ki i and that these two keys have a non-zero difference of M 0M so that corresponding pairs (x8 , x 8 ), have one byte, 4K0[15]. In this case, we select the tweaks just eight active bytes in the last two columns. in a way that the value of the 4K2[1] exactly matches So the expected number of remaining pairs is the value of the 4T2[1]. Considering this condition, 2n+79 × 2−64 = 2n+15. the definition of structure and set of plaintexts is a M 0M (2) For all pairs (x8 , x 8 ) that passed step 1, we little different from what described in Section 4. Aw Aw −1 M compute 4x8,col(2,3): 4x8 = MC ◦(4x8 ). 40 Aw A structure L consists of 2 plaintexts Pi all of We keep pairs where only 4x8 [8, 12, 13, 14, 15] which are different in bytes Pi[3, 4, 9, 14, 15] and equal are active bytes and also the differences of 32 Aw at other bytes. Each 2 plaintexts Pi of one structure bytes in the positions 4x8 [12, 13, 14] are th that have equal 15 byte value of plaintexts Pi, form equal to the differences of bytes in the positions i a set S. The value of STK0[15] is equal to Pi[15], so a 4w8[12, 13, 14]. Since we must have three zero- i Aw dedicated STK0[15] (and Pi[15]) is assigned to each difference bytes, 4x8 [9, 10, 11] = 0 and three 8 Aw set. Clearly, there exist 2 sets in each structure. In special difference bytes 4x8 [12, 13, 14] = our attack procedure, we need the pair of plaintext- 4w8[12, 13, 14], the number of remaining pairs tweakeys ((P,STK), (P 0,STK0)) such that P ⊕P 0 has is 2n+15 × (2−8)3 × (2−8)3 = 2n−33. an active byte in positions [3, 4, 9, 14, 15] and P [15] ⊕ (3) We guess the 16-bit values of w8[8, 15]. Since P 0[15] = STK[15] ⊕ STK0[15]. We can build about we know the relation of subtweakeys, we can 32 8 4 64 0 2 ×(2 −1) ≈ 2 distinct pairs that have four active compute w8[15] easily. Then for each pairs 28 0 0 bytes [3, 4, 9, 14]. Also, we can choose different sets (C, w8), (C , w8) that has passed step 2, com- 2 O th O 0 from a structure to be sure that the 15 byte is active pute four bytes of x7,col(2) and x 7,col(2): 28 32 8 4 xO = SB−1◦SR−1◦(w ⊕(MC−1◦(TR ⊕C))), too. Totally, we can build about 2 ×2 ×(2 −1) ≈ 7 8 8 79 0O −1 −1 0 −1 0 2 pairs per structure, that have five active bytes in x 7 = SB ◦ SR ◦ (w8 ⊕ (MC ◦ (TR8 ⊕ positions [3, 4, 9, 14, 15]. C0))).

ISeCure July 2018, Volume 10, Number 2 (pp. 93–105) 101

From step 1 we are sure that only two bytes O 4x7 [8, 11] are active. So we have no filtering here. (4) Consider the value of 4STK7[8], check that R 4x7,col(2) has three active bytes in positions [8, 9, 11] or [8, 9, 11] or [8, 10, 11]. At the end of this step, the expected number of remaining pairs is about 2n−33 × 2−8 × 3 ≈ 2n−39.4. (5) We guess 32-bit values of STK0[3, 4, 9, 14] and for all remaining pairs from the above steps, we M 0M compute four-bytes x1,col(1) and x 1,col(1): M x1 = MC ◦ SR ◦ SB ◦ (P ⊕ STK0), 0M 0 0 x 1 = MC ◦ SR ◦ SB ◦ (P ⊕ STK0). M We only consider the pairs that 4x1,col(1) = 4STK1,col(1). So, we only choose pairs in which M M 4x1 [6] = 4STK1[6] and 4x1 [4, 5, 7] = 0. In other word, we only choose pairs that at the end of round one, we are sure that there is no active O byte at 4x1,col(1). Since, we must have four O zero-difference bytes 4x1,col(1) = 0, the number of remaining pairs is about 2n−39.4 × (2−8)4 = 2n−71.4. Figure 6. 9-round related key impossible differential trail Since we initially considered the difference (3) Step 5 needs about 2 × 216 × 232 × 4K2[1] equal to 4T2[1], then we are sure that 276.5−39.4 = 286.1 one-round 4/16 encryp- the differential characteristic passes the forward tions, which is equal to 286.1 ×4/16×1/8 = path correctly. 281.1 8-round encryptions. The keys that pass all the above steps and Consequently, total complexity is about lead such a difference (that is impossible), are (2116.5 + 255.5 + 281.1)Enc ≈ 2116.5Enc. wrong keys and must be discarded. We remove • Memory Complexity such a key K0 for each 16-bit guess of output For storing the list of discard keys, we need corresponding key w8. Since only one of the 28×(2+4) = 248 bytes of memory for storing keys is the correct key, if we choose proper data the deleted values of w8[8, 15] and K0[3, 4, 9, 14]. complexity and perform the above operation for Therefore, memory complexity is 248 bytes or all remaining pairs of step 4, we can be sure we 244 states. have reached the correct key. 6 9-round Related-Tweakey 5.2 Complexity Analysis Impossible Differential Attack • Data Complexity Similar to the attack that was applied to the 8-round The bit conditions are about 2−(cin+cout) = Deoxys, we can analyse the 9-round Deoxys, using −32 −48 −8 −86.4 S 2 ×2 ×3×2 ≈ 2 and | kin kout | impossible differential characteristic of 4.5-round De- is equal to 32 + 16 = 48 so the data complexity oxys as shown in Figure 3. We extend our impossible D is: differential by two rounds at the beginning and 2.5- −86.4 (1 − 2−(86.4))D < 1/248 → e−(2 ×D) < round at the end. Figure 6 shows this attack. In this 1/248 → section, we use observation I again. → D ≈ 291.5 = 2n+15 → n = 76.5. The attack procedure has two phases, online phase Since n = 76.5 then 276.5 × 240 = 2116.5 chosen and precomputation (offline phase). Algorithm3 illus- plaintexts, are required for the attack. trates a high level of the attack procedure. The details • Time Complexity of the attack are as follows. (1) Step 1 requires 2(76.5+40) = 2116.5 8-round encryptions. (2) Complexity of step 3 is about 2 × 216 × 6.1 Precomputation Phase 2(76.5−33) = 260.5 one-round 4/16 decryp- The number of pairs (xM , x0M ) that are dif- tions, which means 260.5 × 4/16 × 1/8 = 1,col(1) 1,col(1) M 255.5 8-round encryptions. ferent only in byte position x1 [6] and the difference is equal to the difference of two subtweakeys STK1[6]

ISeCure 102 Impossible Differential Cryptanalysis on Deoxys-BC-256 — A. Mehrdad et al.

Algorithm 3 9-round Related-Key Attack on sitions [0,1,4,7,10,11,13,14], the expected num- Deoxys-BC ber of remaining pairs is 2n+79 × 2−64 = 2n+15. 40 0 Precomputation Phase make a list Hp of 2 valid (2) Since we know the value of (C,C ) and 4STK9, S ﬁrst round constructions. the difference 4x9,col(3) can be determined. Aw Online Phase Thus, by knowing the value of 4x8,col(3), we for all K [1] = T [1] & K0 [1] = T 0[1] do S 0S 2 2 2 2 can obtain the values of x and x 9,col(3) 118 9,col(3) for all 2 chosen plaintexts do according to observation I. Since we have 28 − 1 keep corresponding ciphertexts which have different values of 4xR[15], because of fix sub- I 8 only two active last columns x9,col(2,3). key difference notice to the tweak difference, 8 Aw 8 for all 2 possible values of 4x8 [15] that finally we have only 2 − 1 different values of leads to 4xR[3, 6, 9, 12] do Aw 9 4x8,col(3). Therefore, this step can be done as compute w9[3, 6, 9, 12]. follows: 8 Aw 32 for all 2 possible values of 4x8 [8] that Initialize 2 empty lists, for each guess R leads to 4x9 [2, 5, 8, 15] do of w9[3, 6, 9, 12] we can easily obtain the compute w [2, 5, 8, 15]. 0 9 value of w9[3, 6, 9, 12], which is different from Aw for all 3×255 possible values of 4x7,col(2) w9[3, 6, 9, 12] only at w9[6] due to the sub- R that leads to 4x8 [8, 15] do tweakey difference schedule. 0 compute w8[8, 15]. For each remaining pair (C,C ), and for each 37 Aw for all 2 remaining pairs do possible value of 4x8,col(3), calculate the key 0 discard each STK0[3, 4, 9, 14] that is w9[3, 6, 9, 12] that leads the pair (C,C ) to Aw in Hp. 4x8,col(3) and add this pair to the list related end for to the guessed key. end for Due to observation I, for each pair and dis- end for tinction guess, on average we have one key end for suggestion. Since these 2n+15 × 28 = 2n+23 end for suggestions are distributed over all 232 possible end for keys, we have about 2n+23/232 = 2n−9 pairs for Do exhaustive search for all remaining subkey bits. each guess of w9[3, 6, 9, 12]. (3) Similar to step 2, we initialize 232 empty lists 0 M and STK1[6] (4x1 [6] = 4STK1[6] 6= 0), is equal to for each guess of w9[2, 5, 8, 15]. 28 × (28 − 1) × (28)3 ≈ 240. For all these 240 pairs, For each remaining pair (C,C0), and for each I 0I possible value of 4xAw[8], calculate the key compute four bytes [0, 5, 10, 15] of x1 and x 1: 8 0 I −1 −1 −1 M w9[2, 5, 8, 15] that leads the pair (C,C ) to x1[3, 4, 9, 14] = SB ◦ SR ◦ MC (x1,col(1)) and 4xAw , and add this pair to the list related x0I [3, 4, 9, 14] = SB−1 ◦ SR−1 ◦ MC−1(x0M ). 8,col(2) 1 1,col(1) to the guessed key. Since the 4STK1[6] leads to a special 4STK0[15], I 0I Due to observation I, for each pair and distinc- we can store the pairs (x1, x 1) in a hash table Hp I tion guess, on average, we have one suggested indexed by (4x1 || 4STK0[15]). These parameters n−9 n−1 40 32 key. Since these 2 × 255 ≈ 2 suggestions can take 2 different values (2 distinct values for 32 I 8 are distributed over all 2 possible keys, we 4x1 and 2 unequal values for 4STK0[15]). Each n−1 32 n−33 40 have about 2 /2 = 2 pairs for each value represents a row in Hp. Since, we have 2 pairs guess of w9[2, 5, 8, 15]. M 0M I 0I (x1 , x 1 ), then on average Hp has one pair (x1, x 1) (4) We use Lu et al. improvement again. Since we in each row. In which the first parameter specifies the want 4xR to have an active byte in the 8th I 7,col(2) value of 4x1, and the second parameter determines position and two of other three bytes and also the value of 4STK0[15]. the subkey difference is fix, there are 3 × 2553 Aw possible differences for 4x7,col(2) and only 3 × 6.2 Online Phase 2553/2552 = 3 × 255 of these differences lead M (1) We take 2n structures, which produce about to a difference 4x7,col(2) so that only two bytes n 79 n+79 M 2 × 2 = 2 possible plaintext pairs. Then 4x7 [8, 11] are active. we ask for the corresponding ciphertexts: Ci = So, for each pair and each guess of w8[8, 15] T i M EK (Pi). We can invert the final subtweaky XoR we must check whether 4x7,col(2) belongs to R −1 and compute 4x9 = MC ◦ (4C ⊕ 4STK9). these 3 × 255 differences. According to obser- R R We just select the pairs that corresponding 4x9 , vation I, when we have 4x8 [8, 15] as output M have eight active bytes [2, 3, 5, 6, 8, 9, 12, 15]. and 4x7 [8, 11] as input difference of the S- R M Since we must have eight equal bytes 4x9 in po- box, we can compute the values of x7 [8, 11]

ISeCure July 2018, Volume 10, Number 2 (pp. 93–105) 103

0M and x 7 [8, 11] and therefore determine the value accesses. 78+15 of w8[8, 15]. At this step, we have about 3 × (4) Step 3 requires about 255×255×2 ≈ −33 n−25 109 255 × 2 = 3 × 2 candidates for w8[8, 15]. 2 memory accesses. n−33 64 From the 2 pairs and the 3×255 differences (5) For each 2 guesses of w9[2, 3, 5, 6, 8, 9, 12, 15], which are distributed over the 216 possible val- we need 278−33 × 3 × 255 ≈ 278−23.4 mem- ues of w8[8, 15]. Consequently, for a given guess ory accesses in a lookup table to achieve n−25 16 of w8[8, 15], we have about 3 × 2 /2 = the guess for w8[8, 15] from the differences 3 × 2n−41 pairs which for each guess of the con- M,col(2) 4x7 . So, step 4 requires about sidered bytes in w9 and w8, lead the input dif- 264 × 278−23.4 = 2118.6 memory accesses. ference to the impossible differential. (6) For each remaining pair, step 5 is repeated 32 80 (5) First we create a list A of all 2 4-byte keys 2 times (for each possible values of w8 STK0[3, 4, 9, 14] and for all remaining pairs and w9), and on average for each repetition, (Pi,Pj), we compute four bytes [3, 4, 9, 14] of we need to access to hash table Hp and list I 0I 80 x1 and x 1: A. So, this step require about 2 × 2 × I 78−39.4 119.6 x1 = Pi[3, 4, 9, 14] ⊕ STK0[3, 4, 9, 14], 2 = 2 memory accesses. 0I x 1 = Pj[3, 4, 9, 14] ⊕ STK0[3, 4, 9, 14]. (7) Exhaustive search is negligible. Note that the STK0 only has one non- As it is mentioned before in Section 4, the time zero difference byte 4STK0[15] 6= 0, which complexity of 9 rounds is equal to at least 16 × 9 4STK0[15] = 4P [15]. memory access. So we can estimate each memory −7 From precomputation, we know on average Hp access as 1/(16 × 9) ≈ 2 9-round encryption. 35.9 has one pair (xI , x0I ) in each row. For each Totally, time complexity is about (2 + 1 1 118 101 109 118.6 119.6 tuple (xI , x0I , 4STK [15]), which is obtained 2 )Enc + (2 + 2 + 2 + 2 )MA ≈ 1 1 0 118 120.2 −7 118 I (2 + 2 × 2 )Enc ≈ 2 Enc. at this stage, we discard the P ⊕ x1 from the related indexed row of the hash table. Since • Memory Complexity with respect to the precomputation (offline The precomputation phase needs about 40 43.2 phase), we are sure that such a key leads to the 2 × (4 + 4 + 1) ≈ 2 bytes of memory I I impossible differential, resulting in a wrong key. for storing x1[3, 4, 9, 14], x1[3, 4, 9, 14] and Since we initially considered the difference 4STK0[15]. we apply the attack individually for each guess of the key and for the remaining 4K2[1] to be equal to 4T2[1], then we are sure that the differential characteristic passes the bytes of each guess that is not discarded, per- forward path correctly. form an exhaustive search. So, we store about n+31 109 Finally, if A is not empty, output the remain- 2 = 2 suggestions that remain after ing value(s) in A with corresponding key guess Step 2. Each suggestion consists of one pair. So, the memory complexity of the attack is about of w8[8, 15] and w9[2, 3, 5, 6, 8, 9, 12, 15]. 243.2 + 2114 ≈ 2114 bytes or 2110 states. 6.3 Complexity Analysis 7 Conclusion • Data Complexity This paper describes several impossible differential The data complexity D is: −86.4 cryptanalysis on the round-reduced variants of Deoxys- (1 − 2−(86.4))D < 1/2112 → e−(2 ×D) < BC-256. As a possible direction for future research, 1/2112 → one can investigate the security of Deoxys-BC-256 → D ≈ 293 = 2n+15 → n = 78. against impossible differential by considering a beyond Where 2−(cin+cout) = 2−32 ×2−48 ×3×2−8 ≈ full-codebook scenario, since the tweak in Deoxys- −86.4 S 2 and | kin kout | is equal to 32+64+16 = BC can provide extra plaintext-ciphertext pairs in 112. Since n = 78 then 278 × 240 = 2118 chosen contradiction to the classical model. plaintexts, are required for the attack. • Time Complexity This paper describes several impossible differential (1) The precomputation requires about 2 × cryptanalysis on the round-reduced variants of Deoxys- 240 × 4/16 = 239 one-round decryptions, BC-256. This work presents the first third-party crypt- which is equal to 239/9 ≈ 235.9 9-round analysis of the tweakable block cipher Deoxys-BC-256 decryptions. in the single-key model. We also propose impossible (2) Since n was considered to be 78, step 1 re- differential attacks up to the 9-round Deoxys-BC-256 quires 2(78+40) = 2118 9-round encryptions. in the related-tweak related-key model which has a (3) Based on Lu et al. method, step 2 can lower memory complexity than the best previous at- be done by a look-up table. So, this step tack. needs about 255 × 278+15 ≈ 2101 memory

ISeCure 104 Impossible Differential Cryptanalysis on Deoxys-BC-256 — A. Mehrdad et al.

The cryptanalysis presented in this paper cannot be Techniques, 1999, pp. 12-23. exploited to mount a key-recovery attack on Deoxys- [9] M. Minier and M. Naya-Plasencia, “A related key II authenticated encryption scheme. However, as it is impossible differential attack against 22 rounds discussed in Section 6 of [1] the results can be applied of the lightweight block cipher LBlock”, In Infor- on the Deoxys-I authenticated encryption. mation Processing Letters, Volume 112, Issue 16, 2012, Pages 624-629, ISSN 0020-0190. As a possible direction for future research, one can [10] J. Chen, Y. Wei, Y. Hu, “A New Method for investigate the security of Deoxys-BC-256 against Impossible Differential Cryptanalysis of 7-round impossible differential by considering a beyond full- Advanced Encryption Standard”, Proceedings of codebook scenario, since the tweak in Deoxys-BC can International Conference on Communications, Cir- provide extra plaintext-ciphertext pairs in contradic- cuits and Systems Proceedings 2006, Vol. 3, pp. tion to the classical model. 1577-1579, IEEE, 2006. 8 Acknowledgement [11] C. Boura, M. Naya-Plasencia, and V. Suder,“Scrutinizing and Improving Impossible The work of Hadi Soleimany is partly supported by Differential Attacks: Applications to CLEFIA, grants from Shahid Beheshti University and by the Camellia, LBlock and Simon”, In ASIACRYPT Iranian National Science Foundation (grant number 2014, Lecture Notes in Computer Science , volume 95835673). 8873, pages 179-199, Springer, 2014. References [12] B. Bahrak and M. R. Aref, “Impossible differential attack on seven-round AES-128”, IET In- [1] C. Cid, T. Huang, T. Peyrin, Y. Sasaki, and formation Security journal, Vol. 2, Number 2, pp. L. Song, “A security analysis of Deoxys and its 2832, IET, 2008. internal tweakable block ciphers”, IACR Trans- [13] B. Bahrak and M. R. Aref, “A Novel Impossible actions on Symmetric Cryptology, 2017(3):73107, Differential Cryptanalysis of AES”, proceedings 2017. of the Western European Workshop on Research [2] Z. Jiang and C. Jin, “Impossible Differential Crypt- in Cryptology 2007, Bochum, Germany, 2007. analysis of 8-Round Deoxys-BC-256”, IEEE Ac- [14] J. Lu, O. Dunkelman, N. Keller, and J. Kim, cess, Vol. 6, pp. 8890–8895, 2018. “New Impossible Differential Attacks on AES”, IN- [3] R. Zong, X. Dong, X. Wang, “Related-Tweakey DOCRYPT 2008. LNCS, vol. 5365, pp. 279293. Impossible Differential Attack on Reduced-Round Springer, Berlin, 2008. Deoxys-BC-256”, SCIENCE CHINA Information [15] C. Dobraunig and E. List, “Impossible- Sciences. Differential and Boomerang Cryptanalysis of [4] J. Jean, I. Nikolic, T. Peyrin, and Y. Seurin, “De- Round-Reduced Kiasu-BC”, pp. 207222. Cham: oxys v1.41”, Submitted to CAESAR, October Springer International Publishing, 2017. 2016. [5] J. Jean, I. Nikoli´c,and T. Peyrin, “Tweaks and Alireza Mehrdad is a master of Keys for Block Ciphers : the TWEAKEY Frame- science. He received his M.S. in se- work”, Advances in Cryptology - ASIACRYPT cure communications and cryptogra- 2014 - 20th International Conference on the Theory phy from Shahid Beheshti University, and Application of Cryptology and Information Tehran, Iran, in 2018. He had received Security, Kaoshiung, Taiwan, R.O.C., December his bachelor in communication from 7-11, 2014, Proceedings, Part II, volume 8874 of Noshirvani Institute of Technology, Lecture Notes in Computer Science, pages 274288. Babol, Iran, in 2015. His main research interests are Springer, 2014. symmetric cryptography, post-quantum cryptography, [6] J. Daemen, V. Rijmen, “AES Proposal : Rijndael”, and authenticated encryption. NIST AES proposal, 1998. [7] E. Biham, A. Biryukov, A. Shamir, “Miss in the middle attacks on IDEA and Khufu”, In L. Knud- sen, editor, Fast Software Encryption, 6th international Workshop, Volume 1636 of Lecture Notes in Computer Science, pages 124138, Rome, Italy, Springer-Verlag 1999. [8] E. Biham, A. Biryukov, A. Shamir, “Cryptanalysis of Skipjack Reduced to 31 Rounds using Impos- sible Differentials”, in International Conference on the Theory and Applications of Cryptographic

ISeCure July 2018, Volume 10, Number 2 (pp. 93–105) 105

Farokhlagha Moazami is an assis- Hadi Soleimany is an assistant pro- tant professor at the Cyber Space Re- fessor at Cyberspace Research Insti- search Institute at Shahid Beheshti tute at Shahid Beheshti University, University, Iran, Tehran, since 2013. Iran, since 2015. He received his Ph.D. She received B.S. and Ph.D. degrees in theoretical computer science from in mathematics from Alzahra Univer- Aalto University, Finland, in 2015. sity, Tehran, Iran, in 2004 and 2012, He was a postdoctoral researcher at respectively and M.S. degree in mathematics from Technical University of Denmark (DTU), Denmark, Sharif University of Technology, Iran, Tehran, in 2006. in summer 2016 and 2017. His main research interests She was a postdoctoral at Sharif University of Tech- are practical aspects of cryptography. nology, Iran, Tehran, from 2012 to 2013. Her main research interests is theoretical and practical aspects of cryptography.

ISeCure