{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,7]],"date-time":"2026-03-07T14:18:39Z","timestamp":1772893119085,"version":"3.50.1"},"reference-count":71,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2021,6,10]],"date-time":"2021-06-10T00:00:00Z","timestamp":1623283200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2021,6,10]],"date-time":"2021-06-10T00:00:00Z","timestamp":1623283200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Cryptol"],"published-print":{"date-parts":[[2021,7]]},"DOI":"10.1007\/s00145-021-09397-w","type":"journal-article","created":{"date-parts":[[2021,6,10]],"date-time":"2021-06-10T17:02:52Z","timestamp":1623344572000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":28,"title":["The Deoxys AEAD Family"],"prefix":"10.1007","volume":"34","author":[{"given":"J\u00e9r\u00e9my","family":"Jean","sequence":"first","affiliation":[]},{"given":"Ivica","family":"Nikoli\u0107","sequence":"additional","affiliation":[]},{"given":"Thomas","family":"Peyrin","sequence":"additional","affiliation":[]},{"given":"Yannick","family":"Seurin","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2021,6,10]]},"reference":[{"key":"9397_CR1","doi-asserted-by":"crossref","unstructured":"M.R. Albrecht, K.G. Paterson, G.J. Watson, Plaintext recovery attacks against SSH, in 2009 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2009), pp. 16\u201326","DOI":"10.1109\/SP.2009.5"},{"key":"9397_CR2","doi-asserted-by":"crossref","unstructured":"N.J. AlFardan, K.G. 
Paterson, Lucky thirteen: Breaking the TLS and DTLS record protocols, in 2013 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2013), pp. 526\u2013540","DOI":"10.1109\/SP.2013.42"},{"key":"9397_CR3","unstructured":"E.\u00a0Andreeva, A.\u00a0Bogdanov, N.\u00a0Datta, A.\u00a0Luykx, B.\u00a0Mennink, M.\u00a0Nandi, E.\u00a0Tischhauser, K.\u00a0Yasuda, COLM v1. Submission to the CAESAR competition (2015)"},{"key":"9397_CR4","doi-asserted-by":"crossref","unstructured":"E.\u00a0Andreeva, A.\u00a0Bogdanov, A.\u00a0Luykx, B.\u00a0Mennink, N.\u00a0Mouha, K.\u00a0Yasuda, How to securely release unverified plaintext in authenticated encryption, in P.\u00a0Sarkar and T.\u00a0Iwata, editors, ASIACRYPT\u00a02014, Part\u00a0I, volume 8873 of LNCS (Springer, Heidelberg, 2014), pp. 105\u2013125","DOI":"10.1007\/978-3-662-45611-8_6"},{"key":"9397_CR5","doi-asserted-by":"crossref","unstructured":"C.\u00a0Beierle, J.\u00a0Jean, S.\u00a0K\u00f6lbl, G.\u00a0Leander, A.\u00a0Moradi, T.\u00a0Peyrin, Y.\u00a0Sasaki, P.\u00a0Sasdrich, S.M. Sim, The SKINNY family of block ciphers and its low-latency variant MANTIS, in M.\u00a0Robshaw and J.\u00a0Katz, editors, CRYPTO\u00a02016, Part\u00a0II, volume 9815 of LNCS (Springer, Heidelberg, 2016), pp. 123\u2013153","DOI":"10.1007\/978-3-662-53008-5_5"},{"key":"9397_CR6","unstructured":"M.\u00a0Bellare, A.\u00a0Desai, E.\u00a0Jokipii, P.\u00a0Rogaway, A concrete security treatment of symmetric encryption, in 38th FOCS (IEEE Computer Society Press, 1997), pp. 394\u2013403"},{"key":"9397_CR7","doi-asserted-by":"crossref","unstructured":"M.\u00a0Bellare, C.\u00a0Namprempre, Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, in T.\u00a0Okamoto, editor, ASIACRYPT\u00a02000, volume 1976 of LNCS (Springer, Heidelberg, 2000), pp. 
531\u2013545","DOI":"10.1007\/3-540-44448-3_41"},{"key":"9397_CR8","doi-asserted-by":"crossref","unstructured":"E.\u00a0Biham, O.\u00a0Dunkelman, N.\u00a0Keller, The rectangle attack\u2014rectangling the Serpent, in B.\u00a0Pfitzmann, editor, EUROCRYPT\u00a02001, volume 2045 of LNCS (Springer, Heidelberg, 2001), pp. 340\u2013357","DOI":"10.1007\/3-540-44987-6_21"},{"key":"9397_CR9","doi-asserted-by":"crossref","unstructured":"E.\u00a0Biham, O.\u00a0Dunkelman, N.\u00a0Keller, New results on boomerang and rectangle attacks, in J.\u00a0Daemen and V.\u00a0Rijmen, editors, FSE\u00a02002, volume 2365 of LNCS (Springer, Heidelberg, 2002), pp. 1\u201316","DOI":"10.1007\/3-540-45661-9_1"},{"key":"9397_CR10","doi-asserted-by":"crossref","unstructured":"B.\u00a0Bilgin, A.\u00a0Bogdanov, M.\u00a0Kne\u017eevi\u0107, F.\u00a0Mendel, Q.\u00a0Wang, Fides: Lightweight authenticated cipher with side-channel resistance for constrained hardware, in G.\u00a0Bertoni and J.-S. Coron, editors, CHES\u00a02013, volume 8086 of LNCS (Springer, Heidelberg, 2013), pp. 142\u2013158","DOI":"10.1007\/978-3-642-40349-1_9"},{"key":"9397_CR11","doi-asserted-by":"crossref","unstructured":"A.\u00a0Biryukov, D.\u00a0Khovratovich, Related-key cryptanalysis of the full AES-192 and AES-256, in M.\u00a0Matsui, editor, ASIACRYPT\u00a02009, volume 5912 of LNCS (Springer, Heidelberg, 2009), pp. 1\u201318","DOI":"10.1007\/978-3-642-10366-7_1"},{"key":"9397_CR12","doi-asserted-by":"crossref","unstructured":"A.\u00a0Biryukov, D.\u00a0Khovratovich, I.\u00a0Nikolic, Distinguisher and related-key attack on the full AES-256, in S.\u00a0Halevi, editor, CRYPTO\u00a02009, volume 5677 of LNCS (Springer, Heidelberg, 2009), pp. 
231\u2013249","DOI":"10.1007\/978-3-642-03356-8_14"},{"key":"9397_CR13","doi-asserted-by":"crossref","unstructured":"A.\u00a0Biryukov, I.\u00a0Nikolic, Automatic search for related-key differential characteristics in byte-oriented block ciphers: Application to AES, Camellia, Khazad and others, in H.\u00a0Gilbert, editor, EUROCRYPT\u00a02010, volume 6110 of LNCS (Springer, Heidelberg, 2010), pp. 322\u2013344","DOI":"10.1007\/978-3-642-13190-5_17"},{"key":"9397_CR14","doi-asserted-by":"crossref","unstructured":"A.\u00a0Biryukov, I.\u00a0Nikolic, Search for related-key differential characteristics in DES-like ciphers, in A.\u00a0Joux, editor, FSE\u00a02011, volume 6733 of LNCS (Springer, Heidelberg, 2011), pp. 18\u201334","DOI":"10.1007\/978-3-642-21702-9_2"},{"key":"9397_CR15","doi-asserted-by":"crossref","unstructured":"A.\u00a0Biryukov, D.\u00a0Wagner, Slide attacks, in L.\u00a0R. Knudsen, editor, FSE\u201999, volume 1636 of LNCS (Springer, Heidelberg, 1999), pp. 245\u2013259","DOI":"10.1007\/3-540-48519-8_18"},{"key":"9397_CR16","doi-asserted-by":"crossref","unstructured":"A.\u00a0Bogdanov, F.\u00a0Mendel, F.\u00a0Regazzoni, V.\u00a0Rijmen, E.\u00a0Tischhauser, ALE: AES-based lightweight authenticated encryption, in S.\u00a0Moriai, editor, FSE\u00a02013, volume 8424 of LNCS (Springer, Heidelberg, 2014), pp. 447\u2013466","DOI":"10.1007\/978-3-662-43933-3_23"},{"issue":"3","key":"9397_CR17","doi-asserted-by":"publisher","first-page":"73","DOI":"10.46586\/tosc.v2017.i3.73-107","volume":"2017","author":"C Cid","year":"2017","unstructured":"C.\u00a0Cid, T.\u00a0Huang, T.\u00a0Peyrin, Y.\u00a0Sasaki, L.\u00a0Song, A security analysis of Deoxys and its internal tweakable block ciphers. IACR Trans. Symm. Cryptol. 2017(3), 73\u2013107 (2017)","journal-title":"IACR Trans. Symm. 
Cryptol."},{"key":"9397_CR18","doi-asserted-by":"crossref","unstructured":"C.\u00a0Cid, T.\u00a0Huang, T.\u00a0Peyrin, Y.\u00a0Sasaki, L.\u00a0Song, Boomerang connectivity table: A new cryptanalysis tool, in J.B. Nielsen and V.\u00a0Rijmen, editors, EUROCRYPT\u00a02018, Part\u00a0II, volume 10821 of LNCS (Springer, Heidelberg, 2018), pp. 683\u2013714","DOI":"10.1007\/978-3-319-78375-8_22"},{"issue":"2","key":"9397_CR19","doi-asserted-by":"publisher","first-page":"27","DOI":"10.46586\/tosc.v2017.i2.27-58","volume":"2017","author":"B Cogliati","year":"2017","unstructured":"B.\u00a0Cogliati, J.\u00a0Lee, Y.\u00a0Seurin, New constructions of macs from (tweakable) block ciphers. IACR Trans. Symm. Cryptol. 2017(2), 27\u201358 (2017)","journal-title":"IACR Trans. Symm. Cryptol."},{"key":"9397_CR20","unstructured":"G.\u00a0M.\u00a0U. Cryptographic Engineering Research\u00a0Group. ATHENa: Automated Tools for Hardware EvaluatioN - Deoxys-I-128 implementation, 2016. https:\/\/cryptography.gmu.edu\/athena\/."},{"key":"9397_CR21","doi-asserted-by":"crossref","unstructured":"H.\u00a0Demirci, A.A. Sel\u00e7uk, A meet-in-the-middle attack on 8-round AES, in K.\u00a0Nyberg, editor, FSE\u00a02008, volume 5086 of LNCS (Springer, Heidelberg, 2008), pp. 116\u2013126","DOI":"10.1007\/978-3-540-71039-4_7"},{"key":"9397_CR22","doi-asserted-by":"crossref","unstructured":"P.\u00a0Derbez, P.-A. Fouque, J.\u00a0Jean, Faster chosen-key distinguishers on reduced-round AES, in S.D. Galbraith and M.\u00a0Nandi, editors, INDOCRYPT\u00a02012, volume 7668 of LNCS (Springer, Heidelberg, 2012), pp. 225\u2013243","DOI":"10.1007\/978-3-642-34931-7_14"},{"key":"9397_CR23","doi-asserted-by":"crossref","unstructured":"P.\u00a0Derbez, P.-A. Fouque, J.\u00a0Jean, Improved key recovery attacks on reduced-round AES in the single-key setting, in T.\u00a0Johansson and P.\u00a0Q. Nguyen, editors, EUROCRYPT\u00a02013, volume 7881 of LNCS (Springer, Heidelberg, 2013), pp. 
371\u2013387","DOI":"10.1007\/978-3-642-38348-9_23"},{"key":"9397_CR24","doi-asserted-by":"crossref","unstructured":"I.\u00a0Dinur, J.\u00a0Jean, Cryptanalysis of FIDES, in C.\u00a0Cid and C.\u00a0Rechberger, editors, FSE\u00a02014, volume 8540 of LNCS (Springer, Heidelberg, 2015), pp. 224\u2013240","DOI":"10.1007\/978-3-662-46706-0_12"},{"key":"9397_CR25","unstructured":"C.\u00a0Dobraunig, M.\u00a0Eichlseder, F.\u00a0Mendel, M.\u00a0Schl\u00e4ffer, Ascon v1.2. Submission to Round 3 of the CAESAR competition (2016)"},{"key":"9397_CR26","doi-asserted-by":"crossref","unstructured":"O.\u00a0Dunkelman, N.\u00a0Keller, A.\u00a0Shamir, Improved single-key attacks on 8-round AES-192 and AES-256, in M.\u00a0Abe, editor, ASIACRYPT\u00a02010, volume 6477 of LNCS (Springer, Heidelberg, 2010), pp. 158\u2013176","DOI":"10.1007\/978-3-642-17373-8_10"},{"issue":"3","key":"9397_CR27","doi-asserted-by":"publisher","first-page":"171","DOI":"10.1007\/s12095-013-0096-8","volume":"6","author":"S Emami","year":"2014","unstructured":"S.\u00a0Emami, S.\u00a0Ling, I.\u00a0Nikolic, J.\u00a0Pieprzyk, H.\u00a0Wang, The resistance of PRESENT-80 against related-key differential attacks. Cryptogr. Commun. 6(3), 171\u2013187 (2014)","journal-title":"Cryptogr. Commun."},{"key":"9397_CR28","doi-asserted-by":"crossref","unstructured":"E.\u00a0Fleischmann, C.\u00a0Forler, S.\u00a0Lucks, McOE: A family of almost foolproof on-line authenticated encryption schemes, in A.\u00a0Canteaut, editor, FSE\u00a02012, volume 7549 of LNCS (Springer, Heidelberg, 2012), pp. 196\u2013215","DOI":"10.1007\/978-3-642-34047-5_12"},{"key":"9397_CR29","doi-asserted-by":"crossref","unstructured":"P.-A. Fouque, J.\u00a0Jean, T.\u00a0Peyrin, Structural evaluation of AES and chosen-key distinguisher of 9-round AES-128, in R.\u00a0Canetti and J.A. Garay, editors, CRYPTO\u00a02013, Part\u00a0I, volume 8042 of LNCS (Springer, Heidelberg, 2013), pp. 
183\u2013203","DOI":"10.1007\/978-3-642-40041-4_11"},{"key":"9397_CR30","first-page":"414","volume":"2010","author":"K Gaj","year":"2010","unstructured":"K.\u00a0Gaj, J.\u00a0Kaps, V.\u00a0Amirineni, M.\u00a0Rogawski, E.\u00a0Homsirikamol, B.Y. Brewster, ATHENa - Automated Tool for Hardware EvaluatioN: Toward Fair and Comprehensive Benchmarking of Cryptographic Hardware Using FPGAs, in International Conference on Field Programmable Logic and Applications - FPL 2010 (2010), pp. 414\u2013421","journal-title":"International Conference on Field Programmable Logic and Applications - FPL"},{"key":"9397_CR31","doi-asserted-by":"crossref","unstructured":"H.\u00a0Gilbert, T.\u00a0Peyrin, Super-sbox cryptanalysis: Improved attacks for AES-like permutations, in S.\u00a0Hong and T.\u00a0Iwata, editors, FSE\u00a02010, volume 6147 of LNCS (Springer, Heidelberg, 2010), pp. 365\u2013383","DOI":"10.1007\/978-3-642-13858-4_21"},{"key":"9397_CR32","unstructured":"S.\u00a0Gueron, A.\u00a0Langley, Y.\u00a0Lindell, AES-GCM-SIV: Specification and Analysis. IACR Cryptology ePrint Archive, Report 2017\/168, 2017. Available at http:\/\/eprint.iacr.org\/2017\/168"},{"key":"9397_CR33","doi-asserted-by":"crossref","unstructured":"V.\u00a0T. Hoang, T.\u00a0Krovetz, P.\u00a0Rogaway, Robust authenticated-encryption AEZ and the problem that it solves, in E.\u00a0Oswald and M.\u00a0Fischlin, editors, EUROCRYPT\u00a02015, Part\u00a0I, volume 9056 of LNCS (Springer, Heidelberg, 2015), pp. 15\u201344","DOI":"10.1007\/978-3-662-46800-5_2"},{"key":"9397_CR34","doi-asserted-by":"crossref","unstructured":"T.\u00a0Iwata, K.\u00a0Minematsu, T.\u00a0Peyrin, Y.\u00a0Seurin, ZMAC: A fast tweakable block cipher mode for highly secure message authentication, in J.\u00a0Katz and H.\u00a0Shacham, editors, CRYPTO\u00a02017, Part\u00a0III, volume 10403 of LNCS (Springer, Heidelberg, 2017), pp. 
34\u201365","DOI":"10.1007\/978-3-319-63697-9_2"},{"key":"9397_CR35","doi-asserted-by":"crossref","unstructured":"J.\u00a0Jean, M.\u00a0Naya-Plasencia, T.\u00a0Peyrin, Improved rebound attack on the finalist Gr\u00f8stl, in A.\u00a0Canteaut, editor, FSE\u00a02012, volume 7549 of LNCS (Springer, Heidelberg, 2012), pp. 110\u2013126","DOI":"10.1007\/978-3-642-34047-5_7"},{"key":"9397_CR36","doi-asserted-by":"crossref","unstructured":"J.\u00a0Jean, I.\u00a0Nikolic, T.\u00a0Peyrin, Tweaks and keys for block ciphers: The TWEAKEY framework, in P.\u00a0Sarkar and T.\u00a0Iwata, editors, ASIACRYPT\u00a02014, Part\u00a0II, volume 8874 of LNCS (Springer, Heidelberg, 2014), pp. 274\u2013288","DOI":"10.1007\/978-3-662-45608-8_15"},{"key":"9397_CR37","unstructured":"J.\u00a0Jean, I.\u00a0Nikoli\u0107, T.\u00a0Peyrin, Y.\u00a0Seurin, Deoxys v1.41. Submitted to CAESAR (October 2016)"},{"key":"9397_CR38","doi-asserted-by":"crossref","unstructured":"J.\u00a0Kelsey, T.\u00a0Kohno, B.\u00a0Schneier, Amplified boomerang attacks against reduced-round MARS and Serpent, in B.\u00a0Schneier, editor, FSE\u00a02000, volume 1978 of LNCS (Springer, Heidelberg, 2001), pp. 75\u201393","DOI":"10.1007\/3-540-44706-7_6"},{"key":"9397_CR39","doi-asserted-by":"crossref","unstructured":"M.\u00a0Khairallah, A.\u00a0Chattopadhyay, T.\u00a0Peyrin, Looting the LUTs: FPGA optimization of AES and AES-like ciphers for authenticated encryption, in A.\u00a0Patra and N.\u00a0P. Smart, editors, INDOCRYPT\u00a02017, volume 10698 of LNCS (Springer, Heidelberg, 2017), pp. 282\u2013301","DOI":"10.1007\/978-3-319-71667-1_15"},{"key":"9397_CR40","doi-asserted-by":"crossref","unstructured":"D.\u00a0Khovratovich, I.\u00a0Nikolic, Rotational cryptanalysis of ARX, in S.\u00a0Hong and T.\u00a0Iwata, editors, FSE\u00a02010, volume 6147 of LNCS (Springer, Heidelberg, 2010), pp. 
333\u2013346","DOI":"10.1007\/978-3-642-13858-4_19"},{"key":"9397_CR41","doi-asserted-by":"crossref","unstructured":"D.\u00a0Khovratovich, C.\u00a0Rechberger, The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE, in T.\u00a0Lange, K.\u00a0Lauter, and P.\u00a0Lisonek, editors, SAC 2013, volume 8282 of LNCS (Springer, Heidelberg, 2014), pp. 174\u2013184","DOI":"10.1007\/978-3-662-43414-7_9"},{"issue":"1","key":"9397_CR42","doi-asserted-by":"publisher","first-page":"474","DOI":"10.46586\/tosc.v2017.i1.474-505","volume":"2017","author":"T Kranz","year":"2017","unstructured":"T.\u00a0Kranz, G.\u00a0Leander, F.\u00a0Wiemer, Linear cryptanalysis: Key schedules and tweakable block ciphers. IACR Trans. Symm. Cryptol. 2017(1), 474\u2013505 (2017)","journal-title":"IACR Trans. Symm. Cryptol."},{"key":"9397_CR43","doi-asserted-by":"crossref","unstructured":"H.\u00a0Krawczyk, The order of encryption and authentication for protecting communications (or: How secure is SSL?), in J.\u00a0Kilian, editor, CRYPTO\u00a02001, volume 2139 of LNCS (Springer, Heidelberg, 2001), pp. 310\u2013331","DOI":"10.1007\/3-540-44647-8_19"},{"key":"9397_CR44","doi-asserted-by":"crossref","unstructured":"T.\u00a0Krovetz, P.\u00a0Rogaway, The software performance of authenticated-encryption modes, in A.\u00a0Joux, editor, FSE\u00a02011, volume 6733 of LNCS (Springer, Heidelberg, 2011), pp. 306\u2013327","DOI":"10.1007\/978-3-642-21702-9_18"},{"key":"9397_CR45","unstructured":"S.\u00a0Kumar, J.\u00a0Haj-Yahya, M.\u00a0Khairallah, M.A. Elmohr, A.\u00a0Chattopadhyay, A comprehensive performance analysis of hardware implementations of CAESAR candidates. Cryptology ePrint Archive, Report 2017\/1261, 2017. 
https:\/\/eprint.iacr.org\/2017\/1261"},{"issue":"1","key":"9397_CR46","doi-asserted-by":"publisher","first-page":"70","DOI":"10.1049\/iet-ifs.2018.5091","volume":"13","author":"R Li","year":"2019","unstructured":"R.\u00a0Li, C.\u00a0Jin, Meet-in-the-middle attacks on round-reduced tweakable block cipher Deoxys-BC. IET Inf. Secur. 13(1), 70\u201375 (2019)","journal-title":"IET Inf. Secur."},{"issue":"3","key":"9397_CR47","doi-asserted-by":"publisher","first-page":"588","DOI":"10.1007\/s00145-010-9073-y","volume":"24","author":"M Liskov","year":"2011","unstructured":"M.\u00a0Liskov, R.L. Rivest, D.\u00a0Wagner, Tweakable block ciphers. J. Cryptol. 24(3), 588\u2013613 (2011)","journal-title":"J. Cryptol."},{"key":"9397_CR48","doi-asserted-by":"crossref","unstructured":"D.\u00a0A. McGrew, J.\u00a0Viega, The security and performance of the Galois\/counter mode (GCM) of operation, in A.\u00a0Canteaut and K.\u00a0Viswanathan, editors, INDOCRYPT\u00a02004, volume 3348 of LNCS (Springer, Heidelberg, 2004), pp. 343\u2013355","DOI":"10.1007\/978-3-540-30556-9_27"},{"issue":"3","key":"9397_CR49","doi-asserted-by":"publisher","first-page":"87","DOI":"10.46586\/tosc.v2020.i3.87-118","volume":"2020","author":"K Minematsu","year":"2020","unstructured":"K.\u00a0Minematsu, Fast decryption: a new feature of misuse-resistant AE. IACR Trans. Symm. Cryptol. 2020(3), 87\u2013118 (2020)","journal-title":"IACR Trans. Symm. Cryptol."},{"issue":"2","key":"9397_CR50","first-page":"93","volume":"10","author":"F Moazami","year":"2018","unstructured":"F.\u00a0Moazami, A.\u00a0Mehrdad, H.\u00a0Soleimany, Impossible differential cryptanalysis on Deoxys-BC-256. ISeCure 10(2), 93\u2013105 (2018)","journal-title":"ISeCure"},{"key":"9397_CR51","doi-asserted-by":"crossref","unstructured":"N.\u00a0Mouha, Q.\u00a0Wang, D.\u00a0Gu, B.\u00a0Preneel, Differential and linear cryptanalysis using mixed-integer linear programming, in Information Security and Cryptology - Inscrypt 2011 (2011), pp. 
57\u201376","DOI":"10.1007\/978-3-642-34704-7_5"},{"key":"9397_CR52","doi-asserted-by":"crossref","unstructured":"C.\u00a0Namprempre, P.\u00a0Rogaway, T.\u00a0Shrimpton, Reconsidering generic composition, in P.\u00a0Q. Nguyen and E.\u00a0Oswald, editors, EUROCRYPT\u00a02014, volume 8441 of LNCS (Springer, Heidelberg, 2014), pp. 257\u2013274","DOI":"10.1007\/978-3-642-55220-5_15"},{"key":"9397_CR53","doi-asserted-by":"crossref","unstructured":"I.\u00a0Nikolic, How to use metaheuristics for design of symmetric-key primitives, in T.\u00a0Takagi and T.\u00a0Peyrin, editors, ASIACRYPT\u00a02017, Part\u00a0III, volume 10626 of LNCS (Springer, Heidelberg, 2017), pp. 369\u2013391","DOI":"10.1007\/978-3-319-70700-6_13"},{"key":"9397_CR54","doi-asserted-by":"crossref","unstructured":"T.\u00a0Peyrin, Improved differential attacks for ECHO and Gr\u00f8stl, in T.\u00a0Rabin, editor, CRYPTO\u00a02010, volume 6223 of LNCS (Springer, Heidelberg, 2010), pp. 370\u2013392","DOI":"10.1007\/978-3-642-14623-7_20"},{"key":"9397_CR55","doi-asserted-by":"crossref","unstructured":"T.\u00a0Peyrin, Y.\u00a0Seurin, Counter-in-tweak: Authenticated encryption modes for tweakable block ciphers, in M.\u00a0Robshaw and J.\u00a0Katz, editors, CRYPTO\u00a02016, Part\u00a0I, volume 9814 of LNCS (Springer, Heidelberg, 2016), pp. 33\u201363","DOI":"10.1007\/978-3-662-53018-4_2"},{"key":"9397_CR56","unstructured":"A.\u00a0Poschmann, M.\u00a0St\u00f6ttinger, Personal communication"},{"key":"9397_CR57","unstructured":"A.\u00a0Poschmann, M.\u00a0St\u00f6ttinger, ATHENa: Automated Tools for Hardware EvaluatioN - Deoxys-I-128 implementation (2016). https:\/\/cryptography.gmu.edu\/athena\/"},{"key":"9397_CR58","doi-asserted-by":"crossref","unstructured":"P.\u00a0Rogaway, Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC, in P.\u00a0J. Lee, editor, ASIACRYPT\u00a02004, volume 3329 of LNCS (Springer, Heidelberg, 2004), pp. 
16\u201331","DOI":"10.1007\/978-3-540-30539-2_2"},{"key":"9397_CR59","doi-asserted-by":"crossref","unstructured":"P.\u00a0Rogaway, Nonce-based symmetric encryption, in B.\u00a0K. Roy and W.\u00a0Meier, editors, FSE\u00a02004, volume 3017 of LNCS (Springer, Heidelberg, 2004), pp. 348\u2013359","DOI":"10.1007\/978-3-540-25937-4_22"},{"key":"9397_CR60","doi-asserted-by":"crossref","unstructured":"P.\u00a0Rogaway, T.\u00a0Shrimpton, A provable-security treatment of the key-wrap problem, in S.\u00a0Vaudenay, editor, EUROCRYPT\u00a02006, volume 4004 of LNCS (Springer, Heidelberg, 2006), pp. 373\u2013390","DOI":"10.1007\/11761679_23"},{"key":"9397_CR61","doi-asserted-by":"crossref","unstructured":"Y.\u00a0Sasaki, Improved related-tweakey boomerang attacks on Deoxys-BC, in A.\u00a0Joux, A.\u00a0Nitaj, and T.\u00a0Rachidi, editors, AFRICACRYPT 18, volume 10831 of LNCS (Springer, Heidelberg, 2018), pp. 87\u2013106","DOI":"10.1007\/978-3-319-89339-6_6"},{"key":"9397_CR62","doi-asserted-by":"crossref","unstructured":"S.\u00a0Sun, L.\u00a0Hu, P.\u00a0Wang, K.\u00a0Qiao, X.\u00a0Ma, L.\u00a0Song, Automatic security evaluation and (related-key) differential characteristic search: Application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers, in P.\u00a0Sarkar and T.\u00a0Iwata, editors, ASIACRYPT\u00a02014, Part\u00a0I, volume 8873 of LNCS (Springer, Heidelberg, 2014), pp. 158\u2013178","DOI":"10.1007\/978-3-662-45611-8_9"},{"key":"9397_CR63","doi-asserted-by":"crossref","unstructured":"S.\u00a0Vaudenay, Security flaws induced by CBC padding\u2014applications to SSL, IPSEC, WTLS, in L.R. Knudsen, editor, EUROCRYPT\u00a02002, volume 2332 of LNCS (Springer, Heidelberg, 2002), pp. 534\u2013546","DOI":"10.1007\/3-540-46035-7_35"},{"key":"9397_CR64","unstructured":"Virtual Silicon Inc. 
0.18 $$\\mu $$m VIP Standard Cell Library Tape Out Ready, Part Number: UMCL18G212T3, Process: UMC Logic 0.18 $$\\mu $$m Generic II Technology: 0.18$$\\mu $$m, July 2004"},{"key":"9397_CR65","doi-asserted-by":"crossref","unstructured":"D.\u00a0Wagner, The boomerang attack, in L.\u00a0R. Knudsen, editor, FSE\u201999, volume 1636 of LNCS (Springer, Heidelberg, 1999), pp. 156\u2013170","DOI":"10.1007\/3-540-48519-8_12"},{"issue":"1","key":"9397_CR66","doi-asserted-by":"publisher","first-page":"142","DOI":"10.46586\/tosc.v2019.i1.142-169","volume":"2019","author":"H Wang","year":"2019","unstructured":"H.\u00a0Wang, T.\u00a0Peyrin, Boomerang switch in multiple rounds. IACR Trans. Symm. Cryptol. 2019(1), 142\u2013169 (2019)","journal-title":"IACR Trans. Symm. Cryptol."},{"key":"9397_CR67","doi-asserted-by":"crossref","unstructured":"H.\u00a0Wu, Related-cipher attacks, in R.\u00a0H. Deng, S.\u00a0Qing, F.\u00a0Bao, and J.\u00a0Zhou, editors, ICICS 02, volume 2513 of LNCS (Springer, Heidelberg, 2002), pp. 447\u2013455","DOI":"10.1007\/3-540-36159-6_38"},{"key":"9397_CR68","unstructured":"H.\u00a0Wu, ACORN v3. Submission to Round 3 of the CAESAR competition (2016)"},{"key":"9397_CR69","unstructured":"H.\u00a0Wu, AEGIS v1.1. Submission to Round 3 of the CAESAR competition (2016)"},{"key":"9397_CR70","doi-asserted-by":"crossref","unstructured":"B.\u00a0Zhao, X.\u00a0Dong, K.\u00a0Jia, New Related-Tweakey Boomerang and Rectangle Attacks on Deoxys-BC Including BDT Effect. Cryptology ePrint Archive, Report 2020\/102, 2020. https:\/\/eprint.iacr.org\/2020\/102","DOI":"10.46586\/tosc.v2019.i3.121-151"},{"key":"9397_CR71","doi-asserted-by":"crossref","unstructured":"B.\u00a0Zhao, X.\u00a0Dong, K.\u00a0Jia, W.\u00a0Meier, Improved Related-Tweakey Rectangle Attacks on Reduced-round Deoxys-BC-384 and Deoxys-I-256-128. Cryptology ePrint Archive, Report 2020\/103, 2020. 
https:\/\/eprint.iacr.org\/2020\/103","DOI":"10.1007\/978-3-030-35423-7_7"}],"container-title":["Journal of Cryptology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-021-09397-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s00145-021-09397-w\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-021-09397-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,12,30]],"date-time":"2022-12-30T16:46:22Z","timestamp":1672418782000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s00145-021-09397-w"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,6,10]]},"references-count":71,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2021,7]]}},"alternative-id":["9397"],"URL":"https:\/\/doi.org\/10.1007\/s00145-021-09397-w","relation":{},"ISSN":["0933-2790","1432-1378"],"issn-type":[{"value":"0933-2790","type":"print"},{"value":"1432-1378","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,6,10]]},"assertion":[{"value":"14 February 2020","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"29 January 2021","order":2,"name":"revised","label":"Revised","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"19 February 2021","order":3,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"10 June 2021","order":4,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}],"article-number":"31"}}