{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,7,30]],"date-time":"2025-07-30T17:04:51Z","timestamp":1753895091681,"version":"3.41.2"},"reference-count":70,"publisher":"International Association for Cryptologic Research","license":[{"start":{"date-parts":[[2024,4,8]],"date-time":"2024-04-08T00:00:00Z","timestamp":1712534400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2024,6,3]]},"abstract":"<jats:p>We analyze the multi-user (mu) security of a family of nonce-based authenticated encryption (nAE) schemes based on a tweakable block cipher (TBC). The starting point of our work is an analysis of the mu security of the SCT-II mode, which underlies the nAE scheme Deoxys-II, winner of the CAESAR competition for the defense-in-depth category. We extend this analysis in two directions, as we detail now.<\/jats:p>\n          <jats:p>First, we investigate the mu security of several TBC-based variants of the counter encryption mode (including CTRT, the encryption mode used within SCT-II) that differ by the way a nonce, a random value, and a counter are combined as tweak and plaintext inputs to the TBC to produce the keystream blocks that will mask the plaintext blocks. Then, we consider the authentication part of SCT-II and study the mu security of the nonce-based MAC Nonce-as-Tweak (NaT) built from a TBC and an almost universal (AU) hash function. We also observe that the standard construction of an AU hash function from a (T)BC can be proven secure under the assumption that the underlying TBC is unpredictable rather than pseudorandom, allowing much better conjectures on the concrete AU advantage. This allows us to derive the mu security of the family of nAE modes obtained by combining these encryption\/MAC building blocks through the NSIV composition method.<\/jats:p>\n          <jats:p>Some of these modes require an underlying TBC with a larger tweak length than what is usually available for existing ones. We then show the practicality of our modes by instantiating them with two new TBC constructions, Deoxys-TBC-512 and Deoxys-TBC-640, which can be seen as natural extensions of the Deoxys-TBC family to larger tweak input sizes. Designing such TBCs with unusually large tweaks is prone to pitfalls: indeed, we show that a large-tweak proposal for SKINNY published at EUROCRYPT 2020 presents an inherent construction flaw. We therefore provide a sound design strategy to construct large-tweak TBCs within the Superposition Tweakey (STK) framework, leading to new Deoxys-TBC and SKINNY variants. We provide software benchmarks indicating that, while ensuring a very high security level, the performance of our proposals remains very competitive. 
<\/jats:p>","DOI":"10.62056\/a3qjp2fgx","type":"journal-article","created":{"date-parts":[[2024,7,8]],"date-time":"2024-07-08T15:52:04Z","timestamp":1720453924000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["A Long Tweak Goes a Long Way: High Multi-user Security Authenticated Encryption from Tweakable Block Ciphers"],"prefix":"10.62056","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-6445-2514","authenticated-orcid":false,"given":"Beno\u00eet","family":"Cogliati","sequence":"first","affiliation":[{"name":"Thales DIS France SAS","place":["France"]}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-7340-8591","authenticated-orcid":false,"given":"J\u00e9r\u00e9my","family":"Jean","sequence":"additional","affiliation":[{"name":"ANSSI","place":["France"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2690-9197","authenticated-orcid":false,"given":"Thomas","family":"Peyrin","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/02e7b5302","id-type":"ROR","asserted-by":"publisher"}],"name":"Nanyang Technological University","place":["Singapore"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2948-9423","authenticated-orcid":false,"given":"Yannick","family":"Seurin","sequence":"additional","affiliation":[{"name":"Ledger","place":["France"]}]}],"member":"48349","published-online":{"date-parts":[[2024,7,8]]},"reference":[{"key":"ref1:FOCS:BelCanKra96","doi-asserted-by":"publisher","first-page":"514","DOI":"10.1109\/SFCS.1996.548510","article-title":"Pseudorandom Functions Revisited: The Cascade Construction\n  and Its Concrete Security","volume-title":"37th FOCS","author":"Mihir Bellare","year":"1996"},{"key":"ref2:EC:BelBolMic00","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"259","DOI":"10.1007\/3-540-45539-6_18","article-title":"Public-Key Encryption in a Multi-user Setting: Security\n  Proofs and 
Improvements","volume-title":"EUROCRYPT\u00a02000","volume":"1807","author":"Mihir Bellare","year":"2000"},{"key":"ref3:add:Biham02","doi-asserted-by":"publisher","first-page":"117","DOI":"10.1016\/S0020-0190(02)00269-7","article-title":"How to decrypt or even substitute DES-encrypted messages in\n  2\\({}^{\\mbox{28}}\\) steps","volume":"84","author":"Eli Biham","year":"2002","journal-title":"Inf. Process. Lett."},{"key":"ref4:Ac:FouJouMav14","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"420","DOI":"10.1007\/978-3-662-45611-8_22","article-title":"Multi-user Collisions: Applications to Discrete Logarithm,\n  Even-Mansour and PRINCE","volume-title":"ASIACRYPT\u00a02014, Part\u00a0I","volume":"8873","author":"Pierre-Alain Fouque","year":"2014"},{"key":"ref5:FSE:PatPoeSch14","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"325","DOI":"10.1007\/978-3-662-46706-0_17","article-title":"Plaintext Recovery Attacks Against WPA\/TKIP","volume-title":"FSE\u00a02014","volume":"8540","author":"Kenneth G. 
Paterson","year":"2015"},{"key":"ref6:C:MouLuy15","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"209","DOI":"10.1007\/978-3-662-47989-6_10","article-title":"Multi-key Security: The Even-Mansour Construction\n  Revisited","volume-title":"CRYPTO\u00a02015, Part\u00a0I","volume":"9215","author":"Nicky Mouha","year":"2015"},{"key":"ref7:AC:Tessaro15","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"437","DOI":"10.1007\/978-3-662-48800-3_18","article-title":"Optimally Secure Block Ciphers from Ideal Primitives","volume-title":"ASIACRYPT\u00a02015, Part\u00a0II","volume":"9453","author":"Stefano Tessaro","year":"2015"},{"key":"ref8:C:HoaTes16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-662-53018-4_1","article-title":"Key-Alternating Ciphers and Key-Length Extension: Exact\n  Bounds and Multi-user Security","volume-title":"CRYPTO\u00a02016, Part\u00a0I","volume":"9814","author":"Viet Tung Hoang","year":"2016"},{"key":"ref9:EC:HoaTes17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"381","DOI":"10.1007\/978-3-319-56614-6_13","article-title":"The Multi-user Security of Double Encryption","volume-title":"EUROCRYPT\u00a02017, Part\u00a0II","volume":"10211","author":"Viet Tung Hoang","year":"2017"},{"key":"ref10:AC:GuoWan18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"213","DOI":"10.1007\/978-3-030-03326-2_8","article-title":"Revisiting Key-Alternating Feistel Ciphers for Shorter\n  Keys and Multi-user Security","volume-title":"ASIACRYPT\u00a02018, Part\u00a0I","volume":"11272","author":"Chun Guo","year":"2018"},{"key":"ref11:FSE:ADMA15","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"364","DOI":"10.1007\/978-3-662-48116-5_18","article-title":"Security of Keyed Sponge Constructions Using a Modular Proof\n  Approach","volume-title":"FSE\u00a02015","volume":"9054","author":"Elena 
Andreeva","year":"2015"},{"key":"ref12:EC:BelBerTes16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"566","DOI":"10.1007\/978-3-662-49890-3_22","article-title":"Hash-Function Based PRFs: AMAC and Its Multi-User\n  Security","volume-title":"EUROCRYPT\u00a02016, Part\u00a0I","volume":"9665","author":"Mihir Bellare","year":"2016"},{"key":"ref13:C:SWGW21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"309","DOI":"10.1007\/978-3-030-84252-9_11","article-title":"Revisiting the Security of DbHtS MACs:\n  Beyond-Birthday-Bound in the Multi-user Setting","volume-title":"CRYPTO\u00a02021, Part\u00a0III","volume":"12827","author":"Yaobin Shen","year":"2021"},{"key":"ref14:C:BelTac16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"247","DOI":"10.1007\/978-3-662-53018-4_10","article-title":"The Multi-user Security of Authenticated Encryption:\n  AES-GCM in TLS\u00a01.3","volume-title":"CRYPTO\u00a02016, Part\u00a0I","volume":"9814","author":"Mihir Bellare","year":"2016"},{"key":"ref15:AC:LuyMenPat17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"575","DOI":"10.1007\/978-3-319-70697-9_20","article-title":"Analyzing Multi-key Security Degradation","volume-title":"ASIACRYPT\u00a02017, Part\u00a0II","volume":"10625","author":"Atul Luykx","year":"2017"},{"key":"ref16:CCS:HoaTesThi18","doi-asserted-by":"publisher","first-page":"1429","DOI":"10.1145\/3243734.3243816","article-title":"The Multi-user Security of GCM, Revisited: Tight Bounds\n  for Nonce Randomization","volume-title":"ACM CCS 2018","author":"Viet Tung Hoang","year":"2018"},{"key":"ref17:AC:DaeMenAss17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"606","DOI":"10.1007\/978-3-319-70697-9_21","article-title":"Full-State Keyed Duplex with Built-In Multi-user Support","volume-title":"ASIACRYPT\u00a02017, Part\u00a0II","volume":"10625","author":"Joan 
Daemen","year":"2017"},{"key":"ref18:EC:BosHoaTes18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"468","DOI":"10.1007\/978-3-319-78381-9_18","article-title":"Revisiting AES-GCM-SIV: Multi-user Security, Faster\n  Key Derivation, and Better Bounds","volume-title":"EUROCRYPT\u00a02018, Part\u00a0I","volume":"10820","author":"Priyanka Bose","year":"2018"},{"article-title":"Hasty Pudding Cipher","year":"1998","author":"R. Schroeppel","key":"ref19:HPC"},{"key":"ref20:JC:LisRivWag11","doi-asserted-by":"publisher","first-page":"588","DOI":"10.1007\/s00145-010-9073-y","article-title":"Tweakable Block Ciphers","volume":"24","author":"Moses Liskov","year":"2011","journal-title":"Journal of Cryptology"},{"key":"ref21:FSE:Crowley00","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"49","DOI":"10.1007\/3-540-44706-7_4","article-title":"Mercy: A Fast Large Block Cipher for Disk Sector\n  Encryption","volume-title":"FSE\u00a02000","volume":"1978","author":"Paul Crowley","year":"2001"},{"key":"ref22:AC:JeaNikPey14","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"274","DOI":"10.1007\/978-3-662-45608-8_15","article-title":"Tweaks and Keys for Block Ciphers: The TWEAKEY Framework","volume-title":"ASIACRYPT\u00a02014, Part\u00a0II","volume":"8874","author":"J\u00e9r\u00e9my Jean","year":"2014"},{"key":"ref23:C:BJKLMP16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"123","DOI":"10.1007\/978-3-662-53008-5_5","article-title":"The SKINNY Family of Block Ciphers and Its Low-Latency\n  Variant MANTIS","volume-title":"CRYPTO\u00a02016, Part\u00a0II","volume":"9815","author":"Christof Beierle","year":"2016"},{"key":"ref24:ToSC:Avanzi17","doi-asserted-by":"publisher","first-page":"4","DOI":"10.13154\/tosc.v2017.i1.4-44","article-title":"The QARMA Block Cipher Family","volume":"2017","author":"Roberto Avanzi","year":"2017","journal-title":"IACR Trans. Symm. 
Cryptol.","ISSN":"https:\/\/id.crossref.org\/issn\/2519-173X","issn-type":"electronic"},{"key":"ref25:RSA:BLLS22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"511","DOI":"10.1007\/978-3-030-95312-6_21","article-title":"Pholkos - Efficient Large-State Tweakable Block Ciphers from\n  the AES Round Function","volume-title":"CT-RSA\u00a02022","volume":"13161","author":"Jannis Bossert","year":"2022"},{"key":"ref26:CCS:RBBK01","doi-asserted-by":"publisher","first-page":"196","DOI":"10.1145\/501983.502011","article-title":"OCB: A Block-Cipher Mode of Operation for Efficient\n  Authenticated Encryption","volume-title":"ACM CCS 2001","author":"Phillip Rogaway","year":"2001"},{"key":"ref27:FSE:KroRog11","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"306","DOI":"10.1007\/978-3-642-21702-9_18","article-title":"The Software Performance of Authenticated-Encryption Modes","volume-title":"FSE\u00a02011","volume":"6733","author":"Ted Krovetz","year":"2011"},{"key":"ref28:C:PeySeu16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"33","DOI":"10.1007\/978-3-662-53018-4_2","article-title":"Counter-in-Tweak: Authenticated Encryption Modes for\n  Tweakable Block Ciphers","volume-title":"CRYPTO\u00a02016, Part\u00a0I","volume":"9814","author":"Thomas Peyrin","year":"2016"},{"key":"ref29:C:IMPS17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"34","DOI":"10.1007\/978-3-319-63697-9_2","article-title":"ZMAC: A Fast Tweakable Block Cipher Mode for Highly\n  Secure Message Authentication","volume-title":"CRYPTO\u00a02017, Part\u00a0III","volume":"10403","author":"Tetsu Iwata","year":"2017"},{"key":"ref30:TCHES:NaiSug19","doi-asserted-by":"publisher","first-page":"66","DOI":"10.13154\/tches.v2020.i1.66-94","article-title":"Lightweight Authenticated Encryption Mode of Operation for\n  Tweakable Block Ciphers","volume":"2020","author":"Yusuke Naito","year":"2019","journal-title":"IACR 
TCHES","ISSN":"https:\/\/id.crossref.org\/issn\/2569-2925","issn-type":"electronic"},{"key":"ref31:ToSC:IKMP20","doi-asserted-by":"publisher","first-page":"43","DOI":"10.13154\/tosc.v2020.i1.43-120","article-title":"Duel of the Titans: The Romulus and Remus Families of\n  Lightweight AEAD Algorithms","volume":"2020","author":"Tetsu Iwata","year":"2020","journal-title":"IACR Trans. Symm. Cryptol.","ISSN":"https:\/\/id.crossref.org\/issn\/2519-173X","issn-type":"electronic"},{"key":"ref32:EC:NaiSasSug20","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"705","DOI":"10.1007\/978-3-030-45724-2_24","article-title":"Lightweight Authenticated Encryption Mode Suitable for\n  Threshold Implementation","volume-title":"EUROCRYPT\u00a02020, Part\u00a0II","volume":"12106","author":"Yusuke Naito","year":"2020"},{"key":"ref33:ToSC:NaiSasSug20","doi-asserted-by":"publisher","first-page":"1","DOI":"10.46586\/tosc.v2020.i4.1-38","article-title":"LM-DAE: Low-Memory Deterministic Authenticated Encryption\n  for 128-bit Security","volume":"2020","author":"Yusuke Naito","year":"2020","journal-title":"IACR Trans. Symm. 
Cryptol.","ISSN":"https:\/\/id.crossref.org\/issn\/2519-173X","issn-type":"electronic"},{"article-title":"Collision attacks on OCB","year":"2002","author":"Niels Ferguson","key":"ref34:ferguson2002collision"},{"key":"ref35:EC:RogShr06","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"373","DOI":"10.1007\/11761679_23","article-title":"A Provable-Security Treatment of the Key-Wrap Problem","volume-title":"EUROCRYPT\u00a02006","volume":"4004","author":"Phillip Rogaway","year":"2006"},{"key":"ref36:add:BockZDSJ16","article-title":"Nonce-Disrespecting Adversaries: Practical Forgery Attacks\n  on GCM in TLS","volume-title":"WOOT","author":"Hanno B\u00f6ck","year":"2016"},{"key":"ref37:CCS:VanPie17","doi-asserted-by":"publisher","first-page":"1313","DOI":"10.1145\/3133956.3134027","article-title":"Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2","volume-title":"ACM CCS 2017","author":"Mathy Vanhoef","year":"2017"},{"key":"ref38:CCS:VanPie18","doi-asserted-by":"publisher","first-page":"299","DOI":"10.1145\/3243734.3243807","article-title":"Release the Kraken: New KRACKs in the 802.11 Standard","volume-title":"ACM CCS 2018","author":"Mathy Vanhoef","year":"2018"},{"key":"ref39:JC:JNPS21","doi-asserted-by":"publisher","first-page":"31","DOI":"10.1007\/s00145-021-09397-w","article-title":"The Deoxys AEAD Family","volume":"34","author":"J\u00e9r\u00e9my Jean","year":"2021","journal-title":"Journal of Cryptology"},{"key":"ref40:ToSC:ABPV21","doi-asserted-by":"publisher","first-page":"1","DOI":"10.46586\/tosc.v2021.i3.1-35","article-title":"1, 2, 3, Fork: Counter Mode Variants based on a Generalized\n  Forkcipher","volume":"2021","author":"Elena Andreeva","year":"2021","journal-title":"IACR Trans. Symm. 
Cryptol.","ISSN":"https:\/\/id.crossref.org\/issn\/2519-173X","issn-type":"electronic"},{"key":"ref41:ToSC:CogLeeSeu17","doi-asserted-by":"publisher","first-page":"27","DOI":"10.13154\/tosc.v2017.i2.27-58","article-title":"New Constructions of MACs from (Tweakable) Block Ciphers","volume":"2017","author":"Beno\u00eet Cogliati","year":"2017","journal-title":"IACR Trans. Symm. Cryptol.","ISSN":"https:\/\/id.crossref.org\/issn\/2519-173X","issn-type":"electronic"},{"key":"ref42:C:BelGueRog95","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"15","DOI":"10.1007\/3-540-44750-4_2","article-title":"XOR MACs: New Methods for Message Authentication Using\n  Finite Pseudorandom Functions","volume-title":"CRYPTO'95","volume":"963","author":"Mihir Bellare","year":"1995"},{"key":"ref43:JC:Bernstein99","doi-asserted-by":"publisher","first-page":"185","DOI":"10.1007\/s001459900051","article-title":"How to Stretch Random Functions: The Security of Protected\n  Counter Sums","volume":"12","author":"Daniel J. 
Bernstein","year":"1999","journal-title":"Journal of Cryptology"},{"key":"ref44:EC:BlaRog02","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"384","DOI":"10.1007\/3-540-46035-7_25","article-title":"A Block-Cipher Mode of Operation for Parallelizable Message\n  Authentication","volume-title":"EUROCRYPT\u00a02002","volume":"2332","author":"John Black","year":"2002"},{"key":"ref45:FSE:LPTY16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"43","DOI":"10.1007\/978-3-662-52993-5_3","article-title":"A MAC Mode for Lightweight Block Ciphers","volume-title":"FSE\u00a02016","volume":"9783","author":"Atul Luykx","year":"2016"},{"article-title":"A Graduate Course in Applied Cryptography, v0.5","year":"2020","author":"Dan Boneh","key":"ref46:add:BohSho20"},{"key":"ref47:C:DeTreTul10","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"649","DOI":"10.1007\/978-3-642-14623-7_35","article-title":"Time Space Tradeoffs for Attacks against One-Way Functions\n  and PRGs","volume-title":"CRYPTO\u00a02010","volume":"6223","author":"Anindya De","year":"2010"},{"key":"ref48:AC:BerLan13","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"321","DOI":"10.1007\/978-3-642-42045-0_17","article-title":"Non-uniform Cracks in the Concrete: The Power of Free\n  Precomputation","volume-title":"ASIACRYPT\u00a02013, Part\u00a0II","volume":"8270","author":"Daniel J. 
Bernstein","year":"2013"},{"key":"ref49:C:DodSte09","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"267","DOI":"10.1007\/978-3-642-03356-8_16","article-title":"Message Authentication Codes from Unpredictable Block\n  Ciphers","volume-title":"CRYPTO\u00a02009","volume":"5677","author":"Yevgeniy Dodis","year":"2009"},{"key":"ref50:ACISP:DatYas15","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"433","DOI":"10.1007\/978-3-319-19962-7_25","article-title":"Generalizing PMAC Under Weaker Assumptions","volume-title":"ACISP 15","volume":"9144","author":"Nilanjan Datta","year":"2015"},{"article-title":"Deoxys v1.43","year":"2016","author":"J\u00e9r\u00e9my Jean","key":"ref51:deoxys143"},{"key":"ref52:AC:QDWHW22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"287","DOI":"10.1007\/978-3-031-22963-3_10","article-title":"Mind the TWEAKEY Schedule: Cryptanalysis on\n  SKINNYe-64-256","volume-title":"ASIACRYPT\u00a02022, Part\u00a0I","volume":"13791","author":"Lingyue Qin","year":"2022"},{"key":"ref53:EC:CheSte14","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"327","DOI":"10.1007\/978-3-642-55220-5_19","article-title":"Tight Security Bounds for Key-Alternating Ciphers","volume-title":"EUROCRYPT\u00a02014","volume":"8441","author":"Shan Chen","year":"2014"},{"key":"ref54:SAC:Patarin08","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"328","DOI":"10.1007\/978-3-642-04159-4_21","article-title":"The \u201cCoefficients H\u201d Technique (Invited Talk)","volume-title":"SAC 2008","volume":"5381","author":"Jacques Patarin","year":"2009"},{"key":"ref55:AC:ALPRRV19","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"153","DOI":"10.1007\/978-3-030-34621-8_6","article-title":"Forkcipher: A New Primitive for Authenticated Encryption\n  of Very Short Messages","volume-title":"ASIACRYPT\u00a02019, Part\u00a0II","volume":"11922","author":"Elena 
Andreeva","year":"2019"},{"key":"ref56:AC:Rogaway04","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"16","DOI":"10.1007\/978-3-540-30539-2_2","article-title":"Efficient Instantiations of Tweakable Blockciphers and\n  Refinements to Modes OCB and PMAC","volume-title":"ASIACRYPT\u00a02004","volume":"3329","author":"Phillip Rogaway","year":"2004"},{"key":"ref57:C:Bellare06","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"602","DOI":"10.1007\/11818175_36","article-title":"New Proofs for NMAC and HMAC: Security without\n  Collision-Resistance","volume-title":"CRYPTO\u00a02006","volume":"4117","author":"Mihir Bellare","year":"2006"},{"key":"ref58:ToSC:CHPSS17","doi-asserted-by":"publisher","first-page":"73","DOI":"10.13154\/tosc.v2017.i3.73-107","article-title":"A Security Analysis of Deoxys and its Internal Tweakable\n  Block Ciphers","volume":"2017","author":"Carlos Cid","year":"2017","journal-title":"IACR Trans. Symm. Cryptol.","ISSN":"https:\/\/id.crossref.org\/issn\/2519-173X","issn-type":"electronic"},{"key":"ref59:AFRICACRYPT:Sasaki18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"87","DOI":"10.1007\/978-3-319-89339-6_6","article-title":"Improved Related-Tweakey Boomerang Attacks on Deoxys-BC","volume-title":"AFRICACRYPT 18","volume":"10831","author":"Yu Sasaki","year":"2018"},{"key":"ref60:add:MoazamiMS18","doi-asserted-by":"publisher","first-page":"93","DOI":"10.22042\/isecure.2018.114245.405","article-title":"Impossible Differential Cryptanalysis on Deoxys-BC-256","volume":"10","author":"Farokhlagha Moazami","year":"2018","journal-title":"ISC Int. J. Inf. Secur."},{"key":"ref61:add:ZongDW19","doi-asserted-by":"publisher","DOI":"10.1007\/s11432-017-9382-2","article-title":"Related-tweakey impossible differential attack on\n  reduced-round Deoxys-BC-256","volume":"62","author":"Rui Zong","year":"2019","journal-title":"Sci. China Inf. 
Sci."},{"key":"ref62:ToSC:WanPey19","doi-asserted-by":"publisher","first-page":"142","DOI":"10.13154\/tosc.v2019.i1.142-169","article-title":"Boomerang Switch in Multiple Rounds","volume":"2019","author":"Haoyang Wang","year":"2019","journal-title":"IACR Trans. Symm. Cryptol.","ISSN":"https:\/\/id.crossref.org\/issn\/2519-173X","issn-type":"electronic"},{"key":"ref63:ToSC:ZhaDonJia19","doi-asserted-by":"publisher","first-page":"121","DOI":"10.13154\/tosc.v2019.i3.121-151","article-title":"New Related-Tweakey Boomerang and Rectangle Attacks on\n  Deoxys-BC Including BDT Effect","volume":"2019","author":"Boxin Zhao","year":"2019","journal-title":"IACR Trans. Symm. Cryptol.","ISSN":"https:\/\/id.crossref.org\/issn\/2519-173X","issn-type":"electronic"},{"key":"ref64:INDOCRYPT:ZDJM19","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"139","DOI":"10.1007\/978-3-030-35423-7_7","article-title":"Improved Related-Tweakey Rectangle Attacks on Reduced-Round\n  Deoxys-BC-384 and Deoxys-I-256-128","volume-title":"INDOCRYPT\u00a02019","volume":"11898","author":"Boxin Zhao","year":"2019"},{"key":"ref65:EC:DQSW22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-031-07082-2_1","article-title":"Key Guessing Strategies for Linear Key-Schedule Algorithms\n  in Rectangle Attacks","volume-title":"EUROCRYPT\u00a02022, Part\u00a0III","volume":"13277","author":"Xiaoyang Dong","year":"2022"},{"key":"ref66:EC:HadSadEic23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"128","DOI":"10.1007\/978-3-031-30634-1_5","article-title":"Finding the Impossible: Automated Search for Full\n  Impossible-Differential, Zero-Correlation, and Integral Attacks","volume-title":"EUROCRYPT\u00a02023, Part\u00a0IV","volume":"14007","author":"Hosein Hadipour","year":"2023"},{"key":"ref67:EC:SYCHW24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"339","DOI":"10.1007\/978-3-031-58716-0_12","article-title":"Probabilistic 
Extensions: A One-Step Framework for Finding\n  Rectangle Attacks and Beyond","volume-title":"EUROCRYPT\u00a02024, Part\u00a0I","volume":"14651","author":"Ling Song","year":"2024"},{"key":"ref68:add:LiJ19","doi-asserted-by":"publisher","first-page":"70","DOI":"10.1049\/iet-ifs.2018.5091","article-title":"Meet-in-the-middle attacks on round-reduced tweakable block\n  cipher Deoxys-BC","volume":"13","author":"Rongjia Li","year":"2019","journal-title":"IET Inf. Secur."},{"article-title":"AES-GCM-SIV: Specification and Analysis","year":"2017","author":"Shay Gueron","key":"ref69:EPRINT:GueLanLin17"},{"key":"ref70:KavunMY18","doi-asserted-by":"publisher","DOI":"10.1145\/3131276","article-title":"A Survey on Authenticated Encryption-ASIC Designer's\n  Perspective","volume":"50","author":"Elif Bilge Kavun","year":"2018","journal-title":"ACM Comput. Surv."}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2024,12,10]],"date-time":"2024-12-10T21:26:58Z","timestamp":1733866018000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/1\/2\/17"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,7,8]]},"references-count":70,"URL":"https:\/\/doi.org\/10.62056\/a3qjp2fgx","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"type":"electronic","value":"3006-5496"}],"subject":[],"published":{"date-parts":[[2024,7,8]]},"assertion":[{"value":"2024-04-08","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-06-03","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc1-2-52"}}