The Deoxys
Authenticated Encryption
NEWS: Deoxys-II has been selected as first choice for the "in-depth security" portfolio of the CAESAR competition.
Deoxys is an authenticated encryption scheme based on a 128-bit lightweight ad-hoc tweakable block cipher. It may be used in two modes, to handle nonce-respecting users (Deoxys-I) or nonce-reusing users (Deoxys-II).
It has been designed by Jérémy Jean, Ivica Nikolić, Thomas Peyrin and Yannick Seurin.
News
(February 2021) Our extended document "The Deoxys AEAD Family" has been accepted to the Journal of Cryptology, Special CAESAR competition edition.
(February 2019) Deoxys-II has been selected as winner for the "in-depth security" portfolio of the CAESAR competition for authenticated encryption
(March 2018) Deoxys-II has been selected as finalist of the CAESAR competition for authenticated encryption
(October 2017) Optimised FPGA implementations of Deoxys, ePrint
(July 2017) Optimised software implementations of Deoxys, available in the latest SUPERCOP package
(August 2016) Deoxys has been selected as 3rd round candidate of the CAESAR competition for authenticated encryption
(July 2015) Deoxys has been selected as 2nd round candidate of the CAESAR competition for authenticated encryption
(March 2014) Deoxys has been submitted to the CAESAR competition for authenticated encryption
Features
Deoxys achieves very good performance in software implementations (less than a cycle per byte on AES-NI enabled processors)
Deoxys provides full 128-bit security for both privacy and authenticity
Deoxys has a nonce-misuse resistant mode, Deoxys-II, that resists scenarios where the nonce is reused by the user
Deoxys has a good security margin for all the recommended parameters
Deoxys is very easy to analyze
Deoxys can be lightweight and performs very well on small messages
The internal primitive of Deoxys is an ad-hoc AES-based tweakable block cipher, an instantiation of the more general TWEAKEY framework
Downloads and implementations
The latest version of the Deoxys document, presentation slides, reference and table implementations, and test vectors can be found below. You can also find more Deoxys-II implementations on Oasis Labs' GitHub repository (JavaScript, Rust, Go).
Related articles
H. Wang, T. Peyrin, "Boomerang Switch in Multiple Rounds Application to AES Variants and Deoxys", ToSC/FSE 2019
Y. Sasaki, "Improved Related-Tweakey Boomerang Attacks on Deoxys-BC", AFRICACRYPT 2018
C. Cid, T. Huang, T. Peyrin, Y. Sasaki and L. Song, "Boomerang Connectivity Table: A New Cryptanalysis Tool", EUROCRYPT 2018
C. Cid, T. Huang, T. Peyrin, Y. Sasaki and L. Song, "Cryptanalysis of Deoxys and its Internal Tweakable Block Ciphers", FSE 2018
A. Mehrdad, F. Moazami and H. Soleimany, "Impossible Differential Cryptanalysis on Deoxys-BC-256", ePrint 2018/048
M. Khairallah, A. Chattopadhyay and T. Peyrin, "Looting the LUTs: FPGA Optimization of AES and AES-like Ciphers for Authenticated Encryption", INDOCRYPT 2017
S. Koteshwara, A. Das and K. K. Parhi, "FPGA implementation and comparison of AES-GCM and Deoxys authenticated encryption schemes", ISCAS 2017
T. Peyrin and Y. Seurin, "Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers", CRYPTO 2016
J. Jean, I. Nikolić and T. Peyrin, "Tweaks and Keys for Block Ciphers: the TWEAKEY Framework", ASIACRYPT 2014