New Related-Tweakey Boomerang and Rectangle Attacks on Deoxys-BC Including BDT Effect

Abstract. In the CAESAR competition, Deoxys-I and Deoxys-II are two important authenticated encryption schemes submitted by Jean et al. Recently, Deoxys-II, together with Ascon, ACORN, AEGIS-128, OCB and COLM, has been selected for the final CAESAR portfolio. Notably, Deoxys-II is also the primary choice for the use case "Defense in depth". Deoxys-I remains one of the third-round candidates of the CAESAR competition. Both Deoxys-I and Deoxys-II adopt Deoxys-BC-256 and Deoxys-BC-384 as their internal tweakable block ciphers. In this paper, we investigate the security of round-reduced Deoxys-BC-256/-384 and Deoxys-I against related-tweakey boomerang and rectangle attacks using some new boomerang distinguishers. For Deoxys-BC-256, we present 10-round related-tweakey boomerang and rectangle attacks for the popular setting $(|tweak|, |key|) = (128, 128)$, which reach one more round than the previous attacks in this setting. Moreover, an 11-round related-tweakey rectangle attack on Deoxys-BC-256 is given for the first time. We also put forward a 13-round related-tweakey boomerang attack in the popular setting $(|tweak|, |key|) = (128, 256)$ for Deoxys-BC-384, while the previous attacks in this setting only work for 12 rounds at most. In addition, the first 14-round related-tweakey rectangle attack on Deoxys-BC-384 is given for $(|tweak| < 98, |key| > 286)$, attacking one more round than before. Besides, we give the first 10-round rectangle attack on the authenticated encryption mode Deoxys-I-128-128, one more round than before, and we reduce the complexity of the related-tweakey rectangle attack on 12-round Deoxys-I-256-128 by a factor of $2^{28}$. Our attacks cannot be applied to (round-reduced) Deoxys-II.


Introduction
Authenticated encryption (AE) is a form of encryption that provides confidentiality, integrity and authenticity assurances on messages. The most widely used AE algorithm is AES-GCM [Nat01]. However, GCM is usually regarded as a standard that is not robust enough [NIS]. Therefore, to satisfy the growing demand for AE algorithms, a new competition named CAESAR was launched in 2014 [Com14]. In total, 57 candidates were submitted to the first round of the competition. After three rounds of assessment by cryptographers and engineers world-wide, only six authenticated encryption algorithms survived as the final CAESAR portfolio.
The Deoxys family [JNPS16] was submitted to CAESAR by Jérémy Jean et al. and is composed of two AE schemes, Deoxys-I and Deoxys-II. Deoxys-I is one of the third-round candidates. Deoxys-II, together with Ascon [DEMS15], ACORN [Wu16], AEGIS-128 [WP13], OCB [KR16] and COLM [ABD+16], has been selected for the final CAESAR portfolio, and Deoxys-II is the primary choice for the use case "Defense in depth". Both Deoxys-I and Deoxys-II adopt an AES-based tweakable block cipher (TBC), Deoxys-BC, as the underlying primitive. Deoxys-BC is designed following the TWEAKEY framework [JNP14] and comes in two versions, Deoxys-BC-256 and Deoxys-BC-384.
Tweakable block ciphers (TBC) were first proposed by Liskov et al. [LRW02] in 2002. In addition to the secret key and a plaintext, a tweakable block cipher takes another, public input called the tweak. Unlike a traditional block cipher, a TBC produces different ciphertexts for the same plaintext under the same secret key when the tweak differs. Compared with the usual TBC constructions, which take a known permutation as a black box and use the tweak as an independent input, Deoxys-BC follows the TWEAKEY framework [JNP14], which treats the key and the tweak uniformly as a single input called the tweakey. Hence Deoxys-BC can be seen as a block cipher with arbitrary tweak and key sizes. From a $(k+t)$-bit tweakey, composed of a $k$-bit key and a $t$-bit tweak, a dedicated tweakey schedule generates an $n$-bit subtweakey for each round. For Deoxys-BC, the subtweakey length is 128 bits, and the lengths of the tweak and of the key can vary within the tweakey length as long as the key size is at least the block size.
Cid et al. [CHP+17] gave the first third-party analysis of Deoxys-BC at ToSC 2017. They proposed a new method to search for related-key boomerang trails with Mixed Integer Linear Programming (MILP) by incorporating linear incompatibility, and presented an 8-round and a 9-round related-tweakey boomerang distinguisher of Deoxys-BC-256 with probability $2^{-72}$ and $2^{-122}$, and a 10-round and an 11-round related-tweakey boomerang distinguisher of Deoxys-BC-384 with probability $2^{-84}$ and $2^{-120}$, respectively. They gave related-key rectangle attacks against 9-round and 10-round Deoxys-BC-256 and against 12-round and 13-round Deoxys-BC-384. Later, based on the related-key boomerang paths proposed in [CHP+17], Sasaki introduced improved boomerang attacks on reduced-round Deoxys-BC-256 and Deoxys-BC-384 with lower complexities in [Sas18]. At EUROCRYPT 2018, Cid et al. [CHP+18] proposed a new technique named Boomerang Connectivity Table (BCT), and increased the probability of the 10-round distinguisher of Deoxys-BC-384 by a factor of $2^{0.6}$. At ToSC 2019, Wang and Peyrin [WP19] and Song et al. [SQH19] revisited the BCT and proposed a generalized framework that can be applied to multiple rounds of the boomerang switch. Wang and Peyrin [WP19] introduced a tool named Boomerang Difference Table (BDT), an improvement of the BCT that allows a systematic evaluation of the boomerang switch through multiple rounds, and hence increased the probability of the 9-round related-tweakey boomerang distinguisher of Deoxys-BC-256 by a factor of $2^{1.6}$. In addition, Mehrdad et al. [MMS18] and Zong et al. [ZDW18] evaluated the security of Deoxys-BC-256 against impossible differential attacks.
Our Contributions. By slightly modifying the MILP model of [CHP+17] used to search for boomerang distinguishers, and by further increasing the probability of the distinguishers with the BDT technique, we find a new 9-round boomerang distinguisher with probability $2^{-120.4}$ for Deoxys-BC-256 and an 11-round boomerang distinguisher with probability $2^{-122}$ for Deoxys-BC-384. Based on the new distinguishers, we give improved boomerang and rectangle attacks on reduced-round Deoxys-BC-256 and Deoxys-BC-384.
For Deoxys-BC-256, utilizing the 9-round boomerang distinguisher, we give a 10-round related-tweakey boomerang attack with a data complexity of $2^{98.4}$ adaptive chosen plaintexts and ciphertexts and a time complexity of $2^{109.1}$ encryptions. Besides, we propose a related-tweakey rectangle attack on 10-round Deoxys-BC-256 that needs $2^{114.2}$ chosen plaintexts and $2^{114.2}$ queries. Both attacks on 10-round Deoxys-BC-256 work in the popular setting $(|tweak|, |key|) = (128, 128)$. We apply the 10-round rectangle attack on Deoxys-BC-256 to the AE mode Deoxys-I-128-128 for the first time. Besides, we introduce a related-tweakey rectangle attack on 11-round Deoxys-BC-256, which covers one more round than before.
For Deoxys-BC-384, although the new 11-round boomerang distinguisher (probability $2^{-122}$) has a lower probability than the one in [CHP+17], it works more effectively in our boomerang and rectangle attacks. We present improved related-tweakey boomerang attacks on 12-round and 13-round Deoxys-BC-384. The 13-round attack needs $2^{125}$ adaptive chosen plaintexts and ciphertexts and $2^{191.3}$ encryptions, and works in the popular setting $(|tweak|, |key|) = (128, 256)$ of Deoxys-BC-384. Furthermore, we introduce a related-tweakey rectangle attack on 12-round Deoxys-BC-384 with $2^{115}$ chosen plaintexts, which can be applied to the AE mode Deoxys-I-256-128 as well. What's more, we propose the first related-tweakey rectangle attack on 14-round Deoxys-BC-384, with $2^{127}$ chosen plaintexts and $2^{286.2}$ encryptions.

In [Sas18], by changing the differential trail into a truncated differential trail in one of the two pairs of the boomerang quartet, the probability of the partial differential through the Sbox on one side of the boomerang distinguisher in the first round can be saved, which increases the probability of the distinguisher. Both Sasaki's attack and ours use structures to collect plaintexts or ciphertexts; the differences between our attack and Sasaki's attack [Sas18] are as follows:
1. Both Sasaki's attack and ours use a shortened boomerang distinguisher. For example, Sasaki [Sas18] gave a 10-round related-tweakey boomerang attack on Deoxys-BC-256 based on the 9-round distinguisher, and treated the active bytes of the first round on one side as a truncated differential, which increases the probability of the distinguisher. In contrast, we analyze 10-round Deoxys-BC-256 with an 8-round distinguisher, whose probability is higher than Sasaki's.
2. Our attacks utilize more effective related-tweakey boomerang trails, as described in Section 4. There are fewer active bytes when appending one or two rounds at the end of the distinguisher than with the one introduced in [CHP+17], which leads to fewer subtweakey bytes to be guessed and more wrong quartets to be filtered out in advance.
3. In the key recovery process, instead of guessing all of the subtweakey at once, we determine whether a candidate quartet is useful by guessing only a small fraction of the unknown related subtweakey bytes.
All three advantages help us to attack Deoxys-BC with a lower time complexity.

Description of Deoxys and Deoxys-BC
Deoxys-BC is an ad-hoc tweakable block cipher of the Deoxys authenticated encryption scheme, conforming to the TWEAKEY framework [JNP14]. Therefore, it takes a tweak $T$ as a third input in addition to the two standard inputs of a block cipher, a plaintext $P$ and a key $K$. Deoxys-BC-256 and Deoxys-BC-384 are the internal primitives of the Deoxys authenticated encryption scheme. Both versions of the cipher have a 128-bit state and variable-size key and tweak, and are defined in the standard way, i.e. $E_K(T, P) = C$ and $D_K(T, C) = P$. According to the TWEAKEY framework, we can use a tweakey to provide a unified view of the tweak and of the key. The length of the tweakey is the cumulative size of the key and of the tweak. The tweakey size for Deoxys-BC-$n$ ($n = 256, 384$) is $n$.
In Deoxys, the key size and tweak size can be chosen by the user as long as the key size is at least 128 bits. For more details, we refer to [JNPS16]. Deoxys-BC is an AES-like design, i.e., it is an iterative substitution-permutation network (SPN) that transforms the initial plaintext into a ciphertext through a series of AES round functions. The number $r$ of rounds is 14 and 16 for Deoxys-BC-256 and Deoxys-BC-384, respectively. As Deoxys uses the AES round function, the bytes of the $4 \times 4$ state matrix are indexed as

    0  4  8  12
    1  5  9  13
    2  6  10 14
    3  7  11 15

Similarly to AES, every round consists of the following transformations, for example in round $i$, $0 \le i \le r-1$:
• AddRoundKey (AK) - XOR the 128-bit round subtweakey (i.e. $STK_i$, defined further below) to the internal state.
• SubBytes (SB) - Apply the 8-bit AES [DR02] Sbox $S$ to each of the 16 bytes of the internal state separately.
• MixColumns (MC) - Multiply the internal state by the $4 \times 4$ constant MDS matrix $M$, whose coefficients lie in the finite field $GF(2^8)$; the multiplication is performed modulo the irreducible polynomial $x^8 + x^4 + x^3 + x + 1$.
After the last round, a final AddRoundKey operation, which XORs the subtweakey $STK_r$ to the state, is performed to produce the ciphertext.
Definition of the Subtweakeys. The key schedule of Deoxys-BC is a linear transformation, unlike that of AES. Following [JNPS16], we denote the concatenation of the key $K$ and the tweak $T$ by $KT$, i.e. $KT = K \| T$. The tweakey state is then divided into 128-bit words. For Deoxys-BC-256, $KT$ is 256 bits long, and we denote the first (most significant) 128-bit word by $TK^1$ and the second word by $TK^2$. For Deoxys-BC-384, $KT$ is 384 bits long, and the first (most significant), second and third 128-bit words are denoted $TK^1$, $TK^2$, $TK^3$ respectively. Finally, a 128-bit subtweakey $STK_i$ is produced in round $i$ ($i \ge 0$) and added to the state in the AddRoundKey operation. The subtweakey $STK_i$ is defined, for Deoxys-BC-256 and for Deoxys-BC-384 respectively, in terms of the 128-bit words $TK^1_i$, $TK^2_i$, $TK^3_i$, which are the outputs of a dedicated tweakey schedule algorithm initialized with $TK^1_0 = TK^1$, $TK^2_0 = TK^2$ for Deoxys-BC-256, and with an additional $TK^3_0 = TK^3$ for Deoxys-BC-384. The tweakey schedule algorithm uses a linear byte permutation $h$ defined by:

    i    : 0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15
    h(i) : 1  6  11 12 5  10 15 0  9  14 3  4  13 2  7  8

The $LFSR_2$ and $LFSR_3$ functions simply apply a linear feedback shift register to each of the 16 bytes of a 128-bit tweakey word. The two linear functions are defined in Table 2.
Besides, $RC_i$ denotes the round constant used in the tweakey schedule. For more clarity, the tweakey schedule and the encryption process are illustrated in Figure 1.
According to [JNPS16], Deoxys uses 4-bit prefixes for the tweak input, so the amount of data an attacker can obtain under the same key cannot exceed $2^{124}$ blocks. For more details, we refer to [JNPS16].

Notations and Definitions
The following notations are used throughout the rest of the paper.

• $X_i$: state before the AddRoundKey operation in round $i$, $0 \le i \le r-1$
• $Y_i$: state after the AddRoundKey operation in round $i$, $0 \le i \le r-1$
• $Z_i$: state after the ShiftRows $\circ$ SubBytes operation in round $i$, $0 \le i \le r-1$

Thus the internal states of the $i$-th round ($0 \le i \le r-1$) are as follows:

The Boomerang and Rectangle Attacks
The boomerang attack is a differential attack proposed by Wagner [Wag99]. It attempts to generate a quartet structure at an intermediate value halfway through the cipher.
The boomerang attack allows an attacker to concatenate two shorter differential paths when long differentials with probability higher than that of a random permutation cannot be found. That is, the adversary splits the encryption process $E(\cdot)$ into two shorter sub-processes $E = E_1 \circ E_0$, where $E_0$ represents the first half of the cipher and $E_1$ the second half. For the sub-cipher $E_0$ there is a differential characteristic $\alpha \to \beta$ with probability $p$, and for $E_1$ a differential characteristic $\gamma \to \delta$ with probability $q$.
If the plaintexts and ciphertexts pass the boomerang distinguisher, a right quartet $(m, m', \bar m, \bar m')$ is obtained. The adversary gets a correct quartet with probability $p^2 q^2$. However, when $m \oplus m' = \alpha$, a pair $(\bar m, \bar m')$ satisfies $\bar m \oplus \bar m' = \alpha$ with an average probability of $2^{-n}$ for a random permutation. Therefore, for the differentials to be usable, the probability of the corresponding boomerang distinguisher has to satisfy $pq > 2^{-n/2}$.
The boomerang attack was further developed into a chosen-plaintext attack by Kelsey et al. [KKS00], called the amplified boomerang attack, which was independently introduced as the rectangle attack by Biham et al. in [BDK01]. The rectangle attack is a chosen-plaintext attack that obtains a right quartet with probability $2^{-n} p^2 q^2$. As pointed out there, if one only fixes the values $\alpha$ and $\delta$ and allows any values of $\beta$ and $\gamma$ as long as $\beta \ne \gamma$, the probability of obtaining a correct quartet increases to $2^{-n} \hat p^2 \hat q^2$, where $\hat p = \sqrt{\sum_{\beta_i} \Pr^2(\alpha \to \beta_i)}$ and $\hat q = \sqrt{\sum_{\gamma_j} \Pr^2(\gamma_j \to \delta)}$.
Related-tweakey boomerang and rectangle attacks were proposed by Biham et al. in [BDK05]. Assume one has a related-tweakey differential $\alpha \to \beta$ over $E_0$ under a key difference $\Delta K$ with probability $p$, and another related-tweakey differential $\gamma \to \delta$ over $E_1$ under a key difference $\nabla K$ with probability $q$. As shown in Figure 2, if $K_1$ is known, the other three keys are all determined, where
3. Check whether the difference of $(\bar m, \bar m')$ is equal to $\alpha$ or not.

General Strategy of Key-recovery Attacks using Structures
In this section, we briefly describe the key-recovery models of the related-tweakey boomerang attack and rectangle attack on block ciphers with a linear key schedule, which are mainly based on the previous works [BDK01, BDK05, BK09].

Related-tweakey Rectangle Attack
We follow the symbolic style of Liu et al. [LGS17] and denote the whole cipher $E$ as $E = E_f \circ E' \circ E_b$, where $E'$ is the rectangle distinguisher and $E_b$ and $E_f$ are the rounds added at the start and at the end of the distinguisher, respectively. Denote the block size by $n$, the number of active bytes of the input difference of $E_b$ by $r_b/8$, and the number of subtweakey bits to be guessed in $E_b$ by $m_b$. Similarly, we define $r_f$ and $m_f$ for $E_f$. When $r_b/8 \le 15$, i.e. when prepending $E_b$ to the rectangle distinguisher $E'$ still leaves inactive Sboxes in the input of $E_b$ (for instance, the attacks shown in Subsection 6.4), and with $k$ denoting the master key size, we give the following general model:
2. For each structure, query the $2^{r_b}$ plaintexts to the encryption oracle under $K_1$, $K_2$, $K_3$ and $K_4$ and obtain four plaintext-ciphertext sets denoted by $L_1$, $L_2$, $L_3$ and $L_4$, where $K_1$ is the secret key and $K_2$, $K_3$, $K_4$ are the related keys determined by it (see Figure 2). Insert $L_2$ and $L_4$ into hash tables $H_1$ and $H_2$ indexed by the $r_b$ bits of the plaintexts.
3. Guess the $m_b$ subtweakey bits involved in $E_b$:
(a) Initialize a list of $2^{m_f}$ counters, each of which corresponds to an $m_f$-bit subtweakey guess.
(b) For each structure, partially encrypt each plaintext $m \in L_1$ to the position of $\alpha$ under the guessed subtweakeys, XOR the known difference $\alpha$, and partially decrypt the result to the plaintext $\bar m$. Then look up $H_1$ to find the plaintext-ciphertext pair indexed by the $r_b$ bits. Do the same for $m'$ and $\bar m'$. We obtain two sets
(c) With $y$ structures, the sizes of $S_1$ and $S_2$ are $y \cdot 2^{r_b}$. Insert $S_1$ into a hash table $H_3$ indexed by the $n - r_f$ bits of $c$ and the $n - r_f$ bits of $\bar c$ that are set to 0 in the output difference of $E_f$ propagated from $\delta$. Then for each element of $S_2$, find the corresponding $(m, c, \bar m, \bar c)$ satisfying $c \oplus c' = 0$ and $\bar c \oplus \bar c' = 0$ in the $r_f$ bits. In total we obtain $y^2 \cdot 2^{2r_b - 2(n - r_f)}$ quartets.
(d) Use all the quartets obtained in step (c) to recover the subtweakeys involved in $E_f$. This phase is a guess-and-filter procedure; for details, we refer to the key-recovery phase of Subsection 5.1. We denote the time complexity of this step by $\varepsilon$.
(e) Select the top $2^{m_f - h}$ hits in the counters as candidates, which delivers an $h$-bit or higher advantage.
The data complexity is $4y \cdot 2^{r_b}$ chosen plaintexts, and the key recovery process performs $2^{m_b}(2y \cdot \varepsilon$ encryptions. The total time complexity, including data collection, key recovery and exhaustive search of the remaining unknown key bits, is $4y$

Success Probability. For both boomerang and rectangle attacks, with the same method as in [Sel08], the success probability is evaluated as
where $S_N$ is the signal-to-noise ratio, $S_N = \hat p^2 \hat q^2 / 2^{-n}$. Note that in Subsection 6.2, all the bytes of the input of the 11-round rectangle attack on Deoxys-BC-256 are active, i.e. $r_b/8 = 16$. In this situation, we have to adapt the data collection phase to avoid using the full codebook. As the method is dedicated to the attack on Deoxys-BC-256, we refer the reader to Subsection 6.2 for the details.

Related-tweakey Boomerang Attack
We first explain how to append one or two rounds $E_f$ at the end of the boomerang distinguisher $E'$. We express the cipher as $E = E_f \circ E'$. The symbols are the same as in Subsubsection 2.4.1. The related-tweakey boomerang attack on Deoxys-BC can be summarized as follows:
Then we compute the set $L_2$ under $K_3$ and $K_4$ in a similar way:
3. Insert $L_1$ into a hash table $H_1$ indexed by the $n - r_f$ bits of $\bar c$. Then for each element of $L_2$, find the corresponding $(m, c, \bar m, \bar c)$ colliding in the $n - r_f$ bits. We obtain a total of $y$
4. The process that recovers the subtweakeys involved in $E_f$ is the same as in the related-tweakey rectangle attack above; the complexity of this step is denoted by $\varepsilon$.
The attack needs $4y \cdot 2^{r_f}$ adaptively chosen ciphertexts and plaintexts, and $y \cdot 2^{r_f}$ lookups to construct quartets. The time complexity of the key recovery process is $y \cdot 2^{3r_f - n} \cdot \varepsilon$ encryptions. The memory complexity is $2^{r_f} + 2^{m_f}$.

Searching Truncated Differentials and Corresponding Characteristics
As described in [CHP+17], to find a boomerang distinguisher over $R_1 + R_2$ rounds, an MILP model covering $R_1 + 1$ rounds for the upper part and $R_2 + 1$ rounds for the lower part is needed. However, when using the distinguisher to launch a key-recovery attack, a trail with fewer active Sboxes after appending certain rounds is preferred. Note that, given an $(R_1 + R_2)$-round boomerang distinguisher of Deoxys-BC, when appending the first extra round at the end, the first operation is AddRoundKey, where the output difference of the $(R_1 + R_2)$-round distinguisher may be cancelled by the difference of the AddRoundKey. When appending the second extra round, however, all the differences of the internal state are in truncated form, hence the difference of the AddRoundKey will not cancel the difference of the internal state. We list the detailed constraints below.

1. For the first extra round. This is the first round extended from the distinguisher. We denote the state in AddRoundKey by $(x_i, stk_i, y_i)$, i.e. $x_i \oplus stk_i = y_i$ for the $i$-th byte. The constraints for the AddRoundKey operation in this round are identical to those in [CHP+17], which exclude $(x_i, stk_i, y_i) \in \{(0, 0, 1), (0, 1, 0), (1, 0, 0)\}$, as in Equation (3). The differences of the active bytes of the internal state are indeterminate after the SubBytes operation. Therefore, the constraints for the MixColumns operation differ from those in [CHP+17], which only enforce a branch number of 5: here all 4 bytes of a column are active after the MC function if any byte of this column is active before it. Let the Boolean variables $(x_i, x_{i+1}, x_{i+2}, x_{i+3})$ denote the activeness of the 4 input bytes of the MC function and $(y_i, y_{i+1}, y_{i+2}, y_{i+3})$ that of the 4 output bytes; then the constraints are as follows, where $d_k$ is a dummy variable that equals zero only when $x_i, x_{i+1}, x_{i+2}, x_{i+3}$ are all zero.

2. For the second extra round. The state differences at the start of the second extra round are all in truncated form, therefore cancellation cannot occur in the AddRoundKey operation. For $(x_i, stk_i, y_i)$ with $x_i \oplus stk_i = y_i$, $y_i$ must be active if $x_i$ or $stk_i$ is active. The constraints differ from Equation (3) and are expressed as
Since we do not consider the last MixColumns operation in the key-recovery attacks, there are no constraints for it.
At the end of the MILP model, we add an extra constraint restricting the number of active bytes in the ciphertext difference. If $y_i$ ($0 \le i \le 15$) denote the differences of the 16 bytes of the ciphertext, we add $\sum_{i=0}^{15} y_i \le l$, where $l$ is tested from 0 to 15. By running the MILP model, we find a 9-round truncated boomerang differential with 9 active Sboxes and 9 active bytes in the ciphertext difference when extending one round for Deoxys-BC-256, as well as an 11-round truncated boomerang differential with 9 active Sboxes and 12 active bytes in the ciphertext difference when extending two rounds for Deoxys-BC-384.

Deduce all the master tweakey differences. With the truncated boomerang differential, we can easily deduce the space of master tweakey differences and discard those that are not compatible with the difference distribution table of the Sbox; the method is the same as in [CHP+17], but we keep all the right trails. Then we check whether the probability of these trails can be increased by the BDT technique [WP19].

Increase the Probability Further
4. Ask for the decryption of $C_3$ and $C_4$ under $K_3$ and $K_4$ separately, and denote the new plaintexts $P_3$ and $P_4$ respectively.

Boomerang Switch and Boomerang Connectivity Table.
The boomerang switch, proposed in [BK09], was used to obtain free rounds in the middle of the cipher in the attacks against full AES-192 and AES-256. The idea was to optimize the transition between the sub-paths of $E_0$ and $E_1$ in order to minimize the overall complexity of the distinguisher. In [BK09], two S-box based switches were introduced: the ladder switch and the S-box switch. The idea of the ladder switch is that, instead of necessarily decomposing the cipher into rounds, one can decompose it into smaller parallel transformations, which may lead to better distinguishers. The idea of the S-box switch is that when the same S-box is active in both $E_0$ and $E_1$, and the output difference in $E_0$ is identical to the input difference in $E_1$, the differential transition through the S-box is free in one of the two directions. These switches were further generalized with the boomerang connectivity table [CHP+18], whose definition we recall here.
Definition 1 ([CHP+18]). Let $S$ be an invertible function from $\mathbb{F}_2^n$ to $\mathbb{F}_2^n$, and $\Delta_0, \nabla_0 \in \mathbb{F}_2^n$. The boomerang connectivity table (BCT) of $S$ is a $2^n \times 2^n$ table in which the entry for $(\Delta_0, \nabla_0)$ is computed by:
The generation of the BCT is visualized in Figure 3. The ladder switch is captured by the BCT in the case where at least one of the indices equals zero. The S-box switch is captured by the BCT in the case where $\nabla_0$ equals $\Delta_1$. Moreover, the incompatibility pointed out by Murphy [Mur11] simply corresponds to zero entries in the BCT. The process of generating a right quartet at the S-box level is visualized in Figure 3. The BDT gives the probability of generating a boomerang quartet with a given differential trail at the Sbox level. When the boomerang comes back, $\nabla_1$ determines the differential characteristic in the backward rounds, so, similarly to the BDT, there is a definition of BDT'.

Definition 2 (BDT') [WP19]. BDT' takes into account $(\nabla_0, \nabla_1, \Delta_0)$ and is defined as

Increase the probability by BDT and BDT'. For each differential trail obtained in Subsection 3.1, we check whether the BDT and BDT' can be applied to increase its probability. We take the 9-round distinguisher of Deoxys-BC-256 listed in Table 4 as an example to describe the process. In the two-round boomerang switch, the BDT is used in the first Sbox layer and the BDT' is applied in the second Sbox layer.
For the known master tweakey difference, the values of $\Delta Y_6$ and $\nabla Z_6$ can be deduced. Therefore, the $\Delta_0$ used in the BDT and the $\nabla_0$ used in the BDT' are known, i.e. $\Delta_0 = \Delta Y_5[9] = $ 0x80 and $\nabla_0 = \nabla Z_6[1] = $ 0x32. We follow the steps below to determine the exact probability of the trail.
2. For each 3-tuple obtained in step 1, since $\Delta Z_5[5] = \Delta_1$ is known, the value of $\Delta Y_6[5]$, which will be used as $\Delta_0$ in the BDT', can be computed with the MC function, and we construct the BDT' with the fixed $\Delta_0 = \Delta Y_6[5]$.
3. Output all 3-tuples (0x32, $\nabla_1$, $\Delta_0$) whose entry in the BDT' is greater than 0.
With the above process, we find a total of two differential characteristics for the two-round switch, listed in Table 4 and Table 5. In Table 4, the entry of (0x80, 0xae, 0x00) in the BDT is 4 and the entry of (0x32, 0x47, 0x47) in the BDT' is 2, which contribute probabilities of $2^{-6}$ and $2^{-7}$ respectively, so the probability of this two-round switch is $2^{-13}$. In Table 5, the entry of (0x80, 0x96, 0x96) in the BDT is 2 and the entry of (0x32, 0x37, 0x37) in the BDT' is 2, which makes the probability of this two-round switch $2^{-14}$. Therefore, the total probability of the two-round switch is $2^{-13} + 2^{-14} = 2^{-12.4}$, and the probability of the 9-round related-tweakey boomerang distinguisher for Deoxys-BC-256 is $2^{-120.4}$. Among the other trails in the truncated differential, there is none with a probability greater than $2^{-120.4}$.
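As an added example (not code from the paper), the following Python generates the AES S-box used by Deoxys-BC and computes the DDT, BCT, BDT and BDT' entries on which the two-round switch analysis above relies; the table definitions follow [CHP+18] and [WP19], the sample tuples are the ones the text takes from Table 4 and Table 5, and `two_round_switch_log2` combines entries exactly as the text does.

```python
import math

# Added example, not code from the paper: the AES S-box (as used by Deoxys-BC)
# and the DDT / BCT / BDT / BDT' entries behind the boomerang-switch probability.

def aes_sbox():
    """Generate the AES S-box: inverse in GF(2^8) mod x^8+x^4+x^3+x+1, then the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        # p walks through every non-zero field element (successive powers of 3 = x+1)
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        # q is kept equal to p^{-1}: divide by 3, i.e. multiply by 0xF6
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        # affine part: q ^ rotl(q,1) ^ rotl(q,2) ^ rotl(q,3) ^ rotl(q,4) ^ 0x63
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63  # 0 has no inverse; it maps to the affine constant
    return sbox

def invert(sbox):
    """Inverse S-box, needed for the backward (decryption) side of the boomerang."""
    inv = [0] * 256
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv

def ddt_entry(sbox, delta0, delta1):
    """DDT(D0, D1) = #{x : S(x) ^ S(x ^ D0) = D1}."""
    return sum(1 for x in range(256) if sbox[x] ^ sbox[x ^ delta0] == delta1)

def bct_entry(sbox, inv, delta0, nabla0):
    """BCT(D0, N0) = #{x : S^-1(S(x) ^ N0) ^ S^-1(S(x ^ D0) ^ N0) = D0}  [CHP+18]."""
    return sum(1 for x in range(256)
               if inv[sbox[x] ^ nabla0] ^ inv[sbox[x ^ delta0] ^ nabla0] == delta0)

def bdt_entry(sbox, inv, delta0, delta1, nabla0):
    """BDT(D0, D1, N0): the BCT condition restricted to the x whose forward
    S-box transition is D0 -> D1  [WP19]."""
    return sum(1 for x in range(256)
               if sbox[x] ^ sbox[x ^ delta0] == delta1
               and inv[sbox[x] ^ nabla0] ^ inv[sbox[x ^ delta0] ^ nabla0] == delta0)

def bdt_prime_entry(sbox, inv, nabla0, nabla1, delta0):
    """BDT'(N0, N1, D0): the BCT condition restricted to the x whose backward
    transition through S^-1 under N0 is N1, i.e. S^-1(S(x) ^ N0) ^ x = N1  [WP19]."""
    return sum(1 for x in range(256)
               if inv[sbox[x] ^ nabla0] ^ x == nabla1
               and inv[sbox[x] ^ nabla0] ^ inv[sbox[x ^ delta0] ^ nabla0] == delta0)

def entry_log2(entry):
    """Probability contributed by one table entry, as log2(entry / 2^8)."""
    return math.log2(entry / 256)

def two_round_switch_log2(trails):
    """Sum the probabilities of several two-round switch characteristics, each given
    as (first-layer BDT entry, second-layer BDT' entry), and return log2 of the total."""
    total = sum((e1 / 256) * (e2 / 256) for e1, e2 in trails)
    return math.log2(total)

if __name__ == "__main__":
    S = aes_sbox()
    S_INV = invert(S)
    # Tuples the paper reports for the Deoxys-BC-256 switch (Table 4 and Table 5).
    print("BDT (0x80,0xae,0x00) =", bdt_entry(S, S_INV, 0x80, 0xae, 0x00))
    print("BDT'(0x32,0x47,0x47) =", bdt_prime_entry(S, S_INV, 0x32, 0x47, 0x47))
    print("BDT (0x80,0x96,0x96) =", bdt_entry(S, S_INV, 0x80, 0x96, 0x96))
    print("BDT'(0x32,0x37,0x37) =", bdt_prime_entry(S, S_INV, 0x32, 0x37, 0x37))
    # Entries 4, 2 and 2, 2 as in the text give 2^-13 + 2^-14 = 2^-12.4
    print("switch log2 prob = %.2f" % two_round_switch_log2([(4, 2), (2, 2)]))
```

With $\nabla_0 = 0$ the BDT collapses to the DDT (ladder switch), and with $\nabla_1 = \Delta_0$ the BDT' collapses to a DDT entry of the forward S-box (S-box switch), which is why the 0x47/0x47 and 0x37/0x37 tuples above are plain differential probabilities.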
For the 11-round distinguisher of Deoxys-BC-384, we do not find trails with a probability greater than $2^{-122}$ with the help of the BDT technique.
Experimental Verification. Similarly to [WP19], we use $2^{20}$ randomly chosen plaintexts and tweakeys for the 2-round boomerang switch and repeat the experiment 1000 times. The results show that the average probability of getting a right quartet is $2^{-12.4}$ for Deoxys-BC-256 and $2^{-14}$ for Deoxys-BC-384, which verifies the correctness of our characteristics.

Advantages of the New Distinguishers
We construct two more effective related-tweakey boomerang distinguishers: a 9-round distinguisher of Deoxys-BC-256 and an 11-round distinguisher of Deoxys-BC-384. For both ciphers, we only modify the lower part of the trails compared with those in [CHP+17].
It is obvious that the 9-round related-tweakey boomerang distinguisher can be transformed into a 9-round related-tweakey rectangle distinguisher, whose probability is $\hat p^2$

New 11-round Related-tweakey Boomerang Distinguisher of Deoxys-BC-384.
We search for an 11-round related-tweakey boomerang distinguisher of Deoxys-BC-384, illustrated in Table 7. The probability of the 11-round boomerang distinguisher is $\hat p^2 \cdot \hat q^2 = 2^{-122}$. Note that the last column in the last round at the end of the boomerang trail is (d9, 00, 00, 38), which becomes (91, e1, 91, 00) after the MixColumns operation. If we extend the trail of $E_1$ forward by two rounds, there are only 12 active bytes after the SubBytes operation in the last round, as shown in Figure 6, whereas there are 16 active bytes with Cid et al.'s distinguisher [CHP+17], which is listed in Table 6 and shown in Figure 7. Using the new distinguisher, we can attack reduced-round Deoxys-BC-384 for one more round than before, although the probability of the boomerang distinguisher is slightly lower than that in [CHP+17].

New Related-tweakey Boomerang Attacks on Round-Reduced Deoxys-BC
Deoxys-BC includes a MixColumns operation in the last round, but it is well known that the last MixColumns is a linear operation that does not affect differential cryptanalysis. Indeed, attackers can analyze $MC^{-1}(\Delta c)$ instead of $\Delta c$, where $c$ is the ciphertext. To simplify the discussion, we omit the last MixColumns operation and the effect of the key difference, and denote $MC^{-1}(c)$ (i.e. the state $Z$) by $c$ in the last round.
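As an added example (not code from the paper), the following Python implements the AES MixColumns used by Deoxys-BC on a column and its inverse, reproduces the last-column transition (d9, 00, 00, 38) to (91, e1, 91, 00) of the 11-round Deoxys-BC-384 distinguisher from Section 4, and shows the $MC^{-1}(\Delta c)$ step used here; the byte indexing is the column-major layout given in Section 2, and the sample ciphertexts are constructed.

```python
from functools import reduce
from operator import xor
import random

# Added example, not code from the paper: AES MixColumns (as used by Deoxys-BC)
# applied to differences, plus the inverse used to analyse MC^-1(delta c).

def xtime(a):
    """Multiply a by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    if a & 0x100:
        a ^= 0x11B
    return a & 0xFF

def gf_mul(a, b):
    """Multiplication in GF(2^8) (FIPS-197 example: {57} * {83} = {c1})."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r

MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
MC_INV = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def mix_column(col, matrix=MC):
    """Multiply a 4-byte column by the MixColumns (or inverse) matrix."""
    return [reduce(xor, (gf_mul(m, c) for m, c in zip(row, col))) for row in matrix]

def inv_mix_column(col):
    return mix_column(col, MC_INV)

def mix_columns(state, matrix=MC):
    """Apply MixColumns to a 16-byte state in the column-major byte order
    0 4 8 12 / 1 5 9 13 / 2 6 10 14 / 3 7 11 15 used in the paper."""
    out = []
    for j in range(4):
        out.extend(mix_column(state[4 * j:4 * j + 4], matrix))
    return out

def active_bytes(diff):
    """Number of non-zero bytes in a (column or state) difference."""
    return sum(1 for b in diff if b)

def branch_weight(col):
    """Active input bytes + active output bytes of MC; at least 5 for any non-zero
    column because the matrix is MDS (the 'branch number 5' constraint of Section 3)."""
    return active_bytes(col) + active_bytes(mix_column(col))

def ciphertext_diff_before_mc(c1, c2):
    """MC is linear, so MC^-1(c1 ^ c2) = MC^-1(c1) ^ MC^-1(c2): the difference in the
    state Z of the last round is read directly from the ciphertext difference."""
    return mix_columns([a ^ b for a, b in zip(c1, c2)], MC_INV)

if __name__ == "__main__":
    col = [0xD9, 0x00, 0x00, 0x38]  # last column of the trail in Table 7
    out = mix_column(col)
    print("MC(d9,00,00,38) =", ["%02x" % b for b in out])  # 91 e1 91 00
    print("active in/out:", active_bytes(col), active_bytes(out),
          "(a truncated model would predict 4 active output bytes)")
    # Constructed random ciphertexts to check the MC^-1 trick on a full state.
    rng = random.Random(1)
    c1 = [rng.randrange(256) for _ in range(16)]
    c2 = [rng.randrange(256) for _ in range(16)]
    z1, z2 = mix_columns(c1, MC_INV), mix_columns(c2, MC_INV)
    assert ciphertext_diff_before_mc(c1, c2) == [a ^ b for a, b in zip(z1, z2)]
```

The output column has one inactive byte (3 active out of 4), which a truncated activeness model cannot express; this is exactly the slack the new distinguisher exploits to end with 12 rather than 16 active bytes.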
The attack process includes data collection phase and key recovery phase, and following the general process in Subsubsection 2.4.2 r f = 72 and m f = 88.Data Collection.This boomerang attack is an adaptive chosen plaintexts and ciphertexts attack.We construct structures of ciphertexts, which traverse all the possible values of the 9 active bytes Z 9 [j], j = 1, 2, 4, 5, 6, 8, 11, 14, 15, while the other 7 bytes are fixed to a constant.For each structure S, we query the corresponding sets L 1 , L 2 under the two related keys K 1 and K 3 , i.e.
Then we compute m = m ⊕ α, ∀m ∈ L 1 and query the new ciphertexts c under the key K 2 and update and query the new ciphertexts c under the key K 4 and update Insert the elements of L 1 into a hash table H 1 indexed by 7 bytes c [j] (j = 0, 3, 7, 9, 10, 12, 13) of L 1 (note that ciphertexts c, c here are equivalent to Z 9 for simplicity).Then for elements of L 2 , we check H 1 to find the elements of L 1 , where c ⊕ c ∈ η.Each structure provides 2 72 ciphertext pairs (c, c ) and (c, c ), there are 2 72 • 2 72 • 2 −56 = 2 88 quartets whose differences satisfy c ⊕ c ∈ η and c ⊕ c ∈ η.There are 2 88 • 2 t = 2 t+88 quartets remaining for 2 t structures.Key Recovery.As illustrated in Figure 8, 9 bytes of equivalent subtweakeys of ST K 10 and 2 bytes of equivalent subtweakeys of ST K 9 are involved in the partial decryption process from ciphertexts to ∆Y 8 .For the sake of clearness, we denote the equivalent subtweakeys Take the example of IK 9 [4] in round 9 in Figure 8.To get the value of Y 9 [4], we need the value of Z 9 [4], which equals (note that c[i] is the i-th byte of ciphertext): as a byte of the equivalent subtweakey.
We optimize the complexity of the key recovery phase by guessing some equivalent key bytes separately. We initialize a list of $2^{88}$ counters, each of which corresponds to an 88-bit subtweakey guess. For the $2^{t+88}$ remaining quartets $(c, c', \bar{c}, \bar{c}')$, we use the following attack process to recover the key.
1. The input difference $\Delta Y_9[14]$ of the Sbox is known and the corresponding output difference is obtained from the ciphertext pairs; therefore we get an 8-bit subtweakey from the ciphertext pair $(c, \bar{c})$ on average. Then decrypt $(c', \bar{c}')$ to $Y_9[14]$ using the corresponding 8-bit subtweakey. If the difference is not equal to the known difference, we eliminate the quartet. Otherwise, we keep the quartet and the 8-bit subtweakey. There are about $2^{t+80}$ remaining quartets.

and $h = 19$, the total complexity is $2^{114.2}$ queries and $2^{109.1} + 2^{128-19} \approx 2^{110.05}$ encryptions, the memory complexity is bounded by the data volume in the hash table $H_1$, which is $2^{112.2}$, and the success probability is 74.75%.

Rectangle Attack on 11-Round Deoxys-BC-256
We mount an 11-round rectangle attack on Deoxys-BC-256 by prefixing one round at the beginning and appending two rounds at the end of the 8-round rectangle distinguisher used in Subsection 6.1, as illustrated in Figure 9. It is obvious that $\alpha$ propagates to 16 active bytes in $\Delta Y_0$ of the first round, so that all 16 bytes of the subtweakey $STK_0$ are involved. Choose $2^{112+t}$ plaintexts by traversing the first 14 bytes of the plaintext and choosing $2^t$ values of the 14-th and 15-th bytes at random, and query their corresponding ciphertexts under the keys $K_1$, $K_2$, $K_3$ and $K_4$, respectively. We denote the 4 plaintext-ciphertext sets as $L_1$, $L_2$, $L_3$ and $L_4$. Obviously, the size of each $L_i$ ($i = 1, 2, 3, 4$) is $2^{112+t}$. We insert $L_2$ and $L_4$ into the hash tables $H_1$ and $H_2$, respectively, indexed by the plaintext bytes $m[j]$ ($j = 0, \dots, 13$). So under each index in $H_1$ or $H_2$ there are $2^t$ elements. Then carry out the following process to recover the key.
3. Recover 11 bytes of equivalent subtweakeys with a method similar to the one in the rectangle attack on 10-round Deoxys-BC-256, exhaustively search the unknown remaining subtweakeys under the guessed $STK_0$, and verify the key with two plaintext-ciphertext pairs. If the key is wrong, we start another guess of

Complexity Computation. The complexity of data collection is $4 \cdot 2^{112+t}$ queries. In the key recovery phase, the complexity of step 1 is about $\cdot 2/16$ one-round encryptions, and that of steps 2 and 3 is $2^{112} \cdot 2^{4t+96}$ one-round encryptions, which is equivalent to about $2^{4t+221}/11 = 2^{4t+217.5}$ encryptions. There are $2^{112+2t} \cdot 2^{112+2t} \cdot 2^{-32} \cdot 2^{-96.4} \cdot 2^{-128} = 2^{4t-32.4}$ right quartets. The expected counter of the right key is $2^{4t-32.4}$, and the expected counter of a wrong key is $2^{4t-62.4}$ for each guessed $STK_0[0, \dots, 13]$. When $t = 8.1$ and $h = 19$, the data complexity is $2^{122.1}$ chosen plaintexts, the total complexity is $2^{122.1}$ queries, $2^{249.9} + 2^{256-19} \approx 2^{249.9}$ encryptions and $2^{240.2}$ table lookups, the memory complexity is $2^{128.2}$, which corresponds to the size of the set $S_1$, and the success probability is 74.75%.

Related-tweakey Rectangle Attack on 12-round Deoxys-BC-384
We extract the first 10 rounds of the trail in Table 7 to construct a 10-round related-tweakey rectangle distinguisher with probability $p^2 \cdot q^2 \cdot 2^{-128} = 2^{-224}$. We append two rounds at the end of the 10-round trail to mount a 12-round related-tweakey rectangle attack on Deoxys-BC-384; the difference propagation is shown in Figure 12 in Appendix A. The data collection process is similar to that in Subsection 6.1, so we omit it here. Note that there are 10 zero-difference bytes in $\Delta Z_{11}$; therefore, $2^{2t} \cdot (2^{-80})^2 = 2^{2t-160}$ quartets remain. In summary, $2^{t+2}$ queries are made and the complexity of key recovery is $2^{2t-160}$ one-round encryptions, which is about $2^{2t-160}/12 = 2^{2t-163.6}$ encryptions. Because the probability of the 10-round related-tweakey rectangle distinguisher is $2^{-224}$, there are $2^{2t} \cdot 2^{-224} = 2^{2t-224}$ right quartets in data collection in total. When the key size is $k = 128$, we choose $t = 112$ and $h = 20$; we need $2^{114}$ queries and $2^{60.4} + 2^{128-20} \approx 2^{108}$ encryptions in the key recovery process, the memory complexity is $2^{112}$, and the success probability is 65.60%. When the key size is $k = 256$, we choose $t = 113$; the total complexity is $2^{115}$ queries, the memory complexity is $2^{113}$, and the success probability is 84.60%, where $h = 48$ and the time complexity is bounded by the $2^{k-h} = 2^{208}$ encryptions.

Related-tweakey Rectangle Attack on 14-round Deoxys-BC-384
Making use of the 11-round trail in Table 7, we construct an 11-round related-tweakey rectangle distinguisher with probability $p^2 \cdot q^2 \cdot 2^{-128} = 2^{-250}$. We prefix one round at the beginning of the 11-round related-tweakey rectangle distinguisher and append two rounds at the end to attack 14-round Deoxys-BC-384, as illustrated in Figure 10. Note that 12 active bytes appear in $\Delta Y_0$ in the first round, so that 12 bytes of $STK_0$ are involved.
As a result, $2^t$ structures make the sizes of $S_1$ and $S_2$ be $2^{96+t}$. Then we insert $S_1$ into a hash table $H_3$ indexed by the 8 bytes $c[j]$ ($j = 0, 7, 10, 13$) and $c'[j]$ ($j = 0, 7, 10, 13$). For each guess, we make use of the $2^{2t+128}$ quartets obtained above to recover the 17 bytes of involved equivalent subtweakeys with a procedure similar to the one in Subsection 6.3, exhaustively search the unknown remaining subtweakeys, and verify the key by encrypting two plaintext-ciphertext pairs. If the key is wrong, we start another guess of $STK_0[0, 2, 3, 4, 5, 7, 8, 9, 10, 13, 14, 15]$.

Impact on Deoxys Authenticated Encryption
We have presented related-tweakey boomerang and rectangle attacks on Deoxys-BC in the previous sections, where there is no restriction on the tweak and key differences and we can make queries to both the encryption and decryption oracles. However, the AE mode Deoxys-I, which employs Deoxys-BC as its internal primitive, imposes more restrictions on the input parameters. Therefore, we carry out some extra analysis for Deoxys-I.
An AE scheme returns a null character and no decryption proceeds when a tag is invalid. Therefore, the boomerang attack on the internal primitive cannot be applied to the corresponding AE scheme, since the chosen-ciphertext process is not permitted. However, this restriction is not problematic for the rectangle attack, where only chosen plaintexts are required.
Table 2.2: List of typical AE use-cases selected by the CAESAR committee.

Use Case 1 - Lightweight applications (resource constrained environments)
  critical: fits into small hardware area and/or small code for 8-bit CPUs
  desirable: natural ability to protect against side-channel attacks
  desirable: hardware performance, especially energy/bit
  desirable: speed on 8-bit CPUs
  message sizes usually short (can be under 16 bytes), sometimes longer

Use Case 2 - High-performance applications
  critical: efficiency on 64-bit CPUs (servers) and/or dedicated hardware
  desirable: efficiency on 32-bit CPUs (small smartphones)
  desirable: constant time when the message length is constant
  message sizes usually long (more than 1024 bytes), sometimes shorter

Use Case 3 - Defense in depth
  critical: authenticity despite nonce misuse
  desirable: limited privacy damage from nonce misuse
  desirable: authenticity despite release of unverified plaintexts
  desirable: limited privacy damage from release of unverified plaintexts
  desirable: robustness in more scenarios; e.g., huge amounts of data

The encryption algorithm $E_I$ is depicted in Figures 2.1, 2.2 and 2.3, and an algorithmic description is given in Algorithm 1. The verification/decryption algorithm $D_I$ is described in Algorithm 2. We note that our scheme follows the framework of ΘCB3 [27] and therefore directly benefits from its security proof regarding authentication and privacy.

For Deoxys-I, there is a 4-bit prefix in the tweak input to separate the various block types; hence, the differential characteristic used to analyze Deoxys-I cannot contain any difference in these 4 bits, and we have checked that there is no difference in these 4 bits in our related-tweakey rectangle attacks applied to Deoxys-I. The other 124 tweak bits are composed of a nonce $N$ and a block counter $l$. The ciphertexts are generated by the process illustrated in Figure 11, where $E$ is Deoxys-BC.
When using the recommended parameters, the number of encrypted blocks under the same key has to be no more than $2^{124}$ when the tweak length is 128 bits [JNPS16]. Since the nonce $N$ and the block counter $l$ can be controlled, attackers can make queries in advance and perform a rectangle attack on the internal TBC. Therefore, a rectangle attack with data complexity $\le 2^{124}$ under the same key and time complexity $\le 2^{128}$ for Deoxys-BC-256 (or $\le 2^{256}$ for Deoxys-BC-384) can be applied to Deoxys-I.
The rectangle attack on 10-round Deoxys-BC-256 has a data complexity of $2^{114.2}$ chosen plaintexts and a time complexity of $2^{114.2}$ queries, which makes it applicable to the cryptanalysis of Deoxys-I-128-128. For Deoxys-BC-384, the 12-round rectangle attack with a data complexity of $2^{115}$ chosen plaintexts and $2^{115}$ queries is available to analyse Deoxys-I-256-128 as well.

Conclusion
In this paper, we find new related-tweakey boomerang and rectangle distinguishers to attack reduced-round Deoxys-BC-256 and Deoxys-BC-384, and improve the related-tweakey boomerang and rectangle attacks on 10-round Deoxys-BC-256 and 12/13-round Deoxys-BC-384 with lower time complexity. In particular, we give related-tweakey rectangle attacks on 11-round Deoxys-BC-256 and 14-round Deoxys-BC-384 for the first time. Our cryptanalysis results show that not only the probability of the boomerang distinguisher but also its differential propagation plays an important role in the key recovery. Some of the cryptanalysis results apply not only to the block cipher Deoxys-BC but also to the Deoxys authenticated encryption scheme.

The attack process consists of a data collection phase and a key recovery phase.
1. There are 6 active bytes in $\Delta Z_{11}$ in Round 11, so we choose structures of ciphertexts taking all possible values of the 6 active bytes with the other bytes as constants. We apply a method similar to the one in Subsection 5.1 to collect the quartets, and get $2^{96-80} \cdot 2^t = 2^{t+16}$ quartets $(c, c', \bar{c}, \bar{c}')$ satisfying $c \oplus \bar{c} \in \eta$ and $c' \oplus \bar{c}' \in \eta$, where $\eta = (00\,00\,00\,*\,00\,00\,*\,*\,00\,*\,*\,00\,*\,00\,00\,00)$.

11, 12] for the remaining quartets. There are about $2^{t-16}$ remaining quartets with 8 bytes of subtweakeys. We count the corresponding 64-bit subtweakey.

Complexity Computation: In the process above, $r_f = 48$ and $m_f = 64$. The complexity of data collection is $4 \cdot 2^{t+48}$ queries. The complexity of key recovery is about $2^{t+16}$ one-round encryptions, which is equivalent to about $2^{t+16}/12 = 2^{t+12.4}$ encryptions. Because the probability of the difference $\eta$ propagating to $\delta$ is $2^{-48}$ and the probability of the boomerang distinguisher is $2^{-96}$, there are $2^t \cdot 2^{96} \cdot 2^{-48} \cdot 2^{-96} = 2^{t-48}$ right quartets in data collection in total. Once a right quartet is obtained, the right key is counted. The expected counter of the right key is $2^{t-48}$, and the expected counter of a wrong key is $2^{t-16-64} = 2^{t-80}$. When the master key size is $k = 128$ and $t = 48$, the total complexity is $2^{98}$ queries and $2^{60.4} + 2^{128-32} \approx 2^{96}$ encryptions, the memory complexity is bounded by the size of the key counter, which is $2^{64}$, and the success probability is 58.68%, where $h = 32$. When $t = 49$, the total complexity is $2^{99}$ queries and $2^{61.4} + 2^{128-32} \approx 2^{96}$ encryptions, and the success probability is 73.58%, where $h = 32$.

Based on the 11-round boomerang distinguisher in Table 7, we mount a 13-round key-recovery attack by appending 2 rounds at the end of the distinguisher, as illustrated in Figure 13. Note that there are 12 active bytes in $\Delta Z_{12}$ in the last round; here we redefine the difference set $\eta$ by $\eta = (00\,*\,*\,*\,*\,*\,*\,00\,*\,*\,00\,*\,*\,00\,*\,*)$. Here, $r_f = 96$ and $m_f = 136$. The 13-round key recovery attack process is as follows.

Data Collection.
Choose structures of ciphertexts taking all possible values of the 12 active bytes in $\eta$, with all remaining bytes fixed to some arbitrary values. We apply a method similar to the one in Subsection 5.1 to collect the quartets satisfying $c \oplus \bar{c} \in \eta$ and $c' \oplus \bar{c}' \in \eta$. Note that there are 4 zero-difference bytes in $\Delta Z_{12}$, so there are about $2^{96 \cdot 2} \times 2^{-32} = 2^{160}$ quartets for each structure. There are $2^{160} \cdot 2^t = 2^{t+160}$ quartets remaining for $2^t$ structures.

Key Recovery.
There are 12 bytes of the equivalent subtweakey $STK_{13}$ and 5 bytes of the equivalent subtweakey $STK_{12}$ involved in the partial decryption from the ciphertext to $\Delta Y_{11}$. Using a process similar to the attack on 12-round Deoxys-BC-384, we give a brief description of the key-recovery process. For each of the $2^{t+160}$ remaining quartets $(c, c', \bar{c}, \bar{c}')$, we do the following steps.
1. We guess the subtweakey byte $IK_{12}[12]$ and deduce the value and difference of $Y_{12}[12]$.
There are three zero-difference bytes in the last column of $\Delta Z_{11}$, so the differences $\Delta Y_{12}[13, 14, 15]$ are deduced using the MixColumns operation. Then we get the corresponding subtweakeys $IK_{12}[13, 14, 15]$, because the input and output differences of the Sboxes are known. Then partially decrypt $(c', \bar{c}')$ to get the last column of $\Delta Z_{11}$. If $\Delta Z_{11}[13, 14, 15] = 0$, we keep the quartet and the corresponding 32-bit subtweakey; otherwise, we eliminate the quartet. There are about $2^{t+144}$ remaining quartets. Then we compute $\Delta Z_{11}[12]$, deduce the corresponding subtweakey $IK_{11}[12]$ for the pair $(c, \bar{c})$ and verify the subtweakey using the corresponding pair $(c', \bar{c}')$. There are about $2^{t+136}$ remaining quartets with 5 bytes of subtweakeys.

Complexity Computation:
The complexity of data collection is $4 \cdot 2^{t+96}$ queries. The complexity of key recovery is about $2^{t+160+8}$ one-round encryptions, which is equivalent to about $2^{t+160} \cdot 2^8 / 13 = 2^{t+164.3}$ encryptions. Because the probability of the difference $\eta$ propagating to $\delta$ is $2^{-96}$ and the probability of the boomerang distinguisher is $2^{-122}$, there are $2^t \cdot 2^{192} \cdot 2^{-96} \cdot 2^{-122} = 2^{t-26}$ right quartets in data collection in total. Once a right quartet is obtained, the right key is counted. The expected counter of the right key is $2^{t-26}$, and the expected counter of a wrong key is $2^{t+104-136} = 2^{t-32}$. When $t = 27$ and $h = 70$, the total complexity is $2^{125}$ queries and $2^{191.3} + 2^{256-70} \approx 2^{191.3}$ encryptions, the memory complexity is bounded by the size of the key counter, which is $2^{136}$, and the success probability is about 42%.

B Related-tweakey Boomerang Distinguishers of Deoxys-BC
Then a right quartet over a related-tweakey boomerang distinguisher can be obtained with the following steps:
1. Randomly choose a plaintext pair $(m, m')$ with difference $m \oplus m' = \alpha$, and encrypt it over $E$ to get the ciphertext pair $(c, c')$ with two chosen-plaintext queries, where $c = E_{K_1}(m)$, $c' = E_{K_2}(m')$.
2. Generate another ciphertext pair $(\bar{c}, \bar{c}')$ by $\bar{c} = c \oplus \delta$ and $\bar{c}' = c' \oplus \delta$, then decrypt $(\bar{c}, \bar{c}')$ to obtain their plaintexts $(\bar{m}, \bar{m}')$ with two adaptive chosen-ciphertext queries under the keys $K_3$, $K_4$ respectively.
$pq$ structures of $2^{r_b}$ plaintexts each, where $s$ is the expected number of right quartets; each structure takes all possible values of the $r_b/8$ active bytes with the other $16 - r_b/8$ bytes as some constant.

4. Exhaustively search the remaining $k - m_b - m_f$ unknown key bits in combination with the key schedule algorithm.
where $s$ is the expected number of right quartets. Each structure takes all possible values of the $r_f/8$ active bytes while the other $16 - r_f/8$ bytes are fixed to some constant.
2. For each structure, we can obtain the plaintext $m$ for each ciphertext $c$ by calling the decryption oracle under $K_1$, computing $m'$ by $m' = m \oplus \alpha$, and obtaining the ciphertext $c'$ by $E_{K_2}(m')$. Here we can obtain a set

Figure 3: Generation of a right quartet at the S-box level [WP19].
For each element $(\bar{m}, \bar{c}, \bar{m}', \bar{c}')$ of $S_2$, we find the corresponding $(m, c, m', c')$ by $c$ and $c'$ satisfying $c \oplus \bar{c} \in \eta$ and $c' \oplus \bar{c}' \in \eta$. Then we obtain a quartet $(c, c', \bar{c}, \bar{c}')$. There are about $2^{4t+112}$ quartets $(c, c', \bar{c}, \bar{c}')$ satisfying $c \oplus \bar{c} \in \eta$ and $c' \oplus \bar{c}' \in \eta$.
For each element $(\bar{m}, \bar{c}, \bar{m}', \bar{c}')$ of $S_2$, we find the corresponding $(m, c, m', c')$ by $c$ and $c'$ satisfying $c \oplus \bar{c} \in \eta$ and $c' \oplus \bar{c}' \in \eta$. In total, there are about $2^{2t+128}$ quartets $(c, c', \bar{c}, \bar{c}')$ satisfying $c \oplus \bar{c} \in \eta$ and $c' \oplus \bar{c}' \in \eta$.
2.3.1 Nonce-Respecting Mode: $E_I$ and $D_I$

Figure 2.1: Handling of the associated data for the nonce-respecting mode: in the case where the associated data is a multiple of the block size, no padding is needed.

Figure 2.2: Message processing for the nonce-respecting mode: in the case where the message length is a multiple of the block size, no padding is needed.

The cryptanalysis results on Deoxys-BC-256, Deoxys-BC-384 and the Deoxys-I AE schemes are listed in Table 1. The tweak size and master key size satisfy $|tweak| + |key| = 256$ for Deoxys-BC-256 and $|tweak| + |key| = 384$ for Deoxys-BC-384.

Table 1: Summary of analysis results of Deoxys, where RK denotes related-tweakey. All of the analyses are key recovery attacks.

Definition of the Subtweakeys.
We denote the concatenation of the key $K$ and the tweak $T$ as $KT$, i.e. $KT = K \| T$. The tweakey state is then divided into 128-bit words. More precisely, in Deoxys-BC-256 the size of $KT$ is 256 bits, with the first (most significant) 128 bits of $KT$ denoted $W_2$ and the second word denoted $W_1$. For Deoxys-BC-384, the size of $KT$ is 384 bits, and we denote the first (most significant), second and third 128-bit words of $KT$ by $W_3$, $W_2$ and $W_1$, respectively. Finally, we denote by $STK_i$ the 128-bit subtweakey that is added to the state at round $i$ during the AddRoundTweakey operation. For Deoxys-BC-256, a subtweakey is defined as

Therefore, we add such conditions for the two extra rounds behind the $(R_1 + R_2)$-round boomerang distinguisher to Cid et al.'s model [CHP+17] and keep the other constraints in Cid et al.'s model unchanged.
At ToSC 2019, Wang and Peyrin [WP19] and Song et al. [SQH19] considered the BCT effect over multiple rounds of the boomerang switch. Wang and Peyrin [WP19] introduced a general tool named the Boomerang Difference Table (BDT) to evaluate the boomerang switch through multiple rounds. We first briefly recall the BDT technique.

Definition 1 (Boomerang Difference Table (BDT)) [WP19]. Let $S$ be an invertible function from $\mathbb{F}_2^n$ to $\mathbb{F}_2^n$, and $\Delta_0, \Delta_1, \nabla_0 \in \mathbb{F}_2^n$. The boomerang difference table (BDT) of $S$ is a three-dimensional table in which the entry for $(\Delta_0, \Delta_1, \nabla_0)$ is computed by:
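As an added illustration of both the quartet-generation steps in Appendix B and Definition 1, the following Python example (written for this page; it is not code from the paper or from [WP19]) computes the DDT, BCT and BDT of a small invertible S-box and generates one S-box-level quartet as in Figure 3. It assumes the 4-bit PRESENT S-box as a constructed toy, and it assumes the BDT entry to be the number of inputs $x$ whose forward pair $(x, x \oplus \Delta_0)$ has output difference $\Delta_1$ and whose boomerang with output-side difference $\nabla_0$ returns to input difference $\Delta_0$; the function names are the example's own.

```python
"""Added example: DDT, BCT and BDT of a toy 4-bit S-box, plus the
S-box-level right-quartet generation of Figure 3.

Assumptions (not taken from the page): the S-box is the 4-bit PRESENT
S-box, used only as a small invertible toy; the BDT entry follows the
Wang-Peyrin definition as recalled in the lead-in.
"""
from itertools import product

# Constructed toy S-box (4-bit PRESENT S-box); any bijection on 16 values works.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [0] * len(SBOX)
for _x, _y in enumerate(SBOX):
    SBOX_INV[_y] = _x


def boomerang_quartet(x, d0, n0, sbox=SBOX, sbox_inv=SBOX_INV):
    """Generate one S-box-level quartet as in Figure 3.

    x and x' = x ^ d0 go forward through S (the "encryption" of step 1);
    both outputs are shifted by the backward difference n0 and sent back
    through S^-1 (the "decryption" of step 2). Returns the quartet
    (x, x', xbar, xbar') and whether it is right, i.e. whether the returned
    pair again has input difference d0.
    """
    x1 = x ^ d0
    y, y1 = sbox[x], sbox[x1]
    ybar, ybar1 = y ^ n0, y1 ^ n0
    xbar, xbar1 = sbox_inv[ybar], sbox_inv[ybar1]
    return (x, x1, xbar, xbar1), (xbar ^ xbar1) == d0


def ddt(sbox=SBOX):
    """Differential distribution table: DDT[d0][d1] = #{x : S(x)^S(x^d0) == d1}."""
    size = len(sbox)
    t = [[0] * size for _ in range(size)]
    for x, d0 in product(range(size), repeat=2):
        t[d0][sbox[x] ^ sbox[x ^ d0]] += 1
    return t


def bct(sbox=SBOX, sbox_inv=SBOX_INV):
    """Boomerang connectivity table: BCT[d0][n0] = #{x : quartet(x, d0, n0) is right}."""
    size = len(sbox)
    t = [[0] * size for _ in range(size)]
    for x, d0, n0 in product(range(size), repeat=3):
        if boomerang_quartet(x, d0, n0, sbox, sbox_inv)[1]:
            t[d0][n0] += 1
    return t


def bdt(sbox=SBOX, sbox_inv=SBOX_INV):
    """Boomerang difference table (assumed definition): BDT[d0][d1][n0] counts
    the x of BCT[d0][n0] whose forward pair also has output difference d1."""
    size = len(sbox)
    t = [[[0] * size for _ in range(size)] for _ in range(size)]
    for x, d0, n0 in product(range(size), repeat=3):
        (_, x1, _, _), right = boomerang_quartet(x, d0, n0, sbox, sbox_inv)
        if right:
            t[d0][sbox[x] ^ sbox[x1]][n0] += 1
    return t


def switch_probabilities(d0, d1, n0):
    """Three estimates of the one-S-box boomerang switch for (d0 -> d1, n0):
    the naive independence estimate p^2 with p = DDT[d0][d1]/2^n, the BCT
    entry (which ignores d1) and the BDT entry (which fixes d1 and n0)."""
    size = len(SBOX)
    p = ddt()[d0][d1] / size
    return {"p_squared": p * p,
            "bct": bct()[d0][n0] / size,
            "bdt": bdt()[d0][d1][n0] / size}


if __name__ == "__main__":
    print(boomerang_quartet(0x3, 0x1, 0x2))
    print(switch_probabilities(0x1, 0x7, 0x2))
```

Summing the BDT over $\Delta_1$ gives the BCT entry, and $\nabla_0 = 0$ reduces the BDT to the DDT, which is how the three tables relate; `switch_probabilities` shows why the independence estimate $p^2$ used when the switch effect is ignored can differ from the exact one-S-box probability that the BDT captures.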
