Impossible Differential Cryptanalysis of 8-Round Deoxys-BC-256.

Deoxys is a third-round candidate of the CAESAR authenticated encryption competition. In this paper, we present the first cryptanalysis of Deoxys in the single-key model. Specifically, we propose a multiple impossible differentials attack of 8-round Deoxys-BC-256, which can reuse the plaintexts to sieve subkeys, so that the sieving efficiency can be improved. Meanwhile, we improve the process of sieving subkeys and utilize various techniques, including tweak schedule considerations, early abort technique, the new early abort technique, and so on, which help to reduce the complexity. The time, memory, and data complexities are 2(123.9) memory accesses, 2(99.2) bytes, and 2(117) chosen plaintexts, respectively.