Abstract
The boomerang attack is a variant of differential cryptanalysis which regards a block cipher E as the composition of two sub-ciphers, i.e., E = E1 o E0, and which constructs distinguishers for E with probability p2q2 by combining differential trails for E0 and E1 with probability p and q respectively. However, the validity of this attack relies on the dependency between the two differential trails. Murphy has shown cases where probabilities calculated by p2q2 turn out to be zero, while techniques such as boomerang switches proposed by Biryukov and Khovratovich give rise to probabilities greater than p2q2. To formalize such dependency to obtain a more accurate estimation of the probability of the distinguisher, Dunkelman et al. proposed the sandwich framework that regards E as Ẽ1 o Em o Ẽ0, where the dependency between the two differential trails is handled by a careful analysis of the probability of the middle part Em. Recently, Cid et al. proposed the Boomerang Connectivity Table (BCT) which unifies the previous switch techniques and incompatibility together and evaluates the probability of Em theoretically when Em is composed of a single S-box layer. In this paper, we revisit the BCT and propose a generalized framework which is able to identify the actual boundaries of Em which contains dependency of the two differential trails and systematically evaluate the probability of Em with any number of rounds. To demonstrate the power of this new framework, we apply it to two block ciphers SKINNY and AES. In the application to SKINNY, the probabilities of four boomerang distinguishers are re-evaluated. It turns out that Em involves5 or 6 rounds and the probabilities of the full distinguishers are much higher than previously evaluated. In the application to AES, the new framework is used to exclude incompatibility and find high probability distinguishers of AES-128 under the related-subkey setting. As a result, a 6-round distinguisher with probability 2−109.42 is constructed. Lastly, we discuss the relation between the dependency of two differential trails in boomerang distinguishers and the properties of components of the cipher.
Highlights
Differential cryptanalysis, proposed by Biham and Shamir [BS93], is one of the most powerful approaches to assess the security of block ciphers
In the remainder of this section, we first give a brief description of SKINNY, followed by a review of boomerang distinguishers proposed in [LGS17], for which we show how the generalized framework of Boomerang Connectivity Table (BCT) helps to evaluate the probability r
We revisited the boomerang connectivity table (BCT) and provided a generalized framework of BCT which systematically handles the dependency of two differential trails in boomerang distinguishers
Summary
Differential cryptanalysis, proposed by Biham and Shamir [BS93], is one of the most powerful approaches to assess the security of block ciphers. Our new framework is able to find the actual boundaries of Em which contains dependency of two differential trails in the setting of boomerang attacks, and systematically calculate the probability r of Em with any number of rounds. In the case of AES, we propose a 6-round related-subkey boomerang distinguisher of probability 2−109.42 by combining two 3-round differential trails. We discuss the relation between the dependency of two differential trails in boomerang distinguishers and the properties of the round function It is deduced from our generalized framework that the length of Em is mainly determined by the diffusion effect of the linear layer, and the probability r is strongly affected by differential properties of the non-linear layer.
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
