Abstract

The boomerang attack is a cryptanalysis technique that allows an attacker to concatenate two short differential characteristics. Several research results (ladder switch, S-box switch, sandwich attack, Boomerang Connectivity Table (BCT), ...) showed that the dependency between these two characteristics at the switching round can have a significant impact on the complexity of the attack, or even potentially invalidate it. In this paper, we revisit the boomerang switching effect and exploit it in the case where multiple rounds are involved. To support our analysis, we propose a tool called the Boomerang Difference Table (BDT), which can be seen as an improvement of the BCT and allows a systematic evaluation of the boomerang switch through multiple rounds. In order to illustrate the power of this technique, we propose a new related-key attack on 10-round AES-256 which requires only 2 simple related keys and 2^75 computations. This is a much more realistic scenario than the state-of-the-art 10-round AES-256 attacks, where subkey oracles, or several related keys and high computational power, are needed. Furthermore, we also provide improved attacks against full AES-192 and reduced-round Deoxys.

Highlights

  • Differential cryptanalysis [BS91] is one of the most significant techniques applicable to symmetric-key block ciphers; it exploits the high probability of a differential

  • Inspired by the efficient construction of the Boomerang Connectivity Table (BCT) proposed by Orr Dunkelman [Dun18], we show that the time complexity for generating the Boomerang Difference Table (BDT) for an n-bit S-box is O(2^{2n}); the algorithm is depicted in Algorithm 1

  • We performed an extensive analysis of the switching effect between the two differential characteristics of a boomerang distinguisher
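The relation between the three tables named above (DDT, BCT and BDT) is easiest to see on a concrete S-box. The following is an added example, not code from the paper: it tabulates the DDT, the BCT and the BDT of a 4-bit S-box directly from their definitions (the BDT here is taken as the BCT split by the S-box output difference of the top pair, which is the refinement the abstract describes) and verifies the relations that make the BDT a strict refinement of the BCT, including the S-box switch case where the bottom difference equals the top output difference. The PRESENT S-box is used only as a convenient bijection; the paper's O(2^{2n}) generation algorithm (its Algorithm 1) is not on this page and is not reproduced, so the enumeration below is the plain O(2^{3n}) one.

```python
"""DDT, BCT and BDT of a small S-box, computed from their definitions.

Added example, not code from the paper. The 4-bit S-box is the PRESENT S-box
and serves only as a concrete permutation to tabulate.
"""

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def inverse(sbox):
    """Inverse of a bijective S-box given as a lookup list."""
    size = len(sbox)
    assert sorted(sbox) == list(range(size)), "S-box must be a permutation"
    inv = [0] * size
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv


def ddt(sbox):
    """DDT[di][do] = number of x with S(x) ^ S(x ^ di) == do."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for di in range(size):
        for x in range(size):
            table[di][sbox[x] ^ sbox[x ^ di]] += 1
    return table


def boomerang_returns(sbox, inv, x, di, nabla):
    """True if the boomerang through S with input difference di on the top
    and output difference nabla on the bottom comes back with difference di.
    Quartet: x1 = x, x2 = x ^ di, y3 = S(x1) ^ nabla, y4 = S(x2) ^ nabla."""
    x3 = inv[sbox[x] ^ nabla]
    x4 = inv[sbox[x ^ di] ^ nabla]
    return (x3 ^ x4) == di


def bct(sbox):
    """BCT[di][nabla] = number of x for which the boomerang returns."""
    size = len(sbox)
    inv = inverse(sbox)
    table = [[0] * size for _ in range(size)]
    for di in range(size):
        for nabla in range(size):
            table[di][nabla] = sum(
                boomerang_returns(sbox, inv, x, di, nabla) for x in range(size))
    return table


def bdt(sbox):
    """BDT[di][do][nabla] = number of x for which the boomerang returns AND
    the top pair has S-box output difference do, i.e. the BCT split by do."""
    size = len(sbox)
    inv = inverse(sbox)
    table = [[[0] * size for _ in range(size)] for _ in range(size)]
    for di in range(size):
        for x in range(size):
            do = sbox[x] ^ sbox[x ^ di]
            for nabla in range(size):
                if boomerang_returns(sbox, inv, x, di, nabla):
                    table[di][do][nabla] += 1
    return table


def check_switch_properties(sbox):
    """Relations that hold for every bijective S-box:
    - summing the BDT over do recovers the BCT;
    - nabla == 0 gives the DDT (the bottom difference is trivial);
    - nabla == do gives the DDT entry again: the S-box switch, where the
      boomerang passes for free because bottom and top output differences agree;
    - hence every BCT entry is at least the matching DDT entry.
    Returns True when all of them hold."""
    size = len(sbox)
    D, B, T = ddt(sbox), bct(sbox), bdt(sbox)
    for di in range(size):
        for nabla in range(size):
            if sum(T[di][do][nabla] for do in range(size)) != B[di][nabla]:
                return False
            if T[di][nabla][nabla] != D[di][nabla]:
                return False
            if B[di][nabla] < D[di][nabla]:
                return False
        for do in range(size):
            if T[di][do][0] != D[di][do]:
                return False
    return True


if __name__ == "__main__":
    B = bct(PRESENT_SBOX)
    print("BCT of the PRESENT S-box (rows: input diff, cols: bottom diff):")
    for row in B:
        print(" ".join(f"{v:2d}" for v in row))
    print("switch properties hold:", check_switch_properties(PRESENT_SBOX))
```

The `nabla == do` check is the single-S-box form of the S-box switch: when the bottom characteristic's output difference equals the top characteristic's output difference, every pair that satisfies the top differential also satisfies the boomerang, which is why the corresponding BDT slice equals the DDT and why a BCT entry can never be smaller than the DDT entry at the same position. The BDT records this per output difference instead of summing it away as the BCT does, which is the information needed once the switch spans more than one round.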


Summary

Introduction

Differential cryptanalysis [BS91] is one of the most significant techniques applicable to symmetric-key block ciphers; it exploits the high probability of a differential. The boomerang attack [Wag99] is an extension of the traditional differential attack, where two differentials are combined in an elegant way to provide a distinguishing property of the cipher. The amplified boomerang attack [KKS01] was then proposed; it only requires a chosen-plaintext scenario, and a right quartet is obtained with probability p^2 q^2 2^{-n}. It was pointed out in [BDK01, BDK02] that any value of β and γ is allowed as long as β ≠ γ.
