Boomerang uniformity of popular S-box constructions

Abstract

In order to study the resistance of a block cipher against boomerang attacks, a tool called the Boomerang Connectivity Table (BCT) for S-boxes was recently introduced. Very little is known today about the properties of this table especially for bijective S-boxes defined for n variables with $$n\equiv 0 \mod 4$$ . In this work we study the boomerang uniformity of some popular constructions used for building large S-boxes, e.g. for eight variables, from smaller ones. We show that the BCTs of all the studied constructions have abnormally high values in some positions. This remark permits us in some cases to link the boomerang properties of an S-box with other well-known cryptanalytic techniques on such constructions while in other cases it leads to the discovery of new ones. A surprising outcome concerns notably the Feistel and MISTY networks. While these two structures are very similar, their boomerang uniformity can be very different. Indeed, we show that the boomerang uniformity of a Feistel network is always the worst one possible, while for a MISTY construction this quantity depends on its inner building blocks. In the second part, we investigate the boomerang uniformity under EA-equivalence for Gold and the inverse function (as used respectively in MPC-friendly ciphers and the AES) and we prove that the boomerang uniformity is EA-invariant in these cases. Finally, we present an algorithm for inverting a given BCT and provide experimental results on the size of the BCT-equivalence classes for some 4 and 8-bit S-boxes.