Abstract

At Eurocrypt 2018, Cid et al. introduced the Boomerang Connectivity Table (BCT), a tool to compute the probability of the middle round of a boomerang distinguisher from the description of the cipher’s Sbox(es). Their new table and the following works led to a refined understanding of boomerangs, and resulted in a series of improved attacks. Still, these works only addressed the case of Substitution Permutation Networks, and completely left out the case of ciphers following a Feistel construction. In this article, we address this lack by introducing the FBCT, the Feistel counterpart of the BCT. We show that the coefficient at row Δi, ∇o corresponds to the number of times the second order derivative at points (Δi, ∇o) cancels out. We explore the properties of the FBCT and compare it to what is known on the BCT. Taking matters further, we show how to compute the probability of a boomerang switch over multiple rounds with a generic formula.
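The counting rule stated above, written out as an added example (not code from the paper): the entry at (Δi, ∇o) counts the inputs x for which S(x) ⊕ S(x⊕Δi) ⊕ S(x⊕∇o) ⊕ S(x⊕Δi⊕∇o) = 0. The function names are hypothetical, the S-box is only a sample input, and the structural checks are properties that follow directly from this definition.

```python
# Added example: FBCT computed from the second-order derivative of an S-box.
# Sample 4-bit S-box (the PRESENT S-box), chosen only as a convenient input.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def fbct(sbox):
    """table[di][no] = #{x : S(x) ^ S(x^di) ^ S(x^no) ^ S(x^di^no) == 0}."""
    size = len(sbox)
    if size < 4 or size & (size - 1):
        raise ValueError("S-box length must be a power of two, at least 4")
    return [[sum(1 for x in range(size)
                 if sbox[x] ^ sbox[x ^ di] ^ sbox[x ^ no] ^ sbox[x ^ di ^ no] == 0)
             for no in range(size)]
            for di in range(size)]


def is_trivial(di, no):
    """Cells where the second-order derivative vanishes for every S-box."""
    return di == 0 or no == 0 or di == no


def max_nontrivial(table):
    """Largest entry outside the first row, first column and diagonal."""
    size = len(table)
    return max(table[di][no] for di in range(size) for no in range(size)
               if not is_trivial(di, no))


def structural_violations(table):
    """Return the cells that break a property implied by the definition."""
    size = len(table)
    bad = []
    for di in range(size):
        for no in range(size):
            value = table[di][no]
            if value != table[no][di]:
                bad.append(("symmetry", di, no))
            if value != table[di][di ^ no]:
                bad.append(("no -> di^no invariance", di, no))
            if value % 4:
                bad.append(("multiple of 4", di, no))
            if is_trivial(di, no) and value != size:
                bad.append(("trivial cell equals 2^n", di, no))
    return bad


if __name__ == "__main__":
    table = fbct(SBOX)
    for row in table:
        print(" ".join(f"{v:2d}" for v in row))
    print("max non-trivial entry:", max_nontrivial(table))
```

An affine S-box has a second-order derivative that is identically zero, so every cell of its table equals 2^n; the largest non-trivial entry therefore shows how far a given S-box is from that degenerate case.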

Highlights

  • Introduction and Analysis of the FBCT. Hamid Boukerrou, Paul Huynh, Virginie Lallemand, Bimal Mandal and Marine Minier. Abstract: At Eurocrypt 2018, Cid et al. introduced the Boomerang Connectivity Table (BCT), a tool to compute the probability of the middle round of a boomerang distinguisher from the description of the cipher’s Sbox(es)

  • We show how to compute the probability of a boomerang switch over multiple rounds with a generic formula

  • When the Feistel round function contains some affine layers and a single Sbox layer, we introduce the FBCT, the Feistel counterpart of the Boomerang Connectivity Table, and show that it is related to the second order derivative of the Sbox at play

Summary

Introduction

Boomerang attacks date back to 1999, when David Wagner introduced them at FSE to break COCONUT98 [Wag99]. Note that this incompatibility is even more general than the one we discussed, as in Section 2.3 we fixed an additional parameter, namely one Sbox output. While the Feistel case is not covered by the Boomerang Connectivity Table, a first step in understanding the case of boomerang distinguishers for Feistel constructions was made by Wagner himself while analyzing Khufu [Wag99]. His observation was later referred to under the name of Feistel Switch, for instance in the related-key cryptanalysis of AES-192 and AES-256 by Biryukov and Khovratovich [BK09], in which one can read: "Surprisingly, a Feistel round with an arbitrary function (e.g., an S-box) can be passed for free in the boomerang attack (this was first observed in the attack on cipher Khufu in [Wag99])."

Fixed values:
Conclusion
A Relation Between the DLCT and the FBCT