Abstract
The Advanced Encryption Standard (AES) is a 128-bit block cipher with a user key of 128, 192 or 256 bits, released by NIST in 2001 as the next-generation data encryption standard for use in the USA. It was adopted as an ISO international standard in 2005. Impossible differential cryptanalysis and the boomerang attack are powerful variants of differential cryptanalysis for analysing the security of a block cipher. In this paper, building on the notions of impossible differential cryptanalysis and the boomerang attack, we propose a new cryptanalytic technique, which we call the impossible boomerang attack, and then describe an extension of this attack which applies in a related-key attack scenario. Finally, we apply the impossible boomerang attack to break 6-round AES with 128 key bits and 7-round AES with 192/256 key bits, and using two related keys we apply the related-key impossible boomerang attack to break 8-round AES with 192 key bits and 9-round AES with 256 key bits. In the two-key related-key attack scenario, our results, which were the first to reach this number of attacked rounds, match the best currently known results for AES with 192/256 key bits in terms of the number of attacked rounds. The (related-key) impossible boomerang attack is a general cryptanalytic technique, and can potentially be used to cryptanalyse other block ciphers.
References
Bahrak B., Aref M.R.: Impossible differential attack on seven-round AES-128. IET Inform. Secur. 2(2), 28–32 (2008).
Biham E.: New types of cryptanalytic attacks using related keys. In: EUROCRYPT 1993. Lecture Notes in Computer Science, vol. 765, pp. 398–409. Springer, Heidelberg (1993).
Biham E., Biryukov A., Shamir A.: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. In: EUROCRYPT 1999. Lecture Notes in Computer Science, vol. 1592, pp. 12–23. Springer, Heidelberg (1999).
Biham E., Biryukov A., Shamir A.: Miss in the middle attacks on IDEA and Khufu. In: FSE 1999. Lecture Notes in Computer Science, vol. 1636, pp. 124–138. Springer, Heidelberg (1999).
Biham E., Dunkelman O., Keller N.: The rectangle attack—rectangling the Serpent. In: EUROCRYPT 2001. Lecture Notes in Computer Science, vol. 2045, pp. 340–357. Springer, Heidelberg (2001).
Biham E., Dunkelman O., Keller N.: Enhancing differential-linear cryptanalysis. In: ASIACRYPT 2002. Lecture Notes in Computer Science, vol. 2501, pp. 254–266. Springer, Heidelberg (2002).
Biham E., Dunkelman O., Keller N.: New combined attacks on block ciphers. In: FSE 2005. Lecture Notes in Computer Science, vol. 3557, pp. 126–144. Springer, Heidelberg (2005).
Biham E., Dunkelman O., Keller N.: Related-key boomerang and rectangle attacks. In: EUROCRYPT 2005. Lecture Notes in Computer Science, vol. 3494, pp. 507–525. Springer, Heidelberg (2005).
Biham E., Dunkelman O., Keller N.: A related-key rectangle attack on the full KASUMI. In: ASIACRYPT 2005. Lecture Notes in Computer Science, vol. 3788, pp. 443–461. Springer, Heidelberg (2005).
Biham E., Dunkelman O., Keller N.: Related-key impossible differential attacks on 8-round AES-192. In: CT-RSA 2006. Lecture Notes in Computer Science, vol. 3860, pp. 21–33. Springer, Heidelberg (2006).
Biham E., Shamir A.: Differential cryptanalysis of DES-like cryptosystems. In: CRYPTO 1990. Lecture Notes in Computer Science, vol. 537, pp. 2–21. Springer, Heidelberg (1990).
Biryukov A.: The boomerang attack on 5 and 6-round reduced AES. In: AES 2004. Lecture Notes in Computer Science, vol. 3373, pp. 11–15. Springer, Heidelberg (2005).
Biryukov A., Dunkelman O., Keller N., Khovratovich D., Shamir A.: Key recovery attacks of practical complexity on AES-256 variants with up to 10 rounds. In: EUROCRYPT 2010. Lecture Notes in Computer Science, vol. 6110, pp. 299–319. Springer, Heidelberg (2010).
Biryukov A., Khovratovich D.: Related-key cryptanalysis of the full AES-192 and AES-256. In: ASIACRYPT 2009. Lecture Notes in Computer Science, vol. 5912, pp. 1–18. Springer, Heidelberg (2009).
Biryukov A., Khovratovich D., Nikolic I.: Distinguisher and related-key attack on the full AES-256. In: CRYPTO 2009. Lecture Notes in Computer Science, vol. 5677, pp. 231–249. Springer, Heidelberg (2009).
Cheon J., Kim M., Kim K., Lee J.: Improved impossible differential cryptanalysis of Rijndael and Crypton. In: ICISC 2001. Lecture Notes in Computer Science, vol. 2288, pp. 39–49. Springer, Heidelberg (2001).
Daemen J., Knudsen L.R., Rijmen V.: The block cipher Square. In: FSE 1997. Lecture Notes in Computer Science, vol. 1267, pp. 149–165. Springer, Heidelberg (1997).
Daemen J., Rijmen V.: AES proposal: Rijndael. In: The First Advanced Encryption Standard Candidate Conference. NIST, Ventura, CA (1998).
Demirci H., Selcuk A.A.: A meet-in-the-middle attack on 8-round AES. In: FSE 2008. Lecture Notes in Computer Science, vol. 5086, pp. 116–126. Springer, Heidelberg (2008).
Dunkelman O., Keller N.: An improved impossible differential attack on MISTY1. In: Advances in Cryptology—ASIACRYPT 2008. Lecture Notes in Computer Science, vol. 5350, pp. 441–454. Springer, Heidelberg (2008).
Ferguson N., Kelsey J., Lucks S., Schneier B., Stay M., Wagner D., Whiting D.: Improved cryptanalysis of Rijndael. In: FSE 2000. Lecture Notes in Computer Science, vol. 1978, pp. 213–230. Springer, Heidelberg (2001).
Fleischmann E., Gorski M., Lucks S.: Attacking 9 and 10 rounds of AES-256. In: ACISP 2009. Lecture Notes in Computer Science, vol. 5594, pp. 60–72. Springer, Heidelberg (2009).
Gilbert H., Minier M.: A collision attack on 7 rounds of Rijndael. In: The Third Advanced Encryption Standard Candidate Conference, pp. 230–241. NIST, Ventura, CA (2000).
Hong S., Kim J., Lee S., Preneel B.: Related-key rectangle attacks on reduced versions of SHACAL-1 and AES-192. In: FSE 2005. Lecture Notes in Computer Science, vol. 3557, pp. 368–383. Springer, Heidelberg (2005).
International Organization for Standardization (ISO): ISO/IEC 18033-3:2005: Information technology—Security techniques—Encryption algorithms—Part 3: block ciphers. ISO, Geneva (2005).
Jakimoski G., Desmedt Y.: Related-key differential cryptanalysis of 192-bit key AES variants. In: SAC 2003. Lecture Notes in Computer Science, vol. 3006, pp. 208–221. Springer, Heidelberg (2004).
Kelsey J., Kohno T., Schneier B.: Amplified boomerang attacks against reduced-round MARS and Serpent. In: FSE 2000. Lecture Notes in Computer Science, vol. 1978, pp. 75–93. Springer, Heidelberg (2001).
Kelsey J., Schneier B., Wagner D.: Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In: CRYPTO 1996. Lecture Notes in Computer Science, vol. 1109, pp. 237–251. Springer, Heidelberg (1996).
Kim J., Hong S., Preneel B.: Related-key rectangle attacks on reduced AES-192 and AES-256. In: FSE 2007. Lecture Notes in Computer Science, vol. 4593, pp. 225–241. Springer, Heidelberg (2007).
Kim J., Kim G., Hong S., Lee S., Hong D.: The related-key rectangle attack—application to SHACAL-1. In: ACISP 2004. Lecture Notes in Computer Science, vol. 3108, pp. 123–136. Springer, Heidelberg (2004).
Knudsen L.R.: Cryptanalysis of LOKI91. In: AUSCRYPT 1992. Lecture Notes in Computer Science, vol. 718, pp. 196–208. Springer, Heidelberg (1993).
Knudsen L.R.: Truncated and higher order differentials. In: FSE 1994. Lecture Notes in Computer Science, vol. 1008, pp. 196–211. Springer, Heidelberg (1995).
Knudsen L.R.: DEAL—a 128-bit block cipher. Technical report, Department of Informatics, University of Bergen, Norway (1998).
Langford S.K., Hellman M.E.: Differential-linear cryptanalysis. In: CRYPTO 1994. Lecture Notes in Computer Science, vol. 839, pp. 17–25. Springer, Heidelberg (1994).
Lu J.: Cryptanalysis of block ciphers. PhD Thesis, The University of London, UK (2008). A copy is available online as Technical Report RHUL-MA-2008-19, Department of Mathematics, Royal Holloway, University of London, UK. http://www.ma.rhul.ac.uk/static/techrep/2008/RHUL-MA-2008-19.pdf
Lu J., Dunkelman O., Keller N., Kim J.: New impossible differential attacks on AES. In: INDOCRYPT 2008. Lecture Notes in Computer Science, vol. 5365, pp. 279–293. Springer, Heidelberg (2008).
Lu J., Kim J.: Attacking 44 rounds of the SHACAL-2 block cipher using related-key rectangle cryptanalysis. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 91(A), 2588–2596 (2008).
Lu J., Kim J., Keller N., Dunkelman O.: Related-key rectangle attack on 42-round SHACAL-2. In: ISC 2006. Lecture Notes in Computer Science, vol. 4176, pp. 85–100. Springer, Heidelberg (2006).
Lu J., Kim J., Keller N., Dunkelman O.: Improving the efficiency of impossible differential cryptanalysis of reduced Camellia and MISTY1. In: CT-RSA 2008. Lecture Notes in Computer Science, vol. 4964, pp. 370–386. Springer, Heidelberg (2008).
Lucks S.: Attacking seven rounds of Rijndael under 192-bit and 256-bit keys. In: The Third Advanced Encryption Standard Candidate Conference, pp. 215–229. NIST, Ventura, CA (2000).
Matsui M.: Linear cryptanalysis method for DES cipher. In: EUROCRYPT 1993. Lecture Notes in Computer Science, vol. 765, pp. 386–397. Springer, Heidelberg (1994).
Murphy S.: The return of the boomerang. Technical Report RHUL-MA-2009-20, Department of Mathematics, Royal Holloway, University of London, UK. http://www.ma.rhul.ac.uk/static/techrep/2009/RHUL-MA-2009-20.pdf (2009).
National Institute of Standards and Technology (NIST): Advanced Encryption Standard (AES). FIPS-197 (2001).
National Institute of Standards and Technology (NIST): http://www.nist.gov.
Phan R.: Impossible differential cryptanalysis of 7-round advanced encryption standard (AES). Inform. Process. Lett. 91(1), 33–38 (2004).
Wagner D.: The boomerang attack. In: FSE 1999. Lecture Notes in Computer Science, vol. 1636, pp. 156–170. Springer, Heidelberg (1999).
Wang G., Keller N., Dunkelman O.: The delicate issues of addition with respect to XOR differences. In: SAC 2007. Lecture Notes in Computer Science, vol. 4876, pp. 212–231. Springer, Heidelberg (2007).
Zhang W., Wu W., Zhang L., Feng D.: Improved related-key impossible differential attacks on reduced-round AES-192. In: SAC 2006. Lecture Notes in Computer Science, vol. 4356, pp. 15–27. Springer, Heidelberg (2007).
Zhang W., Wu W., Zhang L.: Related-key impossible differential attacks on reduced-round AES-256. J. Softw. 18(11), 2893–2901 (2007). http://www.lois.cn/LOIS-AES/data/AES-256.pdf
Zhang W., Wu W., Feng D.: New results on impossible differential cryptanalysis of reduced AES. In: ICISC 2007. Lecture Notes in Computer Science, vol. 4817, pp. 239–250. Springer, Heidelberg (2007).
Zhang W., Zhang L., Wu W., Feng D.: Related-key differential-linear attacks on reduced AES-192. In: INDOCRYPT 2007. Lecture Notes in Computer Science, vol. 4859, pp. 73–85. Springer, Heidelberg (2007).
Acknowledgments
The author is very grateful to Prof. Chris Mitchell and the anonymous referees for their comments on earlier versions of this paper, and also very grateful to the editor for his/her editorial efforts during the review of this paper.
Open Access
This article is distributed under the terms of the Creative Commons Attribution Noncommercial License which permits any noncommercial use, distribution, and reproduction in any medium, provided the original author(s) and source are credited.
Communicated by Vincent van Rijmen.
An earlier version appeared in 2008 in the PhD thesis [35] of the author.
Cite this article
Lu, J. The (related-key) impossible boomerang attack and its application to the AES block cipher. Des. Codes Cryptogr. 60, 123–143 (2011). https://doi.org/10.1007/s10623-010-9421-9