Boomerang Connectivity Table: A New Cryptanalysis Tool
A boomerang attack is a cryptanalysis framework that regards a block cipher E as the composition of two sub-ciphers \(E_1\circ E_0\) and builds a particular characteristic for E with probability \(p^2q^2\) by combining differential characteristics for \(E_0\) and \(E_1\) with probability p and q, respectively. Crucially, this figure is valid only under the assumption that the characteristics for \(E_0\) and \(E_1\) can be chosen independently. Indeed, Murphy has shown that independently chosen characteristics may turn out to be incompatible. On the other hand, several researchers have observed that the probability can be improved to p or q around the boundary between \(E_0\) and \(E_1\) by considering a positive dependency between the two characteristics, e.g. the ladder switch and S-box switch by Biryukov and Khovratovich. This phenomenon was later formalised by Dunkelman et al. as a sandwich attack that regards E as \(E_1\circ E_m \circ E_0\), where \(E_m\) satisfies some differential propagation among four texts with probability r, and the entire probability is \(p^2q^2r\). In this paper, we revisit the issue of the dependency of the two characteristics in \(E_m\), and propose a new tool called the Boomerang Connectivity Table (BCT), which evaluates r in a systematic and easy-to-understand way when \(E_m\) is composed of a single S-box layer. With the BCT, previous observations on the S-box, including the incompatibility, the ladder switch and the S-box switch, are represented in a unified manner. Moreover, the BCT can detect a new switching effect, which shows that the probability around the boundary may be even higher than p or q. To illustrate the power of the BCT-based analysis, we improve boomerang attacks against Deoxys-BC, and disclose the mechanism behind a previously unexplained probability amplification for generating a quartet in SKINNY. Lastly, we discuss the issue of searching for S-boxes having a good BCT and extending the analysis to modular addition.
Keywords: Boomerang attack, Differential distribution table, S-box, Incompatibility, Ladder switch, S-box switch, Deoxys, SKINNY
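The following is an added example, not code from the paper, that builds the DDT and the BCT of a 4-bit S-box so that the three boundary cases named in the abstract (incompatibility, the S-box switch, and a DDT-zero transition that the BCT still connects) can be read off directly. It assumes the BCT definition from the full paper, BCT[di][do] = #{x : S^-1(S(x) ^ do) ^ S^-1(S(x ^ di) ^ do) == di}, and uses the public PRESENT S-box purely as a concrete bijective S-box.

```python
from typing import List

# PRESENT 4-bit S-box, used here only as a concrete bijective S-box.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def invert(sbox: List[int]) -> List[int]:
    """Inverse of a bijective S-box; the BCT needs S^-1, the DDT does not."""
    inv = [0] * len(sbox)
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv


def ddt(sbox: List[int]) -> List[List[int]]:
    """DDT[di][do] = #{x : S(x) ^ S(x ^ di) == do}; p = DDT[di][do] / 2^n."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for di in range(n):
        for x in range(n):
            table[di][sbox[x] ^ sbox[x ^ di]] += 1
    return table


def bct(sbox: List[int]) -> List[List[int]]:
    """BCT[di][do] = #{x : S^-1(S(x)^do) ^ S^-1(S(x^di)^do) == di}.

    x and x^di are the two texts carrying the E_0 difference di; applying the
    E_1 difference do after the S-box and returning through S^-1 gives the
    other two texts of the quartet, which must again differ by di.
    """
    n = len(sbox)
    inv = invert(sbox)
    table = [[0] * n for _ in range(n)]
    for di in range(n):
        for do in range(n):
            for x in range(n):
                x2 = inv[sbox[x] ^ do]        # third text of the quartet
                x3 = inv[sbox[x ^ di] ^ do]   # fourth text of the quartet
                if x2 ^ x3 == di:
                    table[di][do] += 1
    return table


def switch_probability(sbox: List[int], di: int, do: int) -> float:
    """r for one S-box at the E_0/E_1 boundary, the factor in p^2 q^2 r."""
    return bct(sbox)[di][do] / len(sbox)
```

For this S-box, (di, do) = (1, 1) has BCT entry 0 (the two characteristics are incompatible), (1, 3) has DDT and BCT entries both 4 (the S-box switch: r equals p rather than p^2), and (1, 2) has DDT entry 0 but BCT entry 4, a quartet the DDT alone would never predict; row 0 and column 0 of the BCT are all 16, which is the ladder switch.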
We thank the anonymous reviewers for their valuable comments. We also thank the attendees of the 2018 Dagstuhl seminar on Symmetric Cryptography, who provided us with various comments. The last author is supported by the Fundamental Theory and Cutting Edge Technology Research Program of the Institute of Information Engineering, CAS (Grant No. Y7Z0341103), the Youth Innovation Promotion Association CAS and the National Natural Science Foundation of China (Grants No. 61472415, 61732021 and 61772519). We also thank the ASK2016 organisers for providing us with an opportunity for the initial discussion.