Boomerang Connectivity Table: A New Cryptanalysis Tool

  • Carlos Cid
  • Tao Huang
  • Thomas Peyrin
  • Yu Sasaki
  • Ling Song
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10821)


A boomerang attack is a cryptanalysis framework that regards a block cipher E as the composition of two sub-ciphers \(E_1\circ E_0\) and builds a particular characteristic for E with probability \(p^2q^2\) by combining differential characteristics for \(E_0\) and \(E_1\) with probability p and q, respectively. Crucially the validity of this figure is under the assumption that the characteristics for \(E_0\) and \(E_1\) can be chosen independently. Indeed, Murphy has shown that independently chosen characteristics may turn out to be incompatible. On the other hand, several researchers observed that the probability can be improved to p or q around the boundary between \(E_0\) and \(E_1\) by considering a positive dependency of the two characteristics, e.g. the ladder switch and S-box switch by Biryukov and Khovratovich. This phenomenon was later formalised by Dunkelman et al. as a sandwich attack that regards E as \(E_1\circ E_m \circ E_0\), where \(E_m\) satisfies some differential propagation among four texts with probability r, and the entire probability is \(p^2q^2r\). In this paper, we revisit the issue of dependency of two characteristics in \(E_m\), and propose a new tool called Boomerang Connectivity Table (BCT), which evaluates r in a systematic and easy-to-understand way when \(E_m\) is composed of a single S-box layer. With the BCT, previous observations on the S-box including the incompatibility, the ladder switch and the S-box switch are represented in a unified manner. Moreover, the BCT can detect a new switching effect, which shows that the probability around the boundary may be even higher than p or q. To illustrate the power of the BCT-based analysis, we improve boomerang attacks against Deoxys-BC, and disclose the mechanism behind an unsolved probability amplification for generating a quartet in SKINNY. Lastly, we discuss the issue of searching for S-boxes having good BCT and extending the analysis to modular addition.


Boomerang attack Differential distribution table S-box Incompatibility Ladder switch S-box switch Deoxys SKINNY 



We thank the anonymous reviewers for their valuable comments. We also thank attendees of the 2018 Dagstuhl seminar for Symmetric Cryptography, who provided us with various comments. The last author is supported by the Fundamental Theory and Cutting Edge Technology Research Program of Institute of Information Engineering, CAS (Grant No. Y7Z0341103), Youth Innovation Promotion Association CAS and the National Natural Science Foundation of China (Grants No. 61472415, 61732021 and 61772519). We also thank the ASK2016 organisers for providing us an opportunity for the initial discussion.

Supplementary material


  1. [AIK+00]
    Aoki, K., Ichikawa, T., Kanda, M., Matsui, M., Moriai, S., Nakajima, J., Tokita, T.: Camellia: a 128-bit block cipher suitable for multiple platforms — design and analysis. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 39–56. Springer, Heidelberg (2001). Scholar
  2. [BCD03]
    Biryukov, A., De Cannière, C., Dellkrantz, G.: Cryptanalysis of Safer++. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 195–211. Springer, Heidelberg (2003). Scholar
  3. [BDK01]
    Biham, E., Dunkelman, O., Keller, N.: The rectangle attack—rectangling the serpent. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 340–357. Springer, Heidelberg (2001). Scholar
  4. [BDK02]
    Biham, E., Dunkelman, O., Keller, N.: New results on boomerang and rectangle attacks. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 1–16. Springer, Heidelberg (2002). Scholar
  5. [BDK05]
    Biham, E., Dunkelman, O., Keller, N.: Related-key boomerang and rectangle attacks. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 507–525. Springer, Heidelberg (2005). Scholar
  6. [BFMT16]
    Berger, T.P., Francq, J., Minier, M., Thomas, G.: Extended generalized feistel networks using matrix representation to propose a new lightweight block cipher: Lilliput. IEEE Trans. Comput. 65(7), 2074–2089 (2016)MathSciNetCrossRefzbMATHGoogle Scholar
  7. [BJK+16]
    Beierle, C., Jean, J., Kölbl, S., Leander, G., Moradi, A., Peyrin, T., Sasaki, Y., Sasdrich, P., Sim, S.M.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). Scholar
  8. [BK09]
    Biryukov, A., Khovratovich, D.: Related-key cryptanalysis of the full AES-192 and AES-256. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 1–18. Springer, Heidelberg (2009). Scholar
  9. [BKL+07]
    Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). Scholar
  10. [BPP+17]
    Banik, S., Pandey, S.K., Peyrin, T., Sasaki, Y., Sim, S.M., Todo, Y.: GIFT: A small present - towards reaching the limit of lightweight encryption. Cryptology ePrint Archive, Report 2017/622 (2017)Google Scholar
  11. [BS93]
    Biham, E., Shamir, A.: Differential Cryptanalysis of the Data Encryption Standard. Springer, New York (1993). Scholar
  12. [BSS+13]
    Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The simon and speck families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404 (2013)Google Scholar
  13. [CHP+17]
    Cid, C., Huang, T., Peyrin, T., Sasaki, Y., Song, L.: A security analysis of deoxys and its internal tweakable block ciphers. IACR Trans. Symmetric Cryptol. 2017(3), 73–107 (2017)Google Scholar
  14. [CLN+17]
    Canteaut, A., Lambooij, E., Neves, S., Rasoolzadeh, S., Sasaki, Y., Stevens, M.: Refined probability of differential characteristics including dependency between multiple rounds. IACR Trans. Symmetric Cryptol. 2017(2), 203–227 (2017)Google Scholar
  15. [DKS10]
    Dunkelman, O., Keller, N., Shamir, A.: A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3G telephony. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 393–410. Springer, Heidelberg (2010). Scholar
  16. [DKS14]
    Dunkelman, O., Keller, N., Shamir, A.: A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3G telephony. J. Cryptology 27(4), 824–849 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
  17. [GPPR11]
    Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.: The LED block cipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer, Heidelberg (2011). Scholar
  18. [JNP14]
    Jean, J., Nikolić, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014). Scholar
  19. [JNPS16]
    Jean, J., Nikolić, I., Peyrin, T., Seurin, Y.: Deoxys v1.41. Submitted to CAESAR, October 2016Google Scholar
  20. [KHP+12]
    Kim, J., Hong, S., Preneel, B., Biham, E., Dunkelman, O., Keller, N.: Related-key boomerang and rectangle attacks: theory and experimental analysis. IEEE Trans. Inf. Theor. 58(7), 4948–4966 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
  21. [KKS00]
    Kelsey, J., Kohno, T., Schneier, B.: Amplified boomerang attacks against reduced-round MARS and serpent. In: Goos, G., Hartmanis, J., van Leeuwen, J., Schneier, B. (eds.) FSE 2000. LNCS, vol. 1978, pp. 75–93. Springer, Heidelberg (2001). Scholar
  22. [LGL17]
    Liu, G., Ghosh, M., Ling, S.: Security analysis of SKINNY under related-tweakey settings (long paper). IACR Trans. Symmetric Cryptol. 2017(3), 37–72 (2017)Google Scholar
  23. [Mur11]
    Murphy, S.: The return of the cryptographic boomerang. IEEE Trans. Inf. Theor. 57(4), 2517–2521 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  24. [Nat01]
    National Institute of Standards and Technology. Federal Information Processing Standards Publication 197: Advanced Encryption Standard (AES). NIST, November 2001Google Scholar
  25. [SMMK12]
    Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: \(\mathit{TWINE}\): a lightweight block cipher for multiple platforms. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 339–354. Springer, Heidelberg (2013). Scholar
  26. [Wag99]
    Wagner, D.: The boomerang attack. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999). Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. 1.Information Security GroupRoyal Holloway, University of LondonEghamUK
  2. 2.School of Physical and Mathematical SciencesNanyang Technological UniversitySingaporeSingapore
  3. 3.Temasek LaboratoriesNanyang Technological UniversitySingaporeSingapore
  4. 4.School of Computer Science and EngineeringNanyang Technological UniversitySingaporeSingapore
  5. 5.NTT Secure Platform LaboratoriesTokyoJapan
  6. 6.State Key Laboratory of Information Security, Institute of Information EngineeringChinese Academy of SciencesBeijingChina

Personalised recommendations