The Boomerang Attack

  • David Wagner
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1636)


This paper describes a new differential-style attack, which we call the boomerang attack. This attack has several interesting applications. First, we disprove the oft-repeated claim that eliminating all high-probability differentials for the whole cipher is sufficient to guarantee security against differential attacks. Second, we show how to break COCONUT98, a cipher designed using decorrelation techniques to ensure provable security against differential attacks, with an advanced differential-style attack that needs just 2^16 adaptively chosen texts. Also, to illustrate the power of boomerang techniques, we give new attacks on Khufu-16, FEAL-6, and 16 rounds of CAST-256.



Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • David Wagner, U.C. Berkeley
