Impossible Boomerang Attack for Block Cipher Structures

  • Jiali Choy
  • Huihui Yap
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5824)


Impossible boomerang attack [5] (IBA) is a new variant of differential cryptanalysis against block ciphers. Evident from its name, it combines the ideas of both impossible differential cryptanalysis and boomerang attack. Though such an attack might not be the best attack available, its complexity is still less than that of the exhaustive search. In impossible boomerang attack, impossible boomerang distinguishers are used to retrieve some of the subkeys. Thus the security of a block cipher against IBA can be evaluated by impossible boomerang distinguishers. In this paper, we study the impossible boomerang distinguishers for block cipher structures whose round functions are bijective. Inspired by the \(\mathcal{U}\)-method in [3], we provide an algorithm to compute the maximum length of impossible boomerang distinguishers for general block cipher structures, and apply the algorithm to known block cipher structures such as Nyberg’s generalized Feistel network, a generalized CAST256-like structure, a generalized MARS-like structure, a generalized RC6-like structure, etc.


Block Ciphers Impossible Boomerang Attack Impossible Boomerang Distinguishers 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Biham, E., Dunkelman, O., Keller, N.: A related-key rectangle attack on the full KASUMI. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 443–461. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  2. 2.
    Dunkelman, O., Keller, N.: An improved impossible differential attack on MISTY1. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 441–454. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  3. 3.
    Kim, J., Hong, S., Sung, J., Lee, S., Lim, J., Sung, S.: Impossible Differential Cryptanalysis for Block Cipher Structures. In: Johansson, T., Maitra, S. (eds.) INDOCRYPT 2003. LNCS, vol. 2904, pp. 97–106. Springer, Heidelberg (2003)Google Scholar
  4. 4.
    Liu, F., Ji, W., Hu, L., Ding, J., Lv, S., Pyshkin, A., Weinmann, R.: Analysis of the SMS4 block cipher. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 158–170. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  5. 5.
    Lu, J.: Cryptanalysis of Block Ciphers., Technical Report RHUL-MA-2008-19 ) (July 30, 2008)
  6. 6.
    Lu, J.: Attacking reduced-round versions of the SMS4 block cipher in the chinese WAPI standard. In: Qing, S., Imai, H., Wang, G. (eds.) ICICS 2007. LNCS, vol. 4861, pp. 306–318. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  7. 7.
    Moriai, S., Vaudenay, S.: On the Pseudorandomness of Top-Level Schemes of Block Ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 289–302. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  8. 8.
    Sung, J., Lee, S.-J., Lim, J.-I., Hong, S.H., Park, S.-J.: Provable Security for the Skipjack-like Structure Against Differential Cryptanalysis and Linear Cryptanalysis. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 274–288. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  9. 9.
    Tsunoo, Y., Tsujihara, E., Shigeri, M., Saito, T., Suzaki, T., Kubo, H.: Impossible Differential Cryptanalysis of CLEFIA. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 398–411. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  10. 10.
    Wu, W., Zhang, W., Lin, D.: On the Security of Generalized Feistel Scheme with SP Round Function. International Journal of Network Security 3(3), 215–224 (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Jiali Choy
    • 1
  • Huihui Yap
    • 1
  1. 1.DSO National LaboratoriesSingapore

Personalised recommendations