Boomerang Connectivity Table: A New Cryptanalysis Tool

Carlos Cid; Tao Huang; Thomas Peyrin; Yu Sasaki; Ling Song

Paper 2018/161

Boomerang Connectivity Table: A New Cryptanalysis Tool

Carlos Cid, Tao Huang, Thomas Peyrin, Yu Sasaki, and Ling Song

Abstract

A boomerang attack is a cryptanalysis framework that regards a block cipher $E$ as the composition of two sub-ciphers $E_{1} \circ E_{0}$ and builds a particular characteristic for $E$ with probability $p^{2} q^{2}$ by combining differential characteristics for $E_{0}$ and $E_{1}$ with probability $p$ and $q$ , respectively. Crucially the validity of this figure is under the assumption that the characteristics for $E_{0}$ and $E_{1}$ can be chosen independently. Indeed, Murphy has shown that independently chosen characteristics may turn out to be incompatible. On the other hand, several researchers observed that the probability can be improved to $p$ or $q$ around the boundary between $E_{0}$ and $E_{1}$ by considering a positive dependency of the two characteristics, e.g.~the ladder switch and S-box switch by Biryukov and Khovratovich. This phenomenon was later formalised by Dunkelman et al.~as a sandwich attack that regards as , where satisfies some differential propagation among four texts with probability , and the entire probability is . In this paper, we revisit the issue of dependency of two characteristics in , and propose a new tool called Boomerang Connectivity Table (BCT), which evaluates in a systematic and easy-to-understand way when is composed of a single S-box layer. With the BCT, previous observations on the S-box including the incompatibility, the ladder switch and the S-box switch are represented in a unified manner. Moreover, the BCT can detect a new switching effect, which shows that the probability around the boundary may be even higher than or . To illustrate the power of the BCT-based analysis, we improve boomerang attacks against Deoxys-BC, and disclose the mechanism behind an unsolved probability amplification for generating a quartet in SKINNY. Lastly, we discuss the issue of searching for S-boxes having good BCT and extending the analysis to modular addition.

Metadata

Available format(s): PDF
Category: Secret-key cryptography
Publication info: A minor revision of an IACR publication in EUROCRYPT 2018
Contact author(s): sasaki yu @ lab ntt co jp
History: 2018-02-11: received
Short URL: https://ia.cr/2018/161
License: CC BY

BibTeX

@misc{cryptoeprint:2018/161,
      author = {Carlos Cid and Tao Huang and Thomas Peyrin and Yu Sasaki and Ling Song},
      title = {Boomerang Connectivity Table: A New Cryptanalysis Tool},
      howpublished = {Cryptology {ePrint} Archive, Paper 2018/161},
      year = {2018},
      url = {https://eprint.iacr.org/2018/161}
}