Paper 2022/725

Revisiting Related-Key Boomerang attacks on AES using computer-aided tool

Patrick Derbez, Univ Rennes, CNRS, IRISA
Marie Euler, Univ Rennes, CNRS, IRISA, Direction Générale de l'Armement
Pierre-Alain Fouque, Univ Rennes, CNRS, IRISA
Phuong Hoa Nguyen, Univ Rennes, CNRS, IRISA

In recent years, several MILP models were introduced to search automatically for boomerang distinguishers and boomerang attacks on block ciphers. However, they can only be used when the key schedule is linear. Here, a new model is introduced to deal with nonlinear key schedules as it is the case for AES. This model is more complex and actually it is too slow for exhaustive search. However, when some hints are added to the solver, it found the current best related-key boomerang attack on AES 192 with $2^{136.4}$ time, $2^{126.2}$ data, and $2^{94.4}$ memory complexities, which is better than the one presented by Biryukov and Khovratovich at ASIACRYPT 2009 with complexities $2^{176}/2^{123}/2^{152}$ respectively. This represents a huge improvement for the time and memory complexity, illustrating the power of MILP in cryptanalysis.

Available format(s)
Attacks and cryptanalysis
Publication info
Boomerang AES MILP
Contact author(s)
patrick derbez @ irisa fr
marie euler @ m4x org
pierre-alain fouque @ irisa fr
phuong-hoa nguyen @ irisa fr
2022-06-08: approved
2022-06-07: received
See all versions
Short URL
Creative Commons Attribution


      author = {Patrick Derbez and Marie Euler and Pierre-Alain Fouque and Phuong Hoa Nguyen},
      title = {Revisiting Related-Key Boomerang attacks on AES using computer-aided tool},
      howpublished = {Cryptology ePrint Archive, Paper 2022/725},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.