The Retracing Boomerang Attack

Boomerang attacks are extensions of differential attacks which make it possible to combine two unrelated differential properties, one of the first part and one of the second part of a cryptosystem, with probabilities p and q, into a new differential-like property of the whole cryptosystem with probability \(p^2q^2\) (since each of the two properties has to be satisfied twice). In this paper we describe a new version of boomerang attacks which uses the counterintuitive idea of throwing out most of the data in order to force equalities between certain values on the ciphertext side. In certain cases this creates a correlation between the four probabilistic events, which increases the probability of the combined property to \(p^2q\) and increases the signal-to-noise ratio of the resulting distinguisher. We call this variant a retracing boomerang attack, since we make sure that the boomerang we throw follows the same path in its forward and backward directions. To demonstrate the power of the new technique, we apply it to 5-round AES. This version of AES has been repeatedly attacked by a large variety of techniques, but for twenty years its complexity had remained stuck at \(2^{32}\). At CRYPTO 2018 it was finally reduced to \(2^{24}\) (for full key recovery), and with our new technique we can further reduce the complexity of full key recovery to the surprisingly low value of \(2^{16.5}\) (i.e., only about 90,000 encryption/decryption operations are required for a full key recovery on half the rounds of AES).
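
As an added worked derivation (it is not part of the paper's abstract; it follows the construction the abstract describes and uses the standard boomerang symbols \(\alpha, \beta, \gamma, \delta\) for the two differentials together with the abstract's \(p\) and \(q\); the exact decomposition of \(E_1\) used for 5-round AES is in the paper body, not on this page), here is where \(p^2q^2\) and \(p^2q\) come from. Write the cipher as \(E = E_1 \circ E_0\) on \(n\)-bit blocks, with a differential \(\alpha \to \beta\) through \(E_0\) of probability \(p\) and a differential \(\gamma \to \delta\) through \(E_1\) of probability \(q\) (the reverse differential \(\delta \to \gamma\) through \(E_1^{-1}\) is taken to have the same probability). A boomerang quartet is built from one chosen-plaintext pair and one adaptively chosen-ciphertext pair:

\[
P_2 = P_1 \oplus \alpha,\quad C_i = E(P_i),\quad C_3 = C_1 \oplus \delta,\quad C_4 = C_2 \oplus \delta,\quad P_3 = E^{-1}(C_3),\quad P_4 = E^{-1}(C_4),
\]

with middle values \(X_i = E_0(P_i) = E_1^{-1}(C_i)\). The quartet is a right quartet when four events hold:

\[
\begin{aligned}
A_1 &: X_1 \oplus X_2 = \beta && \text{(forward through } E_0,\ \Pr = p),\\
B_1 &: X_1 \oplus X_3 = \gamma && \text{(backward through } E_1^{-1},\ \Pr = q),\\
B_2 &: X_2 \oplus X_4 = \gamma && \text{(backward through } E_1^{-1},\ \Pr = q),\\
A_2 &: P_3 \oplus P_4 = \alpha \ \text{given}\ X_3 \oplus X_4 = \beta && \text{(backward through } E_0^{-1},\ \Pr = p).
\end{aligned}
\]

The link between them is the identity

\[
X_3 \oplus X_4 = (X_1 \oplus \gamma) \oplus (X_2 \oplus \gamma) = X_1 \oplus X_2 = \beta ,
\]

so whenever \(A_1\), \(B_1\) and \(B_2\) hold, the pair \((X_3, X_4)\) has exactly the difference that the backward \(E_0\) differential needs. Under the usual independence heuristic

\[
\Pr[P_3 \oplus P_4 = \alpha] \approx p \cdot q \cdot q \cdot p = p^2 q^2 ,
\]

against \(2^{-n}\) for a random permutation; the distinguisher therefore needs on the order of \(1/(p^2q^2)\) quartets and requires \(p^2 q^2 \gg 2^{-n}\).

The retracing variant attacks the factor \(q^2\). Suppose the probabilistic part of the backward transition \(\delta \to \gamma\) is decided by the values of the ciphertext pair restricted to some part \(R\) of the state (as in a final layer that acts on \(R\) independently of the rest), and keep only those plaintext pairs whose ciphertexts satisfy

\[
C_1|_R \oplus C_2|_R = \delta|_R .
\]

For such a pair, \(C_3|_R = C_1|_R \oplus \delta|_R = C_2|_R\) and \(C_4|_R = C_2|_R \oplus \delta|_R = C_1|_R\): restricted to \(R\), the two backward pairs \((C_1, C_3)\) and \((C_2, C_4)\) are the same unordered pair \(\{C_1|_R, C_2|_R\}\), traversed in opposite directions. The events \(B_1\) and \(B_2\) are then a single event rather than two independent ones, and it is an event about the pair \((C_1, C_2)\) that the forward encryption has already produced. The four factors collapse to three:

\[
\Pr[P_3 \oplus P_4 = \alpha] \approx p \cdot q \cdot p = p^2 q .
\]

The filter is checked on \((C_1, C_2)\) before any decryption is requested, and for ciphertexts that behave randomly on \(R\) it discards a \(1 - 2^{-|R|}\) fraction of the pairs; since a retracing quartet cannot exist without the equality on \(R\), what is thrown away is noise rather than signal, which is the signal-to-noise gain the abstract refers to.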
