Boomerang attack

Lua error in package.lua at line 80: module 'strict' not found.

Boomerang attack

In cryptography, the boomerang attack is a method for the cryptanalysis of block ciphers based on differential cryptanalysis. The attack was published in 1999 by David Wagner, who used it to break the COCONUT98 cipher.

The boomerang attack has allowed new avenues of attack for many ciphers previously deemed safe from differential cryptanalysis.

Refinements on the boomerang attack have been published: the amplified boomerang attack, then the rectangle attack.

The attack

The boomerang attack is based on differential cryptanalysis. In differential cryptanalysis, an attacker exploits how differences in the input to a cipher (the plaintext) can affect the resultant difference at the output (the ciphertext). A high-probability "differential" (that is, an input difference that will produce a likely output difference) is needed that covers all, or nearly all, of the cipher. The boomerang attack allows differentials to be used which cover only part of the cipher.

The attack attempts to generate a so-called "quartet" structure at a point halfway through the cipher. For this purpose, say that the encryption action, E, of the cipher can be split into two consecutive stages, E₀ and E₁, so that E(M) = E₁(E₀(M)), where M is some plaintext message. Suppose we have two differentials for the two stages; say,

\Delta\to\Delta^*

for E₀, and

\nabla\to\nabla^*

for E₁⁻¹ (the decryption action of E₁).

The basic attack proceeds as follows:

Choose a random plaintext $P$ and calculate $P' = P \oplus \Delta$ .
Request the encryptions of $P$ and $P'$ to obtain $C = E(P)$ and $C' = E(P')$
Calculate $D = C \oplus \nabla$ and $D' = C' \oplus \nabla^*$
Request the decryptions of $D$ and $D'$ to obtain $Q = E^{-1}(D)$ and $Q' = E^{-1}(D')$
Compare $Q$ and $Q'$ ; when the differentials hold, $Q \oplus Q' = \Delta$ .

Application to specific ciphers

One attack on KASUMI, a block cipher used in 3GPP, is a related-key rectangle attack which breaks the full eight rounds of the cipher faster than exhaustive search (Biham et al., 2005). The attack requires 2^54.6 chosen plaintexts, each of which has been encrypted under one of four related keys, and has a time complexity equivalent to 2^76.1 KASUMI encryptions.

References

Lua error in package.lua at line 80: module 'strict' not found. (Slides in PostScript)
Lua error in package.lua at line 80: module 'strict' not found.
Lua error in package.lua at line 80: module 'strict' not found.
Lua error in package.lua at line 80: module 'strict' not found.
Lua error in package.lua at line 80: module 'strict' not found.
Lua error in package.lua at line 80: module 'strict' not found.
Lua error in package.lua at line 80: module 'strict' not found.
Lua error in package.lua at line 80: module 'strict' not found.
Lua error in package.lua at line 80: module 'strict' not found.
Lua error in package.lua at line 80: module 'strict' not found.
Lua error in package.lua at line 80: module 'strict' not found.

External links

Boomerang attack — explained by John Savard
Nathan Keller's homepage

Boomerang attack

Contents

The attack

Application to specific ciphers

References

External links

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools