# Boomerang attacks

The boomerang attack is an improved version of differential cryptanalysis; the method was invented by David Wagner in 1999. It attacks the two halves of a block cipher separately and relies on the principle that certain properties, after perturbation of the inputs, do not propagate through the whole structure.

## Description

Four plaintext messages are considered: P, P', Q and Q'. We also have the encrypted versions of these messages: C, C', D and D'. We also consider a symmetric encryption algorithm E whose encryption can be split into two parts: E0 and E1.

E0 represents the first half of the encryption and E1 the second. We define two differential characteristics, Δ → Δ* for E0 and ∇ → ∇* for E1⁻¹. This notation means that a modification Δ of the inputs leads to a modification Δ* of the outputs after passing through the algorithm. The goal is to obtain characteristics that fit the data we have.

We first want the pair (P, P') to be compatible with the characteristic of E0. Then the pairs (P, Q) and (P', Q') must satisfy the characteristic of E1⁻¹. We then suppose that the pair (Q, Q') is arranged so that the differential characteristic Δ* → Δ holds.

If the parameters are correct, the difference between Q and Q' must equal the difference between P and P', hence the nickname boomerang.

### The different steps

We thus have a block P and a block P' with a difference Δ between them. The difference takes the form of an XOR of block P with a vector, which yields P'. We compute E0(P) and E0(P'). These two results differ by Δ*. We then apply E1 to these two values to obtain C and C':

• C = E1(E0(P))

• C' = E1(E0(P'))

We then generate D and D' from C and C' by XOR with ∇:

• D = C $\oplus$ ∇

• D' = C' $\oplus$ ∇

We decrypt D and D' with the inverse of E1. We are then at an intermediate stage with two results that differ by Δ* if the difference characteristics are correct. Decrypting with E0, we find Q and Q'. These must show a difference of Δ, the same as between P and P'. The difference initially imposed on P and P' has come back between Q and Q' like a boomerang.

With this approach, it is possible to close in on the key step by step by checking whether the conditions described above hold over a large number of plaintext/ciphertext pairs.
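The quartet construction described above, as an added example that is not part of the original article. It assumes a toy 3-round Feistel network on 16-bit blocks with SHA-256-based round functions (E0 is round 1, E1 is rounds 2 and 3); with Δ = (a, 0) and ∇ = (0, a) the boomerang returns for every plaintext on this toy, while a seeded random permutation, used as the baseline, almost never returns. All function names, the key and the sample plaintexts are constructed for illustration.

```python
import hashlib
import random

def f(key, i, half):
    """Keyed round function on one byte: first byte of SHA-256(key || round || half)."""
    return hashlib.sha256(key + bytes([i, half])).digest()[0]

def xor(a, b):
    return a[0] ^ b[0], a[1] ^ b[1]

def round_fwd(key, i, blk):            # (L, R) -> (R, L xor F_i(R))
    return blk[1], blk[0] ^ f(key, i, blk[1])

def round_inv(key, i, blk):            # inverse of round_fwd
    return blk[1] ^ f(key, i, blk[0]), blk[0]

def feistel(key):
    """(encrypt, decrypt) for E = E1 o E0: E0 is round 1, E1 is rounds 2 and 3."""
    e0 = lambda b: round_fwd(key, 1, b)
    e1 = lambda b: round_fwd(key, 3, round_fwd(key, 2, b))
    e0_inv = lambda b: round_inv(key, 1, b)
    e1_inv = lambda b: round_inv(key, 2, round_inv(key, 3, b))
    return (lambda p: e1(e0(p))), (lambda c: e0_inv(e1_inv(c)))

def random_permutation(seed):
    """Baseline (encrypt, decrypt): a seeded random permutation of all 16-bit blocks."""
    table = list(range(1 << 16))
    random.Random(seed).shuffle(table)
    inverse = [0] * len(table)
    for i, v in enumerate(table):
        inverse[v] = i
    return (lambda p: divmod(table[p[0] << 8 | p[1]], 256),
            lambda c: divmod(inverse[c[0] << 8 | c[1]], 256))

def boomerang_returns(encrypt, decrypt, delta, nabla, plaintexts):
    """Count plaintexts P whose quartet satisfies Q xor Q' == delta."""
    hits = 0
    for p in plaintexts:
        c, c2 = encrypt(p), encrypt(xor(p, delta))   # C, C' from P and P' = P xor delta
        q = decrypt(xor(c, nabla))                   # Q  from D  = C  xor nabla
        q2 = decrypt(xor(c2, nabla))                 # Q' from D' = C' xor nabla
        hits += xor(q, q2) == delta
    return hits

if __name__ == "__main__":
    pts = [(l, r) for l in range(0, 256, 8) for r in range(0, 256, 8)]  # constructed sample
    a = 0x5A                                                            # constructed difference
    ciphers = {"3-round Feistel": feistel(b"constructed key"), "random permutation": random_permutation(7)}
    for name, (enc, dec) in ciphers.items():
        print(name, boomerang_returns(enc, dec, (a, 0), (0, a), pts), "of", len(pts))
```

The gap between the two counts is what a distinguisher measures; on a real cipher the return rate is far below 100% and many quartets are needed.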

### Applications

The boomerang attack works effectively on several ciphers. In his paper, David Wagner shows how to use it in the context of Coconut98, a simplified version of Ralph Merkle's Khufu, 6 rounds of FEAL and 16 rounds of CAST-256. In 2004, it was put into practice on 6 rounds of AES by Alex Biryukov.

## External links

• Original paper by David Wagner
• Detailed explanation of the boomerang attack
• Boomerang attack on 5- and 6-round AES
