Boomerang connectivity table revisited. Application to SKINNY and AES
The boomerang attack is a variant of differential cryptanalysis which regards a block cipher E as the composition of two sub-ciphers, i.e., E = E1o E0, and which constructs distinguishers for E with probability p2q2 by combining differential trails for E0 and E1 with probability p and q respectively...
Saved in:
| Main Authors: | , , |
|---|---|
| Other Authors: | |
| Format: | Article |
| Language: | English |
| Published: |
2019
|
| Subjects: | |
| Online Access: | https://hdl.handle.net/10356/104754 http://hdl.handle.net/10220/49464 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Nanyang Technological University |
| Language: | English |
| id |
sg-ntu-dr.10356-104754 |
|---|---|
| record_format |
dspace |
| spelling |
sg-ntu-dr.10356-1047542023-02-28T19:41:49Z Boomerang connectivity table revisited. Application to SKINNY and AES Hu, Lei Song, Ling Qin, Xianrui School of Physical and Mathematical Sciences Strategic Centre for Research in Privacy-Preserving Technologies and Systems Block Cipher DRNTU::Science::Mathematics Boomerang Attack The boomerang attack is a variant of differential cryptanalysis which regards a block cipher E as the composition of two sub-ciphers, i.e., E = E1o E0, and which constructs distinguishers for E with probability p2q2 by combining differential trails for E0 and E1 with probability p and q respectively. However, the validity of this attack relies on the dependency between the two differential trails. Murphy has shown cases where probabilities calculated by p2q2 turn out to be zero, while techniques such as boomerang switches proposed by Biryukov and Khovratovich give rise to probabilities greater than p2q2. To formalize such dependency to obtain a more accurate estimation of the probability of the distinguisher, Dunkelman et al. proposed the sandwich framework that regards E as Ẽ1o Em o Ẽ0, where the dependency between the two differential trails is handled by a careful analysis of the probability of the middle part Em. Recently, Cid et al. proposed the Boomerang Connectivity Table (BCT) which unifies the previous switch techniques and incompatibility together and evaluates the probability of Em theoretically when Em is composed of a single S-box layer. In this paper, we revisit the BCT and propose a generalized framework which is able to identify the actual boundaries of Em which contains dependency of the two differential trails and systematically evaluate the probability of Em with any number of rounds. To demonstrate the power of this new framework, we apply it to two block ciphers SKINNY and AES. In the application to SKINNY, the probabilities of four boomerang distinguishers are re-evaluated. It turns out that Em involves5 or 6 rounds and the probabilities of the full distinguishers are much higher than previously evaluated. In the application to AES, the new framework is used to exclude incompatibility and find high probability distinguishers of AES-128 under the related-subkey setting. As a result, a 6-round distinguisher with probability 2−109.42 is constructed. Lastly, we discuss the relation between the dependency of two differential trails in boomerang distinguishers and the properties of components of the cipher. NRF (Natl Research Foundation, S’pore) Published version 2019-07-25T01:26:08Z 2019-12-06T21:38:58Z 2019-07-25T01:26:08Z 2019-12-06T21:38:58Z 2019 Journal Article Song, L., Qin, X., & Hu, L. (2019). Boomerang connectivity table revisited. Application to SKINNY and AES. IACR Transactions on Symmetric Cryptology, 2019(1), 118-141. doi:10.13154/tosc.v2019.i1.118-141 https://hdl.handle.net/10356/104754 http://hdl.handle.net/10220/49464 10.13154/tosc.v2019.i1.118-141 en IACR Transactions on Symmetric Cryptology © 2019 The Author(s). All rights reserved. This paper was published by Ruhr University Bochum in IACR Transactions on Symmetric Cryptology and is made available with permission of The Author(s). 24 p. application/pdf |
| institution |
Nanyang Technological University |
| building |
NTU Library |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
NTU Library |
| collection |
DR-NTU |
| language |
English |
| topic |
Block Cipher DRNTU::Science::Mathematics Boomerang Attack |
| spellingShingle |
Block Cipher DRNTU::Science::Mathematics Boomerang Attack Hu, Lei Song, Ling Qin, Xianrui Boomerang connectivity table revisited. Application to SKINNY and AES |
| description |
The boomerang attack is a variant of differential cryptanalysis which regards a block cipher E as the composition of two sub-ciphers, i.e., E = E1o E0, and which constructs distinguishers for E with probability p2q2 by combining differential trails for E0 and E1 with probability p and q respectively. However, the validity of this attack relies on the dependency between the two differential trails. Murphy has shown cases where probabilities calculated by p2q2 turn out to be zero, while techniques such as boomerang switches proposed by Biryukov and Khovratovich give rise to probabilities greater than p2q2. To formalize such dependency to obtain a more accurate estimation of the probability of the distinguisher, Dunkelman et al. proposed the sandwich framework that regards E as Ẽ1o Em o Ẽ0, where the dependency between the two differential trails is handled by a careful analysis of the probability of the middle part Em. Recently, Cid et al. proposed the Boomerang Connectivity Table (BCT) which unifies the previous switch techniques and incompatibility together and evaluates the probability of Em theoretically when Em is composed of a single S-box layer. In this paper, we revisit the BCT and propose a generalized framework which is able to identify the actual boundaries of Em which contains dependency of the two differential trails and systematically evaluate the probability of Em with any number of rounds. To demonstrate the power of this new framework, we apply it to two block ciphers SKINNY and AES. In the application to SKINNY, the probabilities of four boomerang distinguishers are re-evaluated. It turns out that Em involves5 or 6 rounds and the probabilities of the full distinguishers are much higher than previously evaluated. In the application to AES, the new framework is used to exclude incompatibility and find high probability distinguishers of AES-128 under the related-subkey setting. As a result, a 6-round distinguisher with probability 2−109.42 is constructed. Lastly, we discuss the relation between the dependency of two differential trails in boomerang distinguishers and the properties of components of the cipher. |
| author2 |
School of Physical and Mathematical Sciences |
| author_facet |
School of Physical and Mathematical Sciences Hu, Lei Song, Ling Qin, Xianrui |
| format |
Article |
| author |
Hu, Lei Song, Ling Qin, Xianrui |
| author_sort |
Hu, Lei |
| title |
Boomerang connectivity table revisited. Application to SKINNY and AES |
| title_short |
Boomerang connectivity table revisited. Application to SKINNY and AES |
| title_full |
Boomerang connectivity table revisited. Application to SKINNY and AES |
| title_fullStr |
Boomerang connectivity table revisited. Application to SKINNY and AES |
| title_full_unstemmed |
Boomerang connectivity table revisited. Application to SKINNY and AES |
| title_sort |
boomerang connectivity table revisited. application to skinny and aes |
| publishDate |
2019 |
| url |
https://hdl.handle.net/10356/104754 http://hdl.handle.net/10220/49464 |
| _version_ |
1759857300976173056 |