IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. XX, NO. XX, XXX 20XX 2 The Return of the Cryptographic Boomerang S. Murphy △ Abstract—The boomerang analysis, together with its offspring Q ′ the amplified boomerang analysis and the rectangle analysis, Q are techniques that are widely used in the analysis of block 6 6 ciphers. We give realistic examples which demonstrate that the boomerang analysis can commonly give probability values that △ are highly inaccurate. Thus any complexity estimates for the P P ′ security of a block cipher based on the boomerang or rectangle −1 −1 analysis must be viewed extremely sceptically. E0 E0 Index Terms—Block Ciphers, Boomerang Analysis, Rectangle ? 6 ? 6 Analysis. E0 E0 I. INTRODUCTION ′ Y △∗ Y The boomerang analysis of [1] is an adaptation of differ- ∇∗ 6 ∇∗ 6 ential cryptanalysis [2], [3] in which quartets of encryptions and decryptions are used. Two related plaintexts are encrypted, ? △∗ ? and the resulting pair of ciphertexts is then used to generate X X′ two new related ciphertexts. These two new ciphertexts are then decrypted to give two new plaintexts. The aim of the E−1 E−1 boomerang analysis is to use such quartets of plaintexts and 1 1 of ciphertexts to find key information. Furthermore, enhanced ? 6 ? 6 versions of the boomerang analysis based on this idea have E1 E1 also been developed, such as the amplified boomerang analy- sis [4] and the rectangle analysis [5]. ′ ∇ D ∇ D There is however no a priori reason for the probabilistic argument of [1] concerning the boomerang analysis, and there- ? ? fore for the related analyses, to be correct. We demonstrate this C C′ by giving simple examples using the Data Encryption Standard (DES) [6] and the Advanced Encryption Standard (AES) [7]. Fig. 1. Schematic Diagram of the Basic Boomerang Analysis. The motivation for the use of the word boomerang to describe such an analysis of quartets is given in [1]. 0 This is why we call it the boomerang attack: when ² Encrypt P and P to obtain ciphertexts C = E(P ) and 0 0 you send it properly, it always comes back to you. C = E(P ). 0 We send a DES or an AES boomerang, but our boomerang ² Obtain two further ciphertexts D = C + r and D = 0 won’t come back. C + r. 0 ¡1 ² Decrypt D and D to obtain plaintexts Q = E (D) and Q0 = E¡1(D0). II. THE BOOMERANG ANALYSIS We describe the basic boomerang analysis in the manner The boomerang analysis is an attempt to use the ideas of differential cryptanalysis [2], [3] to analyse the plaintext of [1], and a schematic diagram of the boomerang analysis, 0 0 0 0 based on Figure 1 of [1], is given in Figure 1. We base quartet (P; P ; Q; Q ) and ciphertext quartet (C; C ; D; D ). our notation on that of [1], so we suppose that E represents To this end, we consider the encryption operation in two parts, the block cipher encryption under a fixed key. The basic so we may write E = E1 ± E0. Thus E0 represents the initial part of the encryption operation, and E1 represents the final boomerang analysis is based on a quartet of encryptions and 0 0 decryptions, and the process for generating such a quartet is part. We let (X; X ; Y; Y ) denote the intermediate result of described below. the encryption and decryption operations, so we have: ² Choose values 4 and r. ¡1 0 0 ¡1 0 X = E0(P ) = E1 (C);X = E0(P ) = E1 (C ); 0 0 ² Choose a pair of plaintexts P and P such that P +P = ¡1 0 0 ¡1 0 Y = E0(Q) = E1 (D);Y = E0(Q ) = E1 (D ): 4. The basic boomerang analysis uses two differential charac- S. Murphy is with the Information Security Group, Department of Mathe- teristics [2], [3]. The differential characteristic 4 ! 4¤ is matics, Royal Holloway, University of London, Egham, Surrey TW20 0EX, U.K. used for the initial part E0 of the overall encryption E and Manuscript received XX; revised XX. the differential characteristic r¤ ! r is used for the final IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. XX, NO. XX, XXX 20XX 3 ¤ part E1 of the overall encryption E, for some values 4 and inputs to DES S-Box 2 in the fourth round of this cipher. Thus r¤. A quartet of encryptions and decryptions, or equivalently c; c0; d; d0 are a selection of six bits of C; C0; D; D0. For a right 0 0 ¤ the corresponding plaintext and ciphertext quartets, is called a quartet, we require that X + X = Y + Y = 4 = ±9 and 0 0 ¤ right quartet if the following conditions hold: X + Y = X + Y = r = ±B. Allowing for the expansion phase of the DES round function [6], a right quartet therefore P + P 0 = Q + Q0 = 4;X + X0 = Y + Y 0 = 4¤; satisfies X + Y = X0 + Y 0 = r¤;C + D = C0 + D0 = r: A motivation for using this quartet of encryptions and c + c0 = d + d0 = 110010 and c + d = c0 + d0 = 110110; decryptions, and for the definition of a right quartet is given in [1]. which gives the following relationship between the four 6-bit We want to cover the pair P; P 0 with the char- S-Box inputs: acteristic for E0, and to cover the pairs P; Q and 0 0 ¡1 0 P ;Q with the characteristic for E1 . Then (we c = c + 110010; claim) the pair Q; Q0 is perfectly set up to use the d = c + 110110; ¤ ¡1 0 characteristic 4 ! 4 for E0 . and d = d + 110010 = c + 000100: It is the case that In the classical differential cryptanalysis of the DES, we E (Q) + E (Q0) = Y + Y 0 0 0 require that the outputs of the respective pairs of S-Boxes are = (Y + X) + (X + X0) + (X0 + Y 0) identical. Thus we have = r¤ + 4¤ + r¤ = 4¤ 0 0 is indeed a condition required to start the characteristic S2(c) = S2(d) and S2(c ) = S2(d ); ¤ ¡1 4 ! 4 for E0 , the inverse of the initial part of the 6 4 encryption operation. However, whilst this condition is a where S2 : Z2 ! Z2 is the 6-bit to 4-bit function given by necessary condition, it is not a sufficient condition, as the DES S-Box 2. For a right quartet to exist, we therefore require examples of Section III and VI demonstrate. that there exists a 6-bit value c such that The statistical reasoning of the boomerang analysis given in Section 4 of [1] states that the probability p of a right quartet S2(c) = S2(c + 110110) satisfies and S2(c + 110010) = S2(c + 000100): 2 2 p ¸ p0p1; It is easy to verify by a direct search of all 26 = 64 possibilities where p0 is the probability of the differential characteristic for c that no such value for c exists. ¤ 4 ! 4 under E0 and p1 is the probability of the differential ¤ It is is not therefore possible for a right quartet to exist in characteristic r ! r under E1. The complexity estimates this boomerang analysis. In other words, a right quartet exists for the boomerang analysis given in [1] are based on this in this boomerang analysis with probability zero, rather than p ¡ ¢4 estimate of . However, in both Sections III and VI we give than the probability of at least p2p2 ¼ 1 > 0 asserted p ; p > 0 0 1 234 examples of a boomerang analysis with 0 1 , but for by [1]. This DES boomerang never comes back. which a right quartet can never occur, that is p = 0. III. A DES BOOMERANG IV. THE AMPLIFIED BOOMERANG ANALYSIS We consider a boomerang analysis on a block cipher that consists of four rounds of the Data Encryption Standard The amplified boomerang analysis of [4] is an adaptation (DES) [6]. Thus E is the encryption under some fixed key of the basic boomerang analysis that only uses encryptions of four rounds of the DES (without IP and IP ¡1), and we and no decryptions in a chosen plaintext analysis. The idea 0 0 suppose that E0 is the initial two rounds of this encryption and is to encrypt pairs (P; P ) or (Q; Q ) of plaintexts satisfying 0 0 0 that E1 the final two rounds of this encryption. We use the P + P = Q + Q = 4. As before, we let (X; X ) = 0 0 0 two differential characteristics used in the iterated differential (E0(P );E0(P )) and (Y; Y ) = (E0(Q);E0(Q )) denote the cryptanalysis of the DES [2], [3]. Thus we define intermediate values of encryptions under E. Such intermediate values (X; X0) or (Y; Y 0) then satisfy X + X0 = 4¤ or 4 = 4¤ = 19600000 00000000 = (γ ; 0) = ± 9 9 Y + Y 0 = 4¤ with probability p . Thus if we start with and r = r¤ = 1B600000 00000000 = (γ ; 0) = ± ; 0 B B N such plaintext pairs, we expect to obtain Np intermedi- so in particular we have: ate pairs with difference 4¤, and so we expect to obtain about 1 (Np)2 intermediate quartets (X; X0; Y; Y 0) satisfying E (Z) + E (Z + 4) = 4¤ with probability p ¼ 1 ; 2 0 0 0 234 X +X0 = Y +Y 0 = 4¤. It is then asserted by [4] that such an E (Z) + E (Z + r¤) = r with probability p ¼ 1 : 1 1 1 234 intermediate quartet also satisfies X +Y = X0 +Y 0 = r¤, the The reasoning of Section 4 of [1] would now assert¡ ¢ that the other part of the boomerang condition, uniformly at random.