There and back again: a tale of boomerang attacks Paul HUYNH Advisor: Marine MINIER Team Caramba, LORIA, Université de Lorraine Block Ciphers The Sandwich Attack Family of n-bit permutations parameterized by a key K used for A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony: Dunkelman, Keller, Shamir, 2010 data encryption i.e. turning a message M into a ciphertext C. Iterative structure Basic distinguisher The sandwich attack Rewrite E = E ◦ E E = E1◦Em◦E0 EK(M) = Fkr−1 ◦ Fkr−2 ◦ · · · ◦ Fk0(M) = C 1 0 Find good differentials over E0 and E1: Em of 1 round K P(α −→E0 β) = p 1 3 P(γ −→E1 δ) = q M1 M3 Key Schedule 2 2 2 Expected probability of p q α α 4 M1 M3 M2 M4 k0 k1 ··· kr−2 kr−1 E0 E0 α α M F F ··· F F C M2 M4 x1 β x3 β E0 E0 E0 E0 Em Em x2 x4 E0 E0 β γ β y1 y3 Two major constructions for F γ Em Em E1 E1 γ E1 E1 y2 y4 Feistel SPN γ E1 E1 k ki L i R C1 δ C3 E1 E1 i i C1 C3 ··· δ f S S S S ··· S C2 δ C4 C2 C4 ··· δ L Incompatibilities can occur → probability 0 instead of p2q2 2 2 L R Distinguisher in p q r i+1 i+1 The problems come from interactions at the junction of the two Both constructions include non-linear components. In most cases, trails → how to compute r ? boolean mappings called substitution boxes (or Sboxes) are used. The BCT: Automation of the Analysis of 1-round Em for SPN A good block cipher must behave like a random permutation ! Boomerang Connectivity Table: A New Cryptanalysis Tool: Cid, Huang, Peyrin, Sasaki, Song, 2018. Probability over 1 round of Em = product of the probabilities over each Sbox S Attacking block ciphers Differential Cryptanalysis of DES-like Cryptosystems, Biham and Shamir, 1990 S S S ··· S S S S S ··· S S ∇o ∆i ∆i n L L For a random permutation π of F2 and for any differences n δ, ∆ ∈ F2 \{0} S S S ··· S S S S S ··· S S ∇ 1 o P r [π(X + δ) + π(X) = ∆] = X 2n − 1 L L Core idea Exploiting a bias in the difference distribution of the cipher −1 −1 BCT(∆i,∇o) #{x|S (S(x)⊕∇o)⊕S (S(x⊕∆i)⊕∇o)=∆i} p = 2s = 2s K M E C The problem we have solved [1] δ = M ⊕ M 0 K ∆ = C ⊕ C0 The theory of Cid et al. is only valid for SPN ciphers, quid of Feistel constructions? M 0 E C0 Introduction of the FBCT (Feistel Boomerang Connectivity Table) The cipher is weak if one can exhibit a path from an input differ- Generic formula for a middle part made of an arbitrary number of rounds: the FBET Proof that a former boomerang attack on LBlock was incorrect ence δ to an output difference ∆ (i.e. a differential characteristic) −56.14 with high probability. 16-round boomerang distinguisher on LBlock-s with Em variying from 2 to 8 rounds Interesting probability of 2 found in the 8-round case. Consequences Defending against differential cryptanalysis becomes a design The FBCT: overview goal: no differentials of high probability must exist in the designs R L R L ⊕ γ R′ But... R βL||βR ∇o = βL||βR? S SS SS L R S SS SS R L ··· L ⊕ β R ⊕ β ··· L ⊕ γ ⊕ β R′′ The Boomerang Attack, David Wagner, FSE 1999: L L ∆L R No need of high-probability differentials on the cipher to i ∇o attack it, only on both halves ofit S SS··· SS S SS··· SS F (L) ⊕ R G′ γL||γR L L γL||γR Basic Boomerang Distinguisher L R F (L ⊕ β ) ⊕ R ⊕ β G′′ Pick M1 at random, ask for its ciphertext C1 L R L R L R Ask for C2, the ciphertext of M2 = M1 ⊕ α FBCT(∆i , ∇o ) = #{x|S(x) ⊕ S(x ⊕ ∆i ) ⊕ S(x ⊕ ∇o ) ⊕ S(x ⊕ ∆i ⊕ ∇o ) = 0} Compute C3 = C1 ⊕ δ, C4 = C2 ⊕ δ → Number of times the second order derivative at points (∆i, ∇o) cancels out Ask for their decryptionM ( 3, M4) Properties Check if M3 ⊕ M4 = α. Symmetry FBCT(∆i, ∇o) = FBCT(∇o, ∆i) M M n 1 3 Diagonal FBCT(∆i, ∆i) = 2 α =α? Multiplicity FBCT(∆i, ∇o) ≡ 0 mod 4 M2 M4 Equalities FBCT(∆i, ∇o) = FBCT(∆i, ∆i ⊕ ∇o) E E−1 E E−1 What’s next ? References Automation of the search of the best parameters for a Boomerang C1 δ C3 attack taking into account the FBET [1] On the Feistel Counterpart of the Boomerang Connectivity Table C2 δ C4 Application to DES and other important Feistel ciphers: CLEFIA, - Introduction and Analysis of the FBCT Twine ... Hamid Boukerrou, Paul Huynh, Virginie Lallemand, Bimal Mandal We have a distinguisher if α ’comes back’ more often than for a Related-key case (differences in the key as well) and Marine Minier random permutation. Submitted to FSE 2020.