Boomerang connectivity table: A new cryptanalysis tool


Abstract

A boomerang attack is a cryptanalysis framework that regards a block cipher E as the composition of two sub-ciphers E1∘E0 and builds a particular characteristic for E with probability p²q² by combining differential characteristics for E0 and E1 with probability p and q, respectively. Crucially, the validity of this figure is under the assumption that the characteristics for E0 and E1 can be chosen independently. Indeed, Murphy has shown that independently chosen characteristics may turn out to be incompatible. On the other hand, several researchers observed that the probability can be improved to p or q around the boundary between E0 and E1 by considering a positive dependency of the two characteristics, e.g. the ladder switch and S-box switch by Biryukov and Khovratovich. This phenomenon was later formalised by Dunkelman et al. as a sandwich attack that regards E as E1∘Em∘E0, where Em satisfies some differential propagation among four texts with probability r, and the entire probability is p²q²r. In this paper, we revisit the issue of dependency of two characteristics in Em, and propose a new tool called Boomerang Connectivity Table (BCT), which evaluates r in a systematic and easy-to-understand way when Em is composed of a single S-box layer. With the BCT, previous observations on the S-box including the incompatibility, the ladder switch and the S-box switch are represented in a unified manner. Moreover, the BCT can detect a new switching effect, which shows that the probability around the boundary may be even higher than p or q. To illustrate the power of the BCT-based analysis, we improve boomerang attacks against Deoxys-BC, and disclose the mechanism behind an unsolved probability amplification for generating a quartet in SKINNY. Lastly, we discuss the issue of searching for S-boxes having good BCT and extending the analysis to modular addition.
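As an added example (not code from the paper), the following computes both the classical DDT and the BCT of a 4-bit S-box and lists the entries where the BCT exceeds the DDT, i.e. where the switching effect described above raises the boundary probability r above what independent characteristics would predict. BCT(Δi,∇o) counts the x with S⁻¹(S(x)⊕∇o) ⊕ S⁻¹(S(x⊕Δi)⊕∇o) = Δi, and BCT(Δi,∇o)/2ⁿ is r when Em is a single S-box layer. The S-box used is the PRESENT S-box, an assumption made here for concreteness; the abstract names no particular S-box.

```python
# Added example, not from the paper: DDT vs. BCT of a 4-bit S-box.
from typing import List, Tuple

# PRESENT S-box (4-bit, well-known table); assumed here only as sample input.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def inverse(sbox: List[int]) -> List[int]:
    """Inverse of a bijective S-box given as a lookup table."""
    inv = [0] * len(sbox)
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv


def ddt(sbox: List[int]) -> List[List[int]]:
    """Difference Distribution Table: DDT[din][dout] = #{x : S(x)^S(x^din) = dout}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for din in range(n):
            table[din][sbox[x] ^ sbox[x ^ din]] += 1
    return table


def bct(sbox: List[int]) -> List[List[int]]:
    """Boomerang Connectivity Table:
    BCT[din][dout] = #{x : S^-1(S(x)^dout) ^ S^-1(S(x^din)^dout) = din}.
    The four texts x, x^din and the two values returned through S^-1 form
    the quartet at the S-box boundary; the entry counts quartets that close."""
    n = len(sbox)
    inv = inverse(sbox)
    table = [[0] * n for _ in range(n)]
    for din in range(n):
        for dout in range(n):
            for x in range(n):
                back1 = inv[sbox[x] ^ dout]         # returning text on the left
                back2 = inv[sbox[x ^ din] ^ dout]   # returning text on the right
                if back1 ^ back2 == din:
                    table[din][dout] += 1
    return table


def switching_gain(sbox: List[int]) -> List[Tuple[int, int, int, int]]:
    """All nonzero (din, dout) where BCT > DDT, i.e. the boundary probability r
    is higher than the DDT-based estimate. Returns (din, dout, ddt, bct)."""
    n, d, b = len(sbox), ddt(sbox), bct(sbox)
    return [(a, c, d[a][c], b[a][c])
            for a in range(1, n) for c in range(1, n) if b[a][c] > d[a][c]]
```

For the PRESENT S-box, (Δi,∇o) = (0xF,0x1) has DDT entry 4 but BCT entry 8, so r at that S-box is 1/2 rather than the 1/4 a DDT-only estimate would give.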

Citation (APA)

Cid, C., Huang, T., Peyrin, T., Sasaki, Y., & Song, L. (2018). Boomerang connectivity table: A new cryptanalysis tool. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 10821 LNCS, pp. 683–714). Springer Verlag. https://doi.org/10.1007/978-3-319-78375-8_22
