The (related-key) impossible boomerang attack and its application to the AES block cipher

BM123-64 block cipher, which was proposed by Minh, N.H. and Bac, D.T. in 2014, was designed for high speed communication applications factors. It was constructed in hybrid controlled substitution–permutation network (CSPN) models with two types of basic controlled elements (CE) in distinctive designs. This cipher is based on switchable data-dependent operations (SDDO) and covers dependent-operations suitable for efficient primitive approaches for cipher constructions that can generate key schedule in a simple way. The BM123-64 cipher has advantages including high applicability, flexibility, and portability with different algorithm selection for various application targets with internet of things (IoT) as well as secure protection against common types of attacks, for instance, differential attacks and linear attacks. However, in this paper, we propose methods to possibly exploit the BM123-64 structure using related-key attacks. We have constructed a high probability related-key differential characteristics (DCs) on a full eight rounds of BM123-64 cipher. The related-key amplified boomerang attack is then proposed on all three different cases of operation-specific designs with effective results in complexity of data and time consumptions. This study can be considered as the first cryptographic results on BM123-64 cipher.

Download Full-text

Boomeyong: Embedding Yoyo within Boomerang and its Applications to Key Recovery Attacks on AES and Pholkos

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2021.i3.137-169 ◽

2021 ◽

pp. 137-169

Author(s):

Mostafizar Rahman ◽

Dhiman Saha ◽

Goutam Paul

Keyword(s):

Time Complexity ◽

Block Cipher ◽

New Technique ◽

Small Scale ◽

Key Recovery ◽

Boomerang Attack ◽

Tweakable Block Cipher ◽

Key Recovery Attack ◽

Key Recovery Attacks

This work investigates a generic way of combining two very effective and well-studied cryptanalytic tools, proposed almost 18 years apart, namely the boomerang attack introduced by Wagner in FSE 1999 and the yoyo attack by Ronjom et al. in Asiacrypt 2017. In doing so, the s-box switch and ladder switch techniques are leveraged to embed a yoyo trail inside a boomerang trail. As an immediate application, a 6-round key recovery attack on AES-128 is mounted with time complexity of 278. A 10-round key recovery attack on recently introduced AES-based tweakable block cipher Pholkos is also furnished to demonstrate the applicability of the new technique on AES-like constructions. The results on AES are experimentally verified by applying and implementing them on a small scale variant of AES. We provide arguments that draw a relation between the proposed strategy with the retracing boomerang attack devised in Eurocrypt 2020. To the best of our knowledge, this is the first attempt to merge the yoyo and boomerang techniques to analyze SPN ciphers and warrants further attention as it has the potential of becoming an important cryptanalysis tool.

Download Full-text

Related-Key Boomerang Attack on Block Cipher SQUARE

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences ◽

10.1587/transfun.e94.a.3 ◽

2011 ◽

Vol E94-A (1) ◽

pp. 3-9 ◽

Cited By ~ 3

Author(s):

Bonwook KOO ◽

Yongjin YEOM ◽

Junghwan SONG

Keyword(s):

Block Cipher ◽

Boomerang Attack

Download Full-text

Impossible Boomerang Attack for Block Cipher Structures

Advances in Information and Computer Security - Lecture Notes in Computer Science ◽

10.1007/978-3-642-04846-3_3 ◽

2009 ◽

pp. 22-37 ◽

Cited By ~ 4

Author(s):

Jiali Choy ◽

Huihui Yap

Keyword(s):

Block Cipher ◽

Boomerang Attack

Download Full-text

A Practical Related-Key Boomerang Attack for the Full MMB Block Cipher

Cryptology and Network Security - Lecture Notes in Computer Science ◽

10.1007/978-3-319-02937-5_15 ◽

2013 ◽

pp. 271-290 ◽

Cited By ~ 1

Author(s):

Tomer Ashur ◽

Orr Dunkelman

Keyword(s):

Block Cipher ◽

Boomerang Attack

Download Full-text

NEW KEY EXPANSION FUNCTION OF RIJNDAEL 128-BIT RESISTANCE TO THE RELATED-KEY ATTACKS

Journal of Information and Communication Technology ◽

10.32890/jict2018.17.3.2802 ◽

2018 ◽

Author(s):

Hassan Mansur Hussien ◽

Zaiton Muda ◽

Sharifah Md Yasin

Keyword(s):

Mixed Integer Linear Programming ◽

Block Cipher ◽

Statistical Tests ◽

Mixed Integer ◽

Differential Attack ◽

Key Schedule ◽

Strict Avalanche Criterion ◽

Boomerang Attack ◽

Common Block ◽

Provably Secure

A master key of special length is manipulated based on the key schedule to create round sub-keys in most block ciphers. A strong key schedule is described as a cipher that will be more resistant to various forms of attacks, especially in related-key model attacks. Rijndael is the most common block cipher, and it was adopted by the National Institute of Standards and Technology, USA in 2001 as an Advance Encryption Standard. However, a few studies on cryptanalysis revealed that a security weakness of Rijndael refers to its vulnerability to related-key differential attack as well as the related-key boomerang attack, which is mainly caused by the lack of nonlinearity in the key schedule of Rijndael. In relation to this, constructing a key schedule that is both efficient and provably secure has been an ongoing open problem. Hence, this paper presents a method to improve the key schedule of Rijndael 128-bit for the purpose of making it more resistance to the related-key differential and boomerang attacks. In this study, two statistical tests, namely the Frequency test and the Strict Avalanche Criterion test were employed to respectively evaluate the properties of bit confusion and bit diffusion. The results showed that the proposed key expansion function has excellent statistical properties and agrees with the concept of Shannon’s diffusion and confusion bits. Meanwhile, the Mixed Integer Linear Programming based approach was adopted to evaluate the resistance of the proposed approach towards the related-key differential and boomerang attacks. The proposed approach was also found to be resistant against the two attacks discovered in the original Rijndael. Overall, these results proved that the proposed approach is able to perform better compared to the original Rijndael key expansion function and that of the previous research.

Download Full-text

Boomerang Connectivity Table Revisited. Application to SKINNY and AES

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2019.i1.118-141 ◽

2019 ◽

pp. 118-141

Author(s):

Ling Song ◽

Xianrui Qin ◽

Lei Hu

Keyword(s):

High Probability ◽

Block Cipher ◽

Careful Analysis ◽

Block Ciphers ◽

Middle Part ◽

Differential Cryptanalysis ◽

Accurate Estimation ◽

Generalized Framework ◽

Boomerang Attack ◽

New Framework

The boomerang attack is a variant of differential cryptanalysis which regards a block cipher E as the composition of two sub-ciphers, i.e., E = E1 o E0, and which constructs distinguishers for E with probability p2q2 by combining differential trails for E0 and E1 with probability p and q respectively. However, the validity of this attack relies on the dependency between the two differential trails. Murphy has shown cases where probabilities calculated by p2q2 turn out to be zero, while techniques such as boomerang switches proposed by Biryukov and Khovratovich give rise to probabilities greater than p2q2. To formalize such dependency to obtain a more accurate estimation of the probability of the distinguisher, Dunkelman et al. proposed the sandwich framework that regards E as Ẽ1 o Em o Ẽ0, where the dependency between the two differential trails is handled by a careful analysis of the probability of the middle part Em. Recently, Cid et al. proposed the Boomerang Connectivity Table (BCT) which unifies the previous switch techniques and incompatibility together and evaluates the probability of Em theoretically when Em is composed of a single S-box layer. In this paper, we revisit the BCT and propose a generalized framework which is able to identify the actual boundaries of Em which contains dependency of the two differential trails and systematically evaluate the probability of Em with any number of rounds. To demonstrate the power of this new framework, we apply it to two block ciphers SKINNY and AES. In the application to SKINNY, the probabilities of four boomerang distinguishers are re-evaluated. It turns out that Em involves5 or 6 rounds and the probabilities of the full distinguishers are much higher than previously evaluated. In the application to AES, the new framework is used to exclude incompatibility and find high probability distinguishers of AES-128 under the related-subkey setting. As a result, a 6-round distinguisher with probability 2−109.42 is constructed. Lastly, we discuss the relation between the dependency of two differential trails in boomerang distinguishers and the properties of components of the cipher.

Download Full-text

A novel cryptosystem based on abstract automata and Latin cubes

Studia Scientiarum Mathematicarum Hungarica ◽

10.1556/012.2015.52.2.1309 ◽

2015 ◽

Vol 52 (2) ◽

pp. 221-232

Author(s):

Pál Dömösi ◽

Géza Horváth

Keyword(s):

Block Cipher ◽

Finite Automata ◽

Theoretical Background ◽

Point Of View ◽

Theoretical Point ◽

Transition Matrices ◽

Encryption And Decryption ◽

Secret Keys ◽

Automata Network ◽

Fully Functioning

In this paper we introduce a novel block cipher based on the composition of abstract finite automata and Latin cubes. For information encryption and decryption the apparatus uses the same secret keys, which consist of key-automata based on composition of abstract finite automata such that the transition matrices of the component automata form Latin cubes. The aim of the paper is to show the essence of our algorithms not only for specialists working in compositions of abstract automata but also for all researchers interested in cryptosystems. Therefore, automata theoretical background of our results is not emphasized. The introduced cryptosystem is important also from a theoretical point of view, because it is the first fully functioning block cipher based on automata network.

Download Full-text