boomerang connectivity table revisited
TRANSCRIPT
![Page 1: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/1.jpg)
Ling Song1,2, Xianrui Qin3, Lei Hu2
Boomerang Connectivity Table Revisited
1. Nanyang Technological University, Singapore
2. Institute of Information Engineering, CAS, China
3. Shandong University, China
FSE 2019 @ Paris
![Page 2: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/2.jpg)
/24
Boomerang Attacks
Proposed by [Wag99] to combine two diff. trails:β’ πΈ0: Pr πΌ β π½ = π
β’ πΈ1: Pr πΎ β πΏ = π
Distinguishing probability:
π2π2πΈ1 πΈ1
πΈ1πΆ1
πΆ2
πΆ3
πΆ4
πΏ
πΏ
πΈ0 πΈ0
πΈ0
π1
π2
π3
π4πΌ
πΎ
πΎπ½
π½
πΌ
πΈ0
πΈ1
2
![Page 3: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/3.jpg)
/24
Boomerang attacks: When you
send it properly, it always
comes back to you.
Boomerang Attacks
Proposed by [Wag99] to combine two diff. trails:β’ πΈ0: Pr πΌ β π½ = π
β’ πΈ1: Pr πΎ β πΏ = π
Distinguishing probability:
π2π2πΈ1 πΈ1
πΈ1πΆ1
πΆ2
πΆ3
πΆ4
πΏ
πΏ
πΈ0 πΈ0
πΈ0
π1
π2
π3
π4πΌ
πΎ
πΎπ½
π½
πΌ
πΈ0
πΈ1
https://www.australiathegift.com.au/shop/boomerang-with-stand/
2
![Page 4: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/4.jpg)
/24
Boomerang attacks: When you
send it properly, it always
comes back to you.
Boomerang Attacks
Proposed by [Wag99] to combine two diff. trails:β’ πΈ0: Pr πΌ β π½ = π
β’ πΈ1: Pr πΎ β πΏ = π
Distinguishing probability:
π2π2πΈ1 πΈ1
πΈ1πΆ1
πΆ2
πΆ3
πΆ4
πΏ
πΏ
πΈ0 πΈ0
πΈ0
π1
π2
π3
π4πΌ
πΎ
πΎπ½
π½
πΌ
πΈ0
πΈ1
[Wag99]: Assumed two trails are independent.
NOT always correct
https://www.australiathegift.com.au/shop/boomerang-with-stand/
2
![Page 5: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/5.jpg)
/24
β’ [BDD03]: Middle-round S-box trick
β’ [BK09]: Boomerang switch: Ladder switch / Feistel switch / S-box switch
Dependency can help attackers
β’ [Mer09]: Incompatible trails
Dependency can spoil attacks.
Two Trails in Boomerang Attacks
3
![Page 6: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/6.jpg)
/24
Sandwich Attacks [DKS10]
Distinguishing probability:
π2 π2π
πΏ
πΏ
πΎ
πΎ
ΰ·¨πΈ0 ΰ·¨πΈ0
ΰ·¨πΈ0
πΌ
ΰ·¨πΈ0π½
πΌ
ΰ·¨πΈ1 ΰ·¨πΈ1
ΰ·¨πΈ1
π¦1
π¦2
π¦3
π¦4
ΰ·¨πΈ1
π₯1 π₯3
π₯4πΈπ
π½
πΆ1
πΆ2
πΆ3
πΆ4
π1
π2
π3
π4
π₯2
πΈπ
πΈπ
πΈπ
Decompose the cipher into three partsβ’ πΈπ handles the dependency.
β’ ΰ·¨πΈ0 β πΈ0 \πΈπ: Pr πΌ β π½ = π
β’ ΰ·¨πΈ1 β πΈ1 \πΈπ: Pr πΎ β πΏ = π
4
![Page 7: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/7.jpg)
/24
Sandwich Attacks [DKS10]
Distinguishing probability:
π2 π2π
πΏ
πΏ
πΎ
πΎ
ΰ·¨πΈ0 ΰ·¨πΈ0
ΰ·¨πΈ0
πΌ
ΰ·¨πΈ0π½
πΌ
ΰ·¨πΈ1 ΰ·¨πΈ1
ΰ·¨πΈ1
π¦1
π¦2
π¦3
π¦4
ΰ·¨πΈ1
π₯1 π₯3
π₯4πΈπ
π·?
πΆ1
πΆ2
πΆ3
πΆ4
π1
π2
π3
π4
π₯2
πΈπ
πΈπ
πΈπ
π = Pr[π₯3 βπ₯4 = π½|(π₯1 βπ₯2 = π½)β(π¦1 βπ¦3 = πΎ)β(π¦2 βπ¦4 = πΎ)]
Decompose the cipher into three partsβ’ πΈπ handles the dependency.
β’ ΰ·¨πΈ0 β πΈ0 \πΈπ: Pr πΌ β π½ = π
β’ ΰ·¨πΈ1 β πΈ1 \πΈπ: Pr πΎ β πΏ = π
4
![Page 8: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/8.jpg)
/24
BCT [CHP+18]
Boomerang Connectivity Table (BCT)β’ Calculate π theoretically when πΈπ is composed of a
single Sβbox layer.β’ Unify previous observations on the S-box (incompa-
tibilities and switches)
π
π
π
π
π₯1
π₯2
π₯3
π₯4
π¦1
π¦2
π¦3
π¦4
πΌ
π½
π½
πΌ
5
![Page 9: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/9.jpg)
/24
Our Work
β’ The actual boundaries of πΈπ which contains dependency
β’ How to calculate π when πΈπ contains multiple rounds?
β’ Generalized framework of BCTβ Determine the boundaries of πΈπ
β Calculate π of πΈπ in the sandwich attack
Motivation
Contribution
6
![Page 10: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/10.jpg)
/24
DDT: Difference Distribution Table
π·π·π πΌ, π½ = #{π₯ β {0,1}π|π π₯ β¨π π₯β¨πΌ = π½}
SKINNYβs 4-bit S-box
πΌ
π½
7
![Page 11: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/11.jpg)
/24
BCT: Boomerang Connectivity Table
π΅πΆπ πΌ, π½ = #{π₯ β {0,1}π|πβ1(π π₯ β π½)β¨πβ1(π π₯β¨πΌ β π½) = πΌ}
π π
π
π₯1
π₯2
π₯3
π¦1
π¦2
π¦3
π¦4
πΌ
π½π
π½
π₯4
πΌ
SKINNYβs 4-bit S-box
πΌ
π½
8
![Page 12: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/12.jpg)
/24
Relation between DDT and BCT
Let
9
![Page 13: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/13.jpg)
/24
Relation between DDT and BCT
Let
9
![Page 14: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/14.jpg)
/24
Relation between DDT and BCT
Let
Eq. 1 can be re-written as
9
![Page 15: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/15.jpg)
/24
New Explanation of BCT
π for πΈπ with one S-box layer at the boundary of E0 and E1
10
![Page 16: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/16.jpg)
/24
New Explanation of BCT
π for πΈπ with one S-box layer at the boundary of E0 and E1
Similarly,
10
![Page 17: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/17.jpg)
/24
New Explanation of BCT
π for πΈπ with one S-box layer at the boundary of E0 and E1
Similarly,
In this case, πΌ and π½ are regarded as fixed.10
![Page 18: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/18.jpg)
/24
Generalization: S-box in E0 or E1
Lower crossing difference
Upper crossing difference
S-box in E0 S-box in E1
11
![Page 19: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/19.jpg)
/24
Generalization: S-box in E0 or E1
11
What if πΌ or π½ (crossing differences) are not fixed?
S-box in E0 S-box in E1
Upper crossing difference
Lower crossing difference
![Page 20: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/20.jpg)
/24
Generalization: S-box in E0
12
![Page 21: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/21.jpg)
/24
Generalization: S-box in E0
(1) π½ is independent of the upper trail
12
![Page 22: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/22.jpg)
/24
Generalization: S-box in E0
(1) π½ is independent of the upper trail
which becomes identical to π2π2 in the classical boomerang attack.
(2) π½ is uniformly distributed
12
![Page 23: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/23.jpg)
/24
Generalization: S-box in E1
(1) πΌ is independent of the lower trail
which becomes identical to π2π2 in the classical boomerang attack.
(2) πΌ is uniformly distributed
13
![Page 24: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/24.jpg)
/24
Generalization: Interrelated S-boxes
S-boxes A and B are interrelated.
Lower crossing diff. (π½) of A comes from B.
Upper crossing diff. (πΌβ²) of B comes from A.
14
![Page 25: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/25.jpg)
/24
Generalization: Interrelated S-boxes
S-boxes A and B are interrelated.
Lower crossing diff. (π½) of A comes from B.
Upper crossing diff. (πΌβ²) of B comes from A.
14
![Page 26: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/26.jpg)
/24
Generalization: Interrelated S-boxes
S-boxes A and B are interrelated.
Lower crossing diff. (π½) of A comes from B.
Upper crossing diff. (πΌβ²) of B comes from A.
14
![Page 27: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/27.jpg)
/24
Generalized Framework of BCT
Boundaries of πΈπ: where crossing differences are distributed (almost) uniformly.
1. Initialization: πΈπ β πΈ1ππππ π‘
||πΈ0πππ π‘ .
2. Extend both trails: πΌβπΈ0π½ ββ’, β β(πΎβ
πΈ1πΏ).
3. Prepend πΈπ with one more rounda) If the lower crossing differences are distributed uni
formly, peel off the first round and go to Step 4.b) Go to Step 3
4. Append πΈπ with one more rounda) If the upper crossing differences are distributed uni
formly, peel off the last round and go to Step 5.b) Go to Step 4.
5. Calculate r using formulas in the previous slides
πΈ1 πΈ0Pr = 1Pr = 1
15
![Page 28: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/28.jpg)
/24
Re-evaluate prob of four BM dist. of SKINNY
β’ Prev: prob evaluated by ΖΈπ2 ΰ·π2
β’ New: prob evaluated by the generalized BCT
Construct related-subkey BM dist. Of AES-128
β’ Prev: related-subkey BM dist. Of AES-192/256
β’ New: 6-round related-subkey BM dist. Of AES-128 with 2β109.42
Applications
16
![Page 29: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/29.jpg)
/24
SKINNY [BJK+16] is an SPN cipher, with a linear key schedule.
β’ SKINNY-n-t where n is block size and t tweakey size
Example πΈπ of SKINNY-64-128 in the related-tweakey setting
β’ Upper trail: 2 rounds, 2β8
β’ Lower trail: 4 rounds, 2β14
β’ π2π2 = 2β44
SKINNY
17
![Page 30: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/30.jpg)
/24
π¬π with 6 Middle Rounds
Rd Diff before and after SB βK βK Pr.
R1 0,0,0,0, 0,0,0,0, 0,0,0,b, 0,0,0,00,0,0,0, 0,0,0,0, 0,0,0,1, 0,0,0,0
0,0,0,0, 0,0,0,0 b,0,0,0, 0,0,0,0 2β2
R2 0,1,0,0, 0,0,0,0, 0,1,0,0, 0,1,0,00,8,0,0, 0,0,0,0, 0,8,0,0, 0,8,0,0
0,0,0,0, 0,c,0,0 0,0,0,0, 5,0,0,0 2β2β3
R3 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,20,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,3
0,0,0,0, 0,0,0,0 0,0,3,0, 0,0,0,0 2β2
R4 0,0,0,0, 0,0,3,0, 0,0,0,0, 0,0,3,00,0,0,0, 0,0,d,0, 0,0,0,0, 0,0,c,0
0,0,0,3, 0,0,0,0 0,0,0,0, 0,0,9,0 2β3β2
R5 0,c,0,0, 0,0,0,0, 0,0,0,4, 0,0,0,00,2,0,0, 0,0,0,0, 0,0,0,2, 0,0,0,0
0,0,0,0, 0,0,0,0 0,0,0,0, 2,0,0,0 2β2β2
R6 0,0,0,0, 0,2,0,0, 0,0,0,0, 0,0,0,00,0,0,0, 0,1,0,0, 0,0,0,0, 0,0,0,0
0,0,0,0, 0,0,0,d 0,0,0,0, 0,1,0,0 2β2
18
![Page 31: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/31.jpg)
/24
Evaluation of π
Rounds ππππ ΰ·ππΰ·ππ π (new)
1+1 2β16 2β8.41 2β2
2+1 2β20 β¦ 2β2.79
2+2 2β32 β¦ 2β5.69
2+3 2β40 β¦ 2β10.56
2+4 2β44 2β29.91 2β12.96
Experiments confirm the results of π.
19
![Page 32: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/32.jpg)
/24
Summary of the results on SKINNY
Ver. nπ¬π π¬ = ΰ·©π¬π β π¬π β ΰ·©π¬π
|π¬π| π |πΈ| π2 π2π ΖΈπ2 ΰ·π2[LGS17]
n-2n64 6(13) 2β12.96 17 2β29.78 2β48.72
128 5(12) 2β11.45 18 2β77.83 2β103.84
n-3n64 5(17) 2β10.50 22 2β42.98 2β54.94
128 5(17) 2β9.88 22 2β48.30 2β76.84
Prob. of BM dist. and comparison
β’ Take seconds to calculate π
20
![Page 33: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/33.jpg)
/24
Summary of the results on SKINNY
Ver. nπ¬π π¬ = ΰ·©π¬π β π¬π β ΰ·©π¬π
|π¬π| π |πΈ| π2 π2π ΖΈπ2 ΰ·π2[LGS17]
n-2n64 6(13) 2β12.96 17 2β29.78 2β48.72
128 5(12) 2β11.45 18 2β77.83 2β103.84
n-3n64 5(17) 2β10.50 22 2β42.98 2β54.94
128 5(17) 2β9.88 22 2β48.30 2β76.84
Prob. of BM dist. and comparison
β’ Take seconds to calculate πβ’ Experiments confirm the results of π and the
17-round dist. of SKINNY-64-128 20
![Page 34: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/34.jpg)
/24
6-round related-subkey BM dist. Of AES-128
3-round related-key differential trails:β’ 2 trails, 5 active S-boxes, 2β31
β’ 18 trails, 6 active S-boxes, 2β36, 2β37, 2β38
2β31
2β37
πΈπ, π = 2β33.42
π2 π2π= 2β109.42
21
![Page 35: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/35.jpg)
/24
Discussion
Length of πΈπ:
β’ Mainly determined by the diffusion effect of the linear layer
β’ Density of active cells of the trails
r:Strongly affected by the DDT and BCT of the S-box
Limitation of the generalized BCT:
For a long πΈπ with large and strong S-boxes, calculating r might be a time-consuming task, e.g., T>235.
22
![Page 36: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/36.jpg)
/24
Generalized BCT: for calculating π in the sandwich attack
1: identify the boundaries of dependency
2: calculate π
Problems to investigate:β Extension to non S-box based ciphers
β Improving previous boomerang attacks
Concluding Remarks
23
![Page 37: Boomerang Connectivity Table Revisited](https://reader033.vdocuments.us/reader033/viewer/2022042902/6269bfdec7c6595a9b20dda1/html5/thumbnails/37.jpg)
Slides credit to Yu Sasaki
Thank you for your attention!!