Hi, my name is Tyge Tiessen and I would like to present to you the research that Andreas Brasen Kidmose and I did that resulted in the publication named "A Formal Analysis of Boomerang Probabilities". For this presentation I will stick to a high-level overview. For details and references please check out the paper. We will start by looking at the independence assumptions made in boomerang attacks and how making these assumptions can lead to some surprising results. We will then give a high-level overview of the model we created to formulate boomerang probabilities without relying on these independence assumptions, as well as some of the results we were able to prove in this model. Finally, we will take a brief look at how the probability estimates of some classical boomerang attacks change when re-evaluated in this model.

Let us start with a description of the object of our interest, the boomerang attack. The boomerang attack is a cryptanalytic technique invented in 1999 by David Wagner, in particular to break the block cipher COCONUT98, but more generally to disprove the idea that the absence of high-probability differentials implies security against differential cryptanalysis. The basic idea of the boomerang attack is to connect two differentials that each cover one part of the cipher, one for the top part, one for the bottom part, to create a differential structure that covers the entire cipher. We assume that we can split the block cipher into two parts, a top part E0 and a bottom part E1, and that we have a sufficiently good differential for each part. The first differential over the top part maps a difference alpha to a difference beta with probability p, while the second differential maps a difference gamma to a difference delta over the bottom part with probability q.

To create the simplest type of boomerang distinguisher, we start with a pair of plaintexts x0 and x1 that have a difference of alpha. Because of the first differential, we now expect this pair to be mapped to a difference beta after E0 with probability p. The corresponding intermediate states y0 and y1 are then mapped to the ciphertexts z0 and z1 by E1. We now construct two new ciphertexts z2 and z3 by adding the difference delta from the second differential to each of the ciphertexts and asking for the decryption. When the two new ciphertexts are now decrypted over E1, we expect the two delta differences to be mapped to gamma differences, each with a probability of q according to our second differential. This forces the difference between the corresponding intermediate texts y2 and y3 to be beta. Now we expect this beta difference to be mapped to a difference alpha in the corresponding plaintexts with probability p. In summary, when we encrypt a pair with difference alpha, then construct a new pair of ciphertexts by adding a difference delta to each ciphertext and then ask for the decryption of those ciphertexts, we expect the resulting plaintexts to have a difference alpha, just like the initial pair, with a probability of p squared times q squared. A structure like this is called a boomerang distinguisher, and we call the probability of detecting the difference alpha again in the second plaintext pair the probability of the boomerang distinguisher.

Now, when we just estimated the probability of this boomerang distinguisher, we made an implicit assumption, namely that we can treat the four involved differentials as independent and thereby determine the overall success probability as the product of the four differential probabilities. While it is a standard assumption in differential cryptanalysis to assume the independence of differentials in different parts of the cipher, the assumption that we can treat differentials in the same parts of the cipher as independent is specific to boomerang attacks. Now the question is of course: is this a valid assumption? As it turns out, this assumption does not hold in general. The most famous example for this is probably the publication "The Return of the Cryptographic Boomerang" by Sean Murphy. To add to the list of conflicting statements that result from making these independence assumptions, we prove the following theorem. If we assume that we can treat the differentials in a boomerang distinguisher as independent, then there exists for every boomerang distinguisher, like the one just presented, a standard differential over the entire block cipher with significantly higher probability than the boomerang. This stands, of course, in contrast with the entire idea of a boomerang distinguisher. I want to stress here that we don't believe this to be true, but it is an indication of how troublesome these independence assumptions are.

This leads us to the main question in our research: can we formalize a model in which we can state boomerang probabilities without relying on these independence assumptions? As a starting point, we looked at the standard model used to calculate differential probabilities. To be able to calculate probabilities of differential characteristics or trails efficiently, we want to treat rounds as independent, thereby allowing us to determine the trail probability as the product of the round transition probabilities. To model this, we assume that for each pair of texts, a uniformly random vector is added onto the state before every round. A result of this is that we no longer need to deal with pairs of texts, but only with their differences. Now, in boomerang attacks we don't deal with pairs of texts, but with quartets, or four-tuples, of texts. But apart from that, we are able to apply the same method of modeling the probabilities. In our model, we thus assume that for each four-tuple of texts, a uniformly random vector is added onto the state before every round. A result of this is that we are no longer interested in the exact values in the four-tuple, but only in their relative differences. Take for example this four-tuple of texts, x0 to x3. The intermediate differences are uniquely determined by stating the differences that the last three texts have with the first text. We can thus describe the four-tuple of texts x0 to x3 by the three differences delta 1, delta 2 and delta 3. Here we can see what our previously discussed boomerang looks like from this perspective and how we can represent the different states in this formalism. If you would like to see how to precisely formulate the boomerang attack in this model, please check out the paper.

Here I would instead like to present some of the statements that we are able to prove in this model. The first one stands somewhat in contrast to the strange theorem from earlier, namely that the probability of a boomerang with input difference alpha and output difference beta is at least as high as the corresponding differential. Another very interesting result is this: for two-round boomerangs on SPNs with 4-uniform S-boxes, the probability deviates maximally from the classical estimate. The probability is always p times q or zero, but never p squared times q squared. A consequence is that one needs to be careful evaluating the probability of boomerang attacks over such SPNs, as they can deviate strongly from the classical estimate. We will look at some examples shortly. The last result I want to present here is somewhat redeeming for the classical boomerang estimate. The probability that two pairs of texts follow the same trail is equal to the classical estimate when averaged over the separating distance. This has two consequences. The first is that the probability of a boomerang distinguisher, which is made up of a large number of individual boomerangs, is likely to be close to the classical estimate. The second consequence is that the classical estimate should hold much better for those parts of a boomerang that are further away from the middle, where the separating distances are quite restricted.

To put this model to a test, we re-evaluated the probabilities of some classical attacks on the block cipher Serpent. The first attack we looked at was the amplified boomerang attack by Kelsey, Kohno and Schneier. That attack uses a single boomerang where the interior two rounds have a probability of zero, rendering the entire boomerang distinguisher impossible. The second attack we looked at was the rectangle attack on Serpent by Biham, Dunkelman and Keller. That attack uses a more refined approach where the distinguisher is made up of 2 to the 53.3 individual boomerangs. Evaluating the inner two rounds of those boomerangs revealed that only 972 of those have a non-zero probability. Interestingly though, because these boomerangs have a vastly higher probability than the classical estimate suggests, our estimate of the total probability of the boomerang ends up being even higher than the original classical estimate.

To summarize, we showed that a strange result of the classical independence assumption is that it would make boomerangs superfluous. We formalized a model for stating boomerang probabilities that works analogously to how standard differential probabilities are determined. We used this model to prove how two-round boomerangs on SPNs with 4-uniform S-boxes deviate strongly from the classical estimate. And we showed that the classical estimate is also adhered to on average by a pair of texts when averaged over the separating distance. Finally, we re-evaluated the probabilities of some classical boomerang attacks using our model. Thank you for listening.
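As an added example (not the speakers' or the paper's code), the quartet difference representation from the talk together with the classical p squared times q squared estimate and the exact boomerang probabilities, computed exhaustively over all round keys on a constructed toy two-round 4-bit SPN whose round keys play the role of the model's uniformly random vectors. The toy cipher, the use of the PRESENT S-box as a stand-in 4-uniform S-box, the chosen differences and all function names are assumptions of this example.

```python
from itertools import product

# Toy two-round, width-one 4-bit SPN E(x) = S(S(x ^ k0) ^ k1), constructed for this example.
# k0, k1 are the uniformly random vectors added before every round; S is the PRESENT S-box (4-uniform).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SINV = [SBOX.index(v) for v in range(16)]
N = 16

def ddt():
    """Difference distribution table: ddt[a][b] = #{x : S(x) ^ S(x ^ a) = b}."""
    t = [[0] * N for _ in range(N)]
    for x, a in product(range(N), repeat=2):
        t[a][SBOX[x] ^ SBOX[x ^ a]] += 1
    return t

def encrypt(x, k0, k1):
    return SBOX[SBOX[x ^ k0] ^ k1]

def decrypt(z, k0, k1):
    return SINV[SINV[z] ^ k1] ^ k0

def quartet_diffs(x0, x1, x2, x3):
    """Difference representation of a quartet: (delta1, delta2, delta3) relative to x0."""
    return (x0 ^ x1, x0 ^ x2, x0 ^ x3)

def classical_estimate(alpha, beta, gamma, delta):
    """p^2 q^2 with p = Pr[alpha -> beta] (round 1) and q = Pr[gamma -> delta] (round 2)."""
    t = ddt()
    return (t[alpha][beta] / N) ** 2 * (t[gamma][delta] / N) ** 2

def exact_probabilities(alpha, beta, gamma, delta):
    """Exhaustive over all round keys and x0: (Pr[quartet follows the trail with middle state
    (beta, gamma, beta^gamma)], Pr[boomerang returns alpha at all], Pr[differential alpha -> delta])."""
    trail = returns = differential = 0
    for k0, k1, x0 in product(range(N), repeat=3):
        x1 = x0 ^ alpha
        z0, z1 = encrypt(x0, k0, k1), encrypt(x1, k0, k1)
        x2, x3 = decrypt(z0 ^ delta, k0, k1), decrypt(z1 ^ delta, k0, k1)
        came_back = x2 ^ x3 == alpha
        returns += came_back
        differential += z0 ^ z1 == delta  # such a pair always makes the boomerang come back
        mid = quartet_diffs(*(SBOX[x ^ k0] for x in (x0, x1, x2, x3)))  # k1 cancels in differences
        trail += came_back and mid == (beta, gamma, beta ^ gamma)
    return trail / N ** 3, returns / N ** 3, differential / N ** 3

if __name__ == "__main__":
    t, alpha, delta = ddt(), 0x1, 0x1  # constructed choice of outer differences
    beta = max(range(N), key=lambda b: t[alpha][b])    # likeliest alpha -> beta
    gamma = max(range(N), key=lambda g: t[g][delta])   # likeliest gamma -> delta
    print("classical p^2 q^2:", classical_estimate(alpha, beta, gamma, delta))
    print("exact (trail, boomerang, differential):", exact_probabilities(alpha, beta, gamma, delta))
```

The printed trail probability can be compared directly against p squared times q squared for the chosen differences; the third value never exceeds the second, because a pair satisfying the differential alpha to delta over the whole cipher returns with difference alpha trivially.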