Hello everyone, I'm Paul and today I'm going to be talking about boomerang attacks. More precisely, I'll present a joint work with Hamid Boukerrou, Virginie Lallemand, Bimal Mandal and Marine Minier, which introduced the Feistel counterpart of the Boomerang Connectivity Table. So let's get to it.

I'll start by recalling some basic notions of boomerang attacks. We'll have a look at the Boomerang Connectivity Table, which was introduced for SPNs to study a boomerang switch of one round. Then I'll present the FBCT, so the Feistel counterpart, and I'll give some of its properties and compare them with what we know of the BCT. Then we'll address the cases where the boomerang switch covers multiple rounds.

Boomerang attacks date back to 1999. They were introduced by David Wagner and they are a variant of differential cryptanalysis, but instead of considering pairs of messages, here you are looking at quartets of messages, and what is studied is whether a difference will come back or not.

So let me explain the basic form of the distinguisher. As an attacker you have access to encryption and decryption oracles, and what you're going to do is first choose M0 and use E, your block cipher, to obtain the corresponding ciphertext C0. Then you're going to construct M1, which is the initial plaintext M0 XORed with a difference alpha, and you're going to get C1. Two additional ciphertexts C2 and C3 are then computed by adding a difference delta to C0 and C1, and the corresponding plaintexts M2 and M3 are retrieved. Finally, what we want to do is check if M2 and M3 differ by the same value alpha. If the probability that the difference equals alpha is higher than for a random permutation, then we have a distinguisher.

Boomerang attacks have an advantage over standard differential attacks, which is that they remain efficient as long as there exist short high-probability differential characteristics, so on a small number of rounds; you don't need a high-probability
differential on the whole cipher. Usually you would use two small differentials covering half of the attacked rounds each. For instance, in the original approach the attacked cipher E is written as the composition of two sub-ciphers E0 and E1, and you need good differentials over each part. So let's say that for E0 the input difference alpha leads to the output difference beta with high probability p, and gamma leads to delta with probability q over E1. Then it was thought that with probability p squared q squared the boomerang came back.

Now this formula was later questioned because some odd cases were observed. In some cases the boomerang would come back more often: for instance, in the related-key cryptanalysis of the AES, Biryukov and Khovratovich found distinguishers with probability higher than expected. They also identified some particular cases that they called the ladder switch, the S-box switch and the Feistel switch. And sometimes the boomerang didn't come back at all. That's what Murphy showed: he exhibited an example of a distinguisher that seemed valid but was in fact of probability zero. So people realized that the junction of the two trails needed to be studied more carefully, and all these observations were later formalized in a framework called the sandwich attack.

In this setting the cipher is divided into three parts instead of two. E0 and E1 are still here, but in between there is a middle part Em called the boomerang switch. If Em satisfies the requested differential propagation among the four texts with probability r, then the probability of the boomerang distinguisher is p squared q squared r. Usually r would be manually computed by looking at the equations linking E0 and E1, but then at Eurocrypt 2018 a new tool was introduced to easily evaluate the probability of the middle part for SPNs in the case where it covers one round. This tool was called the Boomerang Connectivity Table, or BCT for short. So what's interesting about this technique is that
it reduces the problem of computing the probability r of the boomerang switch over one round function to the one of computing it over one S-box only. So here's our middle switch, and we want the returning difference to be equal to beta. If we just expand Em and write it as an SPN, we get the following. Now, looking at the S-box level, from beta and gamma it's easy to deduce intermediate input and output values that we're going to call delta_i and nabla_o for each S-box, which gives us the following equation. So now the study is simplified: instead of looking at the property of a round as a whole, the problem is reduced to one we can easily study because of its small size, that is, examining each S-box of the S layer independently. And since the S-boxes are applied in parallel, the probability over one round is simply going to be the product of the probabilities over each S-box.

So here's the BCT of the small S-box of SKINNY, for SKINNY-64. As you can see, the BCT of an S-box is going to give, at row delta_i and column nabla_o, the number of values for which a boomerang of input difference delta_i and output difference nabla_o comes back. From this, the probability of a boomerang switch over each S-box can be deduced, and then the probability r that a message verifies the entire Em step can be computed.

This tool gave a new criterion for the choice of S-boxes, because naturally an S-box with small BCT coefficients is going to prevent an attacker from building efficient boomerang-style attacks. It also gave a better understanding of the special cases observed by Murphy or Biryukov. It detects cases where the boomerang won't come back, and these are the zeros in your table. It also detects the ladder switch, which is one of the special cases observed by Biryukov and Khovratovich in their related-key analysis of the AES; without going into the details of it, we can read this on the first row or the first column of the BCT.

All right, so from what we've seen, the BCT is a very convenient tool to
automatically study the behavior of the junction between E0 and E1. However, there exists no such tool for boomerang attacks on Feistel networks, so we address this in the next part by introducing the FBCT, the Feistel counterpart of the BCT. And as we're about to see, the boomerang behavior of an S-box in the Feistel case can be quite different from the SPN case. But first let's just define our table.

We start by illustrating our theory on the generic Feistel, but it also works for variants of this construction like the type 1 and type 2. So that's our switch, and for the sake of clarity we're going to number our states just like that. Here we consider a balanced Feistel with two branches and a Feistel function F, which is defined by a round-key addition, an S layer and a linear layer L. At this stage we will not focus on the details of F; the only important thing is that F contains one S layer made by the concatenation of t n-bit S-boxes. We are interested in the probability of the following one-round boomerang switch: we have an input difference equal to beta between states 1 and 2, an output difference equal to gamma between states 1 and 3 and between states 2 and 4, and we want the input difference between states 3 and 4 to be equal to beta. Since we're going to study the left and right parts, we can just separate the differences into two parts, just like that. Let's just split them, same for the output.
All right, so let's start by studying the cost of obtaining the left difference between states 3 and 4, so we want beta_L. The good thing is that the left branch is the one that is not modified through one round of Feistel, so the left part actually comes for free.

Moving on to the right part now. We want to obtain a difference of beta_R between the right parts of states 3 and 4, so let's just call these branches R' and R''. I'll go through this pretty quickly, the details are in the paper anyway, but basically it's just a matter of writing down the differences we have at each branch. So this is what we want, and by naming L' and L'' the left outputs after one round in states 3 and 4, we get the following equations. Here I've replaced R', and I can do the same thing for R''. Then we express L' and L'' as functions of L and R, the two branches of state 1, and the differences, and we get this. We can simplify a bit, and in the end we end up with the following condition: this entire thing right there needs to be equal to zero.

So now we have this condition on the entire round function. But what we can do is use the fact that the non-linear function of F is an S layer, that is simply a parallel application of small S-boxes, meaning that we can rewrite this condition as a set of independent conditions on smaller parts of the states and obtain equations of this form. Here delta_i is the difference at the input of the S-box between states 1 and 2; it can be deduced from beta_L. And nabla_o is the difference at the input of the S-box between states 1 and 3 and states 2 and 4; it can be deduced from gamma_R. Interestingly, what we're looking at here is actually the second derivative of S canceling out. So with that we can now define our FBCT. The FBCT is going to be a table in which the entry at the delta_i and nabla_o position is given by the number of times the second derivative
of S cancels out at this point. Once the table is built, the probability that a boomerang comes back over one round of the Feistel scheme is simply going to be the product of the corresponding coefficients divided by 2 to the power of n. So that's just like in the SPN case. Here you're looking at the FBCT of one of the S-boxes used in LBlock.

All right, so now some simple properties that are easily deduced from the definition of the FBCT. It's symmetrical: the input and output differences can be permuted. The diagonal is always going to be equal to 2 to the power of n. The values of the FBCT are always going to be multiples of 4, and that's simply because if x is a solution, so are x XOR delta_i, x XOR nabla_o and x XOR delta_i XOR nabla_o. And finally, for each row the values are the same when the column is shifted by the value of the row.

Let's talk about the Feistel switch. As I mentioned earlier, this is one of the special cases identified by Biryukov and Khovratovich in which the boomerang comes back for free for a Feistel construction, and this is one excerpt from their paper. The setting is shown on this figure: what we have here is that the left input difference and the right output difference are the same, so those are in green. Using our previous analysis, we know that the internal state X, Y is going to allow the boomerang to come back if this equation is verified, which in this case is always going to be true because gamma_R and beta_L are equal. So what happens here is that if we consider the Feistel round function to be made of some linear operations and an S layer, then for every S-box we are actually looking at coefficients that are on the diagonal of the FBCT. So we're seeing here that our table automatically gives the last special case of switch.

We also have properties regarding APN functions. I'll just recall that a function S is called almost perfect nonlinear, or APN, if the derivative of S at delta_i has either zero or two solutions for any
nonzero delta_i. Now, when looking at the FBCT of such functions, we can say the following: F is APN if and only if the coefficients of its FBCT equal zero except in the first row, first column or diagonal. Here's an example of a 3-bit S-box; you have the DDT, the FBCT and the BCT. I think it's actually the one from Pyjamask.

Now, to conclude this part, I will give a quick comparison of the BCT and the FBCT regarding the boomerang uniformity of an S-box for various classes of equivalence. The boomerang uniformity is a relevant parameter for an S-box. In an SPN, it's the highest value that is neither on the first row nor the first column, and its properties were already investigated by Christina Boura and Anne Canteaut about two years ago. For the Feistel scheme, the diagonal is also always equal to 2 to the power of n, so we have to exclude these values as well. Here we compared the boomerang uniformity for the affine, extended affine and CCZ equivalences, so those are classes that tend to preserve some cryptographic properties for equivalent S-boxes. What we can see is that the set composed of all values in the FBCT is preserved under affine and extended affine transformations, but not for CCZ equivalence or for inversion.

So the key point here is that a good S-box for an SPN is going to be a good S-box for a Feistel scheme regarding many usual criteria such as differential, linear or algebraic degree. However, the behavior can be different regarding boomerang switches if we use it in an SPN or in a Feistel.

All right, so in the last part of this talk, we're going to focus on boomerang switches over more rounds. This has already been done for SPN constructions; there are two papers that investigated these cases. For instance, Wang and Peyrin introduced the BDT, standing for Boomerang Difference Table, which is a variant of the BCT with an additional variable fixed, which is the S-box output difference. Here's the BDT; there's also the BDT' for the inverse
operation. Wang and Peyrin proposed to use the product of the BDT and BDT' coefficients to cover the case of a two-round switch: first you're going to apply the BDT on the S-box layer of the upper round, and then the BDT' on the lower S-box layer.

In our analysis, we found a similar table for the Feistel case. We introduced the Feistel Boomerang Difference Table, the FBDT, which is a three-dimensional array in which the entry for delta_i, small delta, nabla_o is computed by the formula appearing on the screen. For a two-round switch, again here we consider a very generic case where the round function is composed of one S-box layer made of t parallel n-bit S-boxes and of some linear or affine operations. This implies that if the input difference of one round is known, together with the output difference of the S-box layer, then the difference at the input of the next round's S-box layer can be computed.

All right, so for instance here, let's look at the upper round, so the first round, and we're going to focus on the difference between states 1 and 2, so the one in blue. delta_i is going to represent the difference at the input of the first-round S-box layer, and this value can be deduced from the left input difference of the first round, delta_i^L. Then we have small delta, which denotes the corresponding output difference of the same S-box layer, but it's not specified. Then finally we have delta_i', which corresponds to the difference at the input of the second S-box layer, again with respect to states 1 and 2, and its value can be deduced from delta and from delta_i^R. In a similar way, the difference at the input of the second-round S-box layer between states 2 and 4, so now we're looking at the red differences, is going to be set to a value that we're going to denote by nabla_o, which can be deduced from the right output difference nabla_o^R. Then the corresponding output
difference is going to be denoted by alpha, but again we're not going to fix it. And finally, nabla_o' represents the input difference of the first-round S-box layer for those states, and it can be computed from nabla_o^L and alpha. Now, having defined those new variables, the probability that a boomerang comes back over two rounds can be computed by applying the FBDT on the S-boxes of the first round and the FBDT on the S-boxes of the second round, then summing all the probabilities over all possible S-box outputs, so here delta and alpha.

Sometimes we want to go even further, so let's talk about three-round switches. As depicted in the figure, we introduce new variables to represent all the intermediate differences, and the idea will be to iterate over all the possible values for these, compute the probability of the obtained settings and finally sum together the probabilities, just like we saw for the two-round switch. For that we're going to need a new table, that's going to be the FBET, the Feistel Boomerang Extended Table, which is a four-dimensional table for which each entry is going to be computed according to the formula appearing on the screen. With this table, the probability of a switch can then be estimated as the sum over all the possible intermediate differences of the product of the FBET coefficients for each S-box. In this approximation we consider that the same characteristic is used between states 1 and 2 and between states 3 and 4.

So the new table that we've introduced here, the FBET, treats the case of an arbitrary number of rounds and recovers the previous formulas. The problem is that when you're looking at a switch covering many rounds, applying this formula can require too much time if many S-boxes are involved, so it might be better to evaluate the probability of Em experimentally.

All right, so to wrap it up, we have developed a new theory that explains the behavior of boomerang switches for Feistel ciphers. We've introduced the
notion of FBCT and we gave its main properties and relations with other well-known cryptographic tables, and we saw that it could easily evaluate the probability of a one-round switch. We also provided an expression of the probability of a boomerang switch over two rounds, and gave a more general expression of the one over multiple rounds. But this leads to many parameters, so switching to experiments to evaluate the probability might be better. Thank you for your attention, and if you have any questions, I will see you at the live session.
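The Python below is an added example, not code from the talk or from the paper it presents. It builds the three tables the talk compares (DDT, BCT, FBCT) for a small S-box, checks the FBCT properties stated in the talk (symmetry, 2^n diagonal, multiples of 4, row invariance under a column shift by the row index, and zero off-diagonal entries exactly for APN functions), and then verifies the one-round Feistel switch formula, product of FBCT entries divided by 2^n, against an exhaustive quartet simulation. Assumptions: the 4-bit S-box is the SKINNY-64 S-box as listed in the SKINNY specification; the APN example is the cube map over GF(2^3); the toy Feistel round (no swap, F applied to the left branch, key addition, S layer on t nibbles, nibble-mixing linear layer) and the differences fed to it are my own construction and stand in for the paper's figure, whose branch labelling I have not reproduced.

```python
# Added example: DDT / BCT / FBCT of a small S-box, the FBCT properties from the
# talk, and an exhaustive check of the one-round Feistel switch probability on a
# toy Feistel round (my own construction, not the paper's figure).

# SKINNY-64 4-bit S-box, as listed in the SKINNY specification.
SKINNY_SBOX = [0xC, 0x6, 0x9, 0x0, 0x1, 0xA, 0x2, 0xB,
               0x3, 0x8, 0x5, 0xD, 0x4, 0xE, 0x7, 0xF]


def ddt(s):
    """DDT[a][b] = #{x : S(x) ^ S(x^a) = b}."""
    n = len(s)
    t = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            t[a][s[x] ^ s[x ^ a]] += 1
    return t


def bct(s):
    """BCT[a][b] = #{x : S^-1(S(x)^b) ^ S^-1(S(x^a)^b) = a}: SPN one-round switch."""
    n = len(s)
    inv = [0] * n
    for x, y in enumerate(s):
        inv[y] = x
    return [[sum(1 for x in range(n) if inv[s[x] ^ b] ^ inv[s[x ^ a] ^ b] == a)
             for b in range(n)] for a in range(n)]


def fbct(s):
    """FBCT[a][b] = #{x : S(x) ^ S(x^a) ^ S(x^b) ^ S(x^a^b) = 0}: the number of
    points where the second derivative D_a D_b S vanishes (Feistel one-round switch)."""
    n = len(s)
    return [[sum(1 for x in range(n) if s[x] ^ s[x ^ a] ^ s[x ^ b] ^ s[x ^ a ^ b] == 0)
             for b in range(n)] for a in range(n)]


def fbct_properties_hold(s):
    """The four properties from the talk: symmetry, diagonal equal to 2^n,
    every entry a multiple of 4, and FBCT[a][b] == FBCT[a][a ^ b]."""
    n, t = len(s), fbct(s)
    return all(t[a][a] == n and t[a][b] == t[b][a] and t[a][b] % 4 == 0
               and t[a][b] == t[a][a ^ b] for a in range(n) for b in range(n))


def boomerang_uniformity(table, exclude_diagonal=False):
    """Largest entry outside the first row and column; for the FBCT the
    diagonal (always 2^n) is excluded as well, as the talk explains."""
    n = len(table)
    return max(table[a][b] for a in range(1, n) for b in range(1, n)
               if not (exclude_diagonal and a == b))


def is_apn(s):
    """APN: every nonzero input difference gives 0 or 2 solutions per output difference."""
    return all(v in (0, 2) for row in ddt(s)[1:] for v in row)


def gf8_cube():
    """x -> x^3 over GF(2^3) modulo x^3 + x + 1: an APN permutation (n odd)."""
    def mul(a, b):
        r = 0
        for _ in range(3):
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a & 0b1000:
                a ^= 0b1011
        return r
    return [mul(mul(x, x), x) for x in range(8)]


# --- Toy one-round Feistel switch (my construction) -------------------------
# State (L, R); the round is (L, R) -> (L, R ^ F(L)), with no swap, so L is the
# F-input branch whose difference "comes for free". F = key addition, S layer on
# t nibbles, then an invertible (upper-triangular) linear layer mixing the nibbles.
def F(x, key, sbox, t):
    y = [sbox[((x ^ key) >> (4 * i)) & 0xF] for i in range(t)]
    y = [y[i] ^ y[i + 1] if i + 1 < t else y[i] for i in range(t)]
    return sum(v << (4 * i) for i, v in enumerate(y))


def boomerang_returns(L, R, beta, gamma, key, sbox, t):
    """Run the talk's quartet (M0..M3 / C0..C3) through one toy round and back."""
    def rnd(l, r):                      # an involution, so it is its own inverse
        return l, r ^ F(l, key, sbox, t)
    x1, x2 = (L, R), (L ^ beta[0], R ^ beta[1])
    y1, y2 = rnd(*x1), rnd(*x2)
    x3 = rnd(y1[0] ^ gamma[0], y1[1] ^ gamma[1])
    x4 = rnd(y2[0] ^ gamma[0], y2[1] ^ gamma[1])
    return (x3[0] ^ x4[0], x3[1] ^ x4[1]) == beta


def empirical_count(beta, gamma, key, sbox, t, R=0x00):
    """Number of F-input values L (out of 16^t) for which the boomerang returns."""
    return sum(boomerang_returns(L, R, beta, gamma, key, sbox, t) for L in range(16 ** t))


def predicted_count(beta, gamma, sbox, t):
    """Talk's formula: product over the t S-boxes of FBCT[delta_i][nabla_o], the
    differences being the nibbles of the F-input halves of beta and gamma
    (probability = product / 16^t, so the count over all L is the product itself)."""
    table, count = fbct(sbox), 1
    for i in range(t):
        count *= table[(beta[0] >> (4 * i)) & 0xF][(gamma[0] >> (4 * i)) & 0xF]
    return count


if __name__ == "__main__":
    beta, gamma = (0x1A, 0x05), (0x52, 0x9F)   # constructed differences (L half, R half)
    print("FBCT properties hold:", fbct_properties_hold(SKINNY_SBOX))
    print("predicted:", predicted_count(beta, gamma, SKINNY_SBOX, 2),
          "empirical:", empirical_count(beta, gamma, 0x7B, SKINNY_SBOX, 2))
    print("Feistel switch (beta_L == gamma_L):",
          empirical_count((0x3A, 0x00), (0x3A, 0x7C), 0x7B, SKINNY_SBOX, 2))
```

The `Feistel switch` line is the talk's Biryukov-Khovratovich case: with equal differences on the F-input branch every S-box lands on the FBCT diagonal, so all 256 values of L return. For an APN permutation such as the cube map, the SPN-style boomerang uniformity is 2 while the Feistel-style one (FBCT off the diagonal) is 0, which is the "good for SPN, different for Feistel" point the talk makes; for the 4-bit SKINNY S-box neither is zero.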