The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang...
Transcript of The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang...
![Page 1: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/1.jpg)
The Boomerang Attack
Tomer Ashur
Department of Computer ScienceUniversity of Haifa
05/05/2013
![Page 2: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/2.jpg)
What is the Boomerang Attack
I An extension of differentialcryptanalysis.
I Invented by David Wagner, andpublished in 1999.
Tomer Ashur The Boomerang Attack
![Page 3: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/3.jpg)
How Does it Work - in a Nutshell
I Instead of using one long differentialthat covers the full cipher, we use twoshorter differentials of each coveringpart of the cipher.
I We append the two differentials to builda boomarng that covers the full cipher.
P0 P1
α
5
β
C0 C1
3
C2 C3
δ δ
γ γβ
P2 P3
α
Tomer Ashur The Boomerang Attack
![Page 4: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/4.jpg)
Why don’t we Always Use it?
I The attack model is different.
I The complexity
Tomer Ashur The Boomerang Attack
![Page 5: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/5.jpg)
A Step-by-step Construction
P0 P1
α
Tomer Ashur The Boomerang Attack
![Page 6: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/6.jpg)
A Step-by-step Construction - Cont.
P0 P1
α
5
β
Tomer Ashur The Boomerang Attack
![Page 7: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/7.jpg)
A Step-by-step Construction - Cont.
P0 P1
α
5
β
C0 C1
3
Tomer Ashur The Boomerang Attack
![Page 8: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/8.jpg)
A Step-by-step Construction - Cont.
P0 P1
α
5
β
C0 C1
3
C2 C3
δ δ
Tomer Ashur The Boomerang Attack
![Page 9: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/9.jpg)
A Step-by-step Construction - Cont.
P0 P1
α
5
β
C0 C1
3
C2 C3
δ δ
Tomer Ashur The Boomerang Attack
![Page 10: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/10.jpg)
A Step-by-step Construction - Cont.
P0 P1
α
5
β
C0 C1
3
C2 C3
δ δ
γ γ
Tomer Ashur The Boomerang Attack
![Page 11: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/11.jpg)
A Step-by-step Construction - Cont.
P0 P1
α
5
β
C1 C2
3
C2 C3
δ δ
γ γ
P2 P3
Tomer Ashur The Boomerang Attack
![Page 12: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/12.jpg)
A Step-by-step Construction - Cont.
P0 P1
α
5
β
C1 C2
3
C2 C3
δ δ
γ γ
P2 P3
β
Tomer Ashur The Boomerang Attack
![Page 13: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/13.jpg)
A Step-by-step Construction - Cont.
P0 P1
α
5
β
C1 C2
3
C2 C3
δ δ
γ γ
P2 P3
β
α
Tomer Ashur The Boomerang Attack
![Page 14: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/14.jpg)
What are the Odds?
I α cause β with probability p
I δ cause γ with probability q
I We need this event to happen twice.
I Finally, β cause α with probability p
I So...
I (p · q)2
Tomer Ashur The Boomerang Attack
![Page 15: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/15.jpg)
What are the Odds?
I α cause β with probability p
I δ cause γ with probability q
I We need this event to happen twice.
I Finally, β cause α with probability p
I So...
I (p · q)2
Tomer Ashur The Boomerang Attack
![Page 16: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/16.jpg)
What are the Odds?
I α cause β with probability p
I δ cause γ with probability q
I We need this event to happen twice.
I Finally, β cause α with probability p
I So...
I (p · q)2
Tomer Ashur The Boomerang Attack
![Page 17: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/17.jpg)
What are the Odds?
I α cause β with probability p
I δ cause γ with probability q
I We need this event to happen twice.
I Finally, β cause α with probability p
I So...
I (p · q)2
Tomer Ashur The Boomerang Attack
![Page 18: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/18.jpg)
What are the Odds?
I α cause β with probability p
I δ cause γ with probability q
I We need this event to happen twice.
I Finally, β cause α with probability p
I So...
I (p · q)2
Tomer Ashur The Boomerang Attack
![Page 19: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/19.jpg)
What are the Odds?
I α cause β with probability p
I δ cause γ with probability q
I We need this event to happen twice.
I Finally, β cause α with probability p
I So...
I (p · q)2
Tomer Ashur The Boomerang Attack
![Page 20: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/20.jpg)
What are the Odds?
I α cause β with probability p
I δ cause γ with probability q
I We need this event to happen twice.
I Finally, β cause α with probability p
I So...
I (p · q)2
Tomer Ashur The Boomerang Attack
![Page 21: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/21.jpg)
What is it Good For?
Tomer Ashur The Boomerang Attack
![Page 22: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/22.jpg)
The Key Recovery
I Just do the Usual Trick
I E(4x) = 10x
I S1(10x ⊕ k0) = Ax
I k0 ∈ {000001, 010001, 100001, 110001, 101111, 011111}
Tomer Ashur The Boomerang Attack
![Page 23: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/23.jpg)
The Key Recovery
I Just do the Usual Trick
I E(4x) = 10x
I S1(10x ⊕ k0) = Ax
I k0 ∈ {000001, 010001, 100001, 110001, 101111, 011111}
Tomer Ashur The Boomerang Attack
![Page 24: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/24.jpg)
The Key Recovery
I Just do the Usual Trick
I E(4x) = 10x
I S1(10x ⊕ k0) = Ax
I k0 ∈ {000001, 010001, 100001, 110001, 101111, 011111}
Tomer Ashur The Boomerang Attack
![Page 25: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/25.jpg)
The Key Recovery
I Just do the Usual Trick
I E(4x) = 10x
I S1(10x ⊕ k0) = Ax
I k0 ∈ {000001, 010001, 100001, 110001, 101111, 011111}
Tomer Ashur The Boomerang Attack
![Page 26: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/26.jpg)
The Inside-out Attack
I Use truncated differentials.
I Use the birthday paradox to make thedifferentials collide, having the reqiureddifference.
CC-BY-SA 2.0 QuinnDombrowski
Tomer Ashur The Boomerang Attack
![Page 27: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/27.jpg)
*R-attacks
Tomer Ashur The Boomerang Attack
![Page 28: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/28.jpg)
Related-key Differentials
Tomer Ashur The Boomerang Attack
![Page 29: The Boomerang Attack - University of Haifaorrd/BlockCipherSeminar/TomerAshur.pdf · The Boomerang Attack Tomer Ashur Department of Computer Science University of Haifa tashur01@campus.haifa.ac.il](https://reader034.fdocuments.us/reader034/viewer/2022051917/600971c38977d013a1223294/html5/thumbnails/29.jpg)
Questions
Tomer Ashur The Boomerang Attack