International Association for Cryptologic Research


CryptoDB

On Impossible Boomerang Attacks: Application to Simon and SKINNYee

Authors:
Xavier Bonnetain , Université de Lorraine, CNRS, Inria, LORIA, Nancy, France
Margarita Cordero , Université de Lorraine, CNRS, Inria, LORIA, Nancy, France
Virginie Lallemand , Université de Lorraine, CNRS, Inria, LORIA, Nancy, France
Marine Minier , Université de Lorraine, CNRS, Inria, LORIA, Nancy, France
María Naya-Plasencia , Inria, Paris, France
Download:
DOI: 10.46586/tosc.v2024.i2.222-253
URL: https://tosc.iacr.org/index.php/ToSC/article/view/11629
Abstract: The impossible boomerang attack, introduced in 2008 by Jiqiang Lu, is an extension of the impossible differential attack that relies on a boomerang distinguisher of probability 0 for discarding incorrect key guesses. In Lu's work, the impossible boomerang distinguishers were built from 4 (different) probability-1 differentials leading to 4 differences that do not sum to 0 in the middle, in a miss-in-the-middle way.

In this article, we study the possibility of extending this notion by looking at finer-level contradictions that derive from boomerang switch constraints. We start by discussing the case of quadratic Feistel ciphers and in particular of the Simon ciphers. We exploit their very specific boomerang constraints to enforce a contradiction that creates a new type of impossible boomerang distinguisher, which we search for with an SMT solver. We next switch to word-oriented ciphers and study how to leverage the contradictions of the Boomerang Connectivity Table (BCT). We apply this idea to SKINNYee, a recent tweakable block cipher proposed at Crypto 2022, and obtain a 21-round distinguisher.

After detailing the process and the complexities of an impossible boomerang attack in the single (twea)key and related (twea)key models, we extend our distinguishers into attacks and present a 23-round impossible boomerang attack on Simon-32/64 (out of 32 rounds) and a 29-round impossible boomerang attack on SKINNYee (out of 56 rounds). To the best of our knowledge, our analysis covers two more rounds than the (so far, only) other third-party analysis of SKINNYee that has been published to date.
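The word-oriented part of the abstract rests on one local fact: an entry BCT(a, b) = 0 in the Boomerang Connectivity Table of an S-box means that a boomerang whose upper trail enters that S-box with input difference a and whose lower trail leaves it with output difference b can never return, so any boomerang distinguisher that needs such a switch has probability exactly 0. The following is an added example, not code from the paper or from the SKINNYee designers: it computes the DDT and the BCT of the SKINNY 4-bit S-box (the S-box that, to my knowledge, SKINNYee inherits from SKINNY-64; treat that as an assumption), lists the (a, b) pairs with BCT(a, b) = 0, and checks a hypothetical set of active S-box switch constraints against the table. The real 21-round distinguisher combines such constraints across several rounds; this block only shows the single-S-box contradiction it is built from.

```python
"""Boomerang Connectivity Table (BCT) contradictions for a 4-bit S-box.

Added example (not the paper's code). The BCT of an S-box S is defined
(Cid, Huang, Peyrin, Sasaki, Sun, EUROCRYPT 2018) as

    BCT(a, b) = #{ x : S^-1(S(x) ^ b) ^ S^-1(S(x ^ a) ^ b) = a }.

A zero entry with a != 0 and b != 0 is a switch that can never occur,
which is the kind of contradiction an impossible boomerang can exploit.
"""
from typing import List, Tuple

# SKINNY 4-bit S-box (SKINNY specification); assumed here to be the
# S-box used by SKINNYee as well.
SBOX: List[int] = [0xC, 0x6, 0x9, 0x0, 0x1, 0xA, 0x2, 0xB,
                   0x3, 0x8, 0x5, 0xD, 0x4, 0xE, 0x7, 0xF]
N = len(SBOX)  # 16 inputs for a 4-bit S-box


def invert(sbox: List[int]) -> List[int]:
    """Inverse permutation of a bijective S-box."""
    inv = [0] * len(sbox)
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv


def ddt(sbox: List[int]) -> List[List[int]]:
    """Difference Distribution Table: DDT[a][b] = #{x : S(x) ^ S(x ^ a) = b}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def bct(sbox: List[int]) -> List[List[int]]:
    """Boomerang Connectivity Table, computed directly from the definition."""
    n = len(sbox)
    inv = invert(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):           # upper input difference
        for b in range(n):       # lower output difference
            count = 0
            for x in range(n):
                if inv[sbox[x] ^ b] ^ inv[sbox[x ^ a] ^ b] == a:
                    count += 1
            table[a][b] = count
    return table


def impossible_switches(table: List[List[int]]) -> List[Tuple[int, int]]:
    """All (a, b) with a, b != 0 and BCT(a, b) = 0: switches that never return."""
    n = len(table)
    return [(a, b) for a in range(1, n) for b in range(1, n) if table[a][b] == 0]


def switch_is_impossible(table: List[List[int]],
                         active: List[Tuple[int, int]]) -> bool:
    """Given the (upper input diff, lower output diff) pair of every active
    S-box in the switching round, report whether the boomerang is impossible.
    One zero BCT entry is enough: the quartet can never close, whatever the
    probabilities of the rest of the trails are."""
    return any(table[a][b] == 0 for a, b in active)


if __name__ == "__main__":
    D, B = ddt(SBOX), bct(SBOX)
    zeros = impossible_switches(B)
    print(f"{len(zeros)} impossible (a, b) switches, e.g. {zeros[:8]}")
    # Constructed (hypothetical) switching-round constraints for two active
    # S-boxes: (1, 8) is a possible switch, (1, 1) is not.
    print("boomerang impossible:", switch_is_impossible(B, [(1, 8), (1, 1)]))
```

BCT(a, b) >= DDT(a, b) always holds, so a switch that is impossible for the BCT is also an impossible differential transition, but the converse fails: the BCT has nonzero entries where the DDT is zero (the classical boomerang switch effect), which is why an impossible boomerang has to be argued with the BCT rather than with DDT zeros alone.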
BibTeX
@article{tosc-2024-34382,
  title={On Impossible Boomerang Attacks: Application to Simon and SKINNYee},
  journal={IACR Transactions on Symmetric Cryptology},
  publisher={Ruhr-Universität Bochum},
  volume={2024 No. 2},
  pages={222-253},
  url={https://tosc.iacr.org/index.php/ToSC/article/view/11629},
  doi={10.46586/tosc.v2024.i2.222-253},
  author={Xavier Bonnetain and Margarita Cordero and Virginie Lallemand and Marine Minier and María Naya-Plasencia},
  year=2024
}