Boomerang Connectivity Table: A New Cryptanalysis Tool

A boomerang attack is a cryptanalysis framework that regards a block cipher E as the composition of two sub-ciphers \(E_1\circ E_0\) and builds a particular characteristic for E with probability \(p^2q^2\) by combining differential characteristics for \(E_0\) and \(E_1\) with probability p and q, respectively. Crucially the validity of this figure is under the assumption that the characteristics for \(E_0\) and \(E_1\) can be chosen independently. Indeed, Murphy has shown that independently chosen characteristics may turn out to be incompatible. On the other hand, several researchers observed that the probability can be improved to p or q around the boundary between \(E_0\) and \(E_1\) by considering a positive dependency of the two characteristics, e.g. the ladder switch and S-box switch by Biryukov and Khovratovich. This phenomenon was later formalised by Dunkelman et al. as a sandwich attack that regards E as \(E_1\circ E_m \circ E_0\), where \(E_m\) satisfies some differential propagation among four texts with probability r, and the entire probability is \(p^2q^2r\). In this paper, we revisit the issue of dependency of two characteristics in \(E_m\), and propose a new tool called Boomerang Connectivity Table (BCT), which evaluates r in a systematic and easy-to-understand way when \(E_m\) is composed of a single S-box layer. With the BCT, previous observations on the S-box including the incompatibility, the ladder switch and the S-box switch are represented in a unified manner. Moreover, the BCT can detect a new switching effect, which shows that the probability around the boundary may be even higher than p or q. To illustrate the power of the BCT-based analysis, we improve boomerang attacks against Deoxys-BC, and disclose the mechanism behind an unsolved probability amplification for generating a quartet in SKINNY. Lastly, we discuss the issue of searching for S-boxes having good BCT and extending the analysis to modular addition.