The Return of the Cryptographic Boomerang

Murphy, Seán

doi:10.1109/tit.2011.2111091

Cited by 60 publications

(48 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It has to be noted that this independence assumption is quite strong, cf. [28]. However, if this assumption holds, the expected number of solutions to (14) is 1, if we repeat the attack about 1/(p 2 0 · p 2 1 ) times.…”

Section: Choose a Random Value For X And Computementioning

confidence: 96%

See 1 more Smart Citation

Second-Order Differential Collisions for Reduced SHA-256

Biryukov

Lamberger

Mendel

et al. 2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In this work, we introduce a new non-random property for hash/compression functions using the theory of higher order differentials. Based on this, we show a second-order differential collision for the compression function of SHA-256 reduced to 47 out of 64 steps with practical complexity. We have implemented the attack and provide an example. Our results suggest that the security margin of SHA-256 is much lower than the security margin of most of the SHA-3 finalists in this setting. The techniques employed in this attack are based on a rectangle/boomerang approach and cover advanced search algorithms for good characteristics and message modification techniques. Our analysis also exposes flaws in all of the previously published related-key rectangle attacks on the SHACAL-2 block cipher, which is based on SHA-256. We provide valid rectangles for 48 steps of SHACAL-2.

show abstract

Section: Choose a Random Value For X And Computementioning

confidence: 96%

“…As noted before, in general, the assumption on independent characteristics is quite strong, cf. [28]. We apply a particular approach to construct differential characteristics that are used to construct second-order differential collisions for reduced SHA-256.…”

Section: Differential Characteristicsmentioning

confidence: 99%

Second-Order Differential Collisions for Reduced SHA-256

Biryukov

Lamberger

Mendel

et al. 2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…In summary, in terms of the numbers of attacked rounds, the most significant results are Biryukov and Khovratovich's related-key (amplified) boomerang attacks on the full-round AES-192/256 [14], and each attack uses four related keys. (We note that Murphy [42] commented recently that the claims made in [14] by Biryukov and Khovratovich for a related key boomerang analysis of AES must be regarded as unsubstantiated). A related-key attack [2,28,31] assumes that the attacker knows or can choose the differences between two or more unknown keys; the more keys are involved, the more difficult and impractical the attack is to conduct.…”

Section: Introductionmentioning

confidence: 84%

The (related-key) impossible boomerang attack and its application to the AES block cipher

2010

Des. Codes Cryptogr.

View full text Add to dashboard Cite

The Advanced Encryption Standard (AES) is a 128-bit block cipher with a user key of 128, 192 or 256 bits, released by NIST in 2001 as the next-generation data encryption standard for use in the USA. It was adopted as an ISO international standard in 2005. Impossible differential cryptanalysis and the boomerang attack are powerful variants of differential cryptanalysis for analysing the security of a block cipher. In this paper, building on the notions of impossible differential cryptanalysis and the boomerang attack, we propose a new cryptanalytic technique, which we call the impossible boomerang attack, and then describe an extension of this attack which applies in a related-key attack scenario. Finally, we apply the impossible boomerang attack to break 6-round AES with 128 key bits and 7-round AES with 192/256 key bits, and using two related keys we apply the related-key impossible boomerang attack to break 8-round AES with 192 key bits and 9-round AES with 256 key bits. In the two-key related-key attack scenario, our results, which were the first to achieve this amount of attacked rounds, match the best currently known results for AES with 192/256 key bits in terms of the numbers of attacked rounds. The (related-key) impossible boomerang attack is a general cryptanalytic technique, and can potentially be used to cryptanalyse other block ciphers.

show abstract

“…However as opposed to assuming independence of the differentials, which does not hold in general (see [25]), we explicitly take their correlation into account and use it in our framework.…”

Section: Related Workmentioning

confidence: 99%

“…It has correctly been observed that the correlation between differentials must be taken into account to accurately determine the success probability [25]. The true probability can otherwise deviate arbitrarily from the estimated one.…”

Section: Introductionmentioning

confidence: 99%

Polytopic Cryptanalysis

Tiessen

2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Standard differential cryptanalysis uses statistical dependencies between the difference of two plaintexts and the difference of the respective two ciphertexts to attack a cipher. Here we introduce polytopic cryptanalysis which considers interdependencies between larger sets of texts as they traverse through the cipher. We prove that the methodology of standard differential cryptanalysis can unambiguously be extended and transferred to the polytopic case including impossible differentials. We show that impossible polytopic transitions have generic advantages over impossible differentials. To demonstrate the practical relevance of the generalization, we present new low-data attacks on round-reduced DES and AES using impossible polytopic transitions that are able to compete with existing attacks, partially outperforming these.

show abstract

The Return of the Cryptographic Boomerang

Cited by 60 publications

References 8 publications

Second-Order Differential Collisions for Reduced SHA-256

Second-Order Differential Collisions for Reduced SHA-256

The (related-key) impossible boomerang attack and its application to the AES block cipher

Polytopic Cryptanalysis

Contact Info

Product

Resources

About