Related-key boomerang and rectangle attacks

Theory and experimental analysis

Jongsung Kim, Seokhie Hong, Bart Preneel, Eli Biham, Orr Dunkelman, Nathan Keller

Research output: Contribution to journal › Article

13 Citations (Scopus)

Abstract

In 2004, we introduced the related-key boomerang/rectangle attacks, which allow us to enjoy the benefits of the boomerang attack and the related-key technique, simultaneously. The new attacks were used since then to attack numerous block ciphers. While the claimed applications are significant, most of them have a major drawback. Their validity cannot be verified experimentally due to their high complexity. Together with the lack of rigorous justification of the probabilistic assumptions underlying the technique, this led Murphy to claim that attacks using the related-key boomerang/rectangle technique are not legitimate. This paper contains two contributions. The first is a rigorous analysis of the related-key boomerang/rectangle attacks, including devising provably optimal distinguishers and computing their success rate, and discussing the underlying independence assumptions. The second contribution is an extensive experimental verification of the related-key boomerang attack against the GSM block cipher, KASUMI. Our experiments reveal that the success probability of the distinguisher, when averaged over different choices of the keys, is close to the theoretical prediction. However, the exact probability depends on the key, such that for some portion of the keys, the distinguisher holds with a higher probability than expected, while for the rest of the keys, the distinguisher fails completely.

Original language: English
Article number: 6172578
Pages (from-to): 4948-4966
Number of pages: 19
Journal: IEEE Transactions on Information Theory
Volume: 58
Issue number: 7
DOI: 10.1109/TIT.2012.2191655
Publication status: Published - 2012 Jun 25

Keywords

  • Experimental analysis
  • KASUMI
  • related-key boomerang attack
  • related-key rectangle attack

ASJC Scopus subject areas

  • Information Systems
  • Computer Science Applications
  • Library and Information Sciences

Cite this

Related-key boomerang and rectangle attacks: Theory and experimental analysis. / Kim, Jongsung; Hong, Seokhie; Preneel, Bart; Biham, Eli; Dunkelman, Orr; Keller, Nathan.

In: IEEE Transactions on Information Theory, Vol. 58, No. 7, 6172578, 25.06.2012, p. 4948-4966.

@article{61a6f2a640734046aefb396d3a4f7e2b,
title = "Related-key boomerang and rectangle attacks: Theory and experimental analysis",
keywords = "Experimental analysis, KASUMI, related-key boomerang attack, related-key rectangle attack",
author = "Jongsung Kim and Seokhie Hong and Bart Preneel and Eli Biham and Orr Dunkelman and Nathan Keller",
year = "2012",
month = "6",
day = "25",
doi = "10.1109/TIT.2012.2191655",
language = "English",
volume = "58",
pages = "4948--4966",
journal = "IEEE Transactions on Information Theory",
issn = "0018-9448",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
number = "7",

}
