User:Decrypt3/WIP
Coming soon: Boomerang attack. I hope to have it done by the 20th. (Hah - that's gone all to hell. No idea when I'm going to finish, actually.)
In cryptanalysis, the boomerang attack is a new form of differential cryptanalysis introduced in 1999 by David Wagner. It approached the problem of finding differential characteristics for a cipher from a different angle than conventional differential cryptanalysis, opening up new avenues of attack for many ciphers deemed safe from differential cryptanalysis.
The attack
- Before reading this section, the reader is advised to be familiar with differential cryptanalysis.
Designers of modern ciphers, before even publishing a new design, make sure that the design is resistant to differential and linear cryptanalysis. To defend against differential cryptanalysis, the designer makes sure that there are no high-probability differential characteristics (approximations to the action of a cipher in terms of input and output differences) in the cipher. This will make conventional differential cryptanalysis very difficult, if not impossible. (Incidentally, a lack of high-probability differential characteristics also opens up an avenue of attack; see impossible differential cryptanalysis.) The boomerang attack functions even without high-probability differential characteristics.
The attack attempts to generate a quartet structure (two plaintexts with a known difference and their corresponding ciphertexts) at a point halfway through the cipher. For this purpose, say that the encryption action of the cipher is C = E1(E0(M)), where the E's are halves of the cipher. It is easier to get good differential characteristics for half of the cipher than for the whole cipher, so we should fairly easily be able to get differential characteristics
- <math>\Delta\to\Delta^*</math>
for E0 and
- <math>\nabla\to\nabla^*</math>
for <math>E_1^{-1}</math> (the decryption action of the last half of the cipher).
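The quartet structure just described, worked through on a toy 16-bit cipher split as C = E1(E0(M)). This is an added example, not part of the draft: the PRESENT 4-bit S-box is used purely as a convenient, well-known component, the diffusion layer is a one-nibble rotation, and the trail choices (a difference of 1 in the low nibble for Δ, a difference of 7 in nibble 2 for ∇) are constructed for the demonstration. The probabilities p and q of the two half-cipher characteristics are read off the S-box's difference distribution table rather than assumed, and the block then measures, over random keys and plaintexts, how often the E0 characteristic holds at the halfway point and how often the full boomerang returns a pair with difference Δ. Two things to watch when reading the output: the figure to compare against is the chance rate 1/(2^16 - 1) of a random permutation, and the naive p²q² estimate assumes the two halves behave independently; on this toy a single S-box layer sits right at the boundary, so the halves interact and the measured return rate lands above that estimate.

```python
"""Boomerang quartet on a toy 16-bit cipher C = E1(E0(M)).
Added example, not from the original draft; the S-box, rotation layer and
trail choices below are constructed for illustration."""
import random

# PRESENT S-box (a real 4-bit S-box, used here only as a toy component) and its inverse.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(i) for i in range(16)]
CHANCE_RATE = 1 / (2 ** 16 - 1)  # P[Q ^ Q' == delta] for a random 16-bit permutation


def ddt(sbox):
    """Difference distribution table: ddt[a][b] = #{x : S(x) ^ S(x ^ a) == b}."""
    table = [[0] * 16 for _ in range(16)]
    for a in range(16):
        for x in range(16):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def best_differential(sbox, a):
    """Most probable non-zero output difference b for input difference a, with p = ddt[a][b]/16."""
    row = ddt(sbox)[a]
    b = max(range(1, 16), key=lambda d: row[d])
    return b, row[b] / 16


def sub_nibbles(x, sbox):
    """Apply a 4-bit S-box to each of the four nibbles of a 16-bit word."""
    return sum(sbox[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))


def rotate_nibbles(x, n=1):
    """Rotate the four nibbles of a 16-bit word left by n positions (nibble i -> i+n)."""
    n %= 4
    return ((x << (4 * n)) | (x >> (16 - 4 * n))) & 0xFFFF if n else x


# The two halves: key XOR, S-box layer, nibble rotation (E1 adds a final key XOR).
def e0(x, k0):
    return rotate_nibbles(sub_nibbles(x ^ k0, SBOX))


def e0_inv(y, k0):
    return sub_nibbles(rotate_nibbles(y, 3), SBOX_INV) ^ k0


def e1(x, k1, k2):
    return rotate_nibbles(sub_nibbles(x ^ k1, SBOX)) ^ k2


def e1_inv(c, k1, k2):
    return sub_nibbles(rotate_nibbles(c ^ k2, 3), SBOX_INV) ^ k1


def encrypt(m, key):
    k0, k1, k2 = key
    return e1(e0(m, k0), k1, k2)


def decrypt(c, key):
    k0, k1, k2 = key
    return e0_inv(e1_inv(c, k1, k2), k0)


def nibble_diff(value, position):
    return value << (4 * position)


# E0 characteristic (forward): 1 in nibble 0 -> S-box (prob p) -> b in nibble 0 -> rotation -> b in nibble 1.
B_OUT, P_E0 = best_differential(SBOX, 1)
DELTA = nibble_diff(1, 0)          # 0x0001, constructed choice
DELTA_STAR = nibble_diff(B_OUT, 1)

# E1^-1 characteristic (backward): n in nibble 2 -> un-rotate -> nibble 1 -> inverse S-box (prob q) -> n* in nibble 1.
N_IN = 7                           # constructed choice of ciphertext-side nibble difference
N_OUT, Q_E1 = best_differential(SBOX_INV, N_IN)
NABLA = nibble_diff(N_IN, 2)       # 0x0700
NABLA_STAR = nibble_diff(N_OUT, 1)


def boomerang_quartet(p, key, delta, nabla):
    """Encrypt the pair (P, P ^ delta), shift both ciphertexts by nabla, decrypt both,
    and report whether the returned pair again has difference delta."""
    c, c2 = encrypt(p, key), encrypt(p ^ delta, key)
    q, q2 = decrypt(c ^ nabla, key), decrypt(c2 ^ nabla, key)
    return (q ^ q2) == delta


def estimate_rates(delta, delta_star, nabla, trials, seed=0):
    """Empirical rates over random keys and plaintexts: how often the E0 characteristic
    holds at the halfway point, and how often the whole boomerang comes back."""
    rng = random.Random(seed)
    e0_hits = boomerang_hits = 0
    for _ in range(trials):
        key = tuple(rng.getrandbits(16) for _ in range(3))
        p = rng.getrandbits(16)
        e0_hits += (e0(p, key[0]) ^ e0(p ^ delta, key[0])) == delta_star
        boomerang_hits += boomerang_quartet(p, key, delta, nabla)
    return {"e0_characteristic": e0_hits / trials, "boomerang": boomerang_hits / trials}


if __name__ == "__main__":
    rates = estimate_rates(DELTA, DELTA_STAR, NABLA, trials=4000, seed=1)
    print(f"E0 trail {DELTA:#06x} -> {DELTA_STAR:#06x}, p = {P_E0}; measured {rates['e0_characteristic']:.3f}")
    print(f"E1^-1 trail {NABLA:#06x} -> {NABLA_STAR:#06x}, q = {Q_E1}")
    print(f"naive p^2 q^2 = {P_E0 ** 2 * Q_E1 ** 2:.5f}, chance = {CHANCE_RATE:.2e}, "
          f"measured boomerang return rate = {rates['boomerang']:.4f}")
```

Running the block prints the two half-cipher trails with their table-derived probabilities (p = q = 1/4 for these choices), then the measured return rate next to both the chance rate and the p²q² figure; the gap between the measured rate and the chance rate is what tells the halves apart from a random permutation, which is the signal the attack builds on.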