Related-Key Boomerang and Rectangle Attacks: Theory and Experimental Analysis
IEEE Transactions on Information Theory
The related-key differential attack and the boomerang attack are two of the classical techniques in cryptanalysis of block ciphers. In 2004, we introduced the relatedkey boomerang and related-key rectangle attacks, which allow to enjoy the benefits of these two techniques simultaneously. The new techniques proved to be very powerful, and were used to devise the best known attacks against numerous block ciphers, culminating with the first attack on the full AES presented in 2009 and a
... ime attack on KASUMI (the cipher used in GSM and 3G telephony) presented in 2010. While the claimed applications of the related-key boomerang/rectangle technique are significant, most of them have a major drawback: due to the extremely high complexity of the attacks, their validity cannot be verified experimentally. Together with the lack of rigorous justification of the probabilistic assumptions underlying the technique, it was claimed that these assumptions cannot be relied upon, and thus, attacks using the related-key boomerang/rectangle technique are not legitimate. These claims were formalized in a recent paper by Murphy  who presented scenarios in which the probabilistic assumptions fail, and questioned their validity. In this paper we present a rigorous treatment of the related-key boomerang/rectangle technique. In the first part of the paper, we devise optimal algorithms for the relatedkey boomerang/rectangle distinguishers using the Logarithmic Likelihood Ratio statistics. We study the exact independence assumptions the attacks rely upon, and compute the success probability of the attacks under these independence assumptions. In the second part of the paper, we address the claims against the validity of the related-key boomerang/rectangle technique by an extensive experimental analysis. We consider a specific case -the block cipher KASUMI -and perform an experimental verifications (with more than 2 48 encryptions) of a related-key boomerang distinguisher against it. The analysis shows that in all attacks, the overall probability of the distinguisher (when averaged over different choices of plaintexts and keys) is close to the theoretically predicted probability. However, it seems that the probability depends on the key, such that for some portion of the keys, the distinguisher holds with a higher probability than expected, while for the rest of the keys, the distinguisher fails completely. We conclude that the probability assumptions underlying the technique make sense in real-life ciphers, and thus, related-key boomerang/rectangle attacks on block ciphers are valid in general. On the other hand, due to the dependence of the probabilities on the key, it is important to verify the validity of the attack experimentally whenever possible in order to measure its success probability.