The Boomerang Attack [chapter]

David Wagner
1999 Lecture Notes in Computer Science  
This paper describes a new differential-style attack, which we call the boomerang attack. This attack has several interesting applications. First, we disprove the oft-repeated claim that eliminating all high-probability differentials for the whole cipher is sufficient to guarantee security against differential attacks. Second, we show how to break COCONUT98, a cipher designed using decorrelation techniques to ensure provable security against differential attacks, with an advanced differential-style attack that needs just 2^16 adaptively chosen texts. Also, to illustrate the power of boomerang techniques, we give new attacks on Khufu-16, FEAL-6, and 16 rounds of CAST-256.

1. Note that Biham et al.'s impossible differentials [BBS98,BBS99] also disprove the folk theorem. They show that if one can find a differential of sufficiently low probability, the cipher can be broken. However, the boomerang attack in fact lets us make a sharper statement: even if no differential for the whole cipher has probability that is too high or too low, the cipher might still be vulnerable to differential-style attacks.
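The quartet structure behind the abstract, as an added worked example that is not part of the paper: the cipher is split as E = E1 ∘ E0, a short differential Δ → Δ* is used for E0 and a short differential ∇ → ∇* for E1 in the decryption direction, and the attacker encrypts a pair P, P ⊕ Δ, flips ∇ on both ciphertexts, decrypts those adaptively chosen ciphertexts and checks whether the returning plaintexts differ by Δ again. The toy cipher below (16-bit blocks, four parallel copies of the PRESENT S-box, a PRESENT-style bit permutation), its key, Δ = 0x0001 and ∇ = 0x8000 are all constructed for illustration; the code is an assumption of this page, not Wagner's. The heuristic estimate for the return probability is p²q² from the two short differentials; on a cipher this small several middle differences return at once, so the measured rate is well above that estimate and far above the 1/(2^16 - 1) an ideal permutation would give.

```python
"""Boomerang quartet on a toy two-half SPN (constructed example, not the paper's code).

E = E1 o E0 over 16-bit blocks (four 4-bit nibbles). The S-box is PRESENT's; the
permutation, keys and differences are assumptions made only to illustrate the quartet.
"""
import random

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(i) for i in range(16)]
# Bit permutation: bit i -> 4*i mod 15, bit 15 fixed (PRESENT's rule shrunk to 16 bits).
PERM = [(4 * i) % 15 for i in range(15)] + [15]
INV_PERM = [PERM.index(i) for i in range(16)]
KEY = (0x2B7E, 0x1516, 0x28AE)          # constructed whitening keys k0, k1, k2
RANDOM_BASELINE = 1 / (2 ** 16 - 1)     # return rate expected from an ideal permutation


def sbox_layer(x, table):
    return sum(table[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))


def permute(x, perm):
    out = 0
    for i in range(16):
        if (x >> i) & 1:
            out |= 1 << perm[i]
    return out


def e0(x, k):       # first half E0: key, S-box layer
    return sbox_layer(x ^ k[0], SBOX)


def e0_inv(y, k):
    return sbox_layer(y, INV_SBOX) ^ k[0]


def e1(x, k):       # second half E1: permutation, key, S-box layer, key
    return sbox_layer(permute(x, PERM) ^ k[1], SBOX) ^ k[2]


def e1_inv(c, k):
    return permute(sbox_layer(c ^ k[2], INV_SBOX) ^ k[1], INV_PERM)


def encrypt(p, k):
    return e1(e0(p, k), k)


def decrypt(c, k):
    return e0_inv(e1_inv(c, k), k)


def ddt():
    """Difference distribution table of the 4-bit S-box: ddt()[a][b] counts x with S(x)^S(x^a)=b."""
    t = [[0] * 16 for _ in range(16)]
    for a in range(16):
        for x in range(16):
            t[a][SBOX[x] ^ SBOX[x ^ a]] += 1
    return t


def best_differential(delta_in):
    """Most likely S-box output difference for a nibble input difference, with its probability p."""
    row = ddt()[delta_in]
    d = max(range(1, 16), key=lambda b: row[b])
    return d, row[d] / 16


def boomerang(p, delta, nabla, k):
    """One quartet: P, P^delta encrypted; nabla flipped on both ciphertexts; both decrypted.
    The decryptions are adaptively chosen, since they depend on the ciphertexts just seen."""
    c, c2 = encrypt(p, k), encrypt(p ^ delta, k)
    d, d2 = c ^ nabla, c2 ^ nabla
    q, q2 = decrypt(d, k), decrypt(d2, k)
    return q ^ q2 == delta             # the boomerang "returns" when the plaintext difference reappears


def boomerang_rate(delta, nabla, k, trials=8192, seed=1):
    """Fraction of random plaintexts whose quartet returns, for a fixed unknown key."""
    rng = random.Random(seed)
    hits = sum(boomerang(rng.getrandbits(16), delta, nabla, k) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    delta, nabla = 0x0001, 0x8000      # one active nibble into E0, one active nibble out of E1
    d_star, p = best_differential(delta & 0xF)
    print(f"E0 differential 0x{delta:04x} -> nibble diff 0x{d_star:x} with p = {p}")
    rate = boomerang_rate(delta, nabla, KEY)
    print(f"boomerang return rate = {rate:.4f}, ideal permutation ~ {RANDOM_BASELINE:.2e}")
```

A return rate orders of magnitude above the ideal-permutation baseline is the distinguisher; the attacker never needs a differential spanning the whole cipher, only the two short ones, which is the gap in the folk theorem the abstract refers to.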
doi:10.1007/3-540-48519-8_12 fatcat:hnavmghotnem7i5nqeoazbp4r4