Related-Key Boomerang and Rectangle Attacks: Theory and Experimental Analysis

Abstract

In 2004, we introduced the related-key boomerang/rectangle attacks, which allow us to enjoy the benefits of the boomerang attack and the related-key technique, simultaneously. The new attacks were used since then to attack numerous block ciphers. While the claimed applications are significant, most of them have a major drawback. Their validity cannot be verified experimentally due to their high complexity. Together with the lack of rigorous justification of the probabilistic assumptions underlying the technique, this lead Murphy to claim that attacks using the related-key boomerang/rectangle technique are not legitimate. This paper contains two contributions. The first is a rigorous analysis of the related-key boomerang/rectangle attacks, including devising provably optimal distinguishers and computing their success rate, and discussing the underlying independence assumptions. The second contribution is an extensive experimental verification of the related-key boomerang attack against the GSM block cipher, KASUMI. Our experiments reveal that the success probability of the distinguisher, when averaged over different choices of the keys, is close to the theoretical prediction. However, the exact probability depends on the key, such that for some portion of the keys, the distinguisher holds with a higher probability than expected, while for the rest of the keys, the distinguisher fails completely.