[Resource Topic] 2024/977: Improved Boomerang Attacks on 6-Round AES

Welcome to the resource topic for 2024/977

Improved Boomerang Attacks on 6-Round AES

Authors: Augustin Bariant, Orr Dunkelman, Nathan Keller, Gaëtan Leurent, Victor Mollimard


The boomerang attack is a cryptanalytic technique which allows combining two short high-probability differentials into a distinguisher for a large number of rounds. Since its introduction by Wagner in 1999, it has been applied to many ciphers. One of the best-studied targets is a 6-round variant of AES, on which the boomerang attack is outperformed only by the dedicated Square attack. Recently, two new variants of the boomerang attack were presented: retracing boomerang (Eurocrypt’20) and truncated boomerang (Eurocrypt’23). These variants seem incompatible: the former achieves lower memory complexity by throwing away most of the data in order to force dependencies, while the latter achieves lower time complexity by using large structures, which inevitably leads to a large memory complexity.

In this paper we show that elements of the two techniques can be combined to get 'the best of the two worlds' – the practical memory complexity of the retracing attack and the lower time complexity of the truncated attack. We obtain an attack with data complexity of 2^{57} (compared to 2^{59} and 2^{55} of truncated and retracing boomerang, respectively), memory complexity of 2^{33} (compared to 2^{59} and 2^{31}), and time complexity of 2^{61} (compared to 2^{61} and 2^{80}). This is the second-best attack on 6-round AES, after the Square attack.

ePrint: https://eprint.iacr.org/2024/977

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.