International Association for Cryptologic Research


CryptoDB

Hong Xu

Publications

Year: 2025
Venue: TOSC
Title: Improved Search of Boomerang Distinguishers for Generalized Feistel and Application to WARP
Abstract: Boomerang and rectangle cryptanalysis are powerful cryptanalytic techniques for security evaluation of block ciphers. Automated search for boomerang distinguishers is an important area of research. In FSE 2023, Hadipour et al. proposed a MILP model of searching boomerang distinguishers for Feistel structure, and applied their model to obtain the best known boomerang distinguishers to date for many generalized Feistel ciphers including WARP. In this paper, we focus on improving Hadipour et al.'s model for generalized Feistel structure and boomerang distinguishers on WARP. We show that a boomerang distinguisher with more active S-boxes may have a higher probability. It is caused by the semi-active S-boxes active only in one of the upper and lower differential trails, which are not considered in Hadipour et al.'s model. We classify the active S-boxes in the middle part E_m in more detail, according to the associated tables of DDT, DDT2, FBCT and its variants in the computation formula of boomerang probability for E_m. Then, we propose an improved MILP model to search boomerang distinguishers for generalized Feistel structure. Applying our model to WARP, we find better boomerang distinguishers for all rounds than those found by Hadipour et al.'s model. For the 15-round boomerang distinguisher on WARP, the probability is improved by a factor of 2^{5.78}. For the longest 23-round boomerang distinguisher, the probability is improved by a factor of 2^{4.23}, resulting in the best result presented on WARP so far. Exploiting the properties of two local structures and the probabilistic extension technique, we improve the 26-round rectangle attack and give the first 27-round rectangle attack on WARP, which extends the best previous rectangle attack by one round. Note that our findings do not threaten the security of WARP, which iterates 41 rounds.

Year: 2024
Venue: TOSC
Title: Differential-Linear Cryptanalysis of Reduced Round ChaCha
Abstract: ChaCha is a well-known stream cipher that has been used in many network protocols and software. In this paper, we study the security of reduced round ChaCha. First, by considering the differential-linear hull effect, we improve the correlation of a four-round differential-linear distinguisher proposed at FSE 2023 by providing other intermediate linear masks. Then, based on the four-round differential-linear distinguisher and the PNB method, by using the assignment 100 ··· 00 for consecutive PNBs, higher backward correlation is obtained and improved key recovery attacks on 7-round and 7.25-round ChaCha are obtained with time complexity 2^{189.7} and 2^{223.9}, which improve the previously best-known attacks by factors of 2^{17.1} and 2^{14.44}, respectively. Finally, we consider the equivalence of the security between (R + 0.25)-round and (R + 0.5)⊕-round ChaCha, and show that (R + 0.25)-round and (R + 0.5)⊕-round ChaCha provide the same security against chosen (known) plaintext attacks. As a result, improved differential-linear cryptanalysis of 7.5⊕-round ChaCha can also be obtained similarly to that of 7.25-round ChaCha, which improves the previously best-known attack by a factor of 2^{19}.

Year: 2024
Venue: ASIACRYPT
Title: The Boomerang Chain Distinguishers: New Record for 6-Round AES
Abstract: AES is the most used block cipher, and its round-reduced variants are popular underlying components to design cryptographic schemes. How to effectively distinguish round-reduced AES from random permutations has always been a hot research topic. Currently, the longest number of AES rounds that can be distinguished is 6, where the best result is the 6-round exchange distinguisher with data complexity 2^{84}. In this paper, we extend the classical boomerang distinguisher, which uses only one boomerang property, to use two or more related boomerangs and the technique of `friend pairs' to enhance the distinguishing effect. We propose the frameworks of the re-boomerang and boomerang chain distinguishers and apply them to 6-round AES. The re-boomerang distinguisher uses two related boomerangs sequentially, which have the same upper truncated differential trail in the forward direction. A plaintext pair is called a right pair if it follows this truncated differential trail. By the first boomerang, a target set of plaintext pairs containing one right pair can be obtained. Then for each pair in the target set, construct its `friend pairs' as the input of the second boomerang to distinguish the cipher. Due to the dependence of the two boomerangs, all `friend pairs' of the right pair are right pairs, so the probability of the second boomerang is increased. To further improve the complexity, we insert a new boomerang in the middle of the re-boomerang and repeat it to reduce the target set. Combining the strategies of using more data in each boomerang and repeating the distinguishing process several times, we give a boomerang chain distinguisher on 6-round AES with success probability 60% and complexity 2^{76.57}, reduced by a factor of 172 compared with the previous best result. This is a new record for the secret-key distinguisher on 6-round AES.

Coauthors

Wenfeng Qi (2)
Lin Tan (3)
Zhichao Xu (1)
Hong Xu (3)
Xueping Yan (1)
Xinhao Zeng (1)