International Association for Cryptologic Research

CryptoDB

Chengcheng Chang

Publications and invited talks

Year
Venue
Title
2025
CRYPTO
Unlocking Mix-Basis Potential: Geometric Approach for Combined Attacks
This paper explores the possibility of using different bases in Beyne's geometric approach, a flexibility that was theoretically proposed in Beyne's doctoral thesis but has not been adopted in real cryptanalytic attacks despite its potential to unify multiple attack paradigms. We revisit three bases from previous geometric approach papers and extend them to four extra ones determined by simple rules. With the final seven bases, we can obtain $7^{2d}$ different basis-based attacks in the $d$-th-order spaces, where the order is defined as the number of messages used in one sample during the attack. All these attacks can be studied in unified automatic search methods. We provide several demonstrative applications of this framework. First, we show that by choosing an alternative pair of bases, the divisibility property analyzed by Beyne and Verbauwhede with ultrametric integral cryptanalysis (ASIACRYPT 2024) can be interpreted as a single element rather than as a linear combination of elements of the transition matrix; thus, the property can be studied in a unified way as other geometric approach applications. Second, we revisit the multiple-of-$2^t$ property (EUROCRYPT 2017) under our new framework and present new multiple-of-$2^t$ distinguishers for SKINNY-64 that surpass the state-of-the-art results, from the perspectives of both first-order and second-order attacks. Finally, we give a closed formula for differential-linear approximations without any assumptions, even confirming that the two differential-linear approximations of Simeck-32 and Simeck-48 found by Hadipour et al. are deterministic independently of concrete key values.
2025
TOSC
Mix-Basis Geometric Approach to Boomerang Distinguishers
Differential cryptanalysis relies on assumptions like Markov ciphers and hypothesis of stochastic equivalence. The probability of a differential characteristic estimated by classical methods is the key-averaged probability under the two assumptions. However, the real probability can vary significantly between keys. Hence, tools for differential cryptanalysis in the fixed-key model are desirable. Recently, Beyne and Rijmen applied the geometric approach to differential cryptanalysis and proposed a systematic framework called quasi-differential (CRYPTO 2022). As a variant of differential cryptanalysis, boomerang attacks rely on similar assumptions, so it is important to study their probability in the fixed-key model as well. A direct extension of the quasi-differential for boomerang attacks leads to the quasi-3-differential framework (IEEE-IT 2024). However, such a straightforward approach is difficult in practical applications as there are too many quasi-3-differential trails. We tackle this problem by applying the mix-basis style geometric approach (CRYPTO 2025) to the boomerang attacks and construct the quasi-boomerang framework. By choosing a suitable pair of bases, the boomerang probability can be computed by summing correlations of quasi-boomerang characteristics. The transition matrix of the key-XOR operation is also a diagonal matrix; thus, the influence of keys can be analyzed in a similar way to the quasi-differential framework. We apply the quasi-boomerang framework to SKINNY-64 and GIFT-64. For SKINNY-64, we check and confirm 4 boomerang distinguishers with high probability (2 with probability 1 and 2 with probability $2^{-4}$) generated from Hadipour, Bagheri, and Song’s tool (ToSC 2021/1), through the analysis of key dependencies and the probability calculation from quasi-boomerang characteristics.
We also propose a divide-and-conquer approach following the sandwich framework for boomerangs with small probability or long rounds to apply the quasi-boomerang framework. After checking 2/1 boomerang distinguisher(s) of SKINNY-64/GIFT-64, we find that the previously considered invalid 19-round distinguisher of GIFT-64 is valid. In addition, as a contribution of independent interest, we revisit Boura, Derbez, and Germon’s work by extending the quasi-differential framework to the related-key scenario (ToSC 2025/1), and show an alternative way to derive the same formulas in their paper by regarding the key-XOR as a normal cipher component.