The boomerang attack is based on differential cryptanalysis. In differential cryptanalysis, an attacker exploits how differences in the input to a cipher (the plaintext) can affect the resultant difference at the output (the ciphertext). A high-probability "differential" (that is, an input difference that will produce a likely output difference) is needed that covers all, or nearly all, of the cipher. The boomerang attack allows differentials to be used which cover only part of the cipher.
The attack attempts to generate a so-called "quartet" structure at a point halfway through the cipher. For this purpose, say that the encryption action, E, of the cipher can be split into two consecutive stages, E0 and E1, so that E(M) = E1(E0(M)), where M is some plaintext message. Suppose we have two differentials for the two stages; say,
for E0, and
for E1−1 (the decryption action of E1).
The basic attack proceeds as follows:
Choose a random plaintext and calculate .
Request the encryptions of and to obtain and
Request the decryptions of and to obtain and
Compare and ; when the differentials hold, .
Application to specific ciphers
One attack on KASUMI, a block cipher used in 3GPP, is a related-key rectangle attack which breaks the full eight rounds of the cipher faster than exhaustive search (Biham et al., 2005). The attack requires 254.6 chosen plaintexts, each of which has been encrypted under one of four related keys, and has a time complexity equivalent to 276.1 KASUMI encryptions.
Jongsung Kim; Guil Kim; Seokhie Hong; Sangjin Lee; Dowon Hong (July 2004). "The Related-Key Rectangle Attack — Application to SHACAL-1". 9th Australasian Conference on Information Security and Privacy (ACISP 2004). Sydney: Springer-Verlag. pp. 123&ndash, 136.
Seokhie Hong, Jongsung Kim, Sangjin Lee and Bart Preneel (February 2005). "Related-Key Rectangle Attacks on Reduced Versions of SHACAL-1 and AES-192". FSE '05. Paris: Springer-Verlag. pp. 368&ndash, 383.CS1 maint: Uses authors parameter (link)