This article includes a list ofgeneral references, butit lacks sufficient correspondinginline citations. Please help toimprove this article byintroducing more precise citations.(March 2009) (Learn how and when to remove this message)

Incryptography, theboomerang attack is a method for thecryptanalysis ofblock ciphers based ondifferential cryptanalysis. The attack was published in 1999 byDavid Wagner, who used it to break theCOCONUT98 cipher.

The boomerang attack has allowed new avenues of attack for many ciphers previously deemed safe from differential cryptanalysis.

Refinements on the boomerang attack have been published: theamplified boomerang attack, and therectangle attack.

Due to the similarity of aMerkle–Damgård construction with a block cipher, this attack may also be applicable to certain hash functions such asMD5.^[1]

The boomerang attack is based ondifferential cryptanalysis. In differential cryptanalysis, an attacker exploits how differences in the input to a cipher (the plaintext) can affect the resultant difference at the output (the ciphertext). A high probability "differential" (that is, an input difference that will produce a likely output difference) is needed that covers all, or nearly all, of the cipher. The boomerang attack allows differentials to be used which cover only part of the cipher.

The attack attempts to generate a so-called "quartet" structure at a point halfway through the cipher. For this purpose, say that the encryption action,E, of the cipher can be split into two consecutive stages,E₀ andE₁, so thatE(M) =E₁(E₀(M)), whereM is some plaintext message. Suppose we have two differentials for the two stages; say,

${\displaystyle \mathrm{\Delta }\to {\mathrm{\Delta }}^{\ast }}$

forE₀, and

${\displaystyle \mathrm{\nabla }\to {\mathrm{\nabla }}^{\ast }}$ forE₁⁻¹ (the decryption action ofE₁).

The basic attack proceeds as follows:

• Choose a random plaintext${\displaystyle P}$ and calculate${\displaystyle P^{\prime }=P\oplus \mathrm{\Delta }}$.
• Request the encryptions of${\displaystyle P}$ and${\displaystyle P^{\prime }}$ to obtain${\displaystyle C=E(P)}$ and${\displaystyle C^{\prime }=E(P^{\prime })}$
• Calculate${\displaystyle D=C\oplus \mathrm{\nabla }}$ and${\displaystyle D^{\prime }=C^{\prime }\oplus \mathrm{\nabla }}$
• Request the decryptions of${\displaystyle D}$ and${\displaystyle D^{\prime }}$ to obtain${\displaystyle Q=E^{-1}(D)}$ and${\displaystyle Q^{\prime }=E^{-1}(D^{\prime })}$
• Compare${\displaystyle Q}$ and${\displaystyle Q^{\prime }}$; when the differentials hold,${\displaystyle Q\oplus Q^{\prime }=\mathrm{\Delta }}$.

One attack onKASUMI, a block cipher used in3GPP, is arelated-key rectangle attack which breaks the full eight rounds of the cipher faster than exhaustive search (Biham et al., 2005). The attack requires 2^54.6 chosen plaintexts, each of which has been encrypted under one of four related keys and has a time complexity equivalent to 2^76.1 KASUMI encryptions.

• Boomerang attack — explained by John Savard

• Cryptographic attacks

• Articles with short description
• Short description matches Wikidata
• Articles lacking in-text citations from March 2009
• All articles lacking in-text citations
• All articles with dead external links
• Articles with dead external links from July 2017
• Articles with permanently dead external links