Note that the E 1 -1 characteristic works from the ciphertext to the intermediate ciphertext (outside inwards). The

differentials are used in the following relations:

Using these two characteristics, we can then derive a new characteristic for the intermediate encryption of Q 0

and Q 1 :

Hence, we have derived a new characteristic for the Q values:

This characteristic can then be measured by calculating Q 0 ⊕ Q 1 = Ω. Figure 7-3 shows a graphical repres-

entation of how this characteristic occurs.

Figure 7-3 Derivation of the boomerang differential P 0 ⊕ P 1 = Ω leading to Q 0 ⊕ Q 1 = Ω based on a diagram

in Reference [20]. (Light gray lines) XOR's; (dark gray lines) how the differentials propagate from the P 's to

the Q 's; (black lines) encryption.

From the diagram and the derivation above, we can see why this is called the boomerang attack: If we con-

struct the differentials correctly, the differential Ω will come back and hit us in Q 0 ⊕ Q 1 .

We construct the boomerang differential by taking a seed plaintext P 0 with our Ω differential and creating

P 1 = P 0 ⊕ Ω. We then encrypt P 0 and P 1 to obtain C 0 and C 1 , respectively. Next, we calculate new ciphertexts

with our ω differential, so that D 0 = C 0 ⊕ ω and D 1 = C 1 ⊕ ω. We then decrypt D 0 and D 1 to obtain Q 0 and Q 1 .

Some percentage of the time, the moons will align and the differentials will all line up, allowing us to measure

to see if Q 0 ⊕ Q 1 = Ω. When all four differentials hold, we refer to this as a right quartet .

What is the significance of this attack? Well, many algorithms have been deemed to be “secure” against dif-

ferential cryptanalysis because of the lack of any good characteristics on the full cipher. Normally, as the num-

ber of rounds increases, the probability of the differential decreases, thereby requiring more and more plain-

text-ciphertext pairs.