Boomeyong: Embedding Yoyo within Boomerang and its Applications to Key Recovery Attacks on AES and Pholkos

Abstract. This work investigates a generic way of combining two very effective and well-studied cryptanalytic tools, proposed almost 18 years apart, namely the boomerang attack introduced by Wagner at FSE 1999 and the yoyo attack by Rønjom et al. at Asiacrypt 2017. In doing so, the s-box switch and ladder switch techniques are leveraged to embed a yoyo trail inside a boomerang trail. As an immediate application, a 6-round key recovery attack on AES-128 is mounted with time complexity $2^{78}$. A 10-round key recovery attack on the recently introduced AES-based tweakable block cipher Pholkos is also furnished to demonstrate the applicability of the new technique to AES-like constructions. The results on AES are experimentally verified by implementing them on a small-scale variant of AES. We provide arguments that draw a relation between the proposed strategy and the retracing boomerang attack devised at Eurocrypt 2020. To the best of our knowledge, this is the first attempt to merge the yoyo and boomerang techniques to analyze SPN ciphers, and it warrants further attention as it has the potential of becoming an important cryptanalysis tool.


Introduction
Cryptanalysis is one of the most important ways of determining the strength of a cryptosystem. Ever since the introduction of differential cryptanalysis by Biham and Shamir [BS91], a multitude of cryptanalytic techniques that build upon the basic idea of differential cryptanalysis have been proposed. Among these, a certain class of attacks aims to divide a cipher into multiple sub-ciphers and study the sub-ciphers individually, often analyzing the interactions between them. These methods find high-probability trails (primarily due to the smaller number of rounds) for the sub-ciphers and compose them efficiently to mount an attack on the complete cipher. Some prominent candidates of this class are the boomerang attack [Wag99], the amplified boomerang attack (rectangle attack) [KKS01], the impossible differential attack [BBS99] and the rebound attack [MRST09]. These techniques have been widely applied to several ciphers: the rectangle attack on Serpent [BDK01, BDK02] and Kasumi [BDK05]; impossible differential attacks on AES [LDKK08, ZWF07, BDK06], CLEFIA, Camellia, LBlock, Simon, ARIA [WZF07, WZZ09, BNPS14, BMNPS14], Rijndael-160 and Rijndael-224 [Min17]; the rebound attack on Whirlpool and Grøstl [MRST09, MRST10] and Keccak [DGPW12]; and the boomerang attack on AES in the single-key setting [Bir05] and in the […].

Table 1: Comparisons of key recovery attacks on AES and Pholkos. Note that time complexity is measured in terms of one AES and Pholkos encryption respectively (where no unit is mentioned). Memory complexity is measured in terms of the memory required to store a single state of the primitive. All the attacks tabulated for AES are key recovery attacks. For 10-round Pholkos, the key recovery attack using boomeyong is compared with the distinguishing attack given by the designers. CP and ACC are Chosen Plaintext and Adaptively Chosen Ciphertext respectively. Mix. Diff., Ret. Boom., and ETD refer to Mixture Differential, Retracing Boomerang and Extended Truncated Differential respectively.

Table 1 columns: Primitive, Attack Type, Complexity (Data, Time, Mem.), Ref. (table body not recoverable from the extraction)

A recent addition to the class includes the retracing boomerang attack [DKRS20] and the extended truncated differential attack [BGL20] on AES. The retracing boomerang attack was proposed at Eurocrypt 2020 by Dunkelman et al. and, at the outset, additionally tries to divide the sub-ciphers spatially. The extended truncated differential attack mounts distinguishing and key-recovery attacks on 5-round and 6-round AES by prepending a round that starts from the diagonal subspaces as proposed in [GRR17].
In particular, the boomerang attack is the center of interest of this work, as the techniques developed here rely on it extensively. The boomerang attack, introduced by Wagner, makes use of two differentials to construct a distinguisher spanning a large number of rounds when it is not possible to devise a single differential. As stated earlier, it conceptually divides a cipher into two sub-ciphers, where each differential corresponds to one sub-cipher. Though initially thought to be independent, it has been shown that the differentials can depend on each other based on their interaction at the boundary of the sub-ciphers. The dependency can either lead to an incompatibility, as shown by Murphy [Mur11], or can be exploited to improve the number of rounds, as shown later by the ideas of the s-box switch and ladder switch [BKN09, BK09] and further generalized by the sandwich attack [DKS10, DKS14]. This also led to the introduction of new tools like the boomerang connectivity table (BCT) [CHP+18], the Feistel BCT [BHL+20] and the boomerang distribution table (BDT) [WP19]. Another interesting cryptanalytic technique that is structurally similar to the boomerang (though it does not divide the cipher into sub-ciphers) is the yoyo game, which was introduced by Biham et al. [BBD+98]. At Asiacrypt 2017, it was used to devise a deterministic distinguisher for a generic 2-round Substitution-Permutation Network (SPN) [RBH17], which leads to key recovery attacks on 5-round AES. The concept of the yoyo game was further extended and applied to AES in the known-key setting [SRP18] and to ForkAES [BBJ+19] in the secret-key setting. Table 1 lists the complexities of the attacks presented in this paper on 5-round AES-128 (the variant of AES with a key length of 128 bits), 6-round AES-128 and 10-round Pholkos respectively, along with the other attacks.

Our Contribution
This work investigates the yoyo technique further to extend the number of rounds that it can penetrate. The new approach can be visualized as an embedding of the yoyo game inside a boomerang trail, where the upper trail of the boomerang conforms to the yoyo while the lower trail is a standard but specially crafted differential trail. It applies the concept of the s-box switch and the ladder switch at the boundary of the upper and lower trails. The primary motivation is to construct the lower trail in such a way that the difference added to the ciphertexts leads to a yoyo word-swap at the boundary of the upper and lower trails. This in turn satisfies the essential criterion of the yoyo and leads to the return of the yoyo with probability 1, which can be verified at the top, like the classical yoyo trick. We prove how the s-box switch and ladder switch help achieve the required word-swap (see Fig. 5). The proof idea stems from the fact that the words that swap can be mapped to an equivalent s-box switch, while the words that remain unchanged make a ladder switch. The price we pay is the construction of a truncated differential trail superimposed on the yoyo, which behaves like the upper trail of the boomerang. This is the motivation for using the term embedding while visualizing this setting. So, in classical boomerang terms, if the truncated upper trail has a complexity $p$ and the lower trail has a complexity $q$, then, owing to the word-swap happening at the boundary, the complexity of the complete boomerang distinguisher is $pq^2$. We save a factor of $p$ while going up due to the yoyo property.
As a natural application, first of all, 5(= 4 + 1)-round AES is considered, where the yoyo covers the first 4 rounds, constituting the upper trail, and the lower trail covers 1 round. By embedding yoyo within boomerang, first a distinguisher is reported at the expense of $2^{47}$ oracle queries, contributing to the data complexity, and $2^{46}$ XOR operations, contributing to the time complexity. The distinguisher is further used to recover the secret key of AES-128 (the variant of AES with a key length of 128 bits) with a time complexity of $2^{48}$ XOR operations. The next result is the application to 6 rounds, which is achieved by sandwiching the yoyo between a classical 1-round differential on top and the lower boomerang trail developed in the 5-round attack. The result is a key recovery attack on 6-round AES-128 with a time complexity of $2^{78}$ AES encryptions and a data complexity of $2^{79.72}$ adaptively chosen ciphertexts. Note that the distinguishing attack on AES is independent of the key size, whereas the key recovery attacks described in the paper are applicable to AES-128. However, the key recovery attacks can be further extended to recover the key of 6/7-round variants of AES with a 256-bit key. In the rest of the paper, unless otherwise mentioned, AES-128 is referred to as AES.
Finally, to show the versatility of the strategy, a 10-round key recovery attack is mounted on the very recently proposed AES-based tweakable block cipher Pholkos. We support all our claims with theoretical arguments. The combination of the two strategies seems to be an interesting proposition and may lead to improved results for other SPN ciphers as well, thereby providing better insights. One can appreciate the fact that the proposed technique bears structural similarity with some well-known results. For instance, the 6-round […]

Organization of the paper
The rest of the paper is organized as follows. In Section 2, we briefly discuss the boomerang attack, the yoyo attack, AES and the significance of the signal-to-noise ratio in differential cryptanalysis. The notion of embedding yoyo within boomerang is introduced and thoroughly illustrated in Section 3. In Section 4, the developed cryptanalytic technique is applied to 5-round and 6-round AES to mount key recovery attacks. As an additional application of the developed techniques, a 10-round attack on Pholkos [BLLS20] is shown in Section 5. Section 6 illustrates the close relation between the retracing boomerang attack and the attacks presented in this paper. Finally, the concluding remarks are furnished in Section 7. In Appendix C, the key recovery attacks on 5-round and 6-round AES-128 are extended to recover the key of a variant of AES with a key size of 256 bits.

Preliminaries
This section describes the prerequisites for this paper. First, a brief description of AES is provided. Then, the boomerang attack and the yoyo attack are described briefly with the necessary results. Finally, a short discussion on the signal-to-noise ratio in the context of differential cryptanalysis is provided.

AES: The Advanced Encryption Standard

[…] $\to \delta] = q$, and initially assume $p = q = 1$. The boomerang attack works in the following way.

1. Choose a pair of plaintexts $P_1, P_2$ such that $P_1 \oplus P_2 = \alpha$. Encrypt them using $E$ to obtain $C_1, C_2$ respectively.

[…]

As $p = 1$, $P_3 \oplus P_4 = \alpha$. Note that, for arbitrary $p, q$, $P_3 \oplus P_4 = \alpha$ holds with probability $p^2 q^2$ under the assumption that the upper and the lower trails are independent. Biryukov and Khovratovich further improved the boomerang attack by introducing the concepts of the s-box switch and ladder switch [BKN09, BK09]. These notions add dependency between the upper and the lower trail.
S-box Switch and Ladder Switch. Assume that the last substitution layer in $E_0$ partitions the state into $t$ parts, i.e., $Q$ […]. In a similar way, $\beta$ and $\gamma$ can also be partitioned. Let the last substitution layer in $E_0$ be $S$ and […]. Consider the $i$-th partition.
[…] then probability $q^2$ needs to be paid for satisfying this trail. Now, analyze two special cases.
[…] Therefore, in such cases the probability for one side needs to be paid and the other side occurs deterministically, which improves the overall probability by a factor of $q$. This is known as the s-box switch.
[…] The trail probability is improved by a factor of $q^2$. This is referred to as the ladder switch.

Figure 3: Illustration of the Zero Difference Pattern (ZDP) for an AES state. The gray colored bytes denote the active ones, whereas the white ones denote the inactive bytes. In this case, if each diagonal is considered as a word, then the ZDPs of Fig. 3a and Fig. 3b are (1, 0, 1, 0) and (0, 1, 0, 1) respectively; whereas if inverse diagonals are considered as words, then the ZDPs become (1, 1, 1, 0) and (0, 1, 0, 1). Note that the diagonal (inverse diagonal) containing the $i$-th byte ($0 \le i \le 3$) of the first row is considered the $i$-th diagonal (inverse diagonal).

In […]

Yoyo Attack
The yoyo game is a cryptanalytic technique that was first introduced by Biham et al. [BBD+98] and was applied to analyze Skipjack [NSA98]. It is an adaptive chosen ciphertext/plaintext based strategy that is used to identify pairs of texts which satisfy a certain invariant property. Later, yoyo-based techniques were applied to Feistel ciphers [BLP15]. At Asiacrypt 2017, Rønjom et al. used this strategy to devise a deterministic distinguisher for generic 2-round Substitution-Permutation networks [RBH17]. Further, this result was applied and extended to mount attacks on 5-round and 6-round AES. As the existing results on generic 2-round substitution-permutation networks are reused, the existing definitions and notation of [RBH17] are reviewed.

Definition 1. Zero Difference Pattern (ZDP)
[…] and is defined as […]. Fig. 3 illustrates the notion of ZDP for an AES state. Next, the procedure of exchanging words between two states is defined.

Definition 2. Swapping of Words
Note that the weight of a vector $v$ is denoted by $wt(v)$. In other words, while constructing $\rho_v(\alpha, \beta)$ from $\alpha$, $(n - wt(v))$ words of $\alpha$ are swapped with those of $\beta$.

Signal-to-Noise Ratio
While mounting a key recovery attack, situations may arise where it is not possible to distinguish the right pairs from the wrong ones. In such cases, the notion of the signal-to-noise ratio is used. The signal-to-noise ratio ($S/N$) is used to determine the number of right pairs required to recover the right key. The right key can be suggested by both right pairs and wrong pairs. The suggestions made by right pairs are called signal, whereas those made by wrong pairs are called noise. Let $M$ be the number of pairs queried by the adversary and $p$ be the probability of the characteristic. Then the number of right pairs is $Mp$. As each right pair suggests the right key once, the amount of signal is $Mp$. The number of wrong pairs is $M(1 - p)$. Suppose a filtering technique is used and a wrong pair survives the filtering with probability $\beta$. Therefore, after filtering, the remaining number of wrong pairs is $M(1 - p)\beta$. Let $\eta$ be the average number of key candidates suggested by a wrong pair. Note that such suggestions consist of both right and wrong key candidates. So, the total number of keys suggested by wrong pairs is $M(1 - p)\beta\eta$. Under the assumption that the keys suggested by wrong pairs are uniformly distributed, the amount of noise is $M(1 - p)\beta\eta 2^{-k}$, where $k$ is the length of the guessed key in bits. Therefore the signal-to-noise ratio is
$$S/N = \frac{Mp}{M(1 - p)\beta\eta 2^{-k}} = \frac{2^k p}{(1 - p)\beta\eta}.$$
A counter is maintained for each key suggested by either right or wrong pairs. The value of the counter for each key depends on the signal-to-noise ratio. If $S/N > 1$ then the right key is suggested more often than the other keys, whereas for $S/N < 1$ the right key is suggested fewer times than the wrong ones. By analysing the counters, the right key can be detected. More details regarding the signal-to-noise ratio are provided in [KR11, SSL15]. For $S/N > 1$, generally the candidate key with the highest counter value is taken as the right candidate. But cases may arise where the counter value for the right candidate is not the maximum. Thus, as stated in [SSL15], several key candidates whose counter values are close to the highest one are considered as candidate keys. This method is known as the ranking test.
In the context of differential cryptanalysis, the relation between the number of right pairs required to identify the unique key, the number of key candidates whose counter value is close to the highest one and the success probability was given by Selçuk in [Sel08]. Let $M$ be the number of pairs queried to the oracle, $p$ be the probability of the characteristic and $k$ be the length of the guessed key in bits. Without loss of generality, let the right key be denoted by $K_0$ and let $K_1, \ldots, K_{2^k - 1}$ denote the wrong keys. A plaintext pair suggests $K_i$ as a key candidate with probability $p_i$, and the counter value for each $K_i$ is $T_i$. Under the assumption that the $T_i$'s are independent and identically distributed (i.i.d.), the probability of any of the wrong keys being suggested as the right one is the same and is denoted by $p_w$. For $1 \le i \le 2^k - 1$, $T_i$ follows the binomial distribution $B(M, p_w)$ and $T_0$ follows the binomial distribution $B(M, p_0)$. For large values of $M$, these binomial distributions can be approximated by the normal distributions $N(\mu_w, \sigma_w^2)$ and $N(\mu_0, \sigma_0^2)$, where […]. The right key is deterministically suggested by the right pairs and probabilistically suggested by the wrong pairs, whereas wrong keys are probabilistically suggested by both the right and the wrong pairs. If a certain key is suggested as the right key candidate by a random pair with probability $p_r$, then […]. The attack is successful if $K_0$ is ranked among the top $r$ candidates on the basis of the counter values. Let $\phi$ be the probability density function and $\Phi$ the cumulative distribution function. Then the success probability $P_s$ is given by […], where […]. Based on this, the following propositions connect the success probability, the data complexity and the number of top-ranked values that should be considered as right key candidates.

Proposition 2. [Sel08] Let the correct key $K_0$ of length $k$ be among the top $r$ values of the key counters with probability $P_s$ when a differential attack with characteristic probability $p$ is mounted using $M$ plaintext-ciphertext pairs and signal-to-noise ratio $S/N$. Under the assumptions that the counters corresponding to the wrong keys are independent and identically distributed and that $k$ and $M$ are sufficiently large, $P_s$ can be expressed as a function of the other variables by the following equation: […]

Proposition 3. Let the correct key $K_0$ of length $k$ be among the top $r$ values of the key counters with probability $P_s$ when a differential attack with characteristic probability $p$ is mounted using $M$ plaintext-ciphertext pairs and signal-to-noise ratio $S/N$. Under the assumptions that the counters corresponding to the wrong keys are independent and identically distributed and that $k$ and $M$ are sufficiently large, $M$ can be expressed as a function of the other variables by the following equation: […]

These two propositions are used to estimate the success probability of the boomeyong attacks on 6-round AES and 10-round Pholkos. Now, the details of the process of embedding yoyo within boomerang to devise the new cryptanalytic tool boomeyong are discussed.

Boomeyong: Embedding Yoyo within Boomerang
The central notion of this work is to devise a cryptanalytic technique by combining two powerful techniques: yoyo and boomerang. The same conceptual division as used in the boomerang attack is considered for embedding yoyo within boomerang, leading to a new strategy which we call boomeyong. Proposition 1 states that there is a deterministic distinguisher for the $S \circ L \circ S$ construction irrespective of the internal structure of the $S$ and $L$ layers (here, $S$ corresponds to the substitution layer and $L$ to the linear layer). The trick is to use this $S \circ L \circ S$ layer as the upper trail in devising the boomerang trail. The problem of embedding the yoyo game within boomerang is that the former is based on classical differentials whereas for the latter truncated forms are considered. Refer to Fig. 4 for the attack. Let $E: \mathbb{F}_{2^k}^n \to \mathbb{F}_{2^k}^n$ be a cipher which is divided into two parts: $E_0$ (upper) and $E_1$ (lower). $E_0$ comprises the initial $S \circ L \circ S$ layers and the remaining part of the cipher is considered as $E_1$. Now, let $P_1, P_2, P_3$ and $P_4$ be four plaintexts which are encrypted by $E$ to obtain $C_1, C_2, C_3$ and $C_4$ respectively. The aim is to simulate the yoyo game in the upper trail $E_0$. Let $Q_i = E_0(P_i)$ for $1 \le i \le 4$. Therefore, if $P_1, P_2$ is considered as the initial pair, then by virtue of the yoyo game $\nu(P_1 \oplus P_2) = \nu(P_3 \oplus P_4)$. This also implies that $Q_3, Q_4$ can be obtained by swapping words between […]. The difference between the boomerang and the attack developed in this work is that for the former $\alpha = \alpha'$, whereas for the latter $\alpha = \alpha'$ does not always hold; instead $\nu(\alpha) = \nu(\alpha')$ must hold.

Figure 4: Embedding yoyo within boomerang. Note that for the yoyo game $E_0$ corresponds to the $S \circ L \circ S$ layer, whereas for the boomerang there is no such constraint. Here, the trail superimposed on the yoyo is $\alpha \to \beta$ with probability $p$. The words of $\beta$ that are intended to be swapped are denoted by $\beta_{ws}$. These words will be switched using the corresponding words in the lower trail $\delta \to \gamma$, which holds with probability $q$, using the idea of the s-box switch. The remaining words of $\gamma$, i.e. $\gamma_{wl}$, in the lower trail are zero, thereby leading to a ladder switch of the corresponding words in $\beta$, i.e. $\beta_{wl}$. Note that $\Pr[\beta \to \alpha'] = 1$ due to the yoyo trick.
Constructing the lower trail is quite similar to the construction of the lower trail in the boomerang attack. Let the lower trail […] $\to \gamma$ be the one that needs to be constructed. For realizing the 'Swapping of Words' in the middle (the boundary of $E_0$ and $E_1$), a special kind of relationship must exist between $\beta$ and $\gamma$.
Theorem 1 states that each word in $\gamma$ should either be zero or equal the value of the same word in $\beta$. This ensures that in the middle a swapping of words has taken place between the initial pair, and thus the yoyo game is run for $E_0$. Fig. 5 shows the swapping mechanism in the middle.
For the upper trail $E_0$, $\alpha$ is not fixed; instead $\nu(\alpha)$ is fixed.
Therefore, at the cost of probability $pq^2$, $Q_3, Q_4$ are formed by swapping words between $Q_1, Q_2$, and thus with the same probability it is expected that $\nu(P_3 \oplus P_4) = \nu(P_1 \oplus P_2)$. Let $wt(\nu(P_1 \oplus P_2)) = t$. If $E$ is a random permutation, then this event would occur with probability $2^{-tk}$. While embedding yoyo within boomerang distinguishers, such upper and lower trails should be considered for which $pq^2 > 2^{-tk}$.

Attack Idea. Based on the analysis, the following are the steps of devising a distinguisher by embedding yoyo within boomerang. Suppose access to an oracle $O$ is given and the distinguisher tries to decide whether $O$ is $E$ or a random permutation. […]

Boomeyong Attacks on AES
In the previous section, it was shown how to embed yoyo within a boomerang. The first application of this technique is mounting attacks on 5-round and 6-round AES. The main disadvantage of appending a boomerang trail under the yoyo is that it is no longer possible to swap words between ciphertexts deterministically. In this regard, first of all, a probabilistic yoyo game needs to be devised. The next two definitions define the diagonals, inverse diagonals and columns of an AES state. The notation $\subset_\phi$ is used to denote a non-null proper subset. […]
The following two lemmas provide the basis for devising a probabilistic yoyo game for AES. The main motivation of devising such a game is to penetrate more rounds at the expense of probability. For 5-round AES, the aim is to add such a difference in the ciphertext that in the fourth round, before MixColumns, a swapping of inverse diagonals is realized.

Lemma 1. Let $I, J \subset_\phi \{0, 1, 2, 3\}$ and $p_1, p_2 \in \mathbb{F}_{2^8}^{4 \times 4}$. Then the probability that a set of inverse diagonals $J$ is swapped between $p_1, p_2$, given that a set of columns $I$ is swapped, is given by […]

Lemma 2. […] Then the probability of occurrence of certain $p_1, p_2$ such that swapping a set of inverse diagonals $I \subset_\phi \{0, 1, 2, 3\}$ between $c_1, c_2$ is equivalent to swapping inverse diagonals between $p_1, p_2$ is given by
$$P_{swap}(|I|) = \sum_{j=1}^{3} \binom{4}{j} P_{ID}(|I|, j).$$

Proof. It is easy to visualize that, due to SR, swapping $ID_I$ between $c_1, c_2$ is equivalent to swapping $C_I$ between $p_1, p_2$. Lemma 1 states that swapping $C_I$ is equivalent to swapping $ID_J$ (where $J \subset_\phi \{0, 1, 2, 3\}$) when the bytes in $(C_I \cup ID_J) \setminus (C_I \cap ID_J)$ of $(p_1 \oplus p_2)$ are inactive. Such $p_1, p_2$ occur with probability $P_{ID}(|I|, |J|)$. By summing over all possible choices of $J$, $P_{swap}(|I|) = \sum_{j=1}^{3} \binom{4}{j} P_{ID}(|I|, j)$.
For $|I| = 1$, $P_{swap} \approx 2^{-46}$, which is its maximum value. For a better visualization of Lemma 1, consider the case when $I = \{3\}$ and $J = \{2, 3\}$. In Fig. 6 only the bytes in $C_{\{3\}} \cap ID_{\{2,3\}}$ are active. So, swapping the last column between $p_1, p_2$ can also be considered as swapping the last two inverse diagonals. An example regarding Lemma 2 is described in Appendix A. Next, we apply these results to devise a yoyo game embedded within a boomerang for 5-round AES.
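To make the word-level operations behind Lemma 1 and Lemma 2 concrete, here is an added Python illustration (not code from the paper) of the columns, diagonals and inverse diagonals of an AES state, the ShiftRows relation used in the proof of Lemma 2, and the Fig. 6 case $I = \{3\}$, $J = \{2, 3\}$ on a constructed pair. The layout state[row][col] and the ZDP convention (bit 1 for an inactive word) are assumptions taken from the note on Fig. 3 and from [RBH17]; the sample states are constructed.

```python
"""Word-level view of an AES state as used by Lemma 1 and Lemma 2 (added
illustration, not code from the paper). A state is a 4x4 list state[row][col]
of bytes; the i-th diagonal / inverse diagonal is the one containing byte i of
the first row, following the note on Fig. 3."""
import random

N = 4  # rows and columns of an AES state

def column(i):
    return [(r, i) for r in range(N)]

def diagonal(i):
    # starts at byte (0, i) and moves one column to the right per row (wrapping)
    return [(r, (i + r) % N) for r in range(N)]

def inverse_diagonal(i):
    # starts at byte (0, i) and moves one column to the left per row (wrapping)
    return [(r, (i - r) % N) for r in range(N)]

def shift_rows(s):
    # AES ShiftRows: row r is rotated left by r byte positions
    return [[s[r][(c + r) % N] for c in range(N)] for r in range(N)]

def xor_states(a, b):
    return [[a[r][c] ^ b[r][c] for c in range(N)] for r in range(N)]

def swap_words(a, b, word_fn, idx):
    """Exchange the words word_fn(i), i in idx, between states a and b, e.g.
    columns C_I (word_fn=column) or inverse diagonals ID_I
    (word_fn=inverse_diagonal). Returns the new pair (a', b')."""
    a2 = [row[:] for row in a]
    b2 = [row[:] for row in b]
    for i in idx:
        for r, c in word_fn(i):
            a2[r][c], b2[r][c] = b[r][c], a[r][c]
    return a2, b2

def zdp(diff, word_fn):
    """Zero Difference Pattern nu(diff) over the chosen word type; bit i is 1
    exactly when word i of the difference is all-zero (assumed convention)."""
    return tuple(int(all(diff[r][c] == 0 for r, c in word_fn(i)))
                 for i in range(N))

def wt(v):
    return sum(v)

def shiftrows_swap_commutes(a, b, idx):
    """Step in the proof of Lemma 2: swapping ID_I after ShiftRows gives the
    same pair as applying ShiftRows after swapping C_I, for any two states."""
    after = swap_words(shift_rows(a), shift_rows(b), inverse_diagonal, idx)
    a2, b2 = swap_words(a, b, column, idx)
    return after == (shift_rows(a2), shift_rows(b2))

def bytes_outside_intersection(I, J):
    """Positions in (C_I u ID_J) \\ (C_I n ID_J): Lemma 1 needs these bytes of
    p1 xor p2 to be inactive. For I = J = {3} there are 6 of them, matching
    the 2^-48 cost quoted for the upper trail."""
    ci = {pos for i in I for pos in column(i)}
    idj = {pos for j in J for pos in inverse_diagonal(j)}
    return ci ^ idj

def lemma1_precondition(p1, p2, I, J):
    diff = xor_states(p1, p2)
    return all(diff[r][c] == 0 for r, c in bytes_outside_intersection(I, J))

def column_swap_equals_id_swap(p1, p2, I, J):
    return swap_words(p1, p2, column, I) == swap_words(p1, p2, inverse_diagonal, J)

# Constructed sample pair for the Fig. 6 case I = {3}, J = {2, 3}: the two
# states differ only in C_3 n ID_{2,3} = {(0, 3), (3, 3)}.
P1 = [[0x00, 0x01, 0x02, 0x03],
      [0x10, 0x11, 0x12, 0x13],
      [0x20, 0x21, 0x22, 0x23],
      [0x30, 0x31, 0x32, 0x33]]
P2 = [row[:] for row in P1]
P2[0][3] ^= 0xA5
P2[3][3] ^= 0x5A

def random_pair(seed):
    # two pseudo-random states, for checking the ShiftRows relation generically
    rng = random.Random(seed)
    return [[[rng.randrange(256) for _ in range(N)] for _ in range(N)]
            for _ in range(2)]

if __name__ == "__main__":
    a, b = random_pair(2017)
    print("swap ID_I after SR == SR after swap C_I:", shiftrows_swap_commutes(a, b, {3}))
    print("Fig. 6 precondition holds:", lemma1_precondition(P1, P2, {3}, {2, 3}))
    print("swap C_3 == swap ID_{2,3}:", column_swap_equals_id_swap(P1, P2, {3}, {2, 3}))
    print("ZDP by inverse diagonals:", zdp(xor_states(P1, P2), inverse_diagonal))
```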

Distinguishing and Key Recovery Attacks on 5-round AES
The attack strategy discussed above is applied to devise a 5-round AES distinguisher, which is subsequently converted into a key recovery attack. First of all, 5-round AES is divided into two parts: the part before the $MC$ of the 4-th round is termed $E_0$ and the remaining part of the cipher is termed $E_1$. Note that $E_0$ comprises an $S \circ L \circ S$ layer where $S$ and $L$ correspond to the AES Super-Sbox and $MC$ respectively. Fig. 7 depicts the $E_0$ and $E_1$ partition in AES. Now, Proposition 1 and Lemma 2 are combined to design a 5-round AES distinguisher by devising a probabilistic yoyo game, embedding yoyo within boomerang.

Definition 6. Let $\alpha \in \mathbb{F}_{2^8}^{4 \times 4}$ be a state and $v \in \mathbb{F}_2^4$ be a vector. Then a state $\tau_v(\alpha) \in \mathbb{F}_{2^8}^{4 \times 4}$ is constructed from $\alpha$ such that for $0 \le i \le 3$ […].

Lemma 3. […]

Proof. Let $s_1 = E_0(p_1)$ and $s_2 = E_0(p_2)$. Due to Lemma 2, the probability of occurrence of certain $s_1, s_2$ such that swapping $ID_I$ between $c_1, c_2$ is equivalent to swapping $ID_J$ (where $I, J \subset_\phi \{0, 1, 2, 3\}$) between $s_1, s_2$ is $P_{swap}(|I|)$. Let $s'_1 = E_1^{-1}(c'_1)$ and $s'_2 = E_1^{-1}(c'_2)$. Due to the existence of the Super-Sbox in $E_1$, the intermediate pair $s'_1, s'_2$ can be considered as constructed from $s_1, s_2$ as follows: $s'_1 = s_1 \oplus \gamma$ and $s'_2 = s_2 \oplus \gamma$, where some inverse diagonals of $\gamma$ are zero and the others are exactly equal to the same inverse diagonal of $s_1 \oplus s_2$. Thus, by Theorem 1, $s'_1, s'_2$ is constructed from $s_1, s_2$ using a word swap. Then by Proposition 1, this new pair should preserve the zero difference property. So, the zero difference property over $E_1 \circ E_0$ ($E_1 \circ E_0$ is $R^5$) can be preserved at the expense of probability $P_{swap}(|I|)$. From Definition 6 it can be concluded that $|I| = 4 - wt(v)$.
Note that in Lemma 3 the value of $P_{swap}(4 - wt(v))$ is maximum ($\approx 2^{-46}$) when $wt(v) = 3$. Next, the upper trail and the lower trail are constructed for the 5-round AES distinguisher by leveraging Lemma 3. For the lower trail, $v = 1110$ ($I = \{3\}$) is considered, and for a better understanding of the upper trail, $J = \{3\}$ is shown in Fig. 8.

Constructing the Upper Trail. Refer to Fig. 8 for the upper trail. For $\alpha$, a pair of plaintexts $p_1, p_2$ is chosen such that $wt(\nu(p_1 \oplus p_2)) = 1$. In $\beta$, at the cost of $2^{-48}$, the 6 bytes in $(C_{\{3\}} \cup ID_{\{3\}}) \setminus (C_{\{3\}} \cap ID_{\{3\}})$ remain inactive. By considering the cases when $J = \{0\}, \{1\}$ or $\{2\}$, the probability is increased to $2^{-46}$. We ignore the cases when $|J| > 1$, as they have a negligible effect on the cumulative probability.

Constructing the Lower Trail. For 5-round AES, the construction of the lower trail partially depends on the upper trail. At least one word of $\gamma$ should be equal to the word in the same position of $\beta$. In Fig. 8, $\beta_3$ is equal to $\gamma_3$; $\gamma_0 = \gamma_1 = \gamma_2 = 0$. To generate such a $\gamma$, dependency on the upper trail is required while constructing $\delta$. Let $p_1, p_2$ be encrypted to obtain $c_1, c_2$. For $0 \le i \le 3$, $\delta$ is constructed as follows: […] otherwise.

Figure 6: Visualization of Lemma 1 when $I = \{3\}$ and $J = \{2, 3\}$. As $I = \{3\}$, the last column is swapped between $p_1$ and $p_2$, which is equivalent to swapping the third and fourth inverse diagonals between $p_1$ and $p_2$ because of the positions of the inactive bytes in $p_1 \oplus p_2$. Note that in the last column of $p_1$ and $p_2$ there are two swapped bytes.
(b) Prepare $c'_i = c_i \oplus \delta$ and $c'_j = c_j \oplus \delta$. Query the decryption oracle with $c'_i, c'_j$ to obtain $p'_i, p'_j$.
(c) Check whether $\nu(p'_i \oplus p'_j) = \nu(p_i \oplus p_j)$. If yes, distinguish the oracle as 5-round AES and refer to $(p_i, p_j, p'_i, p'_j)$ as a quartet.
4. If no quartet is found, distinguish the oracle as a random permutation.
Analysis. The data complexity of the attack is ($2^{23}$ encryption queries + $2^{47}$ decryption queries) $\approx 2^{47}$ decryption queries. The time complexity of the attack is $2^{46}$ XOR operations. The memory complexity is $2^{23}$ AES states, used to store the encrypted plaintexts.
Experimental Verification. Due to the high data complexity, it is quite difficult to run the complete attack. Instead, an experiment is run to verify the existence of the claimed trails. One such trail is listed in Appendix B. In addition, an experiment for the distinguishing attack is run on 64-bit AES, whose details are provided in Section 4.3.

Key Recovery Attack.
The key recovery attack is an extension of the distinguishing attack. Refer to Fig. 9 for the attack. Let us assume the distinguisher has successfully found a quartet $(p_1, p_2, p'_1, p'_2)$ and its corresponding ciphertexts $(c_1, c_2, c'_1, c'_2)$. Consider the active bytes of $(c_1 \oplus c'_1)$ in $Z$. $SR^{-1}$ aligns the bytes in the last column. Guess the last column of $K$ and invert the bytes using $SB^{-1}$. Consider the differential in $Y$, apply $MC^{-1}$ to it and check whether or not it transits to a single byte in $X$. The guesses for which only a single active byte is obtained in $X$ are right guesses. The active byte in $X$ can have 255 different values; thus for the active diagonal $255 \approx 2^8$ right key candidates are obtained. The process is repeated for the remaining three diagonals, which gives a total of $2^{32}$ right key candidates. An exhaustive search is done over these $2^{32}$ candidates to recover the right key.
Analysis. For guessing each column, four different right pairs are required. So, the data complexity and the memory complexity are $4 \times 2^{47} = 2^{49}$ adaptively chosen plaintexts and ciphertexts and $2^{23}$ AES states respectively. Once a right pair is found using the distinguisher, $2^8$ key candidates for a column can be retrieved by doing $2^{32} \times 2$ one-round AES encryptions for a column. To retrieve key candidates for all the columns, $2^{32} \times 2 = 2^{33}$ one-round AES encryptions need to be done. Considering five such operations as one 5-round AES encryption, $2^{33}/5 = 2^{30.5}$ AES encryptions are required. For the exhaustive search, $2^{32}$ more encryptions are required. So, the total time complexity is $2^{32} + 2^{30.5} \approx 2^{32.4}$ AES encryptions and $4 \times 2^{46} = 2^{48}$ XOR operations.

Key Recovery Attack on 6-round AES
The 6-round key recovery attack on AES is an extension of the 5-round attack described in this paper. The 6-round attack extensively uses the 4-to-1 property of AES in the initial round. One round is prepended to the 5-round boomeyong attack. As shown in Fig. 10a, if a diagonal is inactive in $D$ for a pair, then it is included in the candidate set.
The main problem is that the candidate set contains right and wrong pairs, as for a random pair any one of the diagonals is inactive with probability $4 \times 2^{-32} = 2^{-30}$. However, using the boomeyong attack such a pair is obtained with much lower probability. Hence, to retrieve the right key candidate using the candidate pairs, the notion of the signal-to-noise ratio is applied.

Attack Idea. Refer to Fig. 10a for the attack. Choose pairs of plaintexts such that only the 4 bytes of one diagonal are active; the remaining bytes are inactive. Query the pairs to the encryption oracle to obtain the corresponding ciphertext pairs. An inverse diagonal is swapped between the ciphertexts to obtain a new pair of texts, which are queried to the decryption oracle to obtain a new pair of plaintexts. As already stated in Section 4.1, with probability $2^{-46}$ swapping an inverse diagonal between the ciphertexts is equivalent to swapping an inverse diagonal between the intermediate states in the previous round. This is the base condition for the yoyo property, under which it is expected that there is one inactive Super-Sbox in the intermediate state before one-round decryption (position $C$ in Fig. 10a). Now in $C$, out of the 3 active bytes, one byte becomes inactive with probability $3 \times 2^{-8} = 2^{-6.4}$ (the inactive diagonal in $D$ should not be the same as the active diagonal in $A$, otherwise the number of candidate keys increases significantly; so the corresponding byte in $C$ should be active). The transition $A \to B$ occurs with probability $4 \times 2^{-24} = 2^{-22}$. Hence, the cumulative probability of obtaining an inactive diagonal is $2^{-22} \times 2^{-46} \times 2^{-6.4} = 2^{-74.4}$. For a random pair, a pair of texts with such an inactive diagonal can be obtained with probability $3 \times 2^{-32} = 2^{-30.4}$. Therefore, by this attack, a set of right and wrong pairs is obtained and there is no way to distinguish the right ones from the wrong ones. If $2^{74.4}$ pairs are queried, then it is expected that there are around $2^{74.4} \times 2^{-30.4} = 2^{44}$ wrong pairs and one right pair. The right key candidate is suggested by the right pair, whereas the wrong pairs can suggest both right and wrong key candidates. The diagonal of the key corresponding to the active diagonal of the initial plaintext pairs is guessed (refer to Fig. 10b). So, the size of the guessed key space is 32 bits, and thus a counter for each of the $2^{32}$ keys is maintained to count the key suggestions.
To determine the required number of right pairs, the notion of the signal-to-noise ratio is applied.
Algorithm 1: Algorithm for Key Recovery Attack on 6-round AES. Result: the secret key. Recoverable steps of the listing: if there is only one active byte in X and Y and its position is the same in both X and Y then; include the first $2^{7}$ key candidates with the highest counter value in $K_m$; 28: end; 29: $K_2$ and $K_3$ are populated with all $2^{32}$ candidates; 30: exhaustively search for the right subkey in $K_0 \times K_1 \times K_2 \times K_3$; 31: find the secret key from the subkey.
Determining the required number of right pairs. By referring to Section 2.4, the values of p and k are $2^{-74.4}$ and 32 respectively. Now, the number of keys (right and wrong) suggested by each wrong pair needs to be determined. Consider a pair of texts $P_1, P_2$ which are encrypted, diagonals are swapped between their corresponding ciphertexts, and the results are decrypted to obtain $P_3, P_4$. Let the first diagonal of the key be guessed. So, the first diagonal of $P_1, P_2$ is partially encrypted for one round using the guessed key and it is checked whether a 4-to-1 transition occurred or not. A similar experiment is done with $P_3, P_4$. If 4-to-1 occurs in both cases, then the value of the counter corresponding to the key is incremented. After 4-to-1, the position of the active byte should be the same in both cases. Hence, for a fixed wrong pair and a fixed guessed key, the counter value is incremented with probability $4 \times 2^{-24} \times 2^{-24} = 2^{-46}$. So, the average number of keys suggested by a wrong pair is $2^{-46} \times 2^{32} = 2^{-14}$ ($\eta = 2^{-14}$). Note that if the first diagonal of $P_3, P_4$ is inactive, then the pair needs to be discarded, as this pair suggests $4 \times 2^{-24} \times 2^{32} = 2^{10}$ keys and to recover the correct key the data complexity may need to be increased. Hence, a wrong pair survives with probability $3 \times 2^{-32} = 2^{-30.4}$. Therefore,
$$S/N = \frac{2^{32} \times 2^{-74.4}}{(1 - 2^{-74}) \times 2^{-30.4} \times 2^{-14}} \approx 2^{2}.$$
Plugging in the value of r as $2^{7}$ in Proposition 3, the numbers of plaintext-ciphertext pairs required to recover a diagonal of the correct key for various success probabilities are listed in Table 3.
From Table 3, the number of plaintext-ciphertext pairs required for key recovery with success probability 0.85 is $2^{77.72}$. As p is $2^{-74.4}$, $2^{77.72} \times 2^{-74.4} = 9.98$ right pairs are required to recover four bytes of the right key. The process is repeated one more time for another diagonal. The remaining part of the key is recovered using exhaustive search. In order to minimize the cost of the exhaustive search, the value of r is taken as $2^{7}$. Hence, the cumulative success probability is $0.85 \times 0.85 \approx 0.72$. Details regarding the key recovery attack on 6-round AES are given in Algorithm 1. Note that in Step 20 and Step 21 of Algorithm 1, $s^{4}$ denotes four parallel applications of SubBytes on four bytes and $MC_m$ denotes the application of MC on the m-th column.
Analysis. With reference to Step 6, $2^{77.72}$ pairs are required to be queried to both the encryption and the decryption oracle for the first and the second diagonal. Hence, the data complexity is $2 \times 2 \times 2 \times 2^{77.72} = 2^{80.72}$ encryption/decryption queries. Time complexity involves $2^{79.72}$ XOR operations, computations of $MC \circ SB \circ AK$ operations for a single column in Step 20 and Step 21, and the exhaustive search for finding the right key. After filtering, the remaining number of pairs is $2^{77.72} \times 2^{-30.4} = 2^{47.32}$. So, the total number of $MC \circ SB \circ AK$ operations is $2^{47.32} \times 4 \times 2 = 2^{50.32}$. As four such operations approximately constitute one round of AES encryption, it is assumed that 24 such operations are equivalent to one (6-round) AES encryption. So, the total number of such operations is $2^{50.32}/24 \approx 2^{45.73}$ AES encryptions. In Step 30, $2^{7} \times 2^{7} \times 2^{32} \times 2^{32} = 2^{78}$ offline AES encryptions are required to recover the right key. The cost of $2^{79.72}$ XOR operations is lower in comparison to the $2^{78}$ AES encryptions (even if 6 XOR operations are considered as one encryption of 6-round AES, the $2^{79.72}$ XOR operations are equivalent to $2^{77.14}$ AES encryptions). The memory requirement for this attack is the memory used for storing the counter. As a byte is sufficient for storing the value of each index of the counter, $2^{32}$ bytes are required, which is equivalent to $2^{32}/16 = 2^{28}$ AES states; this constitutes the memory complexity.
Reducing the Encryption Queries. Refer to β in the upper trail in Fig. 8. Only the four combinations corresponding to the position of the active byte in the last column are considered. But similar events can occur for the other columns also. Thus, instead of swapping only the last inverse diagonal, if all the inverse diagonals are swapped then it is possible to reduce the number of encryption queries by 3/4, as for each pair of initial plaintexts four different pairs of ciphertexts can be constructed after swapping. Thus the number of encryption queries can be reduced. The number of decryption queries cannot be decreased, as all the swapped pairs need to be queried to the decryption oracle. The number of encryption queries can be further reduced by using the structure technique. Hence the modified data complexity is approximately $2^{79.72}$.
One may be tempted to think that instead of repeating the algorithm for two diagonals independently, reusing the set of plaintext-ciphertext pairs that suggest the top key candidates to recover the second diagonal of the key may lead to a significant reduction in the number of wrong pairs while keeping the number of right pairs the same. However, our investigation suggests that in the above modified strategy the number of right pairs corresponding to the second diagonal also reduces. It happens because the pairs whose second diagonal is inactive need to be discarded while recovering the second diagonal of the key. This claim about the ineffectiveness of the above-mentioned strategy has also been supported by our experimental results.
Moreover, it can be noted that the key recovery attacks on 5/6-round AES-128 can be extended to mount key recovery attacks on 6/7-round AES-256 respectively. The details of those attacks are provided in Appendix C.

Experimental Verification on 64-bit AES
To show the validity of the attacks presented in this paper, experimental verification of the attacks is carried out on a small-scale variant of AES proposed by Cid et al. [CMR05]. The variant that is considered has a block length of 64 bits and is thus referred to here as 64-bit AES. The bytes in the original AES are replaced with nibbles (4 bits). The round operations SubBytes, ShiftRows, MixColumns and AddRoundKey are redefined to comply with the 64-bit version. As the design of 64-bit AES is quite similar to the original version, the analysis of AES presented in this paper applies to it. Thus it provides a framework for verifying the validity of the attacks.

Distinguishing Attack on 5-round 64-bit AES
Recall the attack in Section 4.1. In this case, the modified probability of the occurrence of β is $4 \times 2^{-24} = 2^{-22}$. Hence, by checking $2^{22}$ pairs of plaintexts the validity of the attack can be established. Hence, a structure of $2^{11}$ plaintexts is constructed such that only the bytes in the principal diagonal differ; the remaining bytes are the same for all plaintexts. Using these states, the experiment for the 5-round attack is carried out on 64-bit AES. As expected, a pair of states with the same zero-difference pattern as the initial pair of states is obtained. The code for the 5-round attack on 64-bit AES is available online¹.

Key Recovery Attack on 6-round 64-bit AES
To validate the theoretical claims, experiments have been conducted on the 6-round 64-bit AES [CMR05], where the key recovery attack could successfully recover a diagonal. Here, we detail the experimental results of the attack. One can recall from Section 4.2 that swapping an inverse diagonal between ciphertexts is equivalent to swapping an inverse diagonal between the intermediate states in the previous round with probability $6 \times 2^{-24} = 2^{-22}$. For the rest of the discussion refer to Fig. 10a. For 64-bit AES it can be seen that the transition A → B occurs with probability $4 \times 2^{-12} = 2^{-10}$. In C, out of three active bytes one becomes inactive with probability $3 \times 2^{-4} = 2^{-2.4}$. Hence, the total probability of the characteristic is $2^{-10} \times 2^{-22} \times 2^{-2.4} = 2^{-34.4}$. For any random pair, any one of the three diagonals becomes inactive with probability $3 \times 2^{-16} = 2^{-14.4}$ (this is the filtering probability). The average number of keys suggested by each wrong pair is $2^{16} \times 4 \times 2^{-12} \times 2^{-12} = 2^{-6}$. Hence,
$$S/N = \frac{2^{16} \times 2^{-34.4}}{(1 - 2^{-34.4}) \times 2^{-14.4} \times 2^{-6}} \approx 2^{2}.$$
With reference to Proposition 3, if the values of r and $P_s$ are set to $2^{7}$ and 0.75 respectively, then the number of plaintext-ciphertext pairs required to recover the correct key is $2^{37.4}$ (8 right pairs are required). After the filtering, the expected number of pairs (both right and wrong) is $2^{37.4} \times 2^{-14.4} = 2^{23}$. As described in Section 2.4, the counter values corresponding to each key follow the normal distribution. Hence, the counter with the highest value may not be the right key (if the counter values had followed a uniform distribution, then the candidate key having the highest counter value could have been considered as the right key).
The experiment is initiated by randomly choosing a 64-bit key. The experiment is conducted to recover the nibbles corresponding to the first diagonal of the key. As expected, after the filtering 6749861 pairs ($\approx 2^{22.69}$) survive. After the experiment, the counter value corresponding to the first diagonal is 15, whereas the highest value of the counter is 17. The counter value corresponding to the right key is among the top 128 values (the numbers of key candidates corresponding to the counter values 17, 16 and 15 are 4, 2 and 10 respectively).
To further validate the success probability of the proposed attack, the partial key recovery corresponding to a diagonal has been repeated 55 times. Out of these, 43 times the diagonal corresponding to the right key ranked among the top $2^{7}$ candidates. Hence, the practical success probability of the attack is $43/55 = 0.78$, which is close to the theoretical value of 0.75.
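The two ingredients of the counting step above (the 4-to-1 transition of one diagonal through AK, SB, SR, MC, and the counter over all $2^{16}$ guesses of a key diagonal, as in Steps 20 and 21 of Algorithm 1) can be reproduced on a nibble-based AES column in a few lines. The following is an added illustration, not the authors' published 64-bit AES code. It assumes GF($2^4$) with reduction polynomial $x^4 + x + 1$ and the AES-shaped circulant MixColumns matrix, as in the small-scale AES of Cid et al., and substitutes the PRESENT 4-bit S-box for the small-scale AES S-box, since the 4-to-1 property depends only on MixColumns being MDS and not on which bijective S-box is used. The key diagonal, the seeds and the sample pairs are constructed inside the example.

```python
import random
from collections import Counter

# Assumed small-scale AES column arithmetic (not the paper's code): GF(2^4) with
# x^4 + x + 1 and the AES circulant MixColumns matrix; PRESENT S-box substituted.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(v) for v in range(16)]
POLY = 0x13  # x^4 + x + 1

def gf16_mul(a, b):
    """Multiply two GF(2^4) elements modulo x^4 + x + 1."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x10:
            a ^= POLY
        b >>= 1
    return r

MUL = [[gf16_mul(a, b) for b in range(16)] for a in range(16)]
MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def mix_column(col):
    """MixColumns on one column of four nibbles."""
    return [MUL[row[0]][col[0]] ^ MUL[row[1]][col[1]]
            ^ MUL[row[2]][col[2]] ^ MUL[row[3]][col[3]] for row in MC]

def partial_round(diag, key_diag):
    """AK, SB and MC restricted to one diagonal. ShiftRows moves a diagonal
    onto one column, so the four nibbles are given in that column order."""
    return mix_column([SBOX[d ^ k] for d, k in zip(diag, key_diag)])

def four_to_one(d1, d2, key_diag):
    """Position of the single active nibble after the partial round, or None."""
    diff = [a ^ b for a, b in zip(partial_round(d1, key_diag),
                                  partial_round(d2, key_diag))]
    active = [i for i, x in enumerate(diff) if x]
    return active[0] if len(active) == 1 else None

def estimate_four_to_one_prob(trials, seed=1):
    """Empirical rate at which a fully active diagonal pair collapses to one
    active nibble; the paper's figure for 64-bit AES is 4 * 2^-12 = 2^-10."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = [rng.randrange(16) for _ in range(4)]
        d1 = [rng.randrange(16) for _ in range(4)]
        d2 = [x ^ rng.randrange(1, 16) for x in d1]   # every nibble active
        if four_to_one(d1, d2, key) is not None:
            hits += 1
    return hits / trials

def mc_preimage(target):
    """Column whose MixColumns image is target (exhaustive search)."""
    for v in range(1 << 16):
        col = [(v >> (4 * i)) & 0xF for i in range(4)]
        if mix_column(col) == target:
            return col
    raise ValueError("no preimage")

def make_right_pair(key_diag, pos, rng):
    """Pair that is 4-to-1 at position pos under key_diag, built backwards
    from a single active nibble after MixColumns."""
    x = [rng.randrange(16) for _ in range(4)]
    out_diff = [0, 0, 0, 0]
    out_diff[pos] = rng.randrange(1, 16)
    x2 = [a ^ b for a, b in zip(x, mc_preimage(out_diff))]
    d1 = [INV_SBOX[v] ^ k for v, k in zip(x, key_diag)]
    d2 = [INV_SBOX[v] ^ k for v, k in zip(x2, key_diag)]
    return d1, d2

def key_from_int(k):
    return [(k >> (4 * i)) & 0xF for i in range(4)]

def rank_key_candidates(quads):
    """Counting step for one key diagonal: a guess is credited when both
    (d1, d2) and (d3, d4) are 4-to-1 at the same position."""
    counter = Counter()
    for k in range(1 << 16):
        kd = key_from_int(k)
        for d1, d2, d3, d4 in quads:
            pos = four_to_one(d1, d2, kd)
            if pos is not None and four_to_one(d3, d4, kd) == pos:
                counter[k] += 1
    return counter

def demo(seed=7):
    """One right quadruple plus three random (wrong) ones; returns the
    constructed key diagonal and the counter over all 2^16 guesses."""
    rng = random.Random(seed)
    true_key = 0xB7A2                  # constructed secret key diagonal
    kd = key_from_int(true_key)
    d1, d2 = make_right_pair(kd, 2, rng)
    d3, d4 = make_right_pair(kd, 2, rng)
    quads = [(d1, d2, d3, d4)]
    for _ in range(3):
        quads.append(tuple([rng.randrange(16) for _ in range(4)]
                           for _ in range(4)))
    return true_key, rank_key_candidates(quads)

if __name__ == "__main__":
    print("4-to-1 rate:", estimate_four_to_one_prob(1 << 14))
    key, counter = demo()
    print(hex(key), counter[key], max(counter.values()))
```

With a single right quadruple the true diagonal gets counter value 1 while almost no wrong guess is credited (a wrong guess is credited on a given quadruple with probability about $2^{-20}$); with the $2^{23}$ surviving pairs of the real experiment the counters follow the normal distribution described above, which is why a rank test over the top $2^{7}$ candidates is used instead of taking the single highest counter.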

Boomeyong Attack on Pholkos
Next, the boomeyong technique is applied to the tweakable block cipher Pholkos [BLLS20]. An attack strategy quite similar to the 6-round attack on AES is used to mount a key recovery attack on 10-round Pholkos with data, time and memory complexity of $2^{189.8}$, $2^{188.8}$ and $2^{122}$ respectively. Until now, the only result on 10-round Pholkos is a distinguishing attack by the designers whose data, time and memory complexity are $2^{260}$, $2^{260}$ and $2^{32}$ respectively.

Specification of Pholkos
Pholkos is a recently proposed family of tweakable block ciphers which is based on AES round functions. It follows the design strategy of AESQ [BK14] and Haraka [KLMR16]. An instance of Pholkos with a block size of n bits and a key size of k bits is denoted by Pholkos-n-k. The tweak size in Pholkos is 128 bits for all variants. The secret-key variants of Pholkos are Pholkos-256-256, Pholkos-512-256 and Pholkos-512-512. An n-bit Pholkos state is considered as n/128 parallel AES substates, where each substate goes through 2 rounds of AES operations followed by a columnwise permutation of words between substates.
The substates are indexed from 0 to $n/128 - 1$ with the leftmost substate indexed as 0. The AddRoundKey (AK) operation in AES is substituted by AddRoundTweakey (ATK) in Pholkos. Like AES, MC is also omitted in the last round of Pholkos. The total numbers of rounds in the Pholkos variants with block sizes of 256 and 512 are 16 and 20 respectively. The details regarding key expansion and tweakey generation are omitted here; for more details refer to [BLLS20]. The notation used is as follows.
• $P_i[j]$: denotes the j-th substate in the i-th round of Pholkos state P.
• $X^{P}_{i}$: denotes the state before MC in the i-th round for an initial state P.
• $X^{P}_{i}[j]$: denotes the j-th substate before MC in the i-th round for an initial state P.
As the attacks discussed here are independent of the key size, an instance of Pholkos with block size b is denoted by Pholkos-b. Fig. 11a shows the round operations for Pholkos-512 and Pholkos-256. In Pholkos, there is a group of 128 bits which is independent of the other bits of the Pholkos state over a certain number of rounds. This is called a MegaSbox (cf. [DLP+09]) and its details are now discussed.
MegaSbox. Refer to Fig. 11b for the MegaSbox construction in Pholkos. Four diagonals in four AES substates are aligned to a column in each substate due to the effect of $R^{i-1}_{j}$ for $0 \le j \le 3$ in round $i-1$. The subsequent $\pi_{512}$ combines these columns into a single substate, where they go through two rounds of AES. The following $\pi_{512}$ breaks the substate by moving the columns to different substates, and SR ∘ SB aligns the bytes in inverse diagonals. The MegaSbox in Pholkos-512 spans over 3.5 rounds; 3.5 rounds of Pholkos-512 can be considered as four parallel applications of the MegaSbox. This MegaSbox is exploited while mounting the key recovery attack on Pholkos.

Key Recovery Attack on 10-round Pholkos
The key recovery attack on 10-round Pholkos is similar to the 6-round key recovery attack on AES. For the upper trail, the $S \circ L \circ S$ layer needs to be identified. Here, S and L refer to the MegaSbox and MC respectively. As the MegaSbox spans over 3.5 rounds, the $S \circ L \circ S$ layer starting from round 2 covers 7.5 rounds in total. The strategy remains the same: at the end of 10 rounds, such a δ is to be added that the inverse diagonals are swapped between the intermediate states in the previous round. Contrary to AES, here four different inverse diagonals in four substates need to be swapped, and they should be part of the same MegaSbox. Suppose $P_1, P_2$ are two Pholkos states which are encrypted to obtain $C_1, C_2$ respectively. By Lemma 2, swapping $ID_{\{3\}}$ between $C_1[3]$ and $C_2[3]$ is equivalent to swapping $ID_J$, for some nonempty $J \subseteq \{0, 1, 2, 3\}$, between $X^{P_1}_{9}[3]$ and $X^{P_2}_{9}[3]$ with probability $2^{-46}$ (approx.). If all other inverse diagonals corresponding to a MegaSbox in the remaining substates are inactive in the difference $X^{P_1}_{9} \oplus X^{P_2}_{9}$, then swapping of and thus a right pair can be uniquely distinguished; but it requires a data complexity of around $2^{206.5}$. To reduce the data complexity, instead of using a unique right pair, a set of right and wrong pairs is used and then the right key candidate is guessed using the ranking test. Note that, as t diagonals are inactive in $P_3 \oplus P_4$, a wrong pair survives the filtering with probability $\binom{16}{t} \times 2^{-32t}$. Now, 128 bits of the key are guessed corresponding to the four active diagonals in $P_3 \oplus P_4$. For a wrong pair, out of the $2^{32}$ key guesses for each diagonal, $2^{32} \times 2^{-22} = 2^{10}$ guesses conform to the 4-to-1 transition. So, a wrong pair suggests $2^{40}$ key guesses. Therefore, S/N > 1 when $t \ge 4$.
As the probability of the trail is $2^{-164-8t} \times \binom{16}{t}$, with increasing t the trail probability decreases significantly. Hence, t = 4 is considered. For t = 4, the trail probability is $2^{-185.2}$ and $S/N = 2^{20}$. With reference to Proposition 3, if $r = 2^{7}$ is considered, then the success probability is 0.92 if $2^{186.2}$ plaintext-ciphertext pairs are used for recovering a diagonal of the key. As in Algorithm 2 this step is repeated three times, the overall success probability of recovering the correct key is 0.78. Therefore, collecting two right pairs is enough for guessing the right key. As 128 bits of the key are guessed at a time, the size of the counter is $2^{128}$. Algorithm 2 in Appendix D gives the details of the key recovery mechanism.
Analysis. Referring to Step 8 in Algorithm 2, $2^{186.2}$ pairs are required for encryption and decryption in each iteration. So, the total data complexity is $3 \times 2^{186.2} \times 4 = 2^{189.8}$ encryption/decryption queries. Time complexity involves $3 \times 2^{186.2} \times 2 = 2^{188.8}$ XOR operations, the computation of partial encryptions and the cost of the exhaustive search in Step 37. Out of $2^{186.2}$ pairs, $2^{58.2}$ pairs remain after the filtering. Each pair suggests around $2^{40}$ candidate keys. So, for $2^{58.2}$ pairs, $2 \times 2^{40} \times 2^{58.2} = 2^{99.2}$ partial encryptions are computed. As this process is repeated for three different sets of diagonals, the total number of
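The choice of t above is a trade-off between the trail probability $2^{-164-8t}\binom{16}{t}$ and the filtering probability $\binom{16}{t}2^{-32t}$ of a random pair (both derived in the attack idea for Pholkos), with 128 guessed key bits and $2^{40}$ suggestions per surviving wrong pair. The following added example, which is not part of the paper, evaluates that trade-off for every t and also checks the S/N ratios the paper gives for 6-round AES-128 and 6-round 64-bit AES with the same formula. The S/N expression is the one the paper evaluates, $2^{k} p / ((1-p) \cdot \text{filter} \cdot \eta)$; the function names are this example's own.

```python
from math import comb, log2

def signal_to_noise(k_bits, p, filter_prob, eta):
    """S/N in the form the paper evaluates it: 2^k * p / ((1 - p) * filter * eta),
    where filter is the probability that a wrong pair survives filtering and
    eta is the average number of key guesses a surviving wrong pair suggests."""
    return (2.0 ** k_bits) * p / ((1.0 - p) * filter_prob * eta)

def pholkos_trail_prob(t):
    """Probability that t diagonals of P3 xor P4 are inactive for a right pair:
    2^-22 (4-to-1) * 2^-142 (MegaSbox swap) * C(16,t) * 2^-8t."""
    return comb(16, t) * 2.0 ** (-164 - 8 * t)

def pholkos_filter_prob(t):
    """Probability that a random pair has t diagonals inactive: C(16,t) * 2^-32t."""
    return comb(16, t) * 2.0 ** (-32 * t)

def pholkos_sn(t, k_bits=128, eta=2.0 ** 40):
    """S/N for the 10-round Pholkos attack when t inactive diagonals are used as
    the filter; 128 key bits are guessed and a wrong pair suggests 2^40 keys."""
    return signal_to_noise(k_bits, pholkos_trail_prob(t),
                           pholkos_filter_prob(t), eta)

def tradeoff_table():
    """(t, log2 of trail probability, log2 of S/N) for t = 1..16."""
    return [(t, log2(pholkos_trail_prob(t)), log2(pholkos_sn(t)))
            for t in range(1, 17)]

def smallest_t_with_sn_above_one():
    """Smallest filter size for which the signal dominates the noise."""
    return next(t for t in range(1, 17) if pholkos_sn(t) > 1)

def t_values_where_trail_beats_random():
    """t for which a right pair is more likely than a random pair to show
    t inactive diagonals (the paper notes this holds for 7 <= t <= 16)."""
    return [t for t in range(1, 17)
            if pholkos_trail_prob(t) > pholkos_filter_prob(t)]

def paper_instances_log2_sn():
    """log2 S/N for the three attacks in the paper, using its own parameters."""
    return {
        "AES-128, 6 rounds": log2(signal_to_noise(32, 2 ** -74.4, 2 ** -30.4, 2 ** -14)),
        "64-bit AES, 6 rounds": log2(signal_to_noise(16, 2 ** -34.4, 2 ** -14.4, 2 ** -6)),
        "Pholkos-512, 10 rounds, t=4": log2(pholkos_sn(4)),
    }

if __name__ == "__main__":
    for t, lp, lsn in tradeoff_table():
        print(f"t={t:2d}  log2 p={lp:8.2f}  log2 S/N={lsn:7.2f}")
    print("smallest t with S/N > 1:", smallest_t_with_sn_above_one())
    print(paper_instances_log2_sn())
```

Since the binomial factor cancels, $S/N = 2^{128-164-8t+32t-40} = 2^{24t-76}$, which is why S/N first exceeds 1 at t = 4 (where it equals $2^{20}$) and why a larger t only lowers the trail probability without changing the conclusion.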

Conclusion
In the current work, we concentrated on devising a generic strategy for embedding the yoyo trick inside a boomerang trail. In doing so, we take a fresh look at the word-swap operation of the yoyo trick that is fundamental to the deterministic nature of the basic yoyo game. Our investigations lead to proving that the word-swap operation is a combination of the s-box switch and the ladder switch if we geometrically visualize the yoyo to be on top of the lower boomerang trail. The core idea here is to devise the lower boomerang trail in such a way that the intended s-box and ladder switches happen at the boundary, thereby fulfilling the condition of the yoyo game, which then leads to a deterministic transition on the way back to the top. The proposed strategy leads to new key recovery attacks on AES reduced to 5 and 6 rounds. The 5-round attack has a time complexity of $2^{48}$ XOR operations. The 6-round attack reaches a time complexity of $2^{78}$ AES encryptions. The attack is further adapted to 10 out of 20 rounds of Pholkos-512, showcasing its versatility.
To the best of our knowledge, this is the first-ever third-party cryptanalysis of Pholkos. While mounting the key recovery attacks, the notion of the signal-to-noise ratio is employed. The attacks on AES are experimentally verified by employing them on a 64-bit variant of AES (code is available online²). We also establish a relation of the proposed strategy with the retracing boomerang attack. It is worth mentioning that the boomeyong strategy performs better than most of the recent attacks reported on 6-round AES, like the extended truncated differential attack, the exchange attack and the yoyo attack, in time complexity, data complexity or both. Finally, the embedded yoyo-boomerang strategy helps to increase the understanding of AES and other AES-like designs and may be used as an effective cryptanalysis tool for other SPN and non-SPN ciphers as well.

B Sample Trail for 5-round AES-128
Here, a trail for 5-round AES-128 as claimed in Section 4.1 is provided as an illustration. Note that the trail is searched using only $2^{23}$ encryptions and checking whether the six specific bytes in the intermediate state after 4 rounds of encryption are inactive or not. The existence of such trails strengthens the validity of the attacks on 5-round and 6-round AES discussed in this paper. The pair of plaintexts $p_1, p_2$, the key and the other intermediate states are stipulated in hexadecimal form.

C Attacks on AES-256
The key recovery attacks on 5-round and 6-round AES-128 can be extended to mount attacks on 6-round and 7-round AES-256. This variant of AES is composed of 14 rounds and 15 subkeys are used, where the first two subkeys are part of the master key. The remaining keys are derived from the master key using a key scheduling algorithm. Let $K_0$ and $K_1$ denote the first two subkeys. The attack idea is that if $K_0$ is correctly guessed, then $K_1$ for 6/7-round AES-256 can be recovered following strategies similar to the one proposed in this work for AES-128.
To mount an attack on 6/7-round AES-256, first $K_0$ needs to be guessed. Then intermediate states similar to the ones used for attacking AES-128 are constructed. These states are inverted one round by using the guessed value of the key $K_0$. These inverted states form the input of AES-256, which are then queried to the encryption oracle. The states that are obtained from the decryption oracle are encrypted one round using the same guessed value of $K_0$ to obtain the intermediate states. It can be noted that for 6/7-round AES-256, these intermediate states along with the initially constructed ones reduce the attack to recover $K_1$ to a setting analogous to 5/6-round AES-128 respectively (as described in Section 4).
The attack depends on the guess of the key $K_0$. A brute-force attack is applied to recover the 128-bit key $K_0$ and thus $2^{128}$ try-outs are required. Hence, the data complexity is $2^{128}$ encryption queries and the time complexity is $2^{128}$ times the corresponding values of the attacks on AES-128. However, the memory complexity remains the same, as two independent key guesses have no effect on one another, i.e., the data obtained for one key guess has no use for another key guess. Therefore, the data, time and memory complexity of the key recovery attack on 6-round AES-256 are $2^{49} \times 2^{128} = 2^{177}$ adaptive chosen ciphertexts, $2^{48} \times 2^{128} = 2^{176}$ XOR operations and $2^{23}$ AES states respectively. The corresponding complexities of the attack on 7-round AES-256 are $2^{79.72} \times 2^{128} = 2^{207.72}$ adaptive chosen ciphertexts, $2^{78} \times 2^{128} = 2^{208}$ AES encryptions and $2^{28}$ AES states respectively.

Figure 5: Visualizing Yoyo Word-Swap as a combination of S-box switch and Ladder switch operations.
Among all these $C_I \cup ID_J$ bytes, if only the bytes in $C_I \cap ID_J$ are active between $p_1, p_2$, then the column swap is equivalent to the inverse diagonal swap. Therefore, the bytes in $(C_I \cup ID_J) \setminus (C_I \cap ID_J)$ need to be inactive. $|(C_I \cup ID_J) \setminus (C_I \cap ID_J)| = 4(|I| + |J|) - 2|I||J|$. Hence, the required probability $P_{ID}(|I|, |J|) = 2^{-8 \times (4(|I|+|J|) - 2|I||J|)}$ is achieved.

Figure 8: Upper and Lower Trail of 5-round AES. In this trail, the red-colored byte should be equal in β and γ in order to realize the inverse diagonal swap at the boundary of $E_0$ and $E_1$.

Figure 12: Relationship of boomeyong on AES with the mixing retracing boomerang attack [DKRS20]. On the left, the framework of the mixing retracing boomerang attack is shown; on the right, the lower trail of the boomeyong attack on 5-round AES is shown. In both attacks, a part of the state is exchanged between the ciphertexts. Here, $Y^{L}_{i} \leftarrow E_L$

• Initial difference of $p_1$ and $p_2$.
• Difference of intermediate states after 4 rounds of encryption (excluding the last MixColumns operation).
• Difference of ciphertexts after 5 rounds of encryption.
• Difference of states after swapping the last column between ciphertexts and subsequent 5 rounds of decryption.

Table 2: Key recovery attacks reported in this work. ACC is adaptive chosen ciphertexts. † 512-bit key
attack can easily be seen in the framework of the sandwich attack, where 4 rounds of AES form the middle layer. In that sense, this work reports the first result where the middle layer consists of 4 rounds of AES. On the other hand, the attack can also be shown to have a close relation to the retracing attack, a discussion on which is furnished later (see Section 6). The contributions of the current work are summarized in Table
[BKN09, BK09], these two notions were exploited to mount related-key boomerang attacks on AES-192 and AES-256. Later on, Dunkelman et al. formalized these notions by dividing the cipher into $E_0$, $E_m$ and $E_1$ [DKS10]. Cid et al. considered $E_m$ as an S-box layer and developed a tool, the Boomerang Connectivity Table, in order to unify the s-box switch and the ladder switch [CHP+18]. Further, to realize the switching effect over multiple rounds, the Boomerang Difference Table was proposed [WP19].

Table 3: Required number of plaintext-ciphertext pairs versus the success probability for the key recovery attack on 6-round AES. The value of r is taken as $2^{7}$ in all cases.
Thus, for the lower trail of the boomerang, δ is constructed by taking $ID_{\{3\}}$ from the last substate of $C_1 \oplus C_2$ and setting all other bytes to zero. Then, with probability $2^{-142}$, it is known that a swapping of the MegaSbox has occurred in the middle.
Attack Idea. Choose a pair of plaintexts $P_1, P_2$ such that only the four bytes in $D_{\{0\}}(P_1[0] \oplus P_2[0])$ are active. $P_1, P_2$ are queried to the encryption oracle to obtain $C_1, C_2$. After one round of partial encryption only one byte becomes active with probability $2^{-22}$ (i.e. in $P^{1}_{1}[0] \oplus P^{2}_{1}[0]$ only one byte is active), which implies that only one MegaSbox is active. Now, an inverse diagonal is swapped between $C_1, C_2$ and the new states are queried to the decryption oracle to obtain $P_3, P_4$. Now, with probability $2^{-142}$ only one MegaSbox should be active in $P^{3}_{1}[0] \oplus P^{4}_{1}[0]$. t bytes out of the 16 bytes of the active MegaSbox are inactive with probability $\binom{16}{t} \times 2^{-8t}$. Hence, with probability $2^{-22} \times 2^{-142} \times \binom{16}{t} \times 2^{-8t} = 2^{-164-8t} \times \binom{16}{t}$, t diagonals are inactive in $P_3 \oplus P_4$. For a random pair of texts, t diagonals are inactive with probability $\binom{16}{t} \times 2^{-32t}$. Note that, for $7 \le t \le 16$, $2^{-164-8t} \times \binom{16}{t} > \binom{16}{t} \times 2^{-32t}$