Related-key boomerang attacks on two larger variants of HALFLOOP

Kangkang SHI; Jiongjiong REN; Shaozhen CHEN

doi:10.1007/s11704-025-40755-0

Front. Comput. Sci. ›› 2026, Vol. 20 ›› Issue (4) :2004801 DOI: 10.1007/s11704-025-40755-0

Information Security

RESEARCH ARTICLE

Related-key boomerang attacks on two larger variants of HALFLOOP

Author information +

History +

PDF (3438KB)

Abstract

As a family of tweakable block ciphers, HALFLOOP is standardized in the interoperability and performance standards for medium and high-frequency radio systems published by the United States Department of Defense. Although HALFLOOP-24 has been destroyed in real-world practical attacks, seeking stronger attacks from the structure of ciphers against two larger variants of HALFLOOP is to be further explored. Since HALFLOOP has a property of smaller internal states compared to master keys, it leads to a low diffusion in the key schedule. Considering that related-key boomerang attacks have a significant effect on such ciphers and can even achieve full-round attacks, we evaluate the resistance of two larger variants of HALFLOOP against related-key boomerang attacks in the paper. First, we propose a more efficient model to search for sandwich distinguishers of ciphers with non-linear key schedules. Specifically, we derive more constraints rather than simple relationships in the internal linear layer to further restrict the appropriate distinguishers into a smaller space. In addition, we utilize the ladder switch effect in the related-key model to guarantee the differential transition with probability one among the master key quartet, thereby avoiding possible weak-key attacks or invalid trails. Second, applying the model to HALFLOOP, we propose a full-round related-key boomerang attack on HALFLOOP-48 and nearly full-round related-key attacks on HALFLOOP-96. The relevant results demonstrate that the security of two larger variants of HALFLOOP is weak in related-key scenario. Therefore, in addition to the serious flaw brought by the tweak, the low diffusion in the key schedule algorithm is also worthy of attention.

Graphical abstract

Keywords

tweakable block cipher / HALFLOOP / MILP / related-key setting / boomerang attacks / rectangle attacks

Cite this article

Download citation ▾

Kangkang SHI, Jiongjiong REN, Shaozhen CHEN. Related-key boomerang attacks on two larger variants of HALFLOOP. Front. Comput. Sci., 2026, 20(4): 2004801 DOI:10.1007/s11704-025-40755-0

登录浏览全文

4963

注册一个新账户忘记密码

References

Publishing order | Descend order by publishing year | Descend order by cited within

[1]	U.S. Department of Defense Interface Standard. MIL-STD-188-141D: Interoperability and performance standards for medium and high frequency radio systems. U.S. Department of Defense, 2017

[2]	Dansarie M, Derbez P, Leander G, Stennes L . Breaking HALFLOOP-24. IACR Transactions on Symmetric Cryptology, 2022, 2022( 3): 217–238

[3]	Leander G, Rasoolzadeh S, Stennes L . Cryptanalysis of HALFLOOP block ciphers: destroying HALFLOOP-24. IACR Transactions on Symmetric Cryptology, 2023, 2023( 4): 58–82

[4]	Liu J, Sun L. Distinguisher and related-key attack on HALFLOOP-96. In: Proceedings of the 26th International Conference on Information Security and Cryptology. 2023, 19−40

[5]	Lin Y, Sun L. Related-tweak and related-key differential attacks on HALFLOOP-48. In: Proceedings of the 22nd International Conference on Applied Cryptography and Network Security. 2024, 355−377

[6]	Biryukov A, Khovratovich D. Related-key cryptanalysis of the full AES-192 and AES-256. In: Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security. 2009, 1−18

[7]	Biham E, Dunkelman O, Keller N. A related-key rectangle attack on the full KASUMI. In: Proceedings of the 11th International Conference on the Theory and Application of Cryptology and Information Security. 2005, 443−461

[8]	Delaune S, Derbez P, Vavrille M . Catching the fastest boomerangs: application to SKINNY. IACR Transactions on Symmetric Cryptology, 2020, 2020( 4): 104–129

[9]	Hadipour H, Bagheri N, Song L . Improved rectangle attacks on SKINNY and CRAFT. IACR Transactions on Symmetric Cryptology, 2021, 2021( 2): 140–198

[10]	Hadipour H, Nageler M, Eichlseder M . Throwing boomerangs into Feistel structures: application to CLEFIA, WARP, LBlock, LBlock-s and TWINE. IACR Transactions on Symmetric Cryptology, 2022, 2022( 3): 271–302

[11]	Derbez P, Euler M, Fouque P A, Nguyen P H. Revisiting related-key boomerang attacks on AES using computer-aided tool. In: Proceedings of the 28th International Conference on the Theory and Application of Cryptology and Information Security. 2022, 68−88

[12]	Jean J, Nikolić I, Peyrin T. Tweaks and keys for block ciphers: the TWEAKEY framework. In: Proceedings of the 20th International Conference on the Theory and Application of Cryptology and Information Security. 2014, 274−288

[13]	Daemen J, Rijmen V. The Design of Rijndael: AES-The Advanced Encryption Standard. Berlin: Springer, 2002

[14]	Wagner D. The boomerang attack. In: Proceedings of the 6th International Conference on Fast Software Encryption. 1999, 156−170

[15]	Kelsey J, Kohno T, Schneier B. Amplified boomerang attacks against reduced-round MARS and Serpent. In: Proceedings of the 7th International Workshop. 2000, 75−93

[16]	Biham E, Dunkelman O, Keller N. The rectangle attack—rectangling the Serpent. In: Proceedings of International Conference on the Theory and Application of Cryptographic Techniques. 2001, 340−357

[17]	Dunkelman O, Keller N, Shamir A. A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3G telephony. In: Proceedings of the 30th Annual International Cryptology Conference. 2010, 393−410

[18]	Biham E, Dunkelman O, Keller N. Related-key boomerang and rectangle attacks. In: Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques. 2005, 507−525

[19]	Boura C, Derbez P, Funk M . Related-key differential analysis of the AES. IACR Transactions on Symmetric Cryptology, 2023, 2023( 4): 215–243

[20]	Gurobi Optimization, LLC. Gurobi optimizer reference manual. , See gurobi.com website, 2021

[21]	Boura C, Coggia D . Efficient MILP modelings for Sboxes and linear layers of SPN ciphers. IACR Transactions on Symmetric Cryptology, 2020, 2020( 3): 327–361

[22]	Li T, Sun Y . SuperBall: a new approach for MILP modelings of Boolean functions. IACR Transactions on Symmetric Cryptology, 2022, 2022( 3): 341–367

[23]	Sasaki Y, Todo Y. New algorithm for modeling S-box in MILP based differential and division trail search. In: Proceedings of the 10th International Conference on Information Technology and Communications Security. 2017, 150−165

[24]	Sun L, Wang W, Wang M Q . MILP-aided bit-based division property for primitives with non-bit-permutation linear layers. IET Information Security, 2020, 14( 1): 12–20

[25]	Cid C, Huang T, Peyrin T, Sasak Y, Song L. Boomerang connectivity table: a new cryptanalysis tool. In: Proceedings of the 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques. 2018, 683−714

[26]	Wang H, Peyrin T . Boomerang switch in multiple rounds. Application to AES variants and Deoxys. IACR Transactions on Symmetric Cryptology, 2019, 2019( 1): 142–169

[27]	Yang Q, Song L, Sun S, Shi D, Hu L . New properties of the double boomerang connectivity table. IACR Transactions on Symmetric Cryptology, 2022, 2022( 4): 208–242

[28]	Song L, Qin X, Hu L . Boomerang connectivity table revisited. Application to SKINNY and AES. IACR Transactions on Symmetric Cryptology, 2019, 2019( 1): 118–141

[29]	Bouillaguet C, Derbez P, Fouque P A. Automatic search of attacks on round-reduced AES and applications. In: Proceedings of the 31st Annual International Cryptology Conference. 2011, 169−187