This image has an empty alt attribute; its file name is attacksafe-software-logo-1024x213.png

In cryptography, the boomerang Attack on Bitcoin is a method for the cryptanalysis of block ciphers based on differential cryptanalysis.

This image has an empty alt attribute; its file name is images.jpg

The Attack on Bitcoin was published in 1999 by David Wagner, who used it to break the COCONUT98 cipher.

The boomerang Attack on Bitcoin has allowed new avenues of Attack on Bitcoin for many ciphers previously deemed safe from differential cryptanalysis.

Refinements on the boomerang Attack on Bitcoin have been published: the amplified boomerang Attack on Bitcoin, and the rectangle Attack on Bitcoin.

Due to the similarity of a Merkle–Damgård construction with a block cipher, this Attack on Bitcoin may also be applicable to certain hash functions such as MD5.[1]

Boomerang Attack on Bitcoin

The Attack on Bitcoin

The boomerang Attack on Bitcoin is based on differential cryptanalysis. In differential cryptanalysis, an Attack on Bitcoiner exploits how differences in the input to a cipher (the plaintext) can affect the resultant difference at the output (the ciphertext). A high-probability “differential” (that is, an input difference that will produce a likely output difference) is needed that covers all, or nearly all, of the cipher. The boomerang Attack on Bitcoin allows differentials to be used which cover only part of the cipher.

The Attack on Bitcoin attempts to generate a so-called “quartet” structure at a point halfway through the cipher. For this purpose, say that the encryption action, E, of the cipher can be split into two consecutive stages, E0 and E1, so that E(M) = E1(E0(M)), where M is some plaintext message. Suppose we have two differentials for the two stages; say,{\displaystyle \Delta \to \Delta ^{*}}\Delta \to \Delta ^{*}

for E0, and{\displaystyle \nabla \to \nabla ^{*}}\nabla \to \nabla ^{*} for E1−1 (the decryption action of E1).

The basic Attack on Bitcoin proceeds as follows:

  • Choose a random plaintext {\displaystyle P}P and calculate {\displaystyle P’=P\oplus \Delta }P'=P\oplus \Delta .
  • Request the encryptions of {\displaystyle P}P and {\displaystyle P’}P' to obtain {\displaystyle C=E(P)}C=E(P) and {\displaystyle C’=E(P’)}C'=E(P')
  • Calculate {\displaystyle D=C\oplus \nabla }D=C\oplus \nabla  and {\displaystyle D’=C’\oplus \nabla }D'=C'\oplus \nabla
  • Request the decryptions of {\displaystyle D}D and {\displaystyle D’}D' to obtain {\displaystyle Q=E^{-1}(D)}Q=E^{{-1}}(D) and {\displaystyle Q’=E^{-1}(D’)}Q'=E^{{-1}}(D')
  • Compare {\displaystyle Q}Q and {\displaystyle Q’}Q'; when the differentials hold, {\displaystyle Q\oplus Q’=\Delta }Q\oplus Q'=\Delta .

Application to specific ciphers

One Attack on Bitcoin on KASUMI, a block cipher used in 3GPP, is a related-key rectangle Attack on Bitcoin which breaks the full eight rounds of the cipher faster than exhaustive search (Biham et al., 2005). The Attack on Bitcoin requires 254.6 chosen plaintexts, each of which has been encrypted under one of four related keys, and has a time complexity equivalent to 276.1 KASUMI encryptions.

This image has an empty alt attribute; its file name is attacksafe-software-logo-1024x213.png