\gdef\block#1#2#3#4#5{ \begin{aligned} &\texttt{#1 } #4 \texttt{ #2} \\ &\enspace \left#3 \enspace \begin{aligned} #5 \end{aligned} \right. \end{aligned} } \gdef\if#1#2{\block{si}{alors}{|}{#1}{#2}} \gdef\eif#1#2{\block{si}{alors}{\lfloor}{#1}{#2}} \gdef\elif#1#2{\block{sinon si}{alors}{|}{#1}{#2}} \gdef\eelif#1#2{\block{sinon si}{alors}{\lfloor}{#1}{#2}} \gdef\else#1{\block{sinon}{}{\lfloor}{}{#1}} \gdef\for#1#2{\block{pour}{faire}{\lfloor}{#1}{#2}} \gdef\foreach#1#2{\block{pour tout}{faire}{\lfloor}{#1}{#2}}

# Automatic Search of Rectangle Attacks on Feistel Ciphers: Application to WARP

2023
Constraint Programming
Cryptanalysis
Differential
FSE
Related-Key

### Abstract

In this paper we present the first boomerang analysis of WARP, a recently proposed Generalized Feistel Network with extremely compact hardware implementations. We start by looking for boomerang characteristics that directly take into account the boomerang switch effects by showing how to adapt Delaune et al. automated tool to the case of Feistel ciphers, and propose several improvements to keep the execution time reasonable. We manage to cover 23 rounds with probability $2^{−124}$, which becomes the best distinguisher presented on WARP so far. We then look for an attack by adding the key recovery phase to our model and we obtain a 26-round rectangle attack with time and data complexities of $2^{115.9}$ and $2^{120.6}$ respectively, again resulting in the best result presented so far. Incidentally, our analysis discloses how an attacker can take advantage of the position of the key addition (put after the S-box application to avoid complementation properties), which in our case offers an improvement of a factor of $2^{75}$ of the time complexity in comparison to a variant with the key addition positioned before. Note that our findings do not threaten the security of the cipher which iterates 41 rounds.