On the Feistel Counterpart of the Boomerang Connectivity Table

At Eurocrypt 2018, Cid et al. introduced the Boomerang Connectivity Table (BCT), a tool to compute the probability of the middle round of a boomerang distinguisher from the description of the cipher’s Sbox(es). Their new table and the following works led to a refined understanding of boomerangs, and resulted in a series of improved attacks. Still, these works only addressed the case of Substitution Permutation Networks, and completely left out the case of ciphers following a Feistel construction. In this article, we address this lack by introducing the FBCT, the Feistel counterpart of the BCT. We show that the coefficient at row Δi, column ∇o corresponds to the number of times the second order derivative at points (Δi, ∇o) cancels out. We explore the properties of the FBCT and compare it to what is known on the BCT. Taking matters further, we show how to compute the probability of a boomerang switch over multiple rounds with a generic formula.


Introduction
Boomerang attacks date back to 1999, when David Wagner introduced them at FSE to break COCONUT98 [Wag99]. When presented, this variant of differential attacks [BS91] shook up the conventional thinking that consisted in believing that a cipher with only small probability differentials is secure. Indeed, boomerang attacks make use of two small differentials covering half of the attacked rounds each, and can beat differential cryptanalysis when no high probability differential exists for the whole cipher.
In the basic form of the distinguisher (represented on the left in Figure 1), the attacker has access to the encryption ($E$) and decryption ($E^{-1}$) oracles, and studies particular quartets of messages. First, she chooses $M_1$ and constructs $M_2 = M_1 \oplus \alpha$; using $E$, she obtains the corresponding ciphertexts $C_1$ and $C_2$ from which she deduces two additional ciphertexts by computing: $C_3 = C_1 \oplus \delta$ and $C_4 = C_2 \oplus \delta$. By calling the decryption oracle she retrieves the corresponding plaintexts $M_3$ and $M_4$ and then checks if $M_3 \oplus M_4 = \alpha$. A boomerang distinguisher is obtained if the probability that $M_3 \oplus M_4 = \alpha$ is higher for the cipher than for a random permutation.
In summary, a boomerang distinguisher is based on a couple of plaintext and ciphertext differences $(\alpha, \delta)$ for which the following property among quartets of messages has a high probability: In the original approach, the attacked cipher $E$ is written as the composition of two sub-ciphers $E_0$ and $E_1$: $E = E_1 \circ E_0$. If for the sub-cipher $E_0$ the input difference $\alpha$ leads to the output difference $\beta$ with probability $p$ (and similarly $\gamma$ leads to $\delta$ with probability $q$ over $E_1$) the previous event was thought to have a probability of $p^2 q^2$.
Following this breakthrough some variants were proposed including a related-key version [KKH+04, BDK05] and an impossible-differential one (see [CY09]). Improvements were also proposed on top of this, like a version that does not require access to the decryption oracle (named amplified boomerang attack [KKS01]) that was further developed into the so-called rectangle attack [BDK01].
The validity of boomerang attacks and in particular of the $p^2 q^2$ formula were later questioned by Murphy [Mur11] with an example of distinguisher that seemed valid but was in fact of probability zero. The opposite phenomenon, that is distinguishers that happen with probability higher than what is expected, was also presented by Biryukov and Khovratovich in [BK09], and some particular cases (termed Ladder Switch, Sbox Switch and Feistel Switch) were explained.
All these observations were later formalized in a framework called sandwich attack [DKS10] for which the cipher is divided in 3 parts instead of 2, as represented on the right of Figure 1: a middle part $E_m$ (termed boomerang switch) is introduced between $E_0$ and $E_1$. Dunkelman et al. applied this framework to KASUMI. At Eurocrypt 2018, Cid et al. introduced the Boomerang Connectivity Table (BCT), a table that makes it easy to evaluate the probability of the middle part $E_m$ in the case where it covers one round and when the studied cipher follows an SPN construction. Their technique reduces the problem of computing the probability of the boomerang switch over one round function to the one of computing it over one Sbox only.
Just as an Sbox with a Difference Distribution Table with small coefficients provides resistance against differential attacks, an Sbox with a Boomerang Connectivity Table (BCT) with small coefficients prevents an attacker from building efficient boomerang-style attacks. A study of some important families of Sboxes has been made in [BC18], [BPT19] and [LQSL19], just to cite a few. Another interesting line of work that followed the paper of Cid et al. is the determination of the probability of a boomerang switch $E_m$ that covers more than one round, and that was addressed for SPN ciphers in [WP19, SQH19].
Still, to the best of our knowledge a similar analysis has not been provided yet for Feistel constructions [Fei74], while it cannot be denied that it is an equally important type of block cipher design, instantiated for instance by the widely used 3-DES and by CLEFIA [SSA+07] (ISO/IEC 29192-2).
Our Contributions. In this work, we address this lack and investigate what can be said on a boomerang switch when the studied cipher follows a Feistel construction. In case the Feistel round function contains some affine layers and a single Sbox layer we introduce the FBCT, the Feistel counterpart of the Boomerang Connectivity Table and show that it is related to the second order derivative of the Sbox at play. Our model elucidates the last switch that is not explained by the BCT by showing that the Feistel Switch corresponds to the diagonal of our table.
We study the properties of the FBCT for some categories of cryptographic Sboxes (in particular APN Sboxes and Sboxes based on the inverse mapping) and investigate if the maximum in the FBCT is invariant for Sboxes that are in the same equivalence classes for an equivalence that is affine, extended-affine and CCZ.
In a bottom-up approach, we start from this notion of FBCT (that covers switches of one round) and then introduce the FBDT to deal with a 2-round switch and finally propose the FBET that treats the case of an arbitrary number of rounds. We explain the relation between all these new notions and give examples of their application.
Finally, we illustrate our approach by applying it to the cipher LBlock-s (used in the CAESAR candidate LAC), and provide a 16-round distinguisher whose probability is evaluated to be higher than $2^{-56.14}$.

Motivation: Disproving the Validity of a Previous Boomerang Distinguisher on LBlock
As a warm up, we study the related-key boomerang distinguisher devised by Liu et al. on LBlock [LGW12] and prove that the middle part contains a contradiction that invalidates the proposed boomerang distinguisher.

Specification of LBlock
LBlock was proposed at ACNS 2011 [WZ11] by Wenling Wu and Lei Zhang. The cipher is lightweight, works on blocks of 64 bits and requires a key of 80 bits. It follows a Feistel structure and has the particularity to rely on 10 different 4-bit Sboxes. We give a short description of its design below and refer to [WZ11] for more details and in particular for the description of the key schedule. One LBlock encryption iterates 32 times a round function that follows a 2-branch balanced Feistel structure with a twist, that is, the right branch is modified by a rotation of 8 bit positions (see Figure 2). The other half of the internal state is modified by the F function that takes as parameter the 32-bit round key $K_i$. If the plaintext is denoted $M = X_1 || X_0$ (where || denotes the concatenation), we have for all 33 ≥ i ≥ 2: In more detail, the function F is defined as: S is an Sbox layer that transforms each nibble $Y_i$ into the nibble $Z_i = S_i(Y_i)$: The Sboxes are detailed in Table 5 in Appendix A. P is a permutation given by:
Figure 2: High-level description of one round of LBlock (left) and description of the F function (right).

Attack of Liu et al.
In 2012, Liu et al. [LGW12] proposed a 16-round related-key boomerang distinguishing attack on LBlock based on two 8-round related-key characteristics of low weight (that is, with very few active Sboxes). This attack is supposed to work in some (very large) weak-key class as it includes a key condition. With their parameters (that we recall in Appendix B), the probability of $E_0$ is $p = 2^{-14}$, while the probability of $E_1$ is $q = 2^{-16}$. They next computed the probability of the obtained distinguisher with the approximation $p^2 q^2$, that gives $2^{-60}$. Unfortunately, the next section details why the two characteristics $E_0$ and $E_1$ are in fact incompatible, meaning that the actual probability that the boomerang returns along these differential characteristics is 0.

Incompatibility in the Distinguisher Proposed by Liu et al.
To help visualize the following discussion, we provide in Figure 3 a representation of the end of $E_0$ and of the beginning of $E_1$. In the following, we assume that the required transition happened in the key schedule (that is, 0x3 $\xrightarrow{S_9}$ 0x8 in round 7). Suppose that the quartet $(M_1, M_2, M_3, M_4)$ follows the characteristics defining the boomerang specified by Liu et al. When looking at the beginning of the characteristic over $E_1$ we see that we expect a transition through the second Sbox from a difference of 0x2 to 0x2, while by extending with probability 1 the differential characteristic over $E_0$ we see that the entering difference for this same Sbox is 0x5 (see Figure 3). If we denote by $t_i$ the nibble that enters the Sbox number 2 of round 9 for $M_i$, this means that By referring to $S_2$, we can list the possible input nibbles that make the transition from an input difference of 0x2 to an output difference of 0x2, and we obtain that $(t_1, t_3)$ ∈ {(0x1,0x3), (0x3,0x1), (0x8,0xa), (0xa,0x8)}. Since $t_2$ and $t_4$ are separated from $t_1$ and $t_3$ by a difference of 0x5 we can deduce that their values are in the following set: $(t_2, t_4)$ ∈ {(0x4,0x6), (0x6,0x4), (0xd,0xf), (0xf,0xd)}.
This incompatibility implies that the boomerang over the middle round never returns, and consequently the related-key distinguisher proposed by Liu et al. is invalid as no quartet can follow the required characteristic.

FBCT: the Feistel Counterpart of the BCT
The inconsistency found in the previous section (that is reminiscent of the examples given by Murphy in [Mur11]) calls for a tool to automatically study the behavior of the junction between $E_0$ and $E_1$.
In fact, this problem has recently been addressed in the case of Substitution-Permutation Networks with the introduction of the Boomerang Connectivity Table (BCT): instead of looking at the property of a round as a whole (thus at a function of usually 64 or 128 bits), the problem is reduced to one we can easily study given its small size: examining each Sbox of the S-layer independently. While the DDT describes the differential properties of each Sbox from which are deduced the ones of the round, the BCT gives the probability of a boomerang switch over each Sbox from which is deduced the one of the round.

The (SPN) Boomerang Connectivity Table
The formal definition of the BCT is recalled below: it is a table that gives at line $\Delta_i$, column $\nabla_o$ the number of values for which a boomerang of input $\Delta_i$ and output difference $\nabla_o$ comes back. It corresponds to the following formula, depicted in Figure 4: The Boomerang Connectivity Table (BCT) of S is given by a $2^n \times 2^n$ table, in which the entry for the $(\Delta_i, \nabla_o)$ position is given by:
The previous definition is only valid for an Sbox that is part of an S-layer in an SPN cipher: the objective of this paper is to address the need of the counterpart for a Feistel cipher. As a hint of what we introduce below, remember that Feistel ciphers have the practical advantage that decryption is performed by executing the same function as for encryption, simply changing the order of the round keys. This change is at the heart of the Feistel counterpart of the BCT that we introduce now: here, the inverse of the Sbox is never at play.

The Feistel Boomerang Connectivity Table
We start by illustrating our theory on the generic Feistel cipher represented in Figure 5: it is a balanced Feistel with two branches, that we denote L and R. The output of one round is given by $F(L) \oplus R \,||\, L$, where the F function is defined by a round key addition, an S-layer and a linear layer L. Note that the details of the linear layers of F play no role in our discussion, and that the only important point is that F contains one S-layer made by the concatenation of t n-bit Sboxes. We are interested in the probability of the following 1-round boomerang switch: we have an input difference equal to $\beta_L || \beta_R$ between state 1 and 2, an output difference equal to $\gamma_L || \gamma_R$ between state 1 and 3, and 2 and 4, and we want that the input difference between state 3 and 4 is equal to $\beta_L || \beta_R$.
Left part of the difference. We start by studying the cost of obtaining that the left difference between state 3 and 4 has the desired value of $\beta_L$.
Given the fact that the left branch is the one that is not modified through one round of Feistel we can easily conclude that the desired difference comes for free:
Right part of the difference. We now focus on obtaining a difference of $\beta_R$ between the right part of state number 3 and 4. By naming $G_3$ and $G_4$ the left output after one round in state 3 and 4 (see Figure 5), we obtain the following simplification: For this difference to be equal to $\beta_R$ we need that We use the fact that the only non-linear function of F is an S-layer made by a concatenation of small Sboxes to rewrite this condition as a set of independent conditions on smaller parts of the states, and obtain t independent equations of the form: Where $\Delta_i$ is the difference at the input of the considered Sbox between state 1 and 2, deduced from $\beta_L$, and $\nabla_o$ is the difference at the input of the considered Sbox between state 1 and 3 and 2 and 4, deduced from $\gamma_R$.
The resulting probability of the boomerang switch over one round is then the product of the probabilities for each Sbox, that are of the form This discussion leads us to the introduction of the following definition:
Definition 2 (FBCT). Let S be a function from $\mathbb{F}_2^n$ to $\mathbb{F}_2^m$, and $\Delta_i, \nabla_o \in \mathbb{F}_2^n$. The FBCT of S is given by a $2^n \times 2^n$ table T, in which the entry for the $(\Delta_i, \nabla_o)$ position is given by: Since we do not have to consider a bijective Sbox, we define $\mathrm{FBCT}_S$ for any Sbox S from $\mathbb{F}_2^n$ to $\mathbb{F}_2^m$ with possibly $n \neq m$. In the following we leave out the S index and simply write FBCT when the Sbox we are referring to is clear from the context.
Once the table is built, the probability that a boomerang comes back over 1 round of a Feistel scheme is simply the product of the corresponding coefficients of the FBCT divided by $2^n$. An example of FBCT is provided in Table 1 in the case of the Sbox $S_2$ of LBlock.
It is easy to see that the formula of the FBCT corresponds to the number of times the order 2 derivative with respect to $\Delta_i$ and $\nabla_o$ of the vectorial Boolean function S cancels out. We formalize this and study its properties in Section 4.

Evaluation of the 1-round Boomerang Switch of Liu et al.'s Attack with the FBCT
We focus on the Sbox $S_2$ of round 9 of the cipher. From $E_0$, the input difference of Sbox 2 is 0x5, so following previous notation we have $\Delta_i$ = 0x5. When referring to $E_1$ and taking into account the difference coming from the round key we have $\nabla_o$ = 0x2. The FBCT coefficient we are interested in is then $\mathrm{FBCT}_{S_2}$(0x5, 0x2). Referring to Table 1, we see that the corresponding cell has a value equal to 0, meaning that the 1-round boomerang switch is impossible. Note that this incompatibility is even more general than the one we discussed in Section 2.3, as in Section 2.3 we fixed an additional parameter namely one Sbox output. This vision corresponds to what we introduce in Section 5.1 under the name of Feistel Boomerang Difference Table (FBDT).
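The check above, reproduced as an added example (not code from the paper): it builds the FBCT as the count of zeroes of the second-order derivative and evaluates the $S_2$ switch both ways, through the Section 2.3 enumeration and through the FBCT entry. The $S_2$ lookup table is an assumption, entered from the LBlock specification [WZ11] because Table 5 is not reproduced in this section; all function names are hypothetical.

```python
"""FBCT of a small Sbox and the 1-round switch check on LBlock's S2."""
from fractions import Fraction

# ASSUMPTION: S2 as given in the LBlock specification [WZ11]; Table 5 of the
# paper is not part of this section, so the values are entered by hand.
LBLOCK_S2 = [0x1, 0xE, 0x7, 0xC, 0xF, 0xD, 0x0, 0x6,
             0xB, 0x5, 0x9, 0x3, 0x2, 0x4, 0x8, 0xA]


def transition_inputs(sbox, d_in, d_out):
    """Inputs x with S(x) ^ S(x ^ d_in) == d_out, i.e. the set chi_DDT."""
    return {x for x in range(len(sbox)) if sbox[x] ^ sbox[x ^ d_in] == d_out}


def quartet_inputs(sbox, nabla, d_out, delta):
    """Section 2.3 view: values t1 such that both t1 and t2 = t1 ^ delta
    make the transition nabla -> d_out through the Sbox."""
    good = transition_inputs(sbox, nabla, d_out)
    return {x for x in good if (x ^ delta) in good}


def fbct(sbox):
    """table[di][no] = #{x : S(x) ^ S(x^di) ^ S(x^no) ^ S(x^di^no) == 0}."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for di in range(size):
        for no in range(size):
            table[di][no] = sum(
                1 for x in range(size)
                if sbox[x] ^ sbox[x ^ di] ^ sbox[x ^ no] ^ sbox[x ^ di ^ no] == 0)
    return table


def has_generic_structure(table):
    """First row, first column and diagonal equal to 2^n (ladder and Feistel
    switches), symmetric table, every coefficient a multiple of 4."""
    size = len(table)
    for a in range(size):
        if not (table[0][a] == table[a][0] == table[a][a] == size):
            return False
        for b in range(size):
            if table[a][b] != table[b][a] or table[a][b] % 4 != 0:
                return False
    return True


def switch_probability(active):
    """1-round switch probability: product over the Sboxes of FBCT / 2^n.
    `active` is a list of (table, delta_i, nabla_o), one entry per Sbox."""
    prob = Fraction(1)
    for table, di, no in active:
        prob *= Fraction(table[di][no], len(table))
    return prob


if __name__ == "__main__":
    table = fbct(LBLOCK_S2)
    print("inputs for 0x2 -> 0x2:", sorted(transition_inputs(LBLOCK_S2, 2, 2)))
    print("quartets surviving delta = 0x5:", quartet_inputs(LBLOCK_S2, 2, 2, 5))
    print("FBCT(0x5, 0x2) =", table[5][2])
    print("switch probability:", switch_probability([(table, 5, 2)]))
```

A single zero coefficient forces the product to zero whatever the other Sboxes of the round contribute, which is why the one entry settles the question for the whole switch.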

Relation Between the FBCT and the Feistel Switch
While the Feistel case is not covered by the Boomerang Connectivity Table, a first step in understanding the case of boomerang distinguishers for Feistel constructions has been made by Wagner himself while analyzing Khufu [Wag99]. His observation was later referred to under the name of Feistel Switch, for instance in the related-key cryptanalysis of AES-192 and AES-256 by Biryukov and Khovratovich [BK09], in which one can read:
Surprisingly, a Feistel round with an arbitrary function (e.g., an S-box) can be passed for free in the boomerang attack (this was first observed in the attack on cipher Khufu in [Wag99]). Suppose the internal state (X, Y) is transformed to (Z = X ⊕ f(Y), Y) at the end of $E_0$. Suppose also that the $E_0$ difference before this transformation is (∆X, ∆Y), and that the $E_1$ difference after this transformation is (∆Z, ∆Y). [...] Therefore, the decryption phase of the boomerang creates the difference ∆X in X at the end of $E_0$ "for free".
By analyzing this setting in the way we did in Section 3.1 we can show that an internal state (X, Y) allows the boomerang to come back if Y verifies: (we have $\gamma_R = \beta_L = \Delta Y$ with our previous notation) which is always true. Moreover if the Feistel round function is made of some linear operations and an S-layer, the previous setting means that for every Sbox we are looking at coefficients that are on the diagonal of the FBCT.

Properties of the FBCT
This section gives a review of the most important properties of the Feistel boomerang connectivity table. We start by listing the constants of the table and then investigate the properties of the FBCT of two crucial classes of vectorial function, namely APN functions and functions based on the inverse mapping. We also study if the so-called Feistel boomerang uniformity is constant for Sboxes belonging to the same equivalence classes, for various definitions of equivalence. We conclude this section by giving a comparison of the BCT and FBCT properties.

Basics on vectorial Boolean Functions
for all $x \in \mathbb{F}_2^n$. The first derivative is at the basis of the Difference Distribution Table (DDT) of a given vectorial function S, defined as: This definition is extended to higher-order derivatives as follows: Given this definition, it is direct to see that for an n × m Sbox seen as an element of B(n, m), the value of $\mathrm{FBCT}(\Delta_i, \nabla_o)$ corresponds to the number of zeroes of the function $D_{\Delta_i} D_{\nabla_o} S$ extended to the cases where $\Delta_i$ and $\nabla_o$ are not linearly independent.

Some Direct Properties of any FBCT
We start with a series of simple properties that are easily observable from the definition: Property 1. The coefficients of the FBCT of S ∈ B(n, m) verify the following:

Fixed values:
Proof. All the properties are easily deduced from Definition 2: (1) and (4) are proven by writing the expressions of the coefficients at play. Note that from symmetry we also have FBCT( (2)a. and (2)b. correspond to the ladder switch proposed in [BK09] that works the same way for Feistel and SPN ciphers: if either $\Delta_i$ or $\nabla_o$ is zero, it means that two pairs of messages inside the quartet share the same Sbox input, and the boomerang comes back with probability 1. This is formally shown as follows: and similarly $\mathrm{FBCT}(\Delta_i, 0) = 2^n$. The Feistel switch recalled in Section 3.3 is also easily proven: (3) The property is verified for the case $\Delta_i = \nabla_o$ (since we can reasonably assume n > 1), so we focus on the case where also are, which proves the multiplicity.
Given that the coefficients in the first line, first column and diagonal of the FBCT are always equal to the maximum that is $2^n$, we define the boomerang uniformity a bit differently from what has been done for the BCT:
Definition 3 (F-Boomerang Uniformity). The F-Boomerang uniformity corresponds to the highest value in the FBCT without considering the first row, the first column and the diagonal: From the designer point of view, it is preferable to use an Sbox with a small F-boomerang uniformity. This goal can be reached by opting for an APN function, as we show below.

On the FBCT of APN Functions
A function S ∈ B(n, n) is called almost perfect nonlinear (APN) if for any $\Delta_i, \delta \in \mathbb{F}_2^n$ with $\Delta_i \neq 0$ the equation $S(x) \oplus S(x \oplus \Delta_i) = \delta$ has either 0 or 2 solutions. Alternatively, we know (refer for instance to [Car10], page 417) that S is APN if and only if for any non-zero This directly implies the following theorem:

n). S is an APN function if and only if its FBCT verifies
A direct implication of this theorem is that any non-APN function has a non-zero coefficient at a position that is not in the first row, first column or diagonal of its FBCT, so in particular a Feistel boomerang uniformity higher than or equal to 4.

On the FBCT of Sboxes based on the Inverse Mapping
Another important and widely used set of Sboxes are the ones based on the inverse mapping, which include (among others) the 8-bit Sboxes of CAMELLIA [AIK+01], Clefia [SSA+07] and SMS4 [Dt08] and the 4-bit Sbox of Twine [SMMK13].
We know that $\mathbb{F}_2^n$ and $\mathbb{F}_{2^n}$ are vector isomorphic over $\mathbb{F}_2$, i.e., with respect to a fixed basis $\alpha_i$, 1 ≤ i ≤ n, of $\mathbb{F}_{2^n}$, any element $x \in \mathbb{F}_{2^n}$ can be uniquely written as The importance of this family of functions comes from its very good cryptographic properties (that lead to it being selected to build the AES [AES01] Sbox for instance). Indeed, Nyberg [Nyb94] showed that if n is odd, then the inverse function over $\mathbb{F}_{2^n}$ is APN, and if n is even, then each row of its DDT has exactly one 4 and $(2^{n-1} - 2)$ occurrences of the number 2 (and in particular that the Sbox is differentially 4-uniform). Given that we already discussed the case of APN functions in Section 4.3, we focus here on the case where n is even.
Property 2. In each row (except the first) of the FBCT of the inverse mapping over an even number of bits, the values $2^n$, 4 and 0 occur 2, 2 and $2^n - 4$ times, respectively.
Proof. Using a reductio ad absurdum argument, we start by showing that the only possible values in the FBCT of the inverse mapping over an even number of bits are 0, 4 and $2^n$. Since for every FBCT the coefficients in the first line, first column and diagonal are equal to $2^n$, we focus on the other positions.
Suppose that for given non-zero Given that the coefficients of the FBCT are multiples of 4 this implies that we have at least This can be rewritten as: The first line indicates that the equation There are two possibilities: if $\delta_1 = \delta_2$ we obtain that $\mathrm{DDT}(\Delta_i, \delta_1) \geq 8$ which contradicts that the differential uniformity of the considered Sbox is 4, while if $\delta_1 \neq \delta_2$ we obtain that there are two coefficients in the same line of the DDT with a coefficient higher than or equal to 4. In both cases we obtain a contradiction, so we conclude that the only possible values in the FBCT are 0, 4 and $2^n$.
To conclude on the number of occurrences of each coefficient we need to prove that there are only 2 coefficients equal to 4 in each line. We consider $\Delta_i, \delta \in \mathbb{F}_2^n$ so that $\mathrm{DDT}(\Delta_i, \delta) = 4$. There exist $x, x \oplus \Delta_i, y, y \oplus \Delta_i \in \mathbb{F}_2^n$ with $x \neq y$ and $x \neq y \oplus \Delta_i$ such that: We have: $\mathrm{FBCT}(\Delta_i, c) = 4$ yields $c \neq \Delta_i$ and $c \neq 0$ and thus $\mathrm{DDT}(\Delta_i, \delta') = 4 = \mathrm{DDT}(\Delta_i, \delta)$. Since each row of the considered Sbox DDT has exactly one entry that equals 4, it follows that $\delta' = \delta$ and that $z, w \in \{x, x \oplus \Delta_i, y, y \oplus \Delta_i\}$, which leads to the contradiction that
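Both characterisations of this part (APN functions have F-boomerang uniformity 0, and Property 2 for the inverse mapping over an even number of bits) can be checked exhaustively on small fields. This is an added example, not code from the paper; the field polynomials (x^4+x+1, x^5+x^2+1, x^6+x+1), the use of x^3 as a second APN function and all function names are choices made for the illustration.

```python
"""Exhaustive check of the APN and inverse-mapping results on small fields."""
from collections import Counter


def gf_mul(a, b, n, poly):
    """Multiply a and b in GF(2^n); poly includes the x^n term."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:          # degree reached n: reduce modulo poly
            a ^= poly
    return r


def gf_pow(a, e, n, poly):
    """Square-and-multiply exponentiation in GF(2^n)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, n, poly)
        a = gf_mul(a, a, n, poly)
        e >>= 1
    return r


def power_sbox(exponent, n, poly):
    """Lookup table of x -> x^exponent over GF(2^n)."""
    return [gf_pow(x, exponent, n, poly) for x in range(1 << n)]


def inverse_sbox(n, poly):
    """Inverse mapping x -> x^(2^n - 2), which sends 0 to 0."""
    return power_sbox((1 << n) - 2, n, poly)


def is_apn(sbox):
    """Every non-trivial DDT row contains only the values 0 and 2."""
    size = len(sbox)
    for di in range(1, size):
        counts = Counter(sbox[x] ^ sbox[x ^ di] for x in range(size))
        if any(c != 2 for c in counts.values()):
            return False
    return True


def fbct_row(sbox, di):
    """Row di of the FBCT: zeroes of the second-order derivative."""
    size = len(sbox)
    return [sum(sbox[x] ^ sbox[x ^ di] ^ sbox[x ^ no] ^ sbox[x ^ di ^ no] == 0
                for x in range(size))
            for no in range(size)]


def f_boomerang_uniformity(sbox):
    """Maximum of the FBCT outside first row, first column and diagonal."""
    size = len(sbox)
    return max(fbct_row(sbox, di)[no]
               for di in range(1, size)
               for no in range(1, size) if no != di)


def rows_match_property_2(sbox):
    """Each non-zero row holds 2^n twice, 4 twice and 0 elsewhere."""
    size = len(sbox)
    expected = Counter({size: 2, 4: 2, 0: size - 4})
    return all(Counter(fbct_row(sbox, di)) == expected
               for di in range(1, size))


if __name__ == "__main__":
    cases = [("inverse, n=4", inverse_sbox(4, 0x13)),
             ("inverse, n=5", inverse_sbox(5, 0x25)),
             ("inverse, n=6", inverse_sbox(6, 0x43)),
             ("x^3, n=4", power_sbox(3, 4, 0x13))]
    for name, sbox in cases:
        print(name, "APN:", is_apn(sbox),
              "F-boomerang uniformity:", f_boomerang_uniformity(sbox))
```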

On the FBCT of Equivalent Sboxes
Various notions of equivalence are frequently used when studying Sboxes, among which linear, affine, extended-affine and CCZ equivalence [CCZ98]. These various concepts play an important role to categorize sets of Sboxes since central cryptographic properties (differential, linear and sometimes algebraic degree) are constant for equivalent Sboxes. In this section we investigate if the F-boomerang uniformity is preserved under these various notions of equivalence.
Linear, Affine and Extended-Affine Equivalence. As their names suggest, the three first flavors we start with are related as follows: linear equivalence is a sub-case of affine equivalence, and affine equivalence is a particular case of extended-affine equivalence.
Definition 4 (Linear, Affine and Extended-Affine Equivalence). Two vectorial Boolean functions F, G ∈ B(n, m) are called extended-affine equivalent if there exist two nonsingular matrices $A \in GL(n, \mathbb{F}_2)$, $B \in GL(m, \mathbb{F}_2)$, $(a, b) \in \mathbb{F}_2^n \times \mathbb{F}_2^m$ and an affine function C : where $GL(n, \mathbb{F}_2)$ is the set of all nonsingular binary matrices of order n. If C = 0, then F and G are affine equivalent, and if in addition a and b are equal to zero then they are linear equivalent.

Theorem 2. The multi-set composed of all values in the FBCT is preserved under extended-affine nonsingular transformation. Namely, we have that FBCT
Proof. Suppose that $G(x) = B(F(A(x) \oplus a)) \oplus C(x) \oplus b$ for all $x \in \mathbb{F}_2^n$, where $A \in GL(n, \mathbb{F}_2)$, $B \in GL(m, \mathbb{F}_2)$, $(a, b) \in \mathbb{F}_2^n \times \mathbb{F}_2^m$ and C ∈ B(n, m) is an affine function. Using the fact that for all $x \in \mathbb{F}_2^n$ and $u, v \in \mathbb{F}_2^n$, we obtain the following relations: In particular, the F-boomerang uniformity is constant among Sboxes in the same linear, affine or extended-affine equivalence class.
CCZ Equivalence. The last equivalence relation we discuss here is the CCZ equivalence [CCZ98]. Concluding on this case is rather easy: it is known that every permutation is CCZ-equivalent to its inverse, and we show in the next subsection that Feistel boomerang uniformity is not necessarily the same for an Sbox and its inverse. Consequently, Sboxes that are CCZ equivalent might not share the same boomerang uniformity.

FBCT and Inversion
In the case of the BCT, it has been shown that the boomerang uniformity of S and its inverse are the same [BC18]. Before studying the case of the FBCT, let us recall that since we are looking at Feistel constructions the Sboxes at play do not have to be invertible (the most famous example in this category being the DES [DES77]).
The F-boomerang uniformity of SS 0 is equal to 8, while the one of its inverse is 4.

Set-based Formulation of the FBCT
In this section, we identify the set 6 with the union for all $\delta \in \mathbb{F}_2^n$ of the intersection of $\chi_{DDT}(\Delta_i, \delta)$ and its coset $\chi_{DDT}(\Delta_i, \delta) \oplus \nabla_o$. First, we recall the definition of $\chi_{DDT}(\Delta_i, \delta)$, a notion that has been introduced in [CLN+17] and used in the context of boomerang attacks in [SQH19] and that corresponds to the set of all $x \in \mathbb{F}_2^n$ that make a given Sbox transition possible: The alternative formulation is given in the following theorem: Theorem 3. For any $\Delta_i, \nabla_o \in \mathbb{F}_2^n$ and S ∈ B(n, n), Note here that for any fixed $\Delta_i$ the equality {x, This reformulation leads to the following rewriting of the FBCT coefficient: Proof. This comes directly from the previous theorem by remarking that once $\Delta_i$ is fixed we have $\chi_{DDT}(\Delta_i, \delta) \cap \chi_{DDT}(\Delta_i, \delta') = \emptyset$ for all $\delta \neq \delta'$, which justifies that the unions in Theorem 3 are disjoint and hence that we have a sum.
Let us again stress the parallel with a similar reformulation of the BCT: ). Let S ∈ B(n, n). We define Y DDT as the set of all Sbox outputs that make a given transition possible, that is:

Comparison of the properties of the BCT and of the FBCT
We conclude this section by comparing in Table 2 the main properties explored by Boura and Canteaut [BC18] regarding the BCT with what we proved in the case of the FBCT. Note that another family of Sboxes was studied by Boura and Canteaut, namely the set of quadratic permutations. In the case of the FBCT this instance is rather easy to solve: for any non-zero $\Delta_i, \nabla_o \in \mathbb{F}_2^n$ with $\Delta_i \neq \nabla_o$, $D_{\Delta_i} D_{\nabla_o} S$ is constant. If this constant is not equal to zero we have that $\mathrm{FBCT}(\Delta_i, \nabla_o) = 0$, otherwise $\mathrm{FBCT}(\Delta_i, \nabla_o) = 2^n$. We can conclude that either the quadratic permutation is APN and then its Feistel boomerang uniformity is equal to 0, or the quadratic permutation is not APN (this is the case of all the quadratic permutations on an even number of variables) and then its Feistel boomerang uniformity is equal to $2^n$.
In Appendix D, we provide a (rather intricate) formula linking the FBCT and the recently introduced Differential-Linear Connectivity Table (DLCT) [BDKW19]. We expect that other relations can be obtained.

Extending our Analysis to Two Rounds
Similarly to what has been done in [WP19, SQH19] for SPN constructions, this section discusses the probability of a boomerang switch E m that covers two rounds.

The Feistel counterpart of the BDT
When studying how to extend the BCT theory to boomerang switches on more rounds, Wang and Peyrin [WP19] introduced the BDT (standing for Boomerang Difference Table), a variant of the BCT with one supplementary variable fixed, namely the Sbox output difference: Definition 5 (Boomerang Difference Table [WP19]). Let S be an invertible function in $\mathbb{F}_2^n$, and $(\Delta_i, \delta, \nabla_o)$ be elements of $(\mathbb{F}_2^n)^3$. The boomerang difference table (BDT) of S is a three-dimensional table, in which the entry for $(\Delta_i, \delta, \nabla_o)$ is computed by: As we show next, the counterpart of this table for the Feistel case turns out to be useful to study a switch over two rounds. Following the idea of [WP19], we define it as follows (it can be visualized in Figure 6): Definition 6 (FBDT). Let S be a function from $\mathbb{F}_2^n$ to itself, and $(\Delta_i, \delta, \nabla_o)$ be elements of $(\mathbb{F}_2^n)^3$. The Feistel boomerang difference table (FBDT) of S is a three-dimensional table, in which the entry for $(\Delta_i, \delta, \nabla_o)$ is computed by:
Figure 6: View of the parameters of the FBDT: $\Delta_i$ is the input difference and $\delta$ is the output difference of S when looking at the difference between state 1 and 2. $\nabla_o$ is the input difference of the same Sbox S when looking at the difference between state 1 and 3 (which is the same as the one between state 2 and 4).
Given the discussion made in Section 4.7, we can rewrite the FBDT as: It is rather straightforward to see that the FBDT follows similar relations as the BDT does, namely: Property 3 (Relations between the DDT, FBCT and FBDT).

Probability of a 2-round Boomerang Switch
The theorem we discuss next gives the probability that a boomerang comes back over 2 rounds of a classic Feistel cipher, that is a balanced one with 2 branches. We consider that the input difference between state 1 and 2 is $(\Delta_i^L, \Delta_i^R)$, that the output difference between state 2 and 4 and 1 and 3 is equal to $(\nabla_o^L, \nabla_o^R)$, and we want that the input difference between state 3 and 4 is again $(\Delta_i^L, \Delta_i^R)$. Again, we consider a very generic case where the round function is composed of one Sbox layer made of t parallel n-bit Sboxes and of some linear or affine operations, which implies in particular that if the input difference of one round is known together with the output difference of the Sbox layer, then the difference at the input of the next round Sbox layer can be computed. To keep our explanation as generic as possible we introduce the following notations, that can be visualized in Figure 7:
• $\Delta_i$ represents the difference at the input of the first round Sbox layer, between state 1 and 2. It is fixed to a certain value since it can be deduced from the first round input difference $\Delta_i^L$.
• $\delta$ denotes the corresponding output difference of this Sbox layer, but is not specified.
• $\Delta'_i$ corresponds to the difference at the input of the second Sbox layer (again with respect to state 1 and 2). Its value is deduced from $\delta$ and from $\Delta_i^R$.
• In a similar way, the difference at the input of the second round Sbox layer, between state 2 and 4 is set to a certain value denoted $\nabla_o$, deduced from $\nabla_o^R$.
• The corresponding output difference is denoted $\alpha$, but again is not fixed.
• $\nabla'_o$ represents the input difference of the first round Sbox layer for these states, and is computed from $\nabla_o^L$ and $\alpha$.
The differences denoted with straight lines are imposed and fixed.
Given this notation we can find a formula for the probability of a 2-round boomerang switch over a Feistel, see Theorem 4. Note that to simplify its writing we extended the definition of the FBDT to the case of the Sbox layer (instead of one Sbox only). Naturally, this simply corresponds to the product of the FBDT of each Sbox that composes the Sbox layer.
Theorem 4 (Probability of a 2-round Switch). With the previous notation, the probability that a boomerang comes back over 2 rounds is equal to: (3)
Proof. In order to cover most constructions, in what follows we consider a Feistel cipher as depicted in Figure 7, that is with a round function made of one linear (or affine) layer L 1 , followed by one Sbox layer of t n-bit Sboxes and again a linear (or affine) layer L 2 .
We start by observing that if the second round Sbox layer output difference between state 2 and 4 is equal to a given value α then the same difference is required between state 1 and 3 for the boomerang to return.
Denote by α the second Sbox layer output difference between state 1 and 3 . Given that the output difference between 1 and 3 and 2 and 4 is equal to (∇ L o , ∇ R o ) we deduce that the input difference in the left branch between states 1 and 3 and 2 and 4 are respectively equal to ∇ L o ⊕ L 2 (α ) and ∇ L o ⊕ L 2 (α). The input difference between the left branches of state 1 and 2 is equal to ∆ L i so we deduce that the left branch difference between state 3 and 4 is equal to: . For the boomerang to return this has to be equal to ∆ L i , which proves that we must have α = α.
We now demonstrate the formula by first looking at the case where the values of α and δ are fixed. The theorem is deduced by summing over all their possible values.
We focus on the second round of the switch, and more precisely on the difference between state 2 and 4 . To obtain the required output difference, the Sbox layer must transition from ∇ o = L 1 (∇ R o ) to α, an event that is of probability 7 : If we denote by X the input value of the second round Sbox layer of state 2 , We know that the corresponding value of state 1 has to be equal to X ⊕ ∆ i , value that should also allow the transition from ∇ o to α according to the previous discussion. The probability that it is the case is: Assuming that the previous conditions are fulfilled, the boomerang returns in the first round if the Sbox layer transitions from ∆ i to δ given that the input difference of this Sbox layer between state 2 and 4 and 1 and 3 is equal to ∇ o . The probability of this event is FBDT( Putting things together, we obtain , we obtain the required expression.
Note that our formula is very reminiscent of what is used in the SPN case, as Wang and Peyrin [WP19] proposed to use the product of the BDT and BDT' coefficients to cover the case of a 2-round switch where the same Sbox is active with respect to E 0 and E 1 . As a side note, we also remark here that the somewhat more intricate formulation proposed by Song et al. can be rewritten as the product of the BDT and BDT' in the case of 2 rounds, as in particular the D BCT coefficient of [SQH19] is in fact equal to the BDT' coefficient.
We show a concrete example of application of this 2-round formula on LBlock in Appendix E.

Generic Formula for a Feistel Boomerang Switch over Multiple Rounds
To obtain an accurate estimation of the probability of a boomerang distinguisher, an attacker has to correctly evaluate the size of $E_m$, that is the number of middle rounds for which there exists a dependency between the characteristic on $E_0$ and the one on $E_1$. Once this is done, the formula introduced with the sandwich attack theory [DKS10] can be applied and the value of $p^2 q^2 r$ (where r is the probability of $E_m$, p the one of $E_0$ and q the one of $E_1$) gives a good estimate (under the usual assumptions). The problem of evaluating the size of $E_m$ has already been discussed in two papers in the case of SPN ciphers: by Song et al. in [SQH19] and by Wang and Peyrin in [WP19]. The algorithm proposed in [SQH19] (that we recall in Appendix F) is rather natural: additional rounds are added to $E_m$ as long as the probability of the newly added round is higher than the probability that would have been obtained if there were no dependencies. Since this technique directly applies to boomerang distinguishers on Feistel constructions we do not elaborate more on this.
The remaining problem in the case of Feistel ciphers is to compute the probability of a boomerang switch over more than 2 rounds. We address this now, with a setting and notation given in Figure 8 and that is a direct generalization of the one in Figure 7.
Figure 8: Setting for a boomerang switch over more than two rounds of a balanced Feistel with two branches. The differences denoted with straight lines are imposed and fixed.
As depicted in the figure, we introduce new variables to represent all the intermediate differences. As we did when discussing the 2-round switch, the idea will be to iterate over all the possible values for these, to compute the probability of the obtained settings and finally to sum together the probabilities.
We introduce a coefficient that corresponds to the situation where an active Sbox in $E_0$ is in front of an active Sbox in $E_1$, and for which both Sbox outputs (when looking at state 1 and 2 and state 2 and 4 ) are fixed. We obtain the following formula:
Definition 7 (FBET). Let S be a function from $\mathbb{F}_2^n$ , and (∆ i , δ, ∇ o , α) be elements of $(\mathbb{F}_2^n)^4$. The Feistel boomerang extended table (FBET) of S is a four-dimensional table, in which the entry for (∆ i , δ, ∇ o , α) is computed by:
The probability of a switch is then estimated to be⁸ the sum over all the possible intermediate differences of the product of the FBET coefficient (divided by $2^n$) of each Sbox. For instance, the probability of the 3-round boomerang switch depicted in Figure 7 can be approximated by:
where again by abuse of notation the FBET coefficient is the one of the full S-layer, but should be replaced by the ones of the individual Sboxes. Note that ∆ i and ∇ o are determined by ( , the input and output differences of the switch. Also, the values of ∆ i , ∆ i , ∇ o and ∇ o are deduced from the other parameters on which we iterate (for instance ∆ i = L 1 (L 2 (δ) ⊕ ∆ R i )). As we show in the following property, the obtained formula can be simplified when we sum coefficients over all the possible values of some variables. Further simplifications are obtained with Property 3.
Property 4 (Relations between the FBET and the previous tables).
It is rather easy to show that the FBET view covers the previous formula for the 2-round switch (given in Theorem 4): we use the notation of Figure 7 and additionally denote by δ the output difference between state 1 and 2 of the second-round S-layer, and by α the output difference between state 2 and 4 of the first-round S-layer. The sum we have to compute is:
Footnote 8: Note that this approximation considers that the same characteristic is followed between state 1 and 2 and between state 3 and 4 . For 3 rounds and more it is not apparent that this is always the only possible case.
Since α and δ have no impact on the other values we can rewrite the previous sum as: In a similar way, if we focus on one round only, we have to compute Since both δ and α have no impact on the other variables it can be rewritten as: So the FBET coefficient allows us to recover our previous formulas.
Note that when looking at a switch covering many rounds the application of this formula may require too much time if many Sboxes are involved, so it might be preferable to evaluate the probability of $E_m$ experimentally.
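The experimental evaluation mentioned above, as an added example that is not code from the paper: the switch is counted exhaustively on a toy 8-bit balanced Feistel. The toy cipher (one 4-bit Sbox per round, identity linear layers, the PRESENT Sbox as a stand-in, constructed round keys) and all function names are assumptions made for the illustration. Over a single round the count equals $2^n$ times the FBCT coefficient, i.e. the number of x for which the second-order derivative of S at (∆ i , ∇ o ) cancels out.

```python
# Added example. Assumptions (not from the paper): 8-bit block, one 4-bit Sbox
# per round, identity linear layers, PRESENT Sbox as stand-in, constructed keys.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N = 4                          # Sbox width in bits
KEYS = [0x3, 0xA, 0x6, 0xD]    # constructed round keys


def fbct(sbox=SBOX):
    """FBCT[di][no] = #{x : S(x)^S(x^di)^S(x^no)^S(x^di^no) == 0}."""
    size = len(sbox)
    return [[sum(1 for x in range(size)
                 if sbox[x] ^ sbox[x ^ di] ^ sbox[x ^ no] ^ sbox[x ^ di ^ no] == 0)
             for no in range(size)] for di in range(size)]


def encrypt(state, keys):
    """One round maps (L, R) to (R ^ S(L ^ k), L)."""
    left, right = state
    for k in keys:
        left, right = right ^ SBOX[left ^ k], left
    return left, right


def decrypt(state, keys):
    left, right = state
    for k in reversed(keys):
        left, right = right, left ^ SBOX[right ^ k]
    return left, right


def switch_returns(delta_in, nabla_out, keys):
    """Count the states for which the boomerang comes back over len(keys) rounds."""
    (dl, dr), (nl, nr) = delta_in, nabla_out
    count = 0
    for l1 in range(1 << N):
        for r1 in range(1 << N):
            c1 = encrypt((l1, r1), keys)
            c2 = encrypt((l1 ^ dl, r1 ^ dr), keys)
            m3 = decrypt((c1[0] ^ nl, c1[1] ^ nr), keys)
            m4 = decrypt((c2[0] ^ nl, c2[1] ^ nr), keys)
            if (m3[0] ^ m4[0], m3[1] ^ m4[1]) == (dl, dr):
                count += 1
    return count


def switch_probability(delta_in, nabla_out, rounds):
    """Exact probability r of the switch over the first `rounds` toy rounds."""
    return switch_returns(delta_in, nabla_out, KEYS[:rounds]) / 2 ** (2 * N)
```

For one round the result depends only on the left input difference and the right output difference, which is why the check against the FBCT ignores the other two branch differences.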
Short Discussion on the SPN Case. While we focused on the Feistel case, it seems that a similar technique can be used to get the probability of a multiple-round boomerang switch on an SPN cipher. In particular, the counterpart of the FBET would be: and we have the following direct properties:
Property 5 (Relation between the BET and the previous tables).
Our bet is that it provides a generic formula covering the previous particular cases discussed in [SQH19] and [WP19].

Application to LBlock-s
We propose here to study the case of LBlock-s, the Feistel cipher used in LAC, in order to illustrate the way our formula can be used to estimate the probability of a boomerang distinguisher.
LAC was a first-round candidate to the CAESAR competition submitted by Lei Zhang et al. [ZWW+14]. It is a lightweight authenticated encryption scheme that relies on a modified version of LBlock called LBlock-s. In this version, the 10 different 4-bit Sboxes are replaced with one unique Sbox, which corresponds to the one called $S_0$ in LBlock. The block cipher also includes a modified key schedule algorithm that we do not detail here since it plays no role in the following discussion. The LAC algorithm uses both full 32-round LBlock-s as well as a round-reduced LBlock-s iterating 16 rounds.
In this section, we evaluate with the $p^2 q^2 r$ formula the probability of a 16-round boomerang distinguisher on LBlock-s when the size of $E_m$ varies from 2 to 8 rounds. We found out that when $E_m$ covers 8 rounds the expected probability of the resulting distinguisher is $2^{-56.14}$.
This value is higher than the probability of the distinguisher that was proposed by Leurent in [Leu15]. In this paper, the author showed the existence of collections of differential characteristics with probability as high as $2^{-61.52}$. Still, our distinguisher cannot be used for forgery contrary to what is done in [Leu15].

Finding the Best 7-round Differential Characteristics for $E_0$ and $E_1$
As a starting point, we look at the setting where $E_m$ covers 2 rounds and search for the best characteristics over 7 rounds for $E_0$ and $E_1$. To find these, we use the two-step strategy described in [GLMS18]:
• In the first step, we abstract all the nibble differences by Boolean variables (if a nibble is active then its associated Boolean value is 1, else it is 0) and we look for the truncated differentials with the minimum number of active Sboxes. We implement this step using a high-level modeling language called MiniZinc [NSB+07]. MiniZinc models are translated into a simple subset of MiniZinc called FlatZinc, using a compiler provided by MiniZinc. Most existing constraint programming solvers (including SAT solvers and MILP solvers) have developed FlatZinc interfaces (there are currently fifteen solvers with FlatZinc interfaces). Using the PICAT SAT solver we found 8 possible optimal truncated differential characteristics that are valid for both $E_0$ and $E_1$.
• In the second step, we look for the best differential characteristics (in terms of probability) that follow the previous truncated differential paths. To do so, we use the constraint programming language Choco [PFL16]. For each possible truncated differential characteristic on 7 rounds we obtain 2766 solutions with an optimal probability equal to $2^{-16}$. We tried several combinations and picked the one that gave the best probability for the 2-round $E_m$. We present it in Table 3.

Choosing a Switch $E_m$
To obtain an accurate evaluation of the boomerang distinguisher, we evaluate the size and probability of $E_m$ with the algorithm recalled in Appendix F. When $E_m$ covers few rounds we were able to apply our formulas to compute its probability but we then switched to experiments to avoid intricate expressions with many parameters. As detailed in Table 4, we were able to apply the algorithm for an $E_m$ covering up to 8 rounds, thus obtaining an estimation of the probability of the distinguisher of $2^{-56.14}$. Our observation is that $E_m$ covers more than 8 rounds, but we were limited by computational power to get its exact size.
Table 4: Theoretical and practical values of r for various sizes of $E_m$ and corresponding probability of the 16-round distinguisher when applying the $p^2 q^2 r$ formula. We detail the theoretical computation for 3 rounds in Appendix G.

Deriving a Boomerang Distinguisher
The previous discussion indicates that the 16-round boomerang distinguisher we are looking at has a probability higher than $2^{-56.14}$. It can be used as follows: The attacker randomly chooses $M_i^1$ ($0 \le i < m$) and computes $M_i^2 = M_i^1 \oplus \alpha$ with α = (20400000, 00001460). She encrypts these plaintexts over 16 rounds of LBlock-s to obtain the ciphertexts $C_i^1$ and $C_i^2$ from which she deduces $C_i^3 = C_i^1 \oplus \delta$ and $C_i^4 = C_i^2 \oplus \delta$ with δ = (0x42000004, 0x00060040) and asks for their corresponding plaintexts $M_i^3$ and $M_i^4$. Finally she checks if the boomerang comes back by testing if $M_i^3 \oplus M_i^4 = \alpha$. Given our estimate, $m = 2^{56.14}$ quartets are sufficient to expect one boomerang to return (using $2^{58.14}$ ciphering/deciphering operations).

C Some Variants of Feistel Constructions for which the FBCT Applies
We show here that the FBCT tool covers more constructions than the classical Feistel cipher, by providing three examples: the type I and II variants introduced by Zheng, Matsumoto and Imai in [ZMI90] and the source-heavy (also called contracting) construction as implemented in SMS4 [Dt08]. A representation of the round structure of these types is given in Figure 10 in the case of 4-branch networks. The only assumption we make is that the F and F functions used in these constructions are composed of some linear or affine operations (like for instance matrix multiplication, permutations, Xor of constants or of round keys) and of one S-layer. We show below that the relations that need to be fulfilled in these cases can also be expressed as a product of FBCT coefficients.
Type I: Referring to Figure 10, one round of type I can be seen as one round of classic Feistel with some (2 in the picture) additional branches that are independent and not affected by an F function. Thus, the reasoning made in Section 3.1 can be extended to the case of type I construction and the probability that the boomerang switch over one round happens as required is the product of the FBCT coefficients corresponding to the Sboxes contained in F .

Type II:
In a similar way, one round of type II can be seen as the concatenation of several (2 in the picture) classical Feistels that are independent of one another. The reasoning made in Section 3.1 applies to this case and the probability of the boomerang switch is given by the product of the FBCT coefficients of the Sboxes of the F functions at play.

Source-Heavy:
This case can also easily be treated with the FBCT. It can be shown that the one-round boomerang switch represented in Figure 11 comes back if the following condition is fulfilled: = 0 Which can be rewritten as a product of the FBCT coefficients of the Sbox of F , with the two parameters depending on A, B, and C for one, and a, b and d for the other.
Note that the discussion above has to be nuanced as the application of the FBCT to other cases (as for instance type III construction) might not be straightforward.

D A Relation Between the DLCT and the FBCT
As before, we consider n, m two positive integers and S ∈ B(n, m). The set of all non-zero elements of $\mathbb{F}_2^n$ is denoted by $\mathbb{F}_2^{n*}$. For x and λ ∈ $\mathbb{F}_2^n$ we denote by λ · x the canonical inner product. The Differential-Linear Connectivity Table (DLCT) was introduced by Achiya Bar-On et al. in [BDKW19] and is defined as follows:

Definition 8 ([BDKW19]). For a vectorial Boolean function $S : \mathbb{F}_2^n \to \mathbb{F}_2^m$, the differential-linear connectivity table (DLCT) of S is a $2^n \times 2^m$ table whose rows correspond to input differences to S and whose columns correspond to bit masks of outputs of S. The DLCT entry (∆, λ), where $\Delta \in \mathbb{F}_2^n$ is a difference and $\lambda \in \mathbb{F}_2^m$ is a mask, is
Recall that the autocorrelation of an n-variable Boolean function f at point $\Delta \in \mathbb{F}_2^n$, denoted $C_f(\Delta)$, is defined as:
It can be easily proven that $\mathrm{DLCT}_S(\Delta, \lambda) = \frac{1}{2} C_{\lambda \cdot S}(\Delta)$. In the following, we consider a vectorial Boolean function S and derive a relation between its FBCT and the autocorrelation of its component functions. Using this relation, we provide a relation between the FBCT and the DLCT of S.
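The relation between the DLCT and the autocorrelation can be checked numerically. The following is an added example, not code from the paper: it uses the standard definitions DLCT_S(∆, λ) = #{x : λ·S(x) = λ·S(x ⊕ ∆)} − 2^(n−1) from [BDKW19] and C_f(∆) = Σ_x (−1)^(f(x) ⊕ f(x ⊕ ∆)), with the PRESENT Sbox as a stand-in; the function names are assumptions.

```python
# Added example. The PRESENT Sbox is a stand-in (assumption), n = m = 4.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def dot(a, b):
    """Canonical inner product over F_2: parity of the bitwise AND."""
    return bin(a & b).count("1") & 1


def component(sbox, lam):
    """Truth table of the component function x -> lam . S(x)."""
    return [dot(lam, y) for y in sbox]


def autocorrelation(f, delta):
    """C_f(delta) = sum over x of (-1)^(f(x) ^ f(x ^ delta))."""
    return sum(1 - 2 * (f[x] ^ f[x ^ delta]) for x in range(len(f)))


def dlct(sbox):
    """DLCT[delta][lam] = #{x : lam.S(x) == lam.S(x ^ delta)} - 2^(n-1)."""
    size = len(sbox)
    return [[sum(1 for x in range(size)
                 if dot(lam, sbox[x]) == dot(lam, sbox[x ^ delta])) - size // 2
             for lam in range(size)] for delta in range(size)]


def relation_holds(sbox):
    """True when DLCT_S(delta, lam) == C_{lam.S}(delta) / 2 for every entry."""
    table = dlct(sbox)
    size = len(sbox)
    return all(2 * table[delta][lam] == autocorrelation(component(sbox, lam), delta)
               for delta in range(size) for lam in range(size))


if __name__ == "__main__":
    print("DLCT = C/2 on every entry:", relation_holds(SBOX))
```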
Proof. For any non-zero ∆ ∈ F n * 2 , we have