Improved Rectangle Attacks on SKINNY and CRAFT

The boomerang and rectangle attacks are adaptions of differential cryptanalysis that regard the target cipher $E$ as a composition of two sub-ciphers, i.e., $E = E_1 \circ E_0$, to construct a distinguisher for $E$ with probability $p^2q^2$ by concatenating two short differential trails for $E_0$ and $E_1$ with probability $p$ and $q$ respectively. According to the previous research, the dependency between these two differential characteristics has a great impact on the probability of boomerang and rectangle distinguishers. Dunkelman et al. proposed the sandwich attack to formalise such dependency that regards $E$ as three parts, i.e., $E = E_1 \circ E_m \circ E_0$, where $E_m$ contains the dependency between two differential trails, satisfying some differential propagation with probability $r$. Accordingly, the entire probability is $p^2q^2r$. Recently, Song et al. have proposed a general framework to identify the actual boundaries of $E_m$ and systematically evaluate the probability of $E_m$ with any number of rounds, and applied their method to accurately evaluate the probabilities of the best SKINNY’s boomerang distinguishers. In this paper, using a more advanced method to search for boomerang distinguishers, we show that the best previous boomerang distinguishers for SKINNY can be significantly improved in terms of probability and number of rounds. More precisely, we propose related-tweakey boomerang distinguishers for up to 19, 21, 23, and 25 rounds of SKINNY-64-128, SKINNY-128-256, SKINNY-64-192 and SKINNY-128-384 respectively, which improve the previous boomerang distinguishers of these variants of SKINNY by 1, 2, 1, and 1 round respectively. Based on the improved boomerang distinguishers for SKINNY, we provide related-tweakey rectangle attacks on 23 rounds of SKINNY-64-128, 24 rounds of SKINNY-128-256, 29 rounds of SKINNY-64-192, and 30 rounds of SKINNY-128-384.
It is worth noting that our improved related-tweakey rectangle attacks on SKINNY-64-192, SKINNY-128-256 and SKINNY-128-384 can be directly applied for the same number of rounds of ForkSkinny-64-192, ForkSkinny-128-256 and ForkSkinny-128-384 respectively. CRAFT is another SKINNY-like tweakable block cipher for which we provide the security analysis against rectangle attack for the first time. As a result, we provide a 14-round boomerang distinguisher for CRAFT in the single-tweak model based on which we propose a single-tweak rectangle attack on 18 rounds of this cipher. Moreover, following the previous research regarding the evaluation of switching in multiple rounds of boomerang distinguishers, we also introduce new tools called Double Boomerang Connectivity Table (DBCT), LBCT , and UBCT to evaluate the boomerang switch through the multiple rounds more accurately.


Introduction
The security of the Internet of Things (IoT) and other constrained environments such as RFID systems is an emerging concern which may not be addressed using conventional solutions. To address this concern, many solutions and primitives have been proposed by designers so far. In this direction, the lightweight cryptography (LWC) competition of the National Institute of Standards and Technology (NIST) was started with the aim of standardization for such constrained environments, and candidates of the first and the second rounds were announced in April and September 2019, respectively. While NIST-LWC aims to standardize lightweight Authenticated Encryption with Associated Data and Hash functions, during the last decade researchers have made an extensive effort to provide a strong foundation for lightweight block ciphers and as a result, a dozen elegant lightweight block ciphers have been designed, to just name some, CRAFT [ WP19], and key recovery phase [ZDM+20] of boomerang attack which is one of the most efficient attacks on reduced SKINNY. Therefore, reevaluating the security of SKINNY against the boomerang attack is necessary. In this paper, using a better way to search for boomerang distinguishers of SKINNY in which switching, as well as the clustering effects are considered, we improve the boomerang distinguishers of SKINNY [SQH19], under the related-tweakey setting at first. Next, building upon the improved boomerang distinguishers and using the novel key recovery attack introduced in [ZDM+20], we improve the rectangle attacks on reduced SKINNY in the related-tweakey setting.
CRAFT is among the recent tweakable block ciphers, proposed at FSE 2019 by Beierle et al. Besides the designers' extensive security analysis, independent researchers also analyzed the security of the cipher against various attacks. More precisely, Hadipour et al. [HSN+19] extended the designers' security analysis and provided more efficient distinguishers based on differentials, zero correlations and integral attacks. Moghaddam and Ahmadian [EMA20] evaluated the security of this cipher against truncated differential cryptanalysis. Although the designers made no security claim against related-key attacks and even presented a full-round deterministic related-key distinguisher for the cipher, ElSheikh et al. [EY19] also presented new distinguishers for CRAFT in this mode and also extended it to a full-round key recovery attack. [GSS+20] is the latest work on the security analysis of CRAFT, which exploits the special properties of CRAFT to provide weak-tweakey truncated differential distinguishers of CRAFT in the single-key model, where they introduced a related-tweak 15-round differential characteristic with probability of $2^{-54}$, which can be extended to a 19-round key-recovery attack. However, to the best of our knowledge, there is no publicly reported security evaluation of CRAFT against the boomerang attack. Hence, we are motivated to present the first security analysis of this cipher against the boomerang attack.

Our contribution
Applying a heuristic approach to search for boomerang distinguishers in which we consider the ladder switch effect, we significantly improve the best previous boomerang distinguishers of SKINNY-n-2n and SKINNY-n-3n [LGS17,SQH19], for $n \in \{64, 128\}$. For instance, while the best-published boomerang distinguisher for 18 rounds of SKINNY-128-256 [LGS17,SQH19] has probability $2^{-77.83}$, we have provided a new boomerang distinguisher covering the same number of rounds with probability $2^{-40.77}$. Besides, our boomerang distinguishers for SKINNY-128-256 cover up to 21 rounds of this variant of SKINNY, whereas the best previous boomerang distinguisher for SKINNY-128-256 can reach up to 19 rounds of this cipher [LGS17,SQH19]¹. In other words, we improve the boomerang distinguisher of SKINNY-128-256 by two rounds in this paper. As another example, while the best boomerang distinguisher for SKINNY-128-384 so far reaches up to 24 rounds and has the probability of $2^{-107.86}$ [LGS17,SQH19]², we introduce a new boomerang distinguisher for the same number of rounds of SKINNY-128-384 with probability $2^{-87.39}$, which can be extended to provide a boomerang distinguisher for 25 rounds of this variant with probability $2^{-116.59}$. We also improve the boomerang distinguishers of SKINNY-64-128 and SKINNY-64-192 by one round. To the best of our knowledge, our boomerang distinguishers for SKINNY-n-2n and SKINNY-n-3n when $n \in \{64, 128\}$ are the best related-tweakey distinguishers so far for these variants of SKINNY in terms of probability and the number of rounds. Table 8 summarizes our results for boomerang distinguishers of SKINNY.
To demonstrate the usefulness of our searching strategy for boomerang distinguishers, we also apply it to CRAFT, and provide boomerang distinguishers for CRAFT for the first time. Interestingly, our finding shows that the boomerang attack is very promising on reduced CRAFT compared to the other statistical attacks in the single-tweak model, such as differential cryptanalysis, especially if we aim to provide a practical attack. For instance, taking advantage of the ladder switch effect, we introduce a boomerang distinguisher with the probability 1 for 6 rounds of CRAFT, which can be extended to 8 rounds with the probability of $2^{-8}$. As another example, while the probability of the best previously known distinguisher for 9 rounds of the cipher in the single-tweak model is $2^{-40.20}$, we present a practical single-tweak boomerang distinguisher for the same number of rounds with the probability of $2^{-14.76}$, which is much higher and can be easily verified by an ordinary personal computer. Table 2 summarizes the probability of our boomerang distinguishers for 6 to 14 rounds of CRAFT in comparison to the best previous single-tweak distinguishers. Moreover, we have experimentally verified the correctness of our boomerang distinguishers for up to 12 rounds as it can be seen in Table 2.
Based on the introduced boomerang distinguishers, we also provide related-tweakey rectangle attacks on SKINNY-n-2n and SKINNY-n-3n, for $n \in \{64, 128\}$, and a single-tweak rectangle attack on CRAFT. As a result, by attacking 29, 24 and 30 rounds of SKINNY-64-192, SKINNY-128-256 and SKINNY-128-384, to the best of our knowledge, we could improve the best previous attacks on these variants of SKINNY by 2, 1 and 2 rounds respectively in terms of the number of attacked rounds. For SKINNY-64-128, we provide a 23-round related-tweakey rectangle attack with memory and time complexity of $2^{60.9}$ and $2^{120.7}$, while the best previous related-tweakey rectangle attack covers the same number of rounds with memory and time complexity of $2^{124}$ and $2^{125.91}$ respectively. On CRAFT, our attack reaches 18 rounds in the single-tweak model, which is the first application of rectangle attack on CRAFT as well as the best attack on this cipher so far in terms of the number of attacked rounds in the single-tweak model. Table 1 summarizes our key recovery attacks on SKINNY's variants as well as CRAFT.
Furthermore, we have introduced some new tools to formulate the dependency between the upper and lower differential trails of boomerang distinguishers, including DBCT, DBCT and DBCT . We also introduce new variants of UBCT, LBCT and BCT including UBCT , LBCT , BCT and BCT which are useful to consider the clustering effect in boomerang cryptanalysis.
All of our codes to search for boomerang distinguishers of SKINNY and CRAFT and the discovered boomerang characteristics, as well as the required codes for experimental verification of our practical distinguishers, are publicly available via the following link: https://github.com/hadipourh/Boomerang

¹ The best previous boomerang distinguisher for SKINNY-128-256 is an 18-round distinguisher proposed in [LGS17,SQH19], which can be extended up to 19 rounds with probability $2^{-97.53}$.
² The best previous boomerang distinguisher for SKINNY-128-384 is a 22-round distinguisher proposed in [LGS17,SQH19], which can be extended up to 24 rounds with probability $2^{-107.86}$.

Outline. The rest of the paper is organized as follows: in Section 2, we present the required preliminaries for boomerang and rectangle attacks. Section 3 is dedicated to introducing new tools for boomerang cryptanalysis, and Section 4 describes our method to search for boomerang distinguishers. In Section 5, after giving a brief description of CRAFT, we propose boomerang distinguishers for up to 14 rounds of CRAFT, for which we apply our new tools to model the dependency between the upper and lower differentials over up to 7 rounds of CRAFT. Next, in Section 6, after giving a brief description of SKINNY, we introduce new boomerang distinguishers for SKINNY-n-2n and SKINNY-n-3n. Building upon the improved boomerang distinguishers, we mount key recovery attacks against reduced CRAFT and SKINNY in Section 7. Lastly, we conclude the paper in Section 8.

Preliminaries
In this section, we briefly review the boomerang attack.

Boomerang Attack and Sandwich Attack
The boomerang attack, proposed by David Wagner [Wag99], treats a block cipher $E$ as the composition of two sub-ciphers $E_0$ and $E_1$, for which there exist short differentials $\Delta_1 \to \Delta_2$ and $\nabla_2 \to \nabla_3$ of probabilities $p$ and $q$ respectively. The two differentials are then combined in a chosen plaintext and ciphertext attack setting to construct a long boomerang distinguisher as shown in Figure 1 (left). Let $E(P)$ and $E^{-1}(C)$ denote the encryption of $P$ and the decryption of $C$, respectively. Then the boomerang framework works as follows.
• Repeat the following steps many times.

BCT Framework
The boomerang connectivity table (BCT) was introduced by Cid et al. in [CHP+18] to evaluate $r$ theoretically when $E_m$ was composed of a single S-box layer. Later, the BCT was extended and used to calculate $r$ for $E_m$ with multiple layers [SQH19,WP19]. Here, we recall some important tables of S-boxes and relevant definitions which play a core role when calculating the probability of boomerang distinguishers.
The differences of an S-box in the boomerang distinguisher are shown in Figure 2. Alternatively, we use arrows with superscripts to denote the relationship between differences. The horizontal arrows illustrate the propagation of differences in upper and lower differential characteristics while the diagonal arrows are used to show which differences in the upper and lower trails are affected by each other. The difference distribution table (DDT) and the BCT are two basic tables of the S-box.  Table). Let $S$ be a function from $\mathbb{F}_2^n$ to $\mathbb{F}_2^n$. The difference distribution table (DDT) is a two-dimensional table defined by and $Y_{DDT}(\Delta_1, \Delta_2)$ denote the sets of valid inputs and outputs of differential $\Delta_1 \to \Delta_2$ respectively. Namely, Then BCT can be calculated with $X_{DDT}$ or $Y_{DDT}$, as studied in [BC18,SQH19]. That is where $\Delta_1$ and $\nabla_2$ are called crossing differences [SQH19]. As can be seen, whether the intersection of $X_{DDT}(\nabla_1, \nabla_2)$ and $X_{DDT}(\nabla_1, \nabla_2) \oplus \Delta_1$ (resp. $Y_{DDT}(\Delta_1, \Delta_2)$ and $Y_{DDT}(\Delta_1, \Delta_2) \oplus \nabla_2$) is empty or not depends on the crossing difference $\Delta_1$ (resp. $\nabla_2$). In particular, if the crossing difference $\Delta_1$ (resp. $\nabla_2$) for an S-box is random and uniformly distributed, the probability that the boomerang returns for this S-box is exactly $\sum_{\nabla_1} (\mathrm{DDT}(\nabla_1, \nabla_2)/2^n)^2$ (resp. $\sum_{\Delta_2} (\mathrm{DDT}(\Delta_1, \Delta_2)/2^n)^2$), which is identical to the probability calculation of the classical boomerang distinguisher.
To help calculate the probability of E m with multiple rounds, two more tables were introduced in the literature.
To see the counterpart of this Based on the previous works, some new tables of S-box will be proposed in the next sections and used to calculate r for boomerang distinguishers of CRAFT, and SKINNY.

New Tools for Boomerang Cryptanalysis
In this section, we introduce for S-boxes some new tables which can be used to model the dependency between upper and lower differential paths in boomerang distinguishers. When one constructs boomerang distinguishers for SPN ciphers, there may exist two S-boxes in a row (in two rounds) that are active in both trails of the boomerang. Figure 3 (middle) shows the differences of such two S-boxes, where '*' stands for any possible difference, $\Delta_1$ and $\nabla_3$ are known.

Our Strategy to Search for Boomerang Distinguishers
We use a heuristic approach to find a boomerang distinguisher which can be divided into the following steps:
1. The first step is searching for truncated differential characteristics with the minimum number of active S-boxes taking into account the switching effect in multiple rounds. For this step, we borrow the idea of MILP-based automated search method for truncated differential characteristic proposed in [CHP+17], which takes into account the ladder switch effect in two middle rounds of boomerang distinguisher. However, we change it a little to consider the switch effect in more than two rounds. We also use a weighted objective function in our model to obtain a boomerang distinguisher with a higher probability.
Suppose that we are looking for a boomerang distinguisher covering $r_0 + r_m + r_1$ rounds as illustrated in Figure 5, where the first $r_0$ and last $r_1$ rounds are represented in red and blue and denoted by $E_0$ and $E_1$ respectively. Moreover, the middle $r_m$ rounds, where the first $r_0 + r_m$ and last $r_1 + r_m$ rounds overlap, are illustrated in green and denoted by $E_m$. Firstly, we generate a word-oriented MILP model consisting of constraints corresponding to truncated differential characteristics for the first $r_0 + r_m$ and for the last $r_1 + r_m$ rounds based on the independent binary variables respectively.
Let $u_0, \ldots, u_{t-1}$ denote the activeness of S-boxes in last $r_m$ rounds of $E_m \circ E_0$ and $l_0, \ldots, l_{t-1}$ denote the activeness of S-boxes in first $r_m$ rounds of $E_1 \circ E_m$, such that $u_i$ and $l_i$ correspond to the same S-box's position for all $0 \le i \le t - 1$. In order to model the switching effect in r-round middle part $E_m$, we introduce $t$ new binary variables $s_0, \ldots, s_{t-1}$ linking $u_i$ and $l_i$ for all $0 \le i \le t - 1$ as follows: Accordingly, $s_i = 1$ if and only if $u_i = l_i = 1$. Let binary variables $\tilde{u}_0, \ldots, \tilde{u}_{m-1}$ and $\tilde{l}_0, \ldots, \tilde{l}_{n-1}$ denote the activity of S-boxes in the first $r_0$ and last $r_1$ rounds respectively. Assuming that $w_0$, $w_1$ and $w_m$ are positive integers, the objective is to minimize: Given that the terms $\tilde{u} = \sum_{i=0}^{m-1} w_0 \cdot \tilde{u}_i$ and $\tilde{l} = \sum_{k=0}^{n-1} w_1 \cdot \tilde{l}_k$ are equally more effective than $s = \sum_{j=0}^{t-1} w_m \cdot s_j$ in the probability of the boomerang distinguisher, $w_0$, $w_1$ and $w_m$ are chosen such that $w_0 = w_1 \ge w_m$.
2. At the second step, based on the discovered truncated differential characteristics for $E_0$ and $E_1$, we look for the best actual differential trails satisfying the given active-cell positions for these parts which form upper and lower differential paths of boomerang distinguisher respectively. This is done using the separate bit-oriented MILP/SAT models for $E_0$ and $E_1$. Then, by fixing the input and output differences of actual differential paths for $E_0$ and $E_1$, and taking into account the clustering effect, we compute the differential effects for $E_0$ and $E_1$, which are represented by $p$ and $q$ respectively. Note that there might not exist an actual differential characteristic instantiating the discovered truncated differential characteristic. If so, we go to the first step and repeat the process by a new truncated differential characteristic.
3. Although the ladder switch effect is considered to obtain the upper and lower differential paths in our method, they are obtained using independent bit-oriented MILP/SAT models at step 2. Hence, the upper and lower differential paths in a discovered boomerang distinguisher might be incompatible [Mur11]. The compatibility of the upper and lower differential paths in a discovered boomerang distinguisher is checked by experimentally evaluating the probability of the r-round middle part at this step. Assume that $\Delta_2$ and $\nabla_3$ are the output and input differences of the upper and lower differential paths respectively. The compatibility of the upper and lower differential paths is checked by experimental evaluation of the following probability: We can go to the next step if $r > 0$, otherwise, we return to the first step.
4. At this step, to correctly evaluate the size of $E_m$, which contains the dependency between the upper and lower differential paths, we use the algorithm proposed by Song et al. in [SQH19]. More precisely, we extend both $E_0$ and $E_1$ with probability 1 at first. Next, to determine the correct upper boundary of $E_m$, we prepend additional rounds to $E_m$ as long as the lower crossing differences are not uniformly distributed.
In the same way, to determine the lower boundary of $E_m$, we append further rounds to $E_m$ as long as the upper crossing differences are not uniformly distributed. In other words, additional rounds are added to $E_m$ as long as the probability of the new $E_m$ is higher than what is estimated by $p^2q^2r$. If this is done, the formula $p^2q^2r$ will be a good estimate.
5. If the size of $E_m$ is changed at the previous step, taking into account the clustering effect, we compute the probabilities $p$ and $q$ corresponding to the new $E_0$ and $E_1$ respectively. To do so, by fixing the input/output differences of $E_0$ and $E_1$, we compute the differential effects and store the results into $p$ and $q$ respectively. Besides the experimental value, using the BCT framework we provide a theoretical bound for $r$, i.e. the probability of the middle part $E_m$, when it is possible from the computational complexity point of view. Finally, using the formula $p^2q^2r$, we compute the probability of the whole boomerang distinguisher.
To find the truncated differential characteristics in step 1, we use the MILP model and then Gurobi [GO21] as the solver. For SKINNY, given that the key schedule is linear, we use a semi-word-based MILP model to find a truncated differential characteristic where the key schedule is encoded bitwise, whereas the data path is encoded word-wise. In the second step, where we look for the real differential trails instantiating the discovered truncated trails, we use both the SMT/SAT and the MILP bit-based models. More precisely, for CRAFT and SKINNY-64-128 and SKINNY-64-192, we use CryptoSMT [Ste]⁵ to instantiate the truncated pattern with the best differential trails, as well as computing the differential effect in steps 2, 4, and 5. However, concerning 128-bit block versions of SKINNY, i.e., SKINNY-128-256 and SKINNY-128-384, we would highly prefer to use the MILP-based method introduced by [AST+17], since some probability exponents in DDT of SKINNY's 8-bit S-box are non-integer, and encoding the objective functions with non-integer coefficients and addition of non-integer numbers in MILP models are much easier and more straightforward in comparison to the SMT-based or SAT-based methods. Given that Gurobi allows finding multiple solutions rather than merely one optimal solution⁶, we use it as the MILP solver to compute the differential effect for 128-bit block versions of SKINNY as well.

Boomerang Distinguishers for Reduced-Round CRAFT
In this section, after giving a brief description of CRAFT, we introduce boomerang distinguishers for reduced-round CRAFT covering up to 14 rounds of this cipher. Table 2 summarizes our results on boomerang distinguishers of CRAFT and Table 3 briefly describes the notations we use throughout this section.

A Brief Description of CRAFT
CRAFT is a lightweight tweakable block cipher which was introduced at FSE 2019 by Beierle et al. [BLMR19]. This block cipher supports a 64-bit message, a 128-bit key and a 64-bit tweak, and its round function is composed of involutory building blocks. The input 64-bit plaintext $m = m_0 m_1 \cdots m_{14} m_{15}$ is used to initiate a $4 \times 4$ internal state $IS = I_0 I_1 \cdots I_{14} I_{15}$ as follows: where $I_i, m_i \in \mathbb{F}_2^4$. The internal state then goes through 32 rounds $R_i$, $i \in \{0, \ldots, 31\}$, to generate a 64-bit ciphertext. As is depicted in Figure 6, each round, excluding the last round, includes five functions, i.e., MixColumn (MC), AddRoundConstants (ARC), AddTweakey (ATK), PermuteNibbles (PN), and S-box (SB). The last round only includes  The MC layer is the multiplication of the internal state by a $4 \times 4$ involutory binary matrix. In each round $i$, after MC, two round dependent constant nibbles are XOR-ed with $I_4$ and $I_5$ respectively, where $a_0^i$ and $b_0^i$ are the least significant bits. A 4-bit LFSR is used to update $a$ and a 3-bit LFSR is used to update $b$. They are initialized by values (0001) and (001), respectively and updated to from i-th round to i + 1-th round. After AddRoundConstants (ARC), a 64-bit round tweakey is XOR-ed with $IS$. The tweakey schedule of CRAFT is rather simple. Given the secret key $K = K_0 K_1$ and the tweak $T \in \{0, 1\}^{64}$, where $K_i \in \{0, 1\}^{64}$, four round tweakeys $TK_0 = K_0 \oplus T$, $TK_1 = K_1 \oplus T$, $TK_2 = K_0 \oplus Q(T)$ and $TK_3 = K_1 \oplus Q(T)$ are generated, where given $T = T_0 T_1 \cdots T_{14} T_{15}$, $Q(T) = T_{12} T_{10} T_{15} T_5 T_{14} T_8 T_9 T_2 T_{11} T_3 T_7 T_4 T_6 T_0 T_1 T_{13}$. Then at the round $R_i$, $TK_{i \% 4}$ is XOR-ed with the $IS$, where the rounds start from $i = 0$.
The next function is PermuteNibbles (PN), which applies an involutory permutation $P$ over nibbles of $IS$, where given $IS = I_0 I_1 \cdots I_{14} I_{15}$, $P(IS) = I_{15} I_{12} I_{13} I_{14} I_{10} I_9 I_8 I_{11} I_6 I_5 I_4 I_7 I_1 I_2 I_3 I_0$. The final function is a non-linear layer in which a 4-bit S-box which has been borrowed from MIDORI [BBI+15] is applied on each nibble. One can refer to [BLMR19] to see more details about CRAFT's specification.
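The tweakey schedule and the PermuteNibbles layer described above, as an added Python example that is not from the paper or the authors' repository. It uses only the permutations Q and P given in the text; the key and tweak values are constructed, the function names are illustrative, and nibble 0 is assumed to be the leftmost hex digit.

```python
"""CRAFT tweakey schedule and PermuteNibbles (added example, not the paper's code)."""

# Nibble permutations exactly as printed in the text:
# Q(T)  = T12 T10 T15 T5 T14 T8 T9 T2 T11 T3 T7 T4 T6 T0 T1 T13
# P(IS) = I15 I12 I13 I14 I10 I9 I8 I11 I6 I5 I4 I7 I1 I2 I3 I0
Q = [12, 10, 15, 5, 14, 8, 9, 2, 11, 3, 7, 4, 6, 0, 1, 13]
P = [15, 12, 13, 14, 10, 9, 8, 11, 6, 5, 4, 7, 1, 2, 3, 0]

# Constructed sample values (not test vectors from any specification).
K0_HEX = "0123456789ABCDEF"
K1_HEX = "FEDCBA9876543210"
T_HEX = "0F1E2D3C4B5A6978"


def nibbles(hex64):
    """Split 16 hex digits into nibbles; assumption: index 0 is the leftmost digit."""
    if len(hex64) != 16:
        raise ValueError("expected 16 hex digits (64 bits)")
    return [int(c, 16) for c in hex64]


def to_hex(state):
    return "".join(f"{n:X}" for n in state)


def permute(state, perm):
    """Output nibble i is input nibble perm[i], matching Q(T) and P(IS) above."""
    return [state[j] for j in perm]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def is_involution(perm):
    """True if applying the permutation twice gives the identity."""
    ident = list(range(len(perm)))
    return permute(permute(ident, perm), perm) == ident


def round_tweakeys(k0, k1, tweak):
    """TK0..TK3 = K0^T, K1^T, K0^Q(T), K1^Q(T)."""
    qt = permute(tweak, Q)
    return [xor(k0, tweak), xor(k1, tweak), xor(k0, qt), xor(k1, qt)]


def tweakey_for_round(tks, i):
    """Round R_i (counting from i = 0) uses TK_{i % 4}."""
    return tks[i % 4]


def tweakey_differences(k0, k1, t, t_prime):
    """XOR differences of TK0..TK3 for two tweaks under the same key.

    The key cancels, so the result is [dT, dT, Q(dT), Q(dT)] with dT = t ^ t_prime.
    With dT = 0 (single-tweak model) every tweakey difference is zero.
    """
    a = round_tweakeys(k0, k1, t)
    b = round_tweakeys(k0, k1, t_prime)
    return [xor(x, y) for x, y in zip(a, b)]


if __name__ == "__main__":
    k0, k1, t = nibbles(K0_HEX), nibbles(K1_HEX), nibbles(T_HEX)
    print("P involutory:", is_involution(P), "| Q involutory:", is_involution(Q))
    for i, tk in enumerate(round_tweakeys(k0, k1, t)):
        print(f"TK{i} = {to_hex(tk)}")
    # Tweak difference A in nibble 0 only.
    t2 = xor(t, nibbles("A000000000000000"))
    for i, d in enumerate(tweakey_differences(k0, k1, t, t2)):
        print(f"dTK{i} = {to_hex(d)}")
```
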

Boomerang Distinguishers for 6 to 8 Rounds of CRAFT
Applying our searching method for boomerang distinguishers of CRAFT, we discovered that up to 6 rounds of this cipher can be distinguished from a random permutation using a boomerang distinguisher with probability one. For instance, let the input and output differences of 6-round boomerang distinguisher of CRAFT be chosen as follows: $\Delta X_0$ = 000α 0000 000α 0000, $\nabla X_6$ = 0000 0000 0β000 0000. Figure 7 represents the forward and backward propagation of $\Delta X_0$ and $\nabla X_6$ over 6 rounds of CRAFT respectively, where yellow and green squares denote the nonzero and any differences respectively. It can be seen that there is not any interaction between the active S-boxes of upper and lower differential trails in Figure 7. Therefore, due to the switching effect, the boomerang returns with probability 1. Next, by extending the discovered 6-round boomerang distinguisher one round backward, we construct a 7-round boomerang distinguisher, which is illustrated in Figure 17. Table 4 specifies the input and output differences of our 7-round boomerang distinguisher for CRAFT.

Table 4: Specification of boomerang distinguisher for 7 rounds of CRAFT
$r_0 = 0$, $r_m = 7$, $r_1 = 0$, $p = 1$, $q = 1$, $r = 2^{-4}$, $p^2 \cdot q^2 \cdot r = 2^{-4}$
$\Delta X_0$ = 00A0 00AA 0000 00A0
$\nabla X_7$ = 0000 0000 0A00 0000

As it can be seen in Figure 17, the upper differential path depends on whether γ = γ , and there are still some nonzero upper and lower crossing differences even after 7 rounds, which reveals that there is dependency between the upper and lower differential paths throughout the 7 rounds in Figure 17. Let $r_1$ and $r_2$ be the probability of boomerang distinguisher in cases where γ = γ , and γ = γ respectively. Consequently, the probability of the provided 7-round boomerang distinguisher is $r = r_1 \cdot \Pr$(γ = γ ) $+ r_2 \cdot \Pr$(γ = γ ).
If γ = γ , as illustrated in Figure 17, the upper and lower differential trails have only one active S-box in common. Let γ and β denote the output differences of the common active S-box in upper and lower differential paths respectively. The red frames in Figure 17 represent the propagation of difference β to show where this difference is originated from. As it is visible, the difference β has not been affected by the upper differential path. On the other hand, β is almost uniformly distributed. In conclusion, we have and $r_1 \cdot \Pr$(γ = γ ) $= 2^{-2} \cdot 2^{-2} = 2^{-4}$. Due to the fact that $0 \le r_2 \cdot \Pr$(γ = γ ) $\le 1$, we can conclude that $r \ge 2^{-4}$. According to the experimental evaluation, $r = 2^{-3.97}$, which validates the provided lower bound and also confirms that $r_2$ contributes less in the total probability $r$ in comparison to $r_1$.
By extending the discovered 7-round boomerang distinguisher one round forwards, we construct an 8-round boomerang distinguisher whose specification is provided by Table 5. Figure 18 represents the propagation of the input/output differences in our 8-round boomerang distinguisher. As illustrated, the propagation of the input difference depends on whether (γ = γ ) ∧ (δ = δ ). In Figure 18, it is supposed that (γ = γ ) ∧ (δ = δ ). It can be seen that nonzero differences exist even after 8 rounds in both forward and backward propagation of input and output differences respectively, which means the whole of these 8 rounds contain dependency.
Let $r_1$ and $r_2$ be the probability of the 8-round boomerang distinguisher, when (γ = γ ) ∧ (δ = δ ), and (γ = γ ) ∨ (δ = δ ) respectively. Hence, the entire probability of the 8-round boomerang distinguisher is $r = r_1 \cdot \Pr$((γ = γ ) ∧ (δ = δ )) $+ r_2 \cdot \Pr$((γ = γ ) ∨ (δ = δ )). Since two relations γ = γ , and δ = δ are statistically independent, we have: On the other hand, the upper and lower differential trails in Figure 18 have only two active cells in common, and there is not any interaction between other active cells in upper and lower differential trails, and the lower crossing difference β is almost uniformly distributed. The red frames depict where the difference β is originated from. It can be seen that it has not been affected by the upper differential trail. The upper crossing difference α is also uniformly distributed, and as it's depicted by blue frames, it is also independent of the lower differential trail. Therefore, the probability that the boomerang returns when (γ = γ ) ∧ (δ = δ ) is: Besides, $\Pr$(γ = γ ) $= \Pr$(δ = δ ) $= 2^{-2}$. Consequently, $r \ge 2^{-8}$. The experimental evaluation shows that the boomerang returns with probability $r = 2^{-7.92}$, which confirms the provided lower bound and also shows that the total probability $r$ is almost determined by $r_1$. The experimental evaluation follows the pseudo-code in Subsection 2.1. More precisely, we firstly choose a key as well as a tweak at random and perform $2^{15}$ boomerang queries and count the number of right quartets. We repeat this test for 1000 randomly generated keys and tweaks and compute the average number of right quartets.

Probability of the Middle Part in Boomerang Distinguishers for 9 to 14 Rounds of CRAFT
During the search for boomerang distinguishers covering 9 to 14 rounds of CRAFT, we observed that many boomerang distinguishers for these numbers of rounds have a common active pattern in the 7-round middle part. In other words, there are many boomerang distinguishers for 9 to 14 rounds of CRAFT that can be constructed by extending a 7-round boomerang distinguisher, such that the dependency between the upper and lower differential trails doesn't exist outside the 7-round middle part. Therefore, for the sake of simplicity, we chose a 7-round middle part and then constructed the boomerang distinguishers for 9 to 14 rounds based on it. Figure 9 shows the 7-round boomerang distinguisher with the following input/output differences, which is expandable to construct 9-/10-/11-/12-/13-/14-round boomerang distinguishers of CRAFT.
Next, let us calculate the probability of this 7-round boomerang distinguisher. In Figure 9, the input difference of the upper trail and the output difference of the lower trail are given; green squares denote any possible difference while yellow squares denote nonzero differences. Due to the weak diffusion of the linear layer of CRAFT, it can be seen that the difference after 7 rounds is not random enough as there are still nonzero differences in state a and H (see Figure 9). That is, the crossing differences throughout the whole distinguisher are not random enough, which means there is a strong dependency between the upper trail and the lower trail.
We further investigate the dependency of the two trails with the help of notations DDT − − → and BCT − − →. As can be seen from Figure 9, the dependency of the two trails can be modularized into two DBCT and two DBCT which affect each other.
Let $DBCT_{total}$ be the product of the four DBCT, i.e., where the variables are differences depicted in Figure 9 and particularly each color denotes any variable marked by the box of that color. Let then the probability of the 7-round boomerang distinguisher for a fixed pair $(A_5, h_5)$ is: If $(A_5, h_5) = (A, A)$, then $r = 2^{-10.39}$. Based on Equation 2, we evaluate $r$ for all To evaluate the accuracy of the lower bound expressed by Equation 2, we also carried out experiments on the 7-round boomerang distinguisher in Figure 9 and arranged the experimental probabilities in matrix $R_e^{7r}$, which is displayed in Appendix C. To experimentally evaluate the probability for each input/output difference we follow the pseudo-code in Subsection 2.1 such that we choose a random key and master tweak at first and then perform $2^{28}$ boomerang queries. We repeat this test for 100 random keys and master tweaks and compute the average of returned boomerangs. Comparing the theoretical and the empirical probabilities for all $(i, j) \in \mathbb{F}_2^4 \times \mathbb{F}_2^4$ confirms the high accuracy of the derived formula. Figure 8 visualizes the matrix $R^{7r}$. It is visible that the maximum value of $r_{i,j}$ is obtained when $(i, j) = (A, A)$. Another interesting piece of information obtained from Figure 8 is that after A, four other difference values including 5, 7, D, and F give a much better probability compared to other difference values. This observation is not by chance and can be explained by referring to the DDT and BCT of CRAFT's S-box. According to the DDT of CRAFT's S-box which is described in Figure 19, the set S = {5, 7, A, D, F} has a special property as follows: Hence, given that CRAFT's S-box is 4-uniform, we expect that the differences from S result in a higher clustering effect. On the other hand, as it can be seen in Figure 8 (left), BCT(A, A) = 16.
Therefore, it is expected that a boomerang returns with a higher probability when the nonzero entries of the input and output differences are chosen from $S$, especially when they are all equal to A. As another interesting observation, comparing the visual representations of the BCT of CRAFT's S-box (Figure 8, left) and $R^{7r}$ (Figure 8, right) reveals a high similarity between the positions of the maximum entries in the BCT of CRAFT's S-box and in $R^{7r}$, which reflects the influence of CRAFT's S-box on the boomerang behavior over several rounds. In the next sections, we extend the 7-round boomerang distinguisher $E_m^{7r}$ to construct longer boomerang distinguishers covering up to 14 rounds of CRAFT.
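The S-box facts used above (4-uniformity, BCT(A, A) = 16, the role of the set S, and the input differences {5, A, D, F} that lead to output difference A) can be recomputed directly; the following is an added example, not code from the paper. The S-box table is taken from the CRAFT specification rather than from this page, the UBCT definition in `ubct` is an assumption about the table's definition in the paper's earlier sections, and all function names are illustrative.

```python
"""Added example: difference tables of CRAFT's 4-bit S-box (not the paper's code)."""
from itertools import product

# CRAFT's S-box (from the cipher specification). It is an involution,
# so the inverse table computed below equals SBOX itself.
SBOX = [0xC, 0xA, 0xD, 0x3, 0xE, 0xB, 0xF, 0x7,
        0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]
INV = [SBOX.index(y) for y in range(16)]
S_SET = (0x5, 0x7, 0xA, 0xD, 0xF)  # the set S named in the text


def ddt():
    """DDT[a][b] = #{x : S(x) ^ S(x ^ a) = b}."""
    table = [[0] * 16 for _ in range(16)]
    for x, a in product(range(16), repeat=2):
        table[a][SBOX[x] ^ SBOX[x ^ a]] += 1
    return table


def returns(x, d_in, d_out):
    """One-S-box boomerang: encrypt the pair (x, x ^ d_in), shift both
    outputs by d_out, decrypt, and test whether d_in comes back."""
    x3 = INV[SBOX[x] ^ d_out]
    x4 = INV[SBOX[x ^ d_in] ^ d_out]
    return (x3 ^ x4) == d_in


def bct():
    """BCT[a][b] = number of x for which the one-S-box boomerang returns."""
    table = [[0] * 16 for _ in range(16)]
    for x, a, b in product(range(16), repeat=3):
        table[a][b] += returns(x, a, b)
    return table


def ubct(d1, d2, n2):
    """Assumed UBCT definition: the BCT(d1, n2) count restricted to the
    x whose pair also follows the differential d1 -> d2 through S."""
    return sum(1 for x in range(16)
               if SBOX[x] ^ SBOX[x ^ d1] == d2 and returns(x, d1, n2))


def uniformity(table):
    """Largest entry over all nonzero input differences."""
    return max(max(row) for row in table[1:])


def best_inputs(table, out_diff):
    """Nonzero input differences reaching out_diff with the maximal count."""
    top = uniformity(table)
    return [a for a in range(1, 16) if table[a][out_diff] == top]


def closed_under_best(table, subset):
    """True if every maximal-count transition from `subset` stays in it."""
    top = uniformity(table)
    return all(b in subset
               for a in subset for b in range(16) if table[a][b] == top)


if __name__ == "__main__":
    D, B = ddt(), bct()
    print("differential uniformity:", uniformity(D))
    print("BCT(A, A):", B[0xA][0xA])
    print("inputs with DDT(., A) maximal:",
          [format(a, "X") for a in best_inputs(D, 0xA)])
    print("maximal transitions from S stay in S:", closed_under_best(D, S_SET))
    for a in S_SET:
        row = " ".join(str(D[a][b]) for b in S_SET)
        print(f"DDT row {a:X} restricted to S: {row}")
    print("UBCT(A, d2, A) by d2:", [ubct(0xA, d2, 0xA) for d2 in range(16)])
```

Because BCT(A, A) = 16, every input pair with difference A returns, so UBCT(A, d2, A) coincides with the DDT row of A.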

9-Round Boomerang Distinguisher
In order to construct a 9-round boomerang distinguisher for CRAFT, we extend the 7-round distinguisher $E_m^{7r}$ in Subsection 5.3 by one round in both directions. Accordingly, as represented in Figure 9, the input and output differences of the 9-round distinguisher are chosen as follows: $\Delta X_0$ = 0A00 0000 0A00 0000, $\nabla X_9$ = 0000 0000 0A00 0000, to maximize the differential effect for the extended parts which are included in $E_0$ and $E_1$. Given that the lower and the upper crossing differences in $E_m^{7r}$ can be seen as uniform after 7 rounds, we consider the extended parts, i.e., the one round ahead and the one round behind, as $E_0$ and $E_1$ respectively. Let $\Delta X_1^i$ = 0000 0i00 0000 0000 and $\nabla X_8^j$ = 0000 0j00 0000 0000 denote the input and output differences of the 7-round 10,10 = $2^{-18.39}$, where $R^{7r}$ is the matrix defined in Subsection 5.3. Taking into account the clustering effect gives a more accurate lower bound for the probability of the 9-round boomerang distinguisher. However, according to the experimental evaluation, $p_{bm}^{9r} = 2^{-14.50}$. To empirically evaluate the probability, we choose a random key as well as a random tweak and then perform $2^{28}$ boomerang queries. After repeating this test for 1000 random keys and tweaks, we compute the average number of right quartets. The main reason for this gap between the theoretical bound and the empirical approximation of $p_{bm}^{9r}$ is the assumption that the differences are equal on the two sides of the boomerang distinguisher, whereas they can in fact take different values.

Figure 9: A 7-round Em where two DBCT and two DBCT are involved
More precisely, the differences at positions $A_5$ and $h_5$ can take different values in the two faces of the boomerang. Accordingly, using the UBCT and LBCT, we provide a more accurate theoretical bound for the probability of the 9-round boomerang distinguisher as follows: (3) where $n = 4$, and $\mathrm{BCT}_t$ and $\mathrm{Pr}_t$ are defined as follows: $\cdot\ \mathrm{LBCT}(B_9, c_5, b_9) \cdot \mathrm{UBCT}(B_9, c_{12}, C_{12}) \cdot \mathrm{LBCT}(C_{12}, d_1, c_{12}) \cdot \mathrm{UBCT}(E_1, f_{12}, F_{12}) \cdot \mathrm{LBCT}(F_{12}, g_9, f_{12}) \cdot \mathrm{UBCT}(F_5, g_9, G_9) \cdot \mathrm{LBCT}(G_9, h_{51}, h_{52}, g_9) \cdot \mathrm{DDT}(h_{51}, v_9) \cdot \mathrm{DDT}(h_{52}, v_9)$, $(A_{51}, A_{52})$ and $(h_{51}, h_{52})$ denote the differences at position $A_5$ and $h_5$ in the two faces of the boomerang distinguisher respectively. Evaluation of $p_{bm}^{9r}(U_9, v_9)$ when $(U_9, v_9) = (A, A)$ yields $p_{bm}^{9r} = 2^{-14.76}$, which is very close to the experimental value of $p_{bm}^{9r}$. One can see that the experimental values of $p_{bm}^{9r}$ and the theoretical value obtained using Equation 3 are also close for other values of $(U_9, v_9) \in (\mathbb{F}_2^n \setminus \{0\}, \mathbb{F}_2^n \setminus \{0\})$. It confirms our assumption that there is no dependency outside the 7-round middle part, as Equation 3 has been derived based on the assumption that the upper and lower crossing differences $H_5$ and $a_5$ are both uniformly distributed.
The above observation motivated us to model the 7-round middle part by a four-dimensional matrix instead of a two-dimensional matrix, using two new S-box tables, UBCT and LBCT. Let $A_{51}$ and $A_{52}$ be the differences in the two sides of the boomerang at position $A_5$. Similarly, $h_{51}$ and $h_{52}$ denote the differences in the two sides of the boomerang at position $h_5$. To obtain a more accurate bound for the boomerang distinguishers that are constructed by extending our 7-round boomerang distinguisher, we define the 4-dimensional matrix $R^{7r}_{i,j,k,l}$ as follows: where $n = 4$, $A_{51} = i$, $A_{52} = j$, $h_{51} = k$, and $h_{52} = l$. Hereafter, we use this matrix to provide a lower bound for the probability of the extended distinguishers based on $E_m^{7r}$. Appendix G gives a more efficient formula to evaluate $R^{7r}[i, j, k, l]$.
Let $E_0^{1r}$ and $E_1^{2r}$ depict the extended parts corresponding to one round ahead and two rounds behind, respectively. Furthermore, we consider rounds 2 to 8 as $E_m$. Let where $\Delta X_1^i$ = 0000 0i00 0000 0000 and $\nabla X_8^j$ = 0000 0j00 0000 0000, for $i, j \in \mathbb{F}_2^4 \setminus \{0\}$. Then, a lower bound for the probability of our 10-round boomerang distinguisher is: However, based on the experimental evaluation, $p_{bm}^{10r} = 2^{-18.17}$. In the experiments, we first choose a random key as well as a random master tweak and perform $2^{29}$ boomerang queries. We repeat this test for 100 randomly generated keys and tweaks and compute the average number of successes. As can be seen, there is a gap between the theoretical bound and the empirical value of $p_{bm}^{10r}$, which originates from the assumption $v_1 = v_9$ for the lower differential trail in Figure 9. In Figure 9 it is supposed that $v_1 = v_9$, whereas the differences $v_1$ and $v_9$ need not be the same in the 10-round boomerang distinguisher. Given that the output differences of the active S-boxes in the last round of the 10-round boomerang distinguisher are equal to A, the input differences, i.e. $v_1$ and $v_9$, can take an arbitrary value from {5, A, D, F}. As a result, in the theoretical evaluation of $p_{bm}^{10r}$, we have considered only 4 possible cases out of 16 possible cases for v = 0000 0$v_9$00 0000 $v_1$000. Hence, applying the theoretical formulas provided for the 7-round middle part $E_m^{7r}$, i.e. Equation 2 or Equation 4, to compute the probability of longer boomerang distinguishers only gives a lower bound for the probability of boomerang distinguishers covering more than 9 rounds.
One may construct a 10-round boomerang distinguisher by extending the 7-round boomerang distinguisher $E_m^{7r}$ two rounds backward and one round forward. However, as can be seen in Figure 9, due to the symmetry between the upper and lower differential trails, the total probability of this distinguisher is the same as the probability of the former one.

11-Round Boomerang Distinguisher
An 11-round boomerang distinguisher for CRAFT can be constructed by extending the 7-round boomerang distinguisher $E_m^{7r}$ two rounds forward and backward. As can be seen in Figure 9, the input and output differences of this 11-round boomerang distinguisher are as follows: $\Delta X_0$ = A000 AA00 0000 A000, $\nabla X_{11}$ = 0000 0A00 0000 A000.
Let $E_0^{2r}$ and $E_1^{2r}$ denote the extended parts ahead and behind respectively, and let $E_m$ include the 7 rounds in the middle. Assuming that the input/output differences of $E_m$ are $\Delta X_2^i$ = 0000 0i00 0000 0000 and $\nabla X_9^j$ = 0000 0j00 0000 0000, respectively, and , for all $i, j \in \mathbb{F}_2^4$, a lower bound for the probability of the 11-round boomerang distinguisher is: We also carried out experiments to verify the above bound. To do so, we first chose a random key and tweak and performed $2^{33}$ boomerang queries. We iterated this test for 100 randomly chosen keys and tweaks and observed that 1509.65 boomerangs return on average. Hence, the empirical probability is $p_{bm}^{11r} = 2^{-22.44}$. To find the reason for this gap between the theoretical bound and the experimental approximation, note that in Figure 9 it is supposed that $U_1 = U_9$, whereas $U_1$ and $U_9$ can take different values. In addition, it is supposed that $v_1 = v_9$, while $v_1$ and $v_9$ need not be the same.

12- to 14-Round Boomerang Distinguisher
One can extend the 7-round boomerang distinguisher $E_m^{7r}$ 3 rounds backward and 2 rounds forward to obtain a 12-round boomerang distinguisher for CRAFT. The input/output differences of the 12-round boomerang distinguisher are shown in Table 16, and the input and output differences of the 7-round middle part are assumed to be $\Delta X_3^i$ = 0000 0i00 0000 0000 and $\nabla X_{10}^j$ = 0000 0j00 0000 0000, respectively, where $i, j \in \mathbb{F}_2^4 \setminus \{0\}$.
, and $q_j = \Pr(\nabla X_{10}^j \xrightarrow{E_1^{2r}} \nabla X_{12})$, a lower bound for the probability of the 12-round boomerang distinguisher is . Taking into account that the input and output differences of the middle part need not be the same in the two sides of the boomerang distinguisher, the following formula gives a more accurate lower bound for the probability of the 12-round boomerang distinguisher: According to the experimental evaluations, the probability that the boomerang returns is $2^{-32.11}$, which validates the provided lower bound. To empirically approximate the probability, we first choose a random key and tweak and perform $2^{37}$ boomerang queries. We iterate this experiment for 100 random keys and tweaks and count the average number of right quartets. Table 16 provides a right quartet for the 12-round boomerang distinguisher. Similarly, we can extend the 7-round boomerang distinguisher $E_m^{7r}$ to build 13- and 14-round boomerang distinguishers with probabilities $p_{bm}^{13r} = 2^{-44.89}$ and $p_{bm}^{14r} = 2^{-60.33}$ respectively. Table 14 and Table 15 give the specification of the extended boomerang distinguishers based on $E_m^{7r}$ for 13 and 14 rounds of CRAFT respectively. Although, due to restricted computing power, we have not evaluated the experimental probability of the extended boomerang distinguishers for 13 and 14 rounds of CRAFT, we expect that the boomerang returns with a probability higher than what is estimated above, as we have not considered the entire clustering effect inside the boomerang distinguisher.

A Dedicated Boomerang Distinguisher for 14 Rounds of CRAFT
In the previous section, we showed that there exists a 7-round boomerang distinguisher for CRAFT that can be extended up to 14 rounds. However, for convenience, we used a common middle part to construct the boomerang distinguishers covering 9 to 14 rounds of CRAFT. Thus, it may be possible to find a better distinguisher in terms of probability if we search for a dedicated boomerang distinguisher for each case. Here, we provide a dedicated boomerang distinguisher with a higher probability for 14 rounds of CRAFT. Table 6 describes the specification of a dedicated boomerang distinguisher for 14 rounds of CRAFT, and Figure 10 illustrates three different parts of this distinguisher, i.e., $E_0$, $E_1$ and $E_m$.
As shown in Figure 10, the upper and lower differential paths are strongly interrelated and there are many common active S-boxes in the middle part. Hence, to avoid complicated formulas, we switch to the experimental approach to provide a lower bound for the probability of this boomerang distinguisher. Let us consider the 8-round middle part including rounds 4 to 11 as $E_m$. As can be seen in Figure 10, there exists only one active cell in both the input and output differences of $E_m$. On the other hand, each of the input and output differences can take different values in the two faces of the boomerang. Consequently, there are in total $15^4 = 50625$ possible combinations for the input/output differences of $E_m$ in the two sides of the boomerang distinguisher. However, due to restricted computing power, we let the differences in the active input and output cells of $E_m$ be different in the two sides of the boomerang only if they are taken from $S = \{5, 7, A, D, F\}$; otherwise, we assume that they are the same in the two faces of the boomerang. Thus, we consider only $5^4 + 10^2 = 725$ cases out of 50625 possible combinations for the input/output differences of $E_m$. Let $\Delta X_3^i$ = 0000 00i0 0000 0000 and $\nabla X_{11}^j$ = 0000 j000 0000 0000, for all $i, j \in \mathbb{F}_2^4 \setminus \{0\}$. For each of the 725 possible combinations, the input and output differences of $E_m$ in the two sides of the boomerang are fixed, and the probability that the boomerang returns is experimentally evaluated. Then, for all $i, j, k, l \in S$, the results are arranged into: , and for all $i, j \in \mathbb{F}_2^4 \setminus (S \cup \{0\})$, the results are stored into $R_{i,j}$, such that: Next, we show that the dependency does not exist outside $E_m$. To this end, we first assume that the lower and upper crossing differences are uniformly distributed outside $E_m$.
Based on this assumption, the following formula: i∈S j∈S k∈S l∈S , and $\Delta X_2$ = A000 0000 A000 0000, and $\nabla X_{12}$ = 0000 A000 0000 0000, must give the same value as the experimental probability of the 10-round boomerang distinguisher that is constructed by appending one round before and after $E_m$ in Figure 10. We empirically assessed the probability of the 10-round boomerang distinguisher composed of rounds 3 to 12 in Figure 10. To this end, we first chose a random key and tweak and performed $2^{28}$ boomerang queries. This test was iterated for 1000 randomly chosen keys and tweaks, and 4.93 boomerangs returned on average. Hence the experimental probability is $2^{-25.70}$, which is very close to the above approximation and therefore confirms our assumption. Consequently, a lower bound for the probability of the 14-round boomerang distinguisher is: . It is visible that the total probability is almost entirely determined by the first term.

Boomerang Distinguishers of CRAFT in the Related-Tweak Model
We have also investigated the boomerang behavior of CRAFT in the related-tweak model. In contrast to the single-tweak model, where the boomerang distinguishers have significant advantages over the basic differential distinguishers, the outcome was not promising in terms of the number of rounds compared to the current best differential distinguishers in the related-tweak model. It shows that the boomerang attack is less efficient than the basic differential attack for CRAFT in the related-tweak model. It is worth noting that we expected this behavior and it is not surprising. More precisely, on the one hand, the differences that are introduced by the tweakey schedule accelerate the diffusion of uniformly distributed differences, which reduces the number of rounds that can be covered by the middle part. On the other hand, the clustering effect in the related-tweak model is weaker than in the single-tweak model for CRAFT. Hence, the outcome is not promising in this model compared to the previous related-tweak differential cryptanalysis [BLMR19].

Boomerang Distinguishers for Reduced-Round SKINNY
In this section, we first briefly review the specification of SKINNY and its previous boomerang distinguishers, and then present improved boomerang distinguishers for different variants of SKINNY. Table 7 briefly describes the notations we use through this section of the paper.
The internal state of SKINNY is considered as a 4 × 4 matrix, where each entry is a nibble in the n = 64 case, or a byte in the n = 128 case. In both cases, the internal state $IS = I_0 I_1 \cdots I_{14} I_{15}$ is arranged row-wise into a 4 × 4 array, where $I_i \in \mathbb{F}_2^4$ (or $\mathbb{F}_2^8$). As illustrated in Figure 11, each round of SKINNY performs five basic operations on the cipher internal state: SubCells (SC), AddConstants (AC), AddRoundTweakey (ART), ShiftRows (SR), and MixColumns (MC). The first operation performed on the internal state in each round is SubCells (SC), in which, depending on the block size, a 4-bit S-box (for 64-bit block size) or an 8-bit S-box (for 128-bit block size) is applied to each cell of the internal state. The next operation is AddConstants (AC), where some round-dependent constants are XORed to the first column of the cipher internal state. Then, in AddRoundTweakey (ART), as represented in Figure 11, the first and second rows of the tweakey state are XORed with the corresponding rows of the internal state. In the ShiftRows (SR) layer, each cell in row j is rotated to the right by j cells.
In the MixColumns (MC) layer, each column of the internal state is multiplied by a 4 × 4 binary matrix. The tweakey state of SKINNY can contain both key and tweak materials and it is arranged as a collection of z 4 × 4 arrays of nibbles (for 64-bit block size) or bytes (for 128-bit block size), where z = t/n. The tweakey state arrays are denoted by  accurately evaluate the probability of generating the right quartet for two middle rounds of boomerang distinguishers proposed in [LGS17]. At FSE 2019, Song et al. proposed a generalized framework to identify the actual boundaries of $E_m$, which contains the dependency of the two differential paths of a boomerang distinguisher, and to systematically evaluate the probability of $E_m$ with any number of rounds. Using their method, Song et al. proved that the probabilities of four boomerang distinguishers proposed in [LGS17] are much higher than previously evaluated. To the best of our knowledge, the results of Song et al. in [SQH19] are the best published results for boomerang distinguishers of SKINNY so far. In this section we introduce new boomerang distinguishers for SKINNY-64-128, SKINNY-64-192, SKINNY-128-256, and SKINNY-128-384, which are remarkably better than the best previous boomerang distinguishers of SKINNY in terms of probability and number of rounds. Table 8 summarizes our results on boomerang distinguishers for SKINNY-n-2n and SKINNY-n-3n, where they are compared with the best previous ones.
Firstly, we investigated the best previous boomerang distinguishers in [SQH19], to see for how many rounds they can be extended. To this end, keeping the middle part and the tweakey difference of the proposed distinguishers unchanged, we extend them by some rounds forward and backward. Then, by fixing the input and output differences of $E_m$, we look for the best differential trails covering the extended $E_0$ and $E_1$. After that, taking into account the clustering effect, we compute p and q. In conclusion, given that r is known from [SQH19], we compute the total probability using the $p^2 q^2 r$ formula. The summary of our results concerning this search is given in Table 17. As can be seen, the best previous boomerang distinguishers of SKINNY-64-128, SKINNY-128-256 and SKINNY-128-384 proposed in [SQH19] and [LGS17] can be extended up to 18, 19, and 24 rounds respectively, whereas the best previous boomerang distinguisher for 22 rounds of SKINNY-64-192 cannot be extended to a higher number of rounds at all.
Based on the results in [SQH19], where it is proved that the upper and lower differential paths in boomerang distinguishers of SKINNY can be dependent for up to 6 rounds, we searched for boomerang distinguishers of SKINNY taking the 6-round middle part as $E_m$. Given that the boomerang distinguishers for the 8-bit versions of SKINNY cover more rounds [SGSL18] than those for the 4-bit versions, and that 8-bit S-boxes are heavy for MILP/SAT solvers, applying our search method to the 8-bit versions of SKINNY is more time-consuming. Accordingly, we applied a dedicated method to find boomerang distinguishers for SKINNY to speed up the search. Due to the structural similarity between the 4-bit and 8-bit versions of SKINNY, our idea is to use the boomerang distinguishers discovered for the 4-bit versions in discovering boomerang distinguishers for the 8-bit versions. Once a boomerang distinguisher is discovered for 18 rounds of SKINNY-64-128, we use the middle part of the discovered boomerang distinguisher to find a boomerang distinguisher for 18 rounds of SKINNY-128-256, as well as 22 rounds of SKINNY-128-384. To do so, we divide 18 (and 22) rounds of SKINNY-128-256 (and SKINNY-128-384) into three parts such that $E_m$ includes the 6-round middle part. Then, we look for the best differential trails for the first and last parts, i.e., $E_0$ and $E_1$, satisfying the active pattern of the input and output in the discovered $E_m$. The boomerang distinguishers discovered for 22 rounds of SKINNY-64-192 can be used to discover boomerang distinguishers for 22 rounds of SKINNY-128-384 in the same way. As a result, the discovered boomerang distinguishers have a common active pattern in the middle part.
While applying our search method for boomerang distinguishers to SKINNY, we observed that a suitable boomerang distinguisher for 18 rounds of SKINNY-64-128 and SKINNY-128-256 can be extended up to 19 and 21 rounds of these variants respectively. Besides, we observed that a suitable boomerang distinguisher for 22 rounds of SKINNY-64-192 and SKINNY-128-384 can be extended up to 23 and 25 rounds respectively. Among all of the boomerang distinguishers discovered using our dedicated search method, we picked the two best ones, called boomerang distinguisher I and boomerang distinguisher II, which are presented in the next sections.

Boomerang Distinguisher I for SKINNY
In this section, we present the details of boomerang distinguisher I for different variants of SKINNY. This distinguisher is constructed using our dedicated method to search for boomerang distinguishers of SKINNY, where we first discover a suitable boomerang distinguisher for 18 rounds of SKINNY-64-128 and then use its middle part to discover boomerang distinguishers for other variants of SKINNY. That is why the active pattern in the middle part of boomerang distinguisher I is the same for all variants of SKINNY. We first focus on the boomerang distinguisher I for SKINNY-64-128 and SKINNY-128-256.
Boomerang Distinguisher I for SKINNY-64-128 and SKINNY-128-256
Table 9 describes the specification of the boomerang distinguisher I for 18 rounds of SKINNY-64-128 and Figure 12 represents the upper and lower differential trails of this boomerang distinguisher, where the yellow squares stand for active cells and green squares represent any differences as before. Hex numbers at the top of the state squares are exact differences specified by the differential trails. The horizontal dashed lines in Figure 12 separate $E_0$, $E_m$ and $E_1$. It can be seen that each one of $E_0$, $E_1$ and $E_m$ includes 6 rounds, such that the middle part $E_m$ is composed of rounds $R_7$ to $R_{12}$, over which the upper and lower differential trails are extended with probability 1 towards each other. Next, we compute the probability of the middle part $E_m$, which we assume to include the dependency between the upper and lower differential trails. As illustrated in Figure 12, most of the common active S-boxes between the upper and lower differential trails appear in rounds $R_8$ to $R_{10}$. Hence, we start with computing the probability for the intermediate rounds consisting of rounds $R_8$ to $R_{10}$. It can be seen that $c_9$ and $D_1$, in the lower and upper differential trails respectively, are almost uniformly distributed. On the other hand, due to the weak diffusion of the linear layer, the difference $d_1$ in the lower differential trail does not diffuse to more cells. In addition, $d_1$ need not take an identical value in the two sides of the boomerang.
Consequently, assuming that $d_{1,1}$ and $d_{1,2}$ denote the different values of the difference $d_1$ in the two sides of the boomerang, and that $c_9$ and $D_1$ are uniformly distributed, the probability of the 3-round middle part including rounds $R_8$ to $R_{10}$ can be computed as follows: $\cdot\ \mathrm{DBCT}(B_{11}, C_{13}, d_4) \cdot \mathrm{BCT}(C_9, d_{14}) \cdot \mathrm{DBCT}(C_{13}, d_4, e_{13}) \cdot \mathrm{BCT}(C_{10}, d_4) \cdot \mathrm{DDT}(d_{1,1}, e_1) \cdot \mathrm{DDT}(d_{1,2}, e_1) \cdot \mathrm{DDT}(d_{14}, e_{13}) = 2^{-11.55}$, where $n = 4$, $B_{11} = 2$, $C_{10} = D$, and $e_1 = e_{13} = 5$. The experimental value of $p_m^{3r}$ is $2^{-11.70}$, which is very close to the provided theoretical value. Next, we append round $R_{11}$, and provide a formula to theoretically evaluate the probability for the 4-round intermediate part including rounds $R_8$, $R_9$, $R_{10}$, and $R_{11}$. To this end, note that the difference $e_{13}$ does not have to be identical in the two faces of the boomerang. Thus, assuming that $e_{13,1}$ and $e_{13,2}$ represent the differences at position $e_{13}$ in the two sides of the boomerang, we have: where $n = 4$, $B_{11} = 2$, $C_{10} = D$, $e_1 = 5$, and $f_{13} = 2$. Based on the experimental evaluations, $p_m^{4r} = 2^{-13.89}$, which is very close to the provided theoretical value. It should be noted that providing an accurate formula for a high number of rounds, in which the clustering effect in the middle part can be considered, is not only complicated; evaluating such a formula in our boomerang distinguishers is also a computationally hard problem, especially for the 8-bit versions of SKINNY. In conclusion, to avoid complicated formulas, and with the aim of providing a more accurate bound, we switch to the experimental approach.

Figure 12: Boomerang distinguisher I for 18 rounds of SKINNY-64-128 with the form 6 + 6 + 6
As illustrated in Figure 12, the lower crossing differences after 6 rounds are not random enough, as there are still nonzero differences in state a . On the other hand, four rounds ahead of and four rounds behind the 6-round $E_m$ are fully passive, and we can be sure that there is no dependency outside the 6-round middle part, as after propagating the lower and upper differential trails by four more rounds forward and backward, the crossing differences can be seen as perfectly uniform. Note that the input and output differences of $E_m$ in Figure 12 are imposed by the tweakey differences. Given that the tweakey schedule is linear and the master tweakey difference is fixed, the only possible combination for the input/output differences of $E_m$ in Figure 12 is $\Delta X_6$ = 0000000000040000, $\nabla X_{12}$ = 0000000000000000. Therefore, by fixing the input/output differences of $E_m$ to $\Delta X_6$ and $\nabla X_{12}$ respectively, we can simply evaluate the experimental probability of the 6-round middle part.
To assess the empirical probability of the intermediate $E_m$ with 6 rounds in Figure 12, we choose a tweakey at random and, following the pseudo-code in Appendix I, perform $2^{26}$ boomerang queries. We repeat this test for 1000 randomly chosen tweakeys and count the average number of right quartets. Accordingly, the probability of $E_m$ is $2^{-19.16}$. For the full 18-round distinguisher, taking into account the clustering effect, the probabilities of the first and last 6 rounds can be simply calculated using the automatic methods based on MILP/SAT, which give $p = 2^{-2.41}$ and $q = 2^{-8}$, respectively. In conclusion, a lower bound for the probability of the full 18-round boomerang distinguisher I for SKINNY-64-128 is $p^2 q^2 r = 2^{-39.98}$. We experimentally verified the correctness of this bound. To do so, we carried out several random experiments such that each experiment includes $2^{41}$ random boomerang queries in total, and computed the average number of returned boomerangs. More precisely, to carry out an experiment consisting of $2^{41}$ random boomerang queries, we performed 512 parallel experiments, each of which includes $2^{16}$ bunches of $2^{16}$ random boomerang queries, where a random fixed tweakey was used in each bunch and a random plaintext was used in every single query. As a result, we observed that about 3.71 boomerangs return on average. Table 22 provides a right quartet for this distinguisher.
The boomerang distinguisher I for 18 rounds of SKINNY-64-128 can be extended one round backward to construct a 19-round boomerang distinguisher, whose specification is provided in Table 10, which improves the previous results by one round. Also, as can be seen in Figure 12, removing the last round of the 18-round boomerang distinguisher I for SKINNY-64-128 results in a 17-round boomerang distinguisher with probability $2^{-27.98}$, which is better than the 17-round boomerang distinguisher proposed in [LGS17] in terms of probability.

$r_0 = 7$, $r_m = 6$, $r_1 = 6$, $p = 2^{-9}$, $q = 2^{-8}$, $r = 2^{-19.16}$, $p^2 q^2 r = 2^{-53.16}$

As mentioned before, to find a boomerang distinguisher for 18 rounds of SKINNY-128-256, we divide it into three 6-round parts and then look for the best differential trails for $E_0$ and $E_1$ satisfying the input/output activeness pattern of the discovered $E_m$ in boomerang distinguisher I for SKINNY-64-128. Due to the structural similarity between SKINNY-64-128 and SKINNY-128-256, we found an 18-round boomerang distinguisher for SKINNY-128-256 with the same activeness pattern as the 18-round boomerang distinguisher I for SKINNY-64-128. The large block size of SKINNY-128-256 lets us extend the discovered boomerang distinguisher I for SKINNY-128-256 up to 21 rounds of this cipher, which improves the previous distinguisher by two rounds. The specifications of boomerang distinguisher I for 18 to 21 rounds of SKINNY-128-256 are described in Table 18.

Boomerang Distinguisher I for SKINNY-64-192 and SKINNY-128-384
Table 11 describes the specification of boomerang distinguisher I for 22 rounds of SKINNY-64-192, and Figure 13 illustrates the upper and lower differential trails of this distinguisher. $E_0$ and $E_1$ are composed of the first and last 8 rounds, respectively, and the 6-round middle part has been considered as $E_m$. It can be seen that the activeness pattern in the middle part of this distinguisher is exactly the same as the activeness pattern of the middle part in boomerang distinguisher I for SKINNY-64-128.
Next, we show that $E_m$ in Figure 13 contains the entire dependency between the upper and lower differential trails. The propagation of the lower differences with probability 1 over $E_m$ in Figure 13 shows that there are still non-zero differences even after 6 rounds. Hence, the upper and lower differential trails are dependent in $E_m$. On the other hand, the 6 rounds before and after $E_m$ are passive, and the upper and lower crossing differences are uniformly distributed after 6 rounds of propagation in the forward and backward directions, respectively. Consequently, $E_m$ contains the entire dependency between the upper and lower differential trails in Figure 13. Given that the input/output differences of the middle part $E_m$ are induced by the tweakey differences and are therefore fixed, we experimentally evaluate the probability of the middle part for the fixed input/output differences shown in Figure 13. Our experimental evaluation follows the pseudo-code given in Appendix I, where we choose a tweakey at random and then perform $N = 2^{26}$ boomerang queries. After iterating this test for 1000 randomly chosen tweakeys, we count the average number of right quartets. Next, taking into account the clustering effect, we compute p and q, which are given in Table 11. Lastly, using the $p^2 q^2 r$ formula, we provide a lower bound for the probability of the boomerang distinguisher. We also experimentally verified the correctness of the constructed distinguisher. To do so, we performed several experiments, each of which consists of $2^{40}$ boomerang queries where a new random tweakey is used for each bunch of $2^{20}$ queries, and observed that about 2.26 right quartets are discovered on average. Table 23 provides a right quartet satisfying the boomerang distinguisher I for SKINNY-64-192.
Boomerang distinguisher I for SKINNY-64-192 can be extended one round backward, which results in a 23-round boomerang distinguisher whose specification is given by Table 12, whereas the best previous boomerang distinguisher for 22 rounds of SKINNY-64-192 in [LGS17] cannot be extended to 23 rounds of this version.

$r_0 = 9$, $r_m = 6$, $r_1 = 8$, $p = 2^{-9.41}$, $q = 2^{-7}$, $r = 2^{-20.02}$, $p^2 q^2 r = 2^{-52.84}$
$\Delta TK$: 0100000000000000 0B00000000000000 0800000000000000
$\Delta X_0$: 0400100000010010
$\Delta X_9$: 00000000000A0000
$\nabla TK$: 0020000000000000 0030000000000000 00D0000000000000
$\nabla X_{15}$: 0000000000000000
$\nabla X_{23}$: 5605060000450605

In the same way, we also found a boomerang distinguisher for 22 rounds of SKINNY-128-384 with the same activeness pattern as boomerang distinguisher I for 22 rounds of   . Table 24 represents one of the right quartets that were discovered during our experiments.

Boomerang Distinguisher II for SKINNY-64-128 and SKINNY-128-256
Throughout our search for boomerang distinguishers of SKINNY, we discovered a boomerang distinguisher which was a little better than boomerang distinguisher I for SKINNY-64-128 and SKINNY-128-256, in terms of probability, which is introduced here as boomerang distinguisher II for these variants of SKINNY. Due to our strategy to search for boomerang distinguishers of SKINNY, the activeness pattern of the middle part in boomerang distinguisher II is also the same for 18 rounds of SKINNY-64-128 and SKINNY-128-256. Therefore, we represent both of them in Figure 14.
In Figure 14, the hex numbers inside the squares represent the exact differences of the upper and lower differential trails in boomerang distinguisher II for SKINNY-128-256, whereas the hex numbers at the top of the state arrays represent the exact differences of the upper and lower differential trails in boomerang distinguisher II for SKINNY-64-128. As illustrated in Figure 14, the four rounds before and after $E_m$ are fully passive, which shows that $E_m$ contains the entire dependency between the upper and lower differential trails. A lower bound can be computed for the probability of this distinguisher as before. As shown in Figure 14, the 18-round boomerang distinguisher II for SKINNY-64-128 can be extended one round backward to construct a 19-round boomerang distinguisher for this variant of SKINNY. Similarly, boomerang distinguisher II for SKINNY-128-256 can be extended up to 21 rounds of this variant. The full specifications of boomerang distinguisher II for SKINNY-64-128 and SKINNY-128-256 are given in Table 20 and Table 21, respectively. Following the same configuration as the empirical verification of boomerang distinguisher I for 18 rounds of SKINNY-64-128, we experimentally verified the correctness of boomerang distinguisher II for 18 rounds of SKINNY-128-256. Table 25 represents one of the right quartets discovered during our experiments. It is worth noting that boomerang distinguisher II for 18 rounds of SKINNY-128-256 is the first practical boomerang distinguisher for 18 rounds of SKINNY-128-256 that can be verified practically without consuming too much computing power.

Rectangle Attacks on Reduced-Round SKINNY and CRAFT
In this section, based on the new distinguishers introduced in the previous section for SKINNY, i.e. distinguisher I/II, and the 14-round boomerang distinguisher of CRAFT in Figure 10, we present improved related-tweakey rectangle attacks on reduced SKINNY and CRAFT. Throughout this section, we follow the generalized framework for key recovery recently proposed by Zhao et al. [ZDM+20], using the same notation as much as possible. Hence, we define $E_b$ as the part of the cipher obtained when backtracking the trail from the input difference of the boomerang distinguisher in the backward direction under the related-tweakey difference $\Delta TK$ for $n_b$ round(s). Similarly, we define $E_f$ as the part of the cipher obtained when propagating the trail from the output difference of the boomerang distinguisher in the forward direction under the related-tweakey difference $\nabla TK$ for $n_f$ round(s). Each cell has $c$ bits, and we use $r_b$ (resp. $r_f$) to denote the number of unknown bits in the input difference of $E_b$ (resp. output difference of $E_f$). The notation $m_b$ (resp. $m_f$) denotes the number of involved bits of the sub-tweaks in $E_b$ (resp. $E_f$). To have $s$ quartets satisfying the distinguisher, we need $y$ structures of plaintexts, where for each structure we assign all possible values to the unknown cells of the plaintexts ($r_b$ bits), and we should have $y = \sqrt{s} \cdot 2^{n/2 - r_b} / \sqrt{p^2 \cdot r \cdot q^2}$. The number of messages queried under each related tweakey is defined as $M = y \cdot 2^{r_b}$.

Related-Tweakey Rectangle Attack on Reduced-Round SKINNY-64-192
Through the attacks on SKINNY-64-192 and other variants, we use the following properties of SKINNY [ZDM+20, SMB18]:
• Given that the round-tweak is XORed with the internal state after the SC layer and that the AC, SR and MC layers are linear, we can do key recovery at $Y_0$ of $E_b$ by defining where $\Delta_1$ is the difference at the input of the boomerang distinguisher (see Figure 15). Hence, it is not necessary to guess this round's sub-tweak.
• Similarly, we can start the key recovery attack at $W_{-n_b+1}$ of $E_b$ by defining the equivalent tweak $ETK$ as $ETK = MC \circ SR(TK_{r_b-1})$.
• Given the ciphertext $C$, we can decrypt the MC and SR layers of the last round of $E_f$. Hence, we use $SR^{-1} \circ MC^{-1}(C)$ for the key recovery attack. For the last two rows, which are not affected by the sub-tweak, we can also invert the SC layer.

Following Figure 15, we prefix three rounds at the beginning and three rounds at the end of distinguisher I for SKINNY-64-192, which includes 23 rounds, to conduct a related-tweakey boomerang attack on 29 rounds of the cipher. Hence, $E_b$ includes rounds $-2, -1, 0$ and $E_f$ includes rounds $24, 25, 26$. In the attack process, $r_b = 13 \cdot c$, $m_b = 16 \cdot c$, $r_f = 16 \cdot c$ and $m_f = 20 \cdot c$, where $c = 4$. We should satisfy $y = \sqrt{s} \cdot 2^{n/2 - r_b} / \sqrt{p^2 \cdot r \cdot q^2}$, which is $y = 2 \cdot 2^{32-52} / \sqrt{2^{-52.84}} = 2^{7.42}$ for $s = 4$, and $M = y \cdot 2^{r_b} = 2^{59.42}$. The attack procedure is as follows:

1. In data collection, we construct $y$ structures at $W_{-2}$ of $E_b$; each structure includes $2^{r_b}$ possible values for the unknown cells, giving $M = y \cdot 2^{r_b}$ different plaintexts. Next, each plaintext $P$ is encrypted under four related tweaks $TK_1$, $TK_2 = \Delta TK \oplus TK_1$, $TK_3 = \nabla TK \oplus TK_1$ and $TK_4 = \Delta TK \oplus TK_3$ to receive $(C_1, C_2, C_3, C_4)$. Then, $(P, C_1)$, $(P, C_2)$, $(P, C_3)$ and $(P, C_4)$ are respectively stored in four separate lists $L_1$, $L_2$, $L_3$ and $L_4$, where $L_2$ and $L_4$ are stored in hash tables $H_1$ and $H_2$ respectively, indexed by the $r_b$ bits of the plaintexts.
2. We guess a value for the $m_b$ bits of the sub-tweaks of $TK_1$ that are involved in $E_b$ and do as follows:
(a) We create two sets $S_1$ and $S_2$. For each pair $(P_1, C_1) \in L_1$, using the guessed bits of $TK_1$, we partially encrypt it up to $Y_0$, XOR it with the expected intermediate difference at $Y_0$, i.e. $\Delta Y_0$, decrypt it partially using $TK_2 = TK_1 \oplus \Delta TK$ to obtain $P_2$, find the related $(P_2, C_2) \in H_1$, and store $(P_1, C_1), (P_2, C_2)$ in the set $S_1$. We follow a similar approach for $P_3 \in L_3$ and $P_4 \in L_4/H_2$ and store the related pairs $(P_3, C_3), (P_4, C_4)$ in the set $S_2$. Hence, the size of each of the sets $S_1$ and $S_2$ is $M = y \cdot 2^{r_b} = 2^{59.42}$. It is clear: $\{\forall ((P_1, C_1), (P_2, C_2)) \in S_1 : (P_1, C_1) \in L_1, (P_2, C_2) \in L_2, E_{b_{TK_1}}(P_1) \oplus E_{b_{TK_2}}(P_2) = \Delta Y_0\}$ and $\{\forall ((P_3, C_3), (P_4, C_4)) \in S_2 : (P_3, C_3) \in L_3, (P_4, C_4) \in L_4,$
(b) Assuming the known bits at the output difference include $n - r_f$ bits, while we are propagating from $\nabla_4$, the output difference of the distinguisher, toward the ciphertext, we use those $n - r_f$ bits of $C_1$ and $n - r_f$ bits of $C_2$ to put $S_1$ into hash table $H_3$. Next, for any $((P_3, C_3), (P_4, C_4)) \in S_2$, we try to find an entry $((P_1, C_1), (P_2, C_2)) \in H_3$ such that $(C_1, C_3)$ and $(C_2, C_4)$ collide in the $n - r_f$ known bits. We remove any entry in $S_2/H_3$ that does not collide at all. The remaining quartets will be about $M^2 \cdot 2^{-2(n - r_f)}$. However, in our case of SKINNY-64-192, $n - r_f = 0$ and the remaining quartets will be $(2^{59.42})^2 \cdot 2^{2 \cdot (0)} = 2^{118.84}$.
(c) We then initialize a list of $2^{m_f}$ counters, i.e. $2^{80}$, each of which corresponds to a choice for the active $m_f$ bits of the sub-tweaks of the last three rounds.
(d) For each surviving quartet from Step 2b, we do the key recovery step by step as follows:
i. We partially decrypt the ciphertext pairs $(C_1, C_3)$ and determine their related $Z_{26}$ states.

Given that $m_b = 64$, the number of table look-ups needed to create the lists is $3 \cdot 2^{m_b} \cdot M = 2^{125.01}$. For the first filtering at Steps 2(d)i and 2(d)ii, we perform one round of decryption for the surviving $2^{118.84}$ quartets, which costs $2^{118.84} \cdot \frac{1}{29} = 2^{113.98}$ and must be repeated for every guess of $m_b$, leading to $2^{177.98}$. Next, through Steps 2(d)iii to 2(d)xiv, we perform one round of encryption, which costs $2^{106.84} \cdot \frac{1}{29} = 2^{101.99}$ and must be repeated for every guess of $m_b$, leading to $2^{165.99}$. We perform another round of decryption for the quartets surviving after Step 2(d)xiv through the rest of the attack, which are $2^{102.84}$ quartets; this costs $2^{102.84} \cdot \frac{1}{29} = 2^{97.99}$ and again must be repeated for every guess of $m_b$, leading to $2^{161.99}$. This is the dominant complexity of the rest of the attack up to Step 2(d)xxii. In item 2(d)xxiii, the complexity is $2^{m_b} \cdot 2^{192 - m_b - h} = 2^{172}$, for $h = 20$. Hence, the total time complexity will be almost $2^{178}$. The data complexity of the attack is $4 \cdot M = 2^{61.42}$ chosen plaintexts. The memory complexity is $4 \cdot M + M + 2^{m_f} = 5 \cdot 2^{59.42} + 2^{80} \approx 2^{80}$. The signal/noise ratio is $S_N = \frac{p^2 \cdot r \cdot q^2}{2^{-n}} = \frac{2^{-52.84}}{2^{-64}} = 2^{11.16}$ and the success probability is $P_s = 0.976$.
A similar attack can be conducted on other variants of SKINNY as well. Based on the parameter set depicted in Table 13, a summary of the key recovery attacks is presented in Table 1. Following this, we achieved the results below:

1. We prefix two rounds at the beginning and two rounds at the end of distinguisher II for SKINNY-64-128, which includes 19 rounds, to conduct a related-tweakey boomerang attack on 23 rounds of the cipher. In this process, $r_b = 8 \cdot 4$, $m_b = 8 \cdot 4$, $r_f = 13 \cdot 4$ and $m_f = 12 \cdot 4$. We should satisfy $y = 2^{26.54}$ for $s = 4$, which results in $M = 2^{58.54}$. Given that $m_b = 32$, the number of table look-ups needed to create the lists is $2^{92.12}$. For the first filtering, based on the ciphertexts, we should invert the last round's MC layer, which costs less than $2^{56.01}$. We should also perform one round of decryption for the surviving $2^{93.08}$ quartets, which costs $2^{32} \cdot 2^{93.08} \cdot \frac{1}{23} = 2^{120.56}$. In item 2(d)xxiii, the complexity is $2^{m_b} \cdot 2^{128 - m_b - h} = 2^{88}$, for $h = 40$. Given that the complexity of the other steps is negligible, the time complexity will be approximately $4M + 2^{120.56} + 2^{88} \approx 2^{120.7}$. The data complexity of the attack is $2^{60.54}$ chosen plaintexts. The memory complexity is $5 \cdot 2^{58.54} + 2^{48} \approx 2^{60.9}$. The signal/noise ratio is $2^{12.92}$ and the success probability is $P_s = 0.977$.
2. We extend the 21-round boomerang distinguisher I against SKINNY-128-256 to a 24-round key recovery attack. It is worth noting that distinguisher II has better probability, but distinguisher I provides lower total complexity in key recovery, based on our analysis. Through the attack, we prefix a round at the beginning and two rounds at the end of distinguisher I for SKINNY-128-256, which includes 21 rounds, to conduct a related-tweakey boomerang attack on 24 rounds of the cipher. In this process, $r_b = 0$, $m_b = 0$, $r_f = 14 \cdot 8$ and $m_f = 13 \cdot 8$. In this attack, we have $y = 2^{123.21}$ for $s = 4$ and $M = 2^{123.21}$. Given that $m_b = 0$, the number of table look-ups needed to create the lists is $2^{124.8}$. For the first filtering, based on the ciphertexts, we should invert the last round's MC layer and a cell of the SC layer, which costs less than $2^{120.63}$. We should also do one round decryption for the survived quartets that are $2^{214.43}$

Table 13: Summary of the used parameters through our key recovery attacks on the variants of SKINNY and CRAFT, where $D$, $n_D$, $n_b$ and $n_f$ respectively denote the used distinguisher, the number of rounds of the distinguisher, the number of rounds appended and the number of rounds prepended.

We should also invert the last round's MC layer and a cell of the SC layer, which costs less than $2^{120.43}$. We should also perform one round of decryption for the surviving $2^{246.59}$ quartets, which costs $2^{120} \cdot 2^{246.59} \cdot \frac{1}{30} = 2^{361.68}$. In item 2(d)xxiii, the complexity is $2^{280}$, for $h = 104$. Given that the complexity of the other steps is negligible, the time complexity will be approximately $4M + 2^{361.68} + 2^{280} \approx 2^{361.68}$. The data complexity of the attack is $2^{125.29}$ chosen plaintexts and the memory complexity is $2^{125.8}$. The signal/noise ratio is $S_N = \frac{p^2 \cdot r \cdot q^2}{2^{-n}} = \frac{2^{-116.59}}{2^{-128}} = 2^{11.41}$ and the success probability is $P_s = 0.977$.
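The parameter arithmetic of the SKINNY-64-192 and SKINNY-64-128 attacks above can be re-derived in the $\log_2$ domain. The following Python sketch is an added example, not code from the paper; the class and method names are hypothetical, and $\log_2(p^2 \cdot r \cdot q^2) = -51.08$ for SKINNY-64-128 is an assumption inferred from the stated signal/noise ratio $2^{12.92}$ with $n = 64$.

```python
from dataclasses import dataclass
from math import log2


def log2_sum(*exps):
    """Return log2(2^e1 + 2^e2 + ...) without overflowing."""
    top = max(exps)
    return top + log2(sum(2.0 ** (e - top) for e in exps))


@dataclass
class RectangleParams:      # hypothetical container; field names follow the text
    n: int                  # block size in bits
    rounds: int             # attacked rounds (one round costs 1/rounds)
    r_b: int                # unknown bits at the input of E_b
    m_b: int                # guessed sub-tweak bits in E_b
    r_f: int                # unknown bits at the output of E_f
    m_f: int                # sub-tweak bits involved in E_f (counter list size)
    log2_pr: float          # log2(p^2 * r * q^2) of the distinguisher
    s: int = 4              # expected number of right quartets

    # Every method returns the log2 of the quantity named in the text.
    def y(self):            # number of structures
        return log2(self.s) / 2 + self.n / 2 - self.r_b - self.log2_pr / 2

    def M(self):            # plaintexts per related tweakey, M = y * 2^r_b
        return self.y() + self.r_b

    def data(self):         # 4 * M chosen plaintexts
        return 2 + self.M()

    def lookups(self):      # 3 * 2^m_b * M table look-ups to build the lists
        return log2(3) + self.m_b + self.M()

    def quartets(self):     # M^2 * 2^(-2(n - r_f)) quartets after Step 2b
        return 2 * self.M() - 2 * (self.n - self.r_f)

    def first_filter(self): # one-round decryption, repeated per m_b guess
        return self.m_b + self.quartets() - log2(self.rounds)

    def memory(self):       # 4M + M + 2^m_f
        return log2_sum(log2(5) + self.M(), self.m_f)

    def snr(self):          # p^2 r q^2 / 2^-n
        return self.log2_pr + self.n


# Parameter sets as stated in the text (log2_pr of SKINNY-64-128 inferred).
SKINNY_64_192 = RectangleParams(n=64, rounds=29, r_b=52, m_b=64,
                                r_f=64, m_f=80, log2_pr=-52.84)
SKINNY_64_128 = RectangleParams(n=64, rounds=23, r_b=32, m_b=32,
                                r_f=52, m_f=48, log2_pr=-51.08)


def report(a):
    names = ("y", "M", "data", "lookups", "quartets",
             "first_filter", "memory", "snr")
    return {name: round(getattr(a, name)(), 2) for name in names}


if __name__ == "__main__":
    print(report(SKINNY_64_192))
    print(report(SKINNY_64_128))
```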

Single-Tweakey Rectangle Attack on CRAFT
Similar to the attack on the SKINNY variants described in Subsection 7.1, and based on almost the same notation wherever applicable, in this section we use the best boomerang distinguisher covering 14 rounds of CRAFT to provide a key-recovery attack on 18 rounds of the cipher in the single-tweakey model, as depicted in Figure 16.
Through the attack, given that the round-tweak is XORed with the internal state after the MC layer, we can ignore this layer and construct the structures of plaintexts on $Y_i$ of the first round of $E_b$. Besides, given the ciphertexts, it is possible to decrypt the last round's SB and PN layers of $E_f$. Moreover, the MC layer is linear, so we can filter the ciphertexts at $X_i$ of the last round. We can also verify the difference of the output of the distinguisher at $W_i$ of the first round of $E_f$. Hence, it is not necessary to guess this round's sub-tweak, i.e. that of the first round of $E_f$.
Following Figure 16, we prefix a round at the beginning and three rounds at the end of the dedicated distinguisher for CRAFT, which includes 14 rounds, to conduct a related-tweakey boomerang attack on 18 rounds of the cipher. In this process, $r_b = 24$ bits, $m_b = 24$ bits, $r_f = 44$ bits and $m_f = 84$ bits. However, $m_f$ and $m_b$ overlap in 4 bits ($TK_0[13]$, which we highlighted in purple), so the effective value is $m_f = 80$ bits. In this attack, we have $y = 2 \cdot 2^{32-24} / \sqrt{2^{-58.85}} = 2^{36.92}$ for $s = 4$ and $M = y \cdot 2^{r_b} = 2^{60.92}$. The attack procedure is as follows:

Figure 16: An 18-round key recovery attack against CRAFT

1. In data collection, we construct $y = 2^{36.92}$ structures at $Y_0$; each structure includes $2^{r_b}$ possible values for the unknown cells, giving $M = y \cdot 2^{r_b} = 2^{60.92}$ different plaintexts. Next, each plaintext $P$ is encrypted under the tweak $TK$ to receive the ciphertext $C$. Then, $(P, C)$ is stored in a list $L_1$ and also in a hash table $H_1$, indexed by the $r_b$ bits of the plaintexts.
2. We guess a value for the $m_b$ bits of the sub-tweaks that are involved in $E_b$ and do as follows:
(a) For each pair $(P_1, C_1) \in L_1$, using the guessed sub-tweaks, we partially encrypt it up to $X_1$, XOR it with the intermediate difference at $X_1$, decrypt it partially using the guessed sub-tweaks to obtain $P_2$, find the related $(P_2, C_2) \in H_1$, and store $(P_1, C_1), (P_2, C_2)$ in a set $S_1$ whose size will be $M = y \cdot 2^{r_b} = 2^{60.92}$. It is clear: $\forall ((P_1, C_1), (P_2, C_2)) \in S_1 : (P_1, C_1) \in L_1, (P_2, C_2) \in L_2, E_{b_{TK}}(P_1) \oplus E_{b_{TK}}(P_2) = \Delta_1$.
(b) Assuming the known cells at the output difference include $n - r_f = 20$ bits, while we are propagating from $\nabla_4$ toward the ciphertext, we use those $n - r_f$ bits of $C_1$ and $n - r_f$ bits of $C_2$ to put $S_1$ into hash table $H_2$. Next, for any $((P_1, C_1), (P_2, C_2)) \in S_1$, we try to find a different entry $((P_3, C_3), (P_4, C_4)) \in H_2$ such that $(C_1, C_3)$ and $(C_2, C_4)$ collide in the $n - r_f$ known bits. We remove any entry in $S_1/H_2$ that does not collide at all. The remaining quartets will be $M^2 \cdot 2^{-2(n - r_f)}$, i.

Given that $m_b = 24$, the number of table look-ups needed to create the lists is $3 \cdot 2^{m_b} \cdot M = 2^{86.51}$. For the first filtering, based on the ciphertexts, we should invert the last round's MC layer, which costs less than $2 \cdot M \cdot \frac{1}{18} = 2^{57.83}$. We should also perform one round of decryption for the surviving $2^{81.85}$ quartets, which costs $2^{24} \cdot 2^{81.85} \cdot \frac{1}{18} = 2^{101.68}$. The complexity of Step 2(d)xiv is $2^{m_b} \cdot 2^{128 - m_b - h} = 2^{56}$ for $h = 72$, and the complexity of Step 2(d)ii to Step 2(d)xiii is less than $2^{8} \cdot 2^{85.85} \cdot \frac{2}{18} = 2^{90.68}$. Hence, the time complexity will be approximately $4M + 2^{101.68} + 2^{56} + 2^{90.68} \approx 2^{101.7}$. The data complexity of the attack is $M = 2^{60.92}$ chosen plaintexts. The memory complexity is $4 \cdot M + 2^{m_f} = 4 \cdot 2^{60.92} + 2^{84} \approx 2^{84}$. The signal/noise ratio is $S_N = 2^{8.15}$ and the success probability is $P_s = 0.976$.

Conclusion
In this paper, we extended the recent advances in boomerang cryptanalysis of block ciphers by introducing new concepts called the Double Boomerang Connectivity Table, DBCT (which is an extension of the Boomerang Connectivity Table (BCT)), UBCT, and LBCT. We also applied a more advanced method to search for boomerang distinguishers. Next, we employed this technique and provided the first security analysis of CRAFT against the boomerang attack in the single-tweak model, for which the designers have not reported a security bound against this attack. Our analysis showed that reduced rounds of CRAFT have a strong boomerang effect. For example, we presented a deterministic distinguisher for 6 rounds of the cipher. For other rounds, up to 14 rounds, we also provided boomerang distinguishers that outperform other previously known distinguishers in the single-tweak model for the same number of rounds. In addition, based on the 14-round boomerang distinguisher for CRAFT, we provided a single-tweak rectangle attack on 18 rounds of this cipher. We also applied our heuristic approach to search for boomerang distinguishers of SKINNY in the related-tweakey model. As a result, we could considerably improve the best previous boomerang distinguishers of SKINNY-n-2n and SKINNY-n-3n for n ∈ {64, 128}. Then, building upon the improved boomerang distinguishers, we could improve the best previous attacks on SKINNY-64-128, SKINNY-64-192, SKINNY-128-256, and SKINNY-128-384 in the related-tweakey setting. It is worth noting that our improved related-tweakey rectangle attacks on SKINNY-64-192, SKINNY-128-256, and SKINNY-128-384 can be directly applied to the same number of rounds of ForkSkinny-64-192, ForkSkinny-128-256, and ForkSkinny-128-384.

G A More Efficient Formula to Compute R 7r
A more efficient formula for computing the four-dimensional matrix R 7r [i, j, k, l], can be obtained as follows. M 3 (E 1 , f 12 , g 9 ) · M 4 (F 5 , g 9 , h 51 , h 52 ).