Background and definitions

The Boomerang attack, introduced in 1999 by Wagner ^[1], is a cryptanalysis technique against block ciphers based on differential cryptanalysis. To study the resistance to this attack, Cid et al.^[2] introduced the Boomerang Connectivity Table (BCT). Next, Boura and Canteaut^[3] , introduced the notion of boomerang uniformity.

For a permutation ${\displaystyle F:\mathbb {F} _{2^{n}}\rightarrow \mathbb {F} _{2^{n}}}$, the Boomerang Connectivity Table (BCT) is given by a ${\displaystyle 2^{n}\times 2^{n}}$ table ${\displaystyle T_{F}}$,

${\displaystyle T_{F}(a,b)=|\{x\in \mathbb {F} _{2^{n}}:F^{-1}(F(x)+a)+F^{-1}(F(x+b)+a)=b\}|}$.

The boomerang uniformity of ${\displaystyle F}$ is the maximal value, i.e. ${\displaystyle \beta _{F}=\max _{a,b\in \mathbb {F} _{2^{n}}^{*}}T_{F}(a,b)}$

Main properties

For ${\displaystyle F}$ a permutation, the following properties on the boomerang uniformity were proven.

• The boomerang uniformity is invariant for inverse and affine equivalence but not for EA- and CCZ-equivalence.
  • For ${\displaystyle F'}$ an affine equivalent permutation, ${\displaystyle F'=A_{2}\circ F\circ A_{1}}$, we have ${\displaystyle T_{F'}(a,b)=T_{F}(L_{1}(a),L_{2}^{-1}(b))}$, with ${\displaystyle L_{i}}$ the linear part of ${\displaystyle A_{i}}$.
  • For the inverse we have ${\displaystyle T_{F^{-1}}(a,b)=T_{F}(b,a)}$.
• Relation with the differential uniformity: ${\displaystyle \delta _{F}\leq \beta _{F}}$ and ${\displaystyle \delta _{F}=2}$ if and only if ${\displaystyle \beta _{F}=2}$.
• ${\displaystyle T_{F}(a,b)=|\{(x,y):F(x+a)+F(y+a)=b,F(x)+F(y)=b\}|}$.
• If ${\displaystyle F}$ is a power permutation, then ${\displaystyle \beta _{F}=\max _{b\neq 0}T(1,b)}$.
• If ${\displaystyle F}$ is a quadratic permutation, then ${\displaystyle \delta _{F}\leq \beta _{F}\leq \delta _{F}(\delta _{F}-1)}$.