A Differential Boomerang Attack Against 7-round Rijndael

In this paper, we report on our design of a choosen plaintext attack with work factor 2252 to recover of the first and the last subkeys of a 7-round Rijndael, while differential cryptanalysis against Rijndael have been done for up to 6 rounds and reported in published papers. We found a 5-round boomerang characteristic for Rijndael, and designed a choosen plaintext attack based on this characteristic ,with work factor 2249 to recover the 32 bits of the 1st round subkey and the 32 bits of the 7th round subkey. We also designed some simmilar attacks to recover other bits of subkeys of the first round and the last round. Therefore the work factor of this choosen plaintext attack to recover all bits of the first and the last subkeys of a 7-round Rijndael will be 2252, that is less than exhaustive search. It meanes that a 7-round Rijndael will be compromised with differential boomerang cryptanalysis.