In this paper we present the first boomerang analysis of WARP, a recently proposed Generalized Feistel Network with
extremely compact hardware implementations. We start by looking for boomerang characteristics that directly take into
account the boomerang switch effects by showing how to adapt Delaune et al.'s automated tool to the case of Feistel ciphers,
and propose several improvements to keep the execution time reasonable. We manage to cover 23 rounds with probability $2^{-124}$,
which becomes the best distinguisher presented on WARP so far. We then look for an attack by adding the key recovery
phase to our model, and we obtain a 26-round rectangle attack with time and data complexities of $2^{115.9}$ and $2^{120.6}$, respectively,
again resulting in the best result presented so far. Incidentally, our analysis discloses how an attacker can take
advantage of the position of the key addition (put after the S-box application to avoid complementation properties),
which in our case improves the time complexity by a factor of $2^{75}$ in comparison to a variant
with the key addition positioned before. Note that our findings do not threaten the security of the cipher, which iterates 41 rounds.