Abstract: In this work we study differential attacks -- and in particular boomerang attacks -- against ARX-based hash functions such as Blake and Skein. ARX designs are quite popular, but analysis of these schemes is hard because differentials path must be constructed and verified at the bit level. The first part of the talk will describe an improvement to boomerang attacks when used in the context of hash functions. We present a new way to combine message modifications, or auxiliary differentials, with the boomerang attack. We show that under some conditions, we can combine three independent paths instead of two for the classical boomerang attack. This leads to a semi-practical distinguisher for the compression function of Skein-256 (reduced to 32 rounds), and for the inner permutation of Blake-256 (reduced to 8 rounds). In the second part of the talk, we study the details of differential paths. We describe some techniques to compute constraints that must be satisfied by the messages and show that many previous results are based on paths that are not satisfiable. For our new attacks, the paths have been verified by building actual messages, since the complexity is low enough.