## Advanced Slide Attacks (2000)

Citations: 53 (5 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Biryukov00advancedslide,
    author = {Alex Biryukov and David Wagner},
    title = {Advanced Slide Attacks},
    booktitle = {},
    year = {2000},
    pages = {589--606},
    publisher = {Springer-Verlag}
}
```

### Abstract

Recently a powerful cryptanalytic tool—the slide attack—was introduced [3]. Slide attacks are very successful in breaking iterative ciphers with a high degree of self-similarity and, even more surprisingly, are independent of the number of rounds of a cipher. In this paper we extend the applicability of slide attacks to a larger class of ciphers. We find very efficient known- and chosen-text attacks on generic Feistel ciphers with a periodic key-schedule with four independent subkeys, and consequently we are able to break a DES variant proposed in [2] using just 128 chosen texts and negligible time for the analysis (for one out of every $2^{16}$ keys). We also describe known-plaintext attacks on DESX and Even-Mansour schemes with the same complexity as the best previously known chosen-plaintext attacks on these ciphers. Finally, we provide new insight into the design of GOST by successfully analyzing a 20-round variant (GOST⊕) and demonstrating weak key classes for all 32 rounds.

### Citations

303 | How to construct pseudorandom permutations from pseudorandom functions - Luby, Rackoff - 1988
Citation Context: ...c key-schedule with $2^{n/2}$ known plaintexts and about $2^{n/2}$ time, or with about $2^{n/4}$ chosen plain-ciphertexts and about $2^{n/4}$ time. Also, sliding with a twist can be used to distinguish a Luby-Rackoff [13] construction with two alternating pseudo-random functions f and g and with an arbitrary number of rounds (an accepted notation is $\Psi(f, g, f, g, \ldots, f, g)$) from a random permutation with about 2 n=...

180 | Description of a new variable-length key, 64-bit block cipher (Blowfish) - Schneier
Citation Context: ..., The Weizmann Institute of Science, Rehovot 76100, Israel. Email: albi@wisdom.weizmann.ac.il. University of California, Berkeley. Email: daw@cs.berkeley.edu. attack was presented on modified Blowfish [17], a cipher based on key-dependent S-boxes which so far had resisted all the conventional attacks. The existence of attacks which are independent of the number of rounds is perhaps counter-intuitive. T...

171 | New Types of Cryptanalytic Attacks Using Related Keys, Abstracts Eurocrypt '93 - Biham
Citation Context: ...r DES was proposed. This key-schedule was supposed to be "as effective as that used in the current DES" and was "suggested for use in any new algorithm" [2]. This variant of DES was already studied in [1] resulting in a related-key attack on it. In this section we show a chosen plaintext/ciphertext slide attack on this variant of DES, which uses only 128 chosen texts and negligible time for analysis. ...

149 | Slide attacks - Biryukov, Wagner - 1999
Citation Context: ...ating weak key classes for all 32 rounds. Keywords: cryptanalysis, block-cipher, slide attack. 1 Introduction. The slide attack is a powerful new method of cryptanalysis of block-ciphers introduced in [3]. The unique feature of this new cryptanalytic attack is its independence of the number of rounds used in the cipher of interest: when a slide attack is possible, the cipher can be broken no matter ho...

100 | Communication theory of secrecy systems. Bell system technical journal - Shannon - 1949

54 | A construction of a cipher from a single pseudorandom permutation - Even, Mansour - 1997
Citation Context: ... Note that these ciphertext-only attacks are applicable not only to ECB mode but also to most of the standard chaining modes, including CBC and CFB modes. Cryptanalysis of the Even-Mansour Scheme. In [7], Even and Mansour studied a simple n-bit block cipher construction based on a fixed pseudo-random permutation and keyed n-bit xors at the input and at the output. Due to the generic nature of our previ...

34 | Cryptanalysis of LOKI'91 - Knudsen - 1993
Citation Context: ... break a weakened Feistel cipher by a chosen plaintext attack, independent of the number of rounds. We were also inspired by Biham's work on related-key cryptanalysis [1], and Knudsen's early work [12]. Some related concepts can be found in Coppersmith's analysis of fixed points in DES weak keys and cycle structure of DES using these keys [5]. This analysis was continued further by Moore and Simmons ...

21 | Limitations of the Even-Mansour construction - Daemen - 1993
Citation Context: ...ur slide attack succeeds with just $2^{(n+1)/2}$ known plaintexts and $2^{(n+1)/2}$ work. This provides a known-plaintext attack with the same complexities as the best previously-known chosen plaintext attack [6] and within a factor of $\sqrt{2}$ away from the Even-Mansour lower bound. 5 Analysis of GOST. GOST, the Russian encryption standard [19], was published in 1989. Even after considerable amount of time and e...

16 | Multiple encryption: Weighing security and performance - Kaliski, Robshaw - 1996
Citation Context: ... keyed transformations around a complex mixing transform goes back to Shannon [18, pp.713]. One may apply differential or linear cryptanalysis to DESX, but then at least $2^{60}$–$2^{61}$ texts are needed [11]. In contrast, slide attacks allow for a generic attack with a much smaller data complexity. [Fig. 5. Sliding with a twist, applied to DESX.] E 1 k (c i ) p i int...

10 | Analysis of a Weakened Feistel-like Cipher - Grossman, Tuckerman - 1978
Citation Context: ...cal, but we view it as a first step towards a better understanding of the GOST design. 6 Related Work. The first step in the "sliding" direction can be dated back to a 1978 paper by Grossman and Tuckerman [8], which has shown how to break a weakened Feistel cipher by a chosen plaintext attack, independent of the number of rounds. We were also inspired by Biham's work on related-key cryptanalysis [1], a...

10 | The Real Reason for Rivest’s Phenomenon - Coppersmith - 1986
Citation Context: ...related-key cryptanalysis [1], and Knudsen’s early work [12]. Some related concepts can be found in Coppersmith’s analysis of fixed points in DES weak keys and cycle structure of DES using these keys [5]. This analysis was continued further by Moore and Simmons [14]. For a DES weak key, all round subkeys are constant, and so encryption is self-inverse and fixed points are relatively common: there are...

8 | Cryptographic Protection for Information Processing Systems - Zabotin, Glazkov, Isaeva - 1989
Citation Context: ... same complexities as the best previously-known chosen plaintext attack [6] and within a factor of $\sqrt{2}$ away from the Even-Mansour lower bound. 5 Analysis of GOST. GOST, the Russian encryption standard [19], was published in 1989. Even after considerable amount of time and effort, no progress in cryptanalysis of the standard was made in the open literature except for a brief overview of a GOST structur...

6 | Principles and Performance of Cryptographic Algorithms - Preneel, Rijmen, et al. - 1998
Citation Context: ...s which so far had resisted all the conventional attacks. The existence of attacks which are independent of the number of rounds is perhaps counter-intuitive. To illustrate this consider a quote from [15]: "Except in a few degenerate cases, an algorithm can be made arbitrarily secure by adding more rounds." Slide attacks force us to revise this intuition, and this motivates our detailed study of advan...

3 | The Exact Security of - Bellare, Rogaway
Citation Context: ...ion of DES proposed by Rivest in 1984. It makes DES more resistant to exhaustive search attacks by xoring two 64-bit keys: one at the input and another at the output of the DES encryption box. See [10, 16] for theoretical analysis of DESX. In this section we show the unexpected result that the DESX construction contains just enough symmetry to allow for slide attacks. These results are actually general...

2 | Key Scheduling - Brown, Seberry - 1990
Citation Context: ...We find very efficient known- and chosen-text attacks on generic Feistel ciphers with a periodic key-schedule with four independent subkeys, and consequently we are able to break a DES variant proposed in [2] using just 128 chosen texts and negligible time for the analysis (for one out of every $2^{16}$ keys). We also describe known-plaintext attacks on DESX and Even-Mansour schemes with the same complexity a...

1 | The Real Reason for Rivest's Phenomenon, proceedings of CRYPTO'85 - Coppersmith - 1986
Citation Context: ...n related-key cryptanalysis [1], and Knudsen's early work [12]. Some related concepts can be found in Coppersmith's analysis of fixed points in DES weak keys and cycle structure of DES using these keys [5]. This analysis was continued further by Moore and Simmons [14]. For a DES weak key, all round subkeys are constant, and so encryption is self-inverse and fixed points are relatively common: there are p...

1 | How to Protect Against Exhaustive Key Search - Kilian, Rogaway - 1996
Citation Context: ...ion of DES proposed by Rivest in 1984. It makes DES more resistant to exhaustive search attacks by xoring two 64-bit keys: one at the input and another at the output of the DES encryption box. See [10, 16] for theoretical analysis of DESX. In this section we show the unexpected result that the DESX construction contains just enough symmetry to allow for slide attacks. These results are actually general...