Slide attack

From Wikipedia, the free encyclopedia

The idea of the slide attack was originally published by Edna Grossman and Bryant Tuckerman in an IBM Technical Report in 1977. It is a form of cryptanalysis designed to deal with the prevailing idea that even weak ciphers can become very strong by increasing the number of rounds, which can ward off a differential attack. Grossman and Tuckerman demonstrated the attack on a weak block cipher named New Data Seal (NDS). A summary of the report, including a description of the NDS block cipher and the attack, is given in Cipher Systems (Beker & Piper, 1982). Bruce Schneier first suggested the term slide attack to David Wagner and Alex Biryukov, who used it in their 1999 paper.

The slide attack works in such a way as to make the number of rounds in a cipher irrelevant. Rather than looking at the data-randomizing aspects of the block cipher the slide attack works by analyzing the key schedule and exploiting weaknesses in it to break the cipher. The most common one is the keys repeating in a cyclic manner.

The only requirements for a slide attack to work on a cipher is that it can be broken down into multiple rounds of an identical F function. This probably means that it has a cyclic key schedule. The F function must be vulnerable to a known-plaintext attack. The slide attack is closely related to the related-key attack.

First, to introduce some notation. In this section assume the cipher takes n bit blocks and has a key-schedule using K_1 \cdots K_m as keys of any length.

The slide attack works by breaking the cipher up into identical permutation functions, F. This F function may consist of more than one round of the cipher; it is defined by the key-schedule. For example, if a cipher uses an alternating key schedule where it switches between a K1 and K2 for each round, the F function would consist of two rounds. Each of the Ki will appear at least once in F.

The next step is to collect 2n / 2 plaintext-ciphertext pairs. Depending on the characteristics of the cipher fewer may suffice, but by the birthday paradox no more than 2n / 2 should be needed. These pairs, which denoted as (P,C) are then used to find a slid pair which denoted (P0,C0)(P1,C1). A slid pair has the property that P0 = F(P1) and that C0 = F(C1). Once a slid pair is identified, the cipher is broken because of the vulnerability to known-plaintext attacks. The key can easily be extracted from this pairing. The slid pair can be thought to be what happens to a message after one application of the function F. It is ’slid’ over one encryption round and this is where the attack gets its name.

Image:Slideattack.jpg

The process of finding a slid pair is somewhat different for each cipher but follows the same basic scheme. One uses the fact that it is relatively easy to extract the key from just one iteration of F. Choose any pair of plaintext-ciphertext pairs, (P0,C0)(P1,C1) and check to see what the keys corresponding to P0 = F(P1) and C0 = F(C1) are. If these keys match, this is a slid pair; otherwise move on to the next pair.

With 2n / 2 plaintext-ciphertext pairs one slid pair is expected, along with a small number of false-positives depending on the structure of the cipher. The false positives can be eliminated by using the keys on a different message-ciphertext pair to see if the encryption is correct. The probability that the wrong key will correctly encipher two or more messages is very low for a good cipher.

Sometimes the structure of the cipher greatly reduces the number of plaintext-ciphertext pairs needed, and thus also a large amount of the work. The clearest of these examples is the Feistel cipher using just one key. The reason for this is given a P = (L0,R0) the search is for a P_0=(R_0, L_0 \bigoplus F(R_0,K)). This reduces the possible paired messages from 2n down to 2n / 2 (since half the message is fixed) and so at most 2n / 4 plaintext-ciphertext pairs are needed in order to find a slid-pair.

Block ciphers
v  d  e
Algorithms: 3-Way | AES | Akelarre | Anubis | ARIA | BaseKing | Blowfish | C2 | Camellia | CAST-128 | CAST-256 | CIKS-1 | CIPHERUNICORN-A | CIPHERUNICORN-E | CMEA | Cobra | COCONUT98 | Crab | CRYPTON | CS-Cipher | DEAL | DES | DES-X | DFC | E2 | FEAL | FROG | G-DES | GOST | Grand Cru | Hasty Pudding Cipher | Hierocrypt | ICE | IDEA | IDEA NXT | Iraqi | Intel Cascade Cipher | KASUMI | KHAZAD | Khufu and Khafre | KN-Cipher | Libelle | LOKI89/91 | LOKI97 | Lucifer | M6 | MacGuffin | Madryga | MAGENTA | MARS | Mercy | MESH | MISTY1 | MMB | MULTI2 | NewDES | NOEKEON | NUSH | Q | RC2 | RC5 | RC6 | REDOC | Red Pike | S-1 | SAFER | SC2000 | SEED | Serpent | SHACAL | SHARK | Skipjack | SMS4 | Square | TEA | Triple DES | Twofish | UES | Xenon | xmx | XTEA | Zodiac
Design: Feistel network | Key schedule | Product cipher | S-box | SPN

Attacks: Brute force | Linear / Differential / Integral cryptanalysis | Mod n | Related-key | Slide | XSL
Standardization: AES process | CRYPTREC | NESSIE

Misc: Avalanche effect | Block size | IV | Key size | Modes of operation | Piling-up lemma | Weak key
Cryptography
v  d  e
History of cryptography | Cryptanalysis | Cryptography portal | Topics in cryptography
Symmetric-key algorithm | Block cipher | Stream cipher | Public-key cryptography | Cryptographic hash function | Message authentication code | Random numbers
Retrieved from "http://en.wikipedia.org../../../s/l/i/Slide_attack.html"
Advanced Search
Included Web Search Engines


Safe Search

close

Top Matching Results

Occasionally Search.com will highlight specialized results that are based on the context of your query. Examples of specialized results include specific links to news, images, or video.

Top Matching Results may highlight information from other Search.com pages, content from the CNET Network of sites, or third party content. The listings are based purely on relevance. Search.com does not receive payment for listings in this section but our partners that provide this data may get paid for listing these products.

Sponsored Links

This section contains paid listings which have been purchased by companies that want to have their sites appear for specific search terms and related content. These listings are administered, sorted and maintained by a third party and are not endorsed by Search.com.

Search Results

Search.com sends your search query to several search engines at one time and integrates the results into one list which has been sorted by relevance using Search.com's proprietary algorithm. You can customize the list of search engines included in your metasearch from the preferences.

The search engines that are used in your metasearch may allow companies to pay to have their Web sites included within the results. To view the Paid Inclusion policy for a specific search engine, please visit their Web site. Search.com does not accept payment or share revenue with any search engine partner for listings in this section.