Efficient Slide Attacks

Bar-On, Achiya; Biham, Eli; Dunkelman, Orr; Keller, Nathan

doi:10.1007/s00145-017-9266-8

Cited by 22 publications

(7 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This idea corresponds to Feistel networks with round functions instantiated in the probably simplest form of G i (k i , x i ) = F i (k i ⊕ x i ), where F i is keyless and public; and at the i-th round, the intermediate state is updated according toThis model was named Key-Alternating Feistel (KAF) by Lampe and Seurin [35], and is also known as Feistel-2 schemes according to IACR Tikz library. It has been extensively studied by the cryptanalytic community [9,32,28], and frequently became the instructive example for new attacks [10,2].The gap between LR and KAF ciphers is non-negligible. For example, with less than 2 2n complexity, the best known generic key recovery attacks break 4-round LR [32] which is in sharp contrast with 6-round KAF [28].…”

mentioning

confidence: 99%

See 1 more Smart Citation

Revisiting Key-Alternating Feistel Ciphers for Shorter Keys and Multi-user Security

Guo

Wang

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Key-Alternating Feistel (KAF) ciphers, a.k.a. Feistel-2 models, refer to Feistel networks with round functions of the form Fi(ki⊕xi), where ki is the (secret) round-key and Fi is a public random function. This model roughly captures the structures of many famous Feistel ciphers, and the most prominent instance is DES. Existing provable security results on KAF assumed independent round-keys and round functions (ASI-ACRYPT 2004 & FSE 2014. In this paper, we investigate how to achieve security under simpler and more realistic assumptions: with round-keys derived from a short main-key, and hopefully with identical round functions. For birthday-type security, we consider 4-round KAF, investigate the minimal conditions on the way to derive the four round-keys, and prove that when such adequately derived keys and the same round function are used, the 4-round KAF is secure up to 2 n/2 queries. For beyond-birthday security, we focus on 6-round KAF. We prove that when the adjacent round-keys are independent, and independent round-functions are used, the 6 round KAF is secure up to 2 2n/3 queries. To our knowledge, this is the first beyond-birthday security result for KAF without assuming completely independent round-keys. Our results hold in the multi-user setting as well, constituting the first non-trivial multi-user provable security results on Feistel ciphers. We finally demonstrate applications of our results on designing keyschedules and instantiating keyed sponge constructions.To obtain a 2n-bit BC, the IEM model requires 2n-bit permutations. Whereas following the Feistel approach, several n-to-n-bit functions suffice. Moreover, these functions need not to be invertible (this might be the reason why Feistel ciphers were extremely popular before 1990s). In all, Feistel ciphers could be built upon primitives with smaller domain and less structural properties, which is particularly appealing from a theoretical point of view. From the security point of view, without any additional hardness assumption other than the idealness of round functions, provable security is limited by the domain-size of the round functions [48]. Therefore, IEM benefits from the use of larger primitives: with t independent 2n-bit random permutations and 2tn key bits, t-round IEM is provably secure up to 2 2tn t+1 adversarial queries [15] which approaches 2 2n for large t. In contrast, Feistel models can only be secure against at most 2 n queries [48], which is far less than its domain-size 2 2n . This upper bound is very unsatisfying. Despite this limitation as well as the gap between the idealized model and the rather weak round functions in practice, this provable approach supplies insights into the BC structures, excludes generic attacks, and may help refine designs. Due to these, this approach is valuable and has received a lot of attention. The Luby-Rackoff (LR) Scheme, in reference to the seminal work of Luby and Rackoff [37], might be the most popular model for Feistel ciphers so far. In this model, the round functions G i (k i , x R ) are ...

show abstract

mentioning

confidence: 99%

“…This model was named Key-Alternating Feistel (KAF) by Lampe and Seurin [35], and is also known as Feistel-2 schemes according to IACR Tikz library. It has been extensively studied by the cryptanalytic community [9,32,28], and frequently became the instructive example for new attacks [10,2].…”

mentioning

confidence: 99%

Revisiting Key-Alternating Feistel Ciphers for Shorter Keys and Multi-user Security

Guo

Wang

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Slide attack [12] is proposed by Biryukov and Wagner at FSE 1999. In the Journal of Cryptology (2018), more efficient slide attacks are proposed to reduce the time complexity of the slide attack [13]. At Eurocrypt 2020, several new types of slide attacks are proposed to overcome the asymmetry of the last round [14].…”

Section: Introductionmentioning

confidence: 99%

Slide Attack on Full-Round ULC Lightweight Block Cipher Designed for IoT

Zhang

Lai

Wang

et al. 2022

Security and Communication Networks

View full text Add to dashboard Cite

To meet the security demand for IoT devices, many new lightweight block ciphers are proposed. ULC is a lightweight block cipher designed for the IoT. It has many advantages in terms of memory use, efficiency, and security. In this paper, a slide attack on full-round ULC is proposed in a related key setting. First, two properties on ULC are discovered. The first property is presented to illustrate the property of a slid pair for ULC. The second property is introduced to construct a link between some round key bits and some master key bits. Based on these properties, a key recovery attack on ULC is proposed. In this attack, with the condition of one related key, all the 80 master key bits can be recovered with the data complexity of O(232), the memory complexity of O(232), and the time complexity of O(263). The result of this paper indicates that ULC can’t resist slide attack in related key settings.

show abstract

“…First, several cryptanalytic attacks on secret S-boxes constructions (such as GOST [GOS98] and Blowfish [Sch94]) may have access to the difference distribution table rather than the S-box itself. For example, in Bar-On et al's slide attack on GOST [BOBDK18], the attacker can learn the DDT, and needs to deduce the secret S-box from it.…”

Section: Introductionmentioning

confidence: 99%

Reconstructing an S-box from its Difference Distribution Table

Dunkelman¹,

Huang²

2019

ToSC

Self Cite

View full text Add to dashboard Cite

In this paper we study the problem of recovering a secret S-box from its difference distribution table (DDT). While being an interesting theoretical problem on its own, the ability to recover the S-box from the DDT of a secret S-box can be used in cryptanalytic attacks where the attacker can obtain the DDT (e.g., in Bar-On et al.’s attack on GOST), in supporting theoretical analysis of the properties of difference distribution tables (e.g., in Boura et al.’s work), or in some analysis of S-boxes with unknown design criteria (e.g., in Biryukov and Perrin’s analysis).We show that using the well established relation between the DDT and the linear approximation table (LAT), one can devise an algorithm different from the straightforward guess-and-determine (GD) algorithm proposed by Boura et al. Moreover, we show how to exploit this relation, and embed the knowledge obtained from it in the GD algorithm. We tested our new algorithm on random S-boxes of different sizes, and for random 14-bit bijective S-boxes, our results outperform the GD attack by several orders of magnitude.

show abstract

Efficient Slide Attacks

Cited by 22 publications

References 31 publications

Revisiting Key-Alternating Feistel Ciphers for Shorter Keys and Multi-user Security

Revisiting Key-Alternating Feistel Ciphers for Shorter Keys and Multi-user Security

Slide Attack on Full-Round ULC Lightweight Block Cipher Designed for IoT

Reconstructing an S-box from its Difference Distribution Table

Contact Info

Product

Resources

About