
Reflections on slide with a twist attacks

Designs, Codes and Cryptography

Abstract

Slide attacks use pairs of encryption operations which are slid against each other. Slide with a twist attacks are more sophisticated variants of slide attacks which slide an encryption operation against a decryption operation. Designed by Biryukov and Wagner in 2000, these attacks were used against several cryptosystems, including DESX, the Even–Mansour construction, and Feistel structures with four-round self-similarity. They were further extended in 2012 to the mirror slidex framework, which was used to attack the 20-round GOST block cipher and several additional variants of the Even–Mansour construction. In this paper, we revisit all the previously published applications of these techniques and show that in almost all cases, the same or better results can be achieved by a simpler attack which is based on the seemingly unrelated idea of exploiting internal fixed points. The observation that such fixed points can be useful in cryptanalysis of block ciphers has been known for decades and is the basis of the reflection attack presented by Kara in 2007. However, all the examples to which reflection attacks were applied were based on particular constructions such as Feistel structures or GOST key schedules in which it was easy to explicitly list and count the fixed points. In this paper, we generalize Kara’s reflection attack by using the combinatorial result that random involutions on \(2^n\) values are expected to have a surprisingly large number of \(O(2^{n/2})\) fixed points (whereas random permutations are expected to have only \(O(1)\) fixed points). This makes it possible to reduce the complexity of the best known attack on additional cryptographic schemes in which it is difficult to explicitly characterize and count the internal fixed points.
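The combinatorial result the abstract relies on can be checked numerically. The following Python sketch is an added example, not code from the paper: it samples uniformly random involutions using the standard counting recurrence \(I_k = I_{k-1} + (k-1) I_{k-2}\) and compares their fixed-point counts with those of random permutations. All function names and the toy size \(2^{10}\) are assumptions chosen for illustration.

```python
import random
from fractions import Fraction

def involution_counts(size):
    """I[k] = number of involutions on k points (I[k] = I[k-1] + (k-1)*I[k-2])."""
    I = [1, 1]
    for k in range(2, size + 1):
        I.append(I[k - 1] + (k - 1) * I[k - 2])
    return I

def expected_fixed_points(size):
    """Exact mean number of fixed points of a uniform involution on `size` points."""
    I = involution_counts(size)
    return Fraction(size * I[size - 1], I[size])

def random_involution(size, rng, I):
    """Uniform sample: with k points left, the next one is fixed w.p. I[k-1]/I[k]."""
    free, perm = list(range(size)), list(range(size))
    while free:
        k = len(free)
        x = free.pop()
        if rng.randrange(I[k]) < I[k - 1]:
            continue                      # x maps to itself
        j = rng.randrange(len(free))      # otherwise pair x with a uniform partner
        free[j], free[-1] = free[-1], free[j]
        y = free.pop()
        perm[x], perm[y] = y, x
    return perm

def fixed_points(perm):
    return sum(1 for i, v in enumerate(perm) if i == v)

def average_fixed_points(size, trials, seed=1):
    """Mean fixed-point count over `trials` random involutions and permutations."""
    rng, I = random.Random(seed), involution_counts(size)
    inv_total = perm_total = 0
    for _ in range(trials):
        inv_total += fixed_points(random_involution(size, rng, I))
        p = list(range(size))
        rng.shuffle(p)
        perm_total += fixed_points(p)
    return inv_total / trials, perm_total / trials

if __name__ == "__main__":
    N = 2 ** 10                           # constructed toy size: n = 10 bits
    inv_avg, perm_avg = average_fixed_points(N, trials=200)
    print("sqrt(N)                  :", N ** 0.5)
    print("exact E[fixed], involut. :", float(expected_fixed_points(N)))
    print("sampled mean, involution :", inv_avg)
    print("sampled mean, permutation:", perm_avg)
```

For \(N = 2^{10}\) the involution mean sits just below \(\sqrt{N} = 32\), while the permutation mean stays near 1 regardless of \(N\).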


Notes

  1. For the sake of simpler presentation, we slightly disregard the exact success probability of the attacks. All the attacks reported in the paper have a constant non-negligible success rate (for the proposed complexities). At the same time, we alert the reader that sometimes, the success rate might be slightly lower than 50% (e.g., when we assume a collision occurs given \(2^{n/2}\) n-bit strings, rather than \(1.17\cdot 2^{n/2}\)). Additionally, for the sake of comparison, when comparing with previous attacks, we always report the comparable data complexity that offers the same success rate.

  2. Note that any cryptosystem can be represented in such a way by artificially adding an identity operation (which is an involution) in its middle, but since the omission of \(E_1\) does not simplify the cryptosystem in this case, we will not get a better attack.

  3. We note that in some cases, it is possible to discard candidate plaintext pairs before applying the attack on \(E_0\) and \(E_2\).

  4. We alert the reader that in DES the key length is 56 bits, and thus the time complexity of the attack is essentially about \(2^{56} \cdot 2^{64/2}\) (again taking into account that a small multiplicative constant in the data/time complexities increases the success rate).

  5. We alert the reader that in most slide attacks, the ordered pair \((P_i,P_j)\) is different than the ordered pair \((P_j,P_i)\), as the question of which plaintext is slid with respect to which plaintext does depend on the order.

  6. We note that in [17] the concept of probabilistic slide attacks is explored. The attack uses a differential \(\alpha \rightarrow \beta \) for \(E_1\), similarly to our framework. The data complexity of the attack is \(O(2^{(n/2)} \cdot \sqrt{1/p})\) known plaintexts (and a similar memory complexity) with time complexity of \(O(2^{n/2} \cdot \sqrt{1/p} \cdot t)\). Our approach uses more data (in the stricter chosen ciphertext model) but requires significantly smaller memory.

  7. To increase the probability of success to 90%, one should use \(2^{n/2+1.1}\) known plaintexts.

  8. We note that both the slide with a twist attack as well as the reflection-based attack can be transformed into memoryless attacks using adaptive chosen plaintext queries and cycle finding algorithms. The resulting data complexity is about \(2^{n/2}\) adaptively chosen plaintexts, and the time complexity is the same (and no additional memory is needed).

  9. We note that a similar reflection property exists with \(P^R = C^R\) and \(P^L = C^L \oplus Out_1 \oplus \varDelta '\) for \(\varDelta ' = K_1 \oplus K_3\). This property can be exploited while reusing the data used for the other attack.

References

  1. Bard G.V., Ault S.V., Courtois N.T.: Statistics of random permutations and the cryptanalysis of periodic block ciphers. Cryptologia 36(3), 240–262 (2012). doi:10.1080/01611194.2011.632806

  2. Biryukov A., Wagner D.: Slide attacks. In: Knudsen L.R. (ed.) Proceedings of the 6th International Workshop on Fast Software Encryption, FSE ’99, Rome, 24–26 March, 1999. Lecture Notes in Computer Science, vol. 1636, pp. 245–259. Springer, Berlin (1999). doi:10.1007/3-540-48519-8_18

  3. Biryukov A., Wagner D.: Advanced slide attacks. In: Preneel B. (ed.) Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques, Advances in Cryptology—EUROCRYPT 2000, Bruges, 14–18 May, 2000. Lecture Notes in Computer Science, vol. 1807, pp. 589–606. Springer, Berlin (2000). doi:10.1007/3-540-45539-6_41

  4. Brown L., Seberry J.: Key scheduling in des type cryptosystems. In: Seberry J., Pieprzyk J. (eds.) Proceedings of the International Conference on Cryptology, Advances in Cryptology—AUSCRYPT ’90, Sydney, 8–11 January, 1990. Lecture Notes in Computer Science, vol. 453, pp. 221–228. Springer, Berlin (1990). doi:10.1007/BFb0030363

  5. Coppersmith D.: The real reason for Rivest’s phenomenon. In: Williams H.C. (ed.) Proceedings of the Advances in Cryptology—CRYPTO ’85, Santa Barbara, CA, 18–22 August, 1985. Lecture Notes in Computer Science, vol. 218, pp. 535–536. Springer, Berlin (1986). doi:10.1007/3-540-39799-X_42

  6. Courtois N.: Algebraic complexity reduction and cryptanalysis of GOST. IACR Cryptology ePrint Archive, 626 (2011). http://eprint.iacr.org/2011/626. Accessed 1 June 2015

  7. Courtois N.T., Bard G.V.: Random permutation statistics and an improved slide-determine attack on keeloq. In: Naccache D. (ed.) Cryptography and Security: From Theory to Applications—Essays Dedicated to Jean–Jacques Quisquater on the Occasion of His 65th Birthday. Lecture Notes in Computer Science, vol. 6805, pp. 35–54. Springer, Berlin (2012). doi:10.1007/978-3-642-28368-0_6

  8. Dinur I., Dunkelman O., Shamir A.: Improved attacks on full GOST. In: Canteaut A. (ed.) Proceedings of the Fast Software Encryption—19th International Workshop, FSE 2012, Washington, DC, 19–21 March, 2012. Revised Selected Papers. Lecture Notes in Computer Science, vol. 7549, pp. 9–28. Springer, Berlin (2012). doi:10.1007/978-3-642-34047-5_2

  9. Dunkelman O., Keller N., Shamir A.: Minimalism in cryptography: the Even–Mansour scheme revisited. In: Pointcheval D., Johansson T. (eds.) Proceedings of the Advances in Cryptology—EUROCRYPT 2012–31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, 15–19 April, 2012. Lecture Notes in Computer Science, vol. 7237, pp. 336–354. Springer, Berlin (2012). doi:10.1007/978-3-642-29011-4_21

  10. Dunkelman O., Keller N., Shamir A.: Slidex attacks on the Even–Mansour encryption scheme. J. Cryptol. 28(1), 1–28 (2015). doi:10.1007/s00145-013-9164-7

  11. Even S., Mansour Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–162 (1997). doi:10.1007/s001459900025

  12. Flajolet P., Sedgewick R.: Analytic Combinatorics. Cambridge University Press, Cambridge (2009). http://www.cambridge.org/uk/catalogue/catalogue.asp?isbn=9780521898065. Accessed 1 June 2015

  13. Government Committee of the USSR for Standards: Gosudarstvennei Standard 28147–89, Cryptographic Protection for Data Processing Systems. Technical Report (1989).

  14. Isobe T.: A single-key attack on the full GOST block cipher. In: Joux A. (ed.) Proceedings of the 18th International Workshop on Fast Software Encryption—FSE 2011, Lyngby, 13–16 February, 2011. Revised Selected Papers. Lecture Notes in Computer Science, vol. 6733, pp. 290–305. Springer, Berlin (2011). doi:10.1007/978-3-642-21702-9_17

  15. Kaliski Jr. B.S., Rivest R.L., Sherman A.T.: Is DES a pure cipher? (Results of more cycling experiments on DES). In: Williams H.C. (ed.) Proceedings of the Advances in Cryptology—CRYPTO ’85, Santa Barbara, CA, 18–22 August, 1985. Lecture Notes in Computer Science, vol. 218, pp. 212–226. Springer, Berlin (1986). doi:10.1007/3-540-39799-X_17

  16. Kara O.: Reflection attacks on product ciphers. IACR Cryptology ePrint Archive, 43 (2007). http://eprint.iacr.org/2007/043. Accessed 1 June 2015

  17. Soleimany H.: Probabilistic slide cryptanalysis and its applications to LED-64 and zorro. In: Cid C., Rechberger C. (eds.) Proceedings of the 21st International Workshop on Fast Software Encryption—FSE 2014, London, 3–5 March, 2014. Revised Selected Papers. Lecture Notes in Computer Science, vol. 8540, pp. 373–389. Springer, Berlin (2014). doi:10.1007/978-3-662-46706-0_19

  18. Soleimany H., Blondeau C., Yu X., Wu W., Nyberg K., Zhang H., Zhang L., Wang Y.: Reflection cryptanalysis of PRINCE-like ciphers. In: Moriai S. (ed.) Proceedings of the 20th International Workshop on Fast Software Encryption—FSE 2013, Singapore, 11–13 March, 2013. Revised Selected Papers. Lecture Notes in Computer Science, vol. 8424, pp. 71–91. Springer, Berlin (2013). doi:10.1007/978-3-662-43933-3_5


Acknowledgments

The second author was supported in part by the Israel Science Foundation through Grants Nos. 827/12 and 1910/12. The third author was supported by the Alon Fellowship.


Corresponding author

Correspondence to Orr Dunkelman.

Additional information

This is one of several papers published in Designs, Codes and Cryptography comprising the “Special Issue on Cryptography, Codes, Designs and Finite Fields: In Memory of Scott A. Vanstone”.


Cite this article

Dinur, I., Dunkelman, O., Keller, N. et al. Reflections on slide with a twist attacks. Des. Codes Cryptogr. 77, 633–651 (2015). https://doi.org/10.1007/s10623-015-0098-y


  • DOI: https://doi.org/10.1007/s10623-015-0098-y
