**New Slide Attacks on Almost Self-Similar Ciphers**

*Orr Dunkelman and Nathan Keller and Noam Lasry and Adi Shamir*

**Abstract: **The slide attack is a powerful cryptanalytic tool which has the unusual property that it can break iterated block ciphers with a complexity that does not depend on their number of rounds. However, it requires complete self similarity in the sense that all the rounds must be identical. While this can be the case in Feistel structures, this rarely happens in SP networks since the last round must end with an additional post-whitening subkey. In addition, in many SP networks the final round has additional asymmetries -- for example, in AES the last round omits the MixColumns operation. Such asymmetry in the last round can make it difficult to utilize most of the advanced tools which were developed for slide attacks, such as deriving from one slid pair additional slid pairs by repeatedly re-encrypting their ciphertexts.

In this paper we overcome this "last round problem" by developing four new types of slide attacks. We demonstrate their power by applying them to many types of AES-like structures (with and without linear mixing in the last round, with known or secret S-boxes, with 1,2 and 3 periodicity in their subkeys, etc). In most of these cases, the time complexity of our attack is close to $2^{n/2}$, which is the smallest possible complexity for slide attacks. Our new slide attacks have several unique properties: The first attack uses slid sets in which each plaintext from the first set forms a slid pair with some plaintext from the second set, but without knowing the exact correspondence. The second attack makes it possible to create from several slid pairs an exponential number of new slid pairs which form a hypercube spanned by the given pairs. The third attack has the unusual property that it is always successful, and the fourth attack can use known messages instead of chosen messages, with only slightly higher time complexity.

**Category / Keywords: **secret-key cryptography / Slide attack, 1-KSA, 1K-AES, Slid sets, Hypercuber of slid pairs, suggestive structures, Substitution slide

**Date: **received 16 May 2019

**Contact author: **orrd at cs haifa ac il

**Available format(s): **PDF | BibTeX Citation

**Version: **20190520:125458 (All versions of this report)

**Short URL: **ia.cr/2019/509

[ Cryptology ePrint archive ]