Slide Attacks Alex Biryukov? and David Wagner?? Abstract. It is a general belief among the designers of block-ciphers that even a relatively weak cipher may become very strong if its number of rounds is made very large. In this paper we describe a new gene- ric known- (or sometimes chosen-) plaintext attack on product ciphers, which we call the slide attack and which in many cases is independent of the number of rounds of a cipher. We illustrate the power of this new tool by giving practical attacks on several recently designed ciphers: TREYFER, WAKE-ROFB, and variants of DES and Blowfish. 1 Introduction As the speed of computers grows, fast block ciphers tend to use more and more rounds, rendering all currently known cryptanalytic techniques useless. This is mainly due to the fact that such popular tools as differential [1] and linear ana- lysis [13] are statistic attacks that excel in pushing statistical irregularities and biases through surprisingly many rounds of a cipher. However any such approach finally reaches its limits, since each additional round requires an exponential ef- fort from the attacker. This tendency towards a higher number of rounds can be illustrated if one looks at the candidates submitted to the AES contest. Even though one of the main criteria of the AES was speed, several prospective candidates (and not the slowest ones) have really large numbers of rounds: RC6(20), MARS(32), SERPENT(32), CAST(48). This tendency is a reflection of a belief/empirical evidence that after some high number of rounds even a relatively weak cipher becomes very strong. It is supported by the example of DES, where breaking even 16 rounds is already a very hard task, to say nothing about 32–48 rounds (e.g. double- or triple-DES). Thus for the cryptanalyst it becomes natural to search for new tools which are essentially independent of the number of rounds of a cipher. The first step in this direction can be dated back to a 1978 paper by Grossman and Tuckerman [9], which has shown how to break a weakened Feistel cipher1 by a chosen plaintext attack, independent of the number of rounds. We were also inspired by Biham’s work on related-key cryptanalysis [2], and Knudsen’s early work [12]. ? Applied Mathematics Department, Technion - Israel Institute of Technology, Haifa, Israel 32000. Email: [email protected] ?? University of California, Berkeley. Email: [email protected] 1 An 8-round Feistel cipher with eight bits of key material per round used to swap between two S-boxes S0 and S1 in a Lucifer-like manner. A really weak cipher by modern criteria. L. Knudsen (Ed.): FSE’99, LNCS 1636, pp. 245–259, 1999. c Springer-Verlag Berlin Heidelberg 1999 246 A. Biryukov and D. Wagner In this paper we introduce a new class of generic attacks which we call slide attacks together with a new set of cryptanalytic tools applicable to all product (mainly iterative) ciphers and even to any iterative (or recursive) process over the finite domain (stream ciphers, etc.). Such attacks apply as soon as the iterative process exhibits some degree of self-similarity and are in many cases independent of the exact properties of the iterated round function and of the number of rounds. While the two other generic cryptanalytic attacks—differential and linear analysis—concentrate mainly on the propagation properties of the encryption engine (assuming a strong key-scheduling which produces independent subkeys), the degree of self-similarity of a cipher as studied by slide attacks is a totally diffe- rent aspect. Depending on the cipher’s design, slide attacks range from exploiting key-scheduling weaknesses to exploiting more general structural properties of a cipher. The most obvious version of this attack is usually easy to prevent by destroying the self-similarity of an iterative process, for example by adding ite- ration counters or fixed random constants. However more sophisticated variants of this technique are harder to analyze and to defend against. We start by analyzing several block ciphers that decompose into r iterations of a single key-dependent permutation Fi. We call such ciphers homogeneous. This usually arises when the key-schedule produces a periodic subkey sequence, when Fi = Fj for all i j mod p where p represents the period. In the simplest case, p = 1 and all round≡ subkeys are the same. We call these attacks self-related key attacks, since they are essentially a special case of related-key attacks [2]. Note, however, that our attacks require only a known- (or sometimes chosen-) plaintext assumption and thus are much more practical than most related key attacks2. For the case of block ciphers operating on a n-bit block, the complexity of slide attacks (if they work) is usually close to O(2n=2) known plaintexts. For Feistel ciphers where the round function Fj modifies only half of the block, there is also a chosen-plaintext variant which can often cut the complexity down to O(2n=4) chosen texts. A somewhat less expected observation is that schemes relying on key-depen- dent S-boxes are also vulnerable to sliding. In general, autokey ciphers and data- dependent transformations are potentially vulnerable to such attacks. We sum- marize our results in Table 1. This paper is organized as follows. In Section 2, we describe the details of a typical slide attack, and in Section 3 we show how the attacks can be optimized for Feistel ciphers. We then proceed with an introductory example: a 96-bit DES variant with 64-rounds, which we call 2K-DES, Section 4. The next two sections are devoted to cryptanalysis of several concrete cipher proposals: Section 5 breaks TREYFER, a cipher published in FSE’97, and Section 6 analyzes stream cipher proposals based on WAKE presented at FSE’97 and FSE’98. Finally, Section 7 shows slide attacks on ciphers with key-dependent S-boxes, focusing on a variant of Blowfish with zero round subkeys. 2 However, Knudsen’s early work on LOKI91 [12] showed how to use a related-key-type weakness to reduce the cost of exhaustive keysearch using only chosen plaintexts. Slide Attacks 247 Table 1. Summary of our attacks on various ciphers. Cipher (Rounds) Key Bits Our Attack Data Complexity Time Complexity Blowfish1 (16) 448 227CP 227 Treyfer (32) 64 232KP 244 2K-DES (64) 96 233ACP 233 2K-DES (64) 96 232KP 250 WAKE-ROFB (k)32n 232CR 232 1 – Modified variant, without round subkeys. KP — known-plaintext, CP — chosen- plaintext, ACP — adaptive chosen-plaintext, CR — chosen-resynchronization (IV). 2 A Typical Slide Attack In Figure 1, we show the process of encrypting the n-bit plaintext X0 under a typical product cipher to obtain the ciphertext Xr. Here Xj denotes the interme- diate value of the block after j rounds of encryption, so that Xj = Fj(Xj 1;kj). − For the sake of clarity, we often omit k by writing F (x)orFi(x) instead of F (x; k)orFi(x; k). X0 F1 F2 Fr Xr ··· Fig. 1. A typical block cipher As we mentioned before, the attack presented in this note is independent of the number of rounds of the cipher, since it views a cipher as a product of identical permutations F (x; k), where k is a fixed secret key (here F might include more than one round of the cipher). Moreover its dependence on the particular structure of F is marginal. The only requirement on F is that it is very weak against known-plaintext attack with two plaintext-ciphertext pairs. More specifically, we call F a weak permutation if given the two equations F (x1;k)=y1 and F (x2;k)=y2 it is “easy” to extract the key k. This is informal definition since the amount of easiness may vary from cipher to cipher. We can show that 3 rounds of DES form a weak permutation3. One and a half round IDEA is also weak. 3 For F = three rounds of DES, with DES keyschedule one may consider 4-bit output of specific S-box at the 1st and 3rd rounds. This gives a 4-bit condition on the 6 key bits entering this S-box at the 1st and on 6 bits entering this S-box at the 3rd round. Using similar observations it is possible to extract the full DES 56-bit key in time faster than that of one DES encryption. 248 A. Biryukov and D. Wagner We next show in Figure 2 how a slide attack against such a cipher might proceed. The idea is to “slide” one copy of the encryption process against another copy of the encryption process, so that the two processes are one round out of phase. We let X0 and X0 denote the two plaintexts, with Xj = Fj(Xj 1) and − Xj0 = Fj(Xj0 1). With this notation, we line up X1 next to X0 , and Xj+1 next − to Xj0 . X0 F1 F2 Fr Xr ··· X0 F1 F2 Fr X0 0 ··· r Fig. 2. A typical slide attack Next, we suppose that Fj = Fj+1 for all j 1; this is the assumption required to make the slide attack work. In this case, all≥ the round functions are the same, so for the remainder of this section we will drop the subscripts and simply write F for the generic round transform. The crucial observation is that if we have a match X1 = X0 , then we will also have Xr = Xr0 1. The proof is by induction. Suppose that Xj = Xj0 1. Then − − we may compute Xj+1 = F (Xj)=F (Xj0 1)=F (Xj0 1)=Xj0 , which completes − − the proof.