This article includes alist of references,related reading, orexternal links,but its sources remain unclear because it lacksinline citations. Please helpimprove this article byintroducing more precise citations.(March 2009) (Learn how and when to remove this message)

Theslide attack is a form ofcryptanalysis designed to deal with the prevailing idea that even weakciphers can become very strong by increasing the number ofrounds, which can ward off adifferential attack. The slide attack works in such a way as to make the number of rounds in a cipher irrelevant. Rather than looking at the data-randomizing aspects of the block cipher, the slide attack works by analyzing thekey schedule and exploiting weaknesses in it to break the cipher. The most common one is the keys repeating in a cyclic manner.

The attack was first described byDavid Wagner andAlex Biryukov.Bruce Schneier first suggested the termslide attack to them, and they used it in their 1999 paper describing the attack.

The only requirements for a slide attack to work on a cipher is that it can be broken down into multiple rounds of an identicalF function. This probably means that it has a cyclic key schedule. TheF function must be vulnerable to aknown-plaintext attack. The slide attack is closely related to therelated-key attack.

The idea of the slide attack has roots in a paper published byEdna Grossman andBryant Tuckerman in an IBM Technical Report in 1977.^[1] Grossman and Tuckerman demonstrated the attack on a weakblock cipher namedNew Data Seal (NDS). The attack relied on the fact that the cipher has identical subkeys in each round, so the cipher had a cyclic key schedule with a cycle of only one key, which makes it an early version of the slide attack. A summary of the report, including a description of the NDS block cipher and the attack, is given inCipher Systems (Beker & Piper, 1982).

First, to introduce some notation. In this section assume the cipher takesn bit blocks and has a key-schedule using${\displaystyle K_1\cdots K_m}$ as keys of any length.

The slide attack works by breaking the cipher up into identical permutationfunctions,F. ThisF function may consist of more than one roundof the cipher; it is defined by the key-schedule. For example, if a cipher uses an alternating key schedule where it switches between a${\displaystyle K_1}$ and${\displaystyle K_2}$ for each round, theF function would consist of two rounds. Each of the${\displaystyle K_i}$ willappear at least once inF.

The next step is to collect${\displaystyle 2^{n/2}}$ plaintext-ciphertext pairs. Depending onthe characteristics of the cipher fewer may suffice, but by thebirthday problem no more than${\displaystyle 2^{n/2}}$ should be needed. These pairs, which denoted as${\displaystyle (P,C)}$ are then used to find aslid pair which is denoted${\displaystyle (P_0,C_0)(P_1,C_1)}$. A slid pair has the property that${\displaystyle P_0=F(P_1)}$ and that${\displaystyle C_0=F(C_1)}$. Once a slid pair is identified, the cipher is broken because of the vulnerability to known-plaintext attacks. The key can easily be extracted from this pairing.The slid pair can be thought to be what happens to a message after one application of the functionF. It is ’slid’ over one encryption round and this is where the attack gets itsname.

The process of finding a slid pair is somewhat different for each cipherbut follows the same basic scheme. One uses the fact that it is relativelyeasy to extract the key from just one iteration ofF. Choose any pair ofplaintext-ciphertext pairs,${\displaystyle (P_0,C_0)(P_1,C_1)}$ and check to see what the keys corresponding to${\displaystyle P_0=F(P_1)}$ and${\displaystyle C_0=F(C_1)}$ are. If these keys match, this is a slid pair; otherwise move on to the next pair.

With${\displaystyle 2^{n/2}}$ plaintext-ciphertext pairs one slid pair is expected, along with a small number of false-positives depending on the structure of the cipher. The false positivescan be eliminated by using the keys on a different message-ciphertext pair to see if the encryption is correct. The probability that the wrong key will correctly encipher two or more messages is very low for a good cipher.

Sometimes the structure of the cipher greatly reduces the number ofplaintext-ciphertext pairs needed, and thus also a large amount of the work.The clearest of these examples is theFeistel cipher using a cyclic key schedule.The reason for this is given a${\displaystyle P=(L_0,R_0)}$ the search is for a${\displaystyle P_0=(R_0,L_0⨁F(R_0,K))}$. This reduces the possible paired messages from${\displaystyle 2^n}$down to${\displaystyle 2^{n/2}}$ (since half the message is fixed) and so at most${\displaystyle 2^{n/4}}$ plaintext-ciphertext pairs are needed in order to find a slid pair.

• Henry Beker & Fred Piper (1982).Cipher Systems: The Protection of Communications.John Wiley & Sons. pp. 263–267.ISBN 978-0-471-89192-5. (contains a summary of the paper by Grossman and Tuckerman)
• Alex Biryukov andDavid Wagner (March 1999).Slide Attacks(PDF/PostScript). 6th International Workshop onFast Software Encryption (FSE '99).Rome:Springer-Verlag. pp. 245–259. Retrieved2007-09-03.
• Alex Biryukov & David Wagner (May 2000).Advanced Slide Attacks(PDF/PostScript). Advances in Cryptology, Proceedings ofEUROCRYPT 2000.Bruges: Springer-Verlag. pp. 589–606. Retrieved2007-09-03.
• S. Furuya (December 2001).Slide Attacks with a Known-Plaintext Cryptanalysis(PDF). 4th International Conference on Information Security and Cryptology (ICISC 2001).Seoul: Springer-Verlag. pp. 214–225. Retrieved2007-09-03.
• Eli Biham (1994)."New Types of Cryptanalytic Attacks Using Related Keys"(PDF/PostScript).Journal of Cryptology.7 (4):229–246.CiteSeerX 10.1.1.48.8341.doi:10.1007/bf00203965.ISSN 0933-2790.S2CID 19776908. Retrieved2007-09-03.
• M. Ciet, G. Piret,J. Quisquater (2002)."Related-Key and Slide Attacks: Analysis, Connections, and Improvements"(PDF/PostScript). Retrieved2007-09-04.{{cite journal}}:Cite journal requires|journal= (help)CS1 maint: multiple names: authors list (link)

• Cryptographic attacks

• Articles with short description
• Short description matches Wikidata
• Articles lacking in-text citations from March 2009
• All articles lacking in-text citations
• CS1 errors: missing periodical
• CS1 maint: multiple names: authors list