OBAKE Cryptanalysis:

Slide Attack

Slide attack is generic attack designed by Biryukov and Wagner. It can be applied in both Known Plaintext or Chosen Plaintext scenarios. It can be viewed as a variant of a Related Key attack, in which a relation of the key with itself is exploited. The main feature of this attack is that it realizes a dream of cryptanalysts: if the cipher is vulnerable to such an attack, the complexity of the attack is independent of the number of rounds of the cipher.

Several ciphers or slight modifications of existing ciphers have been shown vulnerable to such attacks: for example, the Brown-Seberry variant of the Data Encryption Standard (DES) (rotations in key-schedule are by seven positions, instead of varying 1, 2 rotations as in the original DES), DES-X, the Even-Mansour scheme, arbitrary Feistel ciphers with 4-round periodic keyschedule as well as round-reduced versions of GOST.

It is clear that slide-attack would apply to any iterative construction which has enough selfsimilarity in its rounds. It could be applied to block-ciphers as described above, to streamciphers (see for example resynchronization attack on WAKE-ROFB) or to MAC and hash-functions: see for example a recent slid pair discovery for SHA-1 by Saarinen. In practice the attack seems easy to avoid by breaking the similarity of the round transforms by applying round counters (as is done for example in Skipjack) or different random constants in each round (as in Rijndael/AES, SHA-256 and many other constructions). Whether such simple changes are indeed sufficient is a matter of further research.

OBAKE-512 is designed to resist this type of attack, as explained below:

  • OBAKE-512 works with multiple keys and some of them being random. This way, there is no type of correlation that can act as a "constant", even in the case where the same data is encrypted with the same keys. You can take a look on this capability at this page and this page.

  • OBAKE-512 does not utilizes "rounds" to achieve a best cryptographic security, but several non-linear schemes of different algorithms and keys being used there.

  • OBAKE-512 uses MACs (message authentication code) that are encrypted with one or more keys before being appended to the encrypted result. Thus, equivalence cannot be established by the XOR rule.

  • OBAKE-512 uses 512-bit "Rainbow-proof" and "Lookup-proof" hashes in some stages, thus avoiding other existing attacks on HASH templates or equivalence/correlation attacks.

Bibliographic references

H.C.A. Tilborg et al., "Encyclopedia of Cryptography and Security", H. C. A. v. Tilborg Ed., SpringerScience+Business Media LLC, 2011.

A. Biryukov and D. Wagner, Slide attacks. Proceedings of Fast Software EncryptionFSE99, Lecture Notes in Computer Science, vol. 1636, ed. L.R. Knudsen, Springer-Verlag, Berlin, 1999.

A. Biryukov and D. Wagner, Advanced Slide Attacks. Advances in CryptologyEUROCRYPT 2000, Lecture Notes in Computer Science, vol. 1807, ed. B. Preneel. Springer-Verlag, Berlin, 2000.

S. Even and Y. Mansour, A construction of a cipher from a single pseudorandom permutation. Journal of Cryptology, 1997.