The slide attack, presented by Biryukov and Wagner, has already become a classical tool in cryptanalysis of block ciphers. While it was used to mount practical attacks on a few cryptosystems, its practical applicability is limited, as typically, its time complexity is lower bounded by $2^n$ (where $n$ is the block size). There are only a few known scenarios in which the slide attack performs better than the $2^n$ bound. In this paper, we concentrate on efficient slide attacks, whose time complexity is less than $2^n$. We present a number of new attacks that apply in scenarios in which previously known slide attacks are either inapplicable, or require at least $2^n$ operations. In particular, we present the first known slide attack on a Feistel construction with a 3-round self-similarity, and an attack with practical time complexity of $2^{40}$ on a 128-bit key variant of the GOST block cipher with unknown S-boxes. The best previously known attack on the same variant, with known S-boxes (by Courtois), has time complexity of $2^{91}$.

Original language: English
Pages (from-to): 641-670
Number of pages: 30
Journal: Journal of Cryptology
Issue number: 3
State: Published - 1 Jul 2018


  • 1K-AES
  • 3K-DES
  • Cycle structure
  • GOST
  • Slide attacks

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Science Applications
  • Applied Mathematics

