Related-Key and Slide Attacks: Analysis, Connections, and Improvements -Extended Abstract- Mathieu Ciet, Gilles Piret, and Jean-Jacques Quisquater Universit´ e catholique de Louvain, Crypto Group Place du Levant, 3 1348 Louvain-la-Neuve, Belgium {ciet, piret, jjq}@dice.ucl.ac.be - http://www.dice.ucl.ac.be/~crypto Abstract. In this paper we present the most important results devel- oped in key schedule cryptanalysis during the last ten years. Namely, we deal with related-key attacks, differential related-key attacks, and slide attacks. The related-key attack is presented in a more general framework than in the paper of Biham [1]. We give two improvements to the slide attacks. Finally, the link between these attacks is studied. 1 Introduction The most well known attacks on block ciphers are those targeting at the ci- phering itself, for example the linear and differential cryptanalysis. In this paper we present attacks that are particular in the sense that they focus on the key scheduling. Firstly, the related key attack, introduced by Eli Biham in [1], sec- ondly a variant with differential related key attack and finally the slide attack developed by Alex Biryukov and David Wagner [5,6]. Biham’s related-key attack is presented in a general framework. We also give two personal improvements to the slide attack. Finally, we emphasize on the strong link between these attacks. 2 Related-key Attacks 2.1 The chosen key attack The basic related-key attack that we refer as ”chosen key attack” relies on an un- usual hypothesis: namely, encryption is performed using two unknown different keys that have a particular relationship known to the attacker. First we present the attack in a general framework; the first step is to describe the relationship that must be satisfied by the two keys K and K ∗ , in order to be vulnerable to Biham’s attack. Then we analyze what can be improved if we are dealing with the particular case of a Feistel cipher.