This preview shows page 1. Sign up to view the full content.
Unformatted text preview: They input difference of the left side is L; it could be anything. The input difference of the right side is 0. (The two inputs have the same righthand side, so their difference is 0.) Since there is no difference going in to the round function, then there is no difference coming out of the round function. Therefore, the output difference of the left side is L • 0 = L, and the output difference of the right side is 0. This is a trivial characteristic, and is true with probability 1. Figure 12.6b is a less obvious characteristic. Again, the input difference to the left side is arbitrary: L. The input difference to the right side is 0x60000000; the two inputs differ in only the second and third bits. With a probability of 14/ , the output difference of the round function is L • 0x00808200. This means 64 that the output difference of the left side is L • 0x00808200 and the output difference of the right side is 0x60000000—with probability 14/64. Different characteristics can be joined. And, assuming the rounds are independent, the probabilities can be multiplied. Figure 12.7 joins the two characteristics previously described. The input difference to the left side is 0x00808200 and the input difference to the right side is 0x60000000. At the end of the first round the input difference and the output of the round function cancel out, leaving an output difference of 0. This feeds into the second round; the final output difference of the left side is 0x60000000 and the final output difference of the right side is 0. This tworound characteristic has a probability of 14/64. A plaintext pair that satisfies the characteristic is a right pair. A plaintext pair which does not is a wrong pair. A right pair will suggest the correct round key (for the last round of the characteristic); a wrong pair will suggest a random round key. Figure 12.6 DES characteristics. Figure 12.7 A tworound DES characteristic. To find the correct round key, simply collect enough guesses so that one subkey is suggested more often than all the others. In effect, the correct subke...
View
Full
Document
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
 Fall '10
 ALIULGER
 Cryptography

Click to edit the document details