and more ciphertext pairs, one key will emerge as the most probable. This is the correct key.

The details are more complicated. Figure 12.5 is the DES round function. Imagine a pair of inputs, X and X’, that have the difference ΔX. The outputs, Y and Y’ are known, and therefore so is the difference, ΔY. Both the expansion permutation and the P-box are known, so ΔA and ΔC are known. B and B’ are not known, but their difference ΔB is known and equal to ΔA. (When looking at the difference, the XORing of Ki with A and A’ cancels out.) So far, so good. Here’s the trick: For any given ΔA, not all values of ΔC are equally likely. The combination of ΔA and ΔC suggests values for bits of A XOR Ki and A’ XOR Ki. Since A and A’ are known, this gives us information about Ki.

Look at the last round of DES. (Differential cryptanalysis ignores the initial and final permutation. They have no effect on the attack, except to make it harder to explain.) If we can identify K16 then we have 48 bits of the key. (Remember, the subkey in each round consists of 48 bits of the 56-bit key.) The other 8 bits we can get by brute force. Differential cryptanalysis will get us K16.

Certain differences in plaintext pairs have a high probability of causing certain differences in the resulting ciphertext pairs. These are called characteristics. Characteristics extend over a number of rounds and essentially define a path through these rounds. There is an input difference, a difference at each round, and an output difference—with a specific probability.

You can find these characteristics by generating a table where the rows represent the possible input XORs (the XOR of two different sets of input bits), the columns represent the possible output XORs, and the entries represent the number of times a particular output XOR occurs for a given input XOR. You can generate such a table for each of DES’s eight S-boxes.

Figure 12.5 DES round function.

For example, Figure 12.6a is a one-round characteristic....
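The table described above, built for DES S-box S1, together with the step where a known (A, A’) pair and an observed ΔC narrow the six bits of Ki that feed that S-box. This is an added example, not part of the original text; the function names, the sample input pairs and the 6-bit secret 0x23 are constructed for illustration.

```python
# Added example: difference table and subkey filtering for DES S-box S1.
S1 = [  # standard DES S1; row = outer two input bits, column = middle four
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(b):
    """Map a 6-bit S-box input B to its 4-bit output C."""
    row = ((b >> 4) & 2) | (b & 1)
    col = (b >> 1) & 0xF
    return S1[row][col]

def difference_table():
    """ddt[dB][dC] = number of inputs B with S(B) ^ S(B ^ dB) == dC."""
    ddt = [[0] * 16 for _ in range(64)]
    for d_in in range(64):
        for b in range(64):
            ddt[d_in][sbox(b) ^ sbox(b ^ d_in)] += 1
    return ddt

def subkey_candidates(a, a_prime, delta_c):
    """6-bit subkey chunks k consistent with known A, A' and observed delta C."""
    return {k for k in range(64) if sbox(a ^ k) ^ sbox(a_prime ^ k) == delta_c}

def narrow(pairs, secret_k):
    """Intersect candidate sets over several (A, A') pairs; secret_k only
    plays the role of the cipher, producing the delta C that is observed."""
    survivors = set(range(64))
    for a, a_prime in pairs:
        delta_c = sbox(a ^ secret_k) ^ sbox(a_prime ^ secret_k)
        survivors &= subkey_candidates(a, a_prime, delta_c)
    return survivors

if __name__ == "__main__":
    ddt = difference_table()
    print("row for delta A = 0x34:", ddt[0x34])  # far from uniform
    print("candidates:", sorted(hex(k) for k in subkey_candidates(0x01, 0x35, 0xD)))
    # Constructed pairs and a constructed 6-bit secret (0x23) for the demo.
    pairs = [(0x01, 0x35), (0x0A, 0x2C), (0x3F, 0x11)]
    print("survivors:", sorted(hex(k) for k in narrow(pairs, 0x23)))
```

Each row of the table sums to 64, and a single pair with ΔA = 0x34 and ΔC = 0xD already cuts the 64 possible values for this part of Ki down to 8.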
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.