Applied Cryptography - Protocols, Algorithms, and Source Code in C

And the attack works against DES in any of its


and more ciphertext pairs, one key will emerge as the most probable. This is the correct key.

The details are more complicated. Figure 12.5 is the DES round function. Imagine a pair of inputs, X and X’, that have the difference ΔX. The outputs, Y and Y’, are known, and therefore so is the difference, ΔY. Both the expansion permutation and the P-box are known, so ΔA and ΔC are known. B and B’ are not known, but their difference ΔB is known and equal to ΔA. (When looking at the difference, the XORing of Ki with A and A’ cancels out.) So far, so good. Here’s the trick: For any given ΔA, not all values of ΔC are equally likely. The combination of ΔA and ΔC suggests values for bits of A XOR Ki and A’ XOR Ki. Since A and A’ are known, this gives us information about Ki.

Look at the last round of DES. (Differential cryptanalysis ignores the initial and final permutation. They have no effect on the attack, except to make it harder to explain.) If we can identify K16 then we have 48 bits of the key. (Remember, the subkey in each round consists of 48 bits of the 56-bit key.) The other 8 bits we can get by brute force. Differential cryptanalysis will get us K16.

Certain differences in plaintext pairs have a high probability of causing certain differences in the resulting ciphertext pairs. These are called characteristics. Characteristics extend over a number of rounds and essentially define a path through these rounds. There is an input difference, a difference at each round, and an output difference—with a specific probability.

You can find these characteristics by generating a table where the rows represent the possible input XORs (the XOR of two different sets of input bits), the columns represent the possible output XORs, and the entries represent the number of times a particular output XOR occurs for a given input XOR. You can generate such a table for each of DES’s eight S-boxes.

Figure 12.5 DES round function.

For example, Figure 12.6a is a one-round characteristic....
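
The following C sketch is an added example, not code from the book or from this page. It computes entries of the input-XOR/output-XOR table for DES S-box S1 and shows how a known pair (A, A’) with an observed ΔC narrows the 6-bit chunk of Ki feeding that S-box. The function names, the sample inputs, and the chunk value 0x23 are hypothetical and constructed for the demonstration.

```c
#include <stdio.h>

/* DES S-box S1 (standard table). Row = outer bits b1,b6; column = bits b2..b5. */
static const unsigned char S1[4][16] = {
    {14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7},
    {0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8},
    {4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0},
    {15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}};

static unsigned sbox1(unsigned b) {            /* 6-bit in, 4-bit out */
    return S1[((b >> 4) & 2) | (b & 1)][(b >> 1) & 0xF];
}

/* Table entry: how many of the 64 inputs b give output XOR dc for input XOR da. */
unsigned ddt_entry(unsigned da, unsigned dc) {
    unsigned n = 0;
    for (unsigned b = 0; b < 64; b++)
        n += ((sbox1(b) ^ sbox1(b ^ da)) == dc);
    return n;
}

/* Does subkey chunk k explain output XOR dc for the known inputs a and a2? */
unsigned suggests(unsigned a, unsigned a2, unsigned dc, unsigned k) {
    return (sbox1(a ^ k) ^ sbox1(a2 ^ k)) == dc;
}

/* Over NPAIRS constructed pairs with input XOR da, count how many suggest k.
   `secret` only simulates the output difference an analyst would observe. */
#define NPAIRS 8
unsigned votes(unsigned secret, unsigned da, unsigned k) {
    unsigned n = 0;
    for (unsigned i = 0; i < NPAIRS; i++) {
        unsigned a = (i * 7 + 1) & 63, a2 = a ^ da;   /* constructed inputs */
        unsigned dc = sbox1(a ^ secret) ^ sbox1(a2 ^ secret);
        n += suggests(a, a2, dc, k);
    }
    return n;
}

int main(void) {
    const unsigned da = 0x34, secret = 0x23;   /* hypothetical demo values */
    printf("input XOR 0x%02X:", da);
    for (unsigned dc = 0; dc < 16; dc++) printf(" %u", ddt_entry(da, dc));
    printf("\nchunks suggested by all %d pairs:", NPAIRS);
    for (unsigned k = 0; k < 64; k++)
        if (votes(secret, da, k) == NPAIRS) printf(" 0x%02X", k);
    printf("\n");
    return 0;
}
```

For a single pair, the number of chunks it suggests equals the table entry for its (ΔA, ΔC). The correct chunk k is suggested by every pair, and so is k XOR ΔA, because swapping A and A’ leaves the differences unchanged.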

This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
