lysis by showing that the amount of plaintext required to mount such an attack is greater than the amount of plaintext possible.)

Here are a few important points. First, this attack is largely theoretical. The enormous time and data requirements to mount a differential cryptanalytic attack put it beyond the reach of almost everyone. To get the requisite data for this attack against a full DES, you have to encrypt a 1.5 megabits-per-second data stream of chosen plaintext for almost three years. Second, this is primarily a chosen-plaintext attack. It can be converted to a known-plaintext attack, but you have to sift through all of the plaintext-ciphertext pairs looking for the useful ones. For full 16-round DES, this makes the attack slightly less efficient than brute force (the differential cryptanalytic attack requires 2^55.1 operations, and brute force requires 2^55). The consensus is that DES, when implemented properly, is still secure against differential cryptanalysis.

Why is DES so resistant to differential cryptanalysis? Why are the S-boxes optimized to make this attack as difficult as possible? Why are there as many rounds as required, but no more? Because the designers knew about it. IBM’s Don Coppersmith recently wrote [373,374]:

The design took advantage of certain cryptanalytic techniques, most prominently the technique of “differential cryptanalysis,” which were not known in the published literature. After discussions with NSA, it was decided that disclosure of the design consideration would reveal the technique of differential cryptanalysis, a powerful technique that can be used against many ciphers. This in turn would weaken the competitive advantage the United States enjoyed over other countries in the field of cryptography.

Adi Shamir responded to this, challenging Coppersmith to say that he hadn’t found any stronger attacks against DES since then. Coppersmith has chosen to remain silent on that question [1426].

Related-Key Cryptanalysis

Table 12.3 showed the number of bits the DES key is rotated after each round: 2 bi...
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.