This preview shows page 1. Sign up to view the full content.
Unformatted text preview: ous Table of Contents Next
 The results are most interesting. Table 12.14 is a summary of the best differential attack against DES with varying numbers of rounds [172]. The first column is the number of rounds. The next two columns are the numbers of chosen plaintexts or known plaintexts that must be examined for the attack, and the fourth column is the number of those plaintexts actually analyzed. The last column is the complexity of analysis, after the required plaintexts are found. Table 12.14 Differential Cryptanalysis Attacks against DES No. of Rounds 8 9 10 11 12 13 14 15 16 Chosen Plaintexts 214 224 224 231 231 239 239 247 247 Known Plaintexts 238 244 243 247 247 252 251 256 255 Analyzed Plaintexts 4 2 214 2 221 2 229 27 236 Complexity of Analysis 29 232 215 232 221 232 229 237 237 The complexity of the analysis can be greatly reduced for these variants by using about four times as many plaintexts with the clique method. The best attack against full 16round DES requires 247 chosen plaintexts. This can be converted to a known plaintext attack, but that requires 255 known plaintexts. And 237 DES operations are required during analysis. Differential cryptanalysis works against DES and other similar algorithms with constant Sboxes. The attack is heavily dependent on the structure of the Sboxes; the ones in DES just happen to be optimized against differential cryptanalysis. And the attack works against DES in any of its operating modes—ECB, CBC, CFB, and OFB—with the same complexity [172]. DES’s resistance can be improved by increasing the number of rounds. Chosenplaintext differential cryptanalysis DES with 17 or 18 rounds takes about the same time as a bruteforce search [160]. At 19 rounds or more, differential cryptanalysis becomes impossible because it requires more than 264 chosen plaintexts: Remember, DES has a 64bit block size, so it only has 264 possible plaintext blocks. (In general, you can prove that an algorithm is resistant to differential cryptana...
View Full
Document
 Fall '10
 ALIULGER
 Cryptography

Click to edit the document details