attack against DES at the time of this writing. Linear cryptanalysis is heavily dependent on the structure of the S-boxes and the S-boxes in DES are not optimized against this attack. In fact, the ordering of the S-boxes chosen for DES lies among the 9 percent to 16 percent that offer the least protection against linear cryptanalysis [1018]. According to Don Coppersmith [373,374], resistance to linear cryptanalysis “was not part of the design criteria of DES.” Either they didn’t know about linear cryptanalysis or they knew about something else even more powerful whose resistance criteria took precedence.

Linear cryptanalysis is newer than differential cryptanalysis, and there may be more performance improvements in the coming years. Some ideas are proposed in [1270,811], but it is not clear that they can be used effectively against full DES. They work very well against reduced-round variants, however.

Future Directions
Some work has been done to try to extend the concept of differential cryptanalysis to higher-order differentials [702,161,927,858,860]. Lars Knudsen uses something called partial differentials to attack 6-round DES; it requires 32 chosen plaintexts and 20,000 encryptions [860]. It is still too new to know if these extensions will make it easier to attack full 16-round DES.

Another avenue of attack is differential-linear cryptanalysis: combining differential and linear cryptanalysis. Susan Langford and Hellman have an attack on 8-round DES that recovers 10 key bits with an 80 percent probability of success with 512 chosen plaintexts and a 95 percent probability of success with 768 chosen plaintexts [938]. After the attack, a brute-force search of the remaining keyspace (2^46 possible keys) is required. While this attack is comparable in time to previous attacks, it requires far less plaintext. However, it doesn’t seem to extend easily to more rounds. But this attack is still new and work continues. It is possible that there may be a breakthrough some time during the next few years. Maybe there are benefits in combining this attack...
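The dependence of linear cryptanalysis on S-box structure, noted earlier in this passage, can be measured directly with a linear approximation table. The following is an added example, not part of the original text: it builds that table for DES S-box S5 (the standard published table) and reports the input/output mask pair that deviates most from an even 32/64 split; the function names are this example's own.

```python
# DES S-box S5 as published in the DES standard (4 rows x 16 columns).
S5 = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]


def sbox(table, x):
    """Look up a 6-bit input: the outer two bits select the row,
    the inner four bits select the column."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def parity(v):
    """XOR of all bits of v (the GF(2) dot product once v is masked)."""
    return bin(v).count("1") & 1


def linear_approximation_table(table):
    """lat[a][b] = (number of inputs x where a.x == b.S(x)) - 32.
    Zero means the approximation is useless; a large magnitude means
    the masked input bits predict the masked output bits."""
    lat = [[0] * 16 for _ in range(64)]
    for a in range(64):
        for b in range(16):
            agree = sum(parity(a & x) == parity(b & sbox(table, x))
                        for x in range(64))
            lat[a][b] = agree - 32
    return lat


def strongest_approximation(lat):
    """Return (deviation, input_mask, output_mask) with the largest
    absolute deviation, ignoring the trivial all-zero masks."""
    return max(((lat[a][b], a, b)
                for a in range(1, 64) for b in range(1, 16)),
               key=lambda entry: abs(entry[0]))


if __name__ == "__main__":
    dev, a, b = strongest_approximation(linear_approximation_table(S5))
    print(f"input mask {a:#04x}, output mask {b:#03x}: "
          f"agrees on {dev + 32}/64 inputs (deviation {dev})")
```

A cipher designer screening candidate S-boxes would run the same table over each one and reject those whose largest absolute deviation is high.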