crypto-slides-21-dc.1x1

# crypto-slides-21-dc.1x1 - Dierential Cryptanalysis See...

This preview shows pages 1–7. Sign up to view the full content.

Diferential Cryptanalysis See: Biham and Shamir, Diferential Cryptanalysis oF the Data Encryption Standard , Springer Ver- lag, 1993. c c Eli Biham - August 18, 2010 607 Diferential Cryptanalysis (21)

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
Diferential Cryptanalysis The frst method which reduced the complexity oF attacking DES below (halF oF) exhaustive search. Note : In all the Following discussion we ignore the existence oF the initial and the fnal permutations, since they do not a±ect the analysis. Motivation : 1. All the operations except For the S boxes are linear. 2. Mixing the key in all the rounds prohibits the attacker From knowing which entries oF the S boxes are actually used, and thus he cannot know their output. c c Eli Biham - August 18, 2010 608 Diferential Cryptanalysis (21)
Diferential Cryptanalysis (cont.) How can we inhibit the key From hiding the inFormation? The basic idea oF diferential cryptanalysis : Study the diferences between two encryptions oF two diferent plaintexts: P and P . Notation : ±or any value X during the encryption oF P , and the corresponding value X during encryption oF P , denote the diference by X = X X . c c Eli Biham - August 18, 2010 609 Diferential Cryptanalysis (21)

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
Diferential Cryptanalysis (cont.) Advantages : It is easy to predict the output diference oF linear operations given the input diference: Unary operations (E, P, IP): ( P ( X )) = P ( X ) P ( X ) = P ( X ) Binary operations (XOR): ( X Y ) = ( X Y ) ( X Y ) = X Y Mixing the key : ( X K ) = ( X K ) ( X K ) = X We conclude that the diferences are linear in linear operations, and in partic- ular, the result is key independent . c c Eli Biham - August 18, 2010 610 Diferential Cryptanalysis (21)
Diferences and the S Boxes Assume we have two inputs X and X for the same S box, and that we know only their diference X . Denote Y = S ( X ). What do we know about Y ? The simple case: when X = 0 : S ( X ) = S ( X ) for any X , and Y = 0 . IF X n = 0: we do not know the output diFerence. De±nition : Lets look on the distribution of the pairs ( X ,Y ) of all the pos- sible inputs X . We call the table containing this information diference dis- tribution table oF the S box . c c Eli Biham - August 18, 2010 611 Diferential Cryptanalysis (21)

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
The Diference Distribution Table oF S1 Input Output XOR XOR 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x A x B x C x D x E x F x 0 x 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 x 0 0 0 6 0 2 4 4 0 10 12 4 10 6 2 4 2 x 0 0 0 8 0 4 4 4 0 6 8 6 12 6 4 2 3 x 14 4 2 2 10 6 4 2 6 4 4 0 2 2 2 0 4 x 0 0 0 6 0 10 10 6 0 4 6 4 2 8 6 2 5 x 4 8 6 2 2 4 4 2 0 4 4 0 12 2 4 6 6 x 0 4 2 4 8 2 6 2 8 4 4 2 4 2 0 12 7 x 2 4 10 4 0 4 8 4 2 4 8 2 2 2 4 4 8 x 0 0 0 12 0 8 8 4 0 6 2 8 8 2 2 4 9 x 10 2 4 0 2 4 6 0 2 2 8 0 10 0 2 12 A x 0 8 6 2 2 8 6 0 6 4 6 0 4 0 2 10 B x 2 4 0 10 2 2 4 0 2 6 2 6 6 4 2 12 C x 0 0 0 8 0 6 6 0 0 6 6 4 6 6 14 2 D x 6 6 4 8 4 8 2 6 0 6 4 6 0 2 0 2 E x 0 4 8 8 6 6 4 0 6 6 4 0 0 4 0 8 F x 2 0 2 4 4 6 4 2 4 8 2 2 2 6 8 8 10 x 0 0 0 0 0 0 2 14 0 6 6 12 4 6 8 6 .
This is the end of the preview. Sign up to access the rest of the document.

## This note was uploaded on 04/14/2011 for the course CS 236506 taught by Professor Yanivcarmeli during the Spring '11 term at Technion.

### Page1 / 63

crypto-slides-21-dc.1x1 - Dierential Cryptanalysis See...

This preview shows document pages 1 - 7. Sign up to view the full document.

View Full Document
Ask a homework question - tutors are online