Differential Cryptanalysis

Differential cryptanalysis is a generic cryptanalytic method that can be applied to iterated block ciphers, but also to stream ciphers and hash functions.

In its broadest sense, it is the study of how differences in the input data affect differences in the outputs. In the case of an iterated block cipher, the term refers to the set of techniques used to trace differences through the network of transformations, thereby discovering where the algorithm exhibits predictable behavior and exploiting these properties to recover the secret key.

Origins of differential cryptanalysis

The discovery of differential cryptanalysis is generally attributed to Eli Biham and Adi Shamir at the end of the 1980s. They then published a large number of attacks against various iterated block ciphers and various hash functions; these papers included the presentation of a theoretical weakness in the DES algorithm.

It was then noted that DES was particularly resistant to this attack, and in particular that small modifications to its parameters weakened it. This observation gave rise to the rumor that its designers (working for IBM) already knew of this method in the 1970s. Indeed, several people who took part in its design have since acknowledged that defense against differential cryptanalysis was indeed one of the design goals at the time (Don Coppersmith, 1994). It would even appear that the NSA, which also contributed to the design of DES, was aware of this technique before its rediscovery by IBM. The NSA even required that the design process be kept secret in order to prevent the spread of this method. Inside IBM, differential cryptanalysis was known as the T-attack, short for Tickling attack, because it consisted of tickling the inputs to see the effect on the outputs.

Whereas DES had been designed to resist differential cryptanalysis, other algorithms designed in the same period proved particularly vulnerable. One of the first targets was FEAL, which illustrated the power of the method. Its original version, made up of four rounds (FEAL-4), can be compromised with only eight carefully chosen plaintexts. It goes even further: FEAL can be attacked by this method in all its versions with 31 rounds or fewer.

Description of the attack

Differential cryptanalysis is generally carried out in a chosen-plaintext setting, which means that the attacker is able to obtain the ciphertexts of plaintexts of their choice. Variants exist that work in other attack models: known plaintext or ciphertext only. The cryptanalysis relies on pairs of plaintexts that have a constant difference. The difference operation can be defined in various ways; the exclusive-OR function is the most common. The attacker then computes the differences in the ciphertexts, in order to extract patterns that may indicate a bias. The differences at the output of the cipher are called differentials. Their statistical properties depend on the nature of the S-boxes of the encryption algorithm. For each substitution box $S$, the attacker can compute a pair of differentials $(\Delta_X, \Delta_Y)$ with:

$\Delta_Y = S(X) \oplus S(X \oplus \Delta_X)$, the difference at the output,

where $\Delta_X$ is the difference applied to the input text.

In the classical attack, a particular difference in the ciphertext makes it possible to distinguish the ciphertext from a random stream (randomness at the output is a property expected of any robust cipher). More sophisticated techniques make it possible to reduce the complexity of the attack, as in the case of DES. The choice of the differences applied at the input is crucial for the success of the attack. An analysis of the inner workings of the algorithm makes it possible to determine the differences that are most likely to appear along the data path and to determine a differential characteristic.
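
As an added illustration (not part of the original article), the following Python tabulates, for every input difference, how often each output difference occurs under the definition of the output difference given above; this difference distribution table is what a designer inspects to judge how far an S-box's differentials deviate from uniform. The sample S-box is the first row of DES S-box S1 treated as a stand-alone 4-bit permutation, and the affine box is constructed for contrast; both choices, and all function names, are assumptions of this example.

```python
# Sample 4-bit S-box: the 16 values of the first row of DES S-box S1,
# used here as a stand-alone 4-bit permutation (an assumption of this demo).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

# Constructed weak counter-example: the affine map S(X) = X xor 0x5.
AFFINE = [x ^ 0x5 for x in range(16)]


def ddt(sbox):
    """Difference distribution table.

    table[dx][dy] = number of inputs X with S(X) xor S(X xor dx) == dy.
    The table size must be a power of two so that X xor dx stays in range.
    """
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            dy = sbox[x] ^ sbox[x ^ dx]
            table[dx][dy] += 1
    return table


def best_differential(sbox, dx):
    """Most likely output difference for input difference dx, and its probability."""
    row = ddt(sbox)[dx]
    dy = max(range(len(row)), key=row.__getitem__)
    return dy, row[dy] / len(sbox)


def differential_uniformity(sbox):
    """Largest table entry over all non-zero input differences (lower is better)."""
    return max(max(row) for row in ddt(sbox)[1:])


if __name__ == "__main__":
    for name, box in (("sample", SBOX), ("affine", AFFINE)):
        print(name, "differential uniformity:", differential_uniformity(box))
    dy, p = best_differential(SBOX, 0xB)
    print(f"dx=0xb -> dy={dy:#x} with probability {p}")
```

For the affine box every input difference maps to a single output difference with probability 1, which is the fully predictable behavior the analysis looks for; the sample S-box spreads each row over several output differences.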
