"Differential Cryptanalysis (cont.)"

1. We will show an attack on full 16-round DES, which is an amazing cascade of tricks and methods of cryptanalysis. (Iterative patterns; Structures; Signal/Noise ratio; 1R,2R,3R attacks; The first round trick.)
 

2. We will briefly discuss extensions of differential cryptanalysis: Differentials vs. characteristics; Bytewise (truncated) differentials; Good pair oracles; Boomerang attack.

[Notes after the lecture]
Characteristics are a comfortable means of estimating the lower bounds of probabilities of differentials (product of probabilities for each round). The attack itself however does not use the exact path-characteristic, but uses only the final output difference. Thus if several pathes-characteristics can lead to the same output difference starting from the same input difference, then we talk about differentials. In many ciphers  (but not in DES due to its bit-wise structure) differentials have much higher probabilities than corresponding characteristics. For example this is true for ciphers in which all operations are performed on a byte-wise  level.
 
 

Reading for the lecture

1. FIPS PUB: The Data Encryption Standard.

2. Don Coppersmith, "The Data Encryption Standard and its Strength Against Attacks".
IBM TR. [not on-online].

3. Eli Biham, Adi Shamir, "Differential Cryptanalysis of the Full 16-Round DES (.ps)",
   CS 708, December 1991,   Proceedings of Crypto'92, LNCS 740. (see also our library).

4. Eli Biham, Adi Shamir, "Differential cryptanalysis of DES-like cryptosystems",
     Technical report CS90-16, Weizmann Institute of Science
     CRYPTO'90 & Journal of Cryptology, Vol. 4, No. 1, pp. 3-72, 1991.

5. X.Lai, J.L. Massey, S.Murphy, "Markov Ciphers and Differential Cryptanalysis",
Proceedings of EUROCRYPT'91, LNCS 547, pp.17-38, Springer-Verlag, 1991.