Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in an input can affect the resultant difference at the output. In the case of a block cipher, it refers to a set of techniques for tracing differences through the network of transformations, discovering where the cipher exhibits non-random behaviour, and exploiting such properties to recover the secret key.

Origins of differential cryptanalysis

The discovery of differential cryptanalysis is generally attributed to Eli Biham and Adi Shamir in the late 1980s, who published a number of attacks against various block ciphers and hash functions, including a theoretical weakness in the Data Encryption Standard (DES). It was noted that DES is surprisingly resilient to differential cryptanalysis, in the sense that even small modifications make it much more susceptible; this suggested that the designers at IBM knew of this in the 1970s. Indeed, parties involved in the creation of DES have since admitted that defending against differential cryptanalysis was a design goal (Don Coppersmith, 1994). It would appear that the National Security Agency (NSA), who also had some input into the design, were well aware of the technique before its rediscovery at IBM, and did not want the attack to become public knowledge; this was the reason the design process was kept secret. Within IBM, differential cryptanalysis was known as the "T-attack", or "Tickling attack" [1] (http://groups.google.com/groups?selm=4v0jrv%24kf%40ground.cs.columbia.edu).

While DES was designed with differential cryptanalysis in mind, other contemporary ciphers proved to be extremely vulnerable. An early target for the attack was FEAL, which illustrates the potential of the technique. The original version with four rounds (FEAL-4) can be broken using only eight chosen plaintexts; moreover, FEAL with up to 31 rounds is susceptible to differential cryptanalysis.

A description of the attack

Differential cryptanalysis is usually a chosen plaintext attack, meaning that the attacker must be able to obtain encrypted ciphertexts for some set of plaintexts of his choosing. There are, however, extensions that would allow a known plaintext or even a ciphertext-only attack. The basic method uses pairs of plaintext related by a constant difference; difference can be defined in several ways, but the eXclusive OR (XOR) operation is usual. The attacker then computes the differences of the corresponding ciphertexts, hoping to detect statistical patterns in their distribution. In conventional differential cryptanalysis, one particular ciphertext difference is expected to be especially frequent; in this way, the cipher can be distinguished from random. More sophisticated variations allow the key to be recovered faster than exhaustive search.

For any particular cipher, the input difference must be carefully selected if the attack is to be successful. An analysis of the algorithm's internals is undertaken; the standard method is to trace a path of highly probable differences through the various stages of encryption, termed a differential characteristic.

Since differential cryptanalysis became public knowledge, it has become a basic concern of cipher designers. New designs are expected to be accompanied by evidence that the algorithm is resistant to this attack, and many, including the Advanced Encryption Standard, have been proved to be secure against the attack.

See also

• Cryptography
• Linear cryptanalysis

References

• Eli Biham, Adi Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. ISBN 0-387-97930-1, ISBN 3-540-97930-1.
• Biham, E. and A. Shamir. (1990). Differential Cryptanalysis of DES-like Cryptosystems. Advances in Cryptology — CRYPTO '90. Springer-Verlag. 2–21.
• Coppersmith, Don. (1994). The data encryption standard (DES) and its strength against attacks. IBM Journal of Research and Development, 38(3), 243–250. [2] (http://www.research.ibm.com/journal/rd/383/coppersmith.pdf)

External links

• A tutorial on differential (and linear) cryptanalysis (http://www.engr.mun.ca/~howard/Research/Papers/ldc_tutorial.html)
• A list of links on the topic  (http://www.tcs.hut.fi/~helger/crypto/link/block/dc.html)
• A description of the attack applied to DES (http://home.earthlink.net/~mylnir/desdoc.html)