Differential Cryptanalysis Differential cryptanalysis exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher Differential cryptanalysis is a chosen plaintext attack, meaning that the attacker is able to select inputs and examine outputs in an attempt to derive the ke
Differential Cryptanalysis • Differential cryptanalysis exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher. • Differential cryptanalysis is a chosen plaintext attack, meaning that the attacker is able to select inputs and examine outputs in an attempt to derive the key
Feistel Networks:,⑥ f,…,f:0.1}→01 Arbitrary functions Not necessarily invertible ④← R=L1f(R:1) xs5oα¥卫5
Feistel Networks f1 , …, fk : {0,1}n → {0,1}n • Arbitrary functions • Not necessarily invertible f1 f2 fk-1 fk L0 : R0 : L1 : R1 : Lk-2 : Rk-2 : Lk-1 : Rk-1 : Lk : Rk : n bits n bits Round 1 Round 2 Round k-1 Round k … Li = Ri-1 Ri = Li-1 fi (Ri-1 )
fReeing a Feistel Network For any f1,…fk:{0,1}n→{0,1yn, a feistel network computes a permutation T: o, 1]n>[0, 1]n L1=R1⊕f(L1 Inverse:
Inverting a Feistel Network f1 f2 fk-1 fk L0 : R0 : L1 : R1 : Lk-2 : Rk-2 : Lk-1 : Rk-1 : Lk : Rk : … Li-1 = Ri fi (Li ) Ri-1 = Li Theorem For any f1 , …, fk : {0,1}n → {0,1}n , a Feistel network computes a permutation p : {0,1}n → {0,1}n Inverse:
Inside des xo=IP(m)=LoRo 16 Rounds,=1,2,…,16: L:=R R;:=L1f(R1,K1 where f(R1,K)=P(S(E(R:1)K1) with operations E(expansion) S(S-box lookup), and p some (permutation) IP-L16R16)
Inside DES • x0 = IP(m) = L0R0 . • 16 Rounds, i = 1, 2, …, 16: Li := Ri-1 , Ri := Li-1 f (Ri-1 , Ki ), where f (Ri-1 , Ki ) = P(S(E(Ri-1 ) Ki )), with operations E (expansion), S (S-box lookup), and P some (permutation). • c = IP-1 (L16R16)