Differential cryptanalysis Differential cryptanalysis exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher Differential cryptanalysis is a chosen plaintext attack, meaning that the attacker is able to select inputs and examine outputs in an attempt to derive the key
Differential Cryptanalysis • Differential cryptanalysis exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher. • Differential cryptanalysis is a chosen plaintext attack, meaning that the attacker is able to select inputs and examine outputs in an attempt to derive the key
Feistel Networks]⑥ f,…:0,1}→{0.1}4 · Arbitrary functions Not necessarily invertible L=R R=L1f(R11) 卫So
Feistel Networks f1 , …, fk : {0,1}n → {0,1}n • Arbitrary functions • Not necessarily invertible f1 f2 fk-1 fk L0 : R0 : L1 : R1 : Lk-2 : Rk-2 : Lk-1 : Rk-1 : Lk : Rk : n bits n bits Round 1 Round 2 Round k-1 Round k … Li = Ri-1 Ri = Li-1 fi (Ri-1 )
inerting a Feistel Network G←(f1 For any f,…fk:{0,1y→>{0,1} a feistel network computes a permutation T: (o, 1]n>0, 1]n [Li-1=R,0f (L) Inverse:
Inverting a Feistel Network f1 f2 fk-1 fk L0 : R0 : L1 : R1 : Lk-2 : Rk-2 : Lk-1 : Rk-1 : Lk : Rk : … Li-1 = Ri fi (Li ) Ri-1 = Li Theorem For any f1 , …, fk : {0,1}n → {0,1}n , a Feistel network computes a permutation p : {0,1}n → {0,1}n Inverse:
Inside des xo=IP(m =Loro 16 Rounds,i=1,2,,16 R -1 R;:=Ln1f(R1,K1)2 where f(R21,k1)=P(S(E(R:1)K1) with operations e(expansion) S(S-box lookup), and P some (permutation) C=IP(LI6R16)
Inside DES • x0 = IP(m) = L0R0 . • 16 Rounds, i = 1, 2, …, 16: Li := Ri-1 , Ri := Li-1 f (Ri-1 , Ki ), where f (Ri-1 , Ki ) = P(S(E(Ri-1 ) Ki )), with operations E (expansion), S (S-box lookup), and P some (permutation). • c = IP-1 (L16R16)