Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [differential-analysis]

Differential cryptanalysis is a form of cryptanalysis which studies cryptographic algorithms by observing how differences in input affect differences in output.

In practice, this is usually a chosen-plaintext attack with a quite large number of plaintexts (but for "broken" algorithms still smaller than the key space).

The terminology is presented by Biham and Shamir and within IBM, the attack was formerly known as the "T-attack" or ”tickle attack.

152 questions
31
votes
2 answers

How do I apply differential cryptanalysis to a block cipher?

I have read a lot of summaries of block ciphers particularly with regards to the NIST competitions stating that reduced-round block ciphers are – for example – vulnerable to differential cryptanalysis. I have a general idea that the application of…
user46
19
votes
0 answers

Adding bit constants to the key schedule to reduce rounds?

Bit constants are often added to the key schedule to reduce slide attacks. I have reviewed David Wagner's work, where he showed that the increased rounds in a Feistel network do not help if you have key symmetry. I have been trying to find some…
b degnan
  • 5,110
  • 1
  • 27
  • 49
19
votes
1 answer

Understanding the wide trail design strategy

I am trying to understand the wide trail design strategy. I have read the paper (paywall-free preprint) which describes it from the point of view of AES. From what I understand, it is a technique to increase diffusion in a particular way to resist…
forest
  • 15,626
  • 2
  • 49
  • 103
17
votes
1 answer

Selection of rotation constants in ARX design

My question is about choosing the rotation values in ARX design such as SIMON-like or SPECK-like ciphers to provide optimal differential and linear immunity. According to this, the selection of $a$ and $b$ values (shown in SIMON-like figure below)…
hardyrama
  • 2,288
  • 1
  • 17
  • 41
14
votes
4 answers

Why is the permutation in AES (and other ciphers) not random or key-dependent?

If the permutation in AES (or other ciphers) were randomly generated or dependent on the key, would it not be stronger against differential attacks? If this is so, then might we need fewer rounds for the same level of security?
Red Book 1
  • 1,025
  • 10
  • 26
9
votes
2 answers

How to build a difference distribution table?

i am studying about differential cryptanalysis, and found one metric to measure the resistance of a sbox to it, but to use it, it is necessary to build a difference distribution table, like the one in this link, this is is the table of sobox s1 of…
Yuri Waki
  • 281
  • 2
  • 6
8
votes
1 answer

How can Blowfish be resistant against differential cryptanalysis if it doesn't have S-boxes tuned for that?

The S-boxes used in DES were carefully tuned for resistance against differential cryptanalysis, a technique not known to the public at that time but known to designers of DES. It was later discovered that even a small change to DES would make it…
juhist
  • 1,643
  • 1
  • 13
  • 18
7
votes
2 answers

S-box with differential uniformity = 2

I read that we do not know if there exists an 8x8 sbox with differential uniformity = 2. I suppose we cannot compute every possible sbox because there are $64!$ possible s-boxes. Am I right?
asdf
  • 324
  • 3
  • 11
7
votes
1 answer

What is a differential trail?

From what I could find it relates input differences to output differences usually across multiple rounds. But is it the entire probability distribution over all output differences for one input difference? Or is it the list of differences that…
Simon F
  • 91
  • 6
7
votes
2 answers

DES with the bitwise complement of a key

I was reading upon Biham and Shamir's paper and a fact has been presented over there: if $ P_1 = \bar P_2$ and I choose a key $K_1 = \bar K_2$ then in that case $$T_1 = DES(P_1, K_1)$$ $$T_2 = DES(P_2, K_2)$$ then $T_1 = \bar T_2$ . Does this hold…
codeomnitrix
  • 173
  • 1
  • 6
7
votes
1 answer

Differential cryptanalysis - breaking the last round of FEAL4?

I've been trying to learn cryptanalysis. I've come across this resource which proved very helpful: http://theamazingking.com/crypto-feal.php So far I've been almost successful in breaking FEAL4 using differential cryptanalysis - I've got three of…
Thomas
  • 7,568
  • 1
  • 32
  • 45
6
votes
1 answer

Differential and Linear trail propagation in Noekeon

In the Noekeon Cipher Specification they write the following : The propagation through Lambda is denoted by $(a \rightarrow A)$, also called a step. Because of the linearity of Lambda it is fully deterministic: both for LC and DC patterns, we…
Yuon
  • 163
  • 9
6
votes
2 answers

Security of the AES with a Secret S-box

In this paper they change the $AES$ S-box to a uniformly random one and answer the questions: How does the security of AES change when the S-box is changed by a secret S-box? Would it be safe to reduce the number of rounds? I have tried reading…
Red Book 1
  • 1,025
  • 10
  • 26
6
votes
2 answers

Can I use a differential that can be traced through the whole cipher with 100% probability?

I'm trying to attack a very simple cipher using differential cryptanalysis as a way of becoming familiar with this method. The cipher is so simple that I've found a differential which I can trace through all the rounds of the cipher with 100%…
Hugo
  • 305
  • 1
  • 7
6
votes
1 answer

Finding differentials and space complexity

In Differential Cryptanalysis of DES-like Cryptosystems by Biham and Shamir, they provide examples using differentials inputs such as $\Omega_p = 00\ 80\ 82\ 00\ 60\ 00\ 00\ 00_x$. Most of article is about differential cryptanalysis and presents the…
Biv
  • 10,088
  • 2
  • 42
  • 68
1
2 3
10 11