Differential cryptanalysis: Difference between revisions

m Repairing links to disambiguation pages - You can help!
failed verification. needs specific citation to article/chapter and not a big category search results
Line 16:
(and ⊕ denotes exclusive or) for each such S-box ''S''. In the basic attack, one particular ciphertext difference is expected to be especially frequent. In this way, the [[cipher]] can be distinguished from [[randomness|random]]. More sophisticated variations allow the key to be recovered faster than [[Brute force attack|an exhaustive search]].
 
In the most basic form of key recovery through differential cryptanalysis, an attacker requests the ciphertexts for a large number of plaintext pairs, then assumes that the differential holds for at least ''r'' − 1 rounds, where ''r'' is the total number of rounds.<ref>{{Cite web |title=Differential Cryptanalysis - an overview {{!}} ScienceDirect Topics |url=https://www.sciencedirect.com/topics/computer-science/differential-cryptanalysis |access-date=2023-04-13 |website=www.sciencedirect.com}}</ref> The attacker then deduces which round keys (for the final round) are possible, assuming the difference between the blocks before the final round is fixed. When round keys are short, this can be achieved by simply exhaustively decrypting the ciphertext pairs one round with each possible round key. When one round key has been deemed a potential round key considerably more often than any other key, it is assumed to be the correct round key.
 
For any particular cipher, the input difference must be carefully selected for the attack to be successful. An analysis of the algorithm's internals is undertaken; the standard method is to trace a path of highly probable differences through the various stages of encryption, termed a ''differential characteristic''.
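
The key-counting procedure and the choice of a high-probability difference described above, worked through as an added example that is not part of the article. The two-round 4-bit toy cipher, its sample keys and all function names are constructed for illustration; the one-round differential 0xB → 0x2 is read off the S-box's difference distribution table.

```python
# Toy cipher constructed for this example: c = S[S[p ^ k0] ^ k1] ^ k2 (r = 2 rounds).
# The 4-bit S-box is the first row of DES S-box S1.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV = [SBOX.index(v) for v in range(16)]

def ddt(sbox):
    """Difference distribution table: t[a][b] = #{x : S[x] ^ S[x ^ a] == b}."""
    t = [[0] * 16 for _ in range(16)]
    for a in range(16):
        for x in range(16):
            t[a][sbox[x] ^ sbox[x ^ a]] += 1
    return t

def encrypt(p, keys):
    k0, k1, k2 = keys
    return SBOX[SBOX[p ^ k0] ^ k1] ^ k2

def count_key_guesses(oracle, d_in, d_out):
    """For every guess of the last round key, undo the final round on both
    ciphertexts of each pair and count the pairs whose difference before
    that round equals d_out (the differential held for r - 1 rounds)."""
    counts = [0] * 16
    for p in range(16):                      # all plaintexts of the 4-bit block
        c1, c2 = oracle(p), oracle(p ^ d_in)
        for guess in range(16):
            if INV[c1 ^ guess] ^ INV[c2 ^ guess] == d_out:
                counts[guess] += 1
    return counts

def recover_last_round_key(oracle, d_in, d_out):
    """Return the guess suggested most often, together with all counts."""
    counts = count_key_guesses(oracle, d_in, d_out)
    return max(range(16), key=counts.__getitem__), counts

if __name__ == "__main__":
    secret = (0xA, 0x6, 0x5)                 # constructed sample keys (k0, k1, k2)
    table = ddt(SBOX)
    print("P(0xB -> 0x2) =", table[0xB][0x2], "/ 16")
    best, counts = recover_last_round_key(lambda p: encrypt(p, secret), 0xB, 0x2)
    print("counts per guess:", counts)
    print("most suggested k2 =", hex(best))
```

With these sample keys the correct last-round key is counted 8 times and the closest wrong guesses 6 times; the margin comes from the 8/16 table entry, which is why cipher designers favour S-boxes whose largest nontrivial table entry is small.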