Content deleted Content added
m Task 18 (cosmetic): eval 2 templates: hyphenate params (1×); |
add {{Unreferenced section}}s |
||
Line 10:
==Attack mechanics==
{{Unreferenced section|date=July 2021}}
Differential cryptanalysis is usually a [[chosen plaintext attack]], meaning that the attacker must be able to obtain [[Encryption|ciphertexts]] for some set of [[plaintext]]s of their choosing. There are, however, extensions that would allow a [[known plaintext attack|known plaintext]] or even a [[ciphertext-only attack]]. The basic method uses pairs of plaintext related by a constant ''difference''. [[Subtraction|Difference]] can be defined in several ways, but the [[Exclusive or|eXclusive OR (XOR)]] operation is usual. The attacker then computes the differences of the corresponding ciphertexts, hoping to detect statistical patterns in their distribution. The resulting pair of differences is called a '''differential'''. Their statistical properties depend upon the nature of the [[S-box]]es used for encryption, so the attacker analyses differentials <math>(\Delta_x, \Delta_y)</math> where <blockquote><math>\Delta_y = S(x \oplus \Delta_x) \oplus S(x)</math></blockquote>(and ⊕ denotes exclusive or) for each such S-box ''S''. In the basic attack, one particular ciphertext difference is expected to be especially frequent. In this way, the [[cipher]] can be distinguished from [[randomness|random]]. More sophisticated variations allow the key to be recovered faster than [[Brute force attack|exhaustive search]].
Line 19 ⟶ 20:
==Attack in detail==
{{Unreferenced section|date=July 2021}}
The attack relies primarily on the fact that a given input/output difference pattern only occurs for certain values of inputs. Usually the attack is applied in essence to the non-linear components as if they were a solid component (usually they are in fact look-up tables or ''S-boxes''). Observing the desired output difference (between two chosen or known plaintext inputs) ''suggests'' possible key values.
| |||