Differential cryptanalysis: Difference between revisions

Differential cryptanalysis is usually a [[chosen plaintext attack]], meaning that the attacker must be able to obtain [[Encryption|ciphertexts]] for some set of [[plaintext]]s of their choosing. There are, however, extensions that would allow a [[known plaintext attack|known plaintext]] or even a [[ciphertext-only attack]]. The basic method uses pairs of plaintext related by a constant ''difference''. [[Subtraction|Difference]] can be defined in several ways, but the [[Exclusive or|eXclusive OR (XOR)]] operation is usual. The attacker then computes the differences of the corresponding ciphertexts, hoping to detect statistical patterns in their distribution. The resulting pair of differences is called a '''differential'''. Their statistical properties depend upon the nature of the [[S-box]]es used for encryption, so the attacker analyses differentials <math>(\Delta_x, \Delta_y)</math> where <blockquote>
<math display=block>\Delta_y = S(x \oplus \Delta_x) \oplus S(x)</math></blockquote>
(and ⊕ denotes exclusive or) for each such S-box ''S''. In the basic attack, one particular ciphertext difference is expected to be especially frequent. In this way, the [[cipher]] can be distinguished from [[randomness|random]]. More sophisticated variations allow the key to be recovered faster than [[Brute force attack|exhaustive search]].