Content deleted Content added
→Further reading: Add book 'The block cipher companion' as a reference |
mNo edit summary |
||
Line 16:
(and ⊕ denotes exclusive or) for each such S-box ''S''. In the basic attack, one particular ciphertext difference is expected to be especially frequent. In this way, the [[cipher]] can be distinguished from [[randomness|random]]. More sophisticated variations allow the key to be recovered faster than [[Brute force attack|exhaustive search]].
In the most basic form of key recovery through differential cryptanalysis, an attacker requests the ciphertexts for a large number of plaintext pairs, then assumes that the differential holds for at least ''r'' − 1 rounds, where ''r'' is the total number of rounds.<ref>{{Cite web |title=Differential Cryptanalysis - an overview {{!}} ScienceDirect Topics |url=https://www.sciencedirect.com/topics/computer-science/differential-cryptanalysis |access-date=2023-04-13 |website=www.sciencedirect.com}}</ref> The attacker then deduces which round keys (for the final round) are possible, assuming the difference between the blocks before the final round is fixed. When round keys are short, this can be achieved by simply exhaustively decrypting the ciphertext pairs one round with each possible round key. When one round key has been deemed a potential round key considerably more often than any other key, it is assumed to be the correct round key.
For any particular cipher, the input difference must be carefully selected for the attack to be successful. An analysis of the algorithm's internals is undertaken; the standard method is to trace a path of highly probable differences through the various stages of encryption, termed a ''differential characteristic''.
Line 28:
For example, if a differential of 1 => 1 (implying a difference in the [[least significant bit]] (LSB) of the input leads to an output difference in the LSB) occurs with probability of 4/256 (possible with the non-linear function in the [[AES cipher]] for instance) then for only 4 values (or 2 pairs) of inputs is that differential possible. Suppose we have a non-linear function where the key is XOR'ed before evaluation and the values that allow the differential are {2,3} and {4,5}. If the attacker sends in the values of {6, 7} and observes the correct output difference it means the key is either 6 ⊕ K = 2, or 6 ⊕ K = 4, meaning the key K is either 2 or 4.
In essence, for an n-bit non-linear function one would ideally seek as close to 2<sup>−(''n'' − 1)</sup> as possible to achieve ''differential uniformity''. When this happens, the differential attack requires as much work to determine the key as simply brute forcing the key.<ref>{{Cite journal |last=Indesteege |first=Sebastiaan |last2=Preneel |first2=Bart |date=2009 |editor-last=Dunkelman |editor-first=Orr |title=Practical Collisions for EnRUPT |url=https://link.springer.com/chapter/10.1007/978-3-642-03317-9_15 |journal=Fast Software Encryption |language=en |___location=Berlin, Heidelberg |publisher=Springer |pages=246–259 |doi=10.1007/978-3-642-03317-9_15 |isbn=978-3-642-03317-9}}</ref>
The AES non-linear function has a maximum differential probability of 4/256 (most entries however are either 0 or 2). Meaning that in theory one could determine the key with half as much work as brute force, however, the high branch of AES prevents any high probability trails from existing over multiple rounds. In fact, the AES cipher would be just as immune to differential and linear attacks with a much ''weaker'' non-linear function. The incredibly high branch (active S-box count) of 25 over 4R means that over 8 rounds no attack involves fewer than 50 non-linear transforms, meaning that the probability of success does not exceed Pr[attack] ≤ Pr[best attack on S-box]<sup>50</sup>. For example, with the current S-box AES emits no fixed differential with a probability higher than (4/256)<sup>50</sup> or 2<sup>−300</sup> which is far lower than the required threshold of 2<sup>−128</sup> for a 128-bit block cipher. This would have allowed room for a more efficient S-box, even if it is 16-uniform the probability of attack would have still been 2<sup>−200</sup>.
| |||