 Differential cryptanalysis

Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in an input can affect the resultant difference at the output. In the case of a block cipher, it refers to a set of techniques for tracing differences through the network of transformations, discovering where the cipher exhibits nonrandom behaviour, and exploiting such properties to recover the secret key.
Contents
History
The discovery of differential cryptanalysis is generally attributed to Eli Biham and Adi Shamir in the late 1980s, who published a number of attacks against various block ciphers and hash functions, including a theoretical weakness in the Data Encryption Standard (DES). It was noted by Biham and Shamir that DES is surprisingly resistant to differential cryptanalysis, in the sense that even small modifications to the algorithm would make it much more susceptible.^{[1]}
In 1994, a member of the original IBM DES team, Don Coppersmith, published a paper stating that differential cryptanalysis was known to IBM as early as 1974, and that defending against differential cryptanalysis had been a design goal.^{[2]} According to author Steven Levy, IBM had discovered differential cryptanalysis on its own, and the NSA was apparently well aware of the technique.^{[3]} IBM kept some secrets, as Coppersmith explains: "After discussions with NSA, it was decided that disclosure of the design considerations would reveal the technique of differential cryptanalysis, a powerful technique that could be used against many ciphers. This in turn would weaken the competitive advantage the United States enjoyed over other countries in the field of cryptography."^{[2]} Within IBM, differential cryptanalysis was known as the "Tattack"^{[2]} or "Tickle attack".^{[4]}
While DES was designed with resistance to differential cryptanalysis in mind, other contemporary ciphers proved to be vulnerable. An early target for the attack was the FEAL block cipher. The original proposed version with four rounds (FEAL4) can be broken using only eight chosen plaintexts, and even a 31round version of FEAL is susceptible to the attack.
Attack mechanics
Differential cryptanalysis is usually a chosen plaintext attack, meaning that the attacker must be able to obtain encrypted ciphertexts for some set of plaintexts of his choosing. The scheme can successfully cryptanalyze DES with an effort on the order 2^{47} chosen plaintexts. There are, however, extensions that would allow a known plaintext or even a ciphertextonly attack. The basic method uses pairs of plaintext related by a constant difference; difference can be defined in several ways, but the eXclusive OR (XOR) operation is usual. The attacker then computes the differences of the corresponding ciphertexts, hoping to detect statistical patterns in their distribution. The resulting pair of differences is called a differential. Their statistical properties depend upon the nature of the Sboxes used for encryption, so the attacker analyses differentials (Δ_{X}, Δ_{Y}), where Δ_{Y} = S(X ⊕ Δ_{X}) ⊕ S(X) (and ⊕ denotes exclusive or) for each such Sbox S. In the basic attack, one particular ciphertext difference is expected to be especially frequent; in this way, the cipher can be distinguished from random. More sophisticated variations allow the key to be recovered faster than exhaustive search.
In the most basic form of key recovery through differential cryptanalysis, an attacker requests the ciphertexts for a large number of plaintext pairs, then assumes that the differential holds for at least r1 rounds, where r is the total number of rounds. The attacker then deduces which round keys (for the final round) are possible assuming the difference between the blocks before the final round is fixed. When round keys are short, this can be achieved by simply exhaustively decrypting the ciphertext pairs one round with each possible round key. When one round key has been deemed a potential round key considerably more often than any other key, it is assumed to be the correct round key.
For any particular cipher, the input difference must be carefully selected if the attack is to be successful. An analysis of the algorithm's internals is undertaken; the standard method is to trace a path of highly probable differences through the various stages of encryption, termed a differential characteristic.
Since differential cryptanalysis became public knowledge, it has become a basic concern of cipher designers. New designs are expected to be accompanied by evidence that the algorithm is resistant to this attack, and many, including the Advanced Encryption Standard, have been proven secure against the attack.
Attack in Details
The attack relies primarily on the fact that a given input/output difference pattern only occurs for certain values of inputs. Usually the attack is applied in essence to the nonlinear components as if they were a solid component (usually they are in fact lookup tables or sboxes). Observing the desired output difference (between two chosen or known plaintext inputs) suggests possible key values.
For example, if a differential of 1 => 1 (implying a difference in the LSB of the input leads to a output difference in the LSB) occurs with probability of 4/256 (possible with the nonlinear function in the AES cipher for instance) then for only 4 values (or 2 pairs) of inputs is that differential possible. Suppose we have a nonlinear function where the key is XOR'ed before evaluation and the values that allow the differential are {2,3} and {4,5}. If the attacker sends in the values of {6, 7} and observes the correct output difference it means the key is either 6 xor K = 2 or 6 xor K = 4, meaning the key is either K = {2,4}.
In essence, for an nbit nonlinear function one would ideally seek as close to 2^{(n1)} as possible to achieve differential uniformity. When this happens, the differential attack requires as much work to determine the key as simply brute forcing the key.
The AES nonlinear function has a maximum differential probability of 4/256 (most entries however are either 0 or 2). Meaning that in theory one could determine the key with half as much work as brute force, however, the high branch of AES prevents any high probability trails from existing over multiple rounds. In fact, the AES cipher would be just as immune to differential and linear attacks with a much weaker nonlinear function. The incredibly high branch (active sbox count) of 25 over 4R means that over 8 rounds no attack involves fewer than 50 nonlinear transforms, meaning that the probability of success does not exceed Pr[attack] <= Pr[best attack on sbox]^{50}. For example, with the current sbox AES emits no fixed differential with a probability higher than (4/256)^{50} or 2^{−300} which is far lower than the required threshold of 2^{−128} for a 128bit block cipher. This would have allowed room for a more efficient sbox, even if it is 16uniform the probability of attack would have still been 2^{−200}.
There exists no bijections for even sized inputs/outputs with a 2uniformity. They exist in odd fields (such as GF(2^{7})) using either cubing or inversion (there are other exponents that can be used as well). For instance S(x) = x^{3} in any odd binary field is immune to differential and linear cryptanalysis. This is in part why the MISTY designs use 7 and 9bit functions in the 16bit nonlinear function. What these functions gain in immunity to differential and linear attacks they lose to algebraic attacks. That is, they are possible to describe and solve via a SAT solver. This is in part why AES (for instance) has an affine mapping after the inversion.
Specialized types
 Higherorder differential cryptanalysis
 Truncated differential cryptanalysis
 Impossible differential cryptanalysis
 Boomerang attack
See also
References
 ^ Biham and Shamir, 1993, pp. 89
 ^ ^{a} ^{b} ^{c} Coppersmith, Don (May 1994). "The Data Encryption Standard (DES) and its strength against attacks" (PDF). IBM Journal of Research and Development 38 (3): 243. doi:10.1147/rd.383.0243. http://www.research.ibm.com/journal/rd/383/coppersmith.pdf. (subscription required)
 ^ Levy, Steven (2001). Crypto: How the Code Rebels Beat the Government — Saving Privacy in the Digital Age. Penguin Books. pp. 55–56. ISBN 0140244328.
 ^ Matt Blaze, sci.crypt, 15 August 1996, Re: Reverse engineering and the Clipper chip"
 Eli Biham, Adi Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. ISBN 0387979301, ISBN 3540979301.
 Biham, E. and A. Shamir. (1990). Differential Cryptanalysis of DESlike Cryptosystems. Advances in Cryptology — CRYPTO '90. SpringerVerlag. 2–21.
 Eli Biham, Adi Shamir,"Differential Cryptanalysis of the Full 16Round DES," CS 708, Proceedings of CRYPTO '92, Volume 740 of Lecture Notes in Computer Science, December 1991. (Postscript)
 Eli Biham, slides from "How to Make a Difference: Early History of Differential Cryptanalysis"PDF (850 KB), March 16, 2006, FSE 2006, Graz, Austria
External links
 A tutorial on differential (and linear) cryptanalysis
 Helger Lipmaa's links on differential cryptanalysis
 A description of the attack applied to DES
Categories: Cryptographic attacks
Wikimedia Foundation. 2010.