Path: gmdzi!unido!mcsun!uunet!tut.cis.ohiostate.edu!ucsd!pacbell.com!
pacbell!hoptoad!gnu
From: gnu@hoptoad.uucp (John Gilmore)
Newsgroups: sci.crypt
Subject: Adi Shamir and Eli Biham reveal "Differential Cryptanalysis"
MessageID: <12001@hoptoad.uucp>
Date: 17 Aug 90 19:02:03 GMT
References: <11999@hoptoad.uucp>
Organization: Cygnus Support, Palo Alto
Lines: 96
Posted: Fri Aug 17 20:02:03 1990
The biggest news of Crypto '90 was that Adi Shamir revealed the
technique he and Eli Biham have been using to cryptanalyze DES. Their
paper introduces "Differential Cryptanalysis" and shows how they used
this chosen plaintext technique to blow away FEAL8, Snefru with two
rounds, Lucifer with 8 rounds, NHash with 6 rounds, and DES with less
than 16 rounds. NOTE that this method is harder than exhaustive search
for DES with 16 rounds  DES has not been broken here, but has been
quite a bit better understood.
The crucial realizations are: XOR is selfinverse, and the DES key
mixes into the plaintext with XOR. The rest of the DES, except the
Sboxes, are linear with respect to XOR. And the Sboxes are far from
random if you look at the XOR of their inputs and compare it to the
XOR of their outputs. These properties are exploited to push knowledge
about the inputs deep into the guts of DES where there is hope of getting
it out the other side as visible relationships in the ciphertext.
The technique is to look at a system that has two DES's going on
in parallel: one with plaintext X and the other with plaintext Y.
(Both use the same key.) What we look at is the XOR of X and Y.
The inputs are chosen to have a specific XOR value and then we
watch the XOR evolve as the encryption proceeds. Since the key
is XOR'd in on both DES's, it has no effect on the XOR between the
two sides  the method is keyindependent!
What happens to the XOR is completely predictable EXCEPT through the
Sbox. There, however, the probabilities are noneven, and this gives
us a handle. E.g. if the XOR of the inputs to the Sbox is 0, you know
the XOR of the outputs will be 0 also (the inputs were the same, so
will the outputs be the same). If the XOR of the inputs to S1 is 0x34,
the probability of the XOR of the outputs being 0x2 is 16/64 or 1/4th
(you can determine this from enumerating all the possible inputs and
looking them up in the box, which is fixed for all time and well
known). Since there are 4 output bits of the Sbox, a smooth
probability would be 1/16th  much different from 1/1 or 1/4th. We
can feed various plaintexts through that Sbox, and depending which key
bits are XOR'd in, we will see different probabilities of results.
From the probability distribution of the results, we can work backwards
to determine what the Sbox input was, and since the Sbox input was
the XOR of part of the key and part of the plaintext  and we know the
plaintext  we then know part of the key.
This only works in the last round of DES, since we need to see
unmangled ciphertext bits. The rest of the attack (which I'll leave
the paper to explain) is how you select interesting plaintext pairs,
whose Sbox probabilities are 1 or otherwise abnormally high, to
propagate your knowledge through the first N rounds to get it to the
last round where you can break key bits.
The onsite proceedings include a very readable paper describing
the attack (the only thing it lacks is a good drawing of how one
round of DES works); they are available from Sherry McMahan as
described in the parent message to this one. If you want to get
the full gory details, ask for "Differential Cryptanalysis of
DESlike Cryptosystems" from:
Adi Shamir
The Weizmann Institute
Applied Math Dept.
Rehovot 76100, ISRAEL
phone 9728 343253
Folks at the conference paid $5 for copying costs of this 100+ page
tech report; I'm sure he'd appreciate contributions if you ask for a
copy. The cost of clearing foreign checks often runs $1015 though.
I heard several people predict that next year's Crypto conference
would have a whole session devoted to differential cryptanalysis
and what uses people come up with for it.
Things that I read into this (personal opinions) are:
* The designers of DES knew about this attack, or about
this class of attacks. The attack SUCCEEDS (costs less
than brute force) for 15 rounds of DES, FAILS (costs more)
for 16 rounds of DES. Guess how many rounds DES uses?
* Adi and Eli also discovered that almost any change they
made to DES, even rearranging the order of the eight
Sboxes, made it weaker and made it possible to break
in less than brute force. The Sboxes were designed
either knowing about this attack and testing against it, or
knowing of other design criteria that manage to foil this
attack even if the particular attack was not envisioned.
* DES was not weakened by reducing the key to 56 bits,
since with a 56bit key and 16 rounds it is STILL
harder to break than with brute force. The work factor
at 16 rounds is 2^58. Regardless of the length of the
key, this is still true, so a 128bit key would not
have been any better.

John Gilmore {sun,pacbell,uunet,pyramid}!hoptoad!gnu g...@toad.com
The Gutenberg Bible is printed on hemp (marijuana) paper. So was the July 2,
1776 draft of the Declaration of Independence. Why can't we grow it now?
