Des, Differential Cryptanalysis
Differential Cryptanalysis of the Full 16-round DES
Eli Biham
Computer Science D e p a r t m e n t Technion - Israel Institute of Technology Haifa 32000, Israel
Adi Shamir
Department of Applied Mathematics and C o m p u t e r Science The Weizmann Institute of Science Rehovot 76100, Israel
Abstract
I this paper we develop the first known attack which is capable of breaking n the full 16 round DES in less than the complexity of exhaustive search. The d a t a analysis phase computes the key by analyzing about 2% ciphertexts in 237time. The 2% usable ciphertexts are obtained during the data collection phase from a larger pool of 247 chosen plaintexts by a simple bit repetition criteria which discards more than 99.9% of the ciphertexts as soon as they are generated. While earlier versions of differential attacks were based on huge counter arrays, the new attack requires negligible memory and can be carried out in parallel on up to 2= disconnected processors with Linear speedup. In addition, the new attack can be carried out even if the analyzed ciphertexts are derived from up to 2= different keys due to frequent key changes during the d a t a collection phase. The attack can be carried out incrementally with any number of available ciphertexts, and its probability of success grows linearly with this number (e.g., when 229 usable ciphertexts are generated from a smaller pool of 240 plaintexts, the analysis time decreases t o 230 and the probability of success is about 1%).
1
Introduction
The Data Encryption Standard (DES) is t h e best known and most widely used cryptosystem for civilian applications. It consists of 16 rounds of substitution and perm u t a t i o n operations, carried out under t h e control of a 56 bit key (see [6] for further
E.F. Brickell (Ed.): Advances in Cryptology - CRYPT0 '92, LNCS 740, pp. 487-496, 1993. 0 Springer-Verlag Berlin Heidelberg 1993
188
details). It was adopted a s a US national standard in the mid
Eli Biham
Computer Science D e p a r t m e n t Technion - Israel Institute of Technology Haifa 32000, Israel
Adi Shamir
Department of Applied Mathematics and C o m p u t e r Science The Weizmann Institute of Science Rehovot 76100, Israel
Abstract
I this paper we develop the first known attack which is capable of breaking n the full 16 round DES in less than the complexity of exhaustive search. The d a t a analysis phase computes the key by analyzing about 2% ciphertexts in 237time. The 2% usable ciphertexts are obtained during the data collection phase from a larger pool of 247 chosen plaintexts by a simple bit repetition criteria which discards more than 99.9% of the ciphertexts as soon as they are generated. While earlier versions of differential attacks were based on huge counter arrays, the new attack requires negligible memory and can be carried out in parallel on up to 2= disconnected processors with Linear speedup. In addition, the new attack can be carried out even if the analyzed ciphertexts are derived from up to 2= different keys due to frequent key changes during the d a t a collection phase. The attack can be carried out incrementally with any number of available ciphertexts, and its probability of success grows linearly with this number (e.g., when 229 usable ciphertexts are generated from a smaller pool of 240 plaintexts, the analysis time decreases t o 230 and the probability of success is about 1%).
1
Introduction
The Data Encryption Standard (DES) is t h e best known and most widely used cryptosystem for civilian applications. It consists of 16 rounds of substitution and perm u t a t i o n operations, carried out under t h e control of a 56 bit key (see [6] for further
E.F. Brickell (Ed.): Advances in Cryptology - CRYPT0 '92, LNCS 740, pp. 487-496, 1993. 0 Springer-Verlag Berlin Heidelberg 1993
188
details). It was adopted a s a US national standard in the mid
References: [l] Eli Biham, Adi Shamir, Diflerential Cryptanalysis o j DES-like Cryptosystcms7 Journal of Cryptology, Vol. 4. So. 1. pp. 3-72, 1991. The extended abstract appears in Advances in cryptology, proceedings of CRYFTO’SO, pp. 2-21, 1990. [2] Eli Biham, .4di Shamir, DzjJerential Cryptanalysis of Feai and 11’-Hash, technical report cS91-17, Department of Applied Mathematics and Computer Science, The Weizmann Institute of Science? 1991. The extended abstract appears in Advances in cryptology, proceedings of EUKOCRYFT’Si, pp. 1-16, 1991. [3] Eli Biham, Adi Shamir, Diflerential Crgptanafysis ofSnefru, Khafre, REDOC-[I, L O K I and Lucifer, technical report CS91-18, Department of Applied Mathematics and Computer Science, The Weizmann Institute of Science, 1991. The extended abstract appears in Advances in cryptology, proceedings of CRYPTO’91, 1991. [4]David Chaum, Jan-Hendrik Evertse, Cryptanalysis of DES with a reduced number of rounds, Sequences of linear factors in block ciphers, Advances in cryptology, proceedings of CRYPT0’85, pp. 192-211. 1985. [5] D. W. Dat-ies, private communication. [6] National Bureau of Standards, Data Encryption Standard, G.S. Department of Commerce, FIPS pub. 46, January 1977.