APPENDIX N
Differential and Linear Cryptanalysis of DES
In this appendix, we briefly discuss two issues related to the DES cipher discussed in
Chapter 6: differential and linear cryptanalysis. Thorough coverage of these two issues
is beyond the scope of this book. This appendix is designed to give the general picture
and a motivation for interested readers.
N.1 DIFFERENTIAL CRYPTANALYSIS
Differential cryptanalysis for DES was invented by Biham and Shamir. In this cryptanalysis, the intruder concentrates on chosen-plaintext attacks. The analysis uses the propagation of input differences through the cipher. The term difference here is used to refer to the exclusive-or of two different inputs (plaintexts). In other words, the intruder analyzes how P ⊕ P′ is propagated through rounds.
Probabilistic Relations
The idea of differential cryptanalysis is based on the probabilistic relations between input differences and output differences. Two relations are of particular interest in the analysis: differential profiles and round characteristics, as shown in Figure N.1.
Figure N.1 Differential profile and round characteristic for DES
[Figure: panel a, Differential Profile, shows an S-box with ∆In, ∆Out and a probabilities table; panel b, Round Characteristic, shows a DES round with ∆P, ∆C and a probabilities table.]
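The differential profile in Figure N.1a can be computed by direct counting. The following is an added example, not taken from the book: it builds the profile for DES S-box S1 (table values from the DES standard) and reads probabilities from it. The function names are illustrative assumptions.

```python
from fractions import Fraction

# DES S-box S1 as defined in the DES standard (not reproduced on this page).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(x):
    """Apply S1 to a 6-bit input: outer bits select the row, middle four the column."""
    row = ((x >> 4) & 0b10) | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]

def differential_profile():
    """profile[d_in][d_out] = number of inputs x with S(x) ^ S(x ^ d_in) == d_out."""
    profile = [[0] * 16 for _ in range(64)]
    for d_in in range(64):
        for x in range(64):
            profile[d_in][sbox(x) ^ sbox(x ^ d_in)] += 1
    return profile

def probability(profile, d_in, d_out):
    """Probability that input difference d_in yields output difference d_out."""
    return Fraction(profile[d_in][d_out], 64)

def best_nonzero(profile):
    """Return (d_in, d_out, count) with the highest count over nonzero d_in."""
    return max(
        ((d_in, d_out, profile[d_in][d_out])
         for d_in in range(1, 64) for d_out in range(16)),
        key=lambda entry: entry[2],
    )

if __name__ == "__main__":
    table = differential_profile()
    d_in = 0x34  # input difference chosen for illustration
    for d_out, count in enumerate(table[d_in]):
        if count:
            print(f"{d_in:02X} -> {d_out:X}: {count}/64")
    print("most likely nonzero entry:", best_nonzero(table))
```

Entries with count 0 are output differences that a given input difference can never produce; the uneven spread of the remaining counts is the probabilistic relation the analysis relies on.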
for70220_appN.fm Page 651 Thursday, January 25, 2007 6:00 PM