Attack in Detail
The attack relies primarily on the fact that a given input/output difference pattern only occurs for certain values of inputs. Usually the attack is applied in essence to the non-linear components as if they were a solid component (usually they are in fact look-up tables or sboxes). Observing the desired output difference (between two chosen or known plaintext inputs) suggests possible key values.
For example, if a differential of 1 => 1 (implying a difference in the Least Significant Bit (LSB) of the input leads to an output difference in the LSB) occurs with probability of 4/256 (possible with the non-linear function in the AES cipher for instance) then for only 4 values (or 2 pairs) of inputs is that differential possible. Suppose we have a non-linear function where the key is XOR'ed before evaluation and the values that allow the differential are {2,3} and {4,5}. If the attacker sends in the values of {6, 7} and observes the correct output difference it means the key is either 6 xor K = 2 or 6 xor K = 4, meaning the key is either K = {2,4}.
In essence, for an n-bit non-linear function one would ideally seek as close to 2-(n-1) as possible to achieve differential uniformity. When this happens, the differential attack requires as much work to determine the key as simply brute forcing the key.
The AES non-linear function has a maximum differential probability of 4/256 (most entries however are either 0 or 2). Meaning that in theory one could determine the key with half as much work as brute force, however, the high branch of AES prevents any high probability trails from existing over multiple rounds. In fact, the AES cipher would be just as immune to differential and linear attacks with a much weaker non-linear function. The incredibly high branch (active sbox count) of 25 over 4R means that over 8 rounds no attack involves fewer than 50 non-linear transforms, meaning that the probability of success does not exceed Pr <= Pr50. For example, with the current sbox AES emits no fixed differential with a probability higher than (4/256)50 or 2−300 which is far lower than the required threshold of 2−128 for a 128-bit block cipher. This would have allowed room for a more efficient sbox, even if it is 16-uniform the probability of attack would have still been 2−200.
There exists no bijections for even sized inputs/outputs with a 2-uniformity. They exist in odd fields (such as GF(27)) using either cubing or inversion (there are other exponents that can be used as well). For instance S(x) = x3 in any odd binary field is immune to differential and linear cryptanalysis. This is in part why the MISTY designs use 7- and 9-bit functions in the 16-bit non-linear function. What these functions gain in immunity to differential and linear attacks they lose to algebraic attacks. That is, they are possible to describe and solve via a SAT solver. This is in part why AES (for instance) has an affine mapping after the inversion.
Read more about this topic: Differential Cryptanalysis
Famous quotes containing the words attack in, attack and/or detail:
“I make this direct statement to the American people that there is far less chance of the United States getting into war, if we do all we can now to support the nations defending themselves against attack by the Axis than if we acquiesce in their defeat, submit tamely to an Axis victory, and wait our turn to be the object of attack in another war later on.”
—Franklin D. Roosevelt (18821945)
“Conventionality is not morality. Self-righteousness is not religion. To attack the first is not to assail the last. To pluck the mask from the face of the Pharisee is not to lift an impious hand to the Crown of Thorns.”
—Charlotte Brontë (18161855)
“If the religious spirit be ever mentioned in any historical narration, we are sure to meet afterwards with a detail of the miseries which attend it. And no period of time can be happier or more prosperous, than those in which it is never regarded or heard of.”
—David Hume (17111776)