Differential Cryptanalysis of the Full 16-round DES
Computer Science Department, Technion - Israel Institute of Technology, Haifa 32000, Israel
Department of Applied Mathematics and Computer Science, The Weizmann Institute of Science, Rehovot 76100, Israel
In this paper we develop the first known attack which is capable of breaking the full 16-round DES in less than the complexity of exhaustive search. The data analysis phase computes the key by analyzing about 2^36 ciphertexts in 2^37 time. The 2^36 usable ciphertexts are obtained during the data collection phase from a larger pool of 2^47 chosen plaintexts by a simple bit repetition criterion which discards more than 99.9% of the ciphertexts as soon as they are generated. While earlier versions of differential attacks were based on huge counter arrays, the new attack requires negligible memory and can be carried out in parallel on up to 2^33 disconnected processors with linear speedup. In addition, the new attack can be carried out even if the analyzed ciphertexts are derived from up to 2^33 different keys due to frequent key changes during the data collection phase. The attack can be carried out incrementally with any number of available ciphertexts, and its probability of success grows linearly with this number (e.g., when 2^29 usable ciphertexts are generated from a smaller pool of 2^40 plaintexts, the analysis time decreases to 2^30 and the probability of success is about 1%).
The Data Encryption Standard (DES) is the best known and most widely used cryptosystem for civilian applications. It consists of 16 rounds of substitution and permutation operations, carried out under the control of a 56 bit key (see  for further details). It was adopted as a US national standard in the mid 70's, and has been extensively analyzed for over 15 years. However, no attack which is faster than exhaustive search (whose complexity is 2^55 due to a simple complementation property that halves the number of searched keys) has ever been reported in the open literature.
E.F. Brickell (Ed.): Advances in Cryptology - CRYPTO '92, LNCS 740, pp. 487-496, 1993. © Springer-Verlag Berlin Heidelberg 1993
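As an added illustration (not part of the paper) of the complementation property referred to above, the following Go program checks DES(~P, ~K) = ~DES(P, K) using the standard-library DES and shows why one trial encryption tests both a key and its complement, so exhaustive search needs 2^55 rather than 2^56 trials; the sample key and block are constructed values.

```go
package main
import (
	"bytes"
	"crypto/des"
	"fmt"
)

func complement(b []byte) []byte {
	out := make([]byte, len(b))
	for i, v := range b {
		out[i] = ^v
	}
	return out
}

// encryptBlock encrypts one 64-bit block with single DES from the Go stdlib.
func encryptBlock(key, block []byte) []byte {
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err) // only an 8-byte key is ever passed here
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out
}

// ComplementationHolds checks DES(~P, ~K) == ~DES(P, K), the property that halves the search.
func ComplementationHolds(key, p []byte) bool {
	return bytes.Equal(encryptBlock(complement(key), complement(p)), complement(encryptBlock(key, p)))
}

// TrialKeyCandidates is one step of the halved search: given c1 = DES(P, K*) and
// c2 = DES(~P, K*), one encryption under trial key k tests k (t == c1) and ~k
// (~t == c2, since DES(~P, ~k) = ~DES(P, k)), so 2^55 trials cover all 2^56 keys.
func TrialKeyCandidates(p, c1, c2, trial []byte) [][]byte {
	t := encryptBlock(trial, p)
	var cands [][]byte
	if bytes.Equal(t, c1) {
		cands = append(cands, trial)
	}
	if bytes.Equal(complement(t), c2) {
		cands = append(cands, complement(trial))
	}
	return cands
}

func main() { // constructed sample key and block, not values from the paper
	key, p := []byte{0x13, 0x34, 0x57, 0x79, 0x9B, 0xBC, 0xDF, 0xF1}, []byte("DESblock")
	fmt.Println(ComplementationHolds(key, p), TrialKeyCandidates(p, encryptBlock(key, p), encryptBlock(key, complement(p)), complement(key)))
}
```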
The lack of progress in the cryptanalysis of the full DES led many researchers to analyse simplified variants of DES, and in particular variants of DES with fewer than 16 rounds. Chaum and Evertse described an attack on reduced variants of DES, whose complexity is 2^54 for the six-round variant. They showed that their attack is not applicable to variants with eight or more rounds. Davies [5] devised a known plaintext attack whose application to DES reduced to eight rounds analyzes 2^40 known plaintexts and has time complexity 2^40. This attack is not applicable to the full 16-round DES since it has to analyze more than the 2^64 possible plaintexts. The most successful attack on reduced variants of DES was the method we called differential cryptanalysis [1], which could break variants of DES with up to 15 rounds faster than via exhaustive search. However, for the full 16-round DES the complexity of the attack was 2^58, which was slower than exhaustive search. Similar attacks were used to cryptanalyze a large number of DES-like cryptosystems and hash functions [2,3].

In this paper we finally break through the 16-round barrier. We develop an improved version of differential cryptanalysis which can break the full 16-round DES in 2^37 time and negligible space by analyzing 2^36 ciphertexts obtained from a larger pool of 2^47 chosen plaintexts. An interesting feature of the new attack is that it can be applied with the same complexity and success probability even if the key is frequently changed and thus the collected ciphertexts are derived from many different keys. The attack can be carried out incrementally, and one of the keys can be computed in real time while it is still valid. This is...
References:
[1] Eli Biham, Adi Shamir, Differential Cryptanalysis of DES-like Cryptosystems, Journal of Cryptology, Vol. 4, No. 1, pp. 3-72, 1991. The extended abstract appears in Advances in Cryptology, proceedings of CRYPTO '90, pp. 2-21, 1990.
[2] Eli Biham, Adi Shamir, Differential Cryptanalysis of Feal and N-Hash, technical report CS91-17, Department of Applied Mathematics and Computer Science, The Weizmann Institute of Science, 1991. The extended abstract appears in Advances in Cryptology, proceedings of EUROCRYPT '91, pp. 1-16, 1991.
[3] Eli Biham, Adi Shamir, Differential Cryptanalysis of Snefru, Khafre, REDOC-II, LOKI and Lucifer, technical report CS91-18, Department of Applied Mathematics and Computer Science, The Weizmann Institute of Science, 1991. The extended abstract appears in Advances in Cryptology, proceedings of CRYPTO '91, 1991.
[4] David Chaum, Jan-Hendrik Evertse, Cryptanalysis of DES with a reduced number of rounds, Sequences of linear factors in block ciphers, Advances in Cryptology, proceedings of CRYPTO '85, pp. 192-211, 1985.
[5] D. W. Davies, private communication.
[6] National Bureau of Standards, Data Encryption Standard, U.S. Department of Commerce, FIPS pub. 46, January 1977.