Cryptography Reference
In-Depth Information
7.4 Combining S-Box Characteristics
Note that characteristics are not estimates, as the expressions in linear cryptanalysis are, but actual occurrences
in the S-boxes themselves that have known probabilities. Hence, we do not need the Piling-up Lemma to com-
bine S-box equations but can merely chain them together, multiplying the probabilities directly using normal
rules of probability.
We have a graphical representation of this process of combining S-box characteristics in
Figure 7-1
. In this
diagram, we are using two different relationships (in binary):
Figure 7-1
Differential attack on the EASY1 cipher.
(001001
⇒
011000)
(010010
⇒
000001)
Both of these characteristics have a probability of 6/64. The first round uses the first characteristic, which has
only two output bits affected by the two input bits. These output bits then feed into the second S-box of the
second round after permutation.
Each charactistic is expected to be independent of the others; thus, we can multiply the probability of each to
obtain a probability for each occurring at the same time:
Search WWH ::
Custom Search