Cryptography Reference
In-Depth Information
up correctly with the bits of the key (by looking at how the subkey is mapped to the real key through the per-
mutation, as shown in Figure 7-1 ) .
In total, this technique required approximately 2 6 × 1000 ≈ 2 16 operations to work. Brute-forcing the remain-
ing bits will take about 2 12 operations, which is not as great as the 2 16 already done. Together, these operations
take less time than brute-forcing the 18-bit key (which would take 2 18 operations).
If a full 36-bit key were used, we would have 2 30 operations left after the key derivation to brute-force the
remaining 30 bits. The 2 30 operations in this case would take much longer than the 2 16 operations to derive the
6 bits using differential cryptanalysis; thus, the overall key derivation would still require approximately 2 30 op-
erations (less than the 2 36 required for brute-forcing a 36-bit key).
7.6 Differential Cryptanalysis Code
The code for implementing differential cryptanalysis, in general, is extremely straightforward. Typically, we do
the analysis part offline, where we determine which characteristics to use.
First, we need to perform a simple differential analysis of an S-box. Assume that we have the S-box imple-
mented as a lookup table (in the array s). Listing 7-1 gives us the code to do this, by taking every possible input
value for the S-box, calculating the output value, and then measuring, for each input differential possible, the
resultant output differential. A table is kept of how many times certain differentials give rise to other differen-
tials.
Listing 7-1 Python code for performing a differential analysis of an S-box, loaded into the s matrix.
# The number of bits in the S-box
sbits = 6
# Calculate the maximum value / differential
ssize = 2**6
# Generate the matrix of differences, starting
# at all zeros
count = []
for i in range(ssize):
count.append([0 for j in range(ssize)])
# Take every possible value for the first plaintext
for x1 in range(0, ssize):
# Calculate the corresponding ciphertext
y1 = s[x1]
# Now, for each possible differential
for dx in range(0, ssize):
# Calculate the other plaintext and ciphertext
x2 = x1 ^ dx
y2 = s[x2]
# Calculate the output differential
dy = y1 ^ y2
# Increment the count of the characteristic
# in the table corresponding to the two
# differentials
count[dx][dy] = count[dx][dy] + 1
 
 
Search WWH ::




Custom Search