Cryptography Reference
In-Depth Information
set of more than one quadrillion bytes (more than one million Gbytes). That's
beyond good and evil, not only technically. Nobody would ever encrypt such a
huge data set with only one key. Certainly, no attacker could foist such a data
set on a code writer ever.
So, if you read something along the lines of 'DES can be attacked by dif-
ferential cryptanalysis', it is basically true but can't be realized in practice.
Such claims create false doubts about this algorithm if they remain unquali-
fied. DES is resistant to this attack thanks to the careful design of its S-boxes
(and 16 rounds, a number certainly not chosen at will): attacking with differen-
tial cryptanalysis is not more effective than brute force even with known (but
not chosen) plaintext.
This is why differential cryptanalysis enjoys a strong interest. In fact, it was
the first method that worked faster than brute force. Moreover, the resources
required might be reduced to practically interesting levels one day.
4.4.3 Attacking With Related Keys. Weak Keys
Thought experiments are always possible and interesting when they bring new
findings. The attack with related keys was originally such a thought experiment.
The underlying idea is to look at the changed key bits rather than at the effect
these changed plaintext bits have. For the time being, we are not interested in
the practical realization of this attack. In theory, it looks like this: a known
or perhaps chosen plaintext is encrypted with different keys, which naturally
differ in certain bits. The key is reconstructed from the ciphertexts created.
Schneier [SchnCr, 12.4] writes that the irregular rotation of the DES keys in the
single rounds frustrates this attack. The DES designers may also have thought
about it! But 2
17
(over 100 000) chosen plaintexts are sufficient for this type
of attack if the key is rotated constantly. This was shown in a study by (well,
guess who) Biham.
This attack was found to be independent of the number of rounds and, if
feasible, effective also against Triple-DES, described in Section 5.2.1.
A related principle was exploited in a new type of attack that created a great
stir. More about it in Section 4.4.5.
Weak Keys
As troubling as this heading may sound, the impact on the security of DES
is negligible. The reason is that the algorithm is insecure to special keys. For
