Cryptography Reference
In-Depth Information
Fig. 3.8 Differential path of
a correct pair with respect to a
r -round
ε
-characteristic
We will call an r -round characteristic 4 an
(
r
+
1
)
-tuple
Ω = 0 1 ,...,Ω r )
L
i
R
32
32
L
i + 1
R
where
Ω i
=
) ∈{
0
,
1
}
×{
0
,
1
}
and
Ω
= Ω
for every i
0.
i
i
32 ,an r -round characteristic
For
ε ∈{
0
,
1
}
Ω
is called an r -round
ε
-characteristic if
L
R
r
r
) = (ε,
0
)
. A correct pair with respect to a r -round characteristic
Ω
is a pair
P )
L
i
R
(
,
) =
L i
R i )
∈{
,...,
}
of plaintexts
P
such that
for every i
1
r
.
i
P )
(
,
Namely, a correct pair
P
is such that at round i
r the XOR-differences
R
i
L
i
R
in input and output of the f -function are
i respectively. For
instance, Fig. 3.8 represents the differential path of a correct pair with respect to an
r -round
Ω
and
Ω
1 Ω
1
ε
-characteristic. Eventually, the probability p
of a characteristic
Ω
is the
Ω
probability that a pair of plaintexts
(
P
,
P
Ω 0 )
is a correct pair with respect to
Ω
.
3.5.2 Attack Description
The attack assumes that the adversary can ask for the encryption of chosen plaintexts
under a secret key K which he aims at recovering. The adversary is further able
to induce some fault in the left half of the DES internal state at the end of some
round r . More precisely, L r is replaced by L r
in the encryption of P which
produces a faulty ciphertext C . Note that, equivalently, the adversary could induce
a fault in R r + 1 or in the output of the f -function at round r
ε
+
1. The error vector
ε
32 . For instance, in a single-bit error
is randomly distributed among a set
E ⊆{
0
,
1
}
model,
E
is the set of 32-bit words whose Hamming weights equal 1. The attacker is
4
This definition slightly differs from the definition in [178].
Search WWH ::




Custom Search