Cryptography Reference
In-Depth Information
Fig. 3.8
Differential path of
a correct pair with respect to a
r
-round
ε
-characteristic
We will call an
r -round characteristic
4
an
(
r
+
1
)
-tuple
Ω
=
(Ω
0
,Ω
1
,...,Ω
r
)
L
i
R
32
32
L
i
+
1
R
where
Ω
i
=
(Ω
,Ω
)
∈{
0
,
1
}
×{
0
,
1
}
and
Ω
=
Ω
for every
i
≥
0.
i
i
32
,an
r
-round characteristic
For
ε
∈{
0
,
1
}
Ω
is called an
r
-round
ε
-characteristic if
L
R
r
(Ω
r
,Ω
)
=
(ε,
0
)
. A correct pair with respect to a
r
-round characteristic
Ω
is a pair
P
)
L
i
R
(
,
(Ω
,Ω
)
=
(Δ
L
i
,Δ
R
i
)
∈{
,...,
}
of plaintexts
P
such that
for every
i
1
r
.
i
P
)
(
,
≤
Namely, a correct pair
P
is such that at round
i
r
the XOR-differences
R
i
L
i
R
in input and output of the
f
-function are
i
respectively. For
instance, Fig.
3.8
represents the differential path of a correct pair with respect to an
r
-round
Ω
and
Ω
1
⊕
Ω
−
1
−
ε
-characteristic. Eventually, the
probability p
of a characteristic
Ω
is the
Ω
probability that a pair of plaintexts
(
P
,
P
⊕
Ω
0
)
is a correct pair with respect to
Ω
.
3.5.2 Attack Description
The attack assumes that the adversary can ask for the encryption of chosen plaintexts
under a secret key
K
which he aims at recovering. The adversary is further able
to induce some fault in the left half of the DES internal state at the end of some
round
r
. More precisely,
L
r
is replaced by
L
r
in the encryption of
P
which
produces a faulty ciphertext
C
. Note that, equivalently, the adversary could induce
a fault in
R
r
+
1
or in the output of the
f
-function at round
r
⊕
ε
+
1. The error vector
ε
32
. For instance, in a single-bit error
is randomly distributed among a set
E
⊆{
0
,
1
}
model,
E
is the set of 32-bit words whose Hamming weights equal 1. The attacker is
4
This definition slightly differs from the definition in [178].