What is Differential Cryptanalysis?

Differential cryptanalysis is the name of a variety of methods of cryptographic attack on block ciphers using a known plaintext attack. Differential cryptanalysis works by encrypting known plaintext, or unencrypted text, using a chosen cipher key to determine how the encryption process works. Two inputs are selected with a constant difference between them where the difference between the two inputs can be determined by different operations including the use of the eXclusive OR (XOR) operation. When the input pair is run through the differential cryptanalysis code, an output pair is formed using a cipher key. The input is known, so the cryptographer watches for patterns of change in the output.

Once the output is received, the cryptographer assigns probabilities to certain input-output pairs to determine which cipher key caused particular changes in the output pairs. Different cipher keys have different probabilities of certain outputs occurring for each input. These probabilities allow the cryptographer to make informed guesses as to various aspects of the key based on the input and output patterns.

This method was originally developed in the late 1980s by Eli Bidham and Adi Shamir. It was intended to attack block ciphers and check for weaknesses in the U.S. National Bureau of Standards’ Data Encryption Standard (DES) Algorithm, used as the Federal Information Processing Standard to encrypt sensitive unclassified data. In 1994, Don Coppersmith, one of the IBM software engineers who helped design the DES, said IBM was already familiar with differential cryptanalysis and had worked to make the DES resistant to attack.

To successfully determine what cipher key is being used with this process, certain requirements must be met. It is most successful when the cryptographer can choose the plaintext himself and receive output ciphertext. Differential cryptanalysis is suited best for iterative block ciphers. These types of ciphers encrypt plaintext using the same transformation in several rounds using a subkey.

Designers of ciphers and cryptographic codes work to ensure their code is not vulnerable to this type of known attack. One of these is the use of message keys and limitations on the amount of ciphertext received using a single message key. This is a weakness of differential cryptanalysis because of its reliance on large amounts of plaintext.

The differential cryptanalysis method relies on the use of particular tables to choose the input pair. Knowing this, an encryption system can protect itself against the attack in various ways. It doesn't matter whether the code is set up to select from a larger number of tables than expected, to select from all of the different tables, or to mix the table results as soon as the results are determined.