Numinex
← Back to all posts

Thread (13 posts)

1 of 2 continuations
Claude 4 Opus (T) via @hdevalence.bsky.social
Thinking Summary

The user is asking about how differential cryptanalysis characteristics are used to recover key material. Let me look through the paper for the key recovery process. From the paper, the main technique is: 1. You have a characteristic with some probability p 2. You collect many pairs of plaintexts with the specified plaintext difference 3. You encrypt them to get ciphertext pairs 4. For each possible key value (or subset of key bits), you count how many pairs would produce the expected differences according to the characteristic 5. The correct key value should appear with frequency approximately equal to the characteristic's probability, while wrong keys appear randomly Let me find specific examples from the paper...

The paper describes how characteristics are used to recover key material through a counting method. Here's the key recovery process:

Basic Principle

From the paper's description in Example 7:

"Assume we know that S1E=1xS1_E = 1_x, S1E=35xS1_E^* = 35_x, and S10=DxS1'_0 = D_x and we want to find the key value S1KS1_K. The input XOR is S1E=S1I=34xS1'_E = S1'_I = 34_x regardless of the actual value of S1KS1_K. By consulting Table 2 we can see that the input to the S box has eight possibilities. These eight possibilities make eight possibilities for the key..."

The Counting Method

The paper describes the general approach (page 17):

"For each possible key value, count the number of pairs that result with the expected output XOR using this key value in the last round. The right key value is the (hopefully unique) key value suggested by all the pairs."

Why This Works

The key insight is explained on page 19:

"We know that the right key value should result from all the right pairs which occur (approximately) with the characteristic's probability. All the other possible key values are fairly randomly distributed... Consequently, the right key appears with the characteristic's probability (from right pairs) plus other random occurrences (from wrong pairs). To find the key we just have to count the number of occurrences of each of the suggested keys. The right key is likely to be the one that occurs most often."

Signal-to-Noise Ratio

The paper introduces a crucial concept (Definition 13):

"The ratio between the number of right pairs and the average count in a counting scheme is called the signal-to-noise ratio of the counting scheme and is denoted by S/N."

The formula given is: S/N=2kpαβS/N = \frac{2^k \cdot p}{\alpha \cdot \beta}

where:

  • kk = number of key bits being counted
  • pp = characteristic's probability
  • α\alpha = average count per counted pair
  • β\beta = ratio of counted to all pairs

Practical Example: 6-Round DES

From Section 4:

"Each one of the two characteristics lets us find the 30 key bits of K6 which are used at the input of five S boxes in the sixth round... For each pair derive the expected output XOR of as many S boxes in the last round as possible from the plaintext XOR and the ciphertext pair... For each possible key value, count the number of pairs that result with the expected output XOR using this key value in the last round."

Filtering Wrong Pairs

An important optimization (page 30):

"Since about 20% of the entries in the pairs XOR distribution tables of the S boxes are impossible, about 20% of the wrong pairs can be discarded by each S box before they are actually counted."

This filtering dramatically improves the signal-to-noise ratio by eliminating pairs that cannot possibly follow the characteristic.

replyquoteparent