Why does differential cryptanalysis always start from the last round?

xhuliano

8/12/23, 8:08 AM

Suppose we are working with a cipher with the same general structure as AES.

I want to attack the cipher in the following way: suppose that the differential holds only for the first round (much higher probability than wanting it to hold for all rounds from the first to the penultimate), recover the first subkey, then proceed from there, always crafting plaintext such that the differential is likely to hold for the next round from which I need the subkey.

I'm probably missing something basic, but why can't we attack like this instead of working our way up from the last subkey?

0 + 0

cryptanalysis

differential-analysis

kelalaka

8/12/23, 10:12 AM

You can and more [Boomerang attack Dawid Wagner 1999](https://en.wikipedia.org/wiki/Boomerang_attack). Your premise is flawed since we expect the differential occurs more probability in the first round. Anyway, read Boomerang attack...

Score:0

Crypto

poncho

8/12/23, 12:23 PM

I want to attack the cipher in the following way: suppose that the differential holds only for the first round (much higher probability than wanting it to hold for all rounds from the first to the penultimate), recover the first subkey

How would this work? If we have a differential through the first round (and the rest of the cipher acts effectively randomly), how can we determine if the differential holds by examining the ciphertext?

Or, are you thinking of a different strategy?

0 + 0

xhuliano

8/12/23, 2:51 PM

You are right, we need to examine the ciphertext to determine if the differential holds or not, otherwise there is no way to know whether or not it held in the first round too. So there is no way to reduce the probability like I mistakenly said. Anyways, is it true that once we have a sufficient number of "good pairs" we can start key recovery from the first to the last round? That is, by considering the possible pairs of inputs (instead of outputs) to the first (instead of last) sbox layer that produce our desired difference, and deriving key candidates from there? It seems the same to me.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Why does differential cryptanalysis always start from the last round?

TH: เหตุใดการเข้ารหัสแบบดิฟเฟอเรนเชียลจึงเริ่มต้นจากรอบที่แล้วเสมอ

RO: De ce criptoanaliza diferențială începe întotdeauna din ultima rundă?

RU: Почему дифференциальный криптоанализ всегда начинается с последнего раунда?

VI: Tại sao phân tích mật mã vi sai luôn bắt đầu từ vòng cuối cùng?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.