---

DES, the Data Encryption Standard, is the best known and most widely used civilian cryptosystem. It was developed by IBM and adopted as a US national standard in the mid 1970`s, and had resisted all attacks in the last 15 years. This book presents the first successful attack which can break the full 16 round DES faster than via exhaustive search. It describes in full detail, the novel technique of Differential Cryptanalysis, and demonstrates its applicability to a wide variety of cryptosystems and hash functions, including FEAL, Khafre, REDOC-II, LOKI, Lucifer, Snefru, N-Hash, and many modified versions of DES. The methodology used offers valuable insights to anyone interested in data security and cryptography, and points out the intricacies of developing, evaluating, testing, and implementing such schemes. This book was written by two of the field`s leading researchers, and describes state-of-the-art research in a clear and completely contained manner.

---

1 Introduction.- 2 Results.- 3 Introduction to Differential Cryptanalysis.- 3.1 Notations and Definitions.- 3.2 Overview.- 3.3 Characteristics.- 3.4 The Signal to Noise Ratio.- 3.5 Known Plaintext Attacks.- 3.6 Structures.- 4 Differential Cryptanalysis of DES Variants.- 4.1 DES Reduced to Four Rounds.- 4.2 DES Reduced to Six Rounds.- 4.3 DES Reduced to Eight Rounds.- 4.3.1 Enhanced Characteristic´s Probability.- 4.3.2 Extension to Nine Rounds.- 4.4 DES with an Arbitrary Number of Rounds.- 4.4.1 3R-Attacks.- 4.4.2 2R-Attacks.- 4.4.3 1R-Attacks.- 4.4.4 Summary.- 4.4.5 Enhanced Characteristic´s Probability.- 4.5 Modified Variants of DES.- 4.5.1 Modifying the P Permutation.- 4.5.2 Modifying the Order of the S Boxes.- 4.5.3 Replacing XORs by Additions.- 4.5.3.1 Replacing the XORs Within the F Function.- 4.5.3.2 Replacing All the XORs.- 4.5.3.3 Replacing All the XORs in an Equivalent DES Description.- 4.5.4 Random and Modified S Boxes.- 4.5.5 S Boxes with Uniform Difference Distribution Tables.- 4.5.6 Eliminating the E Expansion.- 4.5.7 Replacing the Order of the E Expansion and the XOR with the Subkeys.- 4.6 DES with Independent Keys.- 4.6.1 Eight Rounds.- 4.6.2 Sixteen Rounds.- 4.7 The Generalized DES Scheme (GDES).- 4.7.1 GDES Properties.- 4.7.2 Cryptanalysis of GDES.- 4.7.2.1 A Known Plaintext Attack for n = q.- 4.7.2.2 A Second Known Plaintext Attack for n = q.- 4.7.2.3 A Chosen Plaintext Attack for n = 2q ? 1.- 4.7.2.4 A Chosen Plaintext Attack for n = 3q ? 2.- 4.7.2.5 A Chosen Plaintext Attack for n = lq ? 1.- 4.7.2.6 The Actual Attack on the Recommended Variant.- 4.7.2.7 Summary.- 5 Differential Cryptanalysis of the Full 16-Round DES.- 5.1 Variants of the Attack.- 6 Differential Cryptanalysis of FEAL.- 6.1 Cryptanalysis of FEAL-8.- 6.1.1 Reducing FEAL-8 to Seven Rounds.- 6.1.2 Reducing the Seven-Round Cryptosystem to Six Rounds.- 6.1.3 Reducing the Cryptosystem to 5, 4, 3, 2 and 1 Rounds.- 6.1.4 Calculating the Key Itself.- 6.1.5 Summary.- 6.2 Cryptanalysis of FEAL-N and FEAL-NX with N ? 31 Rounds.- 6.3 Other Properties of FEAL.- 7 Differential Cryptanalysis of Other Cryptosystems.- 7.1 Cryptanalysis of Khafre.- 7.2 Cryptanalysis of REDOC-II.- 7.3 Cryptanalysis of LOKI.- 7.4 Cryptanalysis of Lucifer.- 7.4.1 First Attack.- 7.4.2 Second Attack.- 8 Differential Cryptanalysis of Hash Functions.- 8.1 Cryptanalysis of Snefru.- 8.2 Cryptanalysis of N-Hash.- 9 Non-Differential Cryptanalysis of DES with a Small Number of Rounds.- 9.1 Ciphertext Only Attacks.- 9.1.1 A Three-Round Attack.- 9.1.2 Another Three-Round Attack.- 9.1.3 A Four-Round Attack.- 9.2 Known Plaintext Attacks.- 9.2.1 A Three-Round Attack.- 9.3 Statistical Known Plaintext Attacks.- 9.3.1 A Three-Round Attack.- 9.3.2 A Four-Round Attack.- 9.3.3 A Five-Round Attack.- 9.3.4 A Six-Round Attack.- A Description of DES.- A.1 The Key Scheduling Algorithm.- A.2 DES Modes of Operation.- B The Difference Distribution Tables of DES.

---