A cryptanalytic method of attack called “differential cryptanalysis” is described in this compact but useful book. The attack is applicable to a variety of cryptographic systems, and the book shows how it can be used with full versions and variants of the Data Encryption Standard (DES), FEAL, Khafre, DEDOC-II, REDOC-II, LOKI, and Lucifer, and with the hash functions Snefru and N-Hash. The book is an outgrowth of original research by the authors, the initial results of which were reported at CRYPTO ’90 in Santa Barbara, California.

Differential cryptanalysis is a chosen plaintext attack against an iterated or n-round cryptosystem, that is, a cryptosystem that iterates a given function n times. The method involves analyzing the effect of differences in plaintext pairs on their corresponding ciphertext pairs, where the differences are represented by the exclusive-or (XOR) of the pair. An attack aimed at finding a particular encryption key typically requires obtaining the ciphertext for many plaintext pairs that have the same difference. Ideally, these pairs are explicitly chosen, but they may also be obtained from a sufficiently large pool of known plaintexts. By exploiting the effect of differences in plaintext on the ciphertext, differential cryptanalysis may allow the key to be determined in less time than with exhaustive search over the key space.

The book has nine chapters and two appendices. Chapter1 is an introduction to iterated cryptosystems and methods of attacking them. The summary of attacks against DES and other cryptosystems is informative but not comprehensive. Chapter 2 is a brief summary of the results presented in the remainder of the book. Chapter 3 introduces the basic concepts of differential cryptanalysis, using the DES to illustrate the concepts. Beginning with this chapter, the material becomes more complex and challenging.

Chapter 4 shows how the method can be applied to several variants of the DES, including variants with fewer than 16 rounds and with modified operations and S-boxes. The authors show that most of the variants are vulnerable to differential attacks in less time than with exhaustive search. Chapter 5 describes differential cryptanalysis of the actual DES. The main result is that breaking the DES requires 2 ⁴⁷ chosen plaintexts or 2 ⁵⁵ known plaintexts. Since exhaustive search requires 2 ⁵⁵ encryptions (because of the complementation property of DES, the number of encryptions is reduced by a factor of 2 from 2 ⁵⁶), differential cryptanalysis outperforms exhaustive search for a chosen plaintext attack, though not for a known plaintext attack. Because it could be extremely difficult (if not impossible) for an adversary to obtain the ciphertexts for 2 ⁴⁷ chosen plaintexts, all encrypted under a particular key that was used to encrypt information of interest to the adversary, any differential attack on the DES is primarily theoretical, however.

Chapter 7 shows how differential cryptanalysis can be applied to other iterated cryptosystems, and chapter 8 shows its application to hash functions. Finally, chapter 9 describes some nondifferential attacks on DES with a small number of rounds. The appendices give a description of the DES and the difference distribution tables of the DES S-boxes, respectively.

Differential cryptanalysis is a powerful method of attack that has revealed weaknesses in several encryption algorithms. Thus, this book should be of interest to anyone who is engaged in the development or analysis of cryptosystems, as well as to those who simply enjoy the intellectual aspect of cryptography. The book is instructive, giving enough details to implement the attacks.