Markov Ciphers and Differential Cryptanalysis

This paper considers the security of iterated block ciphers against the di erential cryptanalysis introduced by Biham and Shamir. Di erential cryptanalysis is a chosen-plaintext attack on secret-key block ciphers that are based on iterating a cryptographically weak function r times (e.g., the 16-round Data Encryption Standard (DES) ). It is shown that the success of such attacks on an r-round cipher depends on the existence of (r-1)-round di erentials that have high probabilities, where an i-round di erential is de ned as a couple ( ; ) such that a pair of distinct plaintexts with di erence can result in a pair of i-th round outputs that have di erence , for an appropriate notion of \di erence". The probabilities of such di erentials can be used to determine a lower bound on the complexity of a di erential cryptanalysis attack and to show when an r-round cipher is not vulnerable to such attacks. The concept of \Markov ciphers" is introduced for iterated ciphers because of its signi cance in di erential cryptanalysis. If an iterated cipher is Markov and its round subkeys are independent, then the sequence of di erences at each round output forms a Markov chain. It follows from a result of Biham and Shamir that DES is a Markov cipher. It is shown that, for the appropriate notion of \di erence", the Proposed Encryption Standard (PES) of Lai and Massey, which is an 8-round iterated cipher, is a Markov cipher, as are also the mini-version of PES with block length 8, 16 and 32 bits. It is shown that PES(8) and PES(16) are immune to di erential cryptanalysis after su ciently many rounds. A detailed cryptanalysis of the full-size PES is given and shows that the very plausibly most probable 7-round di erential has a probability about 2 . A di erential cryptanalysis attack of PES(64) based on this di erential is shown to