Field Guide · term

Also known as: differential cryptanalysis

Differential cryptanalysis examines how a fixed difference between two plaintexts propagates through a cipher to a difference between their ciphertexts [1]. Because the absolute values cancel, the propagation isolates the cipher’s nonlinear behavior; non-uniform (“biased”) propagation leaks structure and, ultimately, key bits. It was introduced publicly by Eli Biham and Adi Shamir around 1990.

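[Figure: a plaintext pair P, P′ with input difference Δin passes through the cipher and yields the ciphertext pair C, C′ with output difference Δout.]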
Holding everything fixed but one difference makes the output difference depend only on how the cipher treats that change.

How it works

The analyst collects pairs that differ in exactly one position — adjacent lengths, a single changed character, or a one-bit flip — and tabulates the resulting output differences. If a particular input difference maps to a particular output difference far more often than chance, that “differential characteristic” constrains the internal transform and can be propagated to recover round keys or table entries. It is most powerful in the chosen-plaintext setting, where the analyst can manufacture the exact pairs needed, but useful minimal pairs sometimes occur in a passive known-plaintext corpus.

Relevance to SDR

Naturally occurring minimal pairs help reverse-engineer an obfuscation. In GopherTrunk’s clean-room analysis of the Motorola P25 talker-alias scheme (issue #773), same-length aliases that shared a prefix but differed later showed that one character change perturbs all downstream ciphertext — direct evidence the encoder carries feedback state — and the same alias seen under two radio IDs, differing only in a trailing CRC, exposed the framing.
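The minimal-pair tabulation from "How it works", applied to the feedback-state question above, as an added example that is not GopherTrunk's code and does not model the P25 scheme. `toy_stateless` and `toy_feedback` are constructed stand-in encoders, the sample strings are constructed, and ciphertext is assumed to have the same length as plaintext.

```python
from itertools import combinations

def toy_stateless(msg, pad=b"\x5a\xc3\x19\x7e"):
    # Constructed toy: XOR with a repeating pad; no state carried between bytes.
    return bytes(b ^ pad[i % len(pad)] for i, b in enumerate(msg))

def toy_feedback(msg, state=0xA7):
    # Constructed toy: each output byte is mixed with the previous output byte.
    out = []
    for b in msg:
        state = ((b ^ state) * 167 + 13) & 0xFF  # odd multiplier: bijection on bytes
        out.append(state)
    return bytes(out)

def minimal_pairs(corpus):
    # Same-length plaintexts that differ in exactly one position.
    for (pa, ca), (pb, cb) in combinations(corpus, 2):
        if len(pa) == len(pb):
            diff = [i for i, (x, y) in enumerate(zip(pa, pb)) if x != y]
            if len(diff) == 1:
                yield diff[0], ca, cb

def classify(corpus):
    # Tabulate where each minimal pair's ciphertexts differ.
    local = downstream = 0
    for pos, ca, cb in minimal_pairs(corpus):
        if pos == len(ca) - 1:
            continue  # a change in the last position cannot show propagation
        changed = {i for i, (x, y) in enumerate(zip(ca, cb)) if x != y}
        if changed == {pos}:
            local += 1        # difference stays where the plaintext changed
        elif changed == set(range(pos, len(ca))):
            downstream += 1   # difference spreads to every later position
    if downstream and not local:
        verdict = "feedback"
    elif local and not downstream:
        verdict = "stateless"
    else:
        verdict = "inconclusive"
    return verdict, local, downstream

# Constructed sample plaintexts (not real aliases or captured traffic).
SAMPLES = [b"ENGINE 41", b"ENGINE 42", b"MEDIC 07A", b"MEDIC 17A",
           b"TRUCK 9 N", b"TRACK 9 N"]

def observe(encoder):
    return [(p, encoder(p)) for p in SAMPLES]

if __name__ == "__main__":
    for enc in (toy_stateless, toy_feedback):
        print(enc.__name__, classify(observe(enc)))
```

The pair that differs only in its final character is skipped because both encoder types would produce the same single-byte difference there, so it cannot distinguish them.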

Sources

  1. Differential cryptanalysis — Wikipedia, for input/output differences and the Biham–Shamir origin. 
