From: newbie on
Hello,

I'm referring to a 2000 paper by J. Kelsey, B. Schneier, D. Wagner and
C. Hall. In Section 6 they work out a Hamming-weight cryptanalysis
against DES. They qualify this as a kind of ciphertext-only attack
(2nd paragraph).

One point of the attack that is not clear to me is the following: at
some point (last par. of p. 13), the attacker has to guess the 6 bits
secret key entering the first SBox and then "compute the Hamming
weight of that S-Box's output". This last task, however, would seem to
require knowledge of the first 6 bit of *plaintext* on the part of the
attacker. If this is true, I do not understand in what sense this
attack can be classified as cipertext-only.

Any clarification on this point would be greatly appreciated.

Best,
MB
From: Tom St Denis on
On Jul 9, 1:01 pm, newbie <mbore...(a)gmail.com> wrote:
> Hello,
>
> I'm referring to a 2000 paper by J. Kelsey, B. Schneier, D. Wagner and
> C. Hall. In Section 6 they work out a Hamming-weight cryptanalysis
> against DES. They qualify this as a kind of ciphertext-only attack
> (2nd paragraph).
>
> One point of the attack that is not clear to me is the following: at
> some point (last par. of p. 13), the attacker has to guess the 6 bits
> secret key entering the first SBox  and then "compute the Hamming
> weight of that S-Box's output". This last task, however, would seem to
> require knowledge of the first 6 bit of *plaintext* on the part of the
> attacker. If this is true, I do not understand in what sense this
> attack can be classified as cipertext-only.
>
> Any clarification on this point would be greatly appreciated.

If you guess 6 bits of key then since the key is just XOR'ed against
the ciphertext inside the round function you know the plaintext.

Tom
From: newbie on
On 9 Lug, 19:33, Tom St Denis <t...(a)iahu.ca> wrote:
> On Jul 9, 1:01 pm, newbie <mbore...(a)gmail.com> wrote:
>
>
>
> > Hello,
>
> > I'm referring to a 2000 paper by J. Kelsey, B. Schneier, D. Wagner and
> > C. Hall. In Section 6 they work out a Hamming-weight cryptanalysis
> > against DES. They qualify this as a kind of ciphertext-only attack
> > (2nd paragraph).
>
> > One point of the attack that is not clear to me is the following: at
> > some point (last par. of p. 13), the attacker has to guess the 6 bits
> > secret key entering the first SBox  and then "compute the Hamming
> > weight of that S-Box's output". This last task, however, would seem to
> > require knowledge of the first 6 bit of *plaintext* on the part of the
> > attacker. If this is true, I do not understand in what sense this
> > attack can be classified as cipertext-only.
>
> > Any clarification on this point would be greatly appreciated.
>
> If you guess 6 bits of key then since the key is just XOR'ed against
> the ciphertext inside the round function you know the plaintext.
>
> Tom

That would be true if you were given access to that "ciphertext" --
the 6 bits coming from the right half of the output of the last
previous round. But this is not implied by the model: all the attacker
can see is the Hamming weight of the F-function's output in the last
round (disturbed by some noise). So my doubt still stands.

MB

 | 
Pages: 1
Prev: sci.crypt kill file : help
Next: Mutual Databases.