Differential Cryptanalysis of the full 16-round DES

of n, if p > 2 ?40:2 then the number of analyzed plaintexts is two and the complexity of the data analysis phase is 2 32. However, using about four times as many chosen plaintexts, we can use the clique algorithm (described in 1]) and reduce the time complexity of the data analysis phase to less than a second on a personal computer. The known plaintext attacks need about 2 32 p ?0:5 known plaintexts (in this case the symmetry does not help). The application of the known plaintext attack to eight rounds needs a pool of 2 38:5 known plaintexts. The application to 12 rounds needs a pool of 2 47:2 known plaintexts. The application to 15 rounds needs a pool of 2 55:6 known plaintexts and the application to the full 16-round DES needs a pool of 2 55:1 known plaintexts. This is slightly worse than the 2 55 complexity of exhaustive search (which in the case of a known plaintext attack requires about 2 33 plaintexts in order to generate a complementary pair via the birthday paradox). This speciic attack is not directly applicable to plaintexts consisting solely of ASCII characters since such plaintexts cannot give rise to the desired XOR diierences. By using several other iterative characteristics we can attack the full 16-round DES with a pool of about 2 49 chosen ASCII plaintexts (out of the 2 56 possible ASCII plaintexts).