How do we find differentials in differential cryptanalysis when we don't the details about the S-boxes

Question

I m new to cryptanalysis and trying to understand differential cryptanalysis. I have read the paper by Howard M. Heys. I understood the concept of differentials but I m not able to understand how to calculate the probability of a differential to occur when we don't know any information regarding the S-boxes.

It is given that, we give 2 inputs with a difference of say, x to an S-box and get outputs of difference y and in this way, we calculate the probabilities of all the differentials possible.

• But in general, the details of the S-boxes of a cipher are not disclosed (as far as I know, pls correct me if I m wrong), so how do we calculate these probabilities for each S-box?

• Can we somehow use differential cryptanalysis even if we don't know the details of S-boxes used in the cipher?

Answer 1

In Cryptography we play with the Kerckhoffs's principles, in short, we can say that everything is known but not the secret key.

$$\text{There is no security with obscurity!}$$

Therefore;

The details of the S-boxes of a cipher are not disclosed

This is completely false. The designers don't need to give the full details of their s-boxes, however, usually, they provide, as we see in the AES case;

• The Design of Rijndael: The Advanced Encryption Standard (AES)

It is the attacker side to analyze even more than the designer to see a weakness in their design, or one may see errors on the calculations and provide the correct one, as in OCB2, the history full of examples.

Can we somehow use differential cryptanalysis even if we don't know the details of S-boxes used in the cipher?

Yes, that is possible, however, that will be impractical and will not provide a better attack than the bruteforce ( since it is a blackbox).

For the beginners of Differential and Linear attack a tutorial and a book is a must;

• A Tutorial on Linear and Differential Cryptanalysis, by Howard M. Heys

• The Block Cipher Companion book by Lars R. KnudsenMatthew and J.B. Robshaw

The Sbox package of the SageMath is the helper to analyze the S-Boxes.

And, if you want to study this field, always read the original paper, too;

• Linear Cryptanalysis Method for DES Cipher, Matsui, 1994
• Differential Cryptanalysis of DES-like Cryptosystems, E. Biham and A. Shamir, 1991

Answer 2

There's an interesting case study here with the AES finalist Twofish. Twofish uses key dependent S-boxes and so we do not know the S-boxes, only their means of construction. Nevertheless several papers have proposed differential attacks on the design (Murphy and Robshaw, Shiho Moriai and Yiun Lisa Yin, Ferguson).