Davies attack


In cryptography, the Davies attack is a dedicated statistical cryptanalysis method for attacking the Data Encryption Standard (DES). The attack was originally created in 1987 by Donald Davies. In 1994, Eli Biham and Alex Biryukov made significant improvements to the technique. It is a known-plaintext attack based on the non-uniform distribution of the outputs of pairs of adjacent S-boxes. It works by collecting many known plaintext/ciphertext pairs and calculating the empirical distribution of certain characteristics. Bits of the key can be deduced given sufficiently many known plaintexts, leaving the remaining bits to be found through brute force. There are tradeoffs between the number of required plaintexts, the number of key bits found, and the probability of success; the attack can find 24 bits of the key with 2^52 known plaintexts and a 53% success rate.
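The non-uniformity can be seen directly for one adjacent pair, S1 and S2. The following is an added example, not part of the original article: it counts the joint outputs of the two S-boxes over every data value, using the fact (not spelled out above) that the DES expansion feeds the same two data bits to the end of S1's input and the start of S2's input. The tables are the standard DES S1 and S2; the function names and the parameter delta (the XOR of the round-key bits at the shared positions) are chosen here for illustration.

```python
from collections import Counter

# Standard DES S-boxes S1 and S2 (4 rows x 16 columns each).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
S2 = [
    [15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
    [3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
    [0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
    [13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9],
]

def sbox(table, x):
    """Apply a DES S-box to a 6-bit input: outer bits pick the row, middle four the column."""
    row = ((x >> 4) & 2) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]

def joint_counts(delta):
    """Exact counts of (S1 output, S2 output) over all 2^10 data values.

    After the round key is XORed in, the last two input bits of S1 and the
    first two input bits of S2 differ by `delta` (0..3), the XOR of the
    key bits at those shared positions.
    """
    counts = Counter()
    for a in range(64):                  # S1 input after key XOR
        shared = (a & 3) ^ delta         # forced first two bits of S2 input
        for low in range(16):            # remaining four bits of S2 input
            b = (shared << 4) | low
            counts[(sbox(S1, a), sbox(S2, b))] += 1
    return counts

def chi_square(counts):
    """Deviation of the 256-cell joint distribution from uniform (4 per cell)."""
    expected = 1024 / 256
    return sum((counts[(y1, y2)] - expected) ** 2 / expected
               for y1 in range(16) for y2 in range(16))

if __name__ == "__main__":
    for delta in range(4):
        c = joint_counts(delta)
        print(delta, c[(14, 15)], round(chi_square(c), 2))
```

A uniform distribution would give every output pair a count of 4; the counts instead vary with delta, which is the key-dependent bias the attack accumulates over many known plaintexts.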

The Davies attack can be adapted to other Feistel ciphers besides DES. In 1998, Pornin developed techniques for analyzing and maximizing a cipher's resistance to this kind of cryptanalysis.


  • Donald Davies, Sean Murphy (20 September 1993). "Pairs and Triplets of DES S-boxes" (PDF). Journal of Cryptology. 8 (1): 1–25. ISSN 0933-2790. Retrieved 28 September 2018.
  • Eli Biham, Alex Biryukov (May 1994). An Improvement of Davies' Attack on DES (gzipped PostScript). Advances in Cryptology – Eurocrypt '94. Perugia: Springer-Verlag. pp. 461–467. Retrieved 24 January 2007.
  • Thomas Pornin (October 1998). Optimal Resistance Against the Davies and Murphy Attack (PDF). Advances in Cryptology – ASIACRYPT '98. Beijing: Springer-Verlag. pp. 148–159. Retrieved 28 September 2018.