## Differential Cryptanalysis

Now, we're finally reaching the point where the block-cipher stuff gets really fun: block cryptanalysis.

As I've explained before, the key properties of a really good encryption system are:

1. It's easy to compute the ciphertext given the plaintext and the key;
2. It's easy to compute the plaintext given the ciphertext and the key;
3. It's hard to compute the plaintext given the ciphertext but not the key;
4. It's hard to compute the key.

That last property is actually a bit of a weasel. There are really a wide variety of attacks that try to crack an encryption system - meaning, basically, to discover the key. What makes that statement of the property so weasely is that it omits the information available to the person trying to crack it. In the first three properties, I clearly stated what information you had available to produce a result. In the last, I didn't.

There's a reason that I weaseled that. Partly, it's because a correct statement of it would be ridiculously long and incomprehensible; and partly because it's often deliberately set up differently for different encryption systems. You can design systems that are extremely strong against certain attacks, but not so good against others. There's no universally ideal encryption system: it's always a matter of tradeoffs, where you can handle some scenarios better than others.

Today we're going to look at one particularly fascinating attack that's used against block ciphers. It's called differential cryptanalysis.

