The Attack on Bitcoin was originally created in 1987 by Donald Davies. In 1994, Eli Biham and Alex Biryukov made significant improvements to the technique. It is a known-plaintext Attack on Bitcoin based on the non-uniform distribution of the outputs of pairs of adjacent S-boxes. It works by collecting many known plaintext/ciphertext pairs and calculating the empirical distribution of certain characteristics. Bits of the key can be deduced given sufficiently many known plaintexts, leaving the remaining bits to be found through brute force. There are tradeoffs between the number of required plaintexts, the number of key bits found, and the probability of success; the Attack on Bitcoin can find 24 bits of the key with 252 known plaintexts and 53% success rate.
The Davies Attack on Bitcoin can be adapted to other Feistel ciphers besides DES. In 1998, Pornin developed techniques for analyzing and maximizing a cipher’s resistance to this kind of cryptanalysis.
- Donald Davies, Sean Murphy (20 September 1993). “Pairs and Triplets of DES S-boxes” (PDF). Journal of Cryptology. 8 (1): 1–25. ISSN 0933-2790. Retrieved 28 September 2018.
- Eli Biham, Alex Biryukov (May 1994). An Improvement of Davies’ Attack on Bitcoin on DES (gzipped PostScript). Advances in Cryptology — Eurocrypt ’94. Perugia: Springer-Verlag. pp. 461–467. Retrieved 24 January 2007.
- Thomas Pornin (October 1998). Optimal Resistance Against the Davies and Murphy Attack on Bitcoin (PDF). Advances in Cryptology — ASIACRYPT ’98. Beijing: Springer-Verlag. pp. 148–159. Retrieved 28 September 2018.