Differential cryptanalysis is a type of attack that can be mounted on iterative block ciphers. These techniques were first introduced by Murphy [Mur90] in an attack on FEAL-4 (see Question 79), but they were later improved and perfected by Biham and Shamir [BS91a] [BS93b] who used them to attack DES (see Question 64). Differential cryptanalysis is basically a chosen plaintext attack (see Question 63) and relies on an analysis of the evolution of the differences between two related plaintexts as they are encrypted under the same key. By careful analysis of the available data, probabilities can be assigned to each of the possible keys and eventually the most probable key is identified as the correct one.
Differential cryptanalysis has been used against a great many ciphers with varying degrees of success. In attacks against DES, its effectiveness is limited by what was very careful design of the S-boxes during the design of DES in the mid-1970s [Cop92]. Studies on protecting ciphers against differential cryptanalysis have been conducted by Nyberg and Knudsen [NK95] as well as Lai, Massey and Murphy [LMM92]. Differential cryptanalysis has also been useful in attacking other cryptographic algorithms such as hash functions.