I'm referring to a 2000 paper by J. Kelsey, B. Schneier, D. Wagner and
C. Hall. In Section 6 they work out a Hamming-weight cryptanalysis
against DES. They qualify this as a kind of ciphertext-only attack
One point of the attack which is not clear to me is the following: at
some point (last par. of p. 13), the attacker has to guess the 6 bits
secret key entering the first SBox and then "compute the Hamming
weight of that S-Box's output". This last task, however, would seem to
require knowledge of the first 6 bit of *plaintext* on the part of the
attacker. If this is true, I do not understand in what sense this
attack can be classified as cipertext-only.
Any clarification on this point would be most welcome.