Computer Science and Engineering, UCSD
Spring 11
CSE 207:
Modern Cryptography
Instructor:
Mihir Bellare
Problem Set 1
March 28, 2011
Problem Set 1
Due:
Wednesday April 6, 2011, in class.
Problem 1. [30 points]
Let
K
be a 56bit
DES
key, let
L
be a 64bit string, and let
M
be a
64bit plaintext. Let
DESY
(
K
bardbl
L,M
) =
DES
(
K,L
⊕
M
)
DESW
(
K
bardbl
L,M
) =
L
⊕
DES
(
K,M
)
.
This defines block ciphers
DESY
,
DESW
:
{
0
,
1
}
120
×{
0
,
1
}
64
→{
0
,
1
}
64
.
Present the best possible keyrecovery attacks that you can on these block ciphers. Your attacks
should use very few inputoutput examples, not more than three. State the running time of your
attacks.
Problem 2. [50 points]
The goal of a keysearch attack (such as exhaustive key search) is to find
the target key, but, as discussed in the notes and in class, such an attack might find a key that is
consistent with the inputoutput examples but is not the target key. We glossed over this, saying
it “usually” does not happen. This problem gives a sense of how cryptographers arrive at this type
of conclusion and estimate what “usually” means.
We use what is called the
ideal cipher model.
Let
k,n
≥
1 be integers. Let
K
= 2
k
and
N
= 2
n
and
let
T
1
,...,T
K
be some enumeration of the elements of
{
0
,
1
}
k
. We consider a thought experiment
in which a block cipher is chosen at random.
By this we mean that for each key
T
This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document
This is the end of the preview.
Sign up
to
access the rest of the document.
 Winter '08
 daniele
 Computer Science, Cryptography, Block cipher, Adveks, game eks

Click to edit the document details