$\oplus K_2$.
A known-plaintext attack is easy to carry out: an eavesdropper who
observes the pair $(L_0, R_0)$, $(L_{16}, R_{16})$ can easily obtain the two "keys" $K_1$,
$K_2$ by XORing $R_{16}$ with $L_0 \oplus R_0$ and $L_{16}$ with $R_0$. The adversary now
knows $K_1$ and $K_2$, and when he sees another ciphertext he will be able
to easily recover the original message (again, by XORing the keys with
the ciphertext in the proper way).
(b) We know that the difference between the computation of $DES_k$ and $DES_k^{-1}$
is the order of the subkeys. If the same 48-bit subkey is used in every
round, then $DES_k$ and $DES_k^{-1}$ are clearly equal. That is, $DES_k(DES_k(m)) = m$.
Thus, an adversary with oracle access can easily distinguish the cipher
from a random permutation. In fact, the distinguisher can query the
oracles with a random plaintext $m$. Now, to distinguish which one is the
cipher it will be enough to query the oracles on their previous outputs. The
one that will output (as its second output) the plaintext $m$ is the cipher.
Only with probability $\frac{1}{2^n}$ will both oracles output $m$. In such a case
it will be enough to repeat the process described above. The adversary
wil...
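
An added example, not part of the original solution: a toy 16-round Feistel network showing that repeating one 48-bit subkey in every round makes the cipher its own inverse, and the two-query distinguisher from part (b) run against a lazily sampled random permutation. The round function is a SHA-256 stand-in rather than DES's f, the initial and final permutations are omitted, and all names and keys are constructed for illustration.

```python
import hashlib
import random

ROUNDS = 16
MASK32 = 0xFFFFFFFF

def round_fn(half, subkey):
    # Stand-in round function (assumption): SHA-256 based, not DES's f.
    digest = hashlib.sha256(half.to_bytes(4, "big") + subkey).digest()
    return int.from_bytes(digest[:4], "big")

def feistel(block, subkeys):
    # 64-bit block, 32-bit halves; decryption is this routine with subkeys reversed.
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ round_fn(right, k)
    return (right << 32) | left  # halves swapped back after the last round, as in DES

class RandomPermutation:
    # Lazily sampled random permutation on 64-bit blocks.
    def __init__(self, rng):
        self.rng, self.table, self.used = rng, {}, set()

    def __call__(self, block):
        if block not in self.table:
            out = self.rng.getrandbits(64)
            while out in self.used:  # keep the mapping injective
                out = self.rng.getrandbits(64)
            self.table[block] = out
            self.used.add(out)
        return self.table[block]

def looks_like_cipher(oracle, rng):
    # Query a random m, then query the oracle on its own previous output.
    m = rng.getrandbits(64)
    return oracle(oracle(m)) == m

def demo(seed=2014):
    rng = random.Random(seed)  # constructed sample keys, fixed seed for repeatability
    same = [rng.getrandbits(48).to_bytes(6, "big")] * ROUNDS
    distinct = [rng.getrandbits(48).to_bytes(6, "big") for _ in range(ROUNDS)]
    return {
        "same_subkey": looks_like_cipher(lambda b: feistel(b, same), rng),
        "distinct_subkeys": looks_like_cipher(lambda b: feistel(b, distinct), rng),
        "random_permutation": looks_like_cipher(RandomPermutation(rng), rng),
    }

if __name__ == "__main__":
    print(demo())
```

Only the repeated-subkey cipher returns the original plaintext on the second query; with distinct round subkeys the same test fails, which is why a proper key schedule matters here.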
This document was uploaded on 02/24/2014.
 Spring '12