$\oplus K_2$.
A known-plaintext attack is easy to carry out: an eavesdropper who
observes the pair $(L_0, R_0)$, $(L_{16}, R_{16})$ can obtain the two "keys" $K_1$,
$K_2$ by XORing $R_{16}$ with $L_0 \oplus R_0$ and $L_{16}$ with $R_0$. The adversary
now knows $K_1$ and $K_2$, and on seeing another ciphertext he will be able
to easily recover the original message (again, by XORing the keys with
the ciphertext in the proper way).
(b) We know that the difference between the computation of $DES_k$ and $DES_k^{-1}$
is the order of the sub-keys. If the same 48-bit sub-key is used in every
round, then $DES_k$ and $DES_k^{-1}$ are clearly equal. That is, $DES_k(DES_k(m)) = m$.
Thus, an adversary with oracle access can easily distinguish the cipher
from a random permutation. The distinguisher first queries the
oracles with a random plaintext $m$. To tell which one is the
cipher, it is then enough to query each oracle on its own previous output. The
one that outputs (as its second output) the plaintext $m$ is the cipher.
Only with probability 21 , both the oracles will output m. In such a case
it will be enough to repeat the process described above. The adversary
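
The distinguisher from part (b), as an added example that is not part of the original solution. It assumes a DES-shaped 16-round Feistel network in which a SHA-256-based function stands in for the DES round function and the initial and final permutations are omitted (neither affects the property); all function names are hypothetical.

```python
import hashlib
import secrets

MASK32 = 0xFFFFFFFF

def round_f(half, subkey):
    # Stand-in for the DES round function f (assumption): the involution
    # property below holds for any round function.
    digest = hashlib.sha256(subkey + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def feistel(block, subkeys):
    """DES-shaped Feistel network on a 64-bit block; output is (R16, L16)."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ round_f(right, k)
    return (right << 32) | left  # final swap of the halves, as in DES

def weak_cipher(key48):
    """Cipher from part (b): the same 48-bit sub-key in all 16 rounds."""
    return lambda m: feistel(m, [key48] * 16)

def random_permutation():
    """Lazily sampled random permutation on 64-bit blocks."""
    table, used = {}, set()
    def oracle(m):
        if m not in table:
            c = secrets.randbits(64)
            while c in used:          # keep the mapping injective
                c = secrets.randbits(64)
            table[m] = c
            used.add(c)
        return table[m]
    return oracle

def distinguish(oracle_a, oracle_b):
    """Return 'a' or 'b' for whichever oracle is the cipher.

    Assumes exactly one of the two oracles is the weak cipher.
    """
    while True:
        m = secrets.randbits(64)
        back_a = oracle_a(oracle_a(m)) == m   # second output equals m?
        back_b = oracle_b(oracle_b(m)) == m
        if back_a != back_b:
            return "a" if back_a else "b"
        # Both returned m (negligible coincidence): repeat with a fresh m.
```
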
This document was uploaded on 02/24/2014.
- Spring '12