Solutions_HW4_547 (1)

# If the same 48 bit sub key is used in every round

This preview shows page 1. Sign up to view the full content.

This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: ⊕ K2 . A known plaintext attack can be easily carried on: an eavesdropper that observes the pair ￿(L0 , R0 ), (L16 , R16 )￿ can easily obtain the two “keys” K1 , K2 by XORing R16 with L0 ⊕ R0 and L16 with R0 . Now the adversary knows K1 and K2 and when he will see another ciphertext, he will be able to easily recover the original message (again, by XORing the keys with the ciphertext in the proper way). − (b) We know that the diﬀerence between the computation of DESk and DESk 1 is the order of the sub-keys. If the same 48-bit sub-key is used in every − round, then DESk and DESk 1 are clearly equal. That is, DESk (DESk (m)) = m Thus, an adversary with oracle access can easily distinguish the cipher from a random permutation. In fact, the distinguisher can query the oracles with a random plaintext m. Now, to distinguish which one is the cipher it will be enough to query the oracles on their previous outputs. The one that will output (as its second output) the plaintext m is the cipher. Only with probability 21 , both the oracles will output m. In such a case n it will be enough to repeat the process described above. The adversary wil...
View Full Document

## This document was uploaded on 02/24/2014.

Ask a homework question - tutors are online