This preview shows page 1. Sign up to view the full content.
Unformatted text preview: . Exercise 5.14
Consider a variant of DES where the keyschedule is as follows: the left half of
the master key is used to derive all the subkeys in rounds 18, while the right
half of the master key is used to derive all the subkeys in rounds 916. Let k
be the master key and k1 , k2 respectively the left half and the right half of k .
Then the variant of DES, DES , described above can be formalized as follows:
k
DES (x) = DESk2 (DESk1 (x)),
k
where DESk1 and DESk2 are 8rounds DES with a block length of 64 bits and k1
and k2 being their 28bit master keys. On this modiﬁed scheme, we can ﬁnd an
attack that runs in time roughly 228 . This attack is called “meetinthemiddle
attack”. Suppose that the adversary knows a single plaintext/ciphertext pair
(x, y ), where y = DESk2 (DESk1 (x)). Then the adversary can reason as follows:
1. First, he will set S to be equal to the ∅;
2. For each k1 ∈ {0, 1}28 , compute z := DESk1 (x) and store the pair (z, k1 )
in a list L 1 ;
−
3. For each k2 ∈ {0, 1}28 , compute z := DESk21 (y ) and store the pair (z, k2 )
in a list L ; 4. Then sort L and L by their ﬁrst components;...
View
Full
Document
This document was uploaded on 02/24/2014.
 Spring '12

Click to edit the document details