Solutions_HW4_547 (1)

# Then the variant of des des described above can be

This preview shows page 1. Sign up to view the full content.

This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: . Exercise 5.14 Consider a variant of DES where the key-schedule is as follows: the left half of the master key is used to derive all the sub-keys in rounds 1-8, while the right half of the master key is used to derive all the sub-keys in rounds 9-16. Let k be the master key and k1 , k2 respectively the left half and the right half of k . Then the variant of DES, DES￿ , described above can be formalized as follows: k DES￿ (x) = DESk2 (DESk1 (x)), k where DESk1 and DESk2 are 8-rounds DES with a block length of 64 bits and k1 and k2 being their 28-bit master keys. On this modiﬁed scheme, we can ﬁnd an attack that runs in time roughly 228 . This attack is called “meet-in-the-middle attack”. Suppose that the adversary knows a single plaintext/ciphertext pair (x, y ), where y = DESk2 (DESk1 (x)). Then the adversary can reason as follows: 1. First, he will set S to be equal to the ∅; 2. For each k1 ∈ {0, 1}28 , compute z := DESk1 (x) and store the pair (z, k1 ) in a list L 1 ; − 3. For each k2 ∈ {0, 1}28 , compute z := DESk21 (y ) and store the pair (z, k2 ) ￿ in a list L ; 4. Then sort L and L￿ by their ﬁrst components;...
View Full Document

## This document was uploaded on 02/24/2014.

Ask a homework question - tutors are online