### Problem Set #2

#### Due: Oct 7th, 2003

Remember, this homework is not for turning in and it won't be graded. But you should definitely do it because the quizzes will typically depend on having solved the homework problems. On the "due" date listed above, I will hand out solutions.

1. In the beginning of the class we said that the substitution cipher was vulnerable to even ct-only attacks (assuming we know the underlying plaintext is English) because we can use statistical attacks based on letter frequencies. Why doesn't this work with DES in ECB mode?

2. Suppose we had a DES key K1 of 56 bits. We then generate 160 bits by computing S=SHA1(K1), and then take K2 as the 56 least-significant bits of S. Now we build double DES as $C = \mathrm{DES}_{K2}(\mathrm{DES}_{K1}(P))$ where P is the plaintext and C is the resulting ciphertext. What is the most efficient attack you can think of (in terms of both time and space)? You can assume you have a sufficient number of pt/ct pairs.

3. We saw in class that $2^{56}$ DES keys was not enough: specialized hardware could be built which finds the key by exhaustive search in about 35 mins on average (for about \$1M US, in 1998). We might attempt to increase the length of the 56-bit DES key by making a new block cipher DES+ with a 120-bit key as follows:

• Take the 120-bit key K and break it into two strings: a 56-bit subkey K1, and a 64-bit subkey K2.
• To encipher any 64-bit input block M, compute DES(K1, M xor K2) and output the result.
• To decipher any 64-bit ciphertext block C, compute K2 xor $\mathrm{DES}^{-1}$(K1, C) and output the result.

Please argue that DES+ is no better at resisting exhaustive key search attacks than DES was. Argue this by showing an attack which uses around $2^{56}$ DES operations; you may assume you have as many DES+ plaintext-ciphertext pairs as you like.

4. Text problem 3.7.4 (pg 92)

Extra Credit

In section 4.3.5 of your text, OCB mode is mentioned. Of the five inventors of this mode, who is the smartest?