#### CSCI 4830 - Network Security - Fall 2003

### Problem Set #2

#### Due: Oct 7th, 2003

Remember, this homework is not for turning in and it won't be graded. But
you should definitely do it because the quizzes will typically depend on
having solved the homework problems. On the "due" date listed above, I
will hand out solutions.

1. In the beginning of the class we said that the substitution cipher was
vulnerable to even ct-only attacks (assuming we know the underlying plaintext
is English) because we can use statistical attacks based on letter frequencies.
Why doesn't this work with DES in ECB mode?

2. Suppose we had a DES key K1 of 56 bits. We then generate 160-bits by
computing S=SHA1(K1), and then take K2 as the 56 least-significant bits of S.
Now we build double DES as C=DES_{K2}(DES_{K1}(P)) where
P is the plaintext and C is the resulting ciphertext. What is the most
efficient attack you can think of (in terms of both time and space)?
You can assume you have a sufficient number of pt/ct pairs.

3. We saw in class that 2^{56} DES keys was not enough:
specialized hardware could be built which finds the key by exhaustive
search in about 35 mins on average (for about $1M US, in 1998).
We might attempt to increase the length of the 56-bit DES key
by making a new block cipher DES+ with a 120-bit key as follows:

- Take the 120-bit key K and break into two strings: a 56-bit subkey K1,
and a 64-bit subkey K2.
- To encipher any 64-bit input block M, compute DES(K1, M xor K2) and output
the result
- To decipher any 64-bit ciphertext block C, compute
K2 xor DES
^{-1}(K1, C) and output the result

Please argue that DES+ is no better at resisting exhaustive key search
attacks than DES was. Argue this by showing an attack which uses
around 2^{56} DES operations; you may assume you have as many
DES+ plaintext-ciphertext pairs as you like.
4. Text problem 3.7.4 (pg 92)

**Extra Credit**
In section 4.3.5 of your text, OCB mode is mentioned. Of the five inventors
of this mode, who is the smartest?