#### CSCI 7000 - Crypto Seminar - Spring 2003

### Assignment #2

##### Due: Feb 25th, 2003 at 11am MST

1. Fix some integer n > 0. Let the set A = [0..2^{n} - 1].
As we know, a function F : A -> A is a **permutation** if and only if
F is one-to-one and onto. A permutation P : A -> A is a **bit mixing
permutation** if and only if for all x in A, P(x) is a reordering of the
bits of x. More precisely, if we write out x in binary as
b(1) b(2) b(3) ... b(n), then P(x) = b(Q(1)) b(Q(2)) ... b(Q(n)) for
some permutation Q : [1..n] -> [1..n].
Prove the following: if P is a bit mixing permutation then
for all x and y in A, P(x xor y) = P(x) xor P(y).

2. In class, we discussed the fact that DES implements a tiny fraction
of all possible permutations on 64-bit binary strings. Let's model the
set of permutations realized by DES as 2^{56} distinct permutations,
and call this set of permutations D. Now, what is the probability that
a randomly-chosen 64-bit permutation (from the space of all possible
permutations) is contained in D?

3. This problem has two parts; the first part is the easier.

- Define c(x) as the one's complement of x.
Prove that for all 56-bit keys K and all 64-bit
inputs X, we have that DES(K, X) = c(DES(c(K),c(X))).
- Describe an attack on DES that uses this property to cut down the
number of keys we have to try when exhaustively searching the keyspace.

4. We saw in class that 2^{56} DES keys were not enough:
specialized hardware could be built which finds the key by exhaustive
search in about 35 mins on average (for about $1M US, in 1998).
We might attempt to increase the length of the 56-bit DES key
by making a new block cipher DES+ with a 120-bit key as follows:

- Take the 120-bit key K and break it into two strings: a 56-bit subkey K1,
and a 64-bit subkey K2.
- To encipher any 64-bit input block M, compute DES(K1, M xor K2) and output the result.
- To decipher any 64-bit ciphertext block C, compute
K2 xor DES^{-1}(K1, C) and output the result.

Please argue that DES+ is no better at resisting exhaustive key search
attacks than DES was. Argue this by showing an attack which uses
around 2^{56} DES operations; you may assume you have as many
DES+ plaintext-ciphertext pairs as you like.

5. The following problem is **very** challenging and should not be
attempted unless you have successfully completed the 4 preceding
problems and you are prepared to spend some significant time and are
fairly comfortable with linear algebra.

We have claimed that the design of the S-boxes in DES was
very carefully chosen. This exercise shows that not just any design will do.

Let's say you have the ability to change the contents of the S-boxes (not
the structure, just the numbers inside). Change them to anything you
like and call this new cipher WDES (for Weak DES). Then describe a
simple attack on WDES which efficiently
extracts the key given one known plaintext-ciphertext pair.
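
The definition in problem 1 can be checked by machine for small n: the Python below is an added example, not part of the original assignment, that builds P from Q as defined there, tests the XOR identity exhaustively, and contrasts P with a permutation that is not bit mixing (an exhaustive check is not the proof the problem asks for). The sample Q, the sizes n = 6 and n = 4, and all function names are assumptions made for illustration.

```python
from itertools import permutations

def bit_mix(x, q, n):
    """P(x) = b(Q(1)) b(Q(2)) ... b(Q(n)), where b(1) is the most significant bit of x."""
    bits = [(x >> (n - i)) & 1 for i in range(1, n + 1)]  # bits[i-1] == b(i)
    out = 0
    for i in range(1, n + 1):
        out = (out << 1) | bits[q[i - 1] - 1]  # output position i receives b(Q(i))
    return out

def is_permutation(f, n):
    """True if f is one-to-one and onto on A = [0..2^n - 1]."""
    return sorted(f(x) for x in range(1 << n)) == list(range(1 << n))

def xor_counterexample(f, n):
    """Return the first (x, y) with f(x xor y) != f(x) xor f(y), or None if none exists."""
    for x in range(1 << n):
        for y in range(1 << n):
            if f(x ^ y) != f(x) ^ f(y):
                return (x, y)
    return None

def holds_for_every_q(n):
    """Check the identity for all n! choices of Q (only feasible for small n)."""
    return all(
        xor_counterexample(lambda x, q=q: bit_mix(x, q, n), n) is None
        for q in permutations(range(1, n + 1))
    )

N = 6
Q = [3, 1, 6, 2, 5, 4]  # constructed sample permutation of [1..6]

def P(x):
    return bit_mix(x, Q, N)

def add_one(x):
    """A permutation of A that is not a reordering of bits."""
    return (x + 1) % (1 << N)

if __name__ == "__main__":
    print("P is a permutation:", is_permutation(P, N))
    print("P counterexample:", xor_counterexample(P, N))
    print("add_one is a permutation:", is_permutation(add_one, N))
    print("add_one counterexample:", xor_counterexample(add_one, N))
    print("identity holds for every Q, n = 4:", holds_for_every_q(4))
```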