CSCI 7000 - Crypto Seminar - Spring 2003

Assignment #2

Due: Feb 25th, 2003 at 11am MST

1. Fix some integer n > 0. Let the set A = [0..2^n - 1]. As we know, a function F : A -> A is a permutation if and only if F is one-to-one and onto. A permutation P : A -> A is a bit mixing permutation if and only if for all x in A, P(x) is a reordering of the bits of x. More precisely, if we write out x in binary as b(1) b(2) b(3) ... b(n), then P(x) = b(Q(1)) b(Q(2)) ... b(Q(n)) for some permutation Q : [1..n] -> [1..n].

Prove the following: if P is a bit mixing permutation then for all x and y in A, P(x xor y) = P(x) xor P(y).

2. In class, we discussed the fact that DES implements a tiny fraction of all possible permutations on 64-bit binary strings. Let's model the set of permutations realized by DES as 2^56 distinct permutations, and call this set of permutations D. Now, what is the probability that a randomly-chosen 64-bit permutation (from the space of all possible permutations) is contained in D?

3. This problem has two parts; the first part is the easier.

4. We saw in class that 2^56 DES keys was not enough: specialized hardware could be built which finds the key by exhaustive search in about 35 mins on average (for about $1M US, in 1998). We might attempt to increase the length of the 56-bit DES key by making a new block cipher DES+ with a 120-bit key as follows:

Please argue that DES+ is no better at resisting exhaustive key search attacks than DES was. Argue this by showing an attack which uses around 2^56 DES operations; you may assume you have as many DES+ plaintext-ciphertext pairs as you like.

5. The following problem is very challenging and should not be attempted unless you have successfully completed the 4 preceding problems, are prepared to spend some significant time, and are fairly comfortable with linear algebra.

We have claimed that the design of the S-boxes in DES was very carefully chosen. This exercise shows that not any design will do.

Let's say you have the ability to change the contents of the S-boxes (not the structure, just the numbers inside). Change them to anything you like and call this new cipher WDES (for Weak DES). Then describe a simple attack on WDES which efficiently extracts the key given one known plaintext-ciphertext pair.