1. Fix some integer n > 0. Let the set A = [0..2

Prove the following: if P is a bit mixing permutation then for all x and y in A, P(x xor y) = P(x) xor P(y).

2. Give an example of a permutation that does not have the property of problem #1. That is, a permutation P where P(x xor y) ≠ P(x) xor P(y).

3. In class, we discussed the fact that DES implements a tiny fraction
of all possible permutations on 64-bit binary strings. Let's model the
set of permutations realized by DES as 2^{56} distinct permutations,
and call this set of permutations D. Now, what is the probability that
a randomly-chosen 64-bit permutation (from the space of all possible
permutations) is contained in D?

4. This problem has two parts; the first part is the easier.

- Define c(x) as the one's complement of x. Prove that for all 56-bit keys K and all 64-bit inputs X, we have that DES(K, X) = c(DES(c(K),c(X))).
- Describe an attack on DES that uses this property to cut down the number of keys we have to try when exhaustively searching the keyspace.

5. Feel free to use hwdes.c for this problem. We will use the differential given in class (Fig 3.10 of Stinson). In particular, use the following pairs (by adding this code to hwdes.c):

int pairs[][2][2][2] = { { { {0x748502cd, 0x38451097}, {0x03c70306, 0xd8a09f10} }, { {0x38747564, 0x38451097}, {0x78560a09, 0x60e6d4cb} } }, { { {0x48691102, 0x6acdff31}, {0x45fa285b, 0xe5adc730} }, { {0x375bd31f, 0x6acdff31}, {0x134f7915, 0xac253457} } }, { { {0x357418da, 0x013fec86}, {0xd8a31b2f, 0x28bbc5cf} }, { {0x12549847, 0x013fec86}, {0x0f317ac2, 0xb23cb944} } } };Now mount a differential attack using these three pairs to completely recover the key. Note that you will have to do an exhaustive key search after the initial differential attack is done.

Turn in your code as usual along with an execution.

6. The following problem is **very** challenging and should not be
attempted unless you have successfully completed the 5 preceeding
problems and you are prepared to spend some significant time and are
fairly comfortable with linear algebra.

We have claimed that the design of the S-boxes in DES was very carefully chosen. This exercise shows that not any design will do.

Let's say you have the ability to change the contents of the S-boxes (not the structure, just the numbers inside). Change them to anything you like and call this new cipher WDES (for Weak DES). Then describe a simple attack on WDES which efficiently extracts the key given one known plaintext-ciphertext pair.