#### CSCI 7000 - Cryptography - Spring 2010

### Problem Set #2

#### Due: Mar 01st, 2010 at 4pm

1. Fix some integer n > 0. Let the set A = [0..2^{n} - 1].
As we know, a function F : A -> A is a **permutation** if and only if
F is one-to-one and onto. A permutation P : A -> A is a **bit mixing
permutation** if and only if for all x in A, P(x) is a reordering of the
bits of x. More precisely, if we write out x in binary as
b(1) b(2) b(3) ... b(n), then P(x) = b(Q(1)) b(Q(2)) ... b(Q(n)) for
some permutation Q : [1..n] -> [1..n].
Prove the following: if P is a bit mixing permutation then
for all x and y in A, P(x xor y) = P(x) xor P(y).

2. Give an example of a permutation that does not have the property of
problem #1. That is, a permutation P where P(x xor y) ≠ P(x) xor P(y).

3. Explain why the result in Problem 1 is relevant for the 3-round
differential attack on DES we did in class.

4. This problem has two parts; the first part is the easier.

- Define c(x) as the one's complement of x.
Prove that for all 56-bit keys K and all 64-bit
inputs X, we have that DES(K, X) = c(DES(c(K),c(X))).
- Describe an attack on DES that uses this property to cut down the
number of keys we have to try when exhaustively searching the keyspace.

5. Feel free to use hwdes.c for this problem.
We will use the differential given in class for 3 rounds of DES.
In particular, use the following pairs (by adding this code to hwdes.c):

```c
int pairs[][2][2][2] = {
    {
        { {0x748502cd, 0x38451097}, {0x2e48787d, 0xfb8509e6} },
        { {0x38747564, 0x38451097}, {0xfc19cb45, 0xb6d9f494} }
    },
    {
        { {0x48691102, 0x6acdff31}, {0xac777016, 0x3ddc98e1} },
        { {0x375bd31f, 0x6acdff31}, {0x7d708f6d, 0x4bc7ef16} }
    },
    {
        { {0x357418da, 0x013fec86}, {0x5a799643, 0x9823cf12} },
        { {0x12549847, 0x013fec86}, {0xae46e276, 0x16c26b04} }
    }
};
```

Now mount a differential attack using these three pairs to completely
recover the key. Note that you will have to do an exhaustive key search
after the initial differential attack is done.
Turn in your code as usual along with an execution.

6. Let's construct a blockcipher E. The round function f(A, J) takes
a 32-bit input A and a 32-bit round-key J. We define
f(A, J) = A^{2} + J mod 2^{32}. Now define E as 16 Feistel rounds using f with
16 independent and random round keys.

Break E in the sense of IND-CPA using a differential attack.
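
An added sanity check for the definition in Problem 1, not part of the original problem set and not a proof: it builds P from a constructed sample Q for n = 8 and exhaustively tests the XOR identity over all pairs in A. The names `bitmix`, `is_permutation`, `count_xor_violations` and the table `Q` are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define N 8  /* bit width n, so A = [0..2^N - 1]; small constructed case */

/* Constructed sample Q : [1..N] -> [1..N], 1-based as in Problem 1. */
static const int Q[N] = {3, 1, 4, 8, 6, 2, 7, 5};

/* Bit b(i) of x, with b(1) the most significant of the N bits. */
static unsigned bit(uint32_t x, int i) { return (x >> (N - i)) & 1u; }

/* P(x) = b(Q(1)) b(Q(2)) ... b(Q(N)) */
uint32_t bitmix(uint32_t x)
{
    uint32_t out = 0;
    for (int i = 1; i <= N; i++)
        out = (out << 1) | bit(x, Q[i - 1]);
    return out;
}

/* Returns 1 if P is one-to-one on A (hence onto, since A is finite). */
int is_permutation(void)
{
    unsigned char seen[1u << N] = {0};
    for (uint32_t x = 0; x < (1u << N); x++) {
        uint32_t y = bitmix(x);
        if (seen[y]) return 0;   /* two inputs collided */
        seen[y] = 1;
    }
    return 1;
}

/* Counts pairs (x, y) in A x A with P(x xor y) != P(x) xor P(y). */
unsigned long count_xor_violations(void)
{
    unsigned long bad = 0;
    for (uint32_t x = 0; x < (1u << N); x++)
        for (uint32_t y = 0; y < (1u << N); y++)
            if (bitmix(x ^ y) != (bitmix(x) ^ bitmix(y)))
                bad++;
    return bad;
}

int main(void)
{
    printf("permutation: %d, violations: %lu\n",
           is_permutation(), count_xor_violations());
    return 0;
}
```

Swapping in a different Q, or replacing `bitmix` with another candidate permutation, turns the same harness into a quick test of whether that map commutes with xor.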