### Homework #3

#### Due: Mar 10th, 2014

1. Fix some integer $n > 0$. Let the set $A = [0 \ldots 2^n - 1].$ As we know, a function $F : A \rightarrow A$ is a permutation if and only if $F$ is one-to-one and onto. A permutation $P : A \rightarrow A$ is a bit mixing permutation if and only if for all $x$ in $A$, $P(x)$ is a reordering of the bits of $x$. More precisely, if we write out $x$ in binary as $b(1) b(2) b(3) ... b(n)$, then $P(x) = b(Q(1)) b(Q(2)) .... b(Q(n))$ for some permutation $Q : [1..n] \rightarrow [1..n]$.

Prove the following: if $P$ is a bit mixing permutation then for all $x$ and $y$ in $A$, $P(x \oplus y) = P(x) \oplus P(y)$.

2. Give an example of a permutation that does not have the property of problem #1. That is, a permutation $P$ where $P(x \oplus y) \neq P(x) \oplus P(y)$.

3. Explain why the result in Problem 1 is relevant for the 3-round differential attack on DES we did in class.

4. This problem has two parts; the first part is the easier.

• Define $c(x)$ as the one's complement of $x$. Prove that for all 56-bit keys K and all 64-bit inputs $X$, we have that DES$(K, X) = c(DES(c(K),c(X)))$.
• Describe an attack on DES that uses this property to cut down the number of keys we have to try when exhaustively searching the keyspace.

5. Look up the full description of DES and read it. You'll see that I mostly wasn't lying (the only thing I didn't mention in class was IP, its inverse, and the final-reverse at the end).
Feel free to use hwdes.c for this problem. We will use the differential attack given in class for 3 rounds of DES. In particular, use the following pairs (by adding this code to hwdes.c):

"hw3.html" 119L, 4539C                                                                                          1,0-1         Top
int pairs[] = {
{
{ {0x748502cd, 0x38451097}, {0x2e48787d, 0xfb8509e6} },
{ {0x38747564, 0x38451097}, {0xfc19cb45, 0xb6d9f494} }
},
{
{ {0x48691102, 0x6acdff31}, {0xac777016, 0x3ddc98e1} },
{ {0x375bd31f, 0x6acdff31}, {0x7d708f6d, 0x4bc7ef16} }
},
{
{ {0x357418da, 0x013fec86}, {0x5a799643, 0x9823cf12} },
{ {0x12549847, 0x013fec86}, {0xae46e276, 0x16c26b04} }
}
};

Now mount a differential attack using these three pairs to completely
recover the key.  Note that you will have to do an exhaustive key search
after the initial differential attack is done. Note that IP and its inverse
along with FINAL_REVERSE were all set to 0 for the above pt/ct pairs.

Turn in your code as usual along with an execution.  Note that this problem
is time-consuming and you should try and get an early start.

6. Let's construct a blockcipher $E$ with a 64-bit block size.
The round function $f(A, J)$ takes
a 32-bit input A and a 32-bit round-key J.  We define $f(A, J) = A^2 + J \bmod 2^{32}$.  Now define $E$ as 16 Feistel rounds using $f$ with
16 independent and random round keys.

Break $E$ in the sense of IND-CPA using a differential attack.

7. (EXTRA CREDIT) Do this problem only if you have finished all
other problems, you are caught up in your other school, work and life
obligations, and you really want to tackle something hard.  Also, you
will need to have some familiarity with linear algebra in order to do
this problem.  You can get an A in this class without doing this problem.

The idea of this exercise is to show that, with bad S-boxes, DES is
easily broken.  This supports the claim in class that DES's security
relies on its S-box design.  Here it is:

Change DES to WDES, a "Weakened DES", as follows:  take the DES code given
above and set it to 16 rounds, but leave off the IP and IPI and
FINAL_REVERSE switches. Now, modify all 8 S-boxes to be the identity
map in all four rows.  (In other words, each row is 0, 1, 2, ..., 15.)
We can now recover the WDES key with a single plaintext/ciphertext pair!
Find the key for plaintext (9237bca1, f62011da) and
ciphertext (a35498dc, 1b44aaa9).
Turn in your code as usual along with an execution.