1

I was learning DES when it occurred to me that there could be a possible case where a (key, plainText) pair could result in an encryptedText such that, plainText == encryptedText.

Quickly I found out that there exists weak keys (especially for DES!) that make it quite vulnerable. So, the worst that can happen with these weak keys is that double encryption would return the original plainText.

I want to look at one example where the output of the DES would be same as input.

What I've already tried:

  • A brute force: wrote a generator for random [key, pText] pairs and DES over them to see if the eText is same as pText. Got a C Language implementation from here. Specs: len(pText) = 64b, len(key) = 56b, Generated random cases: 10M. I do understand that the number of cases barely scratches the surface, but I was hoping (naively I guess) I'd find at lease one such case.
  • Gave a little thought and realised that, if the crypto function in the Feistel Structure returns 0 in every round, at the end of 16 rounds, we'd have the same output. This depends upon the inputs to that function (which are in-turn derived from the talked about pair)
  • Yet another thought is that: if the input is small enough (yes assuming we have padding enabled) the output would also be of the same size, which means that there's a very high probability that the pText is same as eText. Just to make my thoughts more clear, if input is of size 1 bit, say 1, the output could be 0 or 1, implying, the chances of my case occurring is 50%!

May be I should see the mathematical model of the DES and infer if it's possible, but I feel like I've already spent too much time on this!

Please suggest me how do I go about cracking this case!

Thanks! :)

Harsh
  • 155
  • 4

2 Answers2

1

For a fixed key, a block cipher is presumed to behave like a pseudo-random permutation (PRP) over messages. What we are interested in is if the permutation contains a fixed point, i.e. if it is a derangement or not. What we find is that there is about a 63% chance that there is at least one fixed point, and the expected number follows a Poisson distribution (i.e. there shouldn't be many).

Your argument about short messages doesn't apply to block ciphers used in practice, since they don't operate on messages smaller than a block.

bmm6o
  • 1,067
  • 6
  • 17
0

Yes, it seems quite likely that there is a (key, plainText) pair leading to encryptedText == plainText.

If we consider a random mapping over any positive number of values, the expected number of values leading to itself is precisely 1 (that's the exact average for all possible mappings; except for very low number of values, some mapping have 0 such values, many have 1, some have 2 or more). Therefore, on the heuristically justifiable assumption that DES with a random fixed key is appropriately modeled by a random mapping, we have reasonable hope to find a suitable (key, plainText) pair by taking a random key and trying all plaintext (if we had $2^{64}$ bits of fast memory we could spare some encryption work by noticing that a single encryption allows to rule out two values). If we are unlucky, we can try with another one. We expect to succeeds with about $2^{64}$ encryptions.

Yet I do not know that it has been done.

fgrieu
  • 140,762
  • 12
  • 307
  • 587
  • I disagree with a part of your answer. We know that DES is invertible. This implies that we'll never have a value mapped by two values. And since we know that the value space is same before the encryption and after the encryption, there must be a strict one-one mapping (this leaves out the possibility of 0 mapped values). – Harsh Sep 04 '15 at 18:02
  • @Harsh: You've misunderstood. For a fixed key, the map is one to one. fgrieu is talking about a (key,plaintext) pair. – kodlu Sep 05 '15 at 02:08