Let us assume that we have a very large number of known plaintexts.
How can we prove that $c= DES(K1,M \oplus K2)$ offers no advantage compared to DES?
Asked
Active
Viewed 731 times
1
-
1Hint: to prove that this DES variation has almost no advantage compared to DES in term of resistance to brute force, exhibit an attack recovering K1 and K2 assuming two or three distinct plaintext/ciphertext pairs, with cost only about twice that of attacking DES with one or two plaintext/ciphertext pairs. – fgrieu Dec 04 '16 at 19:11
-
Thank you for the replay. To be honest , I don't have much experience at that topic . Could you please elaborate a bit ? – user3697730 Dec 04 '16 at 19:14
-
2$D(C_1) \oplus D(C_2) = P_1 \oplus P_2$ – CodesInChaos Dec 04 '16 at 19:46
-
What CodesInChaos meant: Basically you're using a multi-time-pad before encrypting with DES. And that is bad - it means your scheme is just DES and nothing else. If you state "$K_2$ is only used once", you could just use OTP directly instead. – tylo Dec 05 '16 at 13:45
-
@tylo if we try to solve $D(C_1) \oplus D(C_2) = P_1 \oplus P_2$ we need to precompute all the $2^{56}$ D(C_1) (for the different k1's) and all the D(c2) and then try to find the two that xoring them will give $P_1 \oplus P_2$ . But to find those two we still need $2^{56} \times 2^{56}$ so it actually increases complexity , doesn't it? – tonythestark Feb 07 '23 at 20:02
-
@tonythestark No, you only need to cycle through K1 once, and check the equation for each. So it's $2^{56} \cdot 2$ decryptions at most. No need to store anything, or match anything. The question said, there's a large number of known plaintext (+ ciphertext obviously) - but only two are required. Btw., the question is over 6 years old. – tylo Feb 14 '23 at 07:16