2. Consider the above Feistel cipher with r = 2 rounds. Imagine a key scheduling algorithm that works as follows. Given K € K = {0, 13256, set k₁ to be the leftmost 128 bits of K, and k₂ to be the rightmost 128 bits of K, then define f(x) = xk₁. Show that this block cipher is totally insecure that is, given a single plaintext-ciphertext pair (m, c), the secret key K can be easily recovered. Hint: linearity is the problem here.

Cryptography

Transcribed Image Text:

= Consider a Feistel cipher with r rounds and n = 128 (half the block length); = 256 (the key bit size). Then M {0, 13256 (the plaintext space), C = {0, 13256 (the ciphertext space), and K = {0, 13256 (the key space). A key scheduling algorithm determines subkeys k₁, k₂ from a key KEK = {0, 13256. Each subkey k, determines a function f {0, 11128 {0, 1}128. Encryption takes r rounds: Plaintext is m = (mo, m₁) with mo, m₁ = {0, 1}128, Round 1: (mo, m₁)→ (m₁, m₂) with m₂ = mo fi(m₁). Round 2: (m₁, mą₂)→ (m₂, ma) with m3 = m₁ f2(m₂). ⠀ Round r: (m,-1, mr) → (Mr, Mr+1) with mr+1= mr-1 fr(mr). The ciphertext is c = (mr, mr+1). For the Feistel cipher described above:

Transcribed Image Text:

2. Consider the above Feistel cipher with r = 2 rounds. Imagine a key scheduling algorithm that works as follows. Given K € K = {0, 13256, set k₁ to be the leftmost 128 bits of K, and k₂ to be the rightmost 128 bits of K, then define f(x) = rk. Show that this block cipher is totally insecure that is, given a single plaintext-ciphertext pair (m, c), the secret key K can be easily recovered. Hint: linearity is the problem here.