Lecture 5 - DES II
Modern Cryptology
Lecture 5
A brute-force attack to find the key requires $2^{56} \approx 10^{17}$ operations.
Frequency-analysis-based methods do not work at all, since variations
in frequencies are flattened out by the 64-bit block size and a sequence of
linear transformations.
We can assume stronger forms of attack: known-plaintext, chosen-plaintext, etc.
We start with easier versions of DES by restricting the number of rounds.
Since $\gamma_i$ is known, we can look up the table for $S_i$ to find out which
inputs can produce $\gamma_i$ as output.
As already observed, the table for each $S_i$ has exactly four occurrences of
$\gamma_i$.
Let $X_i$ be the set of inputs to $S_i$ that produce $\gamma_i$ as output.
We have: $|X_i| = 4$.
The string $\beta_i \in X_i$.
Let $K_i = \{\alpha_i \oplus \beta \mid \beta \in X_i\}$.
Since $k_{1,i} = \alpha_i \oplus \beta_i$, we have $k_{1,i} \in K_i$, and $|K_i| = 4$.
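
The construction of $X_i$ and $K_i$ above, as an added example that is not part of the lecture. It uses the standard DES table for S1 and assumes $\alpha_i$ is the known 6-bit value XORed with the round-key chunk ahead of the S-box and $\gamma_i$ is the known 4-bit S-box output; the secret chunk and the $\alpha$ values are constructed. It goes one step beyond the text by intersecting the candidate sets from two known pairs.

```python
# Added illustration, not from the lecture: candidate sets X_i and K_i for S1.
S1 = [  # standard DES S-box 1; each row is a permutation of 0..15
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(table, b):
    """6-bit input -> 4-bit output: outer bits select the row, middle four the column."""
    row = ((b >> 4) & 0b10) | (b & 1)
    col = (b >> 1) & 0xF
    return table[row][col]

def preimages(table, gamma):
    """X_i: every 6-bit input that the S-box maps to gamma (always four of them)."""
    return {b for b in range(64) if sbox(table, b) == gamma}

def key_candidates(table, alpha, gamma):
    """K_i = {alpha XOR beta : beta in X_i}; the true key chunk is one of these."""
    return {alpha ^ beta for beta in preimages(table, gamma)}

def recover_chunk(table, pairs):
    """Beyond the text: intersect K_i over several known (alpha, gamma) pairs."""
    candidates = set(range(64))
    for alpha, gamma in pairs:
        candidates &= key_candidates(table, alpha, gamma)
    return candidates

# Constructed sample data: a secret 6-bit key chunk and two known alpha values.
SECRET_CHUNK = 0b101101
ALPHAS = [0b010011, 0b110100]

def demo():
    # gamma is what an observer of the one-round cipher would see for each alpha
    pairs = [(a, sbox(S1, a ^ SECRET_CHUNK)) for a in ALPHAS]
    per_pair = [key_candidates(S1, a, g) for a, g in pairs]
    return pairs, per_pair, recover_chunk(S1, pairs)

if __name__ == "__main__":
    pairs, per_pair, remaining = demo()
    for (alpha, gamma), cands in zip(pairs, per_pair):
        print(f"alpha={alpha:06b} gamma={gamma:04b} K_i={sorted(cands)}")
    print("after intersection:", sorted(remaining))
```
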