[Boneh-crypto-course] If DES were linear... what???
Jim Blandy
jimb at red-bean.com
Tue Mar 27 23:53:20 CDT 2012
On Mar 27, 2012 9:14 PM, "Jason Orendorff" <jason.orendorff at gmail.com>
wrote:
> You don't need to. M2 must in fact be lossy, being non-square, but
> that doesn't matter. Once you recover M2 ks, you've completely broken
> the cipher, and what's more it's not significantly better than
> Caesar's cipher.
>
> M1 m ⊕ M2 ks = c
>
> We're just scrambling the plaintext a little and XOR-ing it with a
> 64-bit key. It is totally trivial, and all it takes is a single
> plaintext-ciphertext pair, *any* pair, to break it.
>
> I think the lesson is that linear functions really don't make good
> ciphers.
Okay, that's a relief. I did understand that the thing was trivial if
linear; he just says something about being able to recover the key with 832
chosen plaintexts, which I didn't grasp at all.
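
The break described in the quoted message, as an added example that is not part of the original thread: a toy GF(2) cipher c = M1 m ⊕ M2 ks built from random constructed matrices (not DES's), where one known plaintext-ciphertext pair yields M2 ks and decrypts any other block. The 768-bit size of ks (16 round keys of 48 bits) and all function names are assumptions of the example.

```python
import random

N, K = 64, 768  # block bits; ks bits = 16 round keys x 48 (assumed layout)

def mat_vec(rows, v):
    """GF(2) matrix (list of row bitmasks) times bit-vector v."""
    return sum((bin(r & v).count("1") & 1) << i for i, r in enumerate(rows))

def invert(rows, n):
    """Gauss-Jordan inverse over GF(2); None if the matrix is singular."""
    a, inv = list(rows), [1 << i for i in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if a[r] >> col & 1), None)
        if piv is None:
            return None
        a[col], a[piv] = a[piv], a[col]
        inv[col], inv[piv] = inv[piv], inv[col]
        for r in range(n):
            if r != col and a[r] >> col & 1:
                a[r] ^= a[col]
                inv[r] ^= inv[col]
    return inv

rng = random.Random(2012)  # constructed toy matrices, not derived from DES
M1_inv = None
while M1_inv is None:  # resample until M1 is invertible
    M1 = [rng.getrandbits(N) for _ in range(N)]
    M1_inv = invert(M1, N)
M2 = [rng.getrandbits(K) for _ in range(N)]  # 64 x 768: non-square, lossy

def encrypt(ks, m):
    return mat_vec(M1, m) ^ mat_vec(M2, ks)  # c = M1 m XOR M2 ks

def recover_pad(m, c):
    """One known pair gives the 64-bit value M2 ks = c XOR M1 m."""
    return c ^ mat_vec(M1, m)

def decrypt_with_pad(pad, c):
    """m = M1^-1 (c XOR M2 ks); the 768-bit ks itself is never needed."""
    return mat_vec(M1_inv, c ^ pad)

def demo():
    ks = rng.getrandbits(K)  # secret expanded key
    known_m, secret_m = rng.getrandbits(N), rng.getrandbits(N)
    pad = recover_pad(known_m, encrypt(ks, known_m))
    guess = decrypt_with_pad(pad, encrypt(ks, secret_m))
    return pad == mat_vec(M2, ks), guess == secret_m

if __name__ == "__main__":
    print(demo())
```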