Consider a Feistel cipher with r rounds and n=128 (half the block length); ℓ=256(the key bit size). Then M={0,1} 24
(the plaintext space), C={0,1} 276
(the ciphertext space), and K={0,1} 2%
(the key space). A key scheduling algorithm determines subkeys k 1
,k 2
from a key K∈K={0,1} 206
. Each subkey k i
determines a function f i
:{0,1} 12×
→{0,1} 12×
. Eneryptio. takes r rounds: - Plaintext is m=(m 0
,m 1
) with m 0
,m 1
∈{0,1} 12κ
, - Round 1: (m 0
,m 1
)→(m 1
,m 2
) with m 2
=m 0
⊕f 1
(m 1
). - Round 2: (m 1
,m 2
)→(m 2
,m 3
) with m 3
=m 1
⊕f 2
(m 2
). - Round r: (m r−1
,m r
)→(m r
,m r+1
) with m r+1
=m r−1
⊕f r
(m r
). - The ciphertext is c=(m r
,m r+1
). For the Feistel cipher described above: Exercise 2 (Security of Feistel ciphers 1. Consider the above Feistel cipher with r=2 rounds. Is this Feistel cipher secure against an exhaustive key search attack, in the known-plaintext attack model? What does the complexity of such an attack depend on? Explain. 2. Consider the above Feistel cipher with r=2 rounds. Imagine a key scheduling algorithm that works as follows. Given K∈K={0,1} 2π
, set k 1
to be the leftmost 128 bits of K, and k 2
to be the rightmost 128 bits of K, then define f i
(x)=x∈
/
k i
. Show that this block cipher is totally insecure - that is, given a single plaintext-ciphertext pair (m,c), the secret key K can be easily recovered. Hint: linearity is the problem here.