**(1)** Using the Baby DES cryptosystem with 3 rounds, encrypt the plaintexts 000000111111, and 111111111111. Use the key K = 000111000. Show the outcome of each round. More precisely, for each of the two encryptions show:

L_0 R_0,

L_1 R_1, K1

L_2 R_2, K2

and

L_3 R_3, K3

also show the work

**(2)** In this part you are asked to execute the differential attack on Baby DES with 3 rounds that we discussed in class. For that use the above two plaintexts (i.e., 000000111111 and 111111111111) and the ciphertexts that you have obtained in part (1). Next run the differential attack using the method discussed in class. You should, of course, pretend that you do not know the key K. Show all the steps. Do all these for the left half and the right half and derive the possibilities for K_3.

You need to present the following:

- The 16 pairs of inputs having the desired XOR (for the left half and the right half),

- The pairs that yield after the S-box substitutions the desired output (for the left half and the right half),

- List all the possibilities for K_3.

- List all the possibilities for K. If you worked correctly, the actual K should be on this list.

Organize your write-up neatly so that the grader can follow what you did.

Notes: Some elements of Baby DES and of the differential attack for BabyDES with 3 rounds:

Recall the notation: L_i is the left half after round i, and R_i is the right half. K_i is the key for round i. We use + for bitwise XOR (which is the same as addition modulo 2).

One round follows the Feistel structure which means that

L_i = R_(i-1) and R_i = L_(i-1) + f( R_(i-1), K_i )

The function f(R,K) is defined as follows.

- Expand R, obtaining E(R)
- E(R ) + K
- The left 4 bits are substituted using S_1 and the right 4 bits are substituted using S_2.

The expander (from a 6-bit string to a 8-bit string) in Baby DES is

( 1 2 3 4 5 6) à ( 1 2 4 3 4 3 5 6)

For example 001011 becomes after extension 00010111.

The S_1 table is

( 101 010 001 110 011 100 111 000)

( 001 100 110 010 000 111 101 011)

The S_2 table is

(100 000 110 101 111 001 011 010

101 011 000 111 110 010 001 100)

The S_1 table defines a substation from 4-bit strings to 3-bit strings as follows.

Let b_1 b_2 b_3b_4 be the 4-bit string. We look in S_1 at row b_1 and column b_2 b_3 b_4 and substitute b_1b_2b_3b_4 with what we see at that location.

S_2 works in the same way.

K_i is obtained from K, by taking 8 bits from K starting with the i-th position (where the leftmost bit is in position 1). For example if K = 000 111 000, then K_3 = 01110000.

The differential attack is a chosen plaintext attack. For Baby DES with 3 rounds, the main steps are as follows.

We choose 2 plaintexts L_0 R_0 and L*_0 R*_0 with R_0 = R*_0.

We get the corresponding 2 ciphertexts L_3 R_3 and L*_3 R*_3.

Let us denote A = L_0 + L*_0 + R_3 + R*_3, a string which we have. The goal is to find K_3.

It holds 9we showed this in class) that A = f(L_3, K_3) + f(L*_3, K_3).

This implies that the

left 4-bit half of E(L_3) + K_3 and

the left 4-bit half of E(L*_3) + K_3

when entered as input to the S_1 substitution produce two strings whose XOR is the left half of A.

Thus, for the S_1 substitution, we know the XOR of 2-inputs (because when we XOR the two inputs above, the two K_3 cancel each other) and the XOR of their outputs. This allows us to get a few candidates for the left half of K_3 in the following way: we look at the list of pairs whose XOR is E(L_3) + E(L*_3) (the left 4 bits) and output XOR is left half of A. We know that the pair (E(L_3) + K_3, E(L*_3) + K3) (left 4 bits) is on this list. From here we find the possibilities for K_3 (left 4 bits).

Then we do the same thing for the right half, using S_2.