The book asserts that to store a completely general mapping takes (about) 2 to the 70th bits. So we should look for schemes like that. Fortunately there is a very simple scheme. Form an array with 2 to the 64th entries, indexed by the 64-bit strings (or equivalently, by the nonnegative integers less than 2 to the 64th). In each array entry, place the 64-bit string to which the array index maps.
This uses 2 to the 70th bits, and computing the mapping for any specific input requires an array lookup (which takes time proportional to the logarithm of the number of entries in the array. If decrypting is also needed, one can build a second array which gives the inverse map.
It is possible that some space can be saved by compressing this array, but it is hard to see how to preserve the fast access using a compressed representation.
If we follow the description in the book exactly, each round of DES simply interchanges the left and right halves when the mangler function is fixed at zero. Thus if we do 16 rounds in succession, the mapping is the identity. Preceding this with the permutation, and following it by the inverse permutation, still yields the identity.
There is a confusion in the presentation in the book, so the answer given above looks correct but is not (I accepted that answer anyways). If one checks carefully, the final inverse permutation is applied not to L16R16, but rather to R16L16. So, in this sneaky way, one extra swap of left and right halves is introduced. Then the mapping is really Inverse Permutation(Swap Left and Right Halves(Permutation(Input))). You can figure out what this is by looking at the permutation.
Bits are not used equally. Each round 8 bits are left out. After 16 rounds totally 8*16 = 128 bits are left out. Since the key size (56 bits) does not divide 128 bits that are left out, each bit can not be used equal number of times. By working out the algorithm that generates round keys (I wrote a simple C program) the bits that are not used for each of the 16 keys are as follows:
| round # | Bits |
|---|---|
| 1 | 6 7 11 12 43 46 50 52 |
| 2 | 3 4 35 38 42 44 61 62 |
| 3 | 19 22 26 45 46 52 55 57 |
| 4 | 3 6 10 29 30 36 39 41 |
| 5 | 13 14 23 25 49 52 53 59 |
| 6 | 7 9 28 33 36 37 43 61 |
| 7 | 12 17 21 27 45 49 54 58 |
| 8 | 1 5 11 29 33 38 42 63 |
| 9 | 3 21 25 28 30 34 55 58 |
| 10 | 5 9 12 14 18 39 42 52 |
| 11 | 2 20 23 26 36 58 61 63 |
| 12 | 4 7 10 42 45 47 49 51 |
| 13 | 26 29 31 33 35 54 55 59 |
| 14 | 10 13 15 17 19 38 39 43 |
| 15 | 1 3 22 23 27 28 59 62 |
| 16 | 14 15 19 20 51 54 58 60 |
The important thing to notice is that OFB is calculated by a simple application of DES. Now DES is an encryption function, and so it is reversible. In other words, not only does every input map to a unique output, but also every output is mapped to from a unique input.
The answer is yes. Suppose to the contrary that the answer is no, and suppose that we start with IV to form the sequence b0, b1, b2, ... but that bi is the first value to repeat and i is not 0. But bi is the output for only one input, and we know that it is the output for the input b(i-1). So if bi repeats, and i is not 0, then b(i-1) repeats just before it. This is a contradiction, so b0=IV must be the first value to repeat.
Easy answer: You've got plaintext P and ciphertext C. Pick an arbitrary key K1 and compute Q=encrypt(P,K1). Now we want to find a pair of keys that map Q to C. But if we only want two keys, we have exactly a double DES problem to solve, and we can use the meet-in-the-middle attack to find the two keys. We can expect this to succeed with high probability for Q and C, but if it were to fail we could go back and choose a different K1.
Better answer: Unlike the standard meet-in-the-middle attack, you don't care whether you find the `correct' keys, just any set of keys that works. So you can do the following:
For ECB, C_i = E(M_i). Hence, M_i = D(C_i). Therefore, any error in C_i will only affer M_i.
For OFB, C_i = M_i XOR b_i where b_i = E(b_{i-1}). Hence, M_i=C_i XOR b_i. Any error in C_i will only affect M_i. For CBC, C_i = E(c_{i-1} XOR m_i). This implies M_{i} = D(C_{i}) XOR C_{i-1}. Therefore, every C_{i} will affect 2 messages. For CFB, C_{i} = M_i XOR E(C_{i-1}). Therefore M_{i} = (C_i XOR E(C_{i-1}). Therefore, every C_{i} affects 2 M_{i}.
The final permutation is the inverse of the initial permutation. Therefore, the input for the first round of DES round is R_{16}|L_{16}. (Note that it is swap.) For input A|B in a round, the output is B|(A XOR M(B,K)) where K is the per round key. Suppose the input of a round is R_{i}|L_{i} and the key is K_{i}. We can compute the output as L_{i}|(R_{i} XOR M(L_{i},K_{i}). Now, remember by the DES round and the definition of L_i and R_i. We have L_{i}=R_{i-1} and R_{i}=L_{i-1} XOR M(L_{i},K_{i}). We can simplify the output of the round to R_{i-1}|L_{i-1}. Therefore, at the end of the 16 rounds, we should have R_{0}|L_{0}. Now we swap the L and R according to R and apply IP^{-1}, and this will give the orginal message.
We let I denote that all one vector of length either 32, 56 or 64 (depending the context). So c(x)=I-x = I+x and c(K)=I-K = I+K (mod 2!!!) We analyze the input of x and c(x) to DES. In the IP, since we just shuffle the bits, the output of IP are complement to each other. Similarly, the per round keys for K and per round keys for c(K) is just bit-wise complement of each other. By the same token, (the final permutation is the same too), we just need to analyze the per round operation. If the input in a round is L_{i}|R_{i}, then the output is R_{i}| L_{i} XOR (m(R_{i},K_{i}). We first note that the "expansion" of the 32 bits to 48 bits also preserve the bitwise complement. We denote the expanded input of R_{i} as RR_{i}. The output of the round can be re-written as R_{i}| L_{i} XOR (m(RR_{i} XOR K_{i}). Now, if the input were c(L_{i})|c(R_{i}) with key c(K_i), the the output is c(R_{i})| c(L_{i}) XOR (m(c(RR_{i}) XOR c(K_{i})). Now c(RR_{i}) XOR c(K_{i}) = I+RR_{i} XOR I + K_{i} = RR_{i} XOR K_{i}. Therefore, the output is c(R_{i})| c(L_{i}) XOR (m(RR_{i} XOR K_{i}). Next, we can easily see that L_{i} XOR (m(RR_{i} XOR K_{i}) and c(L_{i}) XOR (m(RR_{i} XOR K_{i}) are bitwise complement of each other since adding them would become zero. Therefore, after each round, the output is bit-wise complement of each other. Hence, we are done.
a) If C_{0} and D_{0} were either all 0 or all 1, then, when we generate the per-round keys. All 16 keys are the same since C_{i} and D_{i} are the same. Now, since all keys are the same, we must have K_{17-i}=K_{i} for all i. By problem 7, decrypting with the key schedule reverse is the same as encrypting. Therefore E_{K1}(E_{K1}(x)) = D_K1(E_K1(x))=x. Hence K1 is self dual.
b) when the key is 0101010101010101, since it is represented as hexadecimal. All bits multiple of 8 are not used. Hence, the key is 56 bits of 0 in binary representation. Therefore, C_0=0 and D_0=0. By a, this key is self-dual.