Extra Credit.
In class we explained that given a set of known plaintext and ciphertext pairs encrypted with a 56-bit DES key, it is possible to find the key using O(256) operations. Technically, the attacker would try to decrypt one of the ciphertexts with all possible keys until he/she uses a key that decrypts one of the ciphertexts to the corresponding known plaintext. The attacker would then verify that this is indeed the correct key by trying it on the other known plaintext and ciphertext pairs.
We also discussed 2DES: to encrypt a block M with 2DES, compute EK1(EK2(M)), where K1 and K2 are both 56 bit DES keys (the total key length for 2DES is therefore 112 bits).
The extra credit problem is to show that an attacker can still find the keys K1 and K2 using O(256) operations (technically, O(256)
trial DES encryptions or decryptions).