Exercise 3.6 from Cryptography and Engineering Consider a new block cipher, DES2, that consists only of
two rounds of the DES block cipher. DES2 has the same block and key
size as DES. For this question you should consider the DES F function
as a black box that takes two inputs, a 32-bit data segment and a
48-bit round key, and that produces a 32-bit output. Suppose you have
a large number of plaintext-ciphertext pairs for DES2 under a single,
unknown key. Give an algorithm for recovering the 48-bit round key for
round 1 and the 48-bit round key for round 2. Your algorithm should
require fewer operations than an exhaustive search for an entire
56-bit DES key. Can your algorithm be converted into a distinguishing
attack against DES2?
My idea was if we have plaintext-ciphertext pair we do the following.
We split our ciphertext C in two 32bits. We have to guess K2 with 2^48 operations and then XOR L with output of F(K2,C) and compare with R of plaintext. If its equal we know K2 was correct. To make sure K2 was really correct, we can use other pairs to confirm it. Now we have to find K1, again with 2^48 operations. In total we need 2*2^48 operations rather 2^48 * 2^48 or better 2^56 operations. And we could easily use a distinguishing attack, by using weak keys of DES? and trying to find this L and R equality by only 2^48 operations. I might be totally wrong from the ground. Did I even draw the "2DES" cipher correctly?