Again suppose DES used the simplified S box of the previous two exercises, and also assume we perform only a single round of encryption.
(a) Suppose an attacker has both the plaintext {L0, R0 } and the ciphertext { L1, R1}. How much does this tell the attacker about the key K1? How about K? (This is not intended to suggest a weakness in the real DES, but rather as a justification for the S box DES actually uses.)
(b) Being able to recover the key given a plaintext and ciphertext would be bad enough for any encryption mechanism; explain why it would be particularly fatal for public key cryptosystems.