MD$5$x$3$with

$=====$

MD$5$x$3$ is a block cipher that has a $3-$round Feistel structure and its round function is based on the MD$5$ hash function. The block size of MD$5$x$3$ is $32$ bytes and its key length is $48$ bits $(6$ bytes$).$ The encryption operation is illustrated in the figure below, where $|$ means concatenation of byte strings and $(+)$ denotes the XOR operation:

X $=$ L$0|$R$0$

L$0$ R$0$

$||$

$|+-----+|$

$|||<---$ K$0|$

$(+)<---|$ MD$5|<--------+$

$|||<---$ K$1|$

$|+-----+|$

$||$

$|+-----+|$

$|$ K$2--->|||$

$+-------->|$ MD$5|--->(+)$

$|$ K$3--->|||$

$|+-----+|$

$||$

$|+-----+|$

$|||<---$ K$4|$

$(+)<---|$ MD$5|<--------+$

$|||<---$ K$5|$

$|+-----+|$

$||$

L$3$ R$3$

Y $=$ L$3|$R$3$

The input block X is first divided into $2$ halves, L$0$ and R$0,16$ bytes each. The right half R$0$ is hashed together with the first $2$ bytes K$0,$ K$1$ of the key $($see figure$),$ the result MD$5($K$0|$R$0|$K$1)$ is XORed with the left half L$0,$ and then the two halves are swapped. This makes up one round. The same operation is repeated in the remaining $2$ rounds, except that the swap of the two halves is omitted at the end of the last round, and each round uses the next $2$ bytes from the key, i$.$e$.,$ K$2,$ K$3,$ and K$4,$ K$5.$ We obtain the output Y by concatenating the two halves at the end.

A Python implementation of MD$5$x$3$ is provided for your convenience in md$5$x$3.$py$.$ It is written in Python $3$ and it uses the MD$5$ implementation and string XORing from the PyCryptodome package as a dependence.

The following test plaintext block $($without apostrophes$)$

$\text{'}*$THIS$\_$IS$\_$A$\_$TEST$\_$INPUT$\_$FOR$\_$MD$5$X$3*\text{'}$

was encrypted with an unknown key, and the resulting ciphertext block in hex format is

$`$f$1$eba$0$e$1$e$77269$c$82$f$29$b$7$a$695$dc$7$ae$4899991$ebcbeafe$1$c$6$a$5$fdb$873621$f$750`$

Break the cipher and figure out the $6-$byte key!

### Note

As the round function of MD$5$x$3$ is based on MD$5,$ you need to install PyCryptodome in order to use the $`$md$5$x$3.$py$`$ script or the RF function from it$.$ To install PyCryptodome, run

$```$bash

pip$3$ install pycryptodome

$```$

Hint:

Hints for challenge MD$5$x$3$

$=========================$

A key observation is that the rounds of MD$5$x$3$ use independent subsets of the key: the first round uses the first $2$ bytes of the key, the second round uses the next $2$ bytes, and finally, the third round uses the last $2$ bytes of the key. Also, by looking at the internal structure of the cipher, we can see that

L$0+$ MD$5($K$0|$R$0|$K$1)=$ L$3+$ MD$5($K$4|$R$3|$K$5)$

where L$0,$ R$0,$ L$3,$ R$3$ are known $($as L$0|$R$0$ is the test plaintex block and L$3|$R$3$ is the corresponding ciphertext block$).$

We can mount a meet$-$in$-$the$-$middle attack and determine K$0,$ K$1,$ K$4,$ K$5$ in the following way: First, we compute and store L$0+$ MD$5($K$0|$R$0|$K$1)$ for all possible $2^16$ values of $($K$0,$ K$1).$ Then, we compute L$3+$ MD$5($K$4|$R$3|$K$5)$ for all possible values of $($K$4,$ K$5),$ and for each computed value, we check if it is among the previously computed values of L$0+$ MD$5($K$0|$R$0|$K$1).$ When a match is found, we have both the right $($K$0,$ K$1)$ and the right $($K$4,$ K$5).$

The remianing $2$ bytes $($K$2,$ K$3)$ can be found by brute force...

md$5$x$3.$py:

from Crypto.Hash import MD$5$

from Crypto.Util.strxor import strxor

class TypeError$($Exception$)$:

def $\_\_$init$\_\_($self$,$ message$)$:

self.message $=$ message

class LengthError$($Exception$)$:

def $\_\_$init$\_\_($self$,$ message$)$:

self.message $=$ message

def RF$($L$,$ R$,$ RK$)$:

md$5=$ MD$5.$new$()$

md$5.$update$($RK$[0$:$1]+$R$+$RK$[1$:$2])$

return strxor$($L$,$ md$5.$digest$()),$ R

def ENC$($X$,$ K$)$:

if type$($K$)!=$ bytes:

raise TypeError$("$Key must be of type bytes!"$)$

return

if len$($K$)!=6$:

raise LengthError$("$Key length must be of length $6$ bytes!"$)$

return

if type$($X$)!=$ bytes:

raise TypeError$("$Input block must be of type bytes!"$)$

return

if len$($X$)!=32$:

raise LengthError$("$Block length must be of length $32$ bytes!"$)$

return

K$0=$ K$[0$:$2]$

K$1=$ K$[2$:$4]$

K$2=$ K$[4$:$6]$

L$,$ R $=$ X$[0$:$16],$ X$[16$:$32]$

L$,$ R $=$ RF$($L$,$ R$,$ K$0)$

L$,$ R $=$ R$,$ L

L$,$ R $=$ RF$($L$,$ R$,$ K$1)$

L$,$ R $=$ R$,$ L

L$,$ R $=$ RF$($L$,$ R$,$ K$2)$

Y $=$ L $+$ R

return Y

def DEC$($Y$,$ K$)$:

if type$($K$)!=$ bytes:

raise TypeError$("$Key must be of type bytes!"$)$

return

if len$($K$)!=6$:

raise LengthError$("$Key length must be of length $6$ bytes!"$)$

return

if type$($Y$)!=$ bytes:

raise TypeError$("$Input block must be of type bytes!"$)$

return

if len$($Y$)!=32$:

raise LengthError$("$Block length must be of length $32$ bytes!"$)$

return

K$0=$ K$[0$:$2]$

K$1=$ K$[2$:$4]$

K$2=$ K$[4$:$6]$