DES-X

Incryptography,DES-X(orDESX) is a variant on theDES(Data Encryption Standard)symmetric-key block cipherintended to increase the complexity of abrute-force attack.The technique used to increase the complexity is calledkey whitening.

The original DES algorithm was specified in 1976 with a 56-bitkey size:2⁵⁶possibilities for thekey.There was criticism that an exhaustive search might be within the capabilities of large governments, particularly the United States'National Security Agency(NSA). One scheme to increase the key size of DES without substantially altering the algorithm was DES-X, proposed byRon Rivestin May 1984.

The algorithm has been included inRSA Security'sBSAFEcryptographic library since the late 1980s.

DES-X augments DES byXORingan extra 64 bits of key (K₁) to theplaintextbeforeapplying DES, and then XORing another 64 bits of key (K₂)afterthe encryption:

${\mbox{DES-X}}(M)=K_{2}\oplus {\mbox{DES}}_{K}(M\oplus K_{1})$

The key size is thereby increased to 56 + (2 × 64) = 184 bits.

However, the effective key size (security) is only increased to 56+64−1−lb(M)= 119 −lb(M)= ~119 bits, whereMis the number ofchosen plaintext/ciphertext pairsthe adversary can obtain, andlbdenotes thebinary logarithm.Moreover, effective key size drops to 88 bits given 2^32.5known plaintext and using advanced slide attack.

DES-X also increases the strength of DES againstdifferential cryptanalysisandlinear cryptanalysis,although the improvement is much smaller than in the case of brute force attacks. It is estimated that differentialcryptanalysiswould require 2⁶¹chosen plaintexts (vs. 2⁴⁷for DES), while linear cryptanalysis would require 2⁶⁰known plaintexts (vs. 2⁴³for DES or 2⁶¹for DES with independent subkeys.^[1]) Note that with 2⁶⁴plaintexts (known or chosen being the same in this case), DES (or indeed any otherblock cipherwith a 64 bitblock size) is totally broken as the whole cipher's codebook becomes available.

Although the differential and linear attacks, currently best attack on DES-X is a known-plaintext slide attack discovered by Biryukov-Wagner^[2]which has complexity of 2^32.5known plaintexts and 2^87.5time of analysis. Moreover the attack is easily converted into a ciphertext-only attack with the same data complexity and 2⁹⁵offline time complexity.

References

^Biham, Eli; Shamir, Adi (1991)."Differential cryptanalysis of DES-like cryptosystems".Journal of Cryptology.4:3–72.doi:10.1007/BF00630563.S2CID 33202054.
^Biryukov, Alex; Wagner, David (2000). "Advanced Slide Attacks".Advances in Cryptology — EUROCRYPT 2000(PDF).Lecture Notes in Computer Science. Vol. 1807. pp. 589–606.doi:10.1007/3-540-45539-6_41.ISBN 978-3-540-67517-4.

Kilian, Joe; Rogaway, Phillip (1996). "How to Protect DES Against Exhaustive Key Search".Advances in Cryptology — CRYPTO '96.Lecture Notes in Computer Science. Vol. 1109. pp. 252–267.doi:10.1007/3-540-68697-5_20.ISBN 978-3-540-61512-5.
P. Rogaway,The security of DESX(PDF), CryptoBytes2(2) (Summer 1996).

External links

RSA FAQ Entry

[1] Biham, Eli; Shamir, Adi (1991)."Differential cryptanalysis of DES-like cryptosystems".Journal of Cryptology.4:3–72.doi:10.1007/BF00630563.S2CID 33202054.

[2] Biryukov, Alex; Wagner, David (2000). "Advanced Slide Attacks".Advances in Cryptology — EUROCRYPT 2000(PDF).Lecture Notes in Computer Science. Vol. 1807. pp. 589–606.doi:10.1007/3-540-45539-6_41.ISBN 978-3-540-67517-4.

[1]

[2]

See also

References

External links