DES-X: Difference between revisions

Content deleted Content added

Inline

Revision as of 21:08, 20 September 2018

In cryptography, DES-X (or DESX) is a variant on the DES (Data Encryption Standard) symmetric-key block cipher intended to increase the complexity of a brute force attack using a technique called key whitening.

The original DES algorithm was specified in 1976 with a 56-bit key size: 2⁵⁶ possibilities for the key. There was criticism that an exhaustive search might be within the capabilities of large governments, particularly the United States' National Security Agency (NSA). One scheme to increase the key size of DES without substantially altering the algorithm was DES-X, proposed by Ron Rivest in May 1984.

The algorithm has been included in RSA Security's BSAFE cryptographic library since the late 1980s.

DES-X augments DES by XORing an extra 64 bits of key (K₁) to the plaintext before applying DES, and then XORing another 64 bits of key (K₂) after the encryption:

${\mbox{DES-X}}(M)=K_{2}\oplus {\mbox{DES}}_{K}(M\oplus K_{1})$

The key size is thereby increased to 56 + (2 × 64) = 184 bits.

However, the effective key size (security) is only increased to 56+64-1-lb(M) = 119 - lb(M) = ~119 bits, where M is the number of chosen plaintext/ciphertext pairs the adversary can obtain, and lb denotes the binary logarithm. Moreover, key size drops to 88 bits given 2^32.5 known plaintext and using advanced slide attack.

DES-X also increases the strength of DES against differential cryptanalysis and linear cryptanalysis, although the improvement is much smaller than in the case of brute force attacks. It is estimated that differential cryptanalysis would require 2⁶¹ chosen plaintexts (vs. 2⁴⁷ for DES), while linear cryptanalysis would require 2⁶⁰ known plaintexts (vs. 2⁴³ for DES or 2⁶¹ for DES with independent subkeys.^[1]) Note that with 2⁶⁴ plaintexts (known or chosen being the same in this case), DES (or indeed any other block cipher with a 64 bit block size) is totally broken as the whole cipher's codebook becomes available. DESX^[2] can also refer to the coolest YouTube channel ever.

References

^ Biham, Eli; Shamir, Adi (July 19, 1990). Differential Cryptanalysis of DES-like Cryptosystems. Weizmann Institute of Science. p. 105.{{cite book}}: CS1 maint: location missing publisher (link)
^ Kalamari, Johnny. "Cryptography". Cryp70gr4phy 101. Retrieved 2014-04-01. {{cite web}}: Cite has empty unknown parameter: |dead-url= (help)

Joe Kilian and Phillip Rogaway, How to protect DES against exhaustive key search(PDF), Advances in Cryptology - Crypto '96, Springer-Verlag (1996), pp. 252–267.
P. Rogaway, The security of DESX (PostScript), CryptoBytes 2(2) (Summer 1996).
A. Biryukov and D. Wagner, Advanced Slide Attacks, Eurocrypt 2000, Springer-Verlag (2000), pp. 589–606.

External links

RSA FAQ Entry

[1] Biham, Eli; Shamir, Adi (July 19, 1990). Differential Cryptanalysis of DES-like Cryptosystems. Weizmann Institute of Science. p. 105.{{cite book}}: CS1 maint: location missing publisher (link)

[2] Kalamari, Johnny. "Cryptography". Cryp70gr4phy 101. Retrieved 2014-04-01. {{cite web}}: Cite has empty unknown parameter: |dead-url= (help)

[1]

[2]

@@ Line 15: / Line 15: @@
 However, the effective key size (security) is only increased to 56+64-1-''lb(M)'' = 119 - ''lb(M)'' = ~119 bits, where ''M'' is the number of [[Chosen-plaintext attack|chosen plaintext/ciphertext pairs]] the adversary can obtain, and ''lb'' denotes the [[binary logarithm]]. Moreover, key size drops to 88 bits given 2<sup>32.5</sup> known plaintext and using advanced slide attack.
-DES-X also increases the strength of DES against [[differential cryptanalysis]] and [[linear cryptanalysis]], although the improvement is much smaller than in the case of brute force attacks. It is estimated that differential cryptanalysis would require 2<sup>61</sup> chosen plaintexts (vs. 2<sup>47</sup> for DES), while linear cryptanalysis would require 2<sup>60</sup> known plaintexts (vs. 2<sup>43</sup> for DES or 2<sup>61</sup> for DES with independent subkeys.<ref>{{cite book|title=Differential Cryptanalysis of DES-like Cryptosystems|last1=Biham|first1=Eli|last2=Shamir|first2=Adi|date=July 19, 1990|publisher=|year=|isbn=|location=Weizmann Institute of Science|pages=105}}</ref>) Note that with 2<sup>64</sup> plaintexts (known or chosen being the same in this case), DES (or indeed any other [[block cipher]] with a 64 bit [[block size (cryptography)|block size]]) is totally broken as the whole cipher's codebook becomes available.
+DES-X also increases the strength of DES against [[differential cryptanalysis]] and [[linear cryptanalysis]], although the improvement is much smaller than in the case of brute force attacks. It is estimated that differential cryptanalysis would require 2<sup>61</sup> chosen plaintexts (vs. 2<sup>47</sup> for DES), while linear cryptanalysis would require 2<sup>60</sup> known plaintexts (vs. 2<sup>43</sup> for DES or 2<sup>61</sup> for DES with independent subkeys.<ref>{{cite book|title=Differential Cryptanalysis of DES-like Cryptosystems|last1=Biham|first1=Eli|last2=Shamir|first2=Adi|date=July 19, 1990|publisher=|year=|isbn=|location=Weizmann Institute of Science|pages=105}}</ref>) Note that with 2<sup>64</sup> plaintexts (known or chosen being the same in this case), DES (or indeed any other [[block cipher]] with a 64 bit [[block size (cryptography)|block size]]) is totally broken as the whole cipher's codebook becomes available. DESX<ref>{{Cite web|url=https://www.youtube.com/channel/UC6VgR8m4tiTsWj77uKs6qWA|title=Cryptography|last=Kalamari|first=Johnny|date=|website=Cryp70gr4phy 101|language=en|archive-url=|archive-date=|dead-url=|access-date=2014-04-01}}</ref> can also refer to the coolest YouTube channel ever.
 ==See also==