
How to Protect DES Against Exhaustive Key Search (an Analysis of DESX)

Published: 01 January 2001

Abstract

The block cipher DESX is defined by DESX_{k.k1.k2}(x) = k2 ⊕ DES_k(k1 ⊕ x), where ⊕ denotes bitwise exclusive-or. This construction was first suggested by Rivest as a computationally cheap way to protect DES against exhaustive key-search attacks. This paper proves, in a formal model, that the DESX construction is sound. We show that, when F is an idealized block cipher, FX_{k.k1.k2}(x) = k2 ⊕ F_k(k1 ⊕ x) is substantially more resistant to key search than is F. In fact, our analysis says that FX has an effective key length of at least κ + n − 1 − lg m bits, where κ is the key length of F, n is the block length, and m bounds the number of ⟨x, FX_K(x)⟩ pairs the adversary can obtain.
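The following Python is an added illustration of the FX construction stated in the abstract; it is not code from the paper. Because DES itself is not on the page, an idealized block cipher F is stood in for by a toy 64-bit Feistel permutation with a SHA-256 round function (an assumption made only for illustration, with no security claim). The sample key, whitening keys and plaintext are constructed. The block also evaluates the abstract's lower bound κ + n − 1 − lg m for the DES parameters κ = 56 and n = 64 and several values of m, the number of ⟨x, FX_K(x)⟩ pairs available to the adversary.

```python
"""
Added example: FX_{k.k1.k2}(x) = k2 xor F_k(k1 xor x) (the DESX construction
of the abstract) built around a toy 64-bit Feistel permutation that stands in
for the idealized block cipher F. The toy cipher is an assumption for
illustration only; it is not DES and is not meant to be secure.
"""
import hashlib
import math

BLOCK_BITS = 64
HALF_BITS = 32
HALF_MASK = (1 << HALF_BITS) - 1
BLOCK_MASK = (1 << BLOCK_BITS) - 1
ROUNDS = 8


def _round_function(key: bytes, rnd: int, half: int) -> int:
    """Keyed Feistel round function: SHA-256(key || round || right half),
    truncated to 32 bits. Any keyed function makes the Feistel map a permutation."""
    data = key + rnd.to_bytes(1, "big") + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def toy_cipher_encrypt(key: bytes, block: int) -> int:
    """Toy keyed permutation F_k on 64-bit blocks (balanced Feistel network)."""
    left, right = (block >> HALF_BITS) & HALF_MASK, block & HALF_MASK
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_function(key, rnd, right)
    # Output is (R_n, L_n): the halves are swapped back after the last round.
    return (right << HALF_BITS) | left


def toy_cipher_decrypt(key: bytes, block: int) -> int:
    """Inverse permutation F_k^{-1}: parse (R_n, L_n) and run rounds backwards."""
    right, left = (block >> HALF_BITS) & HALF_MASK, block & HALF_MASK
    for rnd in reversed(range(ROUNDS)):
        # Undo one round: R_i = L_{i+1}, L_i = R_{i+1} xor f_i(L_{i+1}).
        left, right = right ^ _round_function(key, rnd, left), left
    return (left << HALF_BITS) | right


def fx_encrypt(k: bytes, k1: int, k2: int, x: int) -> int:
    """FX_{k.k1.k2}(x) = k2 xor F_k(k1 xor x): pre-whitening, F, post-whitening.
    k1, k2 and x are n-bit (here 64-bit) values; k is the key of F."""
    return (k2 ^ toy_cipher_encrypt(k, (k1 ^ x) & BLOCK_MASK)) & BLOCK_MASK


def fx_decrypt(k: bytes, k1: int, k2: int, y: int) -> int:
    """Inverse of FX: x = k1 xor F_k^{-1}(k2 xor y)."""
    return (k1 ^ toy_cipher_decrypt(k, (k2 ^ y) & BLOCK_MASK)) & BLOCK_MASK


def effective_key_bits(kappa: int, n: int, m: int) -> float:
    """Lower bound on the effective key length of FX stated in the abstract:
    kappa + n - 1 - lg m, where kappa is the key length of F, n the block
    length and m the number of <x, FX_K(x)> pairs the adversary can obtain."""
    return kappa + n - 1 - math.log2(m)


if __name__ == "__main__":
    key = b"\x01\x23\x45\x67\x89\xab\xcd\xef"       # constructed key for F
    k1, k2 = 0x0F0F0F0F0F0F0F0F, 0xF0F0F0F0F0F0F0F0  # constructed whitening keys
    x = 0x00000000DEADBEEF                           # constructed plaintext block
    y = fx_encrypt(key, k1, k2, x)
    assert fx_decrypt(key, k1, k2, y) == x
    print(f"FX({x:016x}) = {y:016x}")
    # DES parameters: kappa = 56 key bits, n = 64 block bits.
    for m in (1, 2**30, 2**40):
        bound = effective_key_bits(56, 64, m)
        print(f"m = 2^{int(math.log2(m))} pairs: effective key length >= {bound:.0f} bits")
```

Setting k1 = k2 = 0 makes fx_encrypt coincide with the underlying F, which is the sense in which whitening adds cost to key search without changing F. For the DES parameters the bound evaluates to 119 bits with a single known pair and 89 bits with 2^30 pairs, so the guarantee weakens by one bit each time the adversary's supply of pairs doubles.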

References

[1] W. Aiello, M. Bellare, G. Di Crescenzo, and R. Venkatesan, Security amplification by composition: the case of doubly-iterated, ideal ciphers. Advances in Cryptology -- CRYPTO '98. Lecture Notes in Computer Science, vol. 1462, pp. 390-407, H. Krawczyk, ed., Springer-Verlag, Berlin (1998).
[2] E. Biham and A. Biryukov, How to strengthen DES using existing hardware. Advances in Cryptology -- ASIACRYPT '94, pp. 398-412, Springer-Verlag, New York (1994).
[3] E. Biham and A. Shamir, Differential Cryptanalysis of the Data Encryption Standard. Springer-Verlag, New York (1993).
[4] A. Biryukov and D. Wagner, Advanced slide attacks. Advances in Cryptology -- EUROCRYPT '00. Lecture Notes in Computer Science, vol. 1807, pp. 589-606, B. Preneel, ed., Springer-Verlag, Berlin (2000).
[5] M. Blaze, A cryptographic file system for UNIX. Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 9-16 (November 1993).
[6] D. Coppersmith, D. Johnson, and M. Matyas, A proposed mode for triple-DES encryption. IBM Journal of Research and Development, vol. 40, no. 2, pp. 253-261 (1996).
[7] J. Daemen, Limitations of the Even-Mansour construction (abstract of a rump-session talk). Advances in Cryptology -- ASIACRYPT '91. Lecture Notes in Computer Science, vol. 739, pp. 495-498, Springer-Verlag, Berlin (1992).
[8] W. Diffie and M. Hellman, Exhaustive cryptanalysis of the NBS Data Encryption Standard. Computer, vol. 10, no. 6, pp. 74-84 (June 1977).
[9] Electronic Frontier Foundation, Cracking DES: Secrets of Encryption Research, Wiretap Politics, & Chip Design. O'Reilly, Cambridge, MA (1998).
[10] S. Even and Y. Mansour, A construction of a cipher from a single pseudorandom permutation. Journal of Cryptology, vol. 10, no. 3, pp. 151-162 (Summer 1997). Earlier version in Advances in Cryptology -- ASIACRYPT '91. Lecture Notes in Computer Science, vol. 739, pp. 210-224, Springer-Verlag, Berlin (1992).
[11] B. Kaliski, Personal communication (April 1996).
[12] B. Kaliski and M. Robshaw, Multiple encryption: weighing security and performance. Dr. Dobb's Journal, vol. 21, no. 1, pp. 123-127 (January 1996).
[13] J. Kilian and P. Rogaway, How to protect DES against exhaustive key search. Advances in Cryptology -- CRYPTO '96. Lecture Notes in Computer Science, vol. 1109, pp. 252-267, Springer-Verlag, Berlin (1996). Earlier version of this paper.
[14] P. Kocher, Breaking DES. RSA Laboratories, CryptoBytes Technical Newsletter, vol. 4, no. 2 (Winter 1999). Available from http://www.rsasecurity.com/
[15] M. Matsui, The first experimental cryptanalysis of the Data Encryption Standard. Advances in Cryptology -- CRYPTO '94. Lecture Notes in Computer Science, vol. 839, pp. 1-11, Springer-Verlag, Berlin (1994).
[16] R. Rivest, Personal communication (1995, 1996).
[17] RSA Data Security, Inc. Product documentation, Mailsafe Note #3.
[18] C. Shannon, Communication theory of secrecy systems. Bell Systems Technical Journal, vol. 28, no. 4, pp. 656-715 (1949).
[19] P. van Oorschot and M. Wiener, Parallel collision search with cryptanalytic applications. Journal of Cryptology, vol. 12, no. 1, pp. 1-28 (1999). Earlier version in Proceedings of the 2nd ACM Conference on Computer and Communications Security, pp. 210-218 (1994).
[20] M. Wiener, Efficient DES key search. Technical Report TR-244, School of Computer Science, Carleton University (May 1994). Reprinted in Practical Cryptography for Data Internetworks, W. Stallings, ed., IEEE Computer Society Press, Los Alamitos, CA, pp. 31-79 (1996). Also see Efficient DES key search -- an update. RSA Laboratories, CryptoBytes Technical Newsletter, vol. 3, no. 2 (Autumn 1997). Available from http://www.rsasecurity.com/
[21] Y. Yin, Future directions for block ciphers. The 1995 RSA Laboratories Seminar Series. Seminar proceedings (p. 23) for a talk given in Redwood Shores, CA (August 1995).


Published In

Journal of Cryptology, Volume 14, Issue 1 (January 2001), 72 pages

Publisher

Springer-Verlag, Berlin, Heidelberg


Key words

Cryptanalysis, DES, DESX, Export controls, Key search.


Cited By

  • (2024) Quantum Key Recovery Attacks on 4-Round Iterated Even-Mansour with Two Keys. Information Security, pp. 87-103. doi:10.1007/978-3-031-75757-0_5. Online publication date: 24 Oct 2024.
  • (2024) The Exact Multi-user Security of 2-Key Triple DES. Topics in Cryptology -- CT-RSA 2024, pp. 112-135. doi:10.1007/978-3-031-58868-6_5. Online publication date: 6 May 2024.
  • (2023) AIM: Symmetric Primitive for Shorter Signatures with Stronger Security. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 401-415. doi:10.1145/3576915.3616579. Online publication date: 15 Nov 2023.
  • (2023) Post-quantum security on the Lai-Massey scheme. Designs, Codes and Cryptography, vol. 91, no. 8, pp. 2687-2704. doi:10.1007/s10623-023-01225-5. Online publication date: 29 Apr 2023.
  • (2023) Impossibility of Indifferentiable Iterated Blockciphers from 3 or Less Primitive Calls. Advances in Cryptology -- EUROCRYPT 2023, pp. 408-439. doi:10.1007/978-3-031-30634-1_14. Online publication date: 23 Apr 2023.
  • (2023) Context Discovery and Commitment Attacks. Advances in Cryptology -- EUROCRYPT 2023, pp. 379-407. doi:10.1007/978-3-031-30634-1_13. Online publication date: 23 Apr 2023.
  • (2022) The Multi-User Security of Triple Encryption, Revisited. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 2323-2336. doi:10.1145/3548606.3560674. Online publication date: 7 Nov 2022.
  • (2022) Quantum attacks on Sum of Even-Mansour pseudorandom functions. Information Processing Letters, vol. 173, no. C. doi:10.1016/j.ipl.2021.106172. Online publication date: 1 Jan 2022.
  • (2022) Impossible Differential Cryptanalysis on Reduced-Round PRINCEcore. Information Security and Cryptology -- ICISC 2022, pp. 61-77. doi:10.1007/978-3-031-29371-9_4. Online publication date: 30 Nov 2022.
  • (2022) Provably Secure Reflection Ciphers. Advances in Cryptology -- CRYPTO 2022, pp. 234-263. doi:10.1007/978-3-031-15985-5_9. Online publication date: 15 Aug 2022.
