Abstract
The block cipher DESX is defined by DESX_{k.k1.k2}(x) = k2 ⊕ DES_k(k1 ⊕ x), where ⊕ denotes bitwise exclusive-or. This construction was first suggested by Ron Rivest as a computationally cheap way to protect DES against exhaustive key-search attacks. This paper proves, in a formal model, that the DESX construction is sound. We show that, when F is an idealized block cipher, FX_{k.k1.k2}(x) = k2 ⊕ F_k(k1 ⊕ x) is substantially more resistant to key search than is F. In fact, our analysis says that FX has an effective key length of at least k + n − 1 − lg m bits, where k is the key length of F, n is the block length, and m bounds the number of ⟨x, FX_K(x)⟩ pairs the adversary can obtain.
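The FX construction and the effective-key-length bound above, as an added, runnable example that is not code from the paper or its authors. Since DES is not in the Python standard library, the inner cipher F is a constructed stand-in: a 16-round Feistel network on 64-bit blocks with a 56-bit key (so k = 56 and n = 64 match DES) whose round function is a SHA-256 keyed PRF. The function names (toy_encrypt, toy_decrypt, fx_encrypt, fx_decrypt, fx_effective_key_bits) are this example's own. The whitening wrapper is generic over any encrypt/decrypt pair with the same signature, so the same code whitens a real DES implementation; the bound function evaluates k + n − 1 − lg m for any parameters, not only DESX.

```python
import hashlib
import math
from typing import Callable

KEY_BITS = 56          # key length k of the inner cipher (DES-sized)
BLOCK_BITS = 64        # block length n (DES-sized)
HALF_MASK = (1 << 32) - 1
BLOCK_MASK = (1 << BLOCK_BITS) - 1

BlockFn = Callable[[int, int], int]   # (key, block) -> block


def _round_function(key: int, round_index: int, half: int) -> int:
    """32-bit keyed PRF for one Feistel round (constructed; SHA-256 based)."""
    data = key.to_bytes(7, "big") + bytes([round_index]) + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def _check_inputs(key: int, block: int) -> None:
    if not 0 <= key < (1 << KEY_BITS):
        raise ValueError("key must be a 56-bit value")
    if not 0 <= block < (1 << BLOCK_BITS):
        raise ValueError("block must be a 64-bit value")


def toy_encrypt(key: int, block: int, rounds: int = 16) -> int:
    """Stand-in for DES_k: a 16-round Feistel permutation on 64-bit blocks.
    Constructed for this demo only; it is NOT DES and makes no security claim."""
    _check_inputs(key, block)
    left, right = block >> 32, block & HALF_MASK
    for r in range(rounds):
        left, right = right, left ^ _round_function(key, r, right)
    return (left << 32) | right


def toy_decrypt(key: int, block: int, rounds: int = 16) -> int:
    """Inverse of toy_encrypt: undo the rounds in reverse order."""
    _check_inputs(key, block)
    left, right = block >> 32, block & HALF_MASK
    for r in reversed(range(rounds)):
        left, right = right ^ _round_function(key, r, left), left
    return (left << 32) | right


def fx_encrypt(f: BlockFn, k: int, k1: int, k2: int, x: int) -> int:
    """FX_{k.k1.k2}(x) = k2 XOR F_k(k1 XOR x); k1, k2 are n-bit whitening keys."""
    for w in (k1, k2, x):
        if not 0 <= w < (1 << BLOCK_BITS):
            raise ValueError("whitening keys and plaintext must be n-bit values")
    return k2 ^ f(k, k1 ^ x)


def fx_decrypt(f_inv: BlockFn, k: int, k1: int, k2: int, y: int) -> int:
    """Inverse: strip the output whitening, invert F, strip the input whitening."""
    return k1 ^ f_inv(k, k2 ^ y)


def fx_effective_key_bits(k_bits: int, n_bits: int, m_pairs: int) -> float:
    """The paper's lower bound on FX's effective key length: k + n - 1 - lg m,
    where m is the number of <x, FX_K(x)> pairs available to the adversary."""
    if m_pairs < 1:
        raise ValueError("m must be at least 1")
    return k_bits + n_bits - 1 - math.log2(m_pairs)


if __name__ == "__main__":
    # Constructed sample keys and plaintext (no real-world significance).
    k, k1, k2 = 0x0123456789ABCD, 0x0F1E2D3C4B5A6978, 0xDEADBEEFCAFEF00D
    x = 0x0011223344556677
    y = fx_encrypt(toy_encrypt, k, k1, k2, x)
    assert fx_decrypt(toy_decrypt, k, k1, k2, y) == x
    # DESX with 2^32 known pairs: 56 + 64 - 1 - 32 = 87 bits of effective key.
    print("FX ciphertext:", hex(y))
    print("DESX effective key bits, m = 2^32:", fx_effective_key_bits(56, 64, 2**32))
```

The bound makes the trade-off explicit: with m = 1 pair the construction is worth about k + n − 1 = 119 bits against generic key search, and every doubling of the pairs the adversary collects costs one bit. The wrapper enforces that k1 and k2 are full n-bit values, because shorter whitening keys lower n in the formula.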
© 1996 Springer-Verlag Berlin Heidelberg
Kilian, J., Rogaway, P. (1996). How to Protect DES Against Exhaustive Key Search. In: Koblitz, N. (eds) Advances in Cryptology — CRYPTO ’96. CRYPTO 1996. Lecture Notes in Computer Science, vol 1109. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-68697-5_20
DOI: https://doi.org/10.1007/3-540-68697-5_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-61512-5
Online ISBN: 978-3-540-68697-2