| So what's DESX?
DESX is a modification of DES which uses a 64+56+64 bit key, with what is called "pre- and post-whitening". Specifically, break the key into three pieces, 64 bit K1, 56 bit K2, 64 bit K3. Then DESX is defined by:
C = K1 xor DES (K2, K3 xor P)
where P is plaintext, C is ciphertext, and DES (K, P) is the DES encryption of P under key K.
The encryption then has three steps:
- XOR the input with K3
- DES encrypt that with K2
- XOR the result with K1
The first and last steps are called "whitening" because by xoring with a random value, any structure is destroyed. White light is a uniform and unstructured mixture of all colors.
Whitening has been adopted as a general tool in constructing ciphers these days and many of the AES candidates use it. It makes things more difficult for the cryptanalyst as he won't know exactly what values are being fed into the guts of the cipher.
On Sun, Oct 11, 1998 at 12:06:14AM +0200, Anonymous wrote:
| So what's DESX?
DESX is a modification of DES which uses a 64+56+64 bit key, with what is called "pre- and post-whitening". Specifically, break the key into three pieces, 64 bit K1, 56 bit K2, 64 bit K3. Then DESX is defined by:
C = K1 xor DES (K2, K3 xor P)
where P is plaintext, C is ciphertext, and DES (K, P) is the DES encryption of P under key K.
The encryption then has three steps:
- XOR the input with K3
- DES encrypt that with K2
- XOR the result with K1
The first and last steps are called "whitening" because by xoring with a random value, any structure is destroyed. White light is a uniform and unstructured mixture of all colors.
Anybody have any estimate as to how much actual strength this adds to DES ? How would one break it in a practical cracker machine ?
--
Dave Emery N1PRE, die@die.com
DIE Consulting, Weston, Mass.
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2 5D 27 BD B0 24 88 C3 18
Dave Emery <die@die.com>:
Anybody have any estimate as to how much actual strength this adds to DES ?
You might want to read "The Security of DESX" by Phillip Rogaway in CryptoBytes Vol. 2 Number 2 (Summer 1996) pp 8-11, which is available somewhere on RSADSI's web site <URL:http://www.rsa.com> (possibly <URL:http://www.rsa.com/PUBS/> might be a good starting point) or the underlying research paper "How to protect DES against exhaustive key search" by Kilian and Rogaway in CRYPTO '96:
    [The] results don't say that it's impossible to build a machine which would break DESX in a reasonable amount of time. But they do imply that such a machine would have to employ some radically new idea: it couldn't be a machine implementing a key-search attack, in the general sense which we've described.
(Quoted from the CryptoBytes article.)
How would one break it in a practical cracker machine ?
Maybe not at all; see above.
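Added example, not part of the original thread: the construction C = K1 xor E(K2, K3 xor P) applied to a constructed 16-bit toy Feistel cipher with a 12-bit key standing in for DES (it is not DES; all names, sizes and sample keys below are assumptions). It shows that one known plaintext/ciphertext pair narrows the key of the bare cipher, while with whitening every inner key K2 still fits the pair for a suitable K1, so a search cannot test K2 on its own.

```python
import hashlib

KEY_BITS = 12          # toy inner-key size (DES: 56)
BLOCK_MASK = 0xFFFF    # toy 16-bit block (DES: 64)

def _f(half, key, rnd):
    # Constructed round function for the stand-in cipher; this is NOT DES.
    return hashlib.sha256(bytes([key >> 8, key & 0xFF, rnd, half])).digest()[0]

def toy_encrypt(key, block):
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        left, right = right, left ^ _f(right, key, rnd)
    return (left << 8) | right

def toy_decrypt(key, block):
    left, right = block >> 8, block & 0xFF
    for rnd in reversed(range(4)):
        left, right = right ^ _f(left, key, rnd), left
    return (left << 8) | right

def x_encrypt(k1, k2, k3, p):
    # C = K1 xor E(K2, K3 xor P), the construction from the post
    return k1 ^ toy_encrypt(k2, k3 ^ p)

def x_decrypt(k1, k2, k3, c):
    # Undo the steps in reverse: strip K1, decrypt under K2, strip K3
    return k3 ^ toy_decrypt(k2, k1 ^ c)

def keys_matching_plain(p, c):
    # Per-key test used by exhaustive search on the bare cipher: E(k, P) == C
    return [k for k in range(1 << KEY_BITS) if toy_encrypt(k, p) == c]

def inner_keys_explaining(p, c, k3_guess=0):
    # For the whitened cipher, any inner key k2 fits one known pair:
    # K1 = C xor E(k2, K3 xor P) always exists, so k2 cannot be tested alone.
    fits = {}
    for k2 in range(1 << KEY_BITS):
        k1 = c ^ toy_encrypt(k2, k3_guess ^ p)
        if x_encrypt(k1, k2, k3_guess, p) == c:
            fits[k2] = k1
    return fits

# Constructed sample keys and plaintext block
K1, K2, K3, P = 0xBEEF, 0x5A3, 0x1234, 0x4142

if __name__ == "__main__":
    print(len(keys_matching_plain(P, toy_encrypt(K2, P))))
    print(len(inner_keys_explaining(P, x_encrypt(K1, K2, K3, P))))
```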
participants (3)
- Anonymous
- Bodo_Moeller@public.uni-hamburg.de
- Dave Emery