How to Protect DES Against Exhaustive Key Search (an Analysis of DESX)
The block cipher $\mathrm{DESX}$ is defined by $\mathrm{DESX}_{k.k1.k2}(x) = k2 \oplus \mathrm{DES}_k(k1 \oplus x)$, where $\oplus$ denotes bitwise exclusive-or. This construction was first suggested by Rivest as a computationally cheap way to protect $\mathrm{DES}$ against exhaustive key-search attacks. This paper proves, in a formal model, that the DESX construction is sound. We show that, when $F$ is an idealized block cipher, $\mathrm{FX}_{k.k1.k2}(x) = k2 \oplus F_k(k1 \oplus x)$ is substantially more resistant to key search than is $F$. In fact, our analysis says that $\mathrm{FX}$ has an effective key length of at least $\kappa + n - 1 - \lg m$ bits, where $\kappa$ is the key length of $F$, $n$ is the block length, and $m$ bounds the number of $\langle x, \mathrm{FX}_K(x) \rangle$ pairs the adversary can obtain.
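The FX construction and the key-length bound from the abstract, as an added Python example that is not code from the paper. The 16-bit Feistel cipher `F` is a constructed stand-in for the block cipher (it is not DES), and the sample keys and helper names are assumptions made for illustration.

```python
import hashlib
import math

N, HALF = 16, 8                 # toy block length n = 16 bits (constructed)
MASK = (1 << HALF) - 1

def _rf(k, i, half):
    """Round function of the toy cipher: 8 bits derived from key, round, half-block."""
    data = k.to_bytes(4, "big") + bytes([i, half])
    return hashlib.sha256(data).digest()[0]

def F(k, x):
    """Toy 4-round Feistel permutation standing in for the block cipher F (not DES)."""
    l, r = x >> HALF, x & MASK
    for i in range(4):
        l, r = r, l ^ _rf(k, i, r)
    return (l << HALF) | r

def F_inv(k, y):
    """Inverse of F: undo the Feistel rounds in reverse order."""
    l, r = y >> HALF, y & MASK
    for i in reversed(range(4)):
        l, r = r ^ _rf(k, i, l), l
    return (l << HALF) | r

def fx_encrypt(k, k1, k2, x):
    """FX_{k.k1.k2}(x) = k2 xor F_k(k1 xor x): pre- and post-whitening around F."""
    return k2 ^ F(k, k1 ^ x)

def fx_decrypt(k, k1, k2, y):
    """Strip k2, invert F under k, then strip k1."""
    return k1 ^ F_inv(k, k2 ^ y)

def k2_explaining(k_guess, k1_guess, x, y):
    """For ANY guess of (k, k1) there is a k2 consistent with one pair <x, y>,
    so a single known pair cannot eliminate any (k, k1) candidate."""
    return y ^ F(k_guess, k1_guess ^ x)

def effective_key_bits(kappa, n, m):
    """Lower bound stated in the abstract: kappa + n - 1 - lg m."""
    return kappa + n - 1 - math.log2(m)

if __name__ == "__main__":
    k, k1, k2 = 0xBEEF, 0x1234, 0xA5A5          # constructed sample keys
    y = fx_encrypt(k, k1, k2, 0x0042)
    assert fx_decrypt(k, k1, k2, y) == 0x0042
    # DES parameters kappa = 56, n = 64; adversary holding m = 2^30 pairs
    print(effective_key_bits(56, 64, 2**30))
```

With the DES parameters the bound falls by one bit each time the number of pairs $m$ available to the adversary doubles.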