Journal of Cryptology

, Volume 14, Issue 1, pp 17–35 | Cite as

How to Protect DES Against Exhaustive Key Search (an Analysis of DESX)

  • Joe Kilian
  • Phillip  Rogaway


The block cipher \DESX is defined by \DESX k.k1.k2 (x) = k2\xor \DES k (k1\xor x) , where \xor denotes bitwise exclusive-or. This construction was first suggested by Rivest as a computationally cheap way to protect \DES against exhaustive key-search attacks. This paper proves, in a formal model, that the DESX construction is sound. We show that, when F is an idealized block cipher, \FX k.k1.k2 (x)=k2\xor F k (k1\xor x) is substantially more resistant to key search than is F . In fact, our analysis says that \FX has an effective key length of at least κ + n - 1 - \lg m bits, where κ is the key length of F , n is the block length, and m bounds the number of \langle x, \FX K (x)\rangle pairs the adversary can obtain.

Key words. Cryptanalysis, DES, DESX, Export controls, Key search. 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© International Association for Criptologic Research 2000

Authors and Affiliations

  • Joe Kilian
    • 1
  • Phillip  Rogaway
    • 2
  1. 1.NEC Research Institute, 4 Independence Way, Princeton, NJ 08540, U.S.A. {}US
  2. 2.Department of Computer Science, University of California at Davis, Davis, CA 95616, U.S.A. rogaway@cs.ucdavis.eduUS

Personalised recommendations