Abstract
The block cipher DESX is defined by DESXk.k1.k2(x) = k2 ⊕ DESk(k1 ⊕ x), where ⊕ denotes bitwise exclusive-or. This construction was first suggested by Ron Rivest as a computationally-cheap way to protect DES against exhaustive key-search attacks. This paper proves, in a formal model, that the DESX construction is sound. We show that, when F is an idealized block cipher, FXk.k1.k2(x) = k2 ⊕ F k(k1 ⊕ x) is substantially more resistant to key search than isF. In fact, our analysis says that FX has an effective key length of at least k + n− 1 − lg m bits, where k is the key length of F, n is the block length, and mbounds the number of pairs the adversary can obtain.
Cite
CITATION STYLE
Kilian, J., & Rogaway, P. (1996). How to protect DES against exhaustive key search. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 1109, pp. 252–267). Springer Verlag. https://doi.org/10.1007/3-540-68697-5_20
Register to see more suggestions
Mendeley helps you to discover research relevant for your work.
