
Re: A little social engineering



Perry Metzger responded to my post as follows:
> Rich Graveman writes:
> > However, even having read the last two days' comments about performance,
> > I think we should take time to consider DESX, which also appears to have
> > the advantages above at single DES performance.
> 
> If I remember correctly DESX just "whitens" DES with a repeated XOR of
> each block against a static key value. My gut instinct is that I don't
> trust that much. I think of it as multiple encryption of DES and a
> repeated XOR pad, and certainly given that the repeated XOR pad alone
> is completely trivial to break, I'm not sure why I would trust the
> combination of DES with a trivial algorithm...
> 
> Anyway, it doesn't give me comfort.
> 
> Perry

You are correct about what DESX does, but crucially for its design
it "whitens" the plaintext with one value and then the ciphertext
with another.

You are also correct in expressing a gut feeling that many may have
shared until Joe Kilian and Phillip Rogaway published a paper at
Crypto '96 giving a proof under reasonable assumptions that this design
indeed is a sound way to extend the effective key length. Quoting
from their abstract, p. 252 of the Proceedings,

	... This construction was first suggested by Ron Rivest as a
	computationally cheap way to protect DES against exhaustive
	key-search attacks.  This paper proves, in a formal model,
	that the DESX construction is sound.

They go on to estimate the effective key length at around 110 bits.

Regards,

Richard Graveman | V: +1 732 699 4611 | Bellcore 444 Hoes Lane, Rm. 1K-221
rfg@bellcore.com | F: +1 732 336 2828 | Piscataway, NJ 08854 USA
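
An added example, not part of the original message: the construction discussed above, sketched to show why whitening both the plaintext and the ciphertext matters. A 4-round toy Feistel cipher with a 12-bit key stands in for DES (an assumption so the search runs instantly), and all function names, keys and plaintexts are constructed for illustration.

```python
import hashlib

KEY_BITS = 12  # toy key size so the exhaustive search finishes instantly

def _f(key, rnd, half):
    # Round function: a hash-derived 16-bit value (assumption, not DES's f).
    data = bytes([rnd]) + key.to_bytes(2, "big") + half.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")

def toy_encrypt(key, block):
    # 4-round Feistel on a 32-bit block; a stand-in for DES, not secure.
    l, r = block >> 16, block & 0xFFFF
    for rnd in range(4):
        l, r = r, l ^ _f(key, rnd, r)
    return (l << 16) | r

def toy_decrypt(key, block):
    l, r = block >> 16, block & 0xFFFF
    for rnd in reversed(range(4)):
        l, r = r ^ _f(key, rnd, l), l
    return (l << 16) | r

def fx_encrypt(k, k1, k2, m):
    # DESX shape: XOR k1 into the plaintext, encrypt, XOR k2 into the ciphertext.
    return k2 ^ toy_encrypt(k, m ^ k1)

def fx_decrypt(k, k1, k2, c):
    return k1 ^ toy_decrypt(k, c ^ k2)

def keys_passing_xor_test(pairs):
    # Cipher keys k with E_k(m0) ^ E_k(m) == c0 ^ c for every known pair.
    # With ciphertext-only whitening k2 cancels in c0 ^ c, so the real k
    # passes and k2 added nothing to the cost of key search.
    (m0, c0), rest = pairs[0], pairs[1:]
    return [k for k in range(1 << KEY_BITS)
            if all(toy_encrypt(k, m0) ^ toy_encrypt(k, m) == c0 ^ c
                   for m, c in rest)]

# Constructed sample keys and plaintexts.
K, K1, K2 = 0xA5C, 0x1F2E3D4C, 0x9B8A7C6D
MSGS = [0x00000001, 0x12345678, 0xDEADBEEF]

def known_pairs(k1, k2):
    return [(m, fx_encrypt(K, k1, k2, m)) for m in MSGS]

if __name__ == "__main__":
    print("ciphertext whitening only:", keys_passing_xor_test(known_pairs(0, K2)))
    print("both whitening values:    ", keys_passing_xor_test(known_pairs(K1, K2)))
```

With only the ciphertext whitened, the search over the cipher key alone recovers it; with both values in place the same test matches no key, because the cipher's input is no longer known.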