Cryptography Reference
In-Depth Information
3
=
=
!
Figure 10.4
The DESX construction.
are added modulo 2 to the plaintext message
m
before and after the DES encryption
takes place. Consequently, the DESX encryption of a plaintext message
m
using
keys
k
,
k
1
,and
k
2
can be formally expressed as follows:
c
=
k
2
⊕
DES
k
(
m
⊕
k
1
)
DESX requires a total of 56 + 64 + 64 = 184 bits of keying material. As
such, it improves resistance against exhaustive key search considerably (e.g., [12]).
It does not, however, improve resistance against other cryptanalytical attacks, such
as differential or linear cryptanalysis (protection against such attacks has not been a
design goal of DESX).
10.2.1.6
TDEA
As mentioned earlier, a possibility to address (or solve) the small key length problem
is to iterate DES multiple times. There are two points to make:
•
First, multiple iterations with the same key are not much more secure than a
single encryption. This is because an adversary can also iterate the encryption
functions multiple times. If, for example, DES is iterated twice (with the same
key), then each step of testing a key is also twice as much work (because the
adversary has to do a double encryption). A factor of two for the adversary is
not considered much added security, especially because the legitimate users
have their work doubled, as well. Consequently, multiple iterations must
always be done with different keys to improve security.
•
Second, it was shown that the DES encryption functions are not closed with
regard to concatenation (i.e., they do not provide a group) [13]. If the DES
encryption functions provided a group, then there would exist a DES key
k
3
for all pairs (
k
1
,k
2
) of DES keys, such that
DES
k
3
=
DES
k
1
◦
DES
k
2
.This
would be unfortunate, and the iterated use of the DES would not provide any
security advantage.
