DES-X (or DESX)

DES-X is a 64-bit block cipher with a 2 · 64 + 56 = 184-bit key, which is a simple extension of DES. The construction was suggested by Rivest in 1984 in order to overcome the problem of the short 56-bit key-size which made the cipher vulnerable to exhaustive key search attack. The idea is just to XOR a secret 64-bit key K1 to the input of DES and to XOR another 64-bit secret key K2 to the output of DES: C = K2 ⊕ DES K (P ⊕ K1). The keys K1, K2 are called whitening keys and are a popular element of modern cipher design. The construction itself goes back to the work of Shannon [5, pp.713], who suggested to use fixed mixing permutation whose input and output are masked by the secret keys. This construction has been shown to have provable security by Even-Mansour [4] if the underlying permutation is pseudorandom (i.e. computationally indistinguishable from a random permutation). A thorough study of DES-X was given in the work of Kilian-Rogaway, which builds on [4] and uses a blackbox model of security. Currently best attack on DES-X is a known-plaintext slide attack discovered by Biryukov-Wagner [1] which has complexity of 2 32.5 known plain-texts and 2 87.5 time of analysis. Moreover the attack is easily converted into a ciphertext-only attack with the same data complexity and 2 95 offline time complexity. These attacks are mainly of theoretical interest due to their high time complexities. However, the attack is generic and would work for any cipher F used together with post-and pre-whitening with complexity 2 (n+1)/2 known plaintexts and 2 k+(n+1)/2 time steps (here n is the block size, and k is the key-size of the internal cipher F. A related key-attack on DES-X is given in [6]. Best conventional attack, which exploits the internal structure of DES, would be a linear cryptanalysis attack, using 2 61 known plaintexts [2]. –Alex Biryukov.