DESX algorithm (Menu Crypt/Decrypt \ Symmetric (modern) \ Further)

Since the DES algorithm was announced in the 1970s it was criticized for its short key length of 56 bit. In order to enlarge the key space of DES, Ron Rivest (the "R" in RSA) came up with the DESX proposal already in the mid-1980s. A message that is to be DESX encrypted is XORed with a 64-bit pre-whitening key K1 before it is encrypted with DES using a 56-bit key KDES. Finally, the result is XORed with a post-whitening key K2.

DESX(x) = K2 + DESKDES(x + K1)

The key space is extended to 184 bits due to the two 64-bit pre- and post-whitening keys. However, Kilian and Rogaway proved in [KR96] that the security level of DESX equals a key length of 118 bits. Compared to a 56-bit security level of the original DES this is still a remarkable improvement.

The simplicity of DESX is one of its main advantages: Just two simple XOR gates are additionally required. XOR gates can be implemented very efficiently both in hardware and in software without a significant loss of performance. Furthermore, when K1 = K2 = 0 is chosen, DESX is compliant to DES.

DESX is used with a slightly modified key in the SAFER security toolkit by RSA. The 64-bit pre-whitening key K1 and the DES key KDES are concatenated and fed into a one-way function. The output of this one-way function serves as the post-whitening key K2.

For further information see: http://www.crypto.rub.de/en_publications.html

References:

[KR96a] www.cs.ucdavis.edu/~rogaway/papers/desx.ps

[KR96b] Phillip Rogaway, RSA Laboratories' CryptoBytes, Summer 1996
www.cs.ucdavis.edu/~rogaway/papers/cryptobytes.ps

Also see: DESL, DESXL