Unformatted text preview: output bits from each S-box in round i are distributed so that 2 of them affect the middle-bits of S-boxes at roundi + 1 and the other 2 affect end bits. — The 4 output bits from each S-box affect six different S-boxes; no 2 affect the same S-box. — If the output bit from one S-box affects a middle bit of another S-box, then an output bit from that other S-box cannot affect a middle bit of the first S-box. The paper goes on to discuss the criteria. Generating S-boxes is pretty easy today, but was a complicated task in the early 1970s. Tuchman has been quoted as saying that they ran computer programs for months cooking up the S-boxes. 12.6 DES Variants Multiple DES
Some DES implementations use triple-DES (see Figure 12.10) . Since DES is not a group, then the resultant ciphertext is much harder to break using exhaustive search: 2112 attempts instead of 256 attempts. See Section 15.2 for more details. Figure 12.10 Triple-DES. DES with Independent Subkeys
Another variation is to use a different subkey for each round, instead of generating them from a single 56-bit key . Since 48 key bits are used in each of 16 rounds, this means that the key length for this variant is 768 bits. This variant would drastically increase the difficulty of a brute-force attack against the algorithm; that attack would have a complexity of 2768. However, a meet-in-the-middle attack (see Section 15.1) would be possible. This would reduce the complexity of attack to 2384; still long enough for any conceivable security needs. Although independent subkeys foil linear cryptanalysis, this variant is susceptible to differential cryptanalysis and can be broken with 261 chosen plaintexts (see Table 12.15) [167,172]. It would seem that any modification of the key schedule cannot make DES much stronger. DESX
DESX is a DES variant from RSA Data Security, Inc. that has been included in the MailSafe electronic mail security program since 1986 and the BSAFE toolkit since 1987. DESX uses a technique called whitening (see Section 15.6) to obscure the inputs and outputs to DES. In addition to a 56-bit DES key, DESX has an additional 64-bit whitening key. These 64 bits are XORed to the plaintext before the first round of DES. An additional 64 bits, computed as a one-way function of the entire 120-bit DES key, is XORed to the ciphertext after the last round . Whitening makes DESX much stronger than DES against a brute-force attack; the attack requires (2120)/n operations with n kno...
View Full Document
- Fall '10
- Cryptography, Bruce Schneier, Applied Cryptography, EarthWeb, Search Search Tips