From: Bodo_Moeller@public.uni-hamburg.de (Bodo Moeller)
Date: Wed, 14 Oct 1998 07:41:20 +0800
To: cypherpunks@sirius.infonex.com
Subject: Re: DESX
In-Reply-To: <19981010215151.A628@die.com>
Message-ID: <m0zTAQ4-0003b7C@ulf.mali.sub.org>
MIME-Version: 1.0
Content-Type: text/plain



Dave Emery <die@die.com>:

> 	Anybody have any estimate as to how much actual strength this
> adds to DES ?

You might want to read "The Security of DESX" by Phillip Rogaway in
CryptoBytes Vol. 2 Number 2 (Summer 1996) pp 8-11, which is available
somewhere on RSADSI's web site <URL:http://www.rsa.com> (possibly
<URL:http://www.rsa.com/PUBS/> might be a good starting point) or the
underlying research paper "How to protect DES against exhaustive key
search" by Kilian and Rogaway in CRYPTO '96:

     [The] results don't say that it's impossible to build a machine
     which would break DESX in a reasonable amount of time.  But they
     do imply that such a machine would have to employ some radically
     new idea: it couldn't be a machine implementing a key-search
     attack, in the general sense which we've described.

(Quoted from the CryptoBytes article.)

>                How would one break it in a practical cracker machine ?

Maybe not at all; see above.