The original DES algorithm was specified in 1976 with a 56-bit key size: 256 possibilities for the key. There was criticism that an exhaustive search might be within the capabilities of large governments, particularly the United States' National Security Agency (NSA). One scheme to increase the key size of DES without substantially altering the algorithm was DES-X, proposed by Ron Rivest in May 1984.
The algorithm was included in RSA Security's BSAFE cryptographic library since the late 1980s.
The key size is thereby increased to 56 + 2 × 64 = 184 bits.
However, the effective key size (security) is only increased to 56+64-1-lb(M) = 119 - lb(M) = ~119 bits, where M is the number of known plaintext/ciphertext pairs the adversary can obtain, and lb denotes the binary logarithm. (Because of this, some implementations actually make K2 a strong one way function of K1 and K.)
DES-X also increases the strength of DES against differential cryptanalysis and linear cryptanalysis, although the improvement is much smaller than in the case of brute force attacks. It is estimated that differential cryptanalysis would require 261 chosen plaintexts (vs. 247 for DES), while linear cryptanalysis would require 260 known plaintexts (vs. 243 for DES.) Note that with 264 plaintexts (known or chosen being the same in this case), DES (or indeed any other block cipher with a 64 bit block size) is totally broken via the elementary codebook attack.
- Joe Kilian and Phillip Rogaway, How to protect DES against exhaustive key search (PostScript), Advances in Cryptology - Crypto '96, Springer-Verlag (1996), pp. 252–267.
- P. Rogaway, The security of DESX (PostScript), CryptoBytes 2(2) (Summer 1996).