DES-X (or DESX)

DES-X is a 64-bit block cipher with a $2 \cdot 64 + 56 = 184$-bit key, which is a simple extension of DES. The construction was suggested by Rivest in 1984 in order to overcome the problem of the short 56-bit key size, which made the cipher vulnerable to exhaustive key search attacks. The idea is simply to XOR a secret 64-bit key $K_1$ into the input of DES and to XOR another 64-bit secret key $K_2$ into the output of DES:

$$C = K_2 \oplus \mathrm{DES}_K(P \oplus K_1).$$

The keys $K_1, K_2$ are called whitening keys and are a popular element of modern cipher design. The construction itself goes back to the work of Shannon [5, p. 713], who suggested using a fixed mixing permutation whose input and output are masked by the secret keys. This construction has been shown to have provable security by Even and Mansour [4] if the underlying permutation is pseudorandom (i.e. computationally indistinguishable from a random permutation). A thorough study of DES-X was given in the work of Kilian and Rogaway [3], which builds on [4] and uses a black-box model of security. The currently best known attack on DES-X is a known-plaintext slide attack discovered by Biryukov and Wagner [1], which has a complexity of $2^{32.5}$ known plaintexts and $2^{87.5}$ time of analysis. Moreover, the attack is easily converted into a ciphertext-only attack with the same data complexity and $2^{95}$ offline time complexity. These attacks are mainly of theoretical interest due to their high time complexities. However, the attack is generic and would work for any cipher $F$ used together with pre- and post-whitening, with a complexity of $2^{(n+1)/2}$ known plaintexts and $2^{k+(n+1)/2}$ time steps (here $n$ is the block size and $k$ is the key size of the internal cipher $F$). A related-key attack on DES-X is given in [6]. The best conventional attack, which exploits the internal structure of DES, would be a linear cryptanalysis attack using $2^{61}$ known plaintexts [2].

–Alex Biryukov.

References
[1] A. Biryukov, D. Wagner, Advanced Slide Attacks, Lecture Notes in Computer Science 1807, Advances in Cryptology – EUROCRYPT'2000, pp. 589–606, Springer-Verlag, 2000.
[2] B. Kaliski, M. Robshaw, Multiple encryption: weighing security and performance, Dr. Dobb's Journal, pp. 123–127, Vol. 1, 1996.
[3] J. Kilian, P. Rogaway, How to Protect Against Exhaustive Key Search, Lecture Notes in Computer Science 1109, Advances in Cryptology – CRYPTO'96, pp. 252–267, Springer-Verlag, 1996.
[4] S. Even, Y. Mansour, A Construction of a Cipher from a Single Pseudorandom Permutation, Journal of Cryptology, Vol. 10, No. 3, pp. 151–161, Springer-Verlag, 1997.
[5] C. Shannon, Communication Theory of Secrecy Systems, Bell Sys. Tech. J., Vol. 28, pp. 656–715, October 1949. (A declassified report from 1945.)
[6] J. Kelsey, B. Schneier, D. Wagner, Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA, Proceedings of ICICS, pp. 233–246, 1997.

Ciphertext-Only Attack

The ciphertext-only attack scenario assumes that the attacker has only the passive capability to listen to the encrypted communication. The attacker thus only knows the ciphertexts $C_i, i = 1, \ldots, N$ but not their corresponding plaintexts. He may, however, rely on certain redundancy assumptions about the plaintexts, for example that the plaintext is ASCII-encoded English text. This scenario is the weakest in terms of the capabilities of the attacker, and thus it is the most practical in real-life applications. In certain cases a conversion of a known-plaintext attack [2] or even a chosen-plaintext attack [1] into a ciphertext-only attack is possible.

References
[1] A. Biryukov and E. Kushilevitz, "From differential cryptanalysis to ciphertext-only attacks," in Advances in Cryptology – CRYPTO'98 (H. Krawczyk, ed.), vol. 1462 of Lecture Notes in Computer Science, pp. 72–88, Springer-Verlag, 1998.
[2] M. Matsui, "Linear cryptanalysis method for DES cipher," in Advances in Cryptology – EUROCRYPT'93 (T. Helleseth, ed.), vol. 765 of Lecture Notes in Computer Science, pp. 386–397, Springer-Verlag, 1993.

Codebook Attack

A codebook attack is an example of a known-plaintext attack scenario in which the attacker is given access to a set of plaintexts and their corresponding encryptions (for a fixed key): $(P_i, C_i), i = 1, \ldots, N$. These pairs constitute a codebook which he could use to listen to further communication and which could help him partially decrypt future messages even without knowledge of the secret key. He could also use this knowledge in a replay attack, by replacing blocks in the communication or by constructing meaningful messages from the blocks of the codebook. The codebook attack may even be applied in a passive traffic analysis scenario, i.e. as a ciphertext-only attack, which would start with a frequency analysis of the received blocks and attempts to guess their meaning. Ciphers with a small block size are vulnerable to the codebook attack, especially if used in the simplest Electronic Codebook mode of operation. Already with $N = 2^{n/2}$ known pairs, where $n$ is the block size of the cipher, the attacker has good chances to observe familiar blocks in future communications of size $O(2^{n/2})$, due to the birthday paradox. If the communication is redundant, the size of the codebook required may be even smaller. Modern block ciphers use a 128-bit block size to make such attacks harder to mount. A better way to combat such attacks is to use chaining modes of operation like Cipher-Block Chaining mode (which makes further blocks of ciphertext dependent on all the previous blocks) together with authentication of the ciphertext.

Dictionary Attack

A dictionary attack is an exhaustive cryptanalysis approach in which the attacker computes and stores a table of plaintext-ciphertext pairs $(P,\ C_i = E_{K_i}(P),\ K_i)$ sorted by the ciphertexts $C_i$. Here the plaintext $P$ is chosen in advance among the most often encrypted texts, like "login:", "Hello John", etc., and the key runs through all the possible keys $K_i$. If $P$ is encrypted later by the user and the attacker observes its resulting ciphertext $C_j$, the attacker may search his table for the corresponding ciphertext and retrieve the secret key $K_j$. The term dictionary attack is also used in the area of password guessing, but with a different meaning.

Known Plaintext Attack

A known-plaintext attack is a scenario in which the attacker has access to the pairs $(P_i, C_i), i = 1, \ldots, N$ of known plaintexts and their corresponding ciphertexts. This attack is considered to be highly practical, especially if the number of pairs $N$ is not too large. This attack scenario is more practical than the chosen-plaintext attack. The probable word method, which is a popular technique for solving classical simple substitution or transposition ciphers, is an example of a known-plaintext attack. Another example is the cryptanalysis of the German Enigma cipher [1] using the so-called bombes. It relied heavily on properly guessed opening words of the cryptograms (which were at the time called cribs). One of the most popular cribs was "Nothing to report". In modern cryptography, linear cryptanalysis is a typical example of a known-plaintext attack.

References
[1] C. A. Deavours, L. Kruh, Machine Cryptography and Modern Cryptanalysis, Artech House, 1985.

Chosen Plaintext Attack

A chosen-plaintext attack is a scenario in which the attacker has the ability to choose plaintexts $P_i$ and to view their corresponding encryptions – ciphertexts $C_i$. This attack is considered to be less practical than the known-plaintext attack, but still a very dangerous attack. If the cipher is vulnerable to a known-plaintext attack, it is automatically vulnerable to a chosen-plaintext attack as well, but not necessarily the opposite. In modern cryptography, differential cryptanalysis is a typical example of a chosen-plaintext attack. It is also a rare technique for which conversion from chosen plaintext to known plaintext is possible (due to its work with pairs of texts). If a chosen-plaintext differential attack uses $m$ pairs of texts for an $n$-bit block cipher, then it can be converted to a known-plaintext attack which will require $2^{n/2}\sqrt{2m}$ known plaintexts, due to birthday-paradox-like arguments. Furthermore, as shown in [1], the factor $2^{n/2}$ may be considerably reduced if the known plaintexts are redundant (for example, for the case of ASCII-encoded English text, to about $2^{(n-r)/2}$, where $r$ is the redundancy of the text), which may even lead to a conversion of a differential chosen-plaintext attack into a differential ciphertext-only attack.

References
[1] A. Biryukov and E. Kushilevitz, "From differential cryptanalysis to ciphertext-only attacks," in Advances in Cryptology – CRYPTO'98 (H. Krawczyk, ed.), vol. 1462 of Lecture Notes in Computer Science, pp. 72–88, Springer-Verlag, 1998.

Chosen Ciphertext Attack

A chosen-ciphertext attack is a scenario in which the attacker has the ability to choose ciphertexts $C_i$ and to view their corresponding decryptions – plaintexts $P_i$. It is essentially the same scenario as a chosen-plaintext attack, but applied to the decryption function instead of the encryption function. The attack is considered to be less practical in real-life situations than chosen-plaintext attacks. However, there is no direct correspondence between the complexities of chosen-plaintext and chosen-ciphertext attacks. A cipher may be vulnerable to one but not to the other, and vice versa. The chosen-ciphertext attack is a very important scenario in public key cryptography, where known-plaintext and even chosen-plaintext scenarios are always available to the attacker due to the publicly known encryption key. For example, plain RSA is not secure against an adaptive chosen-ciphertext attack.
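The birthday-bound block repetition described in the Codebook Attack entry, as an added example that is not part of the original entries: it models an ideal $n$-bit block cipher under one fixed key as a seeded random permutation (a constructed stand-in, not DES or any real cipher), measures how many ECB-encrypted random blocks are sent before a ciphertext block repeats, and includes a defensive check that flags repeated blocks in captured ciphertext. The 16-bit block size, seeds and sample ciphertext are constructed values.

```python
import random

BLOCK_BITS = 16  # constructed toy block size; real ciphers use 64 (DES) or 128 bits


def random_permutation(n_bits: int, seed: int) -> list:
    """Stand-in for an ideal n-bit block cipher under one fixed key: a seeded
    random permutation of all 2^n block values (a constructed model, not a real
    cipher). Encrypting block b is simply perm[b]."""
    table = list(range(1 << n_bits))
    random.Random(seed).shuffle(table)
    return table


def blocks_until_first_repeat(perm: list, n_bits: int, rng: random.Random) -> int:
    """Encrypt fresh uniformly random plaintext blocks in ECB mode until a
    ciphertext block repeats one already sent; return how many blocks that took.
    Because the cipher is a permutation, a repeated ciphertext block reveals a
    repeated plaintext block, which is exactly what the codebook attacker waits for."""
    seen = set()
    sent = 0
    while True:
        c = perm[rng.getrandbits(n_bits)]
        sent += 1
        if c in seen:
            return sent
        seen.add(c)


def average_first_repeat(n_bits: int = BLOCK_BITS, trials: int = 200, seed: int = 1) -> float:
    """Average over several trials; the expectation is close to sqrt(pi/2 * 2^n),
    i.e. on the order of 2^(n/2) (about 321 blocks for n = 16): the birthday bound."""
    perm = random_permutation(n_bits, seed)
    rng = random.Random(seed + 1)
    return sum(blocks_until_first_repeat(perm, n_bits, rng) for _ in range(trials)) / trials


def repeated_blocks(ciphertext: bytes, block_size: int) -> dict:
    """Defensive check on captured ciphertext: map every block value that occurs
    more than once to the block indices where it appears. Under a deterministic
    block cipher in ECB mode, equal ciphertext blocks imply equal plaintext blocks,
    so any hit here is codebook leakage (CBC with fresh IVs avoids it)."""
    positions = {}
    for i in range(0, len(ciphertext) - block_size + 1, block_size):
        positions.setdefault(ciphertext[i:i + block_size], []).append(i // block_size)
    return {blk: idx for blk, idx in positions.items() if len(idx) > 1}


if __name__ == "__main__":
    print("average blocks until first repeat (n=16):", average_first_repeat())
    # Constructed 8-byte-block ciphertext in which blocks 0 and 2 coincide.
    sample = b"\x11" * 8 + b"\x22" * 8 + b"\x11" * 8 + b"\x33" * 8
    print(repeated_blocks(sample, 8))
```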