[Next] [Up] [Previous] [Index]

Variations of DES

DES, being the best known of a whole class of ciphers, has inspired many suggestions for variations of it.

The initial permutation and inverse initial permutation, and perhaps also permuted choice 1, could be removed, to obtain a cipher of equivalent intrinsic strength, but simpler to perform on a computer.

The sixteen subkeys could be supplied directly as a key, instead of being derived from a short 56-bit key. However, a result reported in Bruce Schneier's book Applied Cryptography shows that the strength of that is only a slight improvement on that of regular DES, essentially equivalent to using a 65-bit key.

If the eight S-boxes are moved, from their regular positions so that the order in which they are applied to the successive six-bit groups of their input is 2, 4, 6, 7, 3, 1, 5, and 8, without altering the permutation P, DES remains highly resistant to differential cryptanalysis, but becomes resistant to linear cryptanalysis as well. (Any re-ordering of the S-boxes in which S-boxes 1, 7, and 4 are consecutive and in that order can make DES very weak against differential cryptanalysis, as noted in Biham and Shamir's original paper on differential cryptanalysis.)

RSA Data Security has recommended DESX, which is simply DES strengthened by performing an XOR against additional key bits at the beginning and at the end of encipherment.

One way in which DES might be strengthened by a simple modification that has occurred to me is this: retain the initial and inverse initial permutations, but perform them after rounds 4 and 12 of the cipher respectively. This way, they are contributing something to its strength. Perhaps it would even be possible to use a 112-bit key, as follows: for the first 56 bits, generate the regular key schedule, and use it during rounds 1 through 4 and 13 through 16. For the last 56 bits, use the decrypting key schedule from those bits during rounds 5 through 12. Unlike DESX, though, this kind of modification is only applicable if one is performing DES encryption in software, not when using existing DES hardware.

Another possible way of using a 112-bit key would be by enhancing DES with an idea I use in QUADIBLOC: use 32 subkeys, by applying the f-function twice, first to the right half of the block, then to the first f-function output, before XORing the result to the right half. This propagates changes in the block more quickly.

Also, it would seem to me that one could obtain a very strong cipher by alternating pairs of rounds of DES with rounds of SAFER, a block cipher based on very different principles.

A more economical way to realize increased strength would be, perhaps, to take the variation suggested above, with IP after round 4, and IIP after round 12, and apply, before and after each of these permutations a user-supplied substitution, part of the key, acting on the eight bytes of the block. The inverse of this substitution would be used on deciphering. Since differential cryptanalysis depends on substitutions being known, this would seem to improve the strength of the cipher against that kind of attack; and, since a random substitution on the possible byte values from 0 to 255 takes quite a bit more than 56 bits to describe it, key size is also increased. Applying the substitution at the beginning and end of the block cipher would probably be advisable as well; this would increase the amount of this extra key that is actually used, and it would protect all sixteen, rather than just the middle eight, rounds of the block cipher from outside scrutiny.

[Next] [Up] [Previous] [Index]

Chapter Start
Table of Contents
Main Page Home Page