differential attack;linear attack;exhausitive search;security;cipher;toolkits">
G-DES was devised by Schaumuller-Bichl to improve on the performance of DES by defining a cipher based on DES with a larger block size, but without an increase in the amount of computation required [Sch83]. It was claimed that G-DES was as secure as DES since the cipher was based on DES. However, Biham and Shamir showed that G-DES with the recommended parameter sizes is easily broken and that any alterations of G-DES parameters that result in a cipher faster than DES are less secure than DES [BS93b].
DESX, another variant of DES, is supported by RSA Data Security's toolkits (see Question 173). The only difference between DES and DESX is that the input plaintext is exclusive-ored with 64 bits of key material before encryption with DES and the output is exclusive-ored with 64 bits of either related or unrelated key material. The security of DESX against differential and linear attack (see Question 58 and Question 59) is equivalent to that of DES with independent subkeys (see Question 71), while the security against exhaustive search is greatly increased.