3.2.8 What are some other DES variants?
G-DES is a variant on DES devised by Schaumuller-Bichl to improve on the performance of DES by defining a cipher based on DES with a larger block size, but without an increase in the amount of computation required [Sch83]. It was claimed that G-DES was as secure as DES since the cipher was based on DES. However, Biham and Shamir showed that G-DES with the recommended parameter sizes is easily broken and that any alterations of G-DES parameters that result in a cipher faster than DES are less secure than DES [BS93b].
Another variant of DES uses independent subkeys. The DES algorithm derives sixteen 48-bit subkeys, for use in each of the 16 rounds, from the 56-bit secret key supplied by the user. It is interesting to consider the effect of using a 768-bit key (divided into 16 48-bit subkeys) in place of the 16 related 48-bit keys that are generated by the key schedule in the DES algorithm.
While the use of independent subkeys would obviously vastly increase the effort required for exhaustive key search, such a change to the cipher would make it only moderately more secure against differential and linear cryptanalytic attack (see Question 2.4.5) than ordinary DES. Biham estimated that 261 chosen plaintexts are required for a differential attack on DES with independent subkeys, while 260 known plaintexts are required for linear cryptanalysis [Bih95].