Introducci

on a la Criptografa y a
la Seguridad de la Informaci
on
Sesi
on 3
Data Encryption Standard
Yoan Pinz
on

c 2014

Session 3
Data Encryption Standard DES
Key Generator
Steps of DES Algorithm
PC-1
PC-2
IP
Inner Function f
E
P
S-Boxes
IP1
Example

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

80

Data Encryption Standard (DES)

The Data Encryption Standard (DES) is a block cipher invented in the
early 1970s by IBM and the U.S. government (US patent 3,962,539).
It operates on blocks of 64 bits using a secret key that is 56 bits long.
M = C = {0, 1}64, K = {0, 1}56.

k
56

64

DES

56
64

DES-1

64

At the time it was believed that trying out all 72,057,594,037,927,936

(72 quadrillion) possible keys (a seven with 16 zeros) would be impossible
because computers could not possibly ever become fast enough.
DES has been replaced by AES as a standard. We will use DES to
illustrate the principles of modern symmetric ciphers

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

81

Steps of DES Algorithm

The algorithm has 3 stages (18 steps):
Stage 1: Initial Permutation
Stage 2: 16 Operations (rounds)
Stage 3: Final Permutation

In 1998, the Electronic Frontier Foundation (EFF) built a machine

that could crack the DES algorithm by brute-force; called DES Deep
Crack, it could find a 56-bit DES key in an average of 4.5 days.

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

82

Steps of DES Algorithm (cont.)

Plaintext (64bits)

Substitution 1
Substitution 2
Substitution 3
Substitution 4
Substitution 5
Substitution 6
Substitution 7
Substitution 8
Substitution 9
Substitution 10
Substitution 11
Substitution 12
Substitution 13
Substitution 14
Substitution 15
Substitution 16

Key (56bits)

Key
Generator

Stage 2: 16 Rounds

Stage 1: Initial Permutation

Stage 3: Final Permutation

Ciphertext (64bits)

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

83

Key Generator
DES must first create 16 subkeys as follows:
1. From a given bitstring key k of length 64, of which 56 bits comprise
the key and 8 bits are parity-check bits(for error-detection), compute
k0 = P C-1(k) = C0D0, where C0 comprise the first 28 bits of P C-1(k)
and D0 the last 28 bits.
2. For i ranging 1 to 16, compute:
Ci = LSi(Ci1), Di = LSi(Di1), ki = P C-2(Ci Di).
LSi represents a cyclic shift (to the left) of either one or two positions,
depending on the value of i: by 1 if i = 1, 2, 9, 16, by 2 otherwise. P C-2
is another fixed permutation.
The bits in positions 8,16,24,32,40,48,56 and 64 of k are defined so
that each byte contains an odd number of 1s. Hence, a single error
can be detected within each group of 8 bits. The parity-check bits
are ignored in the computation of the key.
Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

84

Computation of the 16 DES-Subkeys

Key
64

k
64
PC-1
56

C0

D0

28
LS1
28

28
LS1
28

C1

D1

28
LS2
28

28
LS2
28

C2

D2

28
LS3
28

28
LS3
28

LS16
28

LS16
28

C16

D16

56

56

56

PC-2

PC-2

PC-2

48

k1

48

k2

48

k 16
85

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

Permuted Choice 1 (PC-1)

64

-8

PC1

56

bit 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56
PC-1 57 49 41 33 25 17 09 01 58 50 42 34 26 18 10 02 59 51 43 35 27 19 11 03 60 52 44 36 63 55 47 39 31 23 15 07 62 54 46 38 30 22 14 06 61 53 45 37 29 21 13 05 28 20 12 04

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64

PC-1

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

86

Permuted Choice 2 (PC-2)

56

-8

PC2

48

bit 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
PC-2 14 17 11 24 01 05 03 28 15 06 21 10 23 19 12 04 26 08 16 07 27 20 13 02 41 52 31 37 47 55 30 40 51 45 33 48 44 49 39 56 34 53 46 42 50 36 29 32

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56

PC-2

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

87

Stage 1: Initial Permutation

Given a plaintext m, a bitstring m0 is constructed by permuting the bits
of m according to a (fixed) initial permutation IP.
We write m0 = IP (x) = L0R0, where L0 comprises the first 32 bits of
m0 and R0 the last 32 bits.
If the block is shorter than 64 bits, it should be padded with zeros.

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

88

Initial Permutation (IP)

64

+0

IP

64

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64
58 50 42 34 26 18 10 02 60 52 44 36 28 20 12 04 62 54 46 38 30 22 14 06 64 56 48 40 32 24 16 08 57 49 41 33 25 17 09 01 59 51 43 35 27 19 11 03 61 53 45 37 29 21 13 05 63 55 47 39 31 23 15 07

IP

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64

IP

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64

IP-1

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64
IP-1 40 08 48 16 56 24 64 32 39 07 47 15 55 23 63 31 38 06 46 14 54 22 62 30 37 05 45 13 53 21 61 29 36 04 44 12 52 20 60 28 35 03 43 11 51 19 59 27 34 02 42 10 50 18 58 26 33 01 41 09 49 17 57 25

89

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

Stage 2: 16 Rounds
16 iterations of a certain function are computed.
We compute LiRi, for 1 i 16, according to the following rule:
Li = Ri1, Ri = Li1 f (Ri1, ki ),
where denotes the exclusive-or, f is the inner function of DES and its
described later, and k1, k2, . . . , k16 are the subkeys we already computed.

Li-1

Ri-1

32

32

48

ki

32

32

32

Li

Ri

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

90

Inner Function f
The function f takes as input a first argument Ri1 of length 32, and a
second argument ki of length 48, and produces as output a bitstring of
length 32. The following steps are executed:
1. The first argument Ri1 is expanded to a bitstring of length 48 according to a fixed expansion function E. E(Ri1) consists of 32 bits
from Ri1, permuted in a certain way, with 16 of the bits appearing
twice.
2. Compute Ri1 ki and write the result as the concatenation of eight
6-bit strings B = B1B2B3B4B5B6B7B8.
3. Apply Sj (Bj ) to every block Bj . Sj is a fixed 416 array whose entries
come from the integers 0-15. For each Bj = b1b2b3b4b5b6, the two
bits b1b6 determine the binary representation of the row r of Sj (r, c)
and the four bits b2b3b4b5 determines the binary representation of the
column. Cj = Sj (Bj ) is defined to be the entry Sj (r, c), written in
binary as a bitstring of length four.
4. The bitstring C = C1C2C3C4C5C6C7C8 of length 32 is permuted
according to a fixed permutation P . f (Ri1, ki ) = P (C).

91

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

Inner Function f
Ri-1

ki

32

Expantion

48

E
48
48

B1 B2 B3 B4 B5 B6 B7 B8

8x6 bits (48)

S1 S2 S3 S4 S5 S6 S7 S8

S-boxes

C1 C2 C3 C4 C5 C6 C7 C8

8x4 bits (32)

32

Permutation

32

f(Ri-1,ki)
P(S(E(Ri-1) ki))
Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

92

Expansion (E)

+16

32

48

bit 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
E 32 01 02 03 04 05 04 05 06 07 08 09 08 09 10 11 12 13 12 13 14 15 16 17 16 17 18 19 20 21 20 21 22 23 24 25 24 25 26 27 28 29 28 29 30 31 32 01
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48

93

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

Permutation (P)
P

32

+0

32

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
16 07 20 21 29 12 28 17 01 15 23 26 05 18 31 10 02 08 24 14 32 27 03 09 19 13 30 06 22 11 04 25
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

94

S-Box 1 (S1)

S1
00
r 01
02
03

00
14
00
04
15

01
04
15
01
12

02
13
07
14
08

03
01
04
08
02

04
02
14
13
04

05
15
02
06
09

06
11
13
02
01

c
07 08
08 03
01 10
11 15
07 05

09
10
06
12
11

10
06
12
09
03

11
12
11
07
14

-2

12
05
09
03
10

13
09
05
10
00

S1

14
00
03
05
06

15
07
08
00
13

Bj=b1 b2 b 3b 4b 5b6
r=b1 b6 [0..3]
c=b2 b3 b4 b5 [0..15]

Example: Compute S1(011000)

S1(011000) = S1(00, 1100) = S1(0, 12) = 5 = 0101
S1(011000) = 0101

95

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

S-Boxes 18 (S1,S2,S3,S4,S5,S6,S7,S8)
c

S1
00
01
02
03
S2
00
01
02
03
S3
00
01
02
03
S4
00
01
02
03

00
14
00
04
15
00
15
03
00
13
00
10
13
13
01
00
07
13
10
03

01
04
15
01
12
01
01
13
14
08
01
00
07
06
10
01
13
08
06
15

02
13
07
14
08
02
08
04
07
10
02
09
00
04
13
02
14
11
09
00

03
01
04
08
02
03
14
07
11
01
03
14
09
09
00
03
03
05
00
06

04
02
14
13
04
04
06
15
10
03
04
06
03
08
06
04
00
06
12
10

05
15
02
06
09
05
11
02
04
15
05
03
04
15
09
05
06
15
11
01

06
11
13
02
01
06
03
08
13
04
06
15
06
03
08
06
09
00
07
13

07
08
01
11
07
07
04
14
01
02
07
05
10
00
07
07
10
03
13
08

08
03
10
15
05
08
09
12
05
11
08
01
02
11
04
08
01
04
15
09

09
10
06
12
11
09
07
00
08
06
09
13
08
01
15
09
02
07
01
04

10
06
12
09
03
10
02
01
12
07
10
12
05
02
14
10
08
02
03
05

11
12
11
07
14
11
13
10
06
12
11
07
14
12
03
11
05
12
14
11

12
05
09
03
10
12
12
06
09
00
12
11
12
05
11
12
11
01
05
12

13
09
05
10
00
13
00
09
03
05
13
04
11
10
05
13
12
10
02
07

14
00
03
05
06
14
05
11
02
14
14
02
15
14
02
14
04
14
08
02

15
07
08
00
13
15
10
05
15
09
15
08
01
07
12
15
15
09
04
14

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

S5
00
01
02
03
S6
00
01
02
03
S7
00
01
02
03
S8
00
01
02
03

00
02
14
04
11
00
12
10
09
04
00
04
13
01
06
00
13
01
07
02

01
12
11
02
08
01
01
15
14
03
01
11
00
04
11
01
02
15
11
01

02
04
02
01
12
02
10
04
15
02
02
02
11
11
13
02
08
13
04
14

03
01
12
11
07
03
15
02
05
12
03
14
07
13
08
03
04
08
01
07

04
07
04
10
01
04
09
07
02
09
04
15
04
12
01
04
06
10
09
04

05
10
07
13
14
05
02
12
08
05
05
00
09
03
04
05
15
03
12
10

06
11
13
07
02
06
06
09
12
15
06
08
01
07
10
06
11
07
14
08

07
06
01
08
13
07
08
05
03
10
07
13
10
14
07
07
01
04
02
13

08
08
05
15
06
08
00
06
07
11
08
03
14
10
09
08
10
12
00
15

09
05
00
09
15
09
13
01
00
14
09
12
03
15
05
09
09
05
06
12

10
03
15
12
00
10
03
13
04
01
10
09
05
06
00
10
03
06
10
09

11
15
10
05
09
11
04
14
10
07
11
07
12
08
15
11
14
11
13
00

12
13
03
06
10
12
14
00
01
06
12
05
02
00
14
12
05
00
15
03

13
00
09
03
04
13
07
11
13
00
13
10
15
05
02
13
00
14
03
05

14
14
08
00
05
14
05
03
11
08
14
06
08
09
03
14
12
09
05
06

15
09
06
14
03
15
11
08
06
13
15
01
06
02
12
15
07
02
08
11

96

Stage 1: Final Permutation

Apply the inverse permutation IP 1 to the bitstring R16L16.
Obtain the ciphertext c = IP 1(R16L16).
Note the inverted order of L16 and R16.

97

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

Encryption/Decryption
m

64
IP
64

64
IP
64

L0

R16

R0
32

32

48

32

k1

32

32

L16
f

32
32

32

R2

R15

2~15 Rounds
L15

L15

2~15 Rounds

R15

R1
f

R16

k 16

32

32

L1

48

L1

k 16

L16

L0

R0

IP-1

IP-1

Encryption

Decryption

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

k1

98

Example
Let m = 0123456789ABCDEF and k = 133457799BBCDFF1, where m and k are
in hexadecimal (base 16) format.
Part 1: Create 16 subkeys:
k = 133457799BBCDFF1.
This gives us as the binary key (setting 1 = 0001, 3 = 0011, etc., and
grouping together every eight bits, of which the last one in each group
will be unused):
k = 00010011 00110100 01010111 01111001 10011011 10111100 11011111 11110001
Compute k = P C-1(k)
k = 1111000 0110011 0010101 0101111 0101010 1011001 1001111 0001111

99

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

Next, split this key into left and right halves, C0 and D0, where each half
has 28 bits.
C0 = 1111000 0110011 0010101 0101111 D0 = 0101010 1011001 1001111 0001111
Now, compute Ci = LSi(Ci1), Di = LSi(Di1) for i = 1, 2, . . . , 16
C0 =
C1 =
C2 =
C3 =
C4 =
C5 =
C6 =
C7 =
C8 =
C9 =
C10 =
C11 =
C12 =
C13 =
C14 =
C15 =
C16 =

1111000011001100101010101111
1110000110011001010101011111
1100001100110010101010111111
0000110011001010101011111111
0011001100101010101111111100
1100110010101010111111110000
0011001010101011111111000011
1100101010101111111100001100
0010101010111111110000110011
0101010101111111100001100110
0101010111111110000110011001
0101011111111000011001100101
0101111111100001100110010101
0111111110000110011001010101
1111111000011001100101010101
1111100001100110010101010111
1111000011001100101010101111

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

D0 =
D1 =
D2 =
D3 =
D4 =
D5 =
D6 =
D7 =
D8 =
D9 =
D10 =
D11 =
D12 =
D13 =
D14 =
D15 =
D16 =

0101010101100110011110001111
1010101011001100111100011110
0101010110011001111000111101
0101011001100111100011110101
0101100110011110001111010101
0110011001111000111101010101
1001100111100011110101010101
0110011110001111010101010110
1001111000111101010101011001
0011110001111010101010110011
1111000111101010101011001100
1100011110101010101100110011
0001111010101010110011001111
0111101010101011001100111100
1110101010101100110011110001
1010101010110011001111000111
0101010101100110011110001111

100

We now form the keys ki = P C-2(Ci Di) for i = 1, 2, 3, . . . , 16.

k1 =
k2 =
k3 =
k4 =
k5 =
k6 =
k7 =
k8 =
k9 =
k10 =
k11 =
k12 =
k13 =
k14 =
k15 =
k16 =

000110
011110
010101
011100
011111
011000
111011
111101
111000
101100
001000
011101
100101
010111
101111
110010

110000
011010
011111
101010
001110
111010
001000
111000
001101
011111
010101
010111
111100
110100
111001
110011

001011
111011
110010
110111
110000
010100
010010
101000
101111
001101
111111
000111
010111
001110
000110
110110

101111
011001
001010
010110
000111
111110
110111
111010
101011
000111
010011
110101
010001
110111
001101
001011

111111
110110
010000
110110
111010
010100
111101
110000
111011
101110
110111
100101
111110
111100
001111
000011

000111
111100
101100
110011
110101
000111
100001
010011
011110
100100
101101
000110
101011
101110
010011
100001

000001
100111
111110
010100
001110
101100
100010
101111
011110
011001
001110
011111
101001
011100
111100
011111

110010
100101
011001
011101
101000
101111
111100
111011
000001
001111
000110
101001
000001
111010
001010
110101

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

101

Part 2: Encode each 64-bit block of data.

Rewriting m=0123456789ABCDEF in binary format, we get the 64-bit block
of text:
m = 0000000100100011010001010110011110001001101010111100110111101111
Compute m=IP (m)
m = 1100110000000000110011001111111111110000101010101111000010101010
Here the 58th bit of m is 1, which becomes the first bit of m. The
50th bit of m is 1, which becomes the second bit of m. The 7th bit
of m is 0, which becomes the last bit of m .
Next divide the permuted block IP into a left half L0 of 32 bits, and a
right half R0 of 32 bits.
L0 = 1100 1100 0000 0000 1100 1100 1111 1111
R0 = 1111 0000 1010 1010 1111 0000 1010 1010

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

102

We now proceed through 16 iterations, for 1 i 16, using function f

which operates on two blocks a data block of 32 bits and a key ki of
48 bits to produce a block of 32 bits. Then for i going from 1 to 16
we calculate:
Li = Ri1, Ri = Li1 f (Ri1, ki ),
For i = 1, we have
k1 = 000110 110000 001011 101111 111111 000111 000001 110010
L1 = R0 = 1111 0000 1010 1010 1111 0000 1010 1010
R1 = L0 f (R0, K1)
We calculate E(R0) from R0 as follows:
R0 = 1111 0000 1010 1010 1111 0000 1010 1010
E(R0) = 011110 100001 010101 010101 011110 100001 010101 010101
Note that each block of 4 original bits has been expanded to a block
of 6 output bits.

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

103

Next in the f calculation, we XOR the output E(Ri1) with the key ki :
k1 = 000110 110000 001011 101111 111111 000111 000001 110010
E(R0) = 011110 100001 010101 010101 011110 100001 010101 010101
k1 E(R0) = 011000 010001 011110 111010 100001 100110 010100 100111
Write the previous result, which is 48 bits in the form ki E(Ri1) =
B1B2B3B4B5B6B7B8, where each Bi is a group of six bits.
k1 E(R0) = 011000 010001 011110 111010 100001 100110 010100 100111
We now calculate
S1(B1)S2(B2)S3(B3 )S4(B4)S5(B5)S6(B6)S7(B7)S8(B8)
where Si(Bi ) referres to the output of the i-th S-box.
S1(B1)S2(B2)S3(B3 )S4(B4)S5(B5)S6(B6)S7(B7)S8(B8) = 0101 1100 1000 0010
1011 0101 1001 0111
The final stage in the calculation of f is to do permutation P , we get

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

104

f = 0010 0011 0100 1010 1010 1001 1011 1011

So R1 = L0 f (R0, k1)
= 1100 1100 0000 0000 1100 1100 1111 1111 0010 0011 0100 1010 1010 1001 1011 1011
= 1110 1111 0100 1010 0110 0101 0100 0100
After the first round we get
L1 = 11110000101010101111000010101010
R1 = 11101111010010100110010101000100
Now we simply repeat this simple process 15 more times.

105

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

L2 =
L3 =
L4 =
L5 =
L6 =
L7 =
L8 =
L9 =
L10 =
L11 =
L12 =
L13 =
L14 =
L15 =
L16 =

11101111010010100110010101000100
11001100000000010111011100001001
10100010010111000000101111110100
01110111001000100000000001000101
10001010010011111010011000110111
11101001011001111100110101101001
?00001?00100?0101?11?0?0000?000?
11010101011010010100101110010000
00100100011111001100011001111010
10110111110101011101011110110010
11000101011110000011110001111000
01110101101111010001100001011000
00011000110000110001010101011010
11000010100011001001011000001101
01000011010000100011001000110100

R2 =
R3 =
R4 =
R5 =
R6 =
R7 =
R8 =
R9 =
R10 =
R11 =
R12 =
R13 =
R14 =
R15 =
R16 =

11001100000000010111011100001001
10100010010111000000101111110100
01110111001000100000000001000101
10001010010011111010011000110111
11101001011001111100110101101001
?00001?00100?0101?1110?0000?000?
11010101011010010100101110010000
00100100011111001100011001111010
10110111110101011101011110110010
11000101011110000011110001111000
01110101101111010001100001011000
00011000110000110001010101011010
11000010100011001001011000001101
01000011010000100011001000110100
00001010010011001101100110010101

We then reverse the order of the two blocks R16L16 and apply IP 1 with
the following result:
c =10000101 11101000 00010011 01010100 00001111 00001010 10110100 00000101
which in hexadecimal format is 85E813540F0AB405.
Therefore, the encrypted form of m = 0123456789ABCDEF is c =
85E813540F0AB405.

Introdu i
on a la Criptograf
a y a la Seguridad de la Informa i
on

106