DES Slide


Data Encryption Standard - DES

DES was developed as a standard for
communications and data protection by an IBM
research team, in response to a public request for
proposals by the NBS - the National Bureau of
Standards (which is now known as NIST).
1
DES - History
The Data Encryption Standard (DES) was
developed in the 1970s by the National Bureau of
Standards with the help of the National Security
Agency.
Its purpose is to provide a standard method for
protecting sensitive commercial and unclassified
data.
IBM created the first draft of the algorithm,
calling it LUCIFER with a 128-bit key.
DES officially became a federal standard in
November of 1976.
2
DES - History
In May 1973, and again in Aug 1974 the
NBS (now NIST) called for possible
encryption algorithms for use in
unclassified government applications.
The response was mostly disappointing;
however, IBM submitted their LUCIFER
design.
Following a period of redesign and
comment it became the Data Encryption
Standard (DES).
3
DES - As a Federal Standard
DES was adopted as a (US) federal
standard in November 1976, published by
NBS as a hardware-only scheme in January
1977 and by ANSI for both hardware and
software standards in ANSI X3.92-1981
(also X3.106-1983 modes of use).
Subsequently DES has been widely
adopted and is now published in many
standards around the world.
4
DES - Basics
DES uses the two basic techniques of
cryptography - confusion and diffusion.
At the simplest level, diffusion is achieved
through numerous permutations and
confusion is achieved through the XOR
operation.
This is also called an S-P network.

5
The S-P Network

6
DES in a Nutshell

7
DES - The 16 Rounds
The basic process in
enciphering a 64-bit data
block with a 56-bit key
using the DES consists
of:
 An initial permutation (IP)
 16 rounds of a complex key-dependent calculation f
 A final permutation, being the inverse of IP

8
The 16 Rounds of F Consist Of:

9
DES - Swapping of Left and Right Halves
The 64-bit block being enciphered is broken into
two halves.
The right half goes through one DES round, and
the result becomes the new left half.
The old left half becomes the new right half, and
will be put through the next round.
This goes on for 16 rounds, but after the last
round the left and right halves are not swapped,
so that the result of the 16th round becomes the
final right half, and the result of the 15th round
(which became the left half of the 16th round) is
the final left half.
10
DES - Swapping of Left and Right Halves
This can be described functionally as
L(i) = R(i-1)
R(i) = L(i-1) ⊕ P(S(E(R(i-1)) ⊕ K(i)))
This forms one round in an S-P network
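
The recurrence above, as an added Python sketch that is not part of the original slides. It runs the 16-round left/right structure with a stand-in round function (`toy_f`, the constructed subkeys and all function names are assumptions, not DES's f or key schedule) and shows that decryption is the same network with the subkeys in reverse order.

```python
import hashlib

MASK32 = 0xFFFFFFFF


def toy_f(right, subkey):
    """Stand-in for P(S(E(R) XOR K)). Assumption: NOT the real DES f.
    It is deliberately non-invertible: the structure never needs to invert f."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel(block, subkeys):
    """Run one pass of the network over a 64-bit block."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        # L(i) = R(i-1);  R(i) = L(i-1) XOR f(R(i-1), K(i))
        left, right = right, left ^ toy_f(right, k)
    # The halves are not swapped back after the last round: output R16 || L16.
    return (right << 32) | left


def encrypt(block, subkeys):
    return feistel(block, subkeys)


def decrypt(block, subkeys):
    # Same network, subkeys applied as K16 .. K1.
    return feistel(block, subkeys[::-1])


# Constructed 48-bit subkeys and plaintext, for illustration only.
SUBKEYS = [(i * 0x9E3779B97F4A) & 0xFFFFFFFFFFFF for i in range(1, 17)]
PLAINTEXT = 0x0123456789ABCDEF

if __name__ == "__main__":
    ct = encrypt(PLAINTEXT, SUBKEYS)
    print(f"ciphertext {ct:016X}")
    print(f"decrypted  {decrypt(ct, SUBKEYS):016X}")
```
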

11
DES - Basics
Fundamentally DES performs only two operations on
its input, bit shifting (permutation), and bit
substitution.
The key controls exactly how this process works.
By doing these operations repeatedly and in a
non-linear manner you end up with a result which cannot
be used to retrieve the original without the key.
Those familiar with chaos theory should see a great
deal of similarity to what DES does. By applying
relatively simple operations repeatedly a system can
achieve a state of near total randomness.

12
Each Iteration Uses a Different Sub-key
DES works on 64 bits of data at a time.
Each 64 bits of data is iterated on from 1
to 16 times (16 is the DES standard).
For each iteration a 48-bit subset of the 56-bit
key is fed into the encryption block.
Decryption is the inverse of the encryption
process.

13
DES Key Processing
The key is usually stored as a 64-bit
number, where every eighth bit is a parity
bit.
The parity bits are discarded during the
algorithm, and the 56-bit key is used to
create 16 different 48-bit subkeys - one for
each round.
DES Subkeys: K1, K2, K3, … K16

14
DES Key Processing - Subkeys Generation
In order to generate 16 48-bit subkeys from the
56-bit key, the following process is used.
First, the key is loaded according to the PC-1 and
then halved.
Then each half is rotated by 2 bits in every round
except the first, second, 9th and last rounds, where
it is rotated by 1 bit.
The reason for this is that it makes it secure
against related-key cryptanalysis.
Then 48 of the 56 bits are chosen according to a
compression permutation - PC-2.
15
The Key Schedule
The subkeys used by the 16 rounds are formed by the key schedule, which consists of:
  An initial permutation of the key (PC1) which selects 56 bits in two 28-bit halves
  16 stages consisting of
    selecting 24 bits from each half and permuting them by PC2 for use in function f,
    rotating each half either 1 or 2 places depending on the key rotation schedule KS
This can be described functionally as:
K(i) = PC2(KS(PC1(K),i))
16
Permuted Choice 1 -- PC-1

17
Permuted Choice 2 -- PC-2

18
Key Rotation Schedule
 The key rotation schedule KS is specified as:
Round      1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
KS         1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1
Total Rot  1  2  4  6  8 10 12 14 15 17 19 21 23 25 27 28

19
DES Operation - Plaintext
The block to be encrypted is halved - the
right half goes through several steps
before being XOR-ed with the left half and,
except after the last round, trading places
with the left half.

20
DES - Expansion Permutation
First the right half goes through an expansion
permutation which expands it from 32 to 48 bits.
This makes it the same length as the subkey to
allow the XOR, but it also demonstrates an
important concept in cryptography. In expanding
to 1.5 times its size, several bits are repeated (no
new bits are introduced - all the existing bits are
shifted around, and some are used twice).
Because of this some of the input bits affect two
output bits instead of one, the goal being to have
every output bit in DES depend upon every input
bit as quickly as possible. This is known as the
avalanche effect.
21
Expansion Permutation Table

22
DES Operation - E(Ri) ⊕ Ki
The result of the expansion permutation is XOR-ed
with the subkey, and then goes through the
S-boxes.
There are 8 S-boxes, each of which takes a 6-bit
input and produces a 4-bit output.
This step is non-linear. For a given input i1, i2 ...
i6, the output is determined by using the
concatenation of i1 and i6, and the concatenation
of i2… i5, and using these as the indices to the
table which is the S-box.

23
S-box Permutations
The S-boxes are somewhat different from the other
permutations. While all the others are set up
according to "bit x goes to bit y", the input bits can
be viewed differently for the S-boxes.
If the input is {d1,d2,d3,d4,d5,d6} then the two-bit
number {d1,d6} and the four-bit number
{d2,d3,d4,d5} are used as indices to the table.
For the 48-bit word {d1,d2..d48}, the word {d1… d6}
is sent to S-box 1, the word {d7… d12} to S-box 2,
etc. The output of S-box 1, {o1… o4}, that of S-box
2, {o5..o8} etc. are concatenated to form the output.
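
Added example (not from the original slides) covering both the expansion permutation and the S-box indexing described above. The E table and S-box 1 are taken from the published DES standard (FIPS 46), since the slides' tables are not reproduced in this text; the function names are illustrative.

```python
# Bit 1 is the most significant bit, as in the standard's tables.
# E: 32 1 2 3 4 5 / 4 5 6 7 8 9 / ... / 28 29 30 31 32 1
E = [((4 * g + t - 1) % 32) + 1 for g in range(8) for t in range(6)]
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def expand(r32):
    """Expansion permutation: 32-bit half block -> 48 bits."""
    out = 0
    for src in E:
        out = (out << 1) | ((r32 >> (32 - src)) & 1)
    return out


def sbox_lookup(table, six):
    """Row index is {d1,d6}, column index is {d2,d3,d4,d5}."""
    row = (((six >> 5) & 1) << 1) | (six & 1)
    col = (six >> 1) & 0xF
    return table[row][col]


def reused_input_bits():
    """Input bits of R that E copies into two output positions."""
    return [b for b in range(1, 33) if E.count(b) == 2]


def sboxes_touched(bit):
    """S-box numbers whose 6-bit input changes when input bit `bit` flips."""
    x = expand(1 << (32 - bit))
    return [g + 1 for g in range(8) if (x >> (42 - 6 * g)) & 0x3F]


def affine_violations(table):
    """Count pairs (a, b) where S(a)^S(b)^S(a^b)^S(0) != 0, i.e. S is not affine."""
    s = lambda v: sbox_lookup(table, v)
    return sum(1 for a in range(64) for b in range(64) if s(a) ^ s(b) ^ s(a ^ b) ^ s(0))


if __name__ == "__main__":
    print("S1(011011) =", format(sbox_lookup(S1, 0b011011), "04b"))
    print("bits used twice by E:", reused_input_bits())
    print("bit 4 feeds S-boxes", sboxes_touched(4), "bit 2 feeds", sboxes_touched(2))
    print("non-affine pairs in S1:", affine_violations(S1))
```
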
24
S-box Permutations

25
S1 Box Truth Table

26
The 8 DES S Boxes

27
DES Operation - P Box
The output of each of the 8 S-boxes is
concatenated to form a 32-bit number,
which is then permuted with a P-box.
This P-box is a straight permutation, and
the resulting number is XOR-ed with the
left half of the input block with which we
started at the beginning of this round.
Finally, if this is not the last round, we
swap the left and right halves and start
again.
28
P Box

29
DES Permutations
The initial and final permutations in DES serve no
cryptographic function. They were originally
added in order to make it easier to load the
64-bit blocks into hardware - this algorithm after all
predates 16-bit busses - and are now often omitted
from implementations.
However the permutations are a part of the
standard, and therefore any implementation not
using the permutations is not truly DES.

30
DES Permutations
Using the Initial Permutation a DES chip loads a
64-bit block one bit at a time (this gets to be very
slow in software).
The order in which it loads the bits is shown
below.
The final permutation is the inverse of the initial
(for example, in the final permutation bit 40 goes
to bit 1, whereas in the initial permutation bit 1
goes to bit 40).

31
Initial Permutation

bit  goes to bit    bit  goes to bit
 58       1          57      33
 50       2          49      34
 42       3          41      35
 34       4          33      36
 26       5          25      37
 18       6          17      38
 10       7           9      39
  2       8           1      40
 60       9          59      41
 52      10          51      42
 44      11          43      43
 36      12          35      44
 28      13          27      45
 20      14          19      46
 12      15          11      47
  4      16           3      48
 62      17          61      49
 54      18          53      50
 46      19          45      51
 38      20          37      52
 30      21          29      53
 22      22          21      54
 14      23          13      55
  6      24           5      56
 64      25          63      57
 56      26          55      58
 48      27          47      59
 40      28          39      60
 32      29          31      61
 24      30          23      62
 16      31          15      63
  8      32           7      64
32
DES Initial and Final Permutations

33
Weak Keys
There are a few keys which are considered
weak for the DES algorithm. They are so
few, however, that it is trivial to check for
them during key generation.

34
