Lecture 4 Data Encryption Standard

The document summarizes the history and design of the Data Encryption Standard (DES). Key points:
- DES was developed in the 1970s as a standard method for encrypting commercial data.
- It uses a Feistel cipher structure with 16 rounds to perform encryption and decryption. Each round uses a different subkey derived from the main key.
- DES encrypts 64-bit blocks using a 56-bit key. It achieves confusion and diffusion through operations like substitution and bit permutation in each round.

Uploaded by kenronoh

CNS 2201 9/5/2023

Data Encryption Standard

DES - History
• The Data Encryption Standard (DES) was developed in the 1970s by the National Bureau of Standards with the help of the National Security Agency.
• Its purpose is to provide a standard method for protecting sensitive commercial and unclassified data.
• IBM created the first draft of the algorithm, calling it LUCIFER.
• DES officially became a federal standard in November of 1976.

Confusion and Diffusion
• According to the famous information theorist Claude Shannon, there are two primitive operations with which strong encryption algorithms can be built: confusion and diffusion.
• Confusion:
  o An encryption operation where the relationship between key and ciphertext is obscured.
  o Today, a common element for achieving confusion is substitution, which is found in both DES and AES.
• Diffusion:
  o An encryption operation where the influence of one plaintext symbol is spread over many ciphertext symbols with the goal of hiding statistical properties of the plaintext.
  o A simple diffusion element is the bit permutation, which is used frequently within DES.
• Ciphers which only perform confusion, such as the Shift Cipher, are not secure.
• Neither are ciphers which only perform diffusion.
• However, through the concatenation of such operations, a strong cipher can be built.
• The idea of concatenating several encryption operations was also proposed by Shannon.
• Such ciphers are known as product ciphers.

Overview of DES Algorithm
• DES is a cipher which encrypts blocks of length of 64 bits with a key size of 56 bits.
• DES is a symmetric cipher, i.e., the same key is used for encryption and decryption.
• DES is, like virtually all modern block ciphers, an iterative algorithm.
• For each block of plaintext, encryption is handled in 16 rounds which all perform the identical operation.
• In every round a different subkey is used and all subkeys k_i are derived from the main key k.
• The structure consists of a Feistel network.
• In addition to its potential cryptographic strength, one advantage of Feistel networks is that encryption and decryption are almost the same operation.

Overview of DES Algorithm - Feistel Structure of DES
[Figure: Feistel structure of DES]

Overview of DES Algorithm
• After the initial bitwise permutation IP of a 64-bit plaintext x, the plaintext is split into two halves L_0 and R_0.
• These two 32-bit halves are the input to the Feistel network, which consists of 16 rounds.
• The right half R_i is fed into the function f.
• The output of the f function is XORed (as usually denoted by the symbol ⊕) with the left 32-bit half L_i.
• Finally, the right and left half are swapped.
• This process repeats in the next round and can be expressed as:
• where i = 1, ..., 16.
• After round 16, the 32-bit halves L_16 and R_16 are swapped again, and the final permutation IP^-1 is the last operation of DES.
• As the notation suggests, the final permutation IP^-1 is the inverse of the initial permutation IP.
• In each round, a round key k_i is derived from the main 56-bit key using what is called the key schedule.

Overview of DES Algorithm
• The two aforementioned basic properties of ciphers, i.e., confusion and diffusion, are realized within the f-function.
• In order to thwart advanced analytical attacks, the f-function must be designed extremely carefully.
• Once the f-function has been designed securely, the security of a Feistel cipher increases with the number of key bits used and the number of rounds.

Internal Structure of DES
• Refer to the Feistel structure
• The building blocks are:
  1. The initial and final permutation,
  2. The actual DES rounds with its core,
  3. The f-function, and
  4. The key schedule.

Initial and Final Permutation
• Bit swaps for initial permutation
• Bit swaps for final permutation

The f-function
• As mentioned earlier, the f-function plays a crucial role for the security of DES.
• In round i it takes the right half R_{i-1} of the output of the previous round and the current round key k_i as input.
• The output of the f-function is used as an XOR-mask for encrypting the left half input bits L_{i-1}.
• The structure of the f-function is shown in the figure on the right.
• First, the 32-bit input is expanded to 48 bits by partitioning the input into eight 4-bit blocks and by expanding each block to 6 bits.
• This happens in the E-box, which is a special type of permutation.

The f-function
• Figures here show expansion of 32 bits to 48 bits.
• The first block consists of the bits (1,2,3,4), the second one of (5,6,7,8), etc.
• As can be seen from the table, exactly 16 of the 32 input bits appear twice in the output.
• However, an input bit never appears twice in the same 6-bit output block.
• The expansion box increases the diffusion behavior of DES since certain input bits influence two different output locations.
• Next, the 48-bit result of the expansion is XORed with the round key k_i, and the eight 6-bit blocks are fed into eight different substitution boxes, which are often referred to as S-boxes.
• Each S-box is a lookup table that maps a 6-bit input to a 4-bit output.
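
The expansion step described above, as an added example that is not part of the original slides: it rebuilds the E table from the 4-bit blocks and checks the two properties the slides state. The rule that each block borrows the neighbouring bit on either side (with wrap-around) comes from the published DES specification, since the slide's table did not survive; the function names are illustrative.

```python
from collections import Counter

def expansion_table():
    """E table as eight rows of six 1-based input bit numbers (bit 1 = leftmost)."""
    table = []
    for block in range(8):
        first = 4 * block + 1                # first bit of this 4-bit block
        prev_last = (first - 2) % 32 + 1     # last bit of the previous block (wraps to 32)
        next_first = (first + 3) % 32 + 1    # first bit of the next block (wraps to 1)
        table.append([prev_last, first, first + 1, first + 2, first + 3, next_first])
    return table

def expand(r: int) -> int:
    """Expand a 32-bit half block to 48 bits."""
    out = 0
    for row in expansion_table():
        for pos in row:
            out = (out << 1) | ((r >> (32 - pos)) & 1)
    return out

def bits_used_twice():
    """Input bits that appear twice in the 48-bit output."""
    counts = Counter(pos for row in expansion_table() for pos in row)
    return sorted(bit for bit, n in counts.items() if n == 2)

def blocks_influenced(bit: int):
    """Indices (0..7) of the 6-bit output blocks, and so the S-boxes, fed by an input bit."""
    return [i for i, row in enumerate(expansion_table()) if bit in row]

if __name__ == "__main__":
    for row in expansion_table():
        print(row)
    print("bits used twice:", bits_used_twice())
    print("input bit 4 feeds S-box inputs:", blocks_influenced(4))
    print("E(0x80000000) = %012x" % expand(0x80000000))
```

Edge bits of each 4-bit block reach two neighbouring S-boxes, while the two middle bits reach only one, which is the diffusion effect the slide refers to.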

Substitution Box Example
[Figure: substitution box example]

Key Schedule
• The key schedule derives 16 round keys k_i, each consisting of 48 bits, from the original 56-bit key.
• Another term for round key is subkey.
• The 64-bit key is first reduced to 56 bits by ignoring every eighth bit.
• The parity bits are stripped in the initial PC-1 permutation.
• The name PC-1 stands for “permuted choice one”.
• The exact bit connections are shown in the table.

Key Schedule
• The resulting 56-bit key is split into two halves C_0 and D_0, and the actual key schedule.
• The two 28-bit halves are cyclically shifted, i.e., rotated, left by one or two bit positions depending on the round i according to the following rules:
  o In rounds i = 1, 2, 9, 16, the two halves are rotated left by one bit.
  o In the other rounds where i ≠ 1, 2, 9, 16, the two halves are rotated left by two bits.
• To derive the 48-bit round keys k_i, the two halves are permuted bitwise again with PC-2, which stands for “permuted choice 2”.
• PC-2 permutes the 56 input bits coming from C_i and D_i and ignores 8 of them.
• The exact bit-connections of PC-2 are given in the table here.

Key Schedule
• Note that every round key is a selection of 48 permuted bits of the input key k.
• The key schedule is merely a method of realizing the 16 permutations systematically.
• Especially in hardware, the key schedule is very easy to implement.

Decryption
• One advantage of DES is that decryption is essentially the same function as encryption.
• This is because DES is based on a Feistel network.
• Compared to encryption, only the key schedule is reversed, i.e., in decryption round 1, subkey 16 is needed; in round 2, subkey 15; etc.
• Thus, when in decryption mode, the key schedule algorithm has to generate the round keys as the sequence k_16, k_15, ..., k_1.

Decryption - Reversed Key Schedule
• The subsequent round keys k_14, k_13, ..., k_1 are derived via right shifts in a similar fashion.
• The number of bits shifted right for each round key in decryption mode are as follows:
  o In decryption round 1, the key is not rotated.
  o In decryption rounds 2, 9, and 16 the two halves are rotated right by one bit.
  o In the other rounds 3, 4, 5, 6, 7, 8, 10, 11, 12, 13, 14 and 15 the two halves are rotated right by two bits.

Decryption in Feistel Networks
• We have not addressed the core question: Why is the decryption function essentially the same as the encryption function?
• The basic idea is that the decryption function reverses the DES encryption in a round-by-round manner.
• That means that decryption round 1 reverses encryption round 16, decryption round 2 reverses encryption round 15, and so on.
• Note that the right and left halves are swapped in the last round of DES.
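
The rotation rules of the key schedule and of the reversed key schedule above, as an added example that is not part of the original slides: it shows that the 16 left rotations sum to 28 bits, so C_16 = C_0 and D_16 = D_0, and that the right-rotation rules regenerate the halves in the order 16, 15, ..., 1. PC-1 and PC-2 are left out because their tables are not reproduced on this page; the sample halves and function names are constructed for illustration.

```python
MASK28 = (1 << 28) - 1

# Rotation amounts per round exactly as listed in the slides (index 0 = round 1).
ENC_LEFT = [1 if i in (1, 2, 9, 16) else 2 for i in range(1, 17)]
DEC_RIGHT = [0 if i == 1 else 1 if i in (2, 9, 16) else 2 for i in range(1, 17)]

def rotl28(v: int, n: int) -> int:
    """Rotate a 28-bit value left by n bits."""
    return ((v << n) | (v >> (28 - n))) & MASK28

def rotr28(v: int, n: int) -> int:
    """Rotate a 28-bit value right by n bits (n = 0 leaves it unchanged)."""
    return ((v >> n) | (v << (28 - n))) & MASK28

def halves(c0: int, d0: int, shifts, rotate):
    """Return the (C, D) pair after each of the 16 rounds."""
    out, c, d = [], c0, d0
    for n in shifts:
        c, d = rotate(c, n), rotate(d, n)
        out.append((c, d))
    return out

def encryption_halves(c0: int, d0: int):
    """(C_1, D_1), ..., (C_16, D_16): each pair would feed PC-2 to give k_1..k_16."""
    return halves(c0, d0, ENC_LEFT, rotl28)

def decryption_halves(c0: int, d0: int):
    """Pairs produced in decryption rounds 1..16 by the right-rotation rules."""
    return halves(c0, d0, DEC_RIGHT, rotr28)

# Constructed 28-bit sample halves, standing in for the output of PC-1.
C0, D0 = 0xF0CCAAF, 0x556678F

if __name__ == "__main__":
    enc = encryption_halves(C0, D0)
    dec = decryption_halves(C0, D0)
    print("total left rotation:", sum(ENC_LEFT), "bits")
    print("C_16, D_16 equal C_0, D_0:", enc[-1] == (C0, D0))
    print("decryption order is 16..1:", dec == enc[::-1])
```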

Decryption in Feistel Networks
[Figure: The first decryption round reverses the last encryption round.]

The first decryption round reverses the last encryption round. This is an iterative process which continues in the next 15 decryption rounds and that can be expressed as:
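
The round-by-round reversal described above, as an added example that is not part of the original slides: a 16-round Feistel network in which decryption is the same routine run with the subkeys in reverse order. The round function and subkey derivation here are stand-ins built from SHA-256 (assumptions, not the DES f-function or key schedule), and IP and IP^-1 are omitted because they cancel each other out.

```python
import hashlib

MASK32 = 0xFFFFFFFF
ROUNDS = 16

def toy_f(right: int, subkey: int) -> int:
    """Stand-in 32-bit round function. It is not invertible, and does not need to be:
    the Feistel structure only ever XORs its output into the other half."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def toy_subkeys(key: int):
    """Constructed 48-bit subkeys k_1..k_16 (placeholder for the real key schedule)."""
    raw = key.to_bytes(8, "big")
    return [int.from_bytes(hashlib.sha256(raw + bytes([i])).digest()[:6], "big")
            for i in range(1, ROUNDS + 1)]

def feistel(block: int, subkeys) -> int:
    """Run the rounds over a 64-bit block, then swap the halves once more."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for k in subkeys:
        # Right half passes through unchanged to become the new left half;
        # the old left half is masked with f(right, k) to become the new right half.
        left, right = right, left ^ toy_f(right, k)
    return (right << 32) | left

def encrypt(block: int, key: int) -> int:
    return feistel(block, toy_subkeys(key))

def decrypt(block: int, key: int) -> int:
    # Same routine, subkeys in the order k_16, k_15, ..., k_1.
    return feistel(block, toy_subkeys(key)[::-1])

if __name__ == "__main__":
    key, plaintext = 0x133457799BBCDFF1, 0x0123456789ABCDEF  # constructed sample values
    ciphertext = encrypt(plaintext, key)
    print("ciphertext: %016x" % ciphertext)
    print("decrypts correctly:", decrypt(ciphertext, key) == plaintext)
    print("forward key order fails:", feistel(ciphertext, toy_subkeys(key)) != plaintext)
```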

Decryption in Feistel Networks
• Note that all variables in the decryption routine are marked with the superscript d, whereas the encryption variables do not have superscripts.
• The derived equation simply says that the input of the first round of decryption is the output of the last round of encryption because final and initial permutations cancel each other out.

Security of DES
• Two major criticisms of DES:
  o Exhaustive key search vulnerability: The key space (56 bits) is too small, i.e., the algorithm is vulnerable against brute-force attacks.
  o Analytical attacks possible

Security of DES – Exhaustive Key Search
• IBM had proposed a 128-bit key for DES, which would have made DES more secure.
• Cut down to 56 bits to make hardware implementation easy.
• Regular computers are not particularly well suited to perform the 2^56 key tests necessary, but special-purpose key-search machines are an option.
• Large (government) institutions have long been able to build such brute-force crackers, which can break DES in a matter of days.
• Therefore a key size of 56 bits is too short to encrypt confidential data nowadays.
• Hence, single DES should only be used for applications where only short-term security is needed (say, a few hours) or where the value of the encrypted data is very low.
• However, variants of DES, in particular 3DES, are still secure.

Security of DES – Analytical Attacks
• Vulnerable against two kinds of analytical attacks:
  o Differential cryptanalysis (DC): applicable to block ciphers
  o Linear cryptanalysis (LC): Linear cryptanalysis works on a single bit (one bit at a time).
• What is the practical relevance of these two analytical attacks against DES?
• It turns out that an attacker needs 2^47 plaintext–ciphertext pairs for a successful differential cryptanalysis attack.
• In the case of LC, an attacker needs 2^43 plaintext–ciphertext pairs.
• What does this imply?
• First, an attacker needs to know an extremely large number of plaintexts, i.e., pieces of data which are supposedly encrypted and thus hidden from the attacker.
• Second, collecting and storing such an amount of data takes a long time and requires considerable memory resources.
• Third, the attack only recovers one key.
• As a result of all these arguments, it does not seem likely that DES can be broken with either DC or LC in real-world systems.

Implementation in Software and Hardware
• When we talk about software, we refer to DES implementations running on desktop CPUs or embedded microprocessors like smart cards or cell phones.
• Hardware refers to DES implementations running on integrated circuits.

Implementation – Software Implementation
• A straightforward software implementation which follows the data flow of most DES descriptions, such as the one we have discussed, results in very poor performance.
• This is due to the fact that many of the atomic DES operations involve bit permutations, which are slow in software.
• Similarly, small S-boxes such as used in DES are efficient in hardware but only moderately efficient on modern CPUs.
• There have been numerous methods proposed for accelerating DES software implementations.
• The general idea is to use tables with precomputed values of several DES operations.

Implementation – Hardware
• One design criterion for DES was its efficiency in hardware.
• Permutations such as the E, P, IP and IP^-1 permutations are very easy to implement in hardware, as they only require wiring but no logic.
• The small 6-by-4 S-boxes are also relatively easily realizable in hardware.
• Typically, they are implemented with Boolean logic, i.e., logic gates.

DES Alternatives
• Advanced Encryption Standard (AES)
  o To be discussed in detail later
  o AES has three key lengths of 128, 192 and 256 bits
  o Secure against brute-force attacks for several decades
  o There are no analytical attacks with any reasonable chance of success known.

DES Alternatives
• Triple DES
  o 3DES seems resistant to both brute-force attacks and any analytical attack imaginable at the moment.
  o DES is very efficient in hardware but not particularly in software.
  o It is popular in financial applications as well as for protecting biometric information in electronic passports.
