DES History

• In 1973, NBS (NIST) issues a public request for proposals for a national
cipher standard, which must be
– Secure
– Public
– Completely specified
– Easy to understand
– Available to all users
– Economic and efficient in hardware
– Able to be validated
– Exportable
• IBM submitted LUCIFER (Feistel) (which was redesigned to become
the DES)
• In 1977, adopted by NBS (NIST) as DES (Data Encryption Standard,
Federal Information Processing Standard 46 (FIPS PUB 46))
 DES History
• Chronolgy
• 1973: NBS publishes a first request for a standard encryption algorithm
• 1974: NBS publishes a second request for encryption algorithms
• 1975: DES is published in the Federal Register for comment
• 1976: First and second workshop on DES
• 1976: DES is approved as a standard
• 1977: DES is published as a FIPS standard FIPS PUB 46
• 1983: DES reaffirmed for the first time
• 1986: Videocipher II, a TV satellite scrambling system based upon DES
begins use by HBO
• 1988: DES is reaffirmed for the second time as FIPS 46-1, superseding
FIPS PUB 46
• 1992: Biham and Shamir publish the first theoretical attack with less
complexity than brute force: differential cryptanalysis. However, it requires
an unrealistic 247 chosen plaintexts
• 1993: DES is reaffirmed for the third time as FIPS 46-2
 DES History
• 1994: The first experimental cryptanalysis of DES is performed using
linear cryptanalysis (Matsui, 1994)
• 1997: The DESCHALL Project breaks a message encrypted with DES for
the first time in public
• 1998: The Electronic Frontier Foundation (EFF)’s DES cracker (Deep Crack)
breaks a DES key in 56 hours
• 1999: Together, Deep Crack and distributed.net break a DES key in 22 hours
and 15 minutes
• 1999: DES is reaffirmed for for the fourth time as FIPS 46-3, which
specifies the preferred use of Triple DES, with single DES permitted only in
legacy systems
• 2001: The Advanced Encryption Standard is published in FIPS 197
• 2002: The AES standard becomes effective
• 2004: The withdrawal of FIPS 46-3 (and a couple of related standards) is
proposed in the Federal Register
• 2005: NIST withdraws FIPS 46-3
 Encryption and Decryption with DES

DES is a block cipher, as shown in Figure

 General Structure of DES

The encryption process is made of two permutations (P-boxes),

which we call initial and final permutations, and sixteen Feistel
rounds.
 DES Encryption Overview

64-bit Plaintext 56-bit Key

… …
Initial Permutation Permuted Choice 1

K1
Iteration 1 Permuted Choice 2 Left Circular Shift
K2
Iteration 2 Permuted Choice 2 Left Circular Shift

K16
Iteration 16 Permuted Choice 2 Left Circular Shift

32-bit Swap

Inverse Initial
Permutation
…
64-bit Ciphertext
DES Encryption Overview
Initial and Final Permutation Steps in DES
 Initial and Final Permutation tables

Problem No. 1
Find the output of the initial permutation box when the input is given in
hexadecimal as:

Input has only two 1s (Bit 15 and bit 64): the output must also have only two
1s(the nature straight permutation).
The bit 15 in the input becomes bit 63 in the output. Bit 64 in the input
becomes bit 25 in the output. So the output has only two 1s, bit 25 and bit 63.
 6.2.1 Continued
Problem No. 2

Problem No. 2
Prove that the initial and final permutations are the inverse of each other by
finding the output of the final permutation if the input is

Solution: The bit 25 in the input becomes bit 64 in the output. Bit 63 in the input
becomes bit 15 in the output. So the output has only two 1s, bit 15 and bit 64.
 A round in DES (encryption site)

DES uses 16 rounds. Each round of DES is a Feistel cipher.

 DES Contd.

• The computation consists of 16 iterations of a calculation

• The cipher function f operates on two blocks, one of 32 bits and one of 48 bits,
and produces a block of 32 bits.
• The input block is then LR, 32 bit block L followed by a 32 bit block R.
• Let K be a block of 48 bits chosen from the 64-bit key. Then the output L'R' of
an iteration with input LR is defined by:
L' = R
R' = L (+) f (R,K)
• L'R' is the output of the 16th iteration then R'L' is the preoutput block.
• At each iteration a different block K of key bits is chosen from the 64-bit key
designated by KEY.
• Let KS be a function which takes an integer n in the range from 1 to 16 and a 64-
bit block KEY as input and yields as output a 48-bit block Kn which is a
permuted selection of bits from KEY. That is
Kn = KS (n, KEY)
 DES - Swapping of Left and Right Halves

Li-1 Ri-1

▪ This can be described functionally as:

▪ L(i) = R(i-1)
▪ R(i) = L(i-1)  P(S( E(R(i-1))  K(i) )) Li-1  f (Ri-1, Ki)
▪ This forms one round in an S-P network

32 bits Li 32 bits Ri
 DES - Swapping of Left and Right Halves

Li-1 Ri-1

▪ This can be described functionally as:

▪ L(i) = R(i-1)
▪ R(i) = L(i-1)  P(S( E(R(i-1))  K(i) )) Li-1  f (Ri-1, Ki)

▪ This forms one round in an S-P network

32 bits Li 32 bits Ri
 Details of Each Iteration

32 bits 32 bits 28 bits 28 bits

Li-1 Ri-1 Ci-1 Di-1
32 bits
Expansion
Permutation Left Shift(s) Left Shift(s)
(E-Table)
48 bits
48 bits Permutation Choice
XOR Ki
(PC-2)
48 bits
Substitution Box
(S-Box)
32 bits
Permutation Box
(P)
32 bits

XOR
32 bits

Li Ri Ci Di
 6.2.2 Continued
DES Function

The heart of DES is the DES function. The DES function applies a 48-bit key to the
rightmost 32 bits to produce a 32-bit output.
 6.2.2 Continue
Expansion P-box
Since RI−1 is a 32-bit input and KI is a 48-bit key, we first need to expand RI−1 to 48
bits.
 Expansion Permutation Table

32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
 6.2.2 Continue
Whitener (XOR)

After the expansion permutation, DES uses the XOR operation on the
expanded right section and the round key. Note that both the right section
and the key are 48-bits in length. Also note that the round key is used only
in this operation.
 S-Boxes
The S-boxes do the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit
input and a 4-bit output.

6.20
 S-Box 1
Table shows the permutation for S-box 1. For the rest of the boxes see the textbook.

Problem No. 3
The input to S-box 1 is 100011.
What is the output?
 S-Box Structure

S1
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
00(1) 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
01(2) 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
10(3) 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
11(4) 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

For example, for input 011011 the row is 01, that is row 1, and
the column is determined by 1101, that is column 13. In row 1
column 13 appears 5 so that the output is 0101.
S-Box Structure
 S-Box Structure

The input to S-box 8 is 000000. What is the output?

 Solution

If we write the first and the sixth bits together, we get 00 in binary, which is 0
in decimal. The remaining bits are 0000 in binary, which is 0 in decimal. We
look for the value in row 0, column 0, in Table 6.10 (S-box 8). The result is 13
in decimal, which is 1101 in binary. So the input 000000 yields the output
1101.
Straight Permutation
 Cipher and Reverse Cipher

Using mixers and swappers, we can create the cipher and reverse
cipher, each having 16 rounds.

First Approach
To achieve this goal, one approach is to make the last round
(round 16) different from the others; it has only a mixer and no
swapper.
6.2.3 Continued
DES Cipher and Reverse Cipher
Key Generation
 Permutation 1

PC-1
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36

63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
 PC-1

IP 58 50 42 34 26 18 10 2 57 49 41 33 25 17 9
60 52 44 36 28 20 12 4 1 58 50 42 34 26 18
62 54 46 38 30 22 14 6 10 2 59 51 43 35 27
64 56 48 40 32 24 16 8 19 11 3 60 52 44 36
57 49 41 33 25 17 9 1 63 55 47 39 31 23 15
59 51 43 35 27 19 11 3 7 62 54 46 38 30 22
61 53 45 37 29 21 13 5 14 6 61 53 45 37 29
63 55 47 39 31 23 15 7 21 13 5 28 20 12 4
 Permutation Choice 2

PC-2
14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
 Key Rotation Schedule

Round 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Number
Number of 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
Left Shifts
Total Number 1 2 4 6 8 10 12 14 15 17 19 21 23 25 27 28
of Shifts

Iteration Corresponds to Left Shifts

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
 Avalanche Effect

DES exhibits strong avalanche, where a change of one input or key

bit results in changing approx half output bits.

Two desired properties of a block cipher are the avalanche effect and
the completeness.

To check the avalanche effect in DES, let us encrypt two plaintext

blocks (with the same key) that differ only in one bit and observe the
differences in the number of bits in each round.
 6.3.1 Continued
Avalanche Effect Contd.

Although the two plaintext blocks differ only in the rightmost bit, the
ciphertext blocks differ in 29 bits. This means that changing
approximately 1.5 percent of the plaintext creates a change of
approximately 45 percent in the ciphertext.

Completeness Effect
Completeness effect means that each bit of the ciphertext needs to depend
on many bits on the plaintext. The Diffusion and Confusion produced
by P-boxes and S-boxes in DES shows a very strong completeness effect.
 Design Criteria of S-boxes
The design provides confusion and diffusion of bits from each round
to the next.

• The entries of each row are permutation of values are

between 0 and 15.

• If there is a single bit change in the input, two or more bits

will be changed in the output.

• If two inputs to an S-box differ only in the two middle bits

(bit 3 and bit 4), the output must differ in at least two bits.
 Design Criteria of S-boxes Contd.

If two inputs to an S-box differ in the first two bits (bit 1 and bit
2) and are the same in the last two bits (5 and 6), the two outputs
must be different.

There are only 32 6-bit input word pairs(Xi and Xj ) in which

XiƟXj ≠ (000000)2. These 32 input pairs create 32 4-bit output
word pair. If we create the difference between the 32 output pair
d = YiƟ Yj , no more than 8 of these d should be the same.
 Design Criteria for P-boxes
Between two rounds of S-boxes, there are one straight P-box (32 bit to 32
bit) and one Expansion P-box (32 bit to 48 bit). These two P-boxes
together provide diffusion of bits.

• Each S-box input comes from the output of a different S-box (in
the previous round).

• The four outputs from each S-box go to six different S-boxes

(in the next round).

• No two output bits from an S-box go the same S-boxes (in

the next round).

• For each S-box, the two output bits go to the first or last two bits
of an S-box in the next round. The other two output bits go the
middle
6.38 bits of an S-box in the next round.
 Design Criteria for P-boxes Contd.

If we number the eight S-boxes, S1, S2, S3, …, S8

• An output of Sj-2 goes to one of the first two bits of Sj

(in the next round).

• An output bit from Sj-1 goes to one of the last two bits
of Sj (in the next round).

• An output of Sj+1 goes to one of the two middle bits of

Sj ( in the next round).

6.39
 DES Weaknesses
During the last few years critics have found some weakness in DES

Weakness in S-Boxes
• At least three weaknesses are mentioned in the literature for
S-boxes.

• In S-box 4, the last three output bits can be derived in the

same way as the first output bit by complementing some of
the input bits.

• Two specifically chosen inputs to an S-box array can create

the same output.

• It is possible to obtain the same output in a single round by

changing bits in only three neighboring S-boxes.
 Weakness in P-boxes

• It is not clear why the designer of DES used the initial and
final permutation; these have no security benefits.

• In the expansion permutation (inside the function), the first

and fourth bits of every 4-bit series are repeated.

Number of Rounds
DES uses sixteen rounds of Feistel ciphers. the ciphertext is
thoroughly a random function of plaintext and ciphertext.

6.41
 Weakness in Keys

Let us try the first weak key in Table 6.18 to encrypt a block two
times. After two encryptions with the same key the original
plaintext block is created. Note that we have used the encryption
algorithm two times, not one encryption followed by another
decryption.

6.42
Double Encryption and Decryption with a Weak Key

6.43
 Semi Weak Keys

There are six key pairs that are called semi weak keys and they
are shown in the below table. A semi weak key creates only two
different round keys and each of them is repeated eight times. In
addition, the round keys created from each pair are the same with
different orders.

6.44
6.3.3 Continued
Semi Weak Keys

6.45
 Semi Weak Keys

A pair of semi-weak keys in Encryption and Decryption

What is the probability of randomly selecting a weak, a semi-

weak, or a possible weak key?
 6.3.3 Continued
Solution

DES has a key domain of 256. The total number of the above keys
are 64 (4 + 12 + 48). The probability of choosing one of these
keys is 8.8 × 10−16, almost impossible.