m033 Des

Uploaded by

banerjeeankan17

Data Encryption Standard (DES) was the most widely used encryption scheme.

DES was issued in 1977 by the National Bureau of Standards, now the National Institute of Standards and Technology (NIST). The algorithm itself is referred to
as the Data Encryption Algorithm (DEA). For DEA, data are encrypted in 64-bit blocks using a 56-bit key. The
algorithm transforms 64-bit input in a series of steps into a 64-bit output. The same steps, with the same key, are used to
reverse the encryption. Over the years, DES became the dominant symmetric encryption algorithm, especially in
financial applications.
DES Encryption
The overall scheme for DES encryption is
illustrated in the figure. As with any encryption
scheme, there are two inputs to the encryption
function: the plaintext to be encrypted and the
key. In this case, the plaintext must be 64 bits in
length and the key is 56 bits in length. Looking at
the left-hand side of the figure, we can see that
the processing of the plaintext proceeds in three
phases.
First, the 64-bit plaintext passes through an initial
permutation (IP) that rearranges the bits to
produce the permuted input.
This is followed by a phase consisting of sixteen
rounds of the same function, which involves both
permutation and substitution functions.
The output of the last (sixteenth) round consists
of 64 bits that are a function of the input plaintext
and the key. The left and right halves of the
output are swapped to produce the preoutput.
Finally, the preoutput is passed through a
permutation that is the inverse of the initial
permutation function, to produce the 64-bit
ciphertext.
With the exception of the initial and final
permutations, DES has the exact structure of a
Feistel cipher. The right-hand portion of the
figure shows the way in which the 56-bit key is
used. Initially, the key is passed through a
permutation function. Then, for each of the sixteen rounds, a subkey (K_i) is produced by the combination of a left
circular shift and a permutation. The permutation function is the same for each round, but a different subkey is produced
because of the repeated shifts of the key bits.

DES Decryption
As with any Feistel cipher, decryption uses the same algorithm as encryption, except that the application of the subkeys
is reversed. Additionally, the initial and final permutations are reversed.

Properties
Two desired properties of a block cipher are the avalanche effect and completeness.

Avalanche Effect
Avalanche effect means a small change in the plaintext (or key) should create a significant change in the ciphertext.
DES has been proved to be strong with regard to this property.

Completeness effect
Completeness effect means that each bit of the ciphertext needs to depend on many bits of the plaintext. The diffusion
and confusion produced by P-boxes and S-boxes in DES show a very strong completeness effect.

Design Criteria
The design of DES was revealed by IBM in 1994. Many tests on DES have proved that it satisfies some of the required
criteria as claimed. We briefly discuss some of these design issues.

S-Boxes
The design provides confusion and diffusion of bits from each round to the next. According to this revelation and some
research, we can mention several properties of S-boxes.
1. The entries of each row are permutations of values between 0 and 15.
2. S-boxes are non-linear.
3. If we change a single bit in the input, two or more bits will be changed in the output.
4. If two inputs to an S-box differ only in two middle bits (bits 3 and 4), the output must differ in at least two bits. In
other words, S(x) and S(x ⊕ 001100) must differ in at least two bits where x is the input and S(x) is the output.
5. If two inputs to an S-box differ in the first two bits (bits 1 and 2) and are the same in the last two bits (5 and 6), the
two outputs must be different. In other words, we need to have the following relation S(x) ≠ S(x ⊕ 11bc00), in which b
and c are arbitrary bits.
6. There are only 32 6-bit input-word pairs (x_i and x_j), in which x_i ⊕ x_j ≠ (000000)_2. These 32 input pairs create 32
4-bit output-word pairs. If we create the difference between the 32 output pairs, d = y_i ⊕ y_j, no more than 8 of these
d's should be the same.
7. A criterion similar to # 6 is applied to three S-boxes.
8. In any S-box, if a single input bit is held constant (0 or 1) and the other bits are changed randomly, the differences
between the number of 0s and 1s are minimized.
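
Criteria 1, 3, 4 and 5 above can be checked mechanically. The following Python code is an added example, not part of the original document: it tests them on S-box 1, whose table is taken from the DES standard because this page does not print it, and the function names are illustrative.

```python
# S-box 1 as defined in the DES standard (table not printed on this page).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(table, x):
    """Look up a 6-bit input: bits 1 and 6 pick the row, bits 2-5 the column."""
    row = ((x >> 4) & 0b10) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]

def weight(v):
    """Number of 1 bits, i.e. how many output bits differ after an XOR."""
    return bin(v).count("1")

def check_criteria(table):
    """Return {criterion number: holds?} for criteria 1, 3, 4 and 5."""
    xs = range(64)
    return {
        # 1. Every row is a permutation of 0..15.
        1: all(sorted(row) == list(range(16)) for row in table),
        # 3. Flipping any single input bit changes at least two output bits.
        3: all(weight(sbox(table, x) ^ sbox(table, x ^ (1 << i))) >= 2
               for x in xs for i in range(6)),
        # 4. S(x) and S(x XOR 001100) differ in at least two bits.
        4: all(weight(sbox(table, x) ^ sbox(table, x ^ 0b001100)) >= 2
               for x in xs),
        # 5. S(x) != S(x XOR 11bc00) for every choice of the bits b and c.
        5: all(sbox(table, x) != sbox(table, x ^ (0b110000 | (bc << 2)))
               for x in xs for bc in range(4)),
    }

# Constructed counter-example: four identical identity rows. Each row is still
# a permutation, but a one-bit input change moves at most one output bit.
IDENTITY_ROWS = [list(range(16)) for _ in range(4)]

if __name__ == "__main__":
    print("S1      :", check_criteria(S1))
    print("identity:", check_criteria(IDENTITY_ROWS))
```

The identity table passes criterion 1 but fails criterion 3, which shows that row permutations alone do not give the diffusion the other criteria demand.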

P-Boxes
Between two rows of S-boxes (in two subsequent rounds), there are one straight P-box (32 to 32) and one expansion
P-box (32 to 48). These two P-boxes together provide diffusion of bits. The following criteria were implemented in the
design of P-boxes to achieve this goal:
1. Each S-box input comes from the output of a different S-box (in the previous round).
2. No input to a given S-box comes from the output from the same box (in the previous round).
3. The four outputs from each S-box go to four different S-boxes (in the next round).
4. No two output bits from an S-box go to the same S-box (in the next round).
5. For each S-box, the two output bits go to the first or last two bits of an S-box in the next round. The other two output
bits go to the middle bits of an S-box in the next round.
6. If an output bit from Sj goes to one of the middle bits in Sk (in the next round), then an output bit from Sk cannot go
to the middle bit of Sj. If we let j = k, this implies that none of the middle bits of an S-box can go to one of the middle
bits of the same S-box in the next round.

Number of Rounds
DES uses sixteen rounds of Feistel ciphers. It has been proved that after eight rounds, each ciphertext is a function of
every plaintext bit and every key bit; the ciphertext is thoroughly a random function of plaintext and key.

DES Weaknesses
During the last few years critics have found some weaknesses in DES.

Weaknesses in Cipher Design


We will briefly mention some weaknesses that have been found in the design of the cipher.
S-boxes
At least three weaknesses are mentioned in the literature for S-boxes.
1. In S-box 4, the last three output bits can be derived in the same way as the first output bit by complementing some of
the input bits.
2. Two specifically chosen inputs to an S-box array can create the same output.
3. It is possible to obtain the same output in a single round by changing bits in only three neighbouring S-boxes.

P-boxes
One mystery and one weakness were found in the design of P-boxes:
1. It is not clear why the designers of DES used the initial and final permutations; these have no security benefits.
2. In the expansion permutation (inside the function), the first and fourth bits of every 4-bit series are repeated.

Weakness in the Cipher Key


Several weaknesses have been found in the cipher key.
Key Size
Critics believe that the most serious weakness of DES is in its key size (56 bits). To do a brute-force attack on a given
ciphertext block, the adversary needs to check 2^56 keys.
a. With available technology, it is possible to check one million keys per second. This means that we need more than
two thousand years to do brute-force attacks on DES using only a computer with one processor.
b. If we can make a computer with one million chips (parallel processing), then we can test the whole key domain in
approximately 20 hours. When DES was introduced, the cost of such a computer was over several million dollars, but
the cost has dropped rapidly. A special computer was built in 1998 that found the key in 112 hours.
c. Computer networks can simulate parallel processing. In 1977 a team of researchers used 3500 computers attached to
the Internet to find a key challenged by RSA Laboratories in 120 days. The key domain was divided among all of these
computers, and each computer was responsible for checking its part of the domain.
d. If 3500 networked computers can find the key in 120 days, a secret society with 42,000 members can find the key in
10 days.
The above discussion shows that DES with a cipher key of 56 bits is not safe enough to be used comfortably. We will
see later in the chapter that one solution is to use triple DES (3DES) with two keys (112 bits) or triple DES with three
keys (168 bits).

Weak Keys
Four out of 2^56 possible keys are called weak keys. A weak key is one that, after the parity drop operation
(using Table 6.12), consists either of all 0s, all 1s, or half 0s and half 1s.

What is the disadvantage of using a weak key? If we encrypt a block with a weak key and subsequently encrypt the result
with the same weak key, we get the original block. The process creates the same original block if we decrypt the block
twice. In other words, each weak key is the inverse of itself: E_k(E_k(P)) = P.
Semi-weak Keys
There are six key pairs that are called semi-weak keys. These six pairs are shown in Table 6.19 (64-bit format before
dropping the parity bits). A semi-weak key creates only two different round keys and each of them is repeated eight
times. In addition, the round keys created from each pair are the same with different orders.

MULTIPLE DES
As we have seen, the major criticism of DES regards its key length. With available technology and the possibility of
parallel processing, a brute-force attack on DES is feasible. One solution to improve the security of DES is to abandon
DES and design a new cipher. The second solution is to use multiple (cascaded) instances of DES with multiple keys;
this solution, which has been used for a while, does not require an investment in new software and hardware. We study
the second solution here.

Double DES
The first approach is to use double DES (2DES). In this approach, we use two instances of DES ciphers for encryption
and two instances of reverse ciphers for decryption. Each instance uses a different key, which means that the size of the
key is now doubled (112 bits). However, double DES is vulnerable to a known-plaintext attack, known as the
meet-in-the-middle attack, as discussed in the next section.

Meet-in-the-Middle Attack

Triple DES
To improve the security of DES, triple DES (3DES) was proposed. This uses three stages of DES for encryption and
decryption. Two versions of triple DES are in use today: triple DES with two keys and triple DES with three keys.

Triple DES with Two Keys


In triple DES with two keys, there are only two keys: k1 and k2. The first and the third stages use k1; the second stage
uses k2. To make triple DES compatible with single DES, the middle stage uses decryption (reverse cipher) in the
encryption site and encryption (cipher) in the decryption site. In this way, a message encrypted with single DES with
key k can be decrypted with triple DES if k1 = k2 = k. Although triple DES with two keys is also vulnerable to a
known-plaintext attack, it is much stronger than double DES. It has been adopted by the banking industry.

Triple DES with Three Keys


The possibility of known-plaintext attacks on triple DES with two keys has enticed some applications to use triple DES
with three keys. Although the algorithm can use three DES cipher stages at the encryption site and three reverse cipher
stages at the decryption site, to be compatible with single DES, the encryption site uses EDE and the decryption site
uses DED (E stands for encryption and D stands for decryption). Compatibility with single DES is provided by letting
k1 = k and setting k2 and k3 to the same arbitrary key chosen by the receiver. Triple DES with three keys is used by
many applications such as PGP.

SECURITY OF DES
DES, as the first important block cipher, has gone through much scrutiny. Among the attempted attacks, three are of
interest: brute-force, differential cryptanalysis, and linear cryptanalysis.
Brute-Force Attack
We have discussed the weakness of the short cipher key in DES. Combining this weakness with the key complement
weakness, it is clear that DES can be broken using 2^55 encryptions. However, today most applications use either 3DES
with two keys (key size of 112) or 3DES with three keys (key size of 168). These two multiple-DES versions make
DES resistant to brute-force attacks.
Differential Cryptanalysis
DES is not immune to this kind of attack. However, it has been revealed that the designers of DES already knew about
this type of attack and designed S-boxes and chose 16 as the number of rounds to make DES specifically resistant to
this type of attack. Today, it has been shown that DES can be broken using differential cryptanalysis if we have 2^47
chosen plaintexts or 2^55 known plaintexts. Although this looks more efficient than a brute-force attack, finding 2^47
chosen plaintexts or 2^55 known plaintexts is impractical. Therefore, we can say that DES is resistant to differential
cryptanalysis. It has also been shown that increasing the number of rounds to 20 requires more than 2^64 chosen
plaintexts for this attack, which is impossible because the possible number of plaintext blocks in DES is only 2^64.

Linear Cryptanalysis
Linear cryptanalysis is newer than differential cryptanalysis. DES is more vulnerable to linear cryptanalysis than to
differential cryptanalysis, probably because this type of attack was not known to the designers of DES. S-boxes are not
very resistant to linear cryptanalysis. It has been shown that DES can be broken using 2^43 pairs of known plaintexts.
However, from the practical point of view, finding so many pairs is very unlikely.
