Data Encryption Standard

(DES)
Introduction
 The Data Encryption Standard (DES) is a symmetric-key block cipher
published by the National Institute of Standards and Technology (NIST).
 In 1973, NIST published a request for proposals for a national symmetric-
key cryptosystem.
 A proposal from IBM, a modification of a project called Lucifer, was
accepted as DES.
 DES was published in the Federal Register in March 1975 as a draft of the
Federal Information Processing Standard (FIPS).
 Heavily criticized: Small key length (56 bits) and Concern about some hidden
design behind the internals of DES.
 Finally, published as “FIPS46” in Federal Register in Jan 1977.
 Most popular symmetric key block cipher.
 However, DES is insecure, due to small key size.
 Later, NIST issued a new standard (FIPS 46-3), recommending the use of
triple DES (repeat DES three times), which is secure.
 According to the famous information theorist Claude Shannon, there
are two primitive operations with which strong encryption algorithms
can be built:
 Confusion is an encryption operation where the relationship between key
and ciphertext is obscured.
 Today, a common element for achieving confusion is substitution, which is found
in both DES and AES. 2.

 Diffusion is an encryption operation where the influence of one plaintext

symbol is spread over many ciphertext symbols with the goal of hiding
statistical properties of the plaintext.
 A simple diffusion element is the bit permutation, which is used frequently within
DES.
 AES uses the more advanced Mixcolumn operation.
Overview of DES Algorithm
 DES Structure
 The encryption process is made of two permutations (P-boxes), which we call
initial and final permutations, and sixteen Feistel rounds.

 The structure is called a

Feistel Network.
 Feistel network can lead to
strong cipher.
 Encryption and decryption
are almost the same
operation.
 However, the Feistel
network is not used is all
modern block ciphers, e.g.,
AES.
 Initial and Final Permutations
 Takes 64 bits input and permutes them according to a predefined
rule.
 These permutations are keyless permutation that are inverse of
each other.
 E.g., 58th bit in the input (initial permutation) becomes the 1st bit in
the output. In the final permutation, the 1st bit in the input becomes
the 58th bit in the output.
Initial and Final Permutations
 Initial and Final Permutations

Initial and final permutation tables

Initial and Final Permutations

Example
Find the output of the final permutation box when
the input is given in hexadecimal as:

Solution
Only bit 25 and bit 63 are 1s; the other bits are 0s. In
the final permutation, bit 25 becomes bit 64 and bit
63 becomes bit 15. The result is
Initial and Final Permutations
Example
Prove that the initial and final permutations are the
inverse of each other by finding the output of the
initial permutation if the input is

Solution
The input has only two 1s; the output must also have
only two 1s. Using the final permutation table, we
can find the output related to these two bits. Bit 15 in
the input becomes bit 63 in the output. Bit 64 in the
input becomes bit 25 in the output. So the output has
only two 1s, bit 25 and bit 63. The result in
hexadecimal is
 Rounds in DES

A round in DES (encryption site)

Rounds in DES

 DES Function
 The heart of DES is the DES
function.
 The DES function applies a
48-bit key to the rightmost 32
bits to produce a 32-bit
output.
 Four sections:
 An expansion Box
 Whitener (that adds key)
 A group of S-boxes.
 A straight Box
 Rounds in DES: Expansion P-box
 Expansion P-box
 Since RI−1 is a 32-bit input and KI is a 48-bit key, we first need to expand
RI−1 to 48 bits.
 RI−1 is divided into 8 4-bit sections (8X4=32 bits).
 Each 4 bit is then expanded to 6 bits (32 + 2X8=48 bits), following a
predefined rule.
 For each section:
 Input bits 1, 2, 3, and 4 are copied to output bits 2, 3, 4, and 5.
 Bit 1 of output comes from bit 4 of the previous section.
 Bit 6 ………………………… bit 1 ……… next section.
 Rounds in DES: Expansion P-box
 Although the relationship between the input and output can be defined
mathematically, DES uses the following table to define this P-box.

Expansion P-box table

Rounds in DES: Whitener (XOR)
 Whitener (XOR)
 After the expansion permutation, DES uses the
XOR operation on the expanded right section
and the round key.
 Note that both the right section and the key
are 48-bits in length.
 Also note that the round key is used only in this
operation.
 Rounds in DES: S-Boxes

 S-Boxes: The S-boxes do the real mixing (confusion).

 DES uses 8 S-boxes, each with a 6-bit input and a 4-bit
output.

 Each 6-bit chunk is fed into a S-box  result is a 4 bit

chunk  resulting in a 32 bit output.
 The substitution in each block follows a predefined rule
based on 4 rows and 16 columns.
Rounds in DES: S-Boxes

S-box rule
 S-Box Rule:
 Use the 1st and 6th bit
of the input for one
of the four rows.
 Use bits 2-to-5 of the
input for one of the
columns.
 Rounds in DES: S-Boxes
6.18
 Table below shows the permutation for S-box 1.
For the rest of the boxes see the textbook.
 The values are given in decimal.

S-box 1
Rounds in DES: S-Boxes

Example
The input to S-box 1 is 100011. What is the output?

Solution
If we write the first and the sixth bits together, we get
11 in binary, which is 3 in decimal. The remaining bits
are 0001 in binary, which is 1 in decimal. We look for
the value in row 3, column 1, in Table 6.3 (S-box 1).
The result is 12 in decimal, which in binary is 1100. So
the input 100011 yields the output 1100.
Final Permutation
 Straight Permutation
 Last operation in DES, is to permutes 32-bit input to a
32-bit output.
 The table below shows the input/output relationship,
which is same as before.
 E.g., 7th bit of the input becomes  2nd bit of the
output.
Straight permutation table
 Cipher and Reverse Cipher
 Using mixers and
swappers, we can
create the cipher
and reverse cipher,
each having 16
rounds.
 One approach is to
make the last round
(round 16) different
from the others; it
has only a mixer and
no swapper.
 NOTE: There is no
swapper in the last
round.
 The round key
should be applied in
the reverse order.
 Cipher and Reverse Cipher
Pseudocode for DES cipher

Initial Permutation
Split in Left and Right sub-blocks of 32 bits
16 rounds

Mixer
Swapper

Combine 2 32 bit blocks

Final Permutation
 Cipher and Reverse Cipher
Pseudocode for DES cipher (Continued)

f(RI-1,KI)
Cipher and Reverse Cipher
Pseudocode for DES cipher (Continued)

S-Boxes
Cipher and Reverse Cipher
 Cipher and Reverse Cipher

 Alternative Approach: We can make all 16 rounds the

same by including one swapper to the 16th round
and add an extra swapper after that (two
swappers cancel the effect of each other).
 DES: Key generation

 Key Generation: The round-key

generator creates sixteen 48-bit
keys out of a 56-bit cipher key.
 The cipher key is normally
given as a 64-bit key, in which 8
extra bits are the parity bits.
 First, we drop the parity bits to
get 56 bits.
 DES: Key generation
 Parity Drop: Key preprocessing
 Drops the parity bits 8, 16, 24, 32, …, 64 and permutes the
remaining 56 bits according to the permutation table given
below.
 Used for generating the round keys.

Parity-bit drop table

 DES: Key generation
 Shift Left: After parity drop, the key is divided into 28-bit parts, say
two halves C0 and D0 .
 Each part is shifted left (circular shift) one or two bits.
 In round 1, 2, 9 and 16, shifting is one bit; in other rounds, it is shifted
by two bits.
 The two parts are then combined to form 56-bits.

Number of bits shifts at each round

 The total number of rotation positions is 4·1+12·2 = 28.

 This leads to the interesting property that C0 = C16 and D0 = D16.
6.30
DES: Key generation

 Key Compression: The compression D-Box changes the

58 bits to 48 bits, which are used as a key for each round.

Key-compression table
 DES: Key generation

Algorithm for round-key generation

DES: Key generation

Algorithm for round-key generation (Continue)

 DES: Example
Example: Encryption
We choose a random plaintext block and a random key, and determine
what the ciphertext block would be (all in hexadecimal):

Trace of data for Example

 DES: Example
Example: Encryption
Trace of data for Example 6.5 (Continued)
 DES: Example
Example: Decryption

Let us see how Bob, at the destination, can decipher the

ciphertext received from Alice using the same key.
 DES Decryption

 Why is the decryption function essentially the same as the

encryption function?
 The basic idea is that the decryption function reverses the DES
encryption in a round-by-round manner.
 That means that decryption round 1 reverses encryption round 16,
 Decryption round 2 reverses encryption round 15, and so on.
DES Decryption
DES Encryption DES Decryption

 Note: The above DES design uses Approach 2.

 In this, we use an additional swapper at the end to cancel the swapper at round 16.
 The result of both approaches are the same.
 DES Decryption

DES Encrypt - Round 16 DES Decrypt – Round 1

Next, we show that Round 16 of DES Encryption is the inverse of Round 1 of DES
Decryption.

The same is TRUE for all the other rounds.

DES Decryption
 Note that the right and left halves are swapped in the last
round of DES:
 (𝐿𝑑0 , 𝑅0𝑑 ) = IP Y = IP IP −1 𝑅16 , 𝐿16 = 𝑅16 , 𝐿16

 Thus, we can say that

 𝐿𝑑0 = 𝑅16 , and
 𝑅0𝑑 = 𝐿16 = 𝑅15
 The above equation says that the input of the first round of
decryption is the output of the last round of encryption, as the
final and initial permutations cancel each other out.

 Next, we show that the first decryption round reverses the last
encryption round.
DES Decryption

 Note that: (easy case)

 𝐿𝑑1 = 𝑅0𝑑 = 𝐿16 = 𝑅15

 We now look at how 𝑅1𝑑 is computed:

 𝑅1𝑑 = 𝐿𝑑0 ⊕ 𝑓 𝑅0𝑑 , 𝑘16 = 𝑅16 ⊕ 𝑓 𝐿16 , 𝑘16

 𝑅1𝑑 = [𝐿15 ⊕ 𝑓 𝑅15 , 𝑘16 ] ⊕ 𝑓 𝑅15 , 𝑘16

 𝑅1𝑑 = 𝐿15 ⊕ 𝑓 𝑅15 , 𝑘16 ⊕ 𝑓 𝑅15 , 𝑘16 = 𝐿15

 DES Analysis
 Critics have used a strong magnifier to analyze DES.
 Tests have been done to measure the strength of some desired
properties in a block cipher.

 Two desired properties of a block cipher are the avalanche

effect and the completeness.

Example
To check the avalanche effect in DES, let us encrypt two plaintext blocks (with
the same key) that differ only in one bit and observe the differences in the
number of bits in each round.
 DES Analysis
Example Continued

Although the two plaintext blocks differ only in the rightmost bit, the ciphertext
blocks differ in 29 bits.
This means that changing approximately 1.5 percent of the plaintext creates a
change of approximately 45 percent in the ciphertext.

Number of bit differences for Example

 DES Analysis
 Completeness effect means that each bit of the ciphertext needs to depend
on many bits on the plaintext.
 The diffusion and confusion produced by D-boxes and S-boxes in DES, show a
very strong completeness effect.
 Weakness in the cipher key
 Critics believe that the most serious weakness of DES is in the key
size (56 bits).
 To do an attack, attacker needs to check 256 keys.

 If we can check one million keys per second, we may need two
thousand years to do a brute-force attack on DES using a
computer with one processor.
 However, if we make a computer with one million chips, then we
can check the whole key domain in approx. 20 hours.
 A special computer built in 1998 can find the key in 112 hours.

 Plain DES with 56 bit key not safe.

 Weakness in the cipher key

 Weak Key: Four out of 256 keys are called weak keys.
 A weak key is one that, after parity drop operation, ends up with all
0s, all 1s, or half 0s and half 1s.
 Table below lists the weak keys.

 The round keys created from any of these weak keys are the same
and have the same pattern as the cipher key.
 E.g. the 16 keys created from the first key is all made of 0s and one
with the 2nd key is made of half 0s and half 1s.
 Weakness in the cipher key

 Problem with weak keys is that if we encrypt a block with a weak

key and subsequently encrypt the result with the same weak key,
we get the original block.
Double encryption and decryption with a weak key

 Thus, each weak key is the inverse of itself. Ek(Ek(P)) = P.

 Weakness in the cipher key

Example
 Let us try the first weak key in Table shown above to encrypt a block
two times. After two encryptions
 with the same key the original plaintext block is created. Note that we
have used the encryption algorithm two times, not one encryption
followed by another decryption.
 Weakness in the cipher key
 Semi-Weak Key: There are 6 key pairs that are called semi-weak
keys, as shown below (all 64 bit format).

 A semi-weak keys creates only two different round keys and each of
them is repeated eight times.
 In addition, the round keys created from each pair are the same with
different orders.
 Weakness in the cipher key
 Round keys created from the first pair are shown below.
 There are 8 equal round keys in each semi-week key.
 In addition, round key 1 in the 1st set is same as the round key 16 in the 2nd. Same is true for
round key 2 in the 1st set and round key 15 in the 2nd, and so on.

 This means that the keys are inverse of each other. Ek2(Ek1(P)) = P.
 To see this, assume 𝑘1 = 9153𝐸54319𝐵𝐷 6𝐸𝐴𝐶1𝐴𝐵𝐶𝐸642 and 𝑘2 = 6𝐸𝐴𝐶1𝐴𝐵𝐶𝐸642 9153𝐸54319𝐵𝐷
 Notice that the last round key in the encryption (i.e., 𝑘2 ) is the first round key of Decryption
(i.e., 𝑘1 ).
Weakness in the cipher key
 Possible Weak Keys: In addition, there are 48 keys that
are called possible weak keys.
 A possible weak keys is a key that creates only four
distinct round keys.

Example 6.9
What is the probability of randomly selecting a weak, a semi-
weak, or a possible weak key?

Solution
DES has a key domain of 256. The total number of the above
keys are 64 (4 + 12 + 48). The probability of choosing one of
these keys is 8.8 × 10−16, almost impossible.
 Weakness in the cipher key
 Key Complement: In the key domain (256 ), definitely half of the
keys are complement of the other half.
 A key complement can be made by inverting (0  1 and 1  0) each
bot in the key.
 Question: Does key complement simplify the job of cryptanalysis?
 It does. Attacker can use only half of the possible keys (255 ) to perform
brute-force attack.
 This is because: 𝐶 = 𝐸 𝐾, 𝑃 → 𝐶 ′ = 𝐸(𝐾 ′ , 𝑃′)
 In other words, if we encrypt the complement of PT with the
complement of the key, we get the complement of the CT.
 So, attacker can just test only half of the 256 possible keys and then
complement the result.
 Weakness in the cipher key

Example
Let us test the claim about the complement keys. We have used an arbitrary key and
plaintext to find the corresponding ciphertext. If we have the key complement and the
plaintext, we can obtain the complement of the previous ciphertext
 DES Attacks
 Exhaustive Key Search (Brute-force attack): It is clear that DES can
be broken in 255 tries.
 In 1977, Whitfield Diffie and Martin Hellman estimated that it was
possible to build an exhaustive key-search machine for approx.
$20,000,000.
 At CRYPTO 1993 conference, Michael Wiener proposed the design
of a very efficient key-search machine using pipelining techniques
for DES.
 He estimated the cost of his design at approximately $1,000,000, and
the time required to find the key at 1.5 days.
 This was a proposal only, and the machine was not built.
 In 1998, however, the EFF (Electronic Frontier Foundation) built the
hardware machine Deep Crack, which performed a brute-force
attack against DES in 56 hours.
 The average search time of Deep Crack was 15 days, and the
machine was built for less than $250,000
DES Attacks

 Deep Crack: the hardware exhaustive key-search machine that broke DES in
1998
 The successful break with Deep Crack was considered the official demonstration
that DES is no longer secure against determined attacks by many people.
DES Attacks
 Dictionary attack:
 Each plaintext may result in 264 different ciphertexts, but there
are only 256 possible different key values.
 Encrypt the known plaintext with all possible keys.
 Keep a look up table of size 256
 Given a Plaintext/Ciphertext pair (P,C), look up C in the table.

 Problem with this attack is the size of the lookup table can
be very large.
 i.e., Number of known PT characters (of 64 bits = 8 bytes) times
256 , in the worst case.
 DES Attacks

 Analytical Attack:
 In 1990, Eli Biham and Adi Shamir discovered what is called
differential cryptanalysis (DC). This is a powerful attack which is in
principle applicable to any block cipher
 However, it turned out that the DES S-boxes are particularly resistant
against this attack.
It has been revealed that the designers of DES already knew about
this type of attack and designed S-boxes and chose 16 as the
number of rounds to make DES specifically resistant to this type of
attack.
 Today it is shown that DES can be broken using DC if we have 247
chosen plaintexts or 255 known plaintexts.
 The assumption is impractical as it requires terabytes of PT-CT pair (recall
that 1 Terabyte = 240 bytes) .
 DES Attacks
 In 1993 a related but distinct analytical attack was published by
Mitsuru Matsui, which was named linear cryptanalysis (LC).
 Similar to differential cryptanalysis, the effectiveness of this
attack also heavily depends on the structure of the S-boxes.
 It has been shown that DES can be broken by LC using 243 pairs
of known plaintexts.
 Again, not practical.

 Summary:
 With today’s computational power, we can use Brute-force attack
to crack DES in days.
 Other types of attack, i.e. DC or LC, is not practical.
 DES is insecure.
DES Alternatives
 One proposed solution: double DES or 2-DES.
 Although, 3-DES is generally considered as a secure
alternative DES.
 Why not 2-DES?

 In 2-DES, we apply DES twice using two keys, K1 and K2.

 Encryption: C = EK2[EK1 [P]]
 Decryption: P = DK2[DK1 [C]]

 This leads to a 2𝑥56 = 112 bit key, so it is more secure than

DES.
 But, is it……..!!!
Meet-in-the-Middle Attack in 2-DES
 To improve the security of a block cipher, one might get the
(naive) idea to simply use two independent keys to encrypt the
data twice.
 𝐶 = 𝐸𝐾2 𝐸𝐾1 𝑃
 Naively, one might think that this would square the security of the
double-encryption scheme.
 In fact, an exhaustive search of all possible combinations of keys
would take 22𝑛 attempts (if each key 𝐾1 , 𝐾2 is 𝑛 bits long),
compared to the 2𝑛 attempts required for searching a single key.
 Meet-in-the-Middle Attack in 2-DES
 Assume the attacker knows a set of Plaintext (P) and Ciphertext (C).
That is, 𝐶 = 𝐸𝐾2 𝐸𝐾1 𝑃 where E is the encryption function (cipher),
and K1 and K2 are the two keys. Attack wants to find the key pair
𝐾1 , 𝐾2 . For this the attacker does the following:
 1) The attacker can first compute 𝐸𝐾1 𝑃 for all possible keys 𝐾1 and store the
results in memory (in a lookup table).
 2) Afterwards he can decrypt the ciphertext by computing 𝐷𝐾2 𝐶 for each
𝐾2 .
 3) Any matches between these two resulting sets are likely to reveal the
correct keys.
 Once the matches are discovered, they can be verified with a second
test set of Plaintext and Ciphertext.
 So, if the key-size is 𝑛, this attack uses only 2𝑛+1 (for Double DES,
2 56+1 = 257 ) encryptions/decryptions (and 𝑂 2𝑛 memory space) in
contrast to the naive attack, which needs 22𝑛 encryptions/decryptions
(but only 𝑂(1) space).
Meet-in-the-Middle Attack in 2-DES
 3-DES
 Use three different keys:
 Encrypt: 𝐶 = 𝐸𝐾3 𝐷𝐾2 𝐸𝐾1 𝑃

 Decrypt: 𝑃 = 𝐷𝐾1 𝐸𝐾2 𝐷𝐾3 𝐶

 The standard specifies three keying options:

 1) Keying option 1: All three keys are independent.
 2) Keying option 2: 𝐾1 and 𝐾2 are independent, and 𝐾3 = 𝐾1 .
 3) Keying option 3: All three keys are identical, i.e. 𝐾1 = 𝐾2 = 𝐾3 .

 Using keying option 1: the key space is 56 x 3 = 168 bits

 No known practical attack against it.
 Many protocols/applications use 3DES
 The electronic payment industry uses Triple DES and continues to
develop and promulgate standards based upon it (e.g. Europay-
Visa-Mastercard).
3-DES

Triple DES with two keys

 3-DES
 Question: if we use three completely different keys 𝐾1 ≠ 𝐾2 ≠
𝐾3 …
 Encrypt: 𝐶 = 𝐸𝐾3 𝐷𝐾2 𝐸𝐾1 𝑃

 Decrypt: 𝑃 = 𝐷𝐾1 𝐸𝐾2 𝐷𝐾3 𝐶

Then… will the effective strength be that of 56x3= 168 bits?

 Keying option 2 provides less security than option 1, with 2 × 56 =
112 key bits.
 However, this option is stronger than double DES (with K_1 and
K_2), because it protects against meet-in-the-middle attacks.
 Note that this option is designated by NIST to have only 80 bits of real
security
 Keying option 3 is equivalent to DES, with only 56 key bits. This
option provides backward compatibility with DES.