Data Encryption Standard
Data Encryption Standard
The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National
Institute of Standards and Technology (NIST).
Overview
A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
A block cipher is one in which a block of plaintext is treated as a whole and used to produce
a ciphertext block of equal length. Typically, a block size of 64 or 128 bits is used.
DES is a block cipher, as shown in Figure 2.1.
At the encryption site, DES takes a 64-bit plaintext and creates a 64-bit ciphertext; at the
decryption site, DES takes a 64-bit ciphertext and creates a 64-bit block of plaintext. The
same 56-bit cipher key is used for both encryption and decryption.
DES structure
Let us concentrate on encryption; later we will discuss decryption. The encryption process is
made of two permutations (P-boxes), which we call initial and final permutations, and sixteen
Feistel rounds. Each round uses a different 48-bit round key generated from the cipher key
according to a predefined algorithm described later in the chapter. Figure 2.2 shows the elements
of DES cipher at the encryption site.
1/11
These permutations are keyless straight permutations that are the inverse of each other.
For example, in the initial permutation, the 58th bit in the input becomes the 1st bit in the
output. Similarly, in the final permutation, the 1st bit in the input becomes the 58th bit in the
output.
The initial and final permutation tables are shown in table 2.1.
2/11
Table 2.1 Initial and final permutation tables
Rounds
DES uses 16 rounds. Each round of DES is a Feistel cipher as shown in figure 2.4.
The round takes LI-1 and RI-1 from previous round (or the initial permutation box) and creates
LI and RI, which go to the next round (or final permutation box).
We can assume that each round has two cipher elements (mixer and swapper). Each of these
elements is invertible.
The swapper is obviously invertible. It swaps the left half of the text with the right half. The
mixer is invertible because of the XOR operation.
All noninvertible elements are collected inside the function f (RI-1, KI).
DES Function
The heart of DES is the DES function. The DES function applies a 48-bit key to the rightmost
32 bits (RI-1) to produce a 32-bit output.
This function is made up of four sections: an expansion D-box, a whitener (that adds key), a
group of S-boxes, and a straight D-box as shown in figure 2.5.
3/11
Expansion P-box
Since RI-1 is a 32-bit input and KI is a 48-bit key, we first need to expand RI-1 to 48 bits. RI-1 is
divided into 8 4-bit sections. Each 4-bit section is then expanded to 6 bits. This expansion
permutation follows a predetermined rule.
For each section, input bits 1, 2, 3, and 4 are copied to output bits 2, 3, 4, and 5, respectively.
Output bit 1 comes from bit 4 of the previous section; output bit 6 comes from bit 1 of the next
section.
If sections 1 and 8 can be considered adjacent sections, the same rule applies to bits 1 and 32.
Figure 6.6 shows the input and output in the expansion permutation.
Whitener (XOR) After the expansion permutation, DES uses the XOR operation on the expanded
right section and the round key. Note that both the right section and the key are 48-bits in length.
Also note that the round key is used only in this operation.
S-Boxes The S-boxes do the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input and
a 4-bit output. See figure 2.7.
4/11
Figure 2.7 S-boxes
Table 2.2 shows the permutation for S-box 1. For the rest of the boxes see the textbook.
Example:
The input to S-box 1 is 100011. What is the output?
Solution:
If we write the first and the sixth bits together, we get 11 in binary, which is 3 in decimal. The
remaining bits are 0001 in binary, which is 1 in decimal. We look for the value in row 3, column 1,
5/11
in Table 2.2 (S-box 1). The result is 12 in decimal, which in binary is 1100. So, the input 100011
yields the output 1100.
Final Permutation
The last operation in the DES function is a permutation with a 32-bit input and a 32-bit output.
The input/output relationship for this operation is shown in Table 2.3 and follows the same
general rule as previous tables.
For example, the seventh bit of the input becomes the second bit of the output.
6/11
Table 2.3 Straight permutation table
A very important point we need to remember about the cipher is that the round keys (K 1 to K16)
should be applied in the reverse order. At the encryption site, round 1 uses K1, and round 16
uses K16; at the decryption site, round 1 uses K16 and round 16 uses K1.
Key Generation
The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key. However, the cipher key
is normally given as a 64-bit key in which 8 extra bits are the parity bits, which are dropped before
the actual key-generation process, as shown in figure 2.10
Parity Drop
The preprocess before key expansion is a compression transposition step that we call parity
bit drop.
It drops the parity bits (bits 8, 16, 24, 32, …64) from the 64-bit key and permutes the rest of
the bits according to Table
The remaining 56-bit value is the actual cipher key which is used to generate round keys. The
parity drop step (a compression D-box) is shown in Table 2.4.
7/11
Figure 2.10 Key generation
Compression D-Box The compression D-box changes the 58 bits to 48 bits, which are used as a
key for a round. The compression step is shown in Table 2.6.
8/11
Table 2.6 Key-compression table
Strength of DES
9/11
o They are associated to the public key algorithms. In this it can maintain information about
the key or the plaintext is acquired by observing how long it takes to implement decryptions
on several ciphertexts.
o A timing attack accomplish the fact that on encryption or decryption, algorithm takes
different amount of time on multiple inputs.
o Timing attacks and related attacks can be secured against to some degree by “blinding” the
devices implementing encryption and decryption computations so that all computations
have the same performance, regardless of the specific key and message being utilized.
Security of DES
DES, as the first important block cipher, has gone through much scrutiny. Among the
attempted attacks, three are of interest: brute-force, differential cryptanalysis, and linear
cryptanalysis.
Brute-Force Attack
We have discussed the weakness of short cipher key in DES. Combining this weakness with the key
complement weakness, it is clear that DES can be broken using 2 55 encryptions. However, today
most applications use either 3DES with two keys (key size of 112) or 3DES with three keys (key
size of 168). These two multiple- DES versions make DES resistant to brute-force attacks.
Differential cryptanalysis
DES is not immune to that kind of attack. However, it has been revealed that the designers of
DES already knew about this type of attack and designed S-boxes and chose 16 as the number
of rounds to make DES specifically resistant to this type of attack.
Today, it has been shown that DES can be broken using differential cryptanalysis if we have
247 chosen plaintexts or 255 known plaintexts.
Although this looks more efficient than a brute-force attack, finding 247 chosen plaintexts or
255 know plaintexts is impractical.
Therefore, we can say that DES is resistant to differential cryptanalysis. It has also been
shown that increasing the number of rounds to 20 require more than 2 64 chosen plaintexts
for this attack, which is impossible because the possible number of plaintext blocks in DES is
only 264.
Linear Cryptanalysis
DES is more vulnerable to linear cryptanalysis than to differential cryptanalysis, probably because
this type of attack was not known to the designers of DES. S-boxes are not very resistant to linear
cryptanalysis. It has been shown that DES can be broken using 243 pairs of known plaintexts.
However, from the practical point of view, finding so many pairs are very unlikely.
10/11
11/11