DATA ENCRYPTION STANDARD (DES)

The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National
Institute of Standards and Technology (NIST).

Overview

Stream Ciphers and Block Ciphers

 A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
 A block cipher is one in which a block of plaintext is treated as a whole and used to produce
a ciphertext block of equal length. Typically, a block size of 64 or 128 bits is used.
 DES is a block cipher, as shown in Figure 2.1.
 At the encryption site, DES takes a 64-bit plaintext and creates a 64-bit ciphertext; at the
decryption site, DES takes a 64-bit ciphertext and creates a 64-bit block of plaintext. The
same 56-bit cipher key is used for both encryption and decryption.

Figure 2.1 Encryption and decryption with DES

DES structure

Let us concentrate on encryption; later we will discuss decryption. The encryption process is
made of two permutations (P-boxes), which we call initial and final permutations, and sixteen
Feistel rounds. Each round uses a different 48-bit round key generated from the cipher key
according to a predefined algorithm described later in the chapter. Figure 2.2 shows the elements
of DES cipher at the encryption site.

Initial and Final Permutations

 The below diagram shows the initial and final permutations (P-boxes). Each of these
permutations takes a 64-bit input and permutes them according to a predefined rule.
 We have shown only a few input ports and the corresponding output ports.

1/11
 These permutations are keyless straight permutations that are the inverse of each other.
 For example, in the initial permutation, the 58th bit in the input becomes the 1st bit in the
output. Similarly, in the final permutation, the 1st bit in the input becomes the 58th bit in the
output.
 The initial and final permutation tables are shown in table 2.1.

Figure 2.2 General structure of DES

Figure 2.3 Initial and final permutation steps in DES

2/11
 Table 2.1 Initial and final permutation tables
Rounds

 DES uses 16 rounds. Each round of DES is a Feistel cipher as shown in figure 2.4.
 The round takes LI-1 and RI-1 from previous round (or the initial permutation box) and creates
LI and RI, which go to the next round (or final permutation box).
 We can assume that each round has two cipher elements (mixer and swapper). Each of these
elements is invertible.
 The swapper is obviously invertible. It swaps the left half of the text with the right half. The
mixer is invertible because of the XOR operation.
 All noninvertible elements are collected inside the function f (RI-1, KI).

Figure 2.4 A round in DES (encryption site)

DES Function
 The heart of DES is the DES function. The DES function applies a 48-bit key to the rightmost
32 bits (RI-1) to produce a 32-bit output.
 This function is made up of four sections: an expansion D-box, a whitener (that adds key), a
group of S-boxes, and a straight D-box as shown in figure 2.5.

3/11
 Expansion P-box
 Since RI-1 is a 32-bit input and KI is a 48-bit key, we first need to expand RI-1 to 48 bits. RI-1 is
divided into 8 4-bit sections. Each 4-bit section is then expanded to 6 bits. This expansion
permutation follows a predetermined rule.
 For each section, input bits 1, 2, 3, and 4 are copied to output bits 2, 3, 4, and 5, respectively.
 Output bit 1 comes from bit 4 of the previous section; output bit 6 comes from bit 1 of the next
section.
 If sections 1 and 8 can be considered adjacent sections, the same rule applies to bits 1 and 32.
Figure 6.6 shows the input and output in the expansion permutation.

Figure 2.5 DES function

Figure 2.6 Expansion permutation

Whitener (XOR) After the expansion permutation, DES uses the XOR operation on the expanded
right section and the round key. Note that both the right section and the key are 48-bits in length.
Also note that the round key is used only in this operation.

S-Boxes The S-boxes do the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input and
a 4-bit output. See figure 2.7.

4/11
 Figure 2.7 S-boxes

Figure 2.8 S-box rule

Table 2.2 S-box 1

Table 2.2 shows the permutation for S-box 1. For the rest of the boxes see the textbook.

Example:
The input to S-box 1 is 100011. What is the output?

Solution:
If we write the first and the sixth bits together, we get 11 in binary, which is 3 in decimal. The
remaining bits are 0001 in binary, which is 1 in decimal. We look for the value in row 3, column 1,

5/11
in Table 2.2 (S-box 1). The result is 12 in decimal, which in binary is 1100. So, the input 100011
yields the output 1100.

Figure 2.9 DES cipher and reverse cipher.

Final Permutation
 The last operation in the DES function is a permutation with a 32-bit input and a 32-bit output.
 The input/output relationship for this operation is shown in Table 2.3 and follows the same
general rule as previous tables.
 For example, the seventh bit of the input becomes the second bit of the output.

6/11
 Table 2.3 Straight permutation table

Cipher and reverse cipher

 The last round (round 16) different from the others; it has only a mixer and no swapper. This
is shown in figure 2.9.
 Although the rounds are not aligned, the elements (mixer or swapper) are aligned.
 We proved in Chapter 5 that a mixer is a self-inverse; so is a swapper.
 The final and initial permutations are also inversing of each other.
 The left section of the plaintext at the encryption site, L 0, is enciphered as L16 at the encryption
site; L16 at the decryption is deciphered as L0 at the decryption site. The situation is the same
with R0 and R16.

 A very important point we need to remember about the cipher is that the round keys (K 1 to K16)
should be applied in the reverse order. At the encryption site, round 1 uses K1, and round 16
uses K16; at the decryption site, round 1 uses K16 and round 16 uses K1.
Key Generation
The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key. However, the cipher key
is normally given as a 64-bit key in which 8 extra bits are the parity bits, which are dropped before
the actual key-generation process, as shown in figure 2.10

Parity Drop
 The preprocess before key expansion is a compression transposition step that we call parity
bit drop.
 It drops the parity bits (bits 8, 16, 24, 32, …64) from the 64-bit key and permutes the rest of
the bits according to Table
 The remaining 56-bit value is the actual cipher key which is used to generate round keys. The
parity drop step (a compression D-box) is shown in Table 2.4.

Table 2.4 Parity-bit drop table

7/11
 Figure 2.10 Key generation

Circular left shift

After the straight permutation, the key is divided into two 28-bit parts. Each part is shifted left
(circular shift) one or two bits. In rounds 1, 2, 9, and 16, shifting is one bit; in the other rounds, it
is two bits. The two parts are then combined to form a 56-bit part. Table 2.5 shows the number of
shifts for each round.

Table 2.5 Number of bit shifts

Compression D-Box The compression D-box changes the 58 bits to 48 bits, which are used as a
key for a round. The compression step is shown in Table 2.6.

8/11
 Table 2.6 Key-compression table

Strength of DES

The strength of DES is as follows −

 Use of 56-bit keys
o 56-bit key can be frequently used in encryption. There are 256 possible keys. A brute
force attack on such number of keys is impossible.
o A machine implementing one DES encryption per microsecond would take more than
thousands of years to divide the cipher.
o The assumption of one encryption per microsecond is excessively moderate. Diffie and
Hellman postulated that the technology existed to develop a parallel machine with one
million encryption equipment, each of which can implement one encryption per
microsecond.
o It is necessary that there is more to key-search attack than easily running through all
possible keys. If the message is only plaintext in English, thus the result pops out simply,
although the task of identifying English would have to be automated.
o If the text message has been compressed before encryption, then identification is more
complex.
 The nature of algorithm
o Cryptanalyst can implement cryptanalysis by exploiting the features of DES (Data
Encryption Standard) algorithm.
o It can be exploring the weakness of eight substitution tables or S-boxes that are utilized in
each iteration.
o Much of the work has been completed and the number of regularities and unexpected
behaviors of the S-boxes have been found but no one has succeeded in discovering out the
weaknesses in the S-box.
o This contention is tantalizing, and over the years a multiple regularities and unexpected
behavior of the S-boxes have been found.
 Timing Attacks
o A timing attack is a security exploit that allows an attacker to spot vulnerabilities in a local
or a remote system to extract potentially responsive or secret data by acquiring the
concerned system's response time to several inputs. A timing attack is a type of a broader
class of attacks known as Side channel attacks.
o Timing attacks allows an attacker to extract secrets maintained in a security system by
acquiring the time it takes the system to respond to several queries.
o Kocher designed a timing attack to reveal secret keys utilized for RSA decryption. These
attacks were only used in the context of hardware security tokens including smartcards.

9/11
 o They are associated to the public key algorithms. In this it can maintain information about
the key or the plaintext is acquired by observing how long it takes to implement decryptions
on several ciphertexts.
o A timing attack accomplish the fact that on encryption or decryption, algorithm takes
different amount of time on multiple inputs.
o Timing attacks and related attacks can be secured against to some degree by “blinding” the
devices implementing encryption and decryption computations so that all computations
have the same performance, regardless of the specific key and message being utilized.

Security of DES

DES, as the first important block cipher, has gone through much scrutiny. Among the
attempted attacks, three are of interest: brute-force, differential cryptanalysis, and linear
cryptanalysis.

Brute-Force Attack

We have discussed the weakness of short cipher key in DES. Combining this weakness with the key
complement weakness, it is clear that DES can be broken using 2 55 encryptions. However, today
most applications use either 3DES with two keys (key size of 112) or 3DES with three keys (key
size of 168). These two multiple- DES versions make DES resistant to brute-force attacks.

Differential cryptanalysis

 DES is not immune to that kind of attack. However, it has been revealed that the designers of
DES already knew about this type of attack and designed S-boxes and chose 16 as the number
of rounds to make DES specifically resistant to this type of attack.
 Today, it has been shown that DES can be broken using differential cryptanalysis if we have
247 chosen plaintexts or 255 known plaintexts.
 Although this looks more efficient than a brute-force attack, finding 247 chosen plaintexts or
255 know plaintexts is impractical.
 Therefore, we can say that DES is resistant to differential cryptanalysis. It has also been
shown that increasing the number of rounds to 20 require more than 2 64 chosen plaintexts
for this attack, which is impossible because the possible number of plaintext blocks in DES is
only 264.

Linear Cryptanalysis

Linear cryptanalysis is newer than differential cryptanalysis.

DES is more vulnerable to linear cryptanalysis than to differential cryptanalysis, probably because
this type of attack was not known to the designers of DES. S-boxes are not very resistant to linear
cryptanalysis. It has been shown that DES can be broken using 243 pairs of known plaintexts.
However, from the practical point of view, finding so many pairs are very unlikely.

10/11
11/11