The Data Encryption Standard (DES) : ° Reproduction of Any Kind Requires Written Permission of The Author
The Data Encryption Standard (DES) has been by far the most popular block cipher for almost 30 years. Even though it is nowadays not considered secure against a determined attacker (the DES key space is too small), it is still used in many applications and protocols. Furthermore, encrypting data three times in a row with DES, a process referred to as 3DES or triple DES, yields a very secure cipher which is widely used (see Section 2.5 for a description of 3DES).

In this chapter you will learn:

- The design process of a very popular block cipher, the Data Encryption Standard (DES).
- The encryption and decryption function of DES.
- The internal structure of DES, including:
  - Feistel structure
  - S-boxes
  - permutations
  - key schedule
- Important properties of modern block ciphers, where we use DES as an example.
- Efficiency of actual DES implementations.
- Security analysis of DES.
e.g., the substitution boxes which represent the heart of the cipher.
released. With the quick spreading of personal computers (PCs) in the early 1980s and all specifications of DES being publicly available, it was possible for anyone to analyze the inner structure of a cipher which was designed in part by the NSA. Originally, DES was only standardized for 10 years, until 1987. Due to the wide use of DES and the lack of serious security weaknesses, the NBS (which became the NIST in the 1990s) reaffirmed the federal use of the cipher until 1999, when it was finally replaced by the Advanced Encryption Standard (AES).
2.1.1
Example 2.1 Let's assume a toy-size block cipher with a block length of 8 bits. Encryption of two plaintexts x_1 and x_2, which differ in only one bit, should roughly result in something like this:
x_1 = 00101011  --[block cipher]-->  y_1 = 10111001
x_2 = 00001011  --[block cipher]-->  y_2 = 01101100
Combining confusion with diffusion is a common practice for obtaining a secure scheme. In most of today's block ciphers, one can directly identify the modules that are responsible for the confusion and diffusion, respectively. They are then applied repeatedly to the plaintext, as symbolized in Figure 2.2. DES is a good example of this.
[Figure 2.2: Example of combining confusion with diffusion. The input x passes through N stages, each consisting of a diffusion layer followed by a confusion layer (Diffusion 1, Confusion 1, ..., Diffusion N, Confusion N), producing the output y.]
[Figure 2.3: DES block cipher. A 64-bit plaintext x and a 56-bit key k enter the DES block, which outputs a 64-bit ciphertext y.]
Moreover, DES is a symmetric cipher, i.e., the same algorithm and the same key are used for encryption and decryption. Figure 2.4 shows the principal function of DES from an extremely high level of abstraction. For each block of plaintext, encryption is handled in 16 rounds. Hence, DES belongs to the class of iterative ciphers. Virtually all modern block algorithms are iterative ciphers.
[Figure 2.4: Iterative structure of DES. The plaintext is processed in 16 rounds, round 1 to round 16, each using its own round key K_i, and the result is the ciphertext y.]
As we shall see later, the only difference between encryption and decryption is the order of round keys. Let's now have a more detailed view of DES, as shown in Figure 2.5.
The structure shown in Figure 2.5 is called a Feistel network. It is used in many (but certainly not in all) modern block ciphers. We will discuss the Feistel network in the following. After the initial bit-wise permutation IP of a 64-bit plaintext x, it is split into two 32-bit halves L_0 and R_0. These two 32-bit halves are fed into a Feistel network which consists of 16 rounds. The right half R_i is fed into the function f. The output of the f-function is XORed (denoted with the symbol ⊕) with the left 32-bit half L_i. Finally, the right and left half are swapped. This process repeats in the next round. It can be expressed as:

$L_i = R_{i-1}, \quad i = 1, \ldots, 16$

$R_i = L_{i-1} \oplus f(R_{i-1}, K_i), \quad i = 1, \ldots, 16$
[Figure 2.5: The Feistel structure of DES. The message x passes through the initial permutation IP and is split into L_0 and R_0 (32 bits each). In each of the 16 rounds, the 32-bit right half enters the f-function together with a 48-bit round key k_i; the round keys k_1, ..., k_16 are derived from the 56-bit key k (after PC-1) by the key transform of the respective round (Transform 1, ..., Transform 16). After round 16, the halves L_16 and R_16 pass through the final permutation IP^{-1}, giving the ciphertext y = DES_k(x).]
After round 16, the 32-bit halves L_16 and R_16 are swapped again and the final permutation IP^{-1} finishes off the algorithm. The final permutation IP^{-1} is the inverse of the initial permutation IP. In each round, a round key K_i is derived from the main 56-bit key using a key schedule algorithm.

It is crucial to note that the Feistel structure really only encrypts (decrypts) half of the input bits per round, namely the left half of the input. The right half is copied to the next round unchanged. In particular, the right half is not encrypted with the f-function. In order to get a better feeling, the following interpretation of the working of a Feistel cipher helps: think of the f-function as a pseudorandom generator with the two input parameters R_{i-1} and K_i. The output of the pseudorandom generator is then used to encrypt the left half L_{i-1} with the XOR operation. As we saw in the previous chapter on stream ciphers, if the output of the f-function is not predictable for an attacker, this results in a strong encryption method.

The two aforementioned basic properties of ciphers, i.e., confusion and diffusion, are realized within the f-function. In order to thwart advanced analytical attacks, the f-function has to be designed extremely carefully. Once the f-function has been designed securely, the security of a Feistel cipher increases with the number of key bits used and the number of rounds.

Before we discuss all modules of the Feistel network in detail, here is an algebraic description of the Feistel network for the mathematically inclined reader: the Feistel structure of each round bijectively maps a block of 64 input bits to 64 output bits (i.e., every possible input is mapped uniquely to exactly one output and vice versa). This mapping remains bijective for an arbitrary function f, i.e., even if the embedded function f is not bijective. In the case of DES the function f is in fact a surjective (many-to-one) mapping. It uses non-linear building blocks and maps 32 input bits to 32 output bits using a 48-bit round key K_i, with 0 ≤ i ≤ 15.
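The round equations and the bijectivity remark above, as an added example that is not part of the chapter: a generic Feistel network in Python whose round function `toy_f` is a hypothetical, deliberately many-to-one placeholder (not the DES f-function). It shows that decryption is the same circuit with the round keys reversed, that only one half is XOR-encrypted per round, and that the structure stays invertible even though f is not. Round keys and plaintext are constructed values, not DES test vectors.

```python
# Added example (not from the chapter): a generic Feistel network that follows the
# round equations of the text, L_i = R_{i-1} and R_i = L_{i-1} XOR f(R_{i-1}, K_i),
# on a 64-bit block split into two 32-bit halves. `toy_f` is a deliberately
# many-to-one placeholder round function (NOT the DES f-function); it is used to
# show that the Feistel structure stays invertible no matter what f is.
MASK32 = 0xFFFFFFFF


def toy_f(right: int, round_key: int) -> int:
    """Hypothetical round function: key-mix, square modulo 2^32, rotate.
    Squaring is not injective on 32-bit values (t and -t square to the same
    number), so this f is many-to-one, as the text says the DES f is."""
    t = (right ^ round_key) & MASK32
    t = (t * t) & MASK32
    return ((t << 7) | (t >> 25)) & MASK32


def feistel_encrypt(block: int, round_keys: list[int]) -> int:
    """One Feistel round per round key, then a final swap of the halves
    (as DES does after round 16). Only the left half is ever XOR-encrypted;
    the right half is copied unchanged into the next round."""
    left = (block >> 32) & MASK32
    right = block & MASK32
    for k in round_keys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR f(R_{i-1}, K_i)
        left, right = right, left ^ toy_f(right, k)
    return (right << 32) | left  # final swap of the two halves


def feistel_decrypt(block: int, round_keys: list[int]) -> int:
    """Decryption is the same circuit with the round keys in reverse order:
    the XOR of f(R_{i-1}, K_i) cancels itself round by round."""
    return feistel_encrypt(block, list(reversed(round_keys)))


def f_collision(round_key: int) -> tuple[int, int]:
    """Two distinct 32-bit inputs mapped to the same toy_f output, showing f is
    not bijective (constructed: x and -x mod 2^32 collide after squaring)."""
    x = 0x12345678
    a = x ^ round_key
    b = ((-x) & MASK32) ^ round_key
    return a, b


# Constructed round keys and plaintext for the demonstration (not DES test vectors).
ROUND_KEYS = [0x0F1E2D3C, 0x4B5A6978, 0x8796A5B4, 0xC3D2E1F0,
              0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210]
PLAINTEXT = 0x0123456789ABCDEF

if __name__ == "__main__":
    ct = feistel_encrypt(PLAINTEXT, ROUND_KEYS)
    pt = feistel_decrypt(ct, ROUND_KEYS)
    print(f"ciphertext {ct:016x}, decrypted {pt:016x}, round-trip ok: {pt == PLAINTEXT}")
    a, b = f_collision(ROUND_KEYS[0])
    print(f"f({a:08x}) == f({b:08x}): {toy_f(a, ROUND_KEYS[0]) == toy_f(b, ROUND_KEYS[0])}")
```

Running the block with a single round key makes the "half the block per round" point visible: after the final swap, the low 32 bits of the output are exactly the plaintext's right half, because that half was only copied, never XORed.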
[Figure: The initial permutation IP maps the 64 plaintext bits x to z = IP(x), and the final permutation IP^{-1} maps z back to x. Bit positions run from 1 to 64; the figure illustrates that plaintext bit 58 goes to position 1, bit 50 to position 2 and bit 1 to position 40, and that IP^{-1} reverses these moves.]
The exact details of the transformation IP are given in Table 2.1. This table, like all other tables in this chapter, should be read from left to right, top to bottom. Moreover, the bit indices begin with 1 and end with 64; thus, the initial permutation maps plaintext bit 58 to position 1, plaintext bit 50 to position 2, and so on.
Table 2.1: Initial permutation IP

58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7
Table 2.2: Final permutation IP^{-1}

40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25
As can be seen from Table 2.3, 16 of the 32 input bits appear twice in the expansion permutation; however, a bit never appears twice in the same 6-bit block. This results in a diffusion of the 32 input bits, since 16 of the 32 input bits propagate into two different six-bit blocks.
Table 2.3: Expansion permutation E

32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1
[Figure: The f-function. The 32-bit input R_{i-1} is expanded to 48 bits, XORed with the 48-bit round key k_i, and split into eight 6-bit blocks that enter the S-boxes S1, ..., S8. Each S-box outputs 4 bits; the resulting 32 bits pass through the permutation P, which gives the 32-bit output of f.]
Next, the 48-bit result of the expansion is XORed with the round key k_i and the eight 6-bit blocks are fed into eight different substitution boxes (S-boxes). Each S-box maps a six-bit input to a four-bit output and can be regarded as a table with 16 columns and 4 rows. The S-boxes are listed in Tables 2.4 to 2.11. The tables are to be read as indicated in Figure 2.10: the most significant bit (MSB) and the least significant bit (LSB) of each 6-bit input select the row of the table, while the four inner bits select the column. The integers 0, 1, ..., 15 of each entry in the table represent the decimal notation of a 4-bit value.
Example 2.2 The S-box input b = (100101) indicates row = (11)_2 = 3 (fourth row, starting with (00)_2) and column = (0010)_2 = 2 (third column, starting with (0000)_2). If the input b is fed into S-box 1, the output is S_1(37 = 100101_2) = 8 = 1000_2.
[Figure 2.10: Reading the S-box tables. For the 6-bit input 100101, the outer bits 1 and 1 select the fourth row, (11)_2 = 3, and the inner bits 0010 select the third column, (0010)_2 = 2.]
Table 2.4: S-box S1

S1    0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
 0   14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
 1    0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
 2    4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
 3   15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

Table 2.5: S-box S2

S2    0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
 0   15  1  8 14  6 11  3  4  9  7  2 13 12  0  5 10
 1    3 13  4  7 15  2  8 14 12  0  1 10  6  9 11  5
 2    0 14  7 11 10  4 13  1  5  8 12  6  9  3  2 15
 3   13  8 10  1  3 15  4  2 11  6  7 12  0  5 14  9

Table 2.6: S-box S3

S3    0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
 0   10  0  9 14  6  3 15  5  1 13 12  7 11  4  2  8
 1   13  7  0  9  3  4  6 10  2  8  5 14 12 11 15  1
 2   13  6  4  9  8 15  3  0 11  1  2 12  5 10 14  7
 3    1 10 13  0  6  9  8  7  4 15 14  3 11  5  2 12
Table 2.7: S-box S4

S4    0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
 0    7 13 14  3  0  6  9 10  1  2  8  5 11 12  4 15
 1   13  8 11  5  6 15  0  3  4  7  2 12  1 10 14  9
 2   10  6  9  0 12 11  7 13 15  1  3 14  5  2  8  4
 3    3 15  0  6 10  1 13  8  9  4  5 11 12  7  2 14

Table 2.8: S-box S5

S5    0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
 0    2 12  4  1  7 10 11  6  8  5  3 15 13  0 14  9
 1   14 11  2 12  4  7 13  1  5  0 15 10  3  9  8  6
 2    4  2  1 11 10 13  7  8 15  9 12  5  6  3  0 14
 3   11  8 12  7  1 14  2 13  6 15  0  9 10  4  5  3

Table 2.9: S-box S6

S6    0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
 0   12  1 10 15  9  2  6  8  0 13  3  4 14  7  5 11
 1   10 15  4  2  7 12  9  5  6  1 13 14  0 11  3  8
 2    9 14 15  5  2  8 12  3  7  0  4 10  1 13 11  6
 3    4  3  2 12  9  5 15 10 11 14  1  7  6  0  8 13

Table 2.10: S-box S7

S7    0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
 0    4 11  2 14 15  0  8 13  3 12  9  7  5 10  6  1
 1   13  0 11  7  4  9  1 10 14  3  5 12  2 15  8  6
 2    1  4 11 13 12  3  7 14 10 15  6  8  0  5  9  2
 3    6 11 13  8  1  4 10  7  9  5  0 15 14  2  3 12
Table 2.11: S-box S8

S8    0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
 0   13  2  8  4  6 15 11  1 10  9  3 14  5  0 12  7
 1    1 15 13  8 10  3  7  4 12  5  6 11  0 14  9  2
 2    7 11  4  1  9 12 14  2  0  6 10 13 15  3  5  8
 3    2  1 14  7  4 10  8 13 15 12  9  0  3  5  6 11
The S-boxes are the core of DES in terms of cryptographic strength. Even though the entire specification of DES was released by NBS/NIST in 1977, the design criteria of the S-boxes were never completely revealed by the NSA. This often gave rise to many speculations [2]. Nevertheless, by now it is for sure that the S-boxes were designed according to the criteria listed below. Note that some of these design criteria were not revealed until the 1990s. More information about this issue will be provided in Section ??.
1. Each S-box has six input bits and four output bits (common register length of microchips in the mid 1970s).
2. No single output bit should be too close to a linear combination of the input bits.
3. If the lowest and the highest bits of the input are fixed and the four middle bits are varied, each of the possible 4-bit output values must occur exactly once.
4. If two inputs to an S-box differ in exactly one bit, their outputs must differ in at least two bits.
5. If two inputs to an S-box differ in the two middle bits, their outputs must differ in at least two bits.
6. If two inputs to an S-box differ in their first two bits and are identical in their last two bits, the two outputs must be different.
7. For any nonzero 6-bit difference between inputs, no more than eight of the thirty-two pairs of inputs exhibiting that difference may result in the same output difference.
8. A collision (zero output difference) at the 32-bit output of the eight S-boxes is only possible for three adjacent S-boxes.

[2] E.g., regarding a secret back door or some other intentionally constructed weakness, which could possibly be exploited by the NSA.
The S-boxes are the most crucial elements of DES because they introduce a nonlinear function to the algorithm, i.e., S(a) ⊕ S(b) ≠ S(a ⊕ b). Without a non-linear building block, DES could easily be broken. Moreover, the S-boxes were carefully designed in order to thwart an advanced mathematical attack called differential cryptanalysis. Interestingly, differential cryptanalysis was first discovered in the research community in 1990. At this point, the IBM team declared that the attack had been known to the designers, and that DES was especially designed to withstand differential cryptanalysis.

Finally, the 32-bit output is permuted bit-wise according to the P permutation. Unlike the initial permutation IP and its inverse IP^{-1}, the permutation P introduces diffusion because the four output bits of each S-box are permuted in such a way that they affect six different S-boxes in the following round. The diffusion caused by the expansion, S-boxes and the permutation P guarantees that every bit at the end of the fifth round is a function of every plaintext bit and every key bit [3].
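Example 2.2, the reading rule of Figure 2.10, the design criteria and the nonlinearity statement above, as an added example that is not part of the chapter: the S-box lookup in Python, verified against Example 2.2, followed by machine checks of criteria 3, 4, 5 and 7 and a concrete witness that S_1 is not linear. Only S_1 (Table 2.4) is embedded to keep the block short; the checking functions take any 4 x 16 table, and the function names are my own.

```python
# Added example (not from the chapter): S-box lookup as described for Figure 2.10
# (outer bits select the row, inner four bits the column) and checks of several
# S-box design criteria. Only S1 from Table 2.4 is embedded; every function works
# on any 4x16 table given in the same row/column layout.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(table, b: int) -> int:
    """6-bit input b = b5 b4 b3 b2 b1 b0: row = (b5 b0), column = (b4 b3 b2 b1)."""
    assert 0 <= b < 64, "S-box input must be a 6-bit value"
    row = ((b >> 5) << 1) | (b & 1)
    col = (b >> 1) & 0xF
    return table[row][col]


def rows_are_permutations(table) -> bool:
    """Criterion 3: with the outer bits fixed, the 16 outputs are all different."""
    return all(sorted(row) == list(range(16)) for row in table)


def min_output_distance(table, input_diff: int) -> int:
    """Smallest Hamming distance between outputs over all input pairs (a, a XOR d)."""
    return min(bin(sbox(table, a) ^ sbox(table, a ^ input_diff)).count("1")
               for a in range(64))


def criterion_4(table) -> bool:
    """Inputs differing in exactly one bit give outputs differing in >= 2 bits."""
    return all(min_output_distance(table, 1 << i) >= 2 for i in range(6))


def criterion_5(table) -> bool:
    """Inputs differing in exactly the two middle bits (b3, b2 = 001100) give
    outputs differing in >= 2 bits."""
    return min_output_distance(table, 0b001100) >= 2


def max_pairs_same_output_diff(table) -> int:
    """Criterion 7: for every nonzero input difference d, count how many of the
    32 unordered input pairs {a, a XOR d} share one output difference; return the
    largest such count over all d (must be <= 8)."""
    worst = 0
    for d in range(1, 64):
        counts = {}
        for a in range(64):
            if a < a ^ d:  # visit each unordered pair exactly once
                od = sbox(table, a) ^ sbox(table, a ^ d)
                counts[od] = counts.get(od, 0) + 1
        worst = max(worst, max(counts.values()))
    return worst


def nonlinearity_witness(table):
    """First pair 0 < a < b with S(a) XOR S(b) != S(a XOR b). A linear map would
    satisfy the equality for every a, b; one counterexample refutes linearity."""
    for a in range(1, 64):
        for b in range(a + 1, 64):
            if sbox(table, a) ^ sbox(table, b) != sbox(table, a ^ b):
                return a, b
    return None


if __name__ == "__main__":
    print("Example 2.2: S1(100101) =", sbox(S1, 0b100101))
    print("criterion 3:", rows_are_permutations(S1))
    print("criterion 4:", criterion_4(S1), " criterion 5:", criterion_5(S1))
    print("criterion 7, worst pair count:", max_pairs_same_output_diff(S1))
    a, b = nonlinearity_witness(S1)
    print(f"S1({a}) ^ S1({b}) = {sbox(S1, a) ^ sbox(S1, b)}, S1({a ^ b}) = {sbox(S1, a ^ b)}")
```

The criterion 7 check is the quantity differential cryptanalysis exploits: it is the largest entry of the S-box's difference distribution table, expressed in pairs rather than in the 64 individual inputs. Running it over all eight tables of Tables 2.4 to 2.11 is a one-line change once the other tables are transcribed in the same layout.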