Chapter 2 The Data Encryption Standard (DES)

The Data Encryption Standard (DES) has been by far the most popular block cipher for almost 30 years. Even though it is nowadays not considered secure against a determined attacker (the DES key space is too small), it is still used in many applications and protocols. Furthermore, encrypting data three times in a row with DES a process referred to as 3DES or triple DES yields a very secure cipher which is widely used (see Section 2.5 for a description of 3DES.) In this chapter you will learn: The design process of a very popular block cipher, the Data Encryption Standard (DES). The encryption and decryption function of DES. The internal structure of DES, including: Feistel structure S-boxes permutations key schedule Important properties of modern block ciphers where we use DES as an example. Eciency of actual DES implementations. Security analysis of DES.

27
c Reproduction of any kind requires written permission of the author

2.1 Introduction to DES

2.1 Introduction to DES

In 1972, the US National Bureau of Standards (NBS), which is now called National Institute of Standards and Technology (NIST), initiated a request for proposals for a standardized cipher in the USA. The idea was to nd a single secure cryptographic algorithm which could be used for a variety of applications. The NBS received the most promising candidate in 1974 from a team of cryptographers working at IBM. The algorithm IBM submitted was based on the cipher LUCIFER which had been developed in the beginning of the 1970s. LUCIFER in turn originated from a project led by Horst Feistel in the late 1960s. It is a so-called Feistel cipher which encrypts (decrypts) blocks of 64-bits using a key size of 128 bits. IBMs original plan was the modication of LUCIFER in such a way that a hardware circuit would be small enough to t on a single chip. Hence, despite of its inner complexity, it was supposed to be easy to be implemented in hardware because it only relied on simple logical functions (such as XOR, rotations, and small look-up tables). Allegedly, the cipher was intended for hardware implementations only, not for software realizations. In order to investigate the security of the submitted ciphers, the NBS requested the help of the National Security Agency (NSA) , which did not even admit its existence at that point in time. It seems certain that the NSA has modied parts of the internal structure1 of the original IBM cipher until they regarded it as secure. This fact worried many people, because they feared (and few still do) that a secret trap door might have been the real reason for the NSA modications. Moreover, a major complaint was based on the fact that the NSA had reduced the key size from 128-bits down to 56-bits which contrasts the original intention of the NSA to make the algorithm more secure. According to the NSA and IBM the key size was reduced to t the cipher on a single chip. Some people conjectured that the NSA would be able to search through a key space of 256 elements, thus breaking it by brute force. Section ?? will provide more information about real and perceived security weaknesses of DES. Despite of all criticism and concerns, in 1977 the NBS nally released all specications of the modied IBM cipher as the Data Encryption Standard (FIPS PUB 46) to the public. However, even though the cipher is described down to the bit level in the standard, the motivation for parts of the DES design (the so-called design criteria), such as the choice of the substitution boxes, were never ocially
1

e.g., the subsitution boxes which represent the heart of the cipher.

28
c Reproduction of any kind requires written permission of the author

The Data Encryption Standard (DES)

released. With the quick spreading of personal computers (PCs) in the early 1980s and all specications of DES being publicly available it was possible for anyone to analyze the inner structure of a cipher which was designed in part by the NSA. Originally, DES was only standardized for 10 years, until 1987. Due to the wide use of DES and the lack of serious security weaknesses, the NBS (which became the NIST in the 1990s) rearmed the federal use of the cipher until 1999, when it was nally replaced by the Advanced Encryption Standard (AES).

29
c Reproduction of any kind requires written permission of the author

2.1 Introduction to DES

2.1.1

Confusion and Diffusion

Before we start with the details of DES, it is instructive to look at primitive operations which can be applied in order to achieve strong encryption. There are certain general building blocks which are relevant for the construction of a strong block cipher. According to Claude Shannon, there are two primitive operations for encryption: 1. Confusion: This is an encryption operation where the relationship between cleartext and ciphertext is obscured. Some examples are: the shift cipher the main operation is substitution. German Enigma (broken by Marian Rejewski and Alan Turing) the main operation is a very complex substitution rule. 2. Diusion: Encryption by spreading out the inuence of one cleartext letter over many ciphertext letters. An example is: permutations changing the positioning of the cleartext. In actual block ciphers, it is preferable that changing of one bit of plaintext results on average in the change of half the output bits.

Example 2.1 Lets assume a toy-size block cipher with a block length of 8 bits. Encryption of two plain texts x1 and x2 , which are dierent in only one bit, should roughly result in something like this:
x1 = 00101011 x2 = 00001011 Block cipher y1 = 10111001 y2 = 01101100

Figure 2.1: Confusion and diusion of a block cipher

Combining confusion with diusion is a common practice for obtaining a secure scheme. In most of todays block ciphers, one can directly identify the modules that are responsible for the confusion and diusion, respectively. They are then applied repeatedly to the plaintext, as symbolized in Figure 2.2. DES is a good example for this.

30
c Reproduction of any kind requires written permission of the author

The Data Encryption Standard (DES)

x
Diffusion 1 Confusion 1

y
Diffusion 2 Confusion 2

Diffusion N Confusion N

y
Figure 2.2: Example of combining confusion with diusion

2.2 Overview of the DES Algorithm

DES is a cipher which encrypts blocks of length of 64 bits with a key of size of 56 bits (see Figure 2.3).

x
64 56

DES
64

y
Figure 2.3: DES block cipher

Moreover, DES is a symmetric cipher, i.e., the same algorithm and the same key are used for encryption and decryption. Figure 2.4 shows the principle function of DES from an extremely high level of abstraction. For each block of plaintext, encryption is handled in 16 rounds. Hence, DES belongs to the class of iterative ciphers. Virtually all modern block algorithms are iterative ciphers.

31
c Reproduction of any kind requires written permission of the author

2.2 Overview of the DES Algorithm

Initial Permutation Encryption Round 1

K 1

Encryption Round 16 Final Permutation

16

y
Figure 2.4: Iterative structure of DES

As we shall see later, the only dierence between encryption and decryption is the order of round keys. Lets now have a more detailed view on DES, as shown in Figure 2.5.

The structure shown in Figure 2.5 is called a Feistel network . It is used in many (but certainly not in all) modern block ciphers. We will discuss the Feistel network in the following. After the initial bit-wise permutation IP of a 64-bit plaintext x, it is split into two 32-bit halves L0 and R0 . These two 32-bit halves are fed into a Feistel network which consists of 16 rounds. The right half Ri is fed into the function f . The output of the f function is XORed (denoted with the symbol ) with the left 32-bit half Li . Finally the right and left half are swapped. This process repeats in the next round. This process can be expressed as: Li = Ri1 , i = 1, . . . , 16 Ri = Li1 f (Ri1 , Ki ), i = 1, . . . , 16

32
c Reproduction of any kind requires written permission of the author

The Data Encryption Standard (DES)

Message x

Key k

Initial Permutation IP(x)

PC1

56

L0
32 32

R0
32 48

Transform 1 f k1
56

Round 1

32

L1

R1

L 15
32 32

R 15
32 48

Transform 16

k 16

Round 16

32

L 16

R 16

Final Permutation IP 1( )

Ciphertext y = DESk (x )

Figure 2.5: The Feistel structure of DES

After round 16, the 32-bit halves L16 and R16 are swapped again and the nal permutation IP 1 nishes o the algorithm. The nal permutation IP 1 is the inverse of the initial permutation IP . In each round, a round key Ki is derived

33
c Reproduction of any kind requires written permission of the author

2.2 Overview of the DES Algorithm

from the main 56-bit key using a key schedule algorithm. It is crucial to note that the Feistel structure really only encrypts (decrypts) half of the input bits per each round, namely the left half of the input. The right half is copied to the next round unchanged. In particular, the right half is not encrypted with the f function. In order to get a better feeling, the following interpretation of the working of a Feistel cipher helps: Think of the f function of a pseudo random generator with the two input parameters Ri1 and Ki . The output of the pseudo random generator is then used to encrypt the left half Li1 with the XOR operation. As we saw in the previous chapter on stream ciphers, if the output of the f function is not predictable for an attacker, this results in a strong encryption method. The two aforementioned basic properties of ciphers, i.e., confusion and diusion, are realized within the f -function. In order to thwart advanced analytical attacks, the f -function has to be designed extremely carefully. Once the f -function has been designed securely, the security of a Feistel cipher increases with the number of key bits used and the number of rounds. Before we discuss all modules of the Feistel network in detail, here is an algebraic description of the Feistel network for the mathematically inclined reader: The Feistel structure of each round bijectively maps a block of 64 input bits to 64 output bits (i.e., every possible input is mapped uniquely to exactly one output and vice versa). This mapping remains bijective for some arbitrary function f , i.e., even if the embedded function f is not bijective. In case of DES the function f is in fact a surjective (many-to-one) mapping. It uses non-linear building blocks and maps 32 input bits to 32 output bits using a 48-bit round key Ki , with 0 i 15.

34
c Reproduction of any kind requires written permission of the author

The Data Encryption Standard (DES)

2.3 Internal Structure of DES

The structure of DES as depicted in Figure 2.5 shows several internal functions which we will discuss in this section. The most important building blocks are: initial and nal permutation, the actual DES rounds with its core, the f -function, and the key schedule of DES.

2.3.1 Inital and Final Permutation

As shown in Figure 2.6 and 2.7, the initial permutation IP and the nal permutation IP 1 are bit-wise permutations. They simply permute the 64 input and output bits, respectively. A bit-wise permutation can simply be implemented in hardware by wiring. However, it is rather cumbersome to implement in software. Note that both permutations do not increase the security of DES at all. Therefore, it is widely assumed that initially their main purpose was to arrange the plaintext (ciphertext) bits in a byte-wise manner to make data fetches easier for hardware architectures with 8-bit data busses.
1 50 58 64

IP(x)
1 2 40

Figure 2.6: Bit swapping examples of the initial permutation

z
1 2 40

IP 1(z)
1 50 58 64

Figure 2.7: Bit swapping examples of the nal permutation

The exact details of transformation IP are is given in the Table 2.1. This table, like all other tables in this chapter, should be read from left to right, top to bottom. Moreover, the bit indices begin with 1 and end with 64, thus, the initial

35
c Reproduction of any kind requires written permission of the author

2.3 Internal Structure of DES

permutation maps plaintext bit 58 to position 1, plaintext bit 50 to position 2, and so on.

IP 58 60 62 64 57 59 61 63 50 52 54 56 49 51 53 55 42 44 46 48 41 43 45 47 34 36 38 40 33 35 37 39 26 28 30 32 25 27 29 31 18 20 22 24 17 19 21 23 10 12 14 16 9 11 13 15 2 4 6 8 1 3 5 7

Table 2.1: Initial permutation IP

IP 1 40 39 38 37 36 35 34 33 8 7 6 5 4 3 2 1 48 47 46 45 44 43 42 41 16 15 14 13 12 11 10 9 56 55 54 53 52 51 50 49 24 23 22 21 20 19 18 17 64 63 62 61 60 59 58 57 32 31 30 29 28 27 26 25

Table 2.2: Final permutation IP 1

36
c Reproduction of any kind requires written permission of the author

The Data Encryption Standard (DES)

2.3.2 Core Iteration / f-Function

As mentioned earlier, at the core of the round function of DES is the f -function . It takes the right half Ri1 of the output of the previous round i 1 and the current round key Ki as input. The output of the f -function is used as an XORmask for encrypting the left half input bits Li1 . The structure of the f -function is shown in Figure 2.9. First, the 32-bit input is expanded to 48 bits by partitioning the input into eight 4-bit blocks and by expanding each block to 6 bits.
1 2 3 4 5 6 7 8 9 32

9 10 11 12 13 14

47 48

Figure 2.8: Expansion function E of DES

As can be seen from the Table 2.3, 16 bits of the 32 input bits appear twice in the expansion permutation, however, a bit never appears twice in the same 6-bit block. This results in a diusion of the 32 input bits, since 16 of the 32 inputs bits propagate into two dierent six bit blocks.

E 32 4 8 12 16 20 24 28 1 5 9 13 17 21 25 29 2 6 10 14 18 22 26 30 3 7 11 15 19 23 27 31 4 8 12 16 20 24 28 32 5 9 13 17 21 25 29 1

Table 2.3: Expansion permutation E

37
c Reproduction of any kind requires written permission of the author

2.3 Internal Structure of DES

R i1
32

Expansion E(R i1)

48 48

ki
48

f function

S1
4

S2
4

S3
4

S4
4

S5
4

S6
4

S7
4

S8
4

32

Permutation P
32

Figure 2.9: Core function of DES

As next, the 48-bit result of the expansion is XORed with the round key ki and the eight 6-bit blocks are fed into eight dierent substition boxes (S-boxes) . Each S-box maps a six bit input to a four bit output and can be regarded as a table with 16 columns and 4 rows. The S-boxes are listed in Tables 2.4 to 2.11. The tables are to be read as indicated in Figure 2.10: the most signicant bit (MSB) and the least signicant bit (LSB) of each 6-bit input select the row of the table, while the four inner bits select the column. The integers 0,1,...,15 of each entry in the table represents the decimal notation of a 4-bit value.

Example 2.2 The S-box input b = (100101) indicates row = (11)2 = 3 (forth row, starting with (00)2 ) and column = (0010)2 = 2 (third column, starting with (0000)2 ). If the input b is fed into S-box 1, the output is S1 (37 = 1001012 ) = 8 = 10002 .

38
c Reproduction of any kind requires written permission of the author

The Data Encryption Standard (DES)

1 1 1 0 0 1 0 1

forth row

0010

third column

Figure 2.10: Decoding of S-box entry.

S1 0 1 2 3

0 14 00 04 15

1 04 15 01 12

2 13 07 14 08

3 01 04 08 02

4 02 14 13 04

5 15 02 06 09

6 11 13 02 01

7 08 01 11 07

8 03 10 15 05

9 10 06 12 11

10 06 12 09 03

11 12 11 07 14

12 05 09 03 10

13 09 05 10 00

14 00 03 05 06

15 07 08 00 13

Table 2.4: S-box S1

S2 0 1 2 3

0 15 03 00 13

1 01 13 14 08

2 08 04 07 10

3 14 07 11 01

4 06 15 10 03

5 11 02 04 15

6 03 08 13 04

7 04 14 01 02

8 09 12 05 11

9 07 00 08 06

10 02 01 12 07

11 13 10 06 12

12 12 06 09 00

13 00 09 03 05

14 05 11 02 14

15 10 05 15 09

Table 2.5: S-box S2

S3 0 1 2 3

0 10 13 13 01

1 00 07 06 10

2 09 00 04 13

3 14 09 09 00

4 06 03 08 06

5 03 04 15 09

6 15 06 03 08

7 05 10 00 07

8 01 02 11 04

9 13 08 01 15

10 12 05 02 14

11 07 14 12 03

12 11 12 05 11

13 04 11 10 05

14 02 15 14 02

15 08 01 07 12

Table 2.6: S-box S3

39
c Reproduction of any kind requires written permission of the author

2.3 Internal Structure of DES

S4 0 1 2 3

0 07 13 10 03

1 13 08 06 15

2 14 11 09 00

3 03 05 00 06

4 00 06 12 10

5 06 15 11 01

6 09 00 07 13

7 10 03 13 08

8 01 04 15 09

9 02 07 01 04

10 08 02 03 05

11 05 12 14 11

12 11 01 05 12

13 12 10 02 07

14 04 14 08 02

15 15 09 04 14

Table 2.7: S-box S4

S5 0 1 2 3

0 02 14 04 11

1 12 11 02 08

2 04 02 01 12

3 01 12 11 07

4 07 04 10 01

5 10 07 13 14

6 11 13 07 02

7 06 01 08 13

8 08 05 15 06

9 05 00 09 15

10 03 15 12 00

11 15 10 05 09

12 13 03 06 10

13 00 09 03 04

14 14 08 00 05

15 09 06 14 03

Table 2.8: S-box S5

S6 0 1 2 3

0 12 10 09 04

1 01 15 14 03

2 10 04 15 02

3 15 02 05 12

4 09 07 02 09

5 02 12 08 05

6 06 09 12 15

7 08 05 03 10

8 00 06 07 11

9 13 01 00 14

10 03 13 04 01

11 04 14 10 07

12 14 00 01 06

13 07 11 13 00

14 05 03 11 08

15 11 08 06 13

Table 2.9: S-box S6

S7 0 1 2 3

0 04 13 01 06

1 11 00 04 11

2 02 11 11 13

3 14 07 13 08

4 15 04 12 01

5 00 09 03 04

6 08 01 07 10

7 13 10 14 07

8 03 14 10 09

9 12 03 15 05

10 09 05 06 00

11 07 12 08 15

12 05 02 00 14

13 10 15 05 02

14 06 08 09 03

15 01 06 02 12

Table 2.10: S-box S7

40
c Reproduction of any kind requires written permission of the author

The Data Encryption Standard (DES)

S8 0 1 2 3

0 13 01 07 02

1 02 15 11 01

2 08 13 04 14

3 04 08 01 07

4 06 10 09 04

5 15 03 12 10

6 11 07 14 08

7 01 04 02 13

8 10 12 00 15

9 09 05 06 12

10 03 06 10 09

11 14 11 13 00

12 05 00 15 03

13 00 14 03 05

14 12 09 05 06

15 07 02 08 11

Table 2.11: S-box S8

The S-boxes are the core of DES in terms of cryptographic strength. Even though the entire specication of DES was released by NBS/NIST in 1977, the design criteria of the S-boxes were never completely revealed by the NSA. This often gave rise to many speculations2 . Nevertheless, by now it is for sure that the S-boxes were designed according to the criteria listed below. Note that some of these design criteria were not revealed until the 1990s. More information about this issue will be provided in Section ??.

1. Each S-box has six input bits and four output bits (common register length of microchips in the mid 1970s). 2. No single output bit should be too close to a linear combination of the input bits. 3. If the lowest and the highest bits of the input are xed and the four middle bits are varied, each of the possible 4-bit output values must occur exactly once. 4. If two inputs to an S-box dier in exactly one bit, their outputs must dier in at least two bits. 5. If two inputs to an S-box dier in the two middle bits, their outputs must dier in at least two bits. 6. If two inputs to an S-box dier in their rst two bits and are identical in their last two bits, the two outputs must be dierent. 7. For any nonzero 6-bit dierence between inputs, no more than eight of the thirty-two pairs of inputs exhibiting that dierence may result in the same output dierence.
E.g., regarding a secret back door or some other intentionally constructed weakness, which could possibly be exploited by the NSA.
2

41
c Reproduction of any kind requires written permission of the author

2.3 Internal Structure of DES

8. A collision (zero output dierence) at the 32-bit output of the eight S-boxes is only possible for three adjacent S-boxes.

The S-boxes are the most crucial elements of DES because they introduce a nonlinear function to the algorithm, i.e., S(a) S(b) = S(a b). Without a non-linear building block, DES could easily be broken. Moreover, the S-boxes were carefully designed in order to thwart an advanced mathematical attack called dierential cryptanalysis. Interestingly, dierentially cryptanalysis was rst discovered in the research community in 1990. At this point, the IBM team declared that the attack had been known to the designers, and that DES was especially designed to withstand dierential cryptanalysis. Finally, the 32-bit output is permuted bit-wise according to the P permutation. Unlike the initial permutation IP and its inverse IP 1 , the permutation P introduces diusion because the four output bits of each S-box are permuted in such a way that they aect six dierent S-boxes in the following round. The diusion caused by the expansion, S-boxes and the permutation P guarantees that every bit at the end of the fth round is a function of every plaintext bit and every key bit3 .

2.3.3 Key Schedule

The key schedule algorithm derives 16 round keys Ki of size 48 bits from the original 56-bit key. First, note that DES keys are often stated as 64-bit keys, however, this is due to the fact that every eighth bit is used as an odd parity bit. It is not quite clear why DES was specied that way. In any case, the eight parity bits are not actual key bits and do not increase the security. DES is a 56-bit cipher, not a 64-bit one. As shown in Figure 2.11, the 64-bit key is rst reduced to 56 bits by ignoring every eighth bit, i.e., the parity bits are stripped in the P C 1 permutation. Hence, the parity bits certainly do not increase the key space! The resulting 56-bit key is split into two halves C0 and D0 . Then, the two 28-bit halves are
3

This is also called the avalanche eect .

42
c Reproduction of any kind requires written permission of the author