
Des Analysis

The document analyzes the Data Encryption Standard (DES), focusing on its properties such as the avalanche effect and completeness, while highlighting concerns about its 56-bit key size and vulnerabilities to brute-force attacks. It discusses alternatives like triple DES and AES for improved security, as well as the design principles of block ciphers, including the number of rounds and the function F. Additionally, it addresses the weaknesses of double DES and the effectiveness of triple DES with one or three keys in enhancing security against known-plaintext attacks.

DES ANALYSIS

Critics have used a strong magnifier to analyze DES. Tests have been done to measure the
strength of some desired properties in a block cipher. The elements of DES have gone
through scrutiny to see if they have met the established criteria. We discuss some of these in
this section.
Properties
Two desired properties of a block cipher are the avalanche effect and completeness.

Avalanche Effect
Avalanche effect means a small change in the plaintext (or key) should create a significant
change in the ciphertext. DES has been proved to be strong with regard to this property.
Completeness Effect
Completeness effect means that each bit of the ciphertext needs to depend on many
bits of the plaintext. The diffusion and confusion produced by P-boxes and S-boxes in
DES show a very strong completeness effect.

THE STRENGTH OF DES

Since its adoption as a federal standard, there have been lingering concerns about
the level of security provided by DES. These concerns, by and large, fall into two
areas: key size and the nature of the algorithm.

The Use of 56-Bit Keys


With a key length of 56 bits, there are 2^56 possible keys, which is approximately
7.2 × 10^16 keys. Thus, on the face of it, a brute-force attack appears impractical.
Assuming that, on average, half the key space has to be searched, a single machine
performing one DES encryption per microsecond would take more than a
thousand years to break the cipher.
However, the assumption of one encryption per microsecond is overly
conservative. As far back as 1977, Diffie and Hellman postulated that the
technology existed to build a parallel machine with 1 million encryption devices,
each of which could perform one encryption per microsecond [DIFF77]. This would
bring the average search time down to about 10 hours. The authors estimated that
the cost would be about $20 million in 1977 dollars.
With current technology, it is not even necessary to use special, purpose-built
hardware. Rather, the speed of commercial, off-the-shelf processors threatens the
security of DES. A 2008 paper from Seagate Technology [SEAG08] suggests that
a rate of 1 billion (10^9) key combinations per second is reasonable for today’s
multicore computers. Recent offerings confirm this. Both Intel and AMD now
offer hardware-based instructions to accelerate the use of AES. Tests run on a
contemporary multicore Intel machine resulted in an encryption rate of about half
a billion encryptions per second [BASU12]. Another recent analysis suggests that
with contemporary supercomputer technology, a rate of 10^13 encryptions per
second is reasonable [AROR12].
With these results in mind, Table 4.5 shows how much time is required for a
brute-force attack for various key sizes. As can be seen, a single PC can break DES in
about a year; if multiple PCs work in parallel, the time is drastically shortened.
And today’s supercomputers should be able to find a key in about an hour.
Key sizes of 128 bits or greater are effectively unbreakable using simply a
brute-force approach. Even if we managed to speed up the attacking system by a
factor of 1 trillion (10^12), it would still take over 100,000 years to break a code
using a 128-bit key.
Fortunately, there are a number of alternatives to DES, the most important of
which are AES and triple DES, discussed in Chapters 6 and 7, respectively.
Table 4.5 Average Time Required for Exhaustive Key Search

| Key Size (bits) | Cipher | Number of Alternative Keys | Time Required at 10^9 Decryptions/s | Time Required at 10^13 Decryptions/s |
|---|---|---|---|---|
| 56 | DES | 2^56 ≈ 7.2 × 10^16 | 2^55 ns = 1.125 years | 1 hour |
| 128 | AES | 2^128 ≈ 3.4 × 10^38 | 2^127 ns = 5.3 × 10^21 years | 5.3 × 10^17 years |
| 168 | Triple DES | 2^168 ≈ 3.7 × 10^50 | 2^167 ns = 5.8 × 10^33 years | 5.8 × 10^29 years |
| 192 | AES | 2^192 ≈ 6.3 × 10^57 | 2^191 ns = 9.8 × 10^40 years | 9.8 × 10^36 years |
| 256 | AES | 2^256 ≈ 1.2 × 10^77 | 2^255 ns = 1.8 × 10^60 years | 1.8 × 10^56 years |
| 26 characters (permutation) | Monoalphabetic | 26! = 4 × 10^26 | 2 × 10^26 ns = 6.3 × 10^9 years | 6.3 × 10^6 years |

The Nature of the DES Algorithm


Another concern is the possibility that cryptanalysis is possible by exploiting the
characteristics of the DES algorithm. The focus of concern has been on the eight
substitution tables, or S-boxes, that are used in each iteration. Because the design
criteria for these boxes, and indeed for the entire algorithm, were not made public,
there is a suspicion that the boxes were constructed in such a way that
cryptanalysis is possible for an opponent who knows the weaknesses in the
S-boxes. This assertion is tantalizing, and over the years a number of regularities and
unexpected behaviors of the S-boxes have been discovered. Despite this, no one has
so far succeeded in discovering the supposed fatal weaknesses in the S-boxes.
Timing Attacks
We discuss timing attacks in more detail in Part Three, as they relate to public-key
algorithms. However, the issue may also be relevant for symmetric ciphers. In essence,
a timing attack is one in which information about the key or the plaintext is obtained by
observing how long it takes a given implementation to perform decryptions on various
ciphertexts. A timing attack exploits the fact that an encryption or decryption algorithm
often takes slightly different amounts of time on different inputs. [HEVI99] reports on
an approach that yields the Hamming weight (number of bits equal to one) of the secret
key. This is a long way from knowing the actual key, but it is an intriguing first step.
The authors conclude that DES appears to be fairly resistant to a successful timing
attack but suggest some avenues to explore. Although this is an interesting line of attack,
it so far appears unlikely that this technique will ever be successful against DES or more
powerful symmetric ciphers such as triple DES and AES.

BLOCK CIPHER DESIGN PRINCIPLES

Although much progress has been made in designing block ciphers that are
cryptographically strong, the basic principles have not changed all that much since the
work of Feistel and the DES design team in the early 1970s.

In this section we look at three critical aspects of block cipher design: the number of
rounds, design of the function F, and key scheduling.

Number of Rounds
The cryptographic strength of a Feistel cipher derives from three aspects of the
design: the number of rounds, the function F, and the key schedule algorithm. Let
us look first at the choice of the number of rounds.
The greater the number of rounds, the more difficult it is to perform
cryptanalysis, even for a relatively weak F. In general, the criterion should be that
the number of rounds is chosen so that known cryptanalytic efforts require
greater effort than a simple brute-force key search attack. This criterion was
certainly used in the design of DES. Schneier [SCHN96] observes that for 16-round
DES, a differential cryptanalysis attack is slightly less efficient than brute force: The
differential cryptanalysis attack requires 2^55.1 operations, whereas brute force requires
2^55. If DES had 15 or fewer rounds, differential cryptanalysis would require less
effort than a brute-force key search.
This criterion is attractive, because it makes it easy to judge the strength of
an algorithm and to compare different algorithms. In the absence of a cryptanalytic
breakthrough, the strength of any algorithm that satisfies the criterion can be judged
solely on key length.

Design of Function F
The heart of a Feistel block cipher is the function F, which provides the element of
confusion in a Feistel cipher. Thus, it must be difficult to “unscramble” the
substitution performed by F. One obvious criterion is that F be nonlinear, as we
discussed previously. The more nonlinear F, the more difficult any type of
cryptanalysis will be. There are several measures of nonlinearity, which are beyond
the scope of this book. In rough terms, the more difficult it is to approximate F by a
set of linear equations, the more nonlinear F is.
Several other criteria should be considered in designing F. We would like the
algorithm to have good avalanche properties. Recall that, in general, this means
that a change in one bit of the input should produce a change in many bits of the
output. A more stringent version of this is the strict avalanche criterion (SAC)
[WEBS86], which states that any output bit j of an S-box should change with
probability 1/2 when any single input bit i is inverted for all i, j. Although SAC is
expressed in terms of S-boxes, a similar criterion could be applied to F as a whole.
This is important when considering designs that do not include S-boxes.
Another criterion proposed in [WEBS86] is the bit independence criterion
(BIC), which states that output bits j and k should change independently when any
single input bit i is inverted for all i, j, and k. The SAC and BIC criteria appear to
strengthen the effectiveness of the confusion function.
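
The strict avalanche criterion can be measured directly on a DES S-box. The following is an added example, not part of the original text: it tabulates, for S-box S1, how often flipping input bit i flips output bit j, and reports how far the result is from the ideal probability of 1/2. The function names are illustrative.

```python
# DES S-box S1 as published in FIPS 46: 4 rows x 16 columns of 4-bit outputs.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
IN_BITS, OUT_BITS = 6, 4


def sbox(x):
    """Apply S1 to a 6-bit input: outer two bits pick the row, inner four the column."""
    row = ((x >> 4) & 0b10) | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]


def sac_matrix():
    """m[i][j] = fraction of the 64 inputs where flipping input bit i flips output bit j."""
    m = [[0.0] * OUT_BITS for _ in range(IN_BITS)]
    for i in range(IN_BITS):
        for x in range(1 << IN_BITS):
            diff = sbox(x) ^ sbox(x ^ (1 << i))
            for j in range(OUT_BITS):
                m[i][j] += ((diff >> j) & 1) / 64
    return m


def worst_sac_deviation(m):
    """Largest distance of any entry from the ideal SAC probability of 1/2."""
    return max(abs(p - 0.5) for row in m for p in row)


def min_output_flips():
    """Fewest output bits changed by any single-bit input flip (avalanche floor)."""
    return min(bin(sbox(x) ^ sbox(x ^ (1 << i))).count("1")
               for i in range(IN_BITS) for x in range(1 << IN_BITS))


if __name__ == "__main__":
    matrix = sac_matrix()
    for i, row in enumerate(matrix):
        print(f"input bit {i}: " + "  ".join(f"{p:.3f}" for p in row))
    print("worst deviation from 1/2:", worst_sac_deviation(matrix))
    print("minimum output bits flipped:", min_output_flips())
```

An S-box that met SAC exactly would give 0.5 in every cell; the size of the deviation shows how closely a given table approaches that ideal.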

Key Schedule Algorithm


With any Feistel block cipher, the key is used to generate one subkey for each round. In
general, we would like to select subkeys to maximize the difficulty of deducing
individual subkeys and the difficulty of working back to the main key. No general
principles for this have yet been promulgated.
Adams suggests [ADAM94] that, at minimum, the key schedule should guarantee
key/ciphertext Strict Avalanche Criterion and Bit Independence Criterion.

The above discussion shows that DES with a cipher key of 56 bits is not safe enough to be
used comfortably. We will see later in the chapter that one solution is to use triple DES
(3DES) with two keys (112 bits) or triple DES with three keys (168 bits).
The reason is that the key-generation algorithm first divides the cipher key into two halves.
Shifting or permutation of a block does not change the block if it is made of all 0s or all 1s.
MULTIPLE DES
As we have seen, the major criticism of DES regards its key length. With available
technology and the possibility of parallel processing, a brute-force attack on DES is
feasible.

One solution to improve the security of DES is to abandon DES and design a new cipher.
We will see this solution in the next chapter with the advent of AES.

The second solution is to use multiple (cascaded) instances of DES with multiple keys;
this solution, which has been used for a while, does not require an investment in new
software and hardware. We study the second solution here.
As we learned in Chapter 5, a substitution that maps every possible input to
every possible output is a group, with the mappings as the set elements and the
composition as the operator. In this case, using two consecutive mappings is useless
because we can always find the third mapping that is equivalent to the composition of the
two (closure property). This means that if DES is a group, using double DES with two
keys k1 and k2 is useless because a single DES with key k3 does the same thing (Figure
6.13).

DES, however, is not a group, which means that we can use double or triple DES to increase the key size.
Double DES
The first approach is to use double DES (2DES). In this approach, we use two instances
of DES ciphers for encryption and two instances of reverse ciphers for decryption. Each
instance uses a different key, which means that the size of the key is now doubled (112
bits). However, double DES is vulnerable to a known-plaintext attack.
Meet-in-the-Middle Attack

At first glance, it looks like double DES increases the number of tests for key search from
2^56 (in single DES) to 2^112 (in double DES). However, a known-plaintext attack
called the meet-in-the-middle attack shows that double DES improves on this only
slightly (to 2^57 tests), not tremendously (to 2^112). Figure 6.14 shows the diagram for
double DES. Alice uses two keys, k1 and k2, to encrypt plaintext P into ciphertext C; Bob
uses ciphertext C and two keys, k2 and k1, to recover P.
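
The operation count behind the 2^57 figure can be reproduced at small scale. The following is an added example, not part of the original text: it runs the meet-in-the-middle search against a constructed 16-bit toy Feistel cipher with 12-bit keys (an assumption standing in for DES so the search finishes instantly), and every function name is illustrative. Two sweeps of 2^12 operations find the key pair, instead of the 2^24 trials of an exhaustive pair search.

```python
KEY_BITS = 12  # toy key size (assumption) so the search is instant; DES uses 56
ROUNDS = 4

def _subkeys(key):
    """Toy key schedule: rotate the 12-bit key, take 8 bits per round."""
    rot = lambda r: ((key << (3 * r)) | (key >> (KEY_BITS - 3 * r))) & 0xFFF
    return [(rot(r) ^ (0x5B * r)) & 0xFF for r in range(ROUNDS)]

def _f(half, sk):
    """Toy nonlinear round function on an 8-bit half block."""
    x = half ^ sk
    return (x * x + 5 * x + 0x1F) & 0xFF

def encrypt(key, block):
    left, right = block >> 8, block & 0xFF
    for sk in _subkeys(key):
        left, right = right, left ^ _f(right, sk)
    return (left << 8) | right

def decrypt(key, block):
    left, right = block >> 8, block & 0xFF
    for sk in reversed(_subkeys(key)):
        left, right = right ^ _f(left, sk), left
    return (left << 8) | right

def double_encrypt(k1, k2, block):
    return encrypt(k2, encrypt(k1, block))

def meet_in_the_middle(pairs):
    """Return (candidate (k1, k2) list, cipher operations spent in the two sweeps)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    middle, ops = {}, 0
    for k1 in range(1 << KEY_BITS):      # forward sweep: M = E(k1, P)
        middle.setdefault(encrypt(k1, p0), []).append(k1)
        ops += 1
    found = []
    for k2 in range(1 << KEY_BITS):      # backward sweep: M = D(k2, C)
        ops += 1
        for k1 in middle.get(decrypt(k2, c0), []):
            # a match in the middle is only a candidate; confirm on the other pairs
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found, ops

def demo(k1=0x3A7, k2=0xC15, plaintexts=(0x1234, 0xBEEF, 0x0F0F)):
    """Constructed known-plaintext pairs under a secret (k1, k2), then the search."""
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)

if __name__ == "__main__":
    found, ops = demo()
    print(f"candidates: {[(hex(a), hex(b)) for a, b in found]}")
    print(f"operations: {ops} = 2^{KEY_BITS + 1}, exhaustive pair search: 2^{2 * KEY_BITS}")
```

The price of the shortcut is memory: the forward sweep stores one table entry per key, which for real DES means on the order of 2^56 entries.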

Triple DES
To improve the security of DES, triple DES (3DES) was proposed. This uses three stages
of DES for encryption and decryption. Two versions of triple DES are in use today: triple
DES with two keys and triple DES with three keys.

Triple DES with Two Keys

In triple DES with two keys, there are only two keys: k1 and k2. The first and the third
stages use k1; the second stage uses k2. To make triple DES compatible with single DES,
the middle stage uses decryption (reverse cipher) in the encryption site and encryption
(cipher) in the decryption site. In this way, a message encrypted with single DES with key
k can be decrypted with triple DES if k1 = k2 = k. Although triple DES with two keys is
also vulnerable to a known-plaintext attack, it is much stronger than double DES. It has
been adopted by the banking industry. Figure 6.16 shows triple DES with two keys.
Triple DES with Three Keys

The possibility of known-plaintext attacks on triple DES with two keys has enticed some
applications to use triple DES with three keys. Although the algorithm can use three DES
cipher stages at the encryption site and three reverse cipher stages at the decryption site,
to be compatible with single DES, the encryption site uses EDE and the decryption site
uses DED (E stands for encryption and D stands for decryption). Compatibility with
single DES is provided by letting k1 = k and setting k2 and k3 to the same arbitrary key
chosen by the receiver. Triple DES with three keys is used by many applications such as
PGP (See Chapter 16).
