DES History

In 1973, NBS (NIST) issues a public request for proposals for a national
cipher standard, which must be
Secure
Public
Completely specified
Easy to understand
Available to all users
Economic and efficient in hardware
Able to be validated
Exportable
IBM submitted LUCIFER (Feistel) (which was redesigned to become
the DES)
In 1977, adopted by NBS (NIST) as DES (Data Encryption Standard,
Federal Information Processing Standard 46 (FIPS PUB 46))

DES History

Chronolgy
1973: NBS publishes a first request for a standard encryption algorithm
1974: NBS publishes a second request for encryption algorithms
1975: DES is published in the Federal Register for comment
1976: First and second workshop on DES
1976: DES is approved as a standard
1977: DES is published as a FIPS standard FIPS PUB 46
1983: DES reaffirmed for the first time
1986: Videocipher II, a TV satellite scrambling system based upon DES
begins use by HBO
1988: DES is reaffirmed for the second time as FIPS 46-1, superseding
FIPS PUB 46
1992: Biham and Shamir publish the first theoretical attack with less
complexity than brute force: differential cryptanalysis. However, it requires
an unrealistic 247 chosen plaintexts
1993: DES is reaffirmed for the third time as FIPS 46-2

DES History
1994: The first experimental cryptanalysis of DES is performed using

linear cryptanalysis (Matsui, 1994)

1997: The DESCHALL Project breaks a message encrypted with DES for
the first time in public
1998: The Electronic Frontier Foundation (EFF)s DES cracker (Deep
Crack) breaks a DES key in 56 hours
1999: Together, Deep Crack and distributed.net break a DES key in 22 hours
and 15 minutes
1999: DES is reaffirmed for for the fourth time as FIPS 46-3, which
specifies the preferred use of Triple DES, with single DES permitted only in
legacy systems
2001: The Advanced Encryption Standard is published in FIPS 197
2002: The AES standard becomes effective
2004: The withdrawal of FIPS 46-3 (and a couple of related standards) is
proposed in the Federal Register
2005: NIST withdraws FIPS 46-3

Encryption and Decryption with DES

DES is a block cipher, as shown in Figure

General Structure of DES

The encryption process is made of two permutations (P-boxes),
which we call initial and final permutations, and sixteen Feistel
rounds.

DES Encryption Overview

56-bit Key

64-bit Plaintext

Initial Permutation
Iteration 1
Iteration 2

Iteration 16
32-bit Swap

Inverse Initial Permutation

64-bit Ciphertext

Permuted Choice 1

K1
K2

K16

Permuted Choice 2

Left Circular Shift

Permuted Choice 2

Left Circular Shift

Permuted Choice 2

Left Circular Shift

DES Encryption Overview

Initial and Final Permutation Steps in DES

Initial and Final Permutation tables

Problem No. 1
Find the output of the initial permutation box when the input is given in
hexadecimal as:
Input has only two 1s (Bit 15 and bit 64): the output must also have only two
1s(the nature straight permutation).
The bit 15 in the input becomes bit 63 in the output. Bit 64 in the input
becomes bit 25 in the output. So the output has only two 1s, bit 25 and bit 63.

6.2.1 Continued

Problem No. 2

Problem No. 2
Prove that the initial and final permutations are the inverse of each other by
finding the output of the final permutation if the input is

Solution: The bit 25 in the input becomes bit 64 in the output. Bit 63 in the input
becomes bit 15 in the output. So the output has only two 1s, bit 15 and bit 64.

A round in DES (encryption site)

DES uses 16 rounds. Each round of DES is a Feistel cipher.

DES Contd.

The computation consists of 16 iterations of a calculation

The cipher function f operates on two blocks, one of 32 bits and one of 48 bits,
and produces a block of 32 bits.
The input block is then LR, 32 bit block L followed by a 32 bit block R.
Let K be a block of 48 bits chosen from the 64-bit key. Then the output L'R' of an
iteration with input LR is defined by:
L' = R
R' = L (+) f (R,K)
L'R' is the output of the 16th iteration then R'L' is the preoutput block.
At each iteration a different block K of key bits is chosen from the 64-bit key
designated by KEY.
Let KS be a function which takes an integer n in the range from 1 to 16 and a 64bit block KEY as input and yields as output a 48-bit block Kn which is a permuted
selection of bits from KEY. That is
Kn = KS (n, KEY)

DES - Swapping of Left and Right Halves

Li-1

Ri-1

This can be described functionally as:

L(i) = R(i-1)
R(i) = L(i-1) P(S( E(R(i-1)) K(i) ))

Li-1 f (Ri-1, Ki)

This forms one round in an S-P network

32 bits Li

32 bits Ri

DES - Swapping of Left and Right Halves

Li-1

This can be described functionally as:

L(i) = R(i-1)

Ri-1

Li-1 f (Ri-1, Ki)

R(i) = L(i-1) P(S( E(R(i-1)) K(i) ))

This forms one round in an S-P network

32 bits Li

32 bits Ri

Details of Each Iteration

32 bits

32 bits

28 bits

28 bits

Li-1

Ri-1

Ci-1

Di-1

Left Shift(s)

Left Shift(s)

32 bits
Expansion
Permutation
(E-Table)

48 bits

XOR

48 bits

Permutation Choice
(PC-2)

Ki

48 bits
Substitution Box
(S-Box)
32 bits
Permutation Box
(P)

32 bits

XOR
32 bits

Li

Ri

Ci

Di

6.2.2 Continued

DES Function

The heart of DES is the DES function. The DES function applies a 48-bit key to
the rightmost 32 bits to produce a 32-bit output.

6.2.2 Continue

Expansion P-box

Since RI1 is a 32-bit input and KI is a 48-bit key, we first need to expand R I1 to 48
bits.

Expansion Permutation Table

32

10

11

12

13

12

13

14

15

16

17

16

17

18

19

20

21

20

21

22

23

24

25

24

25

26

27

28

29

28

29

30

31

32

6.2.2 Continue

Whitener (XOR)

After the expansion permutation, DES uses the XOR operation on the
expanded right section and the round key. Note that both the right section
and the key are 48-bits in length. Also note that the round key is used only
in this operation.

S-Boxes
The S-boxes do the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit
input and a 4-bit output.

6.20

S-Box 1
Table shows the permutation for S-box 1. For the rest of the boxes see the
textbook.

Problem No. 3
The input to S-box 1 is 100011.
What is the output?

S-Box Structure
S1
00(0)
01(2)
10(3)
11(4)

0
14
0
4
15

1
4
15
1
12

2
13
7
14
8

3
1
4
8
2

4 5
2 15
14 2
13 6
4 9

6 7 8 9 10 11 12
11 8 3 10 6 12 5
13 1 10 6 12 11 9
2 11 15 12 9 7 3
1 7 5 11 3 14 10

13 14 15
9 0 7
5 3 8
10 5 0
0 6 13

For example, for input 011011 the row is 01, that is row 1, and
the column is determined by 1101, that is column 13. In row 1
column 13 appears 5 so that the output is 0101.

6.2.2 Continued

Solution to Problem No. 2

If we write the first and the sixth bits together, we get 11 in binary, which is 3
in decimal. The remaining bits are 0001 in binary, which is 1 in decimal. We
look for the value in row 3, column 1, (S-box 1). The result is 12 in decimal,
which in binary is 1100. So the input 100011 yields the output 1100.

S-Box Structure

S-Box Structure

The input to S-box 8 is 000000. What is the output?

Solution
If we write the first and the sixth bits together, we get 00 in binary, which is 0
in decimal. The remaining bits are 0000 in binary, which is 0 in decimal. We
look for the value in row 0, column 0, in Table 6.10 (S-box 8). The result is 13
in decimal, which is 1101 in binary. So the input 000000 yields the output
1101.

Straight Permutation

Cipher and Reverse Cipher

Using mixers and swappers, we can create the cipher and reverse cipher, each
having 16 rounds.

First Approach
To achieve this goal, one approach is to make the last round (round 16)
different from the others; it has only a mixer and no swapper.

6.2.3 Continued
DES Cipher
and Reverse Cipher for the First Approach

Key Generation

Permutation 1
PC-1
57
1
10
19

49
58
2
11

41
50
59
3

33
42
51
60

25
34
43
52

17
26
35
44

9
18
27
36

63
7
14
21

55
62
6
13

47
54
61
5

39
46
53
28

31
38
45
20

23
30
37
12

15
22
29
4

PC-1

58 50 42 34

IP

26 18 10 2
60 52 44 36 28 20
12 4
62 54 46 38 30 22
14 6
64 56 48 40 32 24
16 8
57 49 41 33 25 17

57

49

41

33

25

17

58

50

42

34

26

18

10

59

51

43

35

27

19

11

60

52

44

36

63

55

47

39

31

23

15

62

54

46

38

30

22

14

61

53

45

37

29

21

13

28

20

12

Permutation Choice 2

PC-2
14
3
23
16
41
30
44
46

17
28
19
7
52
40
49
42

11
15
12
27
31
51
39
50

24
6
4
20
37
45
56
36

1
5
21 10
26
8
13
2
47 55
33 48
34 53
29 32

Key Rotation Schedule

Round
Number

10 11 12 13 14 15 16

Number
of 1
Left Shifts

Total Number 1
of Shifts

10 12 14 15 17 19 21 23 25 27 28

Iteration Corresponds to Left Shifts

1 2 3
1 1 2

4 5 6 7
2 2 2 2

8
2

9 10
1 2

11 12 13 14 15 16
2 2 2 2 2 1

Avalanche Effect
DES exhibits strong avalanche, where a change of one input or
key bit results in changing approx half output bits

Avalanche Effect
DES exhibits strong avalanche, where a change of one input or key bit results in
changing approx half output bits.
Two desired properties of a block cipher are the avalanche effect and the
completeness.
To check the avalanche effect in DES, let us encrypt two plaintext blocks (with
the same key) that differ only in one bit and observe the differences in the number
of bits in each round.

6.3.1 Continued

Avalanche Effect Contd.

Although the two plaintext blocks differ only in the rightmost bit, the
ciphertext blocks differ in 29 bits. This means that changing
approximately 1.5 percent of the plaintext creates a change of
approximately 45 percent in the ciphertext.

Completeness Effect

Completeness effect means that each bit of the ciphertext needs to depend
on many bits on the plaintext. The diffusion and Confusion produced by
P-boxes and S-boxes in DES shows a very strong completeness effect.

Design Criteria of S-boxes

The design provides confusion and diffusion of bits from each round to
the next.

The entries of each row are permutation of values are between

0 and 15.

If there is a single bit change in the input, two or more bits

will be changed in the output.

If two inputs to an S-box differ only in the two middle bits

(bit 3 and bit 4), the output must differ in at least two bits.

Design Criteria of S-boxes Contd.

If two inputs to an S-box differ in the first two bits (bit 1 and bit 2) and are the
same in the last two bits (5 and 6), the two outputs must be different.
There are only 32 6-bit input word pairs(X i and Xj ) in which XiXj (000000)2.
These 32 input pairs create 32 4-bit output word pair. If we create the difference
between the 32 output pair d = Yi Yj , no more than 8 of these d should be the
same.

Design Criteria for P-boxes

Between two rounds of S-boxes, there are one straight P-box (32 bit to
32 bit) and one Expansion P-box (32 bit to 48 bit). These two P-boxes
together provide diffusion of bits.

Each S-box input comes from the output of a different S- box

(in the previous round).

The four outputs from each S-box go to six different S-boxes

(in the next round).

No two output bits from an S-box go the same S-boxes (in

the next round).

For each S-box, the two output bits go to the first or last two
bits of an S-box in the next round. The other two output bits
go
the middle bits of an S-box in the next round.
6.40

Design Criteria for P-boxes Contd.

If we number the eight S-boxes, S1, S2, S3, , S8

An output of Sj-2 goes to one of the first two bits of Sj

(in the next round).

An output bit from Sj-1 goes to one of the last two bits
of Sj (in the next round).

An output of Sj+1 goes to one of the two middle bits of

Sj ( in the next round)

6.41

DES Weaknesses
During the last few years critics have found some
weakness in DES
Weakness in S-Boxes

At least three weaknesses are mentioned in the

literature for
S-boxes

In S-box 4, the last three output bits can be

derived in the
same way as the first output bit by
complementing some of
the input bits.

Two specifically chosen inputs to an S-box array

can create the same output.

It is possible to obtain the same output in a

single 6.42
round by
changing bits in only three

Weakness in P-boxes

It is not clear why the designer of DES used

the initial and
final permutation; these have no
security benefits.

In the expansion permutation (inside the

function), the first
and fourth bits of every 4-bit
series are repeated.
Number of Rounds
DES uses sixteen rounds of Feistel ciphers. the
ciphertext is thoroughly a random function of plaintext
and ciphertext.

6.43

Weakness in Keys

Let us try the first weak key in Table 6.18 to encrypt

a block two times. After two encryptions with the
same key the original plaintext block is created.
Note that we have used the encryption algorithm
two times, not one encryption followed by another
decryption.

6.44

Double Encryption and Decryption with a

Weak Key

6.45

Semi Weak Keys

There are six key pairs that are called semi weak keys and they
are shown in the below table. A semi weak key creates only two
different round keys and each of them is repeated eight times. In
addition, the round keys created from each pair are the same with
different orders.

6.46

6.3.3 Continued

Semi Weak Keys

6.47

Semi Weak Keys

A pair of semi-weak keys in Encryption and Decryption

What is the probability of randomly selecting a weak, a semiweak, or a possible weak key?

6.3.3 Continued

Solution

DES has a key domain of 256. The total number of the above keys
are 64 (4 + 12 + 48). The probability of choosing one of these
keys is 8.8 1016, almost impossible.

6.3.3 Continued

Key Complement

6.51

Let us test the claim about the complement keys. We have used an
arbitrary key and plaintext to find the corresponding ciphertext. If we
have the key complement and the plaintext, we can obtain the
complement of the previous ciphertext (Table 6.20).

6.52

Problem 1

This problem provides a numerical example of encryption using

one-round version of DES. We start with the same bit pattern for
the key and the plaintext, namely in hexadecimal
0123456789ABCDEF
Derive the K1 the first round subkey
derive L0 and R0
Expand R0 to get E[R0] where E[.] is the expansion function of
given figure
Calculate A=E[R0] x K1

Solution
a. First, pass the 64-bit input through PC-1 to produce a 56-bit
result. Then perform a left circular shift separately on the two
28-bit halves. Finally, pass the 56-bit result through PC-2 to
produce the 48-bit
K1.: in binary notation: 0000 1011 0000 0010 0110 0111 1001
1011 0100 1001 1010 0101
in hexadecimal notation: 0 B 0 2 6 7 9 B 4 9 A 5
b. L0, R0 are derived by passing the 64-plaintext through IP
L0 = 1100 1100 0000 0000 1100 1100 1111 1111
R0 = 1111 0000 1010 1010 1111 0000 1010 1010
c. The E table (Table 3.2c) expands R0 to 48 bits:
E(R0) = 01110 100001 010101 010101 011110 100001 010101
010101
d. A = 011100 010001 011100 110010 111000 010101 110011
110000

Solution to Problem No. 3.7

In the solution given below the following general properties of the XOR function
are used:
A Ex-OR 1 = A'
(A Ex-OR B)' = A Ex-OR B = A Ex-OR B'
A' Ex-OR B' = A Ex-OR B
Where A' = the bitwise complement of A.
a.

F (Rn, Kn+1) = 1
We have
Ln+1 = Rn; Rn+1 = Ln Ex-OR F (Rn, Kn+1) = Ln Ex-OR 1 = Ln'
Thus
Ln+2 = Rn+1 = Ln' ; Rn+2 = Ln+1 = Rn'
i.e., after each two rounds we obtain the bit complement of the original
input, and every four rounds we obtain back the original input:
Ln+4 = Ln+2' = Ln ; Rn+2 = Rn+2' = Rn
6.55

Solution to Problem No. 3.7

Therefore,
L16 = L0; R16 = R0
An input to the inverse initial permutation is R16 L16.
Therefore, the transformation computed by the modified DES
can be represented as follows:
C = IP1(SWAP(IP(M))), where SWAP is a permutation
exchanging the position of two halves of the input: SWAP(A, B)
= (B, A).
This function is linear (and thus also affine). Actually, this is a
permutation, the product of three permutations IP, SWAP, and
IP1. This permutation is however different from the identity
permutation.

6.56

Solution to Problem No. 3.7

b.

F (Rn, Kn+1) = Rn'

Ex-OR Rn'

We have
Ln+1 = Rn; Rn+1 = Ln Ex-OR F(Rn, Kn+1) = Ln

Ln+2 = Rn+1 = Ln Ex-OR Rn'

Rn+2 = Ln+1 Ex-OR F(Rn+1, Kn+2)
= Rn (Ln Ex-OR Rn')
= Rn Ex-OR Ln Ex-OR Rn'' = Ln
Ln+3 = Rn+2 = Ln
Rn+3 = Ln+2 Ex-OR F (Rn+2, Kn+3)
= (Ln Rn') Ex-OR Ln'
= Rn' Ex-OR 1
= Rn
i.e., after each three rounds we come back to the original
input.
L15 = L0; R15 = R0
and
L16 = R0
(1)
R16 = L0 Ex-OR R0' ..
(2)

Solution to Problem No 3.10 (William

Stallings)

Solution to a.

T16(L15 || R15) = L16 || R16

T17(L16 || R16) = R16 || L16
IP [IP1 (R16 || L16)] = R16 || L16
TD1(R16 || L16) = R15 || L15

Solution b.
T16(L15 || R15) = L16 || R16
IP [IP1 (L16 || R16)] = L16 || R16
TD1(R16 || L16) = R16 || L16 Ex-OR f(R16, K16)
L15 || R15

6.58