Don Coppersmith IBM Research Division, Thomas J

The Data Encryption Standard (DES) and its strength against attacks
by D. Coppersmith

Abstract

The Data Encryption Standard (DES) was developed by an IBM team around 1974 and adopted as a national standard in 1977. Since that time, many cryptanalysts have attempted to find shortcuts for breaking the system. In this paper, we examine one such attempt, the method of differential cryptanalysis, published by Biham and Shamir. We show some of the safeguards against differential cryptanalysis that were built into the system from the beginning, with the result that more than $10^{15}$ bytes of chosen plaintext are required for this attack to succeed.

Disclaimer

The present author participated in the design and test of DES, particularly in the design of the S-boxes and in strengthening them against differential cryptanalysis. Naturally, this author has strong opinions about DES and its history. Any opinions in this paper are those of the author and are not necessarily shared by IBM.

©Copyright 1994 by International Business Machines Corporation. Copying in printed form for private use is permitted without payment of royalty provided that (1) each reproduction is done without alteration and (2) the Journal reference and IBM copyright notice are included on the first page. The title and abstract, but no other portions, of this paper may be copied or distributed royalty free without further permission by computer-based and other information-service systems. Permission to republish any other portion of this paper must be obtained from the Editor.

IBM J. RES. DEVELOP. VOL. 38 NO. 3 MAY 1994

Introduction

Cryptography has long been in use by governments, particularly in the realms of military and diplomatic communication. It is hard to imagine military communication without cryptography; cryptanalysis, or secretly deciphering the opponent's messages, is perhaps of even greater value. Much has been written about cryptography in the military; see reference [1] for example.

During the early 1970s, it became apparent that the commercial sector also has a legitimate need for cryptography. Corporate secrets must be transmitted between distant sites, without the possibility of eavesdropping by industrial spies. Personal data on databases need to be protected against espionage and alteration.

A familiar example is the communication between an automatic teller machine (ATM) and a central computer. The user inserts a magnetic card and types a few numbers. The ATM sends messages to the computer. The computer checks the account balance and returns a message authorizing the ATM to dispense funds. Obviously, if these messages are unprotected, a thief can tap the wires, find the message authorizing the dispensing of funds, and send multiple copies of that message to the ATM, thereby "cleaning out" the supply of cash from the ATM.

In the early 1970s, a banking customer asked IBM to develop a system for encrypting ATM data. With this problem as a starting point, a team was formed from people at two IBM sites (Kingston and Yorktown Heights, New York). Developers included Roy Adler, Don Coppersmith, Horst Feistel, Edna Grossman, Alan Konheim, Carl Meyer, Bill Notz, Lynn Smith, Walt Tuchman, and Bryant Tuckerman. This team, along with several consultants, developed a cryptographic algorithm. This algorithm was then submitted to the National Bureau of Standards (NBS, which later became the National Institute of Standards and Technology, or NIST) and was adopted in 1977 as a national standard: the Data Encryption Standard, or DES. The National Security Agency (NSA) also provided technical advice to IBM.

The entire algorithm was published in the Federal Register [2], but the design considerations, which we present here, were not published at that time. The design took advantage of knowledge of certain cryptanalytic techniques, most prominently the technique of "differential cryptanalysis," which were not known in the published literature. After discussions with NSA, it was decided that disclosure of the design considerations would reveal the technique of differential cryptanalysis, a powerful technique that can be used against many ciphers. This in turn would weaken the competitive advantage the United States enjoyed over other countries in the field of cryptography.

Many people speculated, however, that the lack of disclosure was due to some "trap door" or hidden weakness in the DES. One of the purposes of the present paper is to dispel this notion and to indicate that, in fact, the reason for not publishing the criteria lay in the hidden strengths of the algorithm, not hidden weaknesses.

Contents of this paper

We begin by describing DES, giving enough detail to understand what follows. We then describe the attack based on differential cryptanalysis. We continue with a disclosure of the design criteria of the S-boxes and permutation, and a discussion of the role of these criteria in defeating differential cryptanalysis.

Description of DES

We give here a brief description of DES, primarily to establish terminology. We do not provide the various tables that are necessary for a full description of the standard; for those, see [2] or [3].

We wish to encipher a 64-bit plaintext message block $m$ under the 56-bit key $k$, to produce a 64-bit ciphertext message block $c = E_k(m)$. (The sizes of message blocks and keys, 64 bits and 56 bits respectively, are specified in the standard.) Decipherment, or recovering plaintext from ciphertext, is denoted $m = D_k(c)$.

The plaintext message block $m$ is subjected to an initial permutation $IP$, and the result is broken into two 32-bit message halves, $m_0$ and $m_1$. Intermediate message halves $m_2, \ldots, m_{17}$ are then created in sixteen rounds, according to the procedure described below. Finally, the 64-bit ciphertext $c$ is generated by applying the inverse permutation $IP^{-1}$ to the two message halves $m_{17}, m_{16}$. (Notice the inversion: $m_{17}, m_{16}$ rather than the natural order. This is to allow decryption and encryption to use the same hardware.)

The plaintext message halves and intermediate message halves $m_0, m_1, m_2, \ldots, m_{17}$ are related as follows:

$m_{i+1} = m_{i-1} \oplus f(k_{(i)}, m_i), \quad i = 1, 2, \ldots, 16.$

Here $k$ is the secret 56-bit key, and $i$ is the number of the round (from 1 through 16). Also, $k_{(i)}$ is a selection of 48 bits from the 56 bits of $k$; this selection, or key schedule (described in [2]), depends on the round number, $i$. The symbol $\oplus$ denotes bit-by-bit "exclusive OR" (addition modulo 2), which we call "XOR" in the text.

Now we describe the function $f$. There are eight S-boxes, $S_1, \ldots, S_8$, described in the standard. Each S-box is a table lookup, using six bits as input and providing four bits as output. For each S-box, say $S_j$, six consecutive bits are selected from the 48 bits of $k_{(i)}$, namely bits $6j-5, 6j-4, \ldots, 6j$. Also, six consecutive bits are selected from $m_i$, namely bits $4j-4, 4j-3, \ldots, 4j+1 \pmod{32}$. The "mod 32" is shorthand for the convention that for $j = 1$ the bits are 32, 1, 2, 3, 4, 5, and for $j = 8$ the bits are 28, 29, 30, 31, 32, 1. Two adjacent S-boxes share two message bits; for instance, $S_1$ uses message bits 32, 1, 2, 3, 4, 5, while $S_2$ uses message bits 4, 5, 6, 7, 8, 9, and they share bits 4 and 5. (Key bits are not shared among S-boxes on one round.) $S_8$ and $S_1$ are considered to be "adjacent" because they share message bits 32 and 1.

The six key bits and the six message bits are XORed together bitwise, and the resulting six bits are used as input for a table lookup. That is, the six inputs to S-box $S_j$ at round $i$ are

$m_i[4j-4] \oplus k_{(i)}[6j-5],$
$\ldots$
$m_i[4j+1] \oplus k_{(i)}[6j],$

or, written another way,

$m_i[4j-4, 4j-3, 4j-2, 4j-1, 4j, 4j+1] \oplus k_{(i)}[6j-5, 6j-4, 6j-3, 6j-2, 6j-1, 6j].$

Each of the eight S-boxes implements a different table, each with $2^6$ entries of four bits each. These tables are described in the standard.

The eight S-boxes together put out $8 \times 4 = 32$ bits. These bits are permuted according to a permutation $P$ that is fixed for all rounds $i$. The resulting 32-bit quantity is the value of $f(k_{(i)}, m_i)$.

In summary, the 64-bit message undergoes a permutation $IP$ to produce two 32-bit message halves $m_0$ and $m_1$. Then we compute the 32-bit quantity $f(k_{(1)}, m_1)$, and XOR that quantity with $m_0$ to produce $m_2$. We use this new quantity $m_2$ to compute $f(k_{(2)}, m_2)$, and XOR that quantity with $m_1$ to produce $m_3$. We continue in a like fashion until $m_{16}$ and $m_{17}$ have been computed. These two message halves are interchanged and then subjected to the permutation $IP^{-1}$, to produce the ciphertext $c$.

Decryption is easily accomplished by a user in possession of the same key $k$. First, one applies the permutation $IP$ to $c$ to produce the message halves $m_{17}, m_{16}$. Next, one computes $f(k_{(16)}, m_{16})$ and XORs that quantity with $m_{17}$ to recover $m_{15}$. Recalling that

$m_{17} = m_{15} \oplus f(k_{(16)}, m_{16}),$

we have

$m_{17} \oplus f(k_{(16)}, m_{16}) = [m_{15} \oplus f(k_{(16)}, m_{16})] \oplus f(k_{(16)}, m_{16}) = m_{15}.$

That is,

$\Delta m = m \oplus m'.$

He considers the difference between the intermediate message halves:

$\Delta m_i = m_i \oplus m_i'.$

The input to S-box $S_1$, for example, at round $i$ of the encipherment of message $m$ is

$m_i[32, 1, 2, 3, 4, 5] \oplus k_{(i)}[1, 2, 3, 4, 5, 6],$

and the input to $S_1$ at round $i$ of the encipherment of message $m'$ is

$m_i'[32, 1, 2, 3, 4, 5] \oplus k_{(i)}[1, 2, 3, 4, 5, 6].$

From the identity $(a \oplus c) \oplus (b \oplus c) = a \oplus b$, we see that the XOR of these two inputs is

$(m_i[32, 1, 2, 3, 4, 5] \oplus k_{(i)}[1, 2, 3, 4, 5, 6]) \oplus (m_i'[32, 1, 2, 3, 4, 5] \oplus k_{(i)}[1, 2, 3, 4, 5, 6])$
$= m_i[32, 1, 2, 3, 4, 5] \oplus m_i'[32, 1, 2, 3, 4, 5]$
$= \Delta m_i[32, 1, 2, 3, 4, 5].$
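The round structure and the key-cancellation observation above can both be checked in a few lines. The following Python is an added example, not code from the paper or from the standard: it implements the Feistel recurrence $m_{i+1} = m_{i-1} \oplus f(k_{(i)}, m_i)$, the inverted output pair $(m_{17}, m_{16})$, decryption by running the same procedure with the round keys reversed, and the selection of message bits $4j-4, \ldots, 4j+1 \pmod{32}$ and key bits $6j-5, \ldots, 6j$ that feed each S-box. Because the paper does not reproduce the standard's tables, the S-box contents, the permutation $P$, and the key schedule here are constructed stand-ins (labelled as such in the code), and $IP$ / $IP^{-1}$ are omitted; the sample key and message halves are likewise constructed. The last function shows the point of the difference computation: the XOR of the two S-box inputs equals the selected bits of $\Delta m_i$, with the round key cancelling out.

```python
import random

# Constructed stand-ins for the tables the paper deliberately omits (S-box
# contents, the permutation P and the key schedule). They follow the structure
# the paper describes but are NOT the values from the standard.
_rng = random.Random(1994)
SBOXES = [[_rng.randrange(16) for _ in range(64)] for _ in range(8)]  # 8 tables, 2^6 entries of 4 bits
P = list(range(1, 33))
_rng.shuffle(P)                  # fixed permutation: output bit n is input bit P[n-1]
MASK56 = (1 << 56) - 1

def bit(x, n, width):
    """Bit n of the width-bit integer x, with bit 1 the leftmost (DES numbering)."""
    return (x >> (width - n)) & 1

def select(x, positions, width):
    """Concatenate the bits of x at the listed positions, leftmost first."""
    v = 0
    for n in positions:
        v = (v << 1) | bit(x, n, width)
    return v

def sbox_message_bits(j):
    """Message bits 4j-4, ..., 4j+1 (mod 32) feeding S_j; adjacent boxes share two bits."""
    return [((p - 1) % 32) + 1 for p in range(4 * j - 4, 4 * j + 2)]

def sbox_key_bits(j):
    """Key bits 6j-5, ..., 6j of the 48-bit round key k_(i); not shared between boxes."""
    return list(range(6 * j - 5, 6 * j + 1))

def sbox_input(m_i, k_i, j):
    """The six-bit input to S_j at one round: selected message bits XOR selected key bits."""
    return select(m_i, sbox_message_bits(j), 32) ^ select(k_i, sbox_key_bits(j), 48)

def f(k_i, m_i):
    """The round function: eight 6-to-4 table lookups, then the fixed permutation P."""
    out = 0
    for j in range(1, 9):
        out = (out << 4) | SBOXES[j - 1][sbox_input(m_i, k_i, j)]
    return select(out, P, 32)

def round_keys(k):
    """Constructed toy key schedule: 16 round keys of 48 bits from a 56-bit key
    (rotate left by the round number, keep the top 48 bits). The standard's
    schedule (reference [2]) is different."""
    keys = []
    for i in range(1, 17):
        rot = ((k << i) | (k >> (56 - i))) & MASK56
        keys.append(rot >> 8)
    return keys

def feistel(left, right, subkeys):
    """Run m_{i+1} = m_{i-1} XOR f(k_(i), m_i) for i = 1..16; returns [m_0, ..., m_17]."""
    halves = [left, right]
    for i, k_i in enumerate(subkeys, start=1):
        halves.append(halves[i - 1] ^ f(k_i, halves[i]))
    return halves

def encrypt(m0, m1, subkeys):
    """Returns the inverted pair (m_17, m_16); IP and IP^-1 are omitted here."""
    h = feistel(m0, m1, subkeys)
    return h[17], h[16]

def decrypt(c_left, c_right, subkeys):
    """Same procedure with the round keys reversed: m_17 XOR f(k_(16), m_16) = m_15, and so on."""
    h = feistel(c_left, c_right, subkeys[::-1])
    return h[17], h[16]

def sbox_input_difference(m_i, m_i_prime, k_i, j):
    """XOR of the S_j inputs for two messages enciphered under the same round key."""
    return sbox_input(m_i, k_i, j) ^ sbox_input(m_i_prime, k_i, j)

def sbox_input_difference_is_key_free(m_i, m_i_prime, k_i, j):
    """(a XOR c) XOR (b XOR c) = a XOR b: the input XOR is just the selected bits of Delta m_i."""
    delta_m_i = m_i ^ m_i_prime
    return sbox_input_difference(m_i, m_i_prime, k_i, j) == select(delta_m_i, sbox_message_bits(j), 32)

# Constructed sample values (not from the paper).
KEY = 0x0123456789ABCD           # 56-bit key
M0, M1 = 0x01234567, 0x89ABCDEF  # the two 32-bit halves after IP

if __name__ == "__main__":
    ks = round_keys(KEY)
    c = encrypt(M0, M1, ks)
    print("ciphertext halves (m_17, m_16):", [hex(x) for x in c])
    print("round trip recovers (m_0, m_1):", decrypt(c[0], c[1], ks) == (M0, M1))
    print("S_1 message bits:", sbox_message_bits(1), " S_2 message bits:", sbox_message_bits(2))
    print("S-box input XOR is key-free for all j:",
          all(sbox_input_difference_is_key_free(M0, M0 ^ 0x1F, ks[0], j) for j in range(1, 9)))
```

Running the script shows the two properties the text relies on: decryption is the encryption loop with the key schedule reversed (which is why the output halves are emitted as $m_{17}, m_{16}$), and the XOR of two S-box inputs never depends on the round key, so an attacker who controls $\Delta m_i$ controls the input difference to every S-box.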