P1: FAW/SPH P2: FAW/SPH QC: FAW/SPH T1: FAW KI194-Tilborg April 22, 2005 10:40

View metadata, citation and similar papers at core.ac.uk. Brought to you by CORE; provided by Open Repository and Bibliography - Luxembourg.

DATA ENCRYPTION STANDARD (DES)

The Data Encryption Standard (DES) [31] has been around for more than 25 years. During this time the standard was revised three times: as FIPS-46-1 in 1988, as FIPS-46-2 in 1993 and as FIPS-46-3 in 1999. DES was an outcome of a call for primitives in 1974, which did not result in many serious candidates except for a predecessor of DES, Lucifer [15, 36], designed by IBM around 1971. It took another year for a joint IBM–NSA effort to turn Lucifer into DES. The structure of Lucifer was significantly altered: since the design rationale was never made public and the secret key size was reduced from 128 bits to 56 bits, this initially resulted in controversy, and some distrust among the public. After some delay, FIPS-46 was published by NBS (National Bureau of Standards)—now NIST (National Institute of Standards and Technology)—on January 15, 1977 [31] (see [35] for a discussion of the standardization process).

However, in spite of all the controversy it is hard to overestimate the role of DES [31]. DES was one of the first commercially developed (as opposed to government developed) ciphers whose structure was fully published. This effectively created a community of researchers who could analyse it and propose their own designs. This led to a wave of public interest in cryptography, from which much of the cryptography as we know it today was born.

DESCRIPTION OF DES: The Data Encryption Standard, as specified in FIPS Publication 46-3 [31], is a block cipher operating on 64-bit data blocks. The encryption transformation depends on a 56-bit secret key and consists of sixteen Feistel iterations surrounded by two permutation layers: an initial bit permutation $IP$ at the input, and its inverse $IP^{-1}$ at the output. The structure of the cipher is depicted in Figure 1. The decryption process is the same as the encryption, except for the order of the round keys used in the Feistel iterations. As a result, most of the circuitry can be reused in hardware implementations of DES.

The 16-round Feistel network, which constitutes the cryptographic core of DES, splits the 64-bit data blocks into two 32-bit words (denoted by $L_0$ and $R_0$). In each iteration (or round), the second word $R_i$ is fed to a function $f$ and the result is added to the first word $L_i$. Then both words are swapped and the algorithm proceeds to the next iteration.

[Fig. 1. The encryption function. Diagram: INPUT, INITIAL PERMUTATION, sixteen rounds with $L_i = R_{i-1}$ and $R_i = L_{i-1} + f(R_{i-1}, K_i)$ for the round keys $K_1, \ldots, K_{16}$, PREOUTPUT, INVERSE INITIAL PERM, OUTPUT.]

The function $f$ is key-dependent and consists of four stages (see Figure 2). Their description is given below. Note that all bits in DES are numbered from left to right, i.e., the leftmost bit of a block (the most significant bit) is bit 1.

1. Expansion (E). The 32-bit input word is first expanded to 48 bits by duplicating and reordering half of the bits. The selection of bits is specified by Table 1. The first row in the table refers to the first 6 bits of the expanded word, the second row to bits 7–12, and so on. Thus bit 41 of the expanded word, for example, gets its value from bit 28 of the input word.
2. Key mixing. The expanded word is XORed with a round key constructed by selecting 48 bits from the 56-bit secret key. As explained below, a different selection is used in each round.
3. Substitution. The 48-bit result is split into eight 6-bit words which are substituted in eight parallel 6 × 4-bit S-boxes. All eight S-boxes, called S1, S2, ..., S8, are different but have the same special structure, as appears from their specifications in Table 2. Each row of the S-box tables consists of a permutation of the 4-bit values 0, ..., 15. The 6-bit input word is substituted as follows: first a row is selected according to the value of the binary word formed by concatenating the first and the sixth input bit. The algorithm then picks the column given by the value of the four middle bits and outputs the corresponding 4-bit word.
4. Permutation (P). The resulting 32 bits are reordered according to a fixed permutation specified in Table 1 before being sent to the output. As before, the first row of the table refers to the first four bits of the output.

[Fig. 2. The function f. Diagram: R (32 bits), E, 48 bits, XOR with K (48 bits), S1 S2 S3 S4 S5 S6 S7 S8, P, 32 bits.]

The selection of key bits in each round is determined by a simple key scheduling algorithm. The algorithm starts from a 64-bit secret key which includes 8 parity bits that are discarded after verification (the parity of each byte needs to be odd). The remaining 56 secret key bits are first permuted according to a permutation PC1 (see Table 4). The result is split into two 28-bit words $C_0$ and $D_0$, which are cyclically rotated over 1 position to the left after rounds 1, 2, 9, 16, and over 2 positions after all other rounds (the rotated words are denoted by $C_i$ and $D_i$). The round keys are constructed by repeatedly extracting 48 bits from $C_i$ and $D_i$ at 48 fixed positions determined by a table PC2 (see Table 4). A convenient feature of this key scheduling algorithm is that the 28-bit words $C_0$ and $D_0$ are rotated over exactly 28 positions after 16 rounds. This allows hardware implementations to efficiently compute the round keys on-the-fly, both for the encryption and the decryption.

Table 1. Expansion E and permutation P

| E | | | | | | P | | | |
|---|---|---|---|---|---|---|---|---|---|
| 32 | 1 | 2 | 3 | 4 | 5 | 16 | 7 | 20 | 21 |
| 4 | 5 | 6 | 7 | 8 | 9 | 29 | 12 | 28 | 17 |
| 8 | 9 | 10 | 11 | 12 | 13 | 1 | 15 | 23 | 26 |
| 12 | 13 | 14 | 15 | 16 | 17 | 5 | 18 | 31 | 10 |
| 16 | 17 | 18 | 19 | 20 | 21 | 2 | 8 | 24 | 14 |
| 20 | 21 | 22 | 23 | 24 | 25 | 32 | 27 | 3 | 9 |
| 24 | 25 | 26 | 27 | 28 | 29 | 19 | 13 | 30 | 6 |
| 28 | 29 | 30 | 31 | 32 | 1 | 22 | 11 | 4 | 25 |

Table 2. DES S-boxes

| S1 | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0: | 14 | 4 | 13 | 1 | 2 | 15 | 11 | 8 | 3 | 10 | 6 | 12 | 5 | 9 | 0 | 7 |
| 1: | 0 | 15 | 7 | 4 | 14 | 2 | 13 | 1 | 10 | 6 | 12 | 11 | 9 | 5 | 3 | 8 |
| 2: | 4 | 1 | 14 | 8 | 13 | 6 | 2 | 11 | 15 | 12 | 9 | 7 | 3 | 10 | 5 | 0 |
| 3: | 15 | 12 | 8 | 2 | 4 | 9 | 1 | 7 | 5 | 11 | 3 | 14 | 10 | 0 | 6 | 13 |

| S2 | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0: | 15 | 1 | 8 | 14 | 6 | 11 | 3 | 4 | 9 | 7 | 2 | 13 | 12 | 0 | 5 | 10 |
| 1: | 3 | 13 | 4 | 7 | 15 | 2 | 8 | 14 | 12 | 0 | 1 | 10 | 6 | 9 | 11 | 5 |
| 2: | 0 | 14 | 7 | 11 | 10 | 4 | 13 | 1 | 5 | 8 | 12 | 6 | 9 | 3 | 2 | 15 |
| 3: | 13 | 8 | 10 | 1 | 3 | 15 | 4 | 2 | 11 | 6 | 7 | 12 | 0 | 5 | 14 | 9 |

| S3 | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0: | 10 | 0 | 9 | 14 | 6 | 3 | 15 | 5 | 1 | 13 | 12 | 7 | 11 | 4 | 2 | 8 |
| 1: | 13 | 7 | 0 | 9 | 3 | 4 | 6 | 10 | 2 | 8 | 5 | 14 | 12 | 11 | 15 | 1 |
| 2: | 13 | 6 | 4 | 9 | 8 | 15 | 3 | 0 | 11 | 1 | 2 | 12 | 5 | 10 | 14 | 7 |
| 3: | 1 | 10 | 13 | 0 | 6 | 9 | 8 | 7 | 4 | 15 | 14 | 3 | 11 | 5 | 2 | 12 |

| S4 | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0: | 7 | 13 | 14 | 3 | 0 | 6 | 9 | 10 | 1 | 2 | 8 | 5 | 11 | 12 | 4 | 15 |
| 1: | 13 | 8 | 11 | 5 | 6 | 15 | 0 | 3 | 4 | 7 | 2 | 12 | 1 | 10 | 14 | 9 |
| 2: | 10 | 6 | 9 | 0 | 12 | 11 | 7 | 13 | 15 | 1 | 3 | 14 | 5 | 2 | 8 | 4 |
| 3: | 3 | 15 | 0 | 6 | 10 | 1 | 13 | 8 | 9 | 4 | 5 | 11 | 12 | 7 | 2 | 14 |

| S5 | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0: | 2 | 12 | 4 | 1 | 7 | 10 | 11 | 6 | 8 | 5 | 3 | 15 | 13 | 0 | 14 | 9 |
| 1: | 14 | 11 | 2 | 12 | 4 | 7 | 13 | 1 | 5 | 0 | 15 | 10 | 3 | 9 | 8 | 6 |
| 2: | 4 | 2 | 1 | 11 | 10 | 13 | 7 | 8 | 15 | 9 | 12 | 5 | 6 | 3 | 0 | 14 |
| 3: | 11 | 8 | 12 | 7 | 1 | 14 | 2 | 13 | 6 | 15 | 0 | 9 | 10 | 4 | 5 | 3 |

| S6 | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0: | 12 | 1 | 10 | 15 | 9 | 2 | 6 | 8 | 0 | 13 | 3 | 4 | 14 | 7 | 5 | 11 |
| 1: | 10 | 15 | 4 | 2 | 7 | 12 | 9 | 5 | 6 | 1 | 13 | 14 | 0 | 11 | 3 | 8 |
| 2: | 9 | 14 | 15 | 5 | 2 | 8 | 12 | 3 | 7 | 0 | 4 | 10 | 1 | 13 | 11 | 6 |
| 3: | 4 | 3 | 2 | 12 | 9 | 5 | 15 | 10 | 11 | 14 | 1 | 7 | 6 | 0 | 8 | 13 |

| S7 | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0: | 4 | 11 | 2 | 14 | 15 | 0 | 8 | 13 | 3 | 12 | 9 | 7 | 5 | 10 | 6 | 1 |
| 1: | 13 | 0 | 11 | 7 | 4 | 9 | 1 | 10 | 14 | 3 | 5 | 12 | 2 | 15 | 8 | 6 |
| 2: | 1 | 4 | 11 | 13 | 12 | 3 | 7 | 14 | 10 | 15 | 6 | 8 | 0 | 5 | 9 | 2 |
| 3: | 6 | 11 | 13 | 8 | 1 | 4 | 10 | 7 | 9 | 5 | 0 | 15 | 14 | 2 | 3 | 12 |

| S8 | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0: | 13 | 2 | 8 | 4 | 6 | 15 | 11 | 1 | 10 | 9 | 3 | 14 | 5 | 0 | 12 | 7 |
| 1: | 1 | 15 | 13 | 8 | 10 | 3 | 7 | 4 | 12 | 5 | 6 | 11 | 0 | 14 | 9 | 2 |
| 2: | 7 | 11 | 4 | 1 | 9 | 12 | 14 | 2 | 0 | 6 | 10 | 13 | 15 | 3 | 5 | 8 |
| 3: | 2 | 1 | 14 | 7 | 4 | 10 | 8 | 13 | 15 | 12 | 9 | 0 | 3 | 5 | 6 | 11 |

CRYPTANALYSIS OF DES: DES has been subject to very intensive cryptanalysis. Initial attempts [16] did not identify any serious weaknesses except for the short key-size. It was noted that DES has a complementation property, i.e., given an encryption of the plaintext $P$ into the ciphertext $C$ under the secret key $K$: $E_K(P) = C$, one knows that the complement of the plaintext will be encrypted to the complement of the ciphertext under the complement of the key: $E_{\bar{K}}(\bar{P}) = \bar{C}$ (by complement we mean flipping of all the bits). Another feature was the existence of four weak keys, for which the cipher is an involution: $E_K(E_K(m)) = m$ (for these keys the contents of the key-schedule registers C and D are either all zeros or all ones), and six additional pairs of semi-weak keys for which $E_{K_1}(E_{K_2}(m)) = m$. The complementation and the weak-key properties are the result of interaction of the key-schedule, which splits the key-bits into two separate registers, and the Feistel structure of the cipher. A careful study of the cycle structure of DES for weak and semi-weak keys has been given by Moore and Simmons [30]. See the book of Davies and Price [11] for a more detailed account of these and other features of DES identified prior to 1989.

The properties of the group generated by DES permutations have also been studied intensively. Coppersmith and Grossman have shown [9] that in principle DES-like components can generate any permutation from the alternating group $A_{2^{64}}$ (all even permutations, i.e., those that can be represented with an even number of transpositions). However, DES implements only $2^{56}$ permutations, which is a tiny fraction of all the even permutations. If the set of $2^{56}$ DES permutations was closed under composition, then multiple encryption as used, for example, in Triple-DES would be equivalent to single encryption and thus would not provide any additional strength. A similar weakness would be present if the size of the group generated by the DES permutations

Table 3.
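The four stages of the function f described above (expansion, key mixing, substitution, permutation) and one Feistel iteration, as an added example that is not part of the original article. The tables are E, P and S1 to S8 from Tables 1 and 2; the function names are chosen here for illustration.

```python
# Added example: the DES round function f (E, key mixing, S-boxes, P).
# Bits are numbered from the left: bit 1 is the most significant bit.
E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17,
     16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25, 24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]
# S1..S8 from Table 2, one hex digit per entry, rows 0..3 concatenated.
SBOX = [
    "E4D12FB83A6C59070F74E2D1A6CB953841E8D62BFC973A50FC8249175B3EA06D",
    "F18E6B34972DC05A3D47F28EC01A69B50E7BA4D158C6932FD8A13F42B67C05E9",
    "A09E63F51DC7B428D709346A285ECBF1D6498F30B12C5AE71AD069874FE3B52C",
    "7DE3069A1285BC4FD8B56F03472C1AE9A690CB7DF13E52843F06A1D8945BC72E",
    "2C417AB6853FD0E9EB2C47D150FA3986421BAD78F9C5630EB8C71E2D6F09A453",
    "C1AF92680D34E75BAF427C9561DE0B389EF528C3704A1DB6432C95FABE17608D",
    "4B2EF08D3C975A61D0B7491AE35C2F8614BDC37EAF6805926BD814A7950FE23C",
    "D2846FB1A93E50C71FD8A374C56B0E927B419CE206ADF35821E74A8DFC90356B",
]

def permute(value, width, table):
    """Select bits of a width-bit value; table entries are 1-based from the left."""
    out = 0
    for pos in table:
        out = (out << 1) | ((value >> (width - pos)) & 1)
    return out

def sbox_lookup(box, six):
    """Row = first and sixth input bit, column = the four middle bits."""
    row = ((six >> 4) & 0b10) | (six & 1)
    col = (six >> 1) & 0xF
    return int(SBOX[box][16 * row + col], 16)

def f(r, round_key):
    """Round function: expand 32 -> 48 bits, XOR the round key, substitute, permute."""
    if not (0 <= r < 1 << 32 and 0 <= round_key < 1 << 48):
        raise ValueError("r must fit in 32 bits and round_key in 48 bits")
    mixed = permute(r, 32, E) ^ round_key
    sub = 0
    for box in range(8):                       # S1 takes the leftmost 6 bits
        six = (mixed >> (42 - 6 * box)) & 0x3F
        sub = (sub << 4) | sbox_lookup(box, six)
    return permute(sub, 32, P)

def feistel_round(left, right, round_key):
    """One iteration: L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i)."""
    return right, left ^ f(right, round_key)
```

The round key is passed in as a 48-bit integer because deriving it needs PC1 and PC2 (Table 4), which this section does not reproduce.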
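A key-validation check built from the key-scheduling and weak-key paragraphs above, as an added example that is not part of the original article: it verifies odd parity, loads the registers C and D through PC1, and flags keys whose registers make the round keys repeat. PC1 is taken from FIPS 46-3 (the article's Table 4, not shown in this section); the semi-weak test (registers constant or alternating) is the standard characterization and goes beyond the weak-key condition stated in the text, and the function names are illustrative.

```python
# Added example: parity check, C/D registers and weak-key screening for DES keys.
# PC1 as specified in FIPS 46-3 (Table 4 of the article, not reproduced here).
PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]
# Rotate left by 1 after rounds 1, 2, 9, 16 and by 2 after all other rounds.
SHIFTS = [1 if rnd in (1, 2, 9, 16) else 2 for rnd in range(1, 17)]
MASK28 = (1 << 28) - 1
ALT = 0x5555555  # 0101...01 over 28 bits; ALT << 1 is 1010...10

def has_odd_parity(key: bytes) -> bool:
    """Every one of the 8 key bytes must contain an odd number of 1 bits."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)

def cd_registers(key: bytes):
    """Apply PC1 (bit 1 = leftmost key bit) and split into 28-bit C0, D0."""
    k = int.from_bytes(key, "big")
    cd = 0
    for pos in PC1:
        cd = (cd << 1) | ((k >> (64 - pos)) & 1)
    return cd >> 28, cd & MASK28

def rotl28(x, n):
    return ((x << n) | (x >> (28 - n))) & MASK28

def distinct_register_states(key: bytes) -> int:
    """Count distinct (Ci, Di) pairs over 16 rounds: 1 means all round keys are equal."""
    c, d = cd_registers(key)
    states = set()
    for n in SHIFTS:
        c, d = rotl28(c, n), rotl28(d, n)
        states.add((c, d))
    return len(states)

def classify_key(key: bytes) -> str:
    """Return 'bad-parity', 'weak', 'semi-weak' or 'ok' for an 8-byte DES key."""
    if not has_odd_parity(key):
        return "bad-parity"
    c, d = cd_registers(key)
    if c in (0, MASK28) and d in (0, MASK28):      # registers all zeros or all ones
        return "weak"
    if all(r in (0, MASK28, ALT, ALT << 1) for r in (c, d)):
        return "semi-weak"                         # only two distinct register states
    return "ok"
```

A key-generation or key-import routine can reject anything that `classify_key` does not report as `"ok"`.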