2. Objectives
Chapter 6
❏ To review a short history of DES
y
❏ To define the basic structure of DES
❏ To describe the details of building elements of DES
❏ To describe the round keys generation process
❏ To analyze DES
6.2
3. 6
6-
-1 INTRODUCTION
1 INTRODUCTION
The
The Data
Data Encryption
Encryption Standard
Standard (DES)
(DES) is
is a
a symmetric
symmetric-
-
k
k bl k
bl k i h
i h bli h d
bli h d b
b h
h N i l
N i l I i
I i f
f
key
key block
block cipher
cipher published
published by
by the
the National
National Institute
Institute of
of
Standards
Standards and
and Technology
Technology (NIST)
(NIST).
.
Topics discussed in this section:
Topics discussed in this section:
6.1.1 History
6.1.2 Overview
6.3
4. 6.1.1 History
In 1973, NIST published a request for proposals for a
national symmetric-key cryptosystem. A proposal from
y y yp y p p f
IBM, a modification of a project called Lucifer, was
accepted as DES. DES was published in the Federal
Register in March 1975 as a draft of the Federal
Information Processing Standard (FIPS).
6.4
5. 6.1.2 Overview
DES is a block cipher, as shown in Figure 6.1.
Figure 6.1 Encryption and decryption with DES
6.5
6. 6
6-
-2 DES STRUCTURE
2 DES STRUCTURE
The
The encryption
encryption process
process is
is made
made of
of two
two permutations
permutations
(P
(P-
-boxes),
boxes), which
which we
we call
call initial
initial and
and final
final
(P
(P boxes),
boxes), which
which we
we call
call initial
initial and
and final
final
permutations,
permutations, and
and sixteen
sixteen Feistel
Feistel rounds
rounds.
.
Topics discussed in this section:
Topics discussed in this section:
6.2.1 Initial and Final Permutations
6.2.2 Rounds
6.2.3 Cipher and Reverse Cipher
6.6
p p
6.2.4 Examples
8. 6.2.1 Initial and Final Permutations
Figure 6.3 Initial and final permutation steps in DES
6.8
9. 6.2.1 Continue
Table 6 1 Initial and final permutation tables
Table 6.1 Initial and final permutation tables
6.9
10. 6.2.1 Continued
Example 6.1
Find
Find the
the output
output of
of the
the initial
initial permutation
permutation box
box when
when the
the input
input
is
is given
given in
in hexadecimal
hexadecimal as
as:
:
Solution
Solution
Only
Only bit
bit 25
25 and
and bit
bit 64
64 are
are 1
1s
s;
; the
the other
other bits
bits are
are 0
0s
s.
. In
In the
the final
final
permutation,
permutation, bit
bit 25
25 becomes
becomes bit
bit 64
64 and
and bit
bit 63
63 becomes
becomes bit
bit 15
15.
.
The
The result
result is
is
The
The result
result is
is
6.10
11. 6.2.1 Continued
Example 6.2
Prove
Prove that
that the
the initial
initial and
and final
final permutations
permutations are
are the
the inverse
inverse
p
p
of
of each
each other
other by
by finding
finding the
the output
output of
of the
the final
final permutation
permutation if
if
the
the input
input is
is
Solution
Solution
The
The input
input has
has only
only two
two 1
1s
s;
; the
the output
output must
must also
also have
have only
only two
two
1
1s
s.
. Using
Using Table
Table 6
6.
.1
1,
, we
we can
can find
find the
the output
output related
related to
to these
these
two
two bits
bits Bit
Bit 15
15 in
in the
the input
input becomes
becomes bit
bit 63
63 in
in the
the output
output Bit
Bit
two
two bits
bits.
. Bit
Bit 15
15 in
in the
the input
input becomes
becomes bit
bit 63
63 in
in the
the output
output.
. Bit
Bit
64
64 in
in the
the input
input becomes
becomes bit
bit 25
25 in
in the
the output
output.
. So
So the
the output
output
has
has only
only two
two 1
1s,
s, bit
bit 25
25 and
and bit
bit 63
63.
. The
The result
result in
in hexadecimal
hexadecimal is
is
6.11
12. 6.2.1 Continued
Note
The initial and final permutations are
straight P-boxes that are inverses
of each other.
They have no cryptography significance in
DES.
6.12
13. 6.2.2 Rounds
DES uses 16 rounds. Each round of DES is a Feistel
cipher.
Fi 6 4
Figure 6.4
A round in DES
(encryption site)
6.13
14. 6.2.2 Continued
DES Function
The heart of DES is the DES function. The DES function
applies a 48-bit key to the rightmost 32 bits to produce a
32-bit output.
Figure 6.5
DES function
6.14
15. 6.2.2 Continue
Expansion P-box
Since RI−1 is a 32-bit input and KI is a 48-bit key, we first
need to expand RI−1 to 48 bits.
Figure 6.6 Expansion permutation
6.15
16. 6.2.2 Continue
Although the relationship between the input and output
can be defined mathematically, DES uses Table 6.2 to
define this P-box.
Table 6 6 Expansion P box table
Table 6.6 Expansion P-box table
6.16
17. 6.2.2 Continue
Whitener (XOR)
After the expansion permutation, DES uses the XOR
operation on the expanded right section and the round
key. Note that both the right section and the key are 48-
bits in length. Also note that the round key is used only in
this operation.
6.17
18. 6.2.2 Continue
S-Boxes
The S-boxes do the real mixing (confusion). DES uses 8
S-boxes, each with a 6-bit input and a 4-bit output. See
Figure 6.7.
Figure 6.7 S-boxes
6.18
20. Table 6 3 shows the permutation for S box 1 For the rest
6.2.2 Continue
Table 6.3 shows the permutation for S-box 1. For the rest
of the boxes see the textbook.
Table 6.3 S-box 1
6.20
21. Example 6.3
6.2.2 Continued
The
The input
input to
to S
S-
-box
box 1
1 is
is 1
10001
00011
1.
. What
What is
is the
the output?
output?
If
If we
we write
write the
the first
first and
and the
the sixth
sixth bits
bits together,
together, we
we get
get 11
11 in
in
bi
bi hi h
hi h i
i 3
3 i
i d i l
d i l Th
Th i i
i i bit
bit 0001
0001 i
i
Solution
Solution
binary,
binary, which
which is
is 3
3 in
in decimal
decimal.
. The
The remaining
remaining bits
bits are
are 0001
0001 in
in
binary,
binary, which
which is
is 1
1 in
in decimal
decimal.
. We
We look
look for
for the
the value
value in
in row
row 3
3,
,
column
column 1
1,
, in
in Table
Table 6
6.
.3
3 (S
(S-
-box
box 1
1)
).
. The
The result
result is
is 12
12 in
in decimal,
decimal,
which
which in
in binary
binary is
is 1100
1100.
. So
So the
the input
input 100011
100011 yields
yields the
the output
output
1100
1100.
.
6.21
22. Example 6.4
6.2.2 Continued
The
The input
input to
to S
S-
-box
box 8
8 is
is 000000
000000.
. What
What is
is the
the output?
output?
If
If we
we write
write the
the first
first and
and the
the sixth
sixth bits
bits together,
together, we
we get
get 00
00 in
in
bi
bi hi h
hi h i
i 0
0 i
i d i l
d i l Th
Th i i
i i bit
bit 0000
0000 i
i
Solution
Solution
binary,
binary, which
which is
is 0
0 in
in decimal
decimal.
. The
The remaining
remaining bits
bits are
are 0000
0000 in
in
binary,
binary, which
which is
is 0
0 in
in decimal
decimal.
. We
We look
look for
for the
the value
value in
in row
row 0
0,
,
column
column 0
0,
, in
in Table
Table 6
6.
.10
10 (S
(S-
-box
box 8
8)
).
. The
The result
result is
is 13
13 in
in decimal,
decimal,
which
which is
is 1101
1101 in
in binary
binary.
. So
So the
the input
input 000000
000000 yields
yields the
the output
output
1101
1101.
.
6.22
24. 6.2.3 Cipher and Reverse Cipher
Using mixers and swappers, we can create the cipher and
reverse cipher, each having 16 rounds.
First Approach
T hi thi l h i t k th l t
To achieve this goal, one approach is to make the last
round (round 16) different from the others; it has only a
mixer and no swapper
mixer and no swapper.
Note
In the first approach, there is no swapper in
Note
6.24
the last round.
30. 6.2.3 Continued
Alternative Approach
We can make all 16 rounds the same by including one
We can make all 16 rounds the same by including one
swapper to the 16th round and add an extra swapper after
that (two swappers cancel the effect of each other).
( pp ff f )
Key Generation
Key Generation
The round-key generator creates sixteen 48-bit keys out
of a 56 bit cipher key
of a 56-bit cipher key.
6.30
36. Example 6.5
6.2.4 Examples
We
We choose
choose a
a random
random plaintext
plaintext block
block and
and a
a random
random key,
key, and
and
determine
determine what
what the
the ciphertext
ciphertext block
block would
would be
be (all
(all in
in
hexadecimal)
hexadecimal):
:
Table 6.15 Trace of data for Example 6.5
6.36
38. Example 6.6
6.2.4 Continued
Let
Let us
us see
see how
how Bob,
Bob, at
at the
the destination,
destination, can
can decipher
decipher the
the
ciphertext
ciphertext received
received from
from Alice
Alice using
using the
the same
same key
key.
. Table
Table 6
6.
.16
16
shows
shows some
some interesting
interesting points
points.
.
6.38
39. 6
6-
-3 DES ANALYSIS
3 DES ANALYSIS
Critics
Critics have
have used
used a
a strong
strong magnifier
magnifier to
to analyze
analyze DES
DES.
.
Tests
Tests have
have been
been done
done to
to measure
measure the
the strength
strength of
of some
some
Tests
Tests have
have been
been done
done to
to measure
measure the
the strength
strength of
of some
some
desired
desired properties
properties in
in a
a block
block cipher
cipher.
.
Topics discussed in this section:
Topics discussed in this section:
6.3.1 Properties
6.3.2 Design Criteria
6.3.3 DES Weaknesses
6.39
40. 6.3.1 Properties
Two desired properties of a block cipher are the
avalanche effect and the completeness.
Example 6.7
To
To check
check the
the avalanche
avalanche effect
effect in
in DES,
DES, let
let us
us encrypt
encrypt two
two
plaintext
plaintext blocks
blocks (with
(with the
the same
same key)
key) that
that differ
differ only
only in
in one
one bit
bit
d
d b
b h
h diff
diff i
i h
h b
b f
f bi
bi i
i h
h
and
and observe
observe the
the differences
differences in
in the
the number
number of
of bits
bits in
in each
each
round
round.
.
6.40
41. Example 6.7
6.3.1 Continued
Continued
Although
Although the
the two
two plaintext
plaintext blocks
blocks differ
differ only
only in
in the
the rightmost
rightmost
bit,
bit, the
the ciphertext
ciphertext blocks
blocks differ
differ in
in 29
29 bits
bits.
. This
This means
means that
that
bit,
bit, the
the ciphertext
ciphertext blocks
blocks differ
differ in
in 29
29 bits
bits.
. This
This means
means that
that
changing
changing approximately
approximately 1
1.
.5
5 percent
percent of
of the
the plaintext
plaintext creates
creates a
a
change
change of
of approximately
approximately 45
45 percent
percent in
in the
the ciphertext
ciphertext.
.
Table 6.17 Number of bit differences for Example 6.7
6.41
42. 6.3.1 Continued
Completeness effect
Completeness effect means that each bit of the ciphertext
Completeness effect means that each bit of the ciphertext
needs to depend on many bits on the plaintext.
6.42
43. 6.3.2 Design Criteria
S-Boxe
The design provides confusion and diffusion of bits from
h d t th t
each round to the next.
P-Boxes
h id diff i f bi
They provide diffusion of bits.
Number of Rounds
DES uses sixteen rounds of Feistel ciphers. the ciphertext
i th hl d f ti f l i t t d
is thoroughly a random function of plaintext and
ciphertext.
6.43
44. 6.3.3 DES Weaknesses
During the last few years critics have found some
weaknesses in DES.
Weaknesses in Cipher Design
1. Weaknesses in S-boxes
2 Weaknesses in P boxes
2. Weaknesses in P-boxes
3. Weaknesses in Key
6.44
45. Example 6.8
6.3.3 Continued
Let
Let us
us try
try the
the first
first weak
weak key
key in
in Table
Table 6
6.
.18
18 to
to encrypt
encrypt a
a block
block
two
two times
times.
. After
After two
two encryptions
encryptions
with
with the
the same
same key
key the
the original
original plaintext
plaintext block
block is
is created
created.
. Note
Note
that
that we
we have
have used
used the
the encryption
encryption algorithm
algorithm two
two times,
times, not
not
one
one encryption
encryption followed
followed by
by another
another decryption
decryption.
.
yp
yp y
y yp
yp
6.45
50. Example 6.9
6.3.3 Continued
What
What is
is the
the probability
probability of
of randomly
randomly selecting
selecting a
a weak,
weak, a
a semi
semi-
-
weak,
weak, or
or a
a possible
possible weak
weak key?
key?
,
, p
p y
y
Solution
Solution
56
56
DES
DES has
has a
a key
key domain
domain of
of 2
256
56.
. The
The total
total number
number of
of the
the above
above
keys
keys are
are 64
64 (
(4
4 +
+ 12
12 +
+ 48
48)
).
. The
The probability
probability of
of choosing
choosing one
one of
of
these
these keys
keys is
is 8
8.
.8
8 ×
× 10
10−
−16
16,
, almost
almost impossible
impossible.
.
y
y ,
, p
p
6.50
52. Example 6.10
6.3.3 Continued
Let
Let us
us test
test the
the claim
claim about
about the
the complement
complement keys
keys.
. We
We have
have
used
used an
an arbitrary
arbitrary key
key and
and plaintext
plaintext to
to find
find the
the corresponding
corresponding
y
y y
y p
p p g
p g
ciphertext
ciphertext.
. If
If we
we have
have the
the key
key complement
complement and
and the
the plaintext,
plaintext,
we
we can
can obtain
obtain the
the complement
complement of
of the
the previous
previous ciphertext
ciphertext
(Table
(Table 6
6 20
20)
)
(Table
(Table 6
6.
.20
20)
).
.
6.52
53. 6
6-
-4 Multiple DES
4 Multiple DES
The
The major
major criticism
criticism of
of DES
DES regards
regards its
its key
key length
length.
.
Fortunately
Fortunately DES
DES is
is not
not a
a group
group.
. This
This means
means that
that we
we
Fortunately
Fortunately DES
DES is
is not
not a
a group
group.
. This
This means
means that
that we
we
can
can use
use double
double or
or triple
triple DES
DES to
to increase
increase the
the key
key size
size.
.
6.4.1 Double DES
6 4 4 T i l DES
Topics discussed in this section:
Topics discussed in this section:
6.53
6.4.4 Triple DES
54. 6
6-
-4 Continued
4 Continued
A
A substitution
substitution that
that maps
maps every
every possible
possible input
input to
to every
every
possible
possible output
output is
is a
a group
group.
.
Figure 6.13 Composition of mapping
6.54
55. 6.4.1 Double DES
The first approach is to use double DES (2DES).
Meet-in-the-Middle Attack
Meet in the Middle Attack
However, using a known-plaintext attack called meet-in-
the-middle attack proves that double DES improves this
vulnerability slightly (to 257 tests), but not tremendously
(to 2112).
6.55
56. 6.4.1 Continued
Figure 6 14 Meet-in-the-middle attack for double DES
Figure 6.14 Meet-in-the-middle attack for double DES
6.56
59. 6.4.2 Continuous
Triple DES with Three Keys
The possibility of known-plaintext attacks on triple DES
with two keys has enticed some applications to use triple
DES with three keys. Triple DES with three keys is used
by many applications such as PGP (See Chapter 16)
by many applications such as PGP (See Chapter 16).
6.59
60. 6
6-
-5 Security of DES
5 Security of DES
DES,
DES, as
as the
the first
first important
important block
block cipher,
cipher, has
has gone
gone
through
through much
much scrutiny
scrutiny Among
Among the
the attempted
attempted attacks
attacks
through
through much
much scrutiny
scrutiny.
. Among
Among the
the attempted
attempted attacks,
attacks,
three
three are
are of
of interest
interest:
: brute
brute-
-force,
force, differential
differential
cryptanalysis,
cryptanalysis, and
and linear
linear cryptanalysis
cryptanalysis.
.
yp y
yp y yp y
yp y
Topics discussed in this section:
Topics discussed in this section:
6.5.1 Brute-Force Attack
6.5.2 Differential Cryptanalysis
6.5.3 Linear Cryptanalysis
6.60
yp y
61. 6.5.1 Brute-Force Attack
We have discussed the weakness of short cipher key in
DES. Combining this weakness with the key complement
k it i l th t DES b b k i 255
weakness, it is clear that DES can be broken using 255
encryptions.
6.61
62. 6.5.2 Differential Cryptanalysis
It has been revealed that the designers of DES already
knew about this type of attack and designed S-boxes and
h 16 th b f d t k DES
chose 16 as the number of rounds to make DES
specifically resistant to this type of attack.
Note
We show an example of DES differential
cryptanalysis in Appendix N
cryptanalysis in Appendix N.
6.62
63. 6.5.3 Linear Cryptanalysis
Linear cryptanalysis is newer than differential
cryptanalysis. DES is more vulnerable to linear
cryptanalysis than to differential cryptanalysis S boxes
cryptanalysis than to differential cryptanalysis. S-boxes
are not very resistant to linear cryptanalysis. It has been
shown that DES can be broken using 243 pairs of known
s ow t at S ca be b o e usi g pai s of ow
plaintexts. However, from the practical point of view,
finding so many pairs is very unlikely.
Note
We show an example of DES linear
cryptanalysis in Appendix N
6.63
cryptanalysis in Appendix N.