Data Encryption

Standard (DES)
PREPARED BY: REEMA PATEL

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 1

The Data Encryption Standard (DES)
• Early 1970s: Horst Feistel designs Lucifer at IBM
◦ key-length = 128 bits ; block-length = 128 bits
• 1973: NBS asks for block cipher proposals.
◦ IBM submits variant of Lucifer.
• 1976: NBS adopts DES as a federal standard
◦ key-length = 56 bits ; block-length = 64 bits
• 1997: DES broken by exhaustive search
• 2000: NIST adopts Rijndael as AES to replace DES
Widely deployed in banking (ACH) and commerce

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 2

DES Block Cipher

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 3

General Structure of DES

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 4

DES: Core Idea – Feistel Network
Given functions f1, …, fd: {0,1}n {0,1}n

Goal: build invertible function F: {0,1}2n {0,1}2n

In symbols:

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 5

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 6
Initial and final permutation steps in DES
• DES has an initial permutation and a final permutation after 16 rounds.

• The initial and final permutations are straight P-boxes that are inverses
of each other.

• They have no cryptographic significance.

• The designers did not disclose their purpose.

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 7

Initial and final permutation steps in DES

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 8

Initial and Final Permutation Tables

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 9

Example
• Find the output of the initial permutation box when the input is given in hexadecimal as:

Binary form:
0000 0000 0000 0000 0000 0000 1000 0000 0000 0000 0000 0000 0000 0000 0000 0010
• Solution:
• Only bit 25 and bit 63 are 1s; the other bits are 0s. In the final permutation, bit 25
becomes bit 64 and bit 63 becomes bit 15. The result is

Binary form:
0000 0000 0000 0010 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0001

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 10

Example
• Prove that the initial and final permutations are the inverse of each other by finding the
output of the final permutation if the input is

• Solution:
• The input has only two 1s; the output must also have only two 1s. Using permutation
tables, we can find the output related to these two bits. Bit 15 in the input becomes bit 63
in the output. Bit 64 in the input becomes bit 25 in the output. So the output has only two
1s, bit 25 and bit 63. The result in hexadecimal is

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 11

General Structure of DES

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 12

Round Function
• DES uses 16 rounds.
• Each round of DES is a Feistel cipher.

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 13

DES Function

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 14

One Round
of DES

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 15

DES Expansion
• Since Ri−1 is a 32-bit input and Ki is a 48-bit key, we first need to expand Ri−1 to 48 bits.

• Input 32 bits , Output 48 Bits

• Duplicating half of the bits

• Input: (8 blocks, each of them consisting 4 bits) – 32 bits

• Output: (8 blocks, each of them consisting 6 bits) – 48 bits

• Each containing a copy of 4 corresponding input bits, plus a copy of the immediately adjacent bit
from each of the input pieces to either side.

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 16

Expansion Permutation - The E-box

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 17

DES Expansion
• Input 32 bits

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

• Output 48 bits
31 0 1 2 3 4 3 4 5 6 7 8
7 8 9 10 11 12 11 12 13 14 15 16
15 16 17 18 19 20 19 20 21 22 23 24
23 24 25 26 27 28 27 28 29 30 31 0

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 18

DES Expansion

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 19

One Round
of DES

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 20

Whitener (XOR)
• After the expansion permutation, DES uses the XOR operation on the expanded right
section and the round key.

• Both the right section and the key are 48-bits in length.

• The round key is used only in this operation.

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 21

One Round
of DES

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 22

DES S-box (Substitution Box)
• The S-boxes do the real mixing (confusion).
• DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output.

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 23

DES S-box

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 24

Working of S-Box

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 25

S-Box with Table entries in decimal

• What is the output if input is 101000?

• Row=10=2 (first and last bit - write in decimal)
• Column=0100=4 (four middle bits - write in decimal)
• Please refer William Stallings for all 8 S-Box

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 26

Properties of the S-Box
◦ The rows are permutations
◦ Change one bit of the input, and half of the output bits change (Avalanche Effect)
◦ For example: input: 101000 -> output: 13 : 1101
◦ Change 1 bit in input: 101001 -> output: 04 : 0100 (3 bits are changed)
◦ Each output bit is dependent on all the input bits

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 27

One Round
of DES

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 28

DES Straight P-box (Permutation Box)

Straight Permutation Table

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 29

One Round
of DES

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 30

DES Cipher and Reverse Cipher
• Using mixers and swappers, we can create the cipher and reverse cipher, each having 16 rounds.

• First Approach

• To achieve this goal, one approach is to make the last round (round 16) different from the others; it
has only a mixer and no swapper.

• In the first approach, there is no swapper in the last round.

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 31

DES cipher
and reverse
cipher for the
first approach

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 32

DES Cipher and Reverse Cipher
• Alternative Approach
• We can make all 16 rounds the same by including one swapper to the 16th round and add
an extra swapper after that (two swappers cancel the effect of each other).

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 33

DES Cipher and
Reverse Cipher-
Alternative
Approach

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 34

Key Generation

• 16 no of 48-bit subkeys—one
for each round —are derived
from the main key using the key
schedule

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 35

DES Subkey – Parity Bits Drop Table
• Input key size: 64 bits, in which 8 are parity
bits. (bits 08, 16, 24, 32, 40, 48, 56, 64 are
ignored)
• Parity bits are ignored
and Initial key permutation applied
• 56 bit DES key

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 36

DES Subkey
• For rounds 1, 2, 9 and 16 the shift is 1, and in all other rounds shift is 2
round
shift

• Compression permutation: generates 48 bit subkey Ki from 56 bits of LK and RK

• Bits 8,17,21,24 of LK omitted each round
• Bits 6,9,14,25 of RK omitted each round

• Key schedule generates subkey

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 37

Key Compression Table – Compression P-Box

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 38

One Round
of DES

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 39

DES

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 40

DES Some Points to Ponder
• An initial permutation P before round 1, and its inverse at the end.

• Halves are swapped after last round for alternative approach.

• A final permutation (inverse of P) is applied to (R16,L16) to generate ciphertext.

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 41

DES Example1
• We choose a random plaintext block and a random key, and determine what the ciphertext block
would be (all in hexadecimal):

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 42

Trace of data for Example 1

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 43

DES Decryption for Example 1
• Let us see how Bob, at the destination, can decipher the ciphertext received from Alice
using the same key.

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 44

DES Analysis
• Two desirable properties
◦ Avalanche effect
◦ Completeness

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 45

DES Analysis - Avalanche Effect
• To check the avalanche effect in DES, let us encrypt two plaintext blocks (with the same
key) that differ only in one bit and observe the differences in the number of bits in each
round.

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 46

DES Analysis - Avalanche Effect
• Ciphertext blocks differ in 29 bits.
◦ i.e. changing approximately 1.5 percent of the plaintext creates a change of approximately 45
percent in the ciphertext.

Number of bit differences for Previous Example

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 47

DES Analysis - Completeness
• Completeness effect means that each bit of the ciphertext needs to depend on many bits
on the plaintext.
◦ S-Box
◦ P-Box
◦ 16 rounds of fiestel blocks

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 48

DES Analysis
• During the last few years critics have found some Weaknesses in Key

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 49

DES Weakness
• Weak keys:
• A weak key is the one which after
parity drop operation, consists either of
all 0’s, all 1’s or half 0’s and half 1’s.

• Four out of the 256 keys are weak keys

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 50

Consequence of weak keys
• The round keys created from any of these weak keys are the same.
◦ For example, for the first weak key, all the round keys are 0.
◦ The second key leads to half 0s, and half 1s.

• Since all the subkeys are identical, and DES is a Feistel network, the encryption function is
self-inverting; that is, encrypting twice produces the original plaintext

• If we encrypt a block with a weak key and subsequently encrypt the result with the same
weak key, we get the original block.

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 51

DES Weak Keys – Double Encryption
• Example:
◦ After two encryptions with the same weak key the original plaintext block is created.
◦ Note that encryption algorithm is used two times, not one encryption followed by another
decryption.

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 52

DES Weak Keys – Double Encryption

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 53

Semi Weak Keys
• A semi weak key creates only two different round keys and each of them is repeated eight
times.

• There are six key pairs that are called semi weak keys.

• The round keys created from each pair are the same in different order.

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 54

Semi weak keys

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 55

A Sample round key generation using Semi Weak Key

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 56

A pair of semi-weak keys in encryption and decryption

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 57

DES Key Weakness
• What is the probability of randomly selecting a weak, a semi-weak, or a possible weak
key?

• DES has a key domain of 256. The total number of the above keys are 64 (4 + 12 + 48). The
probability of choosing one of these keys is 8.8 × 10−16, almost impossible.

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 58

Multiple DES
• The major criticism against DES is the key length.

• So, we may try cascading several DES applications.

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 59

2DES
• Uses two applications of the DES cipher.

• The total key size is 56x2=112 bits.

• However 2DES is vulnerable to a known plaintext attack.

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 60

2DES

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 61

Meet in the
middle attack

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 62

Meet in the Middle Attack

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 63

Security of 2 DES
• Then the attacker checks for a match in the table in the value of M.
◦ He notes the key pair (K1,K2)

• If there are more than one keys, he takes another (P,C) pair.

• The attacker continues until there is only key left.

• Thus attack complexity is around 257.

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 64

Triple DES
• Since 2DES was a bad design, people consider 3 applications of DES.

• The first and third stages use K1 as key.

• The second stage use K2 as the key.

• Also, the middle stage uses decryption.

• Thus, setting K1=K2 we have simple DES.

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 65

Triple DES
Triple DES with three
keys is used by many
applications such as PGP

DR. REEMA PATEL, B.TECH, SOT, PDPU, IS - 2019 66