DATA ENCRYPTION STANDARD (DES)

 The DES (Data Encryption Standard) algorithm is a symmetric-key block cipher created in
the early 1970s by an IBM team and adopted by the National Institute of Standards and
Technology (NIST).
 A scheme from IBM, a modification of a project known as Lucifer, and was approved as
DES. DES was invented in the Federal Register in March 1975 as a plan of the Federal
Information Processing Standard (FIPS).
 The Data Encryption Standard (DES), also called the Data Encryption Algorithm (DEA) by
ANSI and DEA-1 by ISO, has been a cryptographic algorithm used for over two decades.
 Of late, DES has been found vulnerable against very powerful attacks, and therefore, the
popularity of DES has been slightly on the decline.
 DES is a Feistel Block Cipher implementation, called a LUCIFER. It need a Feistel
structure with 16 rounds, where a different key can be used for each round. It depends on
LUCIFER (also called a Feistel block cipher algorithm) which is a direct predecessor of the
DES algorithm.
 Feistel Block Cipher
 Feistel Cipher is not a specific scheme of block cipher. It is a design model from which
many different block ciphers are derived. DES is just one example of a Feistel Cipher. A
cryptographic system based on Feistel cipher structure uses the same algorithm for both
encryption and decryption.
 Many symmetric block encryption algorithms, including DES, have a structure first
described by Horst Feistel of IBM in 1973.
 Horst Feistel, working at IBM Thomas J Watson Research Labs devised a suitable
invertible cipher structure in early 70's.
 One of Feistel's main contributions was the invention of a suitable structure which adapted
Shannon's S-P network in an easily inverted structure. It partitions input block into two
halves which are processed through multiple rounds which perform a substitution on left
data half, based on round function of right half & subkey, and then have permutation
swapping halves. Essentially the same h/w or s/w is used for both encryption and
decryption, with just a slight change in how the keys are used. One layer of S-boxes and
the following P-box are used to form the round function.

 Feistel Cipher Structure
 Horst Feistel devised the Feistel cipher
 based on concept of invertible product cipher
 partitions input block into two halves
 process through multiple rounds which
 perform a substitution on left data half
 based on round function of right half & subkey
 then have permutation swapping halves
 implements Shannon’s S-P net concept
Feistel Cipher Structure
 Feistel Block Cipher Operations
 The input block to each round is divided into two halves that can be denoted as L and R for the left half
and the right half.
 In each round, the right half of the block, R, goes through unchanged. But the left half, L, goes through an
operation that depends on R and the encryption key. First, we apply an encrypting function ‘f’ that takes
two input − the key K and R. The function produces the output f(R,K). Then, we XOR the output of the
mathematical function with L.
 In real implementation of the Feistel Cipher, such as DES, instead of using the whole encryption key
during each round, a round-dependent key (a subkey) is derived from the encryption key. This means that
each round uses a different key, although all these subkeys are related to the original key.
 The permutation step at the end of each round swaps the modified L and unmodified R. Therefore, the L
for the next round would be R of the current round. And R for the next round be the output L of the current
round.
 Above substitution and permutation steps form a ‘round’. The number of rounds are specified by the
algorithm design.
 Once the last round is completed then the two sub blocks, ‘R’ and ‘L’ are concatenated in this order to form
the ciphertext block.
 How DES Works
 DES is an implementation of a Feistel Cipher. It uses 16 round Feistel structure. The
block size is 64-bit. Though, key length is 64-bit, DES has an effective key length of 56
bits, since 8 of the 64 bits of the key are not used by the encryption algorithm (function
as check bits only).
 DES
 DES uses a 56-bit key.
 However, before the DES process even starts, every eighth bit of the key is discarded to
produce a 56-bit key.
 That is, bit positions 8, 16, 24, 32, 40, 48, 56 and 64 are discarded.
 Before discarding, these bits can be used for parity checking to ensure that the key does not
contain any errors.

DES
 DES
 DES is based on the two fundamental attributes of cryptography: substitution (also called
confusion) and transposition (also called diffusion).
 DES consists of 16 steps, each of which is called a round. Each round performs the steps of
substitution and transposition.
 In the first step, the 64-bit plain-text block is handed over to an Initial Permutation (IP)
function.
 The initial permutation is performed on plain text.
 Next, the Initial Permutation (IP) produces two halves of the permuted block; say Left
Plain Text (LPT) and Right Plain Text (RPT).
 Now, each of LPT and RPT go through 16 rounds of encryption process, each with its own
key.
 In the end, LPT and RPT are rejoined, and a Final Permutation (FP) is performed on the
combined block.
 The result of this process produces 64-bit cipher text.
DES
 Initial Permutation (IP)

 The Initial Permutation (IP) happens only once, and it happens before the first round.
 It suggests how the transposition in IP should proceed.

Idea of IP
 IP

 After IP is done, the resulting 64-bit permuted text block is divided into two half blocks. Each half
block consists of 32 bits.
 We have called the left block as LPT and the right block as RPT. Now, 16 rounds are performed on
these two blocks.
 Rounds

 Each of the 16 rounds, in turn, consists of the broad-level steps :

Step 1: Key Transformation

 The initial 64-bit key is transformed into a 56-bit key by discarding every 8th bit of the
initial key. Thus, for each round, a 56-bit key is available.
 From this 56-bit key, a different 48-bit sub-key is generated during each round using a
process called key transformation.
 For this, the 56-bit key is divided into two halves, each of 28 bits.
 These halves are circularly shifted left by one or two positions, depending on the round.
For example, if the round number is 1, 2, 9 or 16, the shift is done by only one position. For
other rounds, the circular shift is done by two positions.
 Key Transformation

 The number of key bits shifted per round is shown in Fig .:

 After an appropriate shift, 48 of the 56 bits are selected. For selecting 48 of the 56 bits, the
table is being used.

Compression permutation

• Since the key-transformation process involves permutation as well as selection of a 48-bit

subset of the original 56-bit key, it is called compression permutation.
• Because of this compression permutation technique, a different subset of key bits is used in
each round. That makes DES more difficult to crack.
 Step 2: Expansion Permutation
 After initial permutation, we had two 32-bit plain text areas, called Left Plain Text (LPT) and Right Plain
Text (RPT).
 During expansion permutation, the RPT is expanded from 32 bits to 48 bits. Besides increasing the bit
size from 32 to 48, the bits are permuted as well, hence the name expansion permutation.
This happens as follows:
 The 32-bit RPT is divided into 8 blocks, with each block consisting of 4 bits.
 Each 4-bit block of the above step is then expanded to a corresponding 6-bit block. That is, per 4-bit
block, 2 more bits are added. (They are actually the repeated first and the fourth bits of the 4-bit block ).
 The second and the third bits are written down as they were in the input .
 Note that the first bit inputted is outputted to the second output position, and also repeats in output
position 48. Similarly, the 32nd input bit is found in the 47th output position as well as in the first output
position.
Permutation Table
 As we have seen, firstly, the key-transformation process compresses the 56-bit key to 48
bits. Then, the expansion permutation process expands the 32-bit RPT to 48 bits. Now, the
48-bit key is XORed with the 48-bit RPT, and the resulting output is given to the next step,
which is the S-box substitution .
 Step 3: S-box Substitution
 S-box substitution is a process that accepts the 48-bit input from the XOR operation involving the
compressed key and expanded RPT, and produces a 32-bit output using the substitution technique.
 The substitution is performed by eight substitution boxes.
 Each of the eight S-boxes has a 6-bit input and a 4-bit output.
 The 48-bit input block is divided into 8 sub-blocks (each containing 6 bits), and each such sub-block is given
to an S-box.
 The S-box transforms the 6-bit input into a 4-bit output.
 We can conceptually think of every S-box as a table that has 4 rows (numbered 0 to 3) and 16 columns
(numbered 0 to 15).
 Thus, we have 8 such tables, one for each S-box. At the intersection of every row and column, a 4-bit
number (which will be the 4-bit output for that S-box) is present.
 The output of each S-box is then combined to form a 32-bit block, which is given to the last stage of a round,
the P-box permutation
S-BOX SUBSTITUTION
 Each S-box takes its 6-bit input and maps it to a 4-bit output. The exact substitution is
determined by the contents of the S-box, which are pre-defined and fixed as part of the
DES standard. Each S-box has 64 possible input combinations (2^6) and 16 possible output
values (2^4). This non-linear substitution is what adds confusion to the encryption process.
Example of S-box substitution
 Example of S-box substitution

Let us take an example now. Suppose the bits 5 to 8 of the 48-bit input (i.e. the input to the second
S-box) contain a value 101101 in binary. Therefore, using our earlier diagram, we have (b1, b6) = 11
in binary (i.e. 3 in decimal), and (b2, b3, b4, b5) = 0110 in binary (i.e. 6 in decimal). Thus, the output
of S-box 2 at the intersection of row number 3 and column number 6 will be selected, which is 4.
 Step 4: P-box Permutation

 The output of S-box consists of 32 bits. These 32 bits are permuted using a P-box.
 This straightforward permutation mechanism involves simple permutation.
 Step 5: XOR and Swap

 we have been performing all these operations only on the 32-bit right half portion of the
64-bit original plain text (i.e. on the RPT).
 The left half portion (i.e. LPT) was untouched so far. At this juncture, the left half portion
of the initial 64-bit plain text block (i.e. LPT) is XORed with the output produced by P-box
permutation.
 The result of this XOR operation becomes the new right half (i.e. RPT). The old right half
(i.e. RPT) becomes the new left half, in a process of swapping.
 Final Permutation
 At the end of the 16 rounds, the final permutation is performed (only once). This is a
simple transposition.
 The output of the final permutation is the 64-bit encrypted block .
 Analyzing DES
 Use of S-boxes : The tables used for substitution, i.e. the S-boxes, in DES are kept secret by IBM.
 Key Length: The inner workings of the DES algorithm are completely known to the general public. Therefore,
the strength of DES lies only in the other aspect—its key, which must be secret.
 Differential and Linear Cryptanalysis: In 1990, Eli Biham and Adi Shamir introduced the concept of differential
cryptanalysis. This method looks at pairs of cipher text whose plain texts have particular differences. The idea
is to choose pairs of plain text with fixed differences.
 Linear Cryptanalysis :Invented by Mitsuru Matsui, the linear cryptanalysis attack is based on linear
approximations. If we XOR some plain-text bits together, XOR some cipher-text bits together and then XOR
the result, we will get a single bit, which is the XOR of some of the key bits.
 Timing Attacks Timing attacks refer more to asymmetric-key cryptography. However, they can also apply to
symmetric-key cryptography. The idea is simple: observe how long it takes for the cryptographic algorithm to
decrypt different blocks of cipher text. The idea is to try and obtain either the plain text or the key used for
encryption by observing these timings. In general, it would take different amounts of time to decrypt different
sized cipher-text blocks.
 Variations of DES
 In spite of its strengths, it is generally felt that with the tremendous advances in computer
hardware (higher processing speeds of gigahertz, higher memory availability at cheap
prices, parallel processing capabilities, etc.), DES is susceptible to possible attacks.
 However, because DES is already proven to be a very competent algorithm, it would be
wise to reuse DES by making it stronger by some means, rather than writing a new
cryptographic algorithm.
 Consequently, two main variations of DES have emerged, which are double DES and
triple DES.
 Double DES
 Double DES uses two keys, say K1 and K2. It first performs DES on the original plain text
using K1 to get the encrypted text. It again performs DES on the encrypted text, but this
time with the other key, i.e. K2. The final output is the encryption of encrypted text (i.e. the
original plain text encrypted twice with two different keys).

 Meet-in-the-middle attack
 If we use an n-bit key, the cryptanalyst has to perform 2n operations to try out all the possible
keys. If we use two different keys, each consisting of n bits, the cryptanalyst would need 22n
attempts to crack the key. Therefore, on the face of it, we may think that since the cryptanalysis
for the basic version of DES requires a search of 256 keys, Double DES would require a key
search of (22*56), i.e. 2112 keys.
 Merkle and Hellman introduced the concept of the meet-in-the-middle attack. This attack
involves encryption from one end, decryption from the other, and matching the results in the
middle, hence the name meet-in-the-middle attack.
 A meet-in-the-middle attack is a cryptographic attack that aims to find a common element
between two sets of data by searching through them simultaneously, often to break a
cryptographic key or encryption scheme. This attack relies on the assumption that an encryption
or hashing process can be split into two parts that can be computed independently and then
checked for a match in the middle.
 Modern encryption algorithms are designed to resist meet-in-the-middle attacks by using
complex and interdependent operations that make this type of attack computationally infeasible.
 Triple DES
 Double DES seemed inadequate, paving way for triple DES. As we can imagine, Triple
DES is DES three times.
 It comes in two kinds: one that uses three keys, and the other that uses two keys.

• This is also called Encrypt-Decrypt-Encrypt (EDE) mode. Triple DES with two keys is not
susceptible to the meet-in-the-middle attack,
unlike double DES as K1 and K2 alternate here.