UNIT III--DATA ENCRYPTION STANDARD

The Data Encryption Standard (DES) is a symmetric-key block cipher published by the
National Institute of Standards and Technology (NIST).
DES is an implementation of a Feistel Cipher. It uses 16 round Feistel structure. The block size
is 64-bit. Though, key length is 64-bit, DES has an effective key length of 56 bits, since 8 of the
64 bits of the key are not used by the encryption algorithm (function as check bits only).
General Structure of DES is depicted in the following illustration −

Since DES is based on the Feistel Cipher, all that is required to specify DES is −
 • Round function
• Key schedule
• Initial and final permutation

Initial and Final Permutation

The initial and final permutations are straight Permutation boxes (P-boxes) that are inverses of
each other. They have no cryptography significance in DES. The initial and final permutations
are shown as follows −

. DES Function

The heart of this cipher is the DES function, f. The DES function applies a 48-bit key to the
rightmost 32 bits to produce a 32-bit output
• Expansion Permutation Box − Since right input is 32-bit and round key is a 48-bit, we
first need to expand right input to 48 bits. Permutation logic is graphically depicted in
the following illustration −

• XOR (Whitener). − After the expansion permutation, DES does XOR operation on the
expanded right section and the round key. The round key is used only in this operation.
• Substitution Boxes. − The S-boxes carry out the real mixing (confusion). DES uses 8 S-
boxes, each with a 6-bit input and a 4-bit output. Refer the following illustration −
 • There are a total of eight S-box tables. The output of all eight s-boxes is then combined
in to 32 bit section.
• Straight Permutation − The 32 bit output of S-boxes is then subjected to the straight
permutation with rule

Round Function
DES uses 16 rounds. Each round of DES is a fiestel cipher.the fig. below show the rounds
function
The round takes L1 and R1 and creates L2 and R2, which go to the next round. Each round has
two cipher element, mixer and swapper..The swapper swaps the left half of the text with the right
half .the mixer is invertible because of the XOR operation. All non invertible elements are
collected inside the function f(R1,k1)

Key Generation

The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key. However the
cipher key is normally given as a 64-bit key in which 8 extra bit are the parity bit,which are
dropped before the actual key generation process.The process of key generation is depicted in
the following illustration −
The logic for Parity drop, shifting, and Compression P-box is given in the DES description.

DES Analysis

The DES satisfies both the desired properties of block cipher. These two properties make cipher
very strong.
• Avalanche effect − A small change in plaintext results in the very great change in the
ciphertext.
• Completeness − Each bit of ciphertext depends on many bits of plaintext.
During the last few years, cryptanalysis have found some weaknesses in DES when key selected
are weak keys. These keys shall be avoided.
DES has proved to be a very well designed block cipher. There have been no significant
cryptanalytic attacks on DES other than exhaustive key search
Multiple DES
DES was susceptible to attacks due to tremendous advances in computer hardware. Since DES
was a very competent algorithm it would be feasible to reuse DES rather than writing a new
cryptographic algorithm.
Due to this variations of DES were introduced known as multiple DES which were as follows:
1.Double DES-

• Double DES is simple as it does that normal DES does. Double DES uses two keys say
K1 and K2. It first performs DES on the original plain text using K1 to get the encrypted
text. It again performs DES on the encrypted text but this time with the other key K2.
• The final output is the encryption of encrypted text with the original plain text encrypted
twice with two different keys shown in figure below.

• The doubly encrypted cipher text block is first decrypted using the key K2 to produce
singly encrypted cipher text. This cipher text block is then decrypted using the key K1 to
obtain the original plain text block.
• Since the cryptanalysis for basic version of DES requires a search of 256 thus the
assumption is double DES require 2128 keys which is not true.
• Meet-in-the-middle attack is the drawback of double DES. This attack involves
encryption from one end, decryption from the other and matching the results in the
middle hence the name.

2.Triple DES-
To improve the security of DES to a higher level triple DES was proposed. This uses three stages
on DES for encryption and decryption. Two versions of triple DES are as follows:
i. Triple DES with Two Keys-

• In triple DES with two keys there are only two keys K1 used by first and third stage and
K2 used in second stage. First the plain text is encrypted with key K1 then the output of
step one is decrypted with K2 and final the output second step is encrypted again with
key K1. Thus having EK1(DK2(EK1(P)))EK1(DK2(EK1(P))) shown below.
 • This is also called as encrypt decrypt encrypt (ECE) mode. Triple DES with two keys is
not susceptible to the meet-in-the-middle attack.

ii. Triple DES with Three Keys-

• The figure below shows the idea of Triple DES with three keys:

• The plain text block P is first encrypted with a key K1 then encrypts with a second key
K2 and finally with a third key K3 where K1, K2 and K3 are all different from each
other. Decryption is done in reverse order. This algorithm is mostly used in PGP and
S/MIME.
 Security of DES

Attacks of Des include

• Brute-force attack
• Differential cryptanalysis
• Linear cryptanalysis

Brute force attack

DES can be broken using 255 encryption. however most application uses triple des with two key
and triple des with three key. These two multiple version makes Des resistant to brute force
attack
Linear Cryptanalysis
Linear cryptanalysis is a known plaintext attack, in which the attacker studies probabilistic linear
relations known as linear approximations between parity bits of the plaintext, the Ciphertext and
the secrete key.
In this technique, the attacker obtains high probability approximations for the parity bit of the
secrete key by analyzing the parity bits of the known plaintexts and ciphertexts. By use of
several techniques such as the auxiliary technique, the attacker can extend the attack to find more
bits of the secret key.
Linear cryptanalysis together with differential cryptanalysis are the most widely used attacks on
block ciphers. The linear cryptanalysis technique was first discovered by Mitsuru Matsui who
first applied it to the FEAL cipher.
There are usually two parts to linear cryptanalysis; the first is to construct linear equations
relating to plaintext, Ciphertext and key bits that have a high bias; that is whose probabilities of
holding are as close as possible to 0 0r 1. The second part is to use these linear equations in
conjunction with known plaintext-ciphertext pairs to drive key bits.
Differential Cryptanalysis
Differential cryptanalysis can be described as a general form of cryptanalysis that is primarily
applicable to block ciphers, cryptographic hash functions. In other words, it entails a careful
analysis of how differences in information input can affect the resulting difference at the output.
In block cipher, differential analysis can be described as a set of techniques for tracing
differences through the network of transformation, discovering where the cipher exhibits what is
known as non-random behavior and exploiting such details to recover the secrete key
(cryptography key).
For any particular cipher, the input difference must be keenly selected for the attack to be
successful. An analysis of the algorithm’s internals is undertaken; the standard method is to trace
a path of highly probable differences through the various stages of encryption, referred to
as differential characteristic. In the process, observing the desired output difference between the
two chosen or unknown plaintext inputs suggests possible key values.
Difference Between Linear and Differential Cryptanalysis
Basis of
Linear Cryptanalysis Differential Cryptanalysis
comparison
Linear cryptanalysis is a known Differential cryptanalysis can be described
plaintext attack, in which the as a general form of cryptanalysis that is
attacker studies probabilistic linear primarily applicable to block ciphers,
Description relations known as linear cryptographic hash functions. It entails a
approximations between parity bits careful analysis of how differences in
of the plaintext, the Ciphertext and information input can affect the resulting
the secrete key. difference at the output.
Linear cryptanalysis was first Differential analysis was discovered by
Discovery discovered by Matsui and Israeli researchers Eli Biham and Adi
Yamagishi in 1992. Shamir.
Linear cryptanalysis focuses on Differential analysis focuses on statistical
Focus statistical analysis against one analysis of two inputs and two outputs of a
round of decrypted cipher text. cryptographic algorithm.
In linear cryptanalysis, the role of In differential cryptanalysis, the role of the
the attacker is to identify the linear attacker is to analyze the changes in some
Role of The relation between some bits of the chosen plaintexts and the difference in the
Attacker plaintext, some bits of the outputs resulting from encrypting each
ciphertext and some bits of the one, it is possible to recover some of the
unknown key. key.
In linear cryptanalysis, the In differential cryptanalysis, the changes to
cryptanalyst decrypts each cipher the intermediate cipher text are obtained
using all possible sub keys for one between multiple rounds of encryption.
Decryption
round of encryption and studies the The attacks can be combined, and this can
resulting intermediate cipher text to be referred to as differential-linear
analyze the random results. cryptanalysis.

DES weakness
1. Weaknesses in cipher design
a)s-boxes
b)d-boxes
2. Weakness in cipher key
a) Key size
b) weak keys

weaknesses in cipher design

 S-box
1) In s box the last 3 output bits can be derived in the same way as the
first outpu bit by complemrnting some of the input bits.
2) It is possible to obtain the same output in a singlr round by changing
bits only three neighbouring s boxes
D-boxes
1) it is not clear why the designers of des used the initial and final
permutation.these have no security benefits
2) In the expansion permutation the first and fourth bits of every 4 bit series
are repeated

Weakness in cipher key

Key size
The key size of des is 56 bits. it is not enough to be used comfortably.
Weak keys
Four out of 256 possible keys are called weak keys.A weak key is the one that,
after parity drop operation consists either of all 0s,all 1s,or half 0s and half 1s