Cryptography
Ch.3: The Data Encryption
Standard (DES)
Prepared By
Dr. Ibrahim Attiya
© 2024 NMU
Ch.3: Outline
❑ Introduction to DES.
❑ The design process of DES.
❑ Basic design ideas of block ciphers.
❑ The internal structure of DES.
❑ Key Schedule
❑ Security analysis of DES.
❑ Alternatives to DES, including 3DES.
❑ Lessons Learned.
Key Schedule
➢ The key schedule derives 16 round keys ki, each
consisting of 48 bits, from the original 56-bit key.
Another term for round key is subkey.
➢ First, note that the DES input key is often stated as
64-bit, where every eighth bit is used as an odd
parity bit over the preceding seven bits.
➢ In any case, the eight parity bits are not actual key
bits and do not increase the security.
➢ DES is a 56-bit cipher, not a 64-bit one.
➢ As shown in the following Fig., the 64-bit key is
first reduced to 56 bits by ignoring every eighth bit.
➢ Parity bits are removed in a first permuted choice
PC-1:
▪ Note that the bits 8, 16,
24, 32, 40, 48, 56 and
64 are not used at all.
➢ The resulting 56-bit key is split into two halves C0
and D0, and the actual key schedule starts as shown
in the following Fig.
➢ The two 28-bit halves are cyclically shifted, i.e.,
rotated, left by one- or two-bit positions depending
on the round i according to the following rules:
▪ In rounds i = 1, 2, 9, 16, the two halves are rotated
left by one bit.
▪ In the other rounds where i ≠ 1, 2, 9, 16, the two
halves are rotated left by two bits.
➢ Figure: Key schedule for DES encryption.
➢ To derive the 48-bit round keys ki, the two halves
are permuted bitwise again with PC−2, which
stands for “permuted choice 2”.
➢ PC−2 permutes the 56 input bits coming from Ci and
Di and ignores 8 of them. The exact bit-connections
of PC−2 are given in the previous table.
➢ Note that every round key is a selection of 48
permuted bits of the input key k.
➢ The key schedule is merely a method of realizing
the 16 permutations systematically.
Summary of DES Operations
Decryption
➢ One advantage of DES is that decryption is
essentially the same function as encryption.
➢ This is because DES is based on a Feistel network.
➢ The following Figure shows a block diagram for
DES decryption. Compared to encryption, only the
key schedule is reversed, i.e., in decryption round
1, subkey 16 is needed; in round 2, subkey 15; etc.
➢ Thus, when in decryption mode, the key schedule
algorithm has to generate the round keys as the
sequence k16, k15, . . . , k1.
➢ Reversed key schedule:
➢ As D0 = D16 and C0 = C16, the first round key can be
generated by applying PC-2 right after PC-1 (no
rotation here!).
➢ All other rotations of C and D can be reversed to
reproduce the other round keys resulting in:
▪ No rotation in round 1.
▪ One bit rotation to the right in rounds 2, 9 and 16.
▪ Two bit rotations to the right in all other rounds (i.e.,
rounds 3, 4, 5, 6, 7, 8, 10, 11, 12, 13, 14 and 15).
➢ Figure: Reversed key schedule for decryption of DES.
➢ Figure: DES decryption.
Security of DES
➢ After the proposal of DES, two major criticisms
arose:
▪ The key space is too small (2^56 keys).
▪ The S-box design criteria were kept secret, and there
might have existed an analytical attack that
exploits mathematical properties of the
S-boxes, but which is only known to the DES
designers.
➢ The main conclusion about DES security: Despite
very intensive cryptanalysis over the lifetime of DES,
current analytical attacks are not very efficient.
➢ Exhaustive key search:
➢ Special-purpose key-search machines are an option
to perform the 2^56 key tests necessary.
➢ Large institutions have long been able to build such
brute-force crackers, which can break DES in a
matter of days.
➢ Analytical Attacks:
➢ It is a major triumph for the designers of DES that
no weakness was found until 1990.
➢ DES is highly resistant to both differential
cryptanalysis (DC) and linear cryptanalysis (LC),
which were published years after DES.
➢ This means IBM and NSA had been aware of these
attacks for 15 years!
➢ The effectiveness of both DC and LC attacks
depends heavily on the structure of the S-boxes.
➢ So far there is no known analytical attack which
breaks DES in realistic scenarios.
History of Attacks on DES
➢ Deep Crack — the
hardware exhaustive
key-search machine that
broke DES in 1998.
➢ COPACOBANA — A
cost-optimized parallel
code breaker.
Alternatives to DES
Algorithm       I/O Bit  Key lengths      Remarks
AES / Rijndael  128      128/192/256      DES "replacement", worldwide used standard
Triple DES      64       112 (effective)  conservative choice
Mars            128      128/192/256      AES finalist
RC6             128      128/192/256      AES finalist
Serpent         128      128/192/256      AES finalist
Twofish         128      128/192/256      AES finalist
IDEA            64       128              patented
Triple DES – 3DES
➢ An alternative to the AES algorithm is triple DES,
often denoted as 3DES.
➢ 3DES consists of three subsequent DES
encryptions
y = DES_k3(DES_k2(DES_k1(x)))
with different keys, as shown below.
➢ 3DES is often used in practice to extend the
effective key length of DES to 112 bits.
➢ Choosing k1=k2=k3 performs single DES
encryption in the variant where the second operation
is a DES decryption (encrypt-decrypt-encrypt).
➢ No practical attack known today.
➢ 3DES seems resistant to both brute-force attacks
and any analytical attack imaginable at the moment.
➢ It is popular in financial applications as well as for
protecting biometric information in electronic
passports.
Lessons Learned
➢ DES was the dominant symmetric encryption
algorithm from the mid-1970s to the mid-1990s.
➢ Since 56-bit keys are no longer secure, the
Advanced Encryption Standard (AES) was created.
➢ Standard DES with 56-bit key length can be broken
relatively easily nowadays through an exhaustive
key search.
➢ DES is quite robust against known analytical
attacks: In practice it is very difficult to break the
cipher with differential or linear cryptanalysis.
➢ By encrypting with DES three times in a row, triple
DES (3DES) is created, against which no practical
attack is currently known.
➢ The “default” symmetric cipher is nowadays often
AES. In addition, the other four AES finalist ciphers
all seem very secure and efficient.
➢ Since about 2005 several proposals for lightweight
ciphers have been made. They are suited for
resource-constrained applications.
Any Questions?