Cryptography and Network Security

DES
DES: The Data Encryption Standard /
DEA: Data Encryption Algorithm


Adopted by NIST as Federal Information Processing Standard 46 (FIPS PUB
46) in 1977.

The algorithmic implementation of DES is known as DEA for
Data Encryption Algorithm.

Based on a cipher (Lucifer) developed earlier by IBM for Lloyd’s of London
for cash transfer.

Data is encrypted in 64-bit blocks using a 56-bit key

Output is also 64 bits in size

DES uses the Feistel cipher structure with 16 rounds of processing.

The key is specified with 8 bytes, but one bit of each byte is used as a parity
check. Hence 56 bit.

DES encryption was broken in 1999 by Electronics 
Frontiers Foundation (EFF, www.eff.org). This resulted in
NIST issuing a new directive that year that required
organizations to use Triple DES, that is, three consecutive
applicationsof DES. (That DES was found to be not as strong
as originally believed also prompted NIST to initiate the
development of new standards for data encryption. The result
is AES that we will discuss later.)

Triple DES continues to enjoy wide usage in commercial
applications even today. To understand Triple DES, you must
first understand the basic DES encryption.

As mentioned, DES uses the Feistel structure
with 16 rounds.

What is specific to DES is the implementation of
the F function in the algorithm and how the round
keys are derived from the main encryption key.

The round keys are generated from the main key
by a sequence of permutations. Each round 
key is 48 bits in length.
DES Algorithm
 DES

Encryption

Step 1 : Initial Permutation(IP)

Step 2 : 16 Fiestel Rounds
Step 3 : Inverse Inital Permutation(IP-1)
 DES

Step 1 and Step 3

These permutations are the inverse of each
other.
-In the initial permutation , the 58 th bit in the
input becomes the 1st bit in the output.
-Similarly, in the inverse permutation, the
first bit in the input becomes the 58 th bit
in the output.
-If the rounds between these two
permutations do not exist,the 58 th bit
entering the initial permutation is the
same as the 58th bit leaving the final
permutation.
 DES

Analysis of IP and IP-1

These two permutations have no cryptographic significance in DES.Both permutations are 
keyless and predetermined. The reason they are included in DES is not clear and has not 
been revealed by the DES developers.

It is inferred that the initial and final permutations are easy to implement on hardware 
chips with  8 bit inetfaces(which was popular when DES was invented) and . The 
contents of the table are chosen to reduce the criss­crossing of wires to realize the 
permutations.
 DES

Single Round of DES

­DES uses 16 rounds
­Each round of DES 
    is a Fiestel Cipher
             (Fiestel Function
                           &
              32­bit swapping)
 Fiestel Functuion-DES

The dotted rectangle 
constitutes the F function.
1.Expansion/Permutation
2.Key Mixing
3.S­Box
4.P­Box based 
Permutation
 Fiestel Function-DES

1)Expansion/Permutation
The 32­bit right half of the 64­bit input data block is expanded by into a 48­bit 
block. This is referred to as the expansion permutation step, or the E­step.
The E­step entails the following:
– first divide the 32­bit block into eight 4­bit words
– attach an additional bit on the left to each 4­bit word that is the last bit of the 
previous 4­bit word
– attach an additional bit to the right of each 4­bit word that is the beginning bit 
of the next 4­bit word.
Note that what gets prefixed to the first 4­bit block is the last bit of the last 4­bit 
block. By the same token, what gets appended to the last 4­bit block is the first 
bit of the first 4­bit block
Fiestel Function-DES

Expansion Table
Expansion Table
 Fiestel Function-DES

2) Key Mixing
The round key(48 bit) is used 
only in this function

The 56-bit key is divided into two
halves, each half shifted separately,
and the combined 56-bit key
permuted/contracted to yield a 48-bit
round key. How this is done will be
explained later.

The 48 bits of the expanded output
produced by the E-step are XORed
with the round key. This is referred
to as key mixing.
 Fiestel Function-DES

3) S­Box

The output produced by the previous step
is broken into eight six-bit words. Each
six-bit word goes through a substitution
step;its replacement is a 4-bit word. The
substitution is carried out with an S-
box[ The name “S-Box” stands for “Substitution
Box”. ]

So after all the substitutions, we again end
up with a 32-bit word.

4) P­box based Permutation

The 32-bits of the previous step then go
through a P-box based permutation.
 Fiestel Function-DES

The S­Box for the Substitution Step in 
Each Round
 Fiestel Function-DES

Definition of S­Boxes 
used in DES
Note that the goal of the
substitution step
implemented by the S­box is
to introduce diffusion in
the generation of the output
from the input. Diffusion
means that each plaintext bit
must affect as many ciphertext
bits as possible.
 Permutation Function P
 Single Round-DES


What comes out of the P-
box is then XORed with
the left half of the 64-bit
block that we started out
with. The output of this
XORing operation gives
us the right half block for
the next round.
 Round Processing-DES

As in any classic Feistel cipher, the overall processing

at each round can be summarized in the following
formulas:
Li = R i-1
R i = L i - 1 ⊕ F(R i - 1 , K i )

The strategy used for creating the different round keys
from the main key is meant to introduce confusion into
the encryption process. Confusion in this context 
means that the relationship between the 
encryption key and the ciphertext must be as 
complex as possible. Another way of describing
confusion would be that each bit of the key must affect
as many bits as possible of the output ciphertext block.

Diffusion and confusion are the two cornerstones of
block cipher design
Single Round of DES
DES Key Schedule Calculation

24
 DES

WHAT MAKES DES A STRONG CIPHER (TO THE 
EXTENT IT IS A STRONG CIPHER)
1) Avalanche Effect

The substitution step is very effective as far as diffusion is concerned. It 
has been shown that if you change just one bit of the 64­bit input data 
block, on the average that alters 34 bits of the ciphertext block.

The manner in which the round keys are generated from the encryption 
key is also very effective as far as confusion is concerned. It has been 
shown that if you change just one bit of the encryption key, on the average 
that changes 35 bits of the ciphertext.
2)Brute­Force Attack
   The 56­bit encryption key means a key space of size 2 56 ≈ 7.2 × 10 16
Assuming that, on the average, you’d need to try half the keys
in a brute­force attack, a machine able to process 1000 keys per
microsecond would need roughly 13 months to break the code.
However, a parallel­processing machine trying 1 million keys si­
multaneously would need only about 10 hours. (EFF took
three days on a specially architectured machine to
break the code.)
2)One of the most significant advances in cryptanalysis in recent years
is differential cryptanalysis. We will talk of the technique and the

applicability to DES
Table 3.2

DES
Example

(Table can be found on

page 75 in textbook)

Note: DES subkeys are shown as eight 6-bit values in hex format
DES Example
Avalanche Effect
 Aim: small change in key (or plaintext) produces large change in
ciphertext
 Avalanche effect is present in DES (good for security)
 Following examples show the number of bits that change in output
when two different inputs are used, differing by 1 bit
 Plaintext 1: 02468aceeca86420
 Plaintext 2: 12468aceeca86420
 Ciphertext difference: 32 bits
 Key 1: 0f1571c947d9e859
 Key 2: 1f1571c947d9e859
 Ciphertext difference: 30
Table 3.3 Avalanche Effect in DES: Change in Plaintext
Table 3.4 Avalanche Effect in DES: Change in Key
Table 3.5
Average Time Required for Exhaustive Key Search
Key size
 Although 64 bit initial key, only 56 bits used in
encryption (other 8 for parity check)
 256 = 7.2 x 1016
 1977: estimated cost $US20m to build machine
to break in 10 hours
 1998: EFF built machine for $US250k to break
in 3 days
 Today: 56 bits considered too short to
withstand brute force attack
 3DES uses 128-bit keys
Attacks on DES
 Timing Attacks
 Information gained about key/plaintext by observing how
long implementation takes to decrypt
 No known useful attacks on DES
 Differential Cryptanalysis
 Observe how pairs of plaintext blocks evolve
 Break DES in 247 encryptions (compared to 255); but require
247 chosen plaintexts
 Linear Cryptanalysis
 Find linear approximations of the transformations
 Break DES using 243 known plaintexts
Timing Attack : In cryptography, a
timing attack is a side channel
attack in which the attacker
attempts to compromise a
cryptosystem by analyzing the
time taken to execute
cryptographic algorithms. Every
logical operation in a computer
takes time to execute, and the
time can differ based on the
input; with precise
measurements of the time for
each operation, an attacker can
work backwards to the input.
In computer security, a side-channel attack is any
attack based on information gained from the
implementation of a computer system, rather than
weaknesses in the implemented algorithm itself
(e.g. cryptanalysis and software bugs). Timing
information, power consumption, electromagnetic
leaks or even sound can provide an extra source
of information, which can be exploited.
Differential Crptanalysis
●
Eli Biham and Adi Shamir in 1990
●
Chosen-plaintext attack
●
A statistical attack against Fiestel Cipher
●
exploits the relationship between the difference of two inputs and the difference of the
corresponding two outputs
●
why look at the difference? because in an SPN,
the key does not influence the value of the difference!
X’=1001 k=1010 y’=0011=x’ ⊕k
x’’=1100 y’’=0110=x’’⊕k

Δx=0101 Δy=0101
●
Cryptanalyst finds the probability of a particular output difference for a given input difference
●
This attack will not recover the key, it will reduce the range of possible intermediate values
down to number that is manageable.
In a perfectly randomized cipher, the probability of a
given output difference MY, given an input
difference MX, is (1⁄2) m ,where m is the number
of bits
DES Algorithm Design
 DES was designed in private; questions about the
motivation of the design
 S-Boxes provide non-linearity: important part
of DES, generally considered to be secure
 S-Boxes provide increased confusion
 Permutation P chosen to increase diffusion
Multiple Encryption with DES
 DES is vulnerable to brute force attack
 Alternative block cipher that makes use of DES
software/equipment/knowledge: encrypt multiple
times with different keys
 Options:
 1. Double DES: not much better than single DES
 2. Triple DES (3DES) with 2 keys: brute force 2112
 3. Triple DES with 3 keys: brute force 2168
Double Encryption

 For DES, 2 56-bit keys, meaning 112-bit key

length
 Requires 2111 operations for brute force?
 Meet-in-the-middle attack makes it easier
Triple Encryption
 2 keys, 112 bits
 3 keys, 168 bits
 Why E-D-E? To be compatible with single DES:
Summary
 have considered:
 block vs stream ciphers
 Feistel cipher design & structure
 DES
» details
» strength
 Doupbe DES
 Triple DES