4 0 Lect4 DES

Highly Secure Systems
Data Encryption Standard – DES
Dr Bobby Yang
Diagrams are taken from textbook "Understanding Cryptography" by Christof Paar and Jan Pelzl 1/19
Basic operations
• Confusion: The relationship between

key and ciphertext is obscured – e.g. by
substitution
• Diffusion: The influence one plaintext
symbol is spread over many ciphertext
symbols e.g. by permutation,
mixcolumn operations.
• Product ciphers: concantenate several

confusion and diffusion operations.
DES algorithm
• Based on an IBM cipher, released to

the public by NBS (now NIST) in 1977
• Block size of 64 bits,
• Key size is 56 bits, i.e. keyspace: 256
• Uses 16 rounds of encryptions –
permutations, rotations, and
substitutions with round keys.
• Round keys derived from shared key,
using a process called “key schedule”
DES – overall operation
1. Initial and Final

permutations – reversible
2. Each round uses a Feistal
network (Horst Feistal &
Don Coppersmith, 1973) –
a reversible function
3. f an irreversible function
using substitution
“S-boxes”
4. Key schedule used to
derive 16 round keys
5. After last round, one more
left-right swap
DES encryption and decryption
• Consider only one round
DES encryption and decryption
• Consider only one round, Encrypt plaintext X :
A = IP(x) = (L0 R0 )
B = L1 = R0 ; R1 = L0 ⊕ f (K1 , R0 )
Y = IP −1 (R1 L1 ) = IP −1 (R1 , R0 )
• Decryption
Y = IP −1 (R1 , R0 )
U = IP(Y ) = IP(IP −1 (R1 , R0 )) = (R1 , R0 )
V = (R0 , R1 ⊕ f (K1 , R0 ) = (R0 , L0 ⊕ f (K1 , R0 ) ⊕ f (K1 , R0 )
= (R0 , L0 )
W = (L0 , R0 )
Z = IP −1 (L0 , R0 ) = X
• Decryption uses the same function as encryption, except
the round keys are used in reverse.
DES internals – Initial and Final
permutations
1. Initial Permutation IP and Final permutation IP −1
DES internals – f -Function
f -function • Expansion permutation E
32-bit input expanded into

48-bits
DES – S-boxes
• S-boxes provides
confusion
• There are 8 S-boxes,
crucial to the strength of
DES
• Transforms 6 bit inputs
• E.g. S-box 1 input
into 4 bit outputs
• Non-linear, i.e. (100101)2
S(a) ⊕ S(b) 6= S(a ⊕ b) becomes (1000)2 = 8
• Use of S-boxes
• Row: use MSB,LSB of
input
• Column: use remaining
4 bits
DES – S-boxes and P
• Permutation function, P designed to provide diffusion
Key Schedule
• Derives 16 round keys from

original 56-bit key
1. 56-bit key expanded to 64-bit by
adding odd parity bit over the
preceeding 7 bits.
2. Key permutation according to
PC − 1
3. Split into two equal blocks Ci , Di ,
each block cyclically shifted left
by:
1 bit for rounds 1,2,9,16
2 bits for other rounds
4. Permutates Ci , Di using PC − 2
to get round key ki
DES – decryption
• The decryption is same as

encryption
• Only the key schedule
needs to be reversed
Security of DES
• Small keyspace, prone to brute force attacks.
• Brute Force attack: If at least one pair of plaintext and
ciphertext is available, try all 256 keys such that the
decrypted ciphertext matches the plaintext. Hence there
• Average number of attempts required 21 256 = 255
• Time to break: 6.4 days using a special cracking devices,
e.g. COPACABANA, Deep Crack
Exhaustive key search
• Give a plaintext-ciphertext pair (x1 , y1 ) find a DES key ki
?
check: DESki (x1 ) = yi , for i = 0, 1, · · · , 256 − 1
• False positive: if a key ki can decrypt one pair (x1 , y1 ) but
not others, then several pairs of (x, y ) would be needed.
• Consider x1 of 64-bits, key size k 80 bits. There should be
280 ciphertext y10,.... . Since the output size is also 64-bits,
is output space is 264 , then some of the possible
80
ciphertext, on average 2264 = 216 , maps to the same value.
• Hence, for one pair (x1 , y1 ), the probability of the correct
key is 2116
2DES
• Using k1 , k2 use DES in

sequence.
• A direct brute force attack
would need to try 2112
attempts
• Smarter attack:
meet-in-the-middle
• Using kL encrypt plaintext x1 into a set of 256 ciphertext X
• Sort X
• Using kR decrypt ciphertext y1 and look for match in X . At
most 256 decryptions required.
• Total DES encryptions & decryptions: 2 × 256 = 256+1
Easily broken using current computers.
Triple DES (3DES)
• Encryption EDE: C = E(D(E(x, k1 ), k2 ), k3 )

• Decryption DED: D(E(D(x, k3 ), k2 ), k1 ) = x
• 3×56 bits keys: k1 , k2 , k3 , i.e. keysize is 168 bits or
• 2×56 bits keys k1 , k2 , k3 = k1 , i.e. keysize is 112 bits
Security of 3DES
• If k1 = k2 = k3 , then 3DES is equivalent to DES, i.e. same
3DES code/function can be used for DES
• Exhaustive key search using meet-inside attack
• Give plaintext-ciphertext pair x1 , y1 , keys k1 , k2 , k3
• Encrypt x1 with all possible k1 , k2
i.e. Xij′ = EDES (DDES (x1 , k1i ), k2j )
• Decrypt y1 using k3k , each time check with X ′ until a match
found
• Maximum no. of encrypt/decryt: 22×56 + 256 ≈ 2112
• The equivalent key strength is 112 bits, not 168 bits
Other ciphers
• Lightweight cipher designed for low power devices, e.g.
RFID tags
• Block length 64 bits, key lengths of 80 and 128 bits
• uses 31 rounds of substitution-permutations
• MISTY1
• Blowfish
• Twofish
• IDEA, etc.
DES summary
• DES uses 56 bit keys, too weak against brute force today
• DES is quite robust against known analytical attacks
• Efficient in software and hardware
• DES usually uses as 3DES

4 0 Lect4 DES

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

4 0 Lect4 DES

Uploaded by

Copyright:

Available Formats

Highly Secure Systems

Data Encryption Standard – DES

• Confusion: The relationship between

• Product ciphers: concantenate several

• Based on an IBM cipher, released to

1. Initial and Final

f -function • Expansion permutation E

32-bit input expanded into

• Derives 16 round keys from

• The decryption is same as

• Using k1 , k2 use DES in

• Encryption EDE: C = E(D(E(x, k1 ), k2 ), k3 )

You might also like