Data Encryption Standard

(DES)
Product Ciphers
 Apply confusion and diffusion operations to thwart
cryptanalysis based on statistical analysis
 Diffusion
 dissolve statistical structure of the plaintext into long-range

statistics of the ciphertext

 Spread the statistics over a range of bits, i.e., let each part

of the plaintext affect a large part of the ciphertext, thus

making the statistical relationship as difficult as possible
 Thwarts frequency analysis

 Can be achieved by repeatedly performing some

permutation followed by applying a function to that
permutation
Product Ciphers
 Confusion
 Make statistical relationship between the ciphertext and

key as difficult as possible

 Thwarts attempts to discover the key

 Can be achieved by using a complex, non-linear,

substitution operation (S-box)
Feistel Cipher Structure


 Input block is partitioned

into two halves, Li-1 and
Ri-1
 In round i, 

• Li = Ri-1
• Ri = Li-1  F(Ki, Ri-1)
 Substitution followed by
permutation 

 Multiple rounds
 Block size
 Increasing size improves security, but slows cipher

 Key size
 Increasing size improves security, makes exhaustive key

searching harder, but may slow cipher

 Number of rounds
 Increasing number improves security, but slows cipher

 Subkey generation algorithm

 Greater complexity can make analysis harder, but slows

cipher
 Round function
 Greater complexity can make analysis harder, but slows

cipher
 Fast software encryption/decryption
 Ease of analysis
 In 1973, NBS (NIST) issues a public request for proposals
for a national cipher standard, which must be
 Secure

 Public

 Completely specified

 Easy to understand

 Available to all users

 Economic and efficient in hardware

 Able to be validated

 Exportable
The Data Encryption Standard (DES) is a symmetric-key
block cipher published by the National Institute of
Standards and Technology (NIST).

In 1973, NIST published a request for proposals for a

national symmetric-key cryptosystem. A proposal from
IBM, a modification of a project called Lucifer, was
accepted as DES. DES was published in the Federal
Register in March 1975 as a draft of the Federal
Information Processing Standard (FIPS).
DES is a block cipher

Encryption and decryption with DES

As per Feistel
Structure: DES
cipher and reverse
cipher for the first
approach
DES Architecture
Initial and Final Permutations
Initial and final permutation steps in DES
Initial and final permutation tables

IP IP-1
Note: The initial and final permutations are straight
P-boxes that are inverses of each other.
They have no cryptography significance in DES.
 Rounds
DES uses 16 rounds. Each round of DES is a Feistel
cipher. One single round process architecture shown
below
DES Round Function DES Key Generation
DES Function

The heart of DES

is the DES
function. The DES
function applies a
48-bit key to the
rightmost 32 bits
to produce a 32-
bit output.

D-Box
Expansion P-box
Since RI−1 is a 32-bit input and KI is a 48-bit key, we first
need to expand RI−1 to 48 bits.

Expansion permutation
Although the relationship between the input and output
can be defined mathematically, DES uses below table to
define the P-box.
Expansion P-box table
Whitener (XOR)
After the expansion permutation, DES uses the XOR
operation on the expanded right section and the round
key. Note that both the right section and the key are 48-
bits in length. Also note that the round key is used only in
this operation.
S-Boxes
The S-boxes do the real mixing (confusion). DES uses 8
S-boxes, each with a 6-bit input and a 4-bit output.

S-boxes
S-box rule
shows the permutation for S-box 1. For the rest of the
boxes see the textbook.
S-box 1
Example

The input to S-box 1 is 100011. What is the output?

Solution
• If we write the first and the sixth bits together, we
get 11 i.e. 3 in decimal. (Row side)
• The remaining bits are 0001 in binary, which is 1 in
decimal. (Column Side)
• look for the value in row 3, column 1, in S-box 1 and the
result is 12 in decimal, which in binary is 1100.
• So the input 100011 yields the output 1100.

The input to S-box 1 is 101110. What is the output?

Ans: 11 i.e. 1011

Example
The input to S-box 8 is 000000. What is the output?

Solution
If we write the first and the sixth bits together, we get 00 in
binary, which is 0 in decimal. The remaining bits are 0000 in
binary, which is 0 in decimal. We look for the value in row 0,
column 0, in Table S-box 8. The result is 13 in decimal, which
is 1101 in binary. So the input 000000 yields the output 1101.
Straight D-Box: A straight permutation table is used

The last operation in the DES function is a permutation with a

32-bit input and a 32-bit output. The input/output relationship for
this operation is shown in table above and follows the same
general rule as previous tables.
For example, the seventh bit of the input becomes the second
bit of the output
Calculate the key schedule

• Parity bits (8, 16, …, 64) are discarded (out of

64-bit key)
• 56-bit key is split into 28-bit L and R
• 16, 48-bit subkeys (K1, K2, …, K16) are
generated by various circular left shifts of L
and R
• Bits are permuted and selected
Drop Parity bits
Drop the bits of the grey positions (8x) to make 56 bit space for further
operation for each round.
Parity Drop Table
1 2 3 4 5 6 7 8
9 10 11 12 13 14 15 16
17 18 19 20 21 22 23 24
25 26 27 28 29 30 31 32
33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56
57 58 59 60 61 62 63 64
Permuted Choice 1 (PC-1)

57 49 41 33 25 17 9
1 58 50 42 34 26 18 C0
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15 D0
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4

This permutation selects the

48-bit subkey for each round
from the 56-bit key-schedule
state. This permutation will
ignore 8 bits below:
Permuted Choice 2 "PC-2"
Ignored bits 9, 18, 22, 25, 35,
38, 43, 54.
Split the permuted key into two halves. The first 28 bits
are called C[0] and the last 28 bits are called D[0].

Calculate the 16 sub keys. Start with i = 1.

Perform one or two circular left shifts on both C[i-1]

and D[i-1] to get C[i] and D[i], respectively. The number
of shifts per iteration are given in the table below.

Iteration # 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Left Shifts 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
Permute the concatenation C[i]D[i] as indicated
below. This will yield K[i], which is 48 bits long.

Permuted Choice 2 (PC-2)

14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32 8 Ҳ 6 matrix
Example
The original 64-bit key with
parity bits

11011110 bits 1-8

00010000 bits 9-16
10011100 bits 17-24
01011000 bits 25-32
11101000 bits 33-40
10100100 bits 41-48
10100110 bits 49-56
00110000 bits 57-64
The 56-bit key
(parity bits stripped) The original positions
of the bits after the
parity is stripped:
11011110 bits 1-8
00010000 bits 9-16 1 2 3 4 5 6 7
10011100 bits 17-24 9 10 11 12 13 14 15
01011000 bits 25-32 17 18 19 20 21 22 23
11101000 bits 33-40 25 26 27 28 29 30 31
33 34 35 36 37 38 39
10100100 bits 41-48
41 42 43 44 45 46 47
10100110 bits 49-56 49 50 51 52 53 54 55
00110000 bits 57-64 57 58 59 60 61 62 63
The positions of the remained
56 bits after Permuted Choice
1 (PC-1)
The permuted 56-bit key:
57 49 41 33 25 17 9
0111010
1 58 50 42 34 26 18
1000110
10 2 59 51 43 35 27
0110001
19 11 3 60 52 44 36
0001000
63 55 47 39 31 23 15
0100000
7 62 54 46 38 30 22
1011001
14 6 61 53 45 37 29
0100011
21 13 5 28 20 12 4
1011111
Split the permuted key into two halves. The first
28 bits are called C[0] and the last 28 bits are
called D[0].

C[0]

0111010
1000110
0110001
0001000

D[0]

0100000
1011001
0100011
1011111
Calculate the 16 sub keys. Start with i = 1
Perform one or two circular left shifts on both C[i-1] and
D[i-1] to get C[i] and D[i], respectively. The number of
shifts per iteration are given in the table below.
Iteration # 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Left Shifts 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1

0111010 0100000
1000110 1011001
0110001 0100011
0001000 1011111
C[0]
0111010100011001100010001000

D[0]
0100000101100101000111011111
Find C[1] & D[1] and so on
C[1]
1110101000110011000100010000

D[1]
1000001011001010001110111110

C[2]
1101010001100110001000100001

D[2]
0000010110010100011101111101

C[3]
0101000110011000100010000111

D[3]
0001011001010001110111110100
C[0]
C[0]D[0]
0111010 0 1 1 1 0 1 0 bits 1-7
1000110 1 0 0 0 1 1 0 bits 8-14
0110001 0 1 1 0 0 0 1 bits 15-21
0001000 0 0 0 1 0 0 0 bits 22-28
0 1 0 0 0 0 0 bits 29-35
D[0] 1 0 1 1 0 0 1 bits 36-42
0 1 0 0 0 1 1 bits 43-49
0100000 1 0 1 1 1 1 1 bits 50-56
1011001
0100011
1011111
Permute the concatenation C[i]D[i] as indicated
below. This will yield K[i], which is 48 bits long.

Permuted Choice 2 (PC-2)

K[1]
14 17 11 24 1 5 010000
3 28 15 6 21 10 100110
23 19 12 4 26 8 001101
16 7 27 20 13 2 100011
41 52 31 37 47 55 010001
30 40 51 45 33 48 100001
44 49 39 56 34 53 111101
46 42 50 36 29 32 011100

Loop back until K[16] has been calculated

Double encryption and decryption with a weak key
A pair of semi-weak keys in encryption and decryption
The first approach is to use double DES (2DES).
Meet-in-the-Middle Attack
However, using a known-plaintext attack called meet-in-
the-middle attack proves that double DES improves this
vulnerability slightly (to 257 tests), but not tremendously
(to 2112).
Meet-in-the-middle attack for double DES
Triple DES
Triple DES with two keys