Digital Encryption Standard

The Data Encryption Standard (DES), known as the Data Encryption Algorithm (DEA) by ANSI and the DEA-1 by ISO, has been the world wide standard since the late 1970s and was originally developed by IBM in 1974. It is a symmetric (private key) system that has held up remarkably well against years of cryptanalysis. In order for it to be acceptable as the standard encryption algorithm, DEA had to meet with the following specifications:

• be completely specified and easy to understand;

• the security of the algorithm must reside in the key (the security should not depend on the secrecy of the algorithm);

• the algorithm must be available to all users;

• the algorithm must be acceptable for use in diverse applications; • it must be economically implementable in electronic devices; • it must be efficient to use;

• it must be able to be validated; • it must be exportable.

DES is a block cipher using 64-bit blocks. The key length is 56-bits, a relatively low key length which is why DES was upgraded to DES3 in the 1990s. The key is usually expressed as a 64-bit number, but every 8th-bit is used for parity checking and is ignored. The security of DES resides within the key(s). The algorithm operates on a 64-bit block of plaintext. After an initial permutation, the block is split into two halves, each 32-bits long. The algorithm then initiates 16 rounds of identical operations in which the data is combined with the key. After the 16th-round, the two halves are joined, and a final permutation (the inverse of the initial permutation) completes the algorithm. In each round the key bits are shifted, and then 48-bits are selected from the 56-bits of the key. The right half of the data is expanded to 48-bits via an expansion permutation, combined with 48-bits of the shifted and permuted key via an XOR opertaion, sent through 8 ‘S-boxes’ producing 32 new bits, and permuted again. These four operations constitute a function f . The output of function f is then combined with the left half via another XOR operation. The result of these operations becomes the new right half; the old right half becomes the new left half. These operations are repeated 16 times

In effect, DES is based on randomisation of the data via the process of shuffling. If Bi is the result of an iteration, Li and Ri are the left and right halves of Bi, Ki is the 48-bit key for round i, and f is the function includes the substituting, permuting and XORing with the key, then a round is as follows:

Li = Ri−1

Ri = Li−1⊕ f (Ri−1, Ki)

DES processes plaintext blocks of n = 64 bits, producing 64-bit ciphertext blocks. The effective size of the key K is 56 bits; more precisely, the input key K is specified as a 64-bit key, 8 bits of which (bits 8, 16, ... 64) may be used as parity bits. The 256 keys implement (at most) 256 of 264 possible bijections on 64-bit blocks. The

encryption process proceeds in 16 stages of rounds. From the input key K, sixteen 48-bit subkeys Ki are generated, one for each round. Within each round, eight fixed carefully selected 6-to-4 bit substitution mappings (S-boxes) Si, collectively denote S, are used. The 64-bit plaintext is divided into 32-bit halves L0 and R0. Each round is functionally equivalent, taking 32-bit inputs Li−1and Ri−1from a previous round and producing a 32-bit output. If E is taken to denote a fixed expression permutation, mapping Ri − 1 from 32 to 48-bits (all bits are used once, some are used twice) and P is another permutation on 32-bits, then an initial permutation (IP ) precedes the first round. Following the last round, the left and right halves are exchanged and, finally, the resulting string is bit permuted by the inverse of IP . Decryption involves the same key and algorithm, but with subkeys applied to the internal rounds in the reverse order. A simplified view is that the right half of each round (after expanding a 32-bit input of 8 characters of 6-bits each) carries out key-dependent substitutions on each of the 8 characters and then uses a fixed bit transposition to redistribute the bits of the resulting characters to produce a 32-bit output.

Using a step-by-step approach, the DES algorithm is given below.

Input: plaintext m1, ..., m64; 64-bit key K = k1, ..., k64 (includes 8 parity bits) Output: 64-bit ciphertext block C = c1, ..., c64

1. (Key schedule) Compute sixteen 48-bit round keys Ki from K (using the DES key schedule algorithm - see below).

2. (L0, R0) ← IP (m1, m2, ..., m64).

3. (16 rounds) for i from 1 to 16, compute Liand Ri, with f (Ri−1, Ki) = P (S(E(Ri−1⊕ Ki))) computed as follows:

(a) Expand Ri−1= r1, r2, ..., r32 from 32 to 48 bits, i.e. T ← E(Ri−1) so that T = r32, r1, r2, ..., r32, r1.

(b) T 0 ← T ⊕Kiwhere T 0 is represented as eight 6-bit character strings (B1, ..., B8) = T 0.

(c) T 00 ← (S1(B1), S2(B2), ..., Ss(Bs)). Here Si(Bi) maps Bi = b1, b2, ..., b6. (d) T 000 ← P (T 00).

5. C ← IP−1(b1, b2, ..., b64).

Key Schedule Algorithm

Input: 64-bit key K = k1, ..., k64 (including 8 odd-parity bits). Output: sixteen 48-bit keys Ki, 1 ≤ i ≤ 16

1. Define vi, 1 ≤ i ≤ 16 as follows: vi = 1 for i ∈ 1, 2, 9, 16, vi = 2 otherwise. (These are left-shift values for 28-bit circular rotations.)

2. T ← P CI(K) where T is represented as 28-bit halves (C0, D0). 3. For i from 1 to 16 compute Ki as follows:

Ci← (Ci−1← vi), Di ← (Di−1← vi), Ki← P C2(Ci, Di)

Since its invention in the 1970s, the security of DES has been studied intensively. Special techniques such as differential and linear cyptanalysis have been used to attack DES, but the most successful attacks have been based on exhaustive searches of the key space. With special hardware of large networks and workstations, it is now possible to decrypt DES ciphertexts in a few days or even hours. In addition, the Electronic Frontier Foundation (EFF) have sponsored the development of a crypto chip named Deep Crack that can process 88 billion DES keys per second and has successfully cracked 56-bit DES in a few days. For example, in the paper Six Ways to Break DES [127] outlines various methods that can be used to break the encryption. Today, DES can only be considered secure if triple encryption is used. In this context, it is important to know that DES is not a group. This means that for the two DES keys K1 and K2 there is, in general, not a third DES key K3 such that DES(k1) ◦ DES(k2) = DES(k3). If DES were a group, then multiple encryption would not lead to increased security. In fact, the subgroup that the DES encryption permutations generate in the permutation group S64! is at least of the order of 102499. Hence, triple encryption DES or DES3 has become the preferred standard for symmetric encryption systems world wide since the 2001. Sometimes known as triple DES, this is a block cipher formed from the DES algorithm,. 3DES uses 2 56-bit keys, giving an effective key length of 112 bits, and performs DES encryption on the data three times using these keys. However, DES3 is slowly disappearing from use, largely replaced by its natural successor, the Advanced Encryption Standard (AES). One large-scale exception is within the electronic payments industry, which still uses DES3 extensively and continue to develop and promulgate standards based upon it. This guarantees that DES3 will remain an active cryptographic standard well into

the future. By design, DES and therefore DES3, suffer from slow performance in software; on modern processors, AES tends to be around six times faster. DES3 is better suited to hardware implementations, and indeed where it is still used it tends to be with a hardware implementation but even so, AES outperforms it. AES like DES and DES3 uses a transposition approach rather than substitution.