Chapter 2

The Data Encryption Standard (DES)

As mentioned earlier there are two main types of cryptography in use today - symmet-
ric or secret key cryptography and asymmetric or public key cryptography. Symmet-
ric key cryptography is the oldest type whereas asymmetric cryptography is only being
used publicly since the late 1970s1 . Asymmetric cryptography was a major milestone
in the search for a perfect encryption scheme.
Secret key cryptography goes back to at least Egyptian times and is of concern here.
It involves the use of only one key which is used for both encryption and decryption
(hence the use of the term symmetric). Figure 2.1 depicts this idea. It is necessary for
security purposes that the secret key never be revealed.

Secret Key (K) Secret Key (K)

? ?
Plaintext (P ) - E{P,K} - Ciphertext (C) - D{C,K} - Plaintext (P )

Figure 2.1: Secret key encryption.

To accomplish encryption, most secret key algorithms use two main techniques known
as substitution and permutation. Substitution is simply a mapping of one value to
another whereas permutation is a reordering of the bit positions for each of the inputs.
These techniques are used a number of times in iterations called rounds. Generally,
the more rounds there are, the more secure the algorithm. A non-linearity is also
introduced into the encryption so that decryption will be computationally infeasible2
without the secret key. This is achieved with the use of S-boxes which are basically
non-linear substitution tables where either the output is smaller than the input or vice
versa.
1
It is claimed by some that government agencies knew about asymmetric cryptography before this.
2
This means that it costs more to implement the attack than the information is worth.

10
Chapter 2 The DES Algorithm

One of the main problems with secret key cryptography is key distribution. For this
form of cryptography to work, both parties must have a copy of the secret key. This
would have to be communicated over some secure channel which, unfortunately, is not
that easy to achieve. As will be seen later, puplic key cryptography provides a solution
to this.

2.1 Brief history of DES

Up until recently, the main standard for encrypting data was a symmetric algorithm
known as the Data Encryption Standard (DES). However, this has now been replaced
by a new standard known as the Advanced Encryption Standard (AES) which we
will look at later. DES is a 64 bit block cipher which means that it encrypts data 64
bits at a time. This is contrasted to a stream cipher in which only one bit at a time (or
sometimes small groups of bits such as a byte) is encrypted.
DES was the result of a research project set up by International Business Machines
(IBM) corporation in the late 1960s which resulted in a cipher known as LUCIFER. In
the early 1970s it was decided to commercialise LUCIFER and a number of significant
changes were introduced. IBM was not the only one involved in these changes as
they sought technical advice from the National Security Agency (NSA) (other outside
consultants were involved but it is likely that the NSA were the major contributors
from a technical point of view). The altered version of LUCIFER was put forward as
a proposal for the new national encryption standard requested by the National Bureau
of Standards (NBS)3 . It was finally adopted in 1977 as the Data Encryption Standard -
DES (FIPS PUB 46).
Some of the changes made to LUCIFER have been the subject of much controversy
even to the present day. The most notable of these was the key size. LUCIFER used
a key size of 128 bits however this was reduced to 56 bits for DES. Even though DES
actually accepts a 64 bit key as input, the remaining eight bits are used for parity
checking and have no effect on DESs security. Outsiders were convinced that the 56
bit key was an easy target for a brute force attack4 due to its extremely small size. The
need for the parity checking scheme was also questioned without satisfying answers.
Another controversial issue was that the S-boxes used were designed under classified
conditions and no reasons for their particular design were ever given. This led people
to assume that the NSA had introduced a trapdoor through which they could decrypt
any data encrypted by DES even without knowledge of the key. One startling discovery
was that the S-boxes appeared to be secure against an attack known as Differential
Cryptanalysis which was only publicly discovered by Biham and Shamir in 1990.
This suggests that the NSA were aware of this attack in 1977; 13 years earlier! In fact
the DES designers claimed that the reason they never made the design specifications for
the S-boxes available was that they knew about a number of attacks that werent public

3
Now known as the National Institute of Standards and Technology (NIST).
4
This is where every possible key is tried in order to determine the actual key.

11
Chapter 2 The DES Algorithm

knowledge at the time and they didnt want them leaking - this is quite a plausible
claim as differential cryptanalysis has shown. However, despite all this controversy, in
1994 NIST reaffirmed DES for government use for a further five years for use in areas
other than classified.
DES of course isnt the only symmetric cipher. There are many others, each with vary-
ing levels of complexity. Such ciphers include: IDEA, RC4, RC5, RC6 and the new
Advanced Encryption Standard (AES). AES is an important algorithm and was orig-
inally meant to replace DES (and its more secure variant triple DES) as the standard
algorithm for non-classified material. However as of 2003, AES with key sizes of 192
and 256 bits has been found to be secure enough to protect information up to top se-
cret. Since its creation, AES had underdone intense scrutiny as one would expect for
an algorithm that is to be used as the standard. To date it has withstood all attacks but
the search is still on and it remains to be seen whether or not this will last. We will
look at AES later in the course.

2.2 Inner workings of DES

DES (and most of the other major symmetric ciphers) is based on a cipher known as
the Feistel block cipher. This was a block cipher developed by the IBM cryptography
researcher Horst Feistel in the early 70s. It consists of a number of rounds where
each round contains bit-shuffling, non-linear substitutions (S-boxes) and exclusive OR
operations. Most symmetric encryption schemes today are based on this structure
(known as a feistel network).
As with most encryption schemes, DES expects two inputs - the plaintext to be en-
crypted and the secret key. The manner in which the plaintext is accepted, and the key
arrangement used for encryption and decryption, both determine the type of cipher it
is. DES is therefore a symmetric, 64 bit block cipher as it uses the same key for both
encryption and decryption and only operates on 64 bit blocks of data at a time5 (be they
plaintext or ciphertext). The key size used is 56 bits, however a 64 bit (or eight-byte)
key is actually input. The least significant bit of each byte is either used for parity (odd
for DES) or set arbitrarily and does not increase the security in any way. All blocks are
numbered from left to right which makes the eight bit of each byte the parity bit.
Once a plain-text message is received to be encrypted, it is arranged into 64 bit blocks
required for input. If the number of bits in the message is not evenly divisible by 64,
then the last block will be padded. Multiple permutations and substitutions are incor-
porated throughout in order to increase the difficulty of performing a cryptanalysis on
the cipher. However, it is generally accepted that the initial and final permutations offer
little or no contribution to the security of DES and in fact some software implementa-
tions omit them (although strictly speaking these are not DES as they do not adhere to

5
This was a typical block size used in cryptographic algorithms for the past number of years as it
made attacks difficult to implement but was small enough for efficient manipulation. With the introduc-
tion of AES the block size has increased to at least 128 bits.

12
Chapter 2 The DES Algorithm

the standard).

2.2.1 Overall structure

Figure 2.2 shows the sequence of events that occur during an encryption operation.
DES performs an initial permutation on the entire 64 bit block of data. It is then split
into 2, 32 bit sub-blocks, Li and Ri which are then passed into what is known as a
round (see figure 2.3), of which there are 16 (the subscript i in Li and Ri indicates
the current round). Each of the rounds are identical and the effects of increasing their
number is twofold - the algorithms security is increased and its temporal efficiency
decreased. Clearly these are two conflicting outcomes and a compromise must be
made. For DES the number chosen was 16, probably to guarantee the elimination of
any correlation between the ciphertext and either the plaintext or key6 . At the end of the
16th round, the 32 bit Li and Ri output quantities are swapped to create what is known
as the pre-output. This [R16 , L16 ] concatenation is permuted using a function which
is the exact inverse of the initial permutation. The output of this final permutation is
the 64 bit ciphertext.

64-bit plaintext 56-bit key

... ...
? ? ? ? ? ? ? ?
Initial Permutation Permuted choice 1
32 bits 32 bits 56 bits
K1
? ? ?
Round 1 48 bits Permuted choice 2 
56 bits Left circular shift
32 bits 32 bits 56 bits
K2
? ? ?
Round 2 48 bits Permuted choice 2 
56 bits Left circular shift
? ? ?

32 bits
? ?
32 bits 56 bits
?
? ? ?
? ? K15 ?
Round 15 
48 bits Permuted choice 2 
56 bits Left circular shift
32 bits 32 bits 56 bits
? ? K16 ?
Round 16 
48 bits Permuted choice 2 
56 bits Left circular shift
32 bits ? ?32 bits

32 bit Swap
64 bits
?
Inverse Permutation
...
? ? ? ?
64-bit ciphertext

Figure 2.2: Flow Diagram of DES algorithm for encrypting data.

So in total the processing of the plaintext proceeds in three phases as can be seen from

6
No reason was given in the design specification as to why 16 rounds were chosen.

13
Chapter 2 The DES Algorithm

the left hand side of figure 2.2:

1. Initial permutation (IP - defined in table 2.1) rearranging the bits to form the
permuted input.
2. Followed by 16 iterations of the same function (substitution and permutation).
The output of the last iteration consists of 64 bits which is a function of the
plaintext and key. The left and right halves are swapped to produce the preoutput.
3. Finally, the preoutput is passed through a permutation (IP1 - defined in table
2.1) which is simply the inverse of the initial permutation (IP). The output of
IP1 is the 64-bit ciphertext.

Table 2.1: Permutation tables used in DES.

As figure 2.2 shows, the inputs to each round consist of the Li , Ri pair and a 48 bit
subkey which is a shifted and contracted version of the original 56 bit key. The use of
the key can be seen in the right hand portion of figure 2.2:

Initially the key is passed through a permutation function (PC1 - defined in table
2.2)
For each of the 16 iterations, a subkey (Ki ) is produced by a combination of a left
circular shift and a permutation (PC2 - defined in table 2.2) which is the same

14
Chapter 2 The DES Algorithm

for each iteration. However, the resulting subkey is different for each iteration
because of repeated shifts.

Table 2.2: DES key schedule.

2.2.2 Details of individual rounds

Details of an individual round can be seen in figure 2.3. The main operations on the
data are encompassed into what is referred to as the cipher function and is labeled F.
This function accepts two different length inputs of 32 bits and 48 bits and outputs a
single 32 bit number. Both the data and key are operated on in parallel, however the
operations are quite different. The 56 bit key is split into two 28 bit halves Ci and Di
(C and D being chosen so as not to be confused with L and R). The value of the key
used in any round is simply a left cyclic shift and a permuted contraction of that used
in the previous round. Mathematically, this can be written as

Ci = Lcsi (Ci1 ), Di = Lcsi (Di1 ) (2.1)

Ki = P C2 (Ci , Di ) (2.2)

15
Chapter 2 The DES Algorithm

where Lcsi is the left cyclic shift for round i, Ci and Di are the outputs after the shifts,
P C2 (.) is a function which permutes and compresses a 56 bit number into a 48 bit
number and Ki is the actual key used in round i. The number of shifts is either one
or two and is determined by the round number i. For i = {1, 2, 9, 16} the number of
shifts is one and for every other round it is two (table 2.2).

Operations on Data Operations on Key

 32 bits -  32 bits -  28 bits -  28 bits -
Li1 Ri1 Ci1 Di1
? ? ?

A

E-Table A Lcsi Lcsi

A

m
? ? ?
F  A

A PC2

? A

A
S-box

Ki
A

A

?
Perm.

- m
?

? ? ? ?
Li Ri Ci Di

Figure 2.3: Details of a single DES round.

The common formulas used to describe the relationships between the input to one
round and its output (or the input to the next round) are:

Li = Ri1 (2.3)

Ri = Li1 F(Ri1 , Ki ) (2.4)

where L and R have their usual meaning and F(.) is the cipher function. This function
F is the main part of every round and consists of four separate stages (see figure 2.4):

1. The E-box expansion permutation - here the 32-bit input data from Ri1 is ex-
panded and permuted to give the 48 bits necessary for combination with the
48 bit key (defined in table 2.1). The E-box expansion permutation delivers a
larger output by splitting its input into 8, 4-bit blocks and copying every first and
fourth bit in each block into the output in a defined manner. The security offered
by this operation comes from one bit affecting two substitutions in the S-boxes.

16
Chapter 2 The DES Algorithm

This causes the dependency of the output bits on the input bits to spread faster,
and is known as the avalanche affect.

2. The bit by bit addition modulo 2 (or exclusive OR) of the E-box output and 48
bit subkey Ki .

3. The S-box substitution - this is a highly important substitution which accepts a

48-bit input and outputs a 32-bit number (defined in table 2.3). The S-boxes are
the only non-linear operation in DES and are therefore the most important part
of its security. They were very carefully designed although the conditions they
were designed under has been under intense scrutiny since DES was released.
The reason was because IBM had already designed a set of S-boxes which were
completely changed by the NSA with no explanation why7 .
The input to the S-boxes is 48 bits long arranged into 8, 6 bit blocks (b1 , b2 , . . . , b6 ).
There are 8 S-boxes (S1 , S2 , . . . , S8 ) each of which accepts one of the 6 bit
blocks. The output of each S-box is a four bit number. Each of the S-boxes
can be thought of as a 4 16 matrix. Each cell of the matrix is identified by a
coordinate pair (i, j), where 0 i 3 and 0 j 15. The value of i is taken
as the decimal representation of the first and last bits of the input to each S-box,
i.e. Dec(b1 b6 ) = i and the value of j is take from the decimal representation
of the inner four bits that remain, i.e. Dec(b2 b3 b4 b5 ) = j. Each cell within the
S-box matrices contains a 4-bit number which is output once that particular cell
is selected by the input.

4. The P-box permutation - This simply permutes the output of the S-box without
changing the size of the data (defined in table 2.1). It is simply a permutation
and nothing else. It has a one to one mapping of its input to its output giving a
32 bit output from a 32 bit input.

2.3 Other points of note

Having looked at DES in some detail a brief look at some other points is in order.
These include decryption, modes of operation, security etc.

2.3.1 Modes of operation

The DES algorithm is a basic building block for providing data security. To apply
DES in a variety of applications, five modes of operation have been defined which
cover virtually all variation of use of the algorithm and these are shown in table 2.4.
We will be discussing these in more detail in the next lecture.

7
Later they claimed that there were certain attacks that they knew about , e.g. differential cryptanal-
ysis, which would have been revealed to the public if the design criteria had been exposed.

17
Chapter 2 The DES Algorithm

Table 2.3: S-box details.

Figure 2.4: The complex F function of the DES algorithm.

18
Chapter 2 The DES Algorithm

Table 2.4: DES modes of operation.

2.3.2 DES decryption

The decryption process with DES is essentially the same as the encryption process and
is as follows:

Use the ciphertext as the input to the DES algorithm but use the keys Ki in
reverse order. That is, use K16 on the first iteration, K15 on the second until K1
which is used on the 16th and last iteration.

2.3.3 Avalanche effect

A desirable property of any encryption algorithm is that a small change in either plain-
text or key should produce significant changes in the ciphertext. DES exhibits a strong
avalanche effect. Table 2.5 illustrates this.

19
Chapter 2 The DES Algorithm

Table 2.5: Avalanche effect - a small change in the plaintext produces a significant change in
the ciphertext.

2.3.4 Concern about the algorithm

As mentioned initially, since its adoption as a federal standard there have been concerns
about the level of security provided by DES in two areas, Key size and nature of the
algorithm.

56 bit key length (approx 7.2 1016 ) on initial consideration brute-force at-
tack seems impractical. However with a massively parallel machine of about
5000 nodes with each node capable of achieving a key search rate of 50 mil-
lion keys/sec, the time taken to do a brute-force search is approximately 100 hrs
which is far from excessive.

The nature of DES algorithm: of more concern is that cryptanalysis is possible

by exploiting the characteristics of DES. The focus is the eight S-boxes used
in each iteration. The design criteria for the complete algorithm has never been
published and there has been speculation that the boxes were constructed in such
a way that cryptanalysis is possible by an opponent who knows the weakness
in the S-boxes. Although this has not been established, the US governments

20
Chapter 2 The DES Algorithm

clipper project raises many question. These are the main reasons DES is now
being replaced by the AES standard which we will look at later on.

21