Introduction To Network Security: Theory And Practice (2015)
Chapter 2. Data Encryption Algorithms
2.2 Data Encryption Standard
The DES was published by the U.S. National Bureau of Standards (NBS) in 1977. NBS was the predecessor of the U.S. National Institute of Standards and Technology (NIST). DES was based on the Lucifer encryption algorithm developed by an IBM research group led by Horst Feistel. In particular, DES is a concrete realization of the Feistel cipher scheme. Its encryption and decryption structures are symmetrical, and they use four basic operations: exclusive-OR, permutation, substitution, and circular shift. DES was widely used from the mid-1970s to the early 2000s. Although gradually phasing out, DES played an important role in modern cryptography and represents a popular design paradigm for data encryption.
2.2.1 Feistel's Cipher Scheme
The Feistel cipher scheme (FCS) divides the plaintext string into a sequence of blocks, each of which is 
bits long. FCS only uses basic operations of XOR and substitution. Let 
be a positive integer. FCS first generates 
subkeys of a fixed length from the encryption key 
. Let these subkeys be 
. Let 
denote the substitution function that takes an 
-bit binary string and a subkey as input and generates an 
-bit binary string as output. Divide a 
-bit plaintext block 
into two halves 
and 
of equal length, where and are, respectively, the prefix substring and the suffix substring of 
. The FCS encryption and decryption algorithms each executes rounds of a fixed sequence of operations (see Figure 2.1).
Figure 2.1 Feistel cipher scheme block diagram
FCS encryption executes the following operations in round 
, where 
:
2.1
2.2
After rounds, the plaintext block 
is transformed to 
. Let 
and 
be the output of FCS encryption. That is, the FCS encryption algorithm produces a ciphertext block 
.
Rewrite 
as 
; namely, let 
and 
. The FCS decryption algorithm is symmetrical to the FCS encryption algorithm, except that the subkeys are applied in the reverse order. In particular, the FCS decryption algorithm executes the following operations in round , where 
:
2.3
2.4
After rounds, the ciphertext block 
is transformed to 
. Let 
and 
, and let 
be the output of FCS decryption.
We now show that the ciphertext block 
is transformed back to the plaintext block . Because the output of the FCS decryption is 
, it suffices to show the following equality:
Here is a proof. Note that 
and 
, and so it suffices to show that 
and 
. We can use mathematical induction to show that for any integer with 
, we have
2.5
2.6
Let 
, and we will get what we need to prove.
The mathematical induction proof is given as follows. We first note that 
and 
. Thus, when 
, Equalities 2.5 and 2.6 hold.
Induction hypothesis: for any positive integer 
, we have
It follows from Equality 2.3, the induction hypothesis, and Equality 2.1 that
Thus, Equality 2.5 is true.
From Equality 2.4 (the induction hypothesis), Equality 2.2, and Equality 2.1, we have
Thus, Equality 2.6 is true. This completes the proof of the correctness of the FCS decryption algorithm.
DES is an instance of FCS with 
. That is, the block size of DES is 
. The length of DES encryption keys is 56 bits. However, a DES encryption key is represented as a 64-bit binary string, where the 
th bit 
is the parity bit of the seven bits immediately before it. The parity bit is used for error detection. Let 
be an encryption key. DES first generates 16 subkeys from , where each subkey has exactly 48 bits. There are 
rounds of executions in DES.
2.2.2 DES Subkeys
Let 
be an encryption key of DES. To generate 16 subkeys, DES first removes each 
th bit from . For convenience, we still use to denote the new string. DES then permutes the remaining 56 bits using the initial permutation 
as follows, where bits are listed row wise:
It is evident that 
permutes in the following way: the indexes of the first 28 bits start from 57 such that each next index is equal to the current index minus 8 mod 65. The indexes of the next 24 bits start from 63 such that each next index is equal to the current index minus 8 mod 63. The indexes of the last four bits start from 28 such that each next index is equal to the current index minus 8.
The modular operation is a common operation when dealing with integers in a finite domain. Let 
be a positive integer and 
be a non-negative integer. Then “
mod 
” is the remainder of dividing by . If 
and its absolute value 
, then mod is equal to the smallest positive integer 
such that 
. For instance, 
mod 
.
Let 
be a 56-bit binary string, where 
. Let 
be a compress permutation that takes 
as input and produces a 48-bit string as output. is defined as follows, where bits are listed row wise:
Let 
be a 28-bit binary string. Let 
denote the new string obtained by shifting circularly to the left 
() times, where () is defined as follows:
|
|
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
|
|
1 |
1 |
2 |
2 |
2 |
2 |
2 |
2 |
1 |
2 |
2 |
2 |
2 |
2 |
2 |
1 |
(Rewrite as 
, where both 
and 
are 28-bit binary strings. Then the th subkey 
is generated as follows, where 
:
For instance, let
Then
Thus,
2.2.3 DES Substitution Boxes
The substitution function 
in DES is defined using eight special matrices. They are referred to as substitution boxes or S-Boxes in short. Each S-Box is a 
matrix (see Table 2.1), where each row in each S-Box is a permutation of integers from 0 to 15. We label these S-Boxes as 
. For each 
with 
, write
Table 2.1 DES S-Boxes
|
|
14 |
4 |
13 |
1 |
2 |
15 |
11 |
8 |
3 |
10 |
6 |
12 |
5 |
9 |
0 |
7 |
|
0 |
15 |
7 |
4 |
14 |
2 |
13 |
1 |
10 |
6 |
12 |
11 |
9 |
5 |
3 |
8 |
|
|
4 |
1 |
14 |
8 |
13 |
6 |
2 |
11 |
15 |
12 |
9 |
7 |
3 |
10 |
5 |
0 |
|
|
15 |
12 |
8 |
2 |
4 |
9 |
1 |
7 |
5 |
11 |
3 |
14 |
10 |
0 |
6 |
13 |
|
|
|
15 |
1 |
8 |
14 |
6 |
11 |
3 |
4 |
9 |
7 |
2 |
13 |
12 |
0 |
5 |
10 |
|
3 |
13 |
4 |
7 |
15 |
2 |
8 |
14 |
12 |
0 |
1 |
10 |
6 |
9 |
11 |
5 |
|
|
0 |
14 |
7 |
11 |
10 |
4 |
13 |
1 |
5 |
8 |
12 |
6 |
9 |
3 |
2 |
15 |
|
|
13 |
8 |
10 |
1 |
3 |
15 |
4 |
2 |
11 |
6 |
7 |
12 |
0 |
5 |
14 |
9 |
|
|
|
10 |
0 |
9 |
14 |
6 |
3 |
15 |
5 |
1 |
13 |
12 |
7 |
11 |
4 |
2 |
8 |
|
13 |
7 |
0 |
9 |
3 |
4 |
6 |
10 |
2 |
8 |
5 |
14 |
12 |
11 |
15 |
1 |
|
|
13 |
6 |
4 |
9 |
8 |
15 |
3 |
0 |
11 |
1 |
2 |
12 |
5 |
10 |
14 |
7 |
|
|
1 |
10 |
13 |
0 |
6 |
9 |
8 |
7 |
4 |
15 |
14 |
3 |
11 |
5 |
2 |
12 |
|
|
|
7 |
13 |
14 |
3 |
0 |
6 |
9 |
10 |
1 |
2 |
8 |
5 |
11 |
12 |
4 |
15 |
|
13 |
8 |
11 |
5 |
6 |
15 |
0 |
3 |
4 |
7 |
2 |
12 |
1 |
10 |
14 |
9 |
|
|
10 |
6 |
9 |
0 |
12 |
11 |
7 |
13 |
15 |
1 |
3 |
14 |
5 |
2 |
8 |
4 |
|
|
3 |
15 |
0 |
6 |
10 |
1 |
13 |
8 |
9 |
4 |
5 |
11 |
12 |
7 |
2 |
14 |
|
|
|
2 |
12 |
4 |
1 |
7 |
10 |
11 |
6 |
8 |
5 |
3 |
15 |
13 |
0 |
14 |
9 |
|
14 |
11 |
2 |
12 |
4 |
7 |
13 |
1 |
5 |
0 |
15 |
10 |
3 |
9 |
8 |
6 |
|
|
4 |
2 |
1 |
11 |
10 |
13 |
7 |
8 |
15 |
9 |
12 |
5 |
6 |
3 |
0 |
14 |
|
|
11 |
8 |
12 |
7 |
1 |
14 |
2 |
13 |
6 |
15 |
0 |
9 |
10 |
4 |
5 |
3 |
|
|
|
12 |
1 |
10 |
15 |
9 |
2 |
6 |
8 |
0 |
13 |
3 |
4 |
14 |
7 |
5 |
11 |
|
10 |
15 |
4 |
2 |
7 |
12 |
9 |
5 |
6 |
1 |
13 |
14 |
0 |
11 |
3 |
8 |
|
|
9 |
14 |
15 |
5 |
2 |
8 |
12 |
3 |
7 |
0 |
4 |
10 |
1 |
13 |
11 |
6 |
|
|
4 |
3 |
2 |
12 |
9 |
5 |
15 |
10 |
11 |
14 |
1 |
7 |
6 |
0 |
8 |
13 |
|
|
|
4 |
11 |
2 |
14 |
15 |
0 |
8 |
13 |
3 |
12 |
9 |
7 |
5 |
10 |
6 |
1 |
|
13 |
0 |
11 |
7 |
4 |
9 |
1 |
10 |
14 |
3 |
5 |
12 |
2 |
15 |
8 |
6 |
|
|
1 |
4 |
11 |
13 |
12 |
3 |
7 |
14 |
10 |
15 |
6 |
8 |
0 |
5 |
9 |
2 |
|
|
6 |
11 |
13 |
8 |
1 |
4 |
10 |
7 |
9 |
5 |
0 |
15 |
14 |
2 |
3 |
12 |
|
|
|
13 |
2 |
8 |
4 |
6 |
15 |
11 |
1 |
10 |
9 |
3 |
14 |
5 |
0 |
12 |
7 |
|
1 |
15 |
13 |
8 |
10 |
3 |
7 |
4 |
12 |
5 |
6 |
11 |
0 |
14 |
9 |
2 |
|
|
7 |
11 |
4 |
1 |
9 |
12 |
14 |
2 |
0 |
6 |
10 |
13 |
15 |
3 |
5 |
8 |
|
|
2 |
1 |
14 |
7 |
4 |
10 |
8 |
13 |
15 |
12 |
9 |
0 |
3 |
5 |
6 |
11 |
Let 
be a function that takes a 48-bit string as input and produces a 32-bit binary string as output. In particular, let 
be a 48-bit binary string, where 
. We use 
to denote the substring 
. Divide into eight 6-bit blocks:
For each 6-bit block 
(
), we use the 
th S-Box to generate a 4-bit binary string as output, denoted by 
, as follows:
Let 
, where 
for 
. Let 
denote the binary representation for a row number and 
denote the binary representation for a column number. Then define 
to be the number in the 4-bit binary representation at row 
and column 
in matrix 
; namely,
For example, if 
, then 
.
Let
Then () transforms the 48-bit input 
to a 32-bit output.
The constructions of the S-Boxes followed a clear set of criteria for the purpose of resisting possible attacks. They were also bound by the computing technologies available in the mid-1970s. For example, the reason why an S-Box has a 6-bit input and a 4-bit output is due to the chip technology available at that time. It took several months of computing time at that time to compute the S-Boxes that satisfy all the criteria. Because the set of criteria for the S-Boxes was not published and because NSA played a role in selecting DES, many people suspected that NSA had planted backdoors in these S-Boxes so that NSA can decipher DES-encrypted messages should they decide to do so. This of course was sheer speculation. In the 1990s, the set of criteria used by the DES design team was discovered by cryptanalysts not in the team. After this, IBM finally decided to publish the original set of criteria for constructing the S-Boxes.
2.2.4 DES Encryption
DES implements its substitution function 
using permutations, exclusive-OR, subkeys, and substitutions from the S-Boxes. In particular, for each 32-bit half block 
, DES first uses a function called expansion permutation, denoted by EP, to expand it into a 48-bit string. It then XORs this string with a 48-bit subkey, takes the resulting 48-bit output as the input of function 
to generate a 32-bit string, and permutes this string to generate a 32-bit string 
.
2.2.4.1 Expansion Permutation
Let 
be a 32-bit binary string. The expansion permutation EP on 
is defined as follows, where bits are listed row wise:
We note that in EP(), the indexes of the four middle columns are 
; the indexes of the first column start from 32, where the next index is the current index plus 4 mod 32; and the indexes of the last column start from 5, where the next index is the current index plus 4 mod 32.
2.2.4.2 DES Substitution
Let 
be a 32-bit binary string. Permuting 
using the following permutation 
, where bits are listed row wise:
DES defines its substitution function as follows:
2.2.4.3 Encryption Steps
Let 
be a 64-bit binary string. Define a permutation 
as follows: it first reverses 
as 
. It then lists the prefix 
into four columns from right to left, where each column has exactly eight rows. It also lists the suffix 
into four columns from right to left, where each column has exactly eight rows, and inserts them alternately in the prefix columns. That is, according to the listing order, we have
The permutation enumerates the elements in this list row wise. Denote by 
the inverse of 
.
Let 
be a plaintext block. Define an initial permutation IP by 
. It is straightforward to verify that IP(
) is equal to the following string, where each number 
represents bit 
(
) and bits are listed row wise:
It is easy to see that the indexes of the first two rows in IP() start from 58, where the next index is equal to the current index minus 8 mod 66; and the indexes of the last two rows in IP(
) start from 57, where the next index is equal to the current index minus 8 mod 66.
Let 
. Then 
is the inverse of IP(
), defined as follows, where each number represents bit 
and bits are listed row wise:
It is straightforward to verify that 
. For example, let 
. Because IP changes 
to 
and 
changes 
to 
, where 
and 
, we know that 
changes 
back to 
.
Let 
and be, respectively, a 64-bit plaintext block and a 64-bit encryption key with added parity bits. Let 
be the 16 subkeys generated from as described in Section 2.2.2. The DES encryption steps are given as follows:
1. Rewrite 
, where 
.
2. For 
, execute the following operations in order:
3. Finally, let 
. (Note that the input of 
is 
, not 
.)
2.2.5 DES Decryption and Correctness Proof
DES decryption is symmetrical to DES encryption, except that subkeys are applied in the reverse order. The DES decryption steps are given as follows:
1. Rewrite 
, where .
2. For , execute the following operations in order
3. Finally, let 
; we then obtain back the plaintext block .
To prove the correctness of DES decryption, we need to show that
Because 
, we have 
and 
. We note that except IP is used before round 1 starts and after round 16, the rest of DES is a concrete implementation of FCS. It follows from FCS decryption that 
and 
. Thus,
This completes the proof.
2.2.6 DES Security Strength
The security strength of DES depends on the number of rounds, the length of encryption key, and the construction of the substitution function. A substantial number of experiments have demonstrated that DES encryption provides good diffusion and confusion effects.
It can be shown that if the number of rounds in DES encryption is less than 16, then differential cryptanalysis can break DES encryption in a reasonable amount of time.
The length of a DES encryption key is 56 bits, which was sufficient to resist brute-force attacks in the 1970s to 1980s. However, the 56-bit key length was no longer secure in the late 1990s due to advancements of computer technologies and algorithms. For example, in 1999, the Electronic Frontier Foundation (EFF) based in the United States spent less than $250,000 to build a special-purpose supercomputer, named “DES Cracker,” to crack DES encryptions. Working with Distributed.Net and a worldwide network of nearly 100,000 PCs on the Internet, DES Cracker broke in 22 hours the “DES Challenge III” encrypted message. The DES Challenges were a series of DES-encrypted messages posted by RSA Data Security in 1997. DES Challenge III was the last one to be broken. This indicated that the DES era was approaching its end.
Does this mean that all the manpower and resources spent over the years in developing hardware and software DES products were down the drain? It is true that DES encryption keys are too short to resist brute-force attacks, but DES has other good properties that have resisted many other attacks. Thus, it is reasonable to look for ways to effectively extend the DES encryption key length without changing the DES algorithms. Fortunately, it can be shown that DES is not a group. Therefore, applying DES multiple times is different from applying DES a single time. In other words, for any three 56-bit DES encryption keys 
, we have 
, where 
represents DES encryption with key 
. We note that this property may not be true in other encryption algorithms. For example, in XOR encryption, for any given encryption keys 
and 
, let 
, then
where 
represents XOR encryption.