7. DES Algorithm(9)

Uploaded by

Rasedul Mannan

DES Algorithm

Dr. Risala Tasin Khan


Professor
IIT, JU

Modern Symmetric-key Ciphers:

Character-oriented Vs. Bit-oriented Ciphers:


The traditional symmetric-key ciphers are character-oriented ciphers.
Nowadays, the information to be encrypted is not just text; it can
also consist of numbers, graphics, audio, and video data. It is
convenient to convert these types of data into a stream of bits, to
encrypt the stream, and then to send the encrypted stream.
So, we need bit-oriented ciphers.
❖ When data is treated as the collection of bits, it becomes larger. Mixing a
larger number of symbols increases security.

Kinds of Modern Symmetric-key Ciphers:


Modern symmetric-key ciphers can be divided into two broad
categories:
1. Stream ciphers:
Stream cipher encrypts a single character or bit of plaintext at a time. It also
decrypts a single character or bit of ciphertext at a time.
2. Block ciphers:
A symmetric-key modern block cipher encrypts an n-bit block of plaintext or
decrypts an n-bit block of ciphertext together.
Stream Ciphers (continued…)
Example:

Given plaintext: 10011011110100001


Let the keystream be a stream of 1s and 0s.
If we use an exclusive or (XOR) with the keystream and plaintext, we
get ciphertext.
This keystream is called periodic, since the sequence '10' repeats over
and over.

Plaintext : 10011011110100001
Keystream : 10101010101010101
Ciphertext : 00110001011110100 (by XORing each plaintext bit with corresponding keystream bit)

To decrypt this ciphertext, all we need to do is again XOR the
ciphertext with the keystream:
Ciphertext : 00110001011110100
Keystream : 10101010101010101
Plaintext (XOR) : 10011011110100001

Block Ciphers:
Example
Plaintext : The only thing we have to fear is fear itself
Modified plaintext : Theonlythingwehavetofearisfearitself
Plaintext blocks : Theonlyt hingweha vetofear isfearit selfXend (break the plaintext into 8-character block)

Ciphertext blocks : tylnoehT ahewgnih raefotev tiraefsi dneXfles (just reverse each plaintext block)

Ciphertext : tylnoehTahewgnihraefotevtiraefsidneXfles

Components of a Modern Block Cipher:

Modern block ciphers normally are keyed substitution ciphers in which
the key allows only partial mappings from the possible inputs to the
possible outputs.
However, modern block ciphers normally are not designed as a single
unit.
To provide the required properties of a modern block cipher, such as
diffusion and confusion, a modern block cipher is made of a
combination of several units:
❑ Transposition units (called P-boxes)
❑ Substitution units (called S-boxes)
❑ Some other units

Components of a Modern Block Cipher (continued…):

P-Boxes:
A P-box (permutation box) is a component in a modern block cipher
that transposes bits.

Types of P-Boxes:
Three types of P-boxes are used in modern block ciphers:
(1) Straight P-Boxes

(2) Expansion P-Boxes

(3) Compression P-Boxes

Components of a Modern Block Cipher (continued…):
Straight P-Boxes:
A straight P-Box is a permutation which has n inputs and n outputs.
There are n! possible mappings.
The figure below shows a 5 x 5 straight P-box.

Figure: A 5x5 straight P-box

Example of all mappings for Straight P-Boxes:
The figure below shows a 3x3 straight P-box with all 6 (3!) possible mappings.

Figure: The possible mappings of a 3 × 3 Straight P-box

Components of a Modern Block Cipher (continued…):

Compression P-Boxes:
A compression P-box is a P-box with n inputs and m outputs where m < n.
Some of the inputs are blocked and do not reach the output.
The figure below shows a 5 x 3 compression P-box.

Figure: A 5x3 Compression P-box

The compression P-boxes used in modern block ciphers are normally keyless,
where a permutation table shows the rules for transposing bits.
Compression P-boxes are used when we need to permute bits and at the
same time decrease the number of bits for the next stage of
encryption/decryption.

Components of a Modern Block Cipher (continued…):

Expansion P-Boxes:
An expansion P-box is a P-box with n inputs and m outputs where m > n.
Some of the inputs are connected to more than one output.
The figure below shows a 3 x 5 expansion P-box.

Figure: A 3 x 5 Expansion P-box

The expansion P-boxes used in modern block ciphers normally are keyless,
where a permutation table shows the rules for transposing bits.
Expansion P-boxes are used when we need to permute bits and at the same
time increase the number of bits for the next stage of
encryption/decryption.

Components of a Modern Block Cipher (continued…):

S-Boxes:
An S-box (substitution box) can be thought of as a miniature
substitution cipher.
However, an S-box can have a different number of inputs and outputs.
In other words, the input to an S-box could be an n-bit word, but the
output can be an m-bit word, where m and n are not necessarily the
same.
Although an S-box can be keyed or keyless, modern block ciphers
normally use keyless S-boxes, where the mapping from the inputs to
the outputs is predetermined.

Components of a Modern Block Cipher (continued…):
Input-Output Relationship for a 3x2 S-Box by Table:
The following table defines the input/output relationship for an S-box of
size 3 × 2.
The leftmost bit of the input defines the row; the two rightmost bits of the
input define the column.
The two output bits are values on the cross section of the selected row and
column.

Table: Input-Output relationship for a 3 x 2 S-box

Based on the above S-box table, an input of 010 yields the output 01. An
input of 101 yields the output of 00.
Components of a Modern Block Cipher (continued…):
Kinds of Product Ciphers:
Modern block ciphers are all product ciphers, but they are divided into two
classes:
❑ Feistel ciphers
❑ Non-Feistel ciphers

❑ Feistel ciphers:
❖ In 1973, Feistel designed a very intelligent and interesting cipher that
has been used for decades. Several block ciphers are based on the
Feistel structure.
❖ This type of cipher uses both invertible and noninvertible components.
❖ A Feistel cipher can have three types of components: self-invertible,
invertible, and noninvertible.
❖ A Feistel cipher combines all noninvertible elements in a unit (called
mixer) and uses the same unit in the encryption and decryption
algorithms.
❖ The block ciphers DES, IDEA, and RC5 (Rivest’s Cipher) are good examples
of Feistel ciphers. But the Feistel design is not used in AES.

Components of a Modern Block Cipher (continued…):

❑ Non-Feistel ciphers:
This type of cipher uses only invertible components.
A component in the encryption cipher has the corresponding
component in the decryption cipher.
For example, S-boxes need to have an equal number of inputs and
outputs to be compatible. No compression or expansion P-boxes are
allowed, because they are not invertible.
❖ In a non-Feistel cipher, there is no need to divide the plaintext into two
halves as we saw in the Feistel ciphers.
❖ The block cipher AES is a good example of a non-Feistel cipher.

Confusion and Diffusion:
The terms diffusion and confusion were introduced by Claude Shannon to
capture the two basic building blocks of a product cipher.
Every block cipher involves a transformation of a block of plaintext into a block
of ciphertext, where the transformation depends on the key.
Hence, the block cipher needs to completely obscure the statistical properties of
the original message.
Shannon suggested combining S & P elements to obtain diffusion and
confusion.
❑ Diffusion (Substitution):
❖ The idea of diffusion is to hide the relationship between the ciphertext and
the plaintext. That is, the statistical relationship between the plaintext and
ciphertext is made as complex as possible in order to thwart attempts to
deduce the key. This will frustrate the adversary who uses ciphertext
statistics to find the plaintext.
❖ Diffusion implies that each symbol (bit) in the ciphertext is dependent on
some or all symbols in the plaintext. In other words, if a single symbol in
the plaintext is changed, several or all symbols in the ciphertext will also
be changed.
❑ Confusion (Transposition):
❖ The idea of confusion is to hide the relationship between the ciphertext
and the key. That is, the relationship between the ciphertext and the key
is made as complex as possible in order to thwart attempts to discover the
key. This will frustrate the adversary who tries to use the ciphertext to
find the key.
❖ In other words, if a single bit in the key is changed, most or all bits in the
ciphertext will also be changed.
Brief History of Data Encryption Standard (DES)
The Data Encryption Standard (DES) is a symmetric-key block cipher published
by the National Institute of Standards and Technology (NIST).
❑ In 1973, NIST published a request for proposals for a national symmetric-key
cryptosystem.
❑ A proposal from IBM, a modification of a research project called Lucifer, was accepted as
DES.
❑ DES was published in the Federal Register in March 1975 as a draft of the Federal
Information Processing Standard (FIPS).
❑ After the publication, IBM sought technical advice from the National Security Agency
(NSA) for the modification of Lucifer.
The modified version of LUCIFER was put forward as a proposal for the new
national encryption standard requested by the National Bureau of Standards
(NBS, now known as the National Institute of Standards and Technology,
NIST). It was finally adopted in 1977 as the Data Encryption Standard, DES
(FIPS PUB 46).
Some of the changes made to LUCIFER have been the subject of much
controversy even to the present day for two reasons:
❑ First, the critics questioned the small key length (only 56 bits) which could make
the cipher vulnerable to brute-force attack. Even though DES actually accepts a 64
bit key as input, the remaining eight bits are used for parity checking and have no
effect on DES’s security.
❑ Second, critics were concerned about some hidden design behind the internal
structure of DES. They were suspicious that some part of the structure (e.g. the
S-boxes) may have some hidden trapdoor that would allow the NSA to decrypt the
message without the need for the key.

Overview of DES

DES is a 64 bit block cipher with key length 56 bits.


In DES, the plaintext input bit string is divided into 64-bit blocks and
each block is encrypted using the same 56-bit key. The same key is
used for decryption. Hence, DES is a symmetric block cipher.
It was designed by IBM in 1976 for the National Bureau of Standards
(NBS), with approval from the National Security Agency (NSA).
It had been used as a standard method of encryption until 2000, but
with the increase in computer speed, it is no longer considered secure,
as a cryptanalyst can break the code by exhaustively searching all
the keys using a fast computer.
However, a modification of DES, called triple DES (or 3DES), is now
used, which is more secure and is difficult to break.
From 2001, DES has been replaced by a new standard known as the
Advanced Encryption Standard (AES).
After 25 years of analysis, the only security problem found with DES
is that its key length is too short.
Although its widespread use came to an end in 2000, its design idea
is still used in most block ciphers.

DES Structure
• DES uses a 56-bit key.
• Actually, the initial key consists of 64 bits.
• However, before the DES process even starts, every 8th bit of the key is discarded to produce a 56-bit key. That is, bit
positions 8, 16, 24, 32, 40, 48, 56, and 64 are discarded.
• Thus, the discarding of every 8th bit of the key produces
a 56-bit key from the original 64-bit key.

DES Structure
• DES is based on the two fundamental attributes of cryptography: substitution (also called confusion) and transposition (also called diffusion).
• DES consists of 16 steps, each of which is called a round.
• Each round performs the steps of substitution and transposition.
• In the first step, the 64-bit plain text block is handed over to an Initial Permutation (IP) function.
• The initial permutation is performed on the plain text.
• Next, the initial permutation (IP) produces two halves of the permuted block, called Left Plain Text (L0) and Right Plain Text (R0).
• Now each of L0 and R0 goes through 16 rounds of the encryption process.
• In the end, L0 and R0 are rejoined and a Final Permutation (FP) is performed on the combined block.
• The result of this process is the 64-bit ciphertext.

Initial Permutation (IP)
• The initial permutation (IP) happens only once
and it happens before the first round.
• It suggests how the transposition in IP should
proceed, as shown in the figure.
• For example, it says that the IP replaces the
first bit of the original plain text block with the
58th bit of the original plain text, the second bit
with the 50th bit of the original plain text
block, and so on.
• This is nothing but jugglery of the bit positions of
the original plain text block. The same rule
applies to all the other bit positions shown in
the figure.

• After IP is done, the resulting 64-bit
permuted text block is divided into two half
blocks.
• Each half-block consists of 32 bits, and
each of the 16 rounds, in turn, consists of
the broad-level steps outlined in the figure.

Key Transformation
• Initial 64-bit key is transformed into a 56-bit key by
discarding every 8th bit of the initial key.
• Thus, for each round, a 56-bit key is available.
• From this 56-bit key, a different 48-bit Sub Key is
generated during each round using a process called
key transformation.
• For this, the 56-bit key is divided into two halves,
each of 28 bits.
• These halves are circularly shifted left by one or two
positions, depending on the round.
• For example, if the round number is 1, 2, 9, or 16, the
shift is done by only one position; for other rounds,
the circular shift is done by two positions.

Key Transformation (continued…)
• After an appropriate shift, 48 of the 56 bits are
selected.
• The table for selecting 48 of the 56 bits is shown in
the figure.
• For instance, after the shift, bit number 14 moves to
the first position, bit number 17 moves to the second
position, and so on.
• If we observe the table, we will realize that it
contains only 48 bit positions.
• Bit number 18 is discarded (we will not find it in the
table), like 7 others, to reduce a 56-bit key to a 48-bit
key.
• Since the key transformation process involves
permutation as well as selection of a 48-bit subset
of the original 56-bit key, it is called Compression
Permutation.
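
The key transformation described above (parity drop, per-round left shifts, 48-bit compression permutation), as an added example that is not part of the original slides. The PC-1 and PC-2 tables are the standard ones from FIPS PUB 46, where PC-1 drops the parity bits and also permutes the remaining 56; the sample key and all helper names are this example's own choices.

```python
# Added example: DES round-key generation (key transformation).
# Bit positions are 1-based and counted from the left, as in the slides.

# PC-1 (FIPS PUB 46): drops parity bits 8, 16, ..., 64 and permutes the other 56.
PC1 = [57, 49, 41, 33, 25, 17,  9,  1, 58, 50, 42, 34, 26, 18,
       10,  2, 59, 51, 43, 35, 27, 19, 11,  3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
       14,  6, 61, 53, 45, 37, 29, 21, 13,  5, 28, 20, 12,  4]

# PC-2 (FIPS PUB 46): the compression permutation, 56 bits in, 48 bits out.
PC2 = [14, 17, 11, 24,  1,  5,  3, 28, 15,  6, 21, 10,
       23, 19, 12,  4, 26,  8, 16,  7, 27, 20, 13,  2,
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]

# Left-shift amount per round: one position in rounds 1, 2, 9 and 16, else two.
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]


def to_bits(value, width):
    """Integer -> list of bits, most significant bit first."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def from_bits(bits):
    """List of bits (most significant first) -> integer."""
    out = 0
    for bit in bits:
        out = (out << 1) | bit
    return out


def permute(bits, table):
    """Output position j receives input bit table[j] (1-based)."""
    return [bits[pos - 1] for pos in table]


def round_keys(key64):
    """Return the sixteen 48-bit round keys for a 64-bit DES key."""
    cd = permute(to_bits(key64, 64), PC1)
    c, d = cd[:28], cd[28:]                      # two 28-bit halves
    keys = []
    for shift in SHIFTS:
        c = c[shift:] + c[:shift]                # circular left shift
        d = d[shift:] + d[:shift]
        keys.append(from_bits(permute(c + d, PC2)))
    return keys


def dropped_by_pc2():
    """Positions of the 56-bit key that PC-2 never selects."""
    return sorted(set(range(1, 57)) - set(PC2))


SAMPLE_KEY = 0x133457799BBCDFF1                  # sample key for this example

if __name__ == "__main__":
    for rnd, key in enumerate(round_keys(SAMPLE_KEY), start=1):
        print(f"K{rnd:<2} = {key:012X}")
    print("never selected by PC-2:", dropped_by_pc2())
```

Flipping the eight parity bits of the sample key leaves all sixteen round keys unchanged, which is why only 56 of the 64 key bits count toward the key length.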

Expansion P-Box Permutation
• Recall that after the initial permutation, we had
two 32-bit plain text areas called Left Plain
Text (L0) and Right Plain Text (R0).
• During the expansion permutation, R0 is
expanded from 32 bits to 48 bits.
• The bits are permuted as well, hence the name
expansion permutation.
• This happens as the 32-bit R0 is divided into 8
blocks, with each block consisting of 4 bits.
• Each 4-bit block of the previous step is
then expanded to a corresponding 6-bit block,
i.e., per 4-bit block, 2 more bits are added.

Expansion P-Box Permutation

• Since R0 is a 32-bit input and K is a 48-bit
key, we first need to expand R0 to 48 bits.
• To do this, the 32-bit R value is expanded
to 48 bits using an expansion P-box
permutation table (shown in Table).
• The expansion table defines a
permutation plus an expansion.
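
The three P-box kinds from the components slides and the DES expansion permutation described here, as an added example that is not part of the original slides. The small 5x5, 5x3 and 3x5 tables are constructed samples (the slide figures are not reproduced on this page), the helper names are this example's own, and the expansion table is generated from the rule that each 4-bit block also receives the bit just before it and the bit just after it, with wrap-around.

```python
# Added example: the three P-box kinds and the DES expansion table.
# A table lists, for each output position, the 1-based input bit it copies.

STRAIGHT_5x5 = [4, 1, 5, 2, 3]      # constructed sample tables
COMPRESS_5x3 = [1, 3, 4]            # inputs 2 and 5 are blocked
EXPAND_3x5 = [1, 3, 3, 1, 2]        # inputs 1 and 3 feed two outputs each


def permute(bits, table):
    """Apply a P-box table to a list of bits."""
    return [bits[pos - 1] for pos in table]


def classify(table, n_inputs):
    """Name the P-box kind from the table size relative to the input size."""
    m = len(table)
    if m < n_inputs:
        return "compression"
    if m > n_inputs:
        return "expansion"
    if sorted(table) != list(range(1, n_inputs + 1)):
        raise ValueError("an n x n table must use every input exactly once")
    return "straight"


def invert(table, n_inputs):
    """Inverse table of a straight P-box; the other kinds have none."""
    if classify(table, n_inputs) != "straight":
        raise ValueError("only a straight P-box has an inverse table")
    inverse = [0] * n_inputs
    for out_pos, in_pos in enumerate(table, start=1):
        inverse[in_pos - 1] = out_pos
    return inverse


def des_expansion_table():
    """32 -> 48 bits: every 4-bit block gains its left and right neighbour bit."""
    table = []
    for block in range(8):
        first = 4 * block + 1
        six = [first - 1, first, first + 1, first + 2, first + 3, first + 4]
        table += [(pos - 1) % 32 + 1 for pos in six]   # wrap 0 -> 32, 33 -> 1
    return table


def reused_inputs(table):
    """Input positions that are wired to more than one output."""
    return sorted({pos for pos in table if table.count(pos) > 1})


if __name__ == "__main__":
    bits = [1, 0, 1, 1, 0]
    mixed = permute(bits, STRAIGHT_5x5)
    print("straight   ", mixed, "->", permute(mixed, invert(STRAIGHT_5x5, 5)))
    print("compression", permute(bits, COMPRESS_5x3))
    print("expansion  ", permute([1, 0, 1], EXPAND_3x5))
    e_table = des_expansion_table()
    print("E first row", e_table[:6], "reused inputs:", reused_inputs(e_table))
```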

Overall Process discussed so far
• The key transformation process compresses the 56-bit key to 48 bits.
• Then the expansion permutation process expands the 32-bit
R0 to 48-bits.
• Now the 48-bit key is XORed with the 48-bit R0 and the resulting output is
given to the next step, which is the S-Box substitution.

DES Rounds:
In DES, substitution and permutation are used a number of times in
iterations called rounds. Generally, the more rounds there are, the
more secure the algorithm is.
DES uses 16 rounds. Each round of DES is a Feistel cipher.

− The round takes Li-1 and Ri-1 from the previous round (or the initial
permutation box) and creates Li and Ri, which go to the next round (or
final permutation box).
− Each round has two cipher elements: mixer and swapper. Each
of these elements is invertible.
❖ The swapper swaps the left half of the text with the right half. The
mixer performs XOR operation.

Figure: A round in DES (encryption site)


DES Round Function f(Ri-1,Ki):
The heart of DES is DES round function.
The round function mixes the bits of the right (R) portion using the
subkey for the current round.
It applies a 48-bit key to the rightmost 32 bits (Ri-1) to produce a
32-bit output.

This function is the main part of every round and consists of four
sections:
1. An expansion P-box (E-box, for 32-bit to 48-bit conversion)
2. A whitener (Exclusive-or that adds key)
3. A group of S-boxes (for 48-bit to 32-bit conversion)
4. A straight permutation P-box

Figure: DES function
DES Round Function f(Ri-1,Ki):

Whitener (Exclusive-or):
After the expansion permutation, DES uses the XOR operation on the
expanded right section and the round key.
❑ Note that both the right section and the key are 48-bits in length. Also
note that the round key is used only in this operation.

That expanded value is then exclusive-or'ed with the 48-bit subkey.

Figure: Whitener

The S-boxes (substitute 48 bits to 32 bits):
In DES, a non-linearity is introduced into the encryption so that decryption will be
computationally infeasible without the secret key.
This is achieved with the use of S-boxes, which are basically non-linear substitution tables
where either the output is smaller than the input or vice versa.
❖ The S-boxes are the only non-linear operation in DES that do the real
mixing (confusion).
DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output; that is, it
accepts a 48-bit input and produces a 32-bit number as output (defined in
tables).
❖ The resulting 48 bits from XOR operation are divided into eight 6-bit
chunks, each of which is fed into an S-Box that mixes the bits and
produces a 4-bit output (The 8 S-boxes are shown in table).
❖ Those 4-bit outputs are combined into a 32-bit value.
❖ The first and last bits of the 6-bit input of each S-box determine which
column permutation is used. It provides non-linearity (confusion).

DES Round Function f(Ri-1,Ki):
4. Straight Permutation (P-box):
The combined 32 bits from the previous step are permuted once
again to produce the 32-bit output of the f-function using expansion
P-box table (shown in Table-4).

Table-4: Straight permutation table

DES Algorithm/DES Structure/ Encryption of the DES:

Plaintext is broken into blocks of length 64 bits.
Each 64-bit block of plaintext is encrypted using a 56-bit key.
A 56-bit key k is fed into a subkey generating algorithm to produce
16 round subkeys k1, k2, k3, …, k16 of length 48 bits each.
❑ At first, an initial permutation (IP) is performed on the 64-bit block of
plaintext. (The initial permutation rearranges the bits of the plaintext to
form the “permuted input” based on the IP table.)
❑ After initial permutation, the 64-bit permuted block is divided into two
32-bit sub-blocks represented by L0 and R0 as the left and right
sub-block respectively.
❑ The encryption then proceeds through 16 rounds of identical operations
using a different sub-key of length 48-bit in each round on the left and
right halves of the block.
❑ The 48-bit subkey ki for round i (where i = 1, 2, 3, 4, …, 16) is generated
from the original 56-bit key.

DES Algorithm/DES Structure/ Encryption of the DES (continued…) :

❑ The output found using key ki after the ith round is represented by Li and Ri
respectively, where i = 1, 2, 3, …, 16.
❑ Round i has input $L_{i-1} \| R_{i-1}$ and output $L_i \| R_i$, where
❖ $L_i = R_{i-1}$
❖ $R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$

❑ In the final round, the left (L) and right (R) halves are swapped,
so that the decryption algorithm has the same structure as the
encryption algorithm.
❑ After the final round (16th round), the right and left halves are joined or
concatenated.
❑ Then, a final permutation IP-1 (which is the inverse of the initial
permutation), is applied to the 64-bit joining block.
❑ The output of this final permutation is the 64 bit encrypted output
(ciphertext).
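
The round equations above and the earlier point that a Feistel cipher reuses its noninvertible mixer for decryption, as an added example that is not part of the original slides. The round functions `toy_f` and `lossy_f` are hypothetical stand-ins, not the DES f, the subkeys and the plaintext block are constructed values, and the initial and final permutations are left out so that only the Feistel structure is shown.

```python
# Added example: a 16-round Feistel network using the round equations above.
import hashlib

HALF = 32                                  # DES-sized halves: 32 bits each
MASK = (1 << HALF) - 1


def toy_f(right, subkey):
    """Stand-in for f(R, k); NOT the DES round function.

    It hashes and truncates, so it cannot be inverted. The Feistel
    structure never needs to invert it.
    """
    data = right.to_bytes(4, "big") + subkey.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def lossy_f(right, subkey):
    """A cruder non-invertible f: the AND throws away bits of R."""
    return right & subkey & MASK


def feistel(block64, subkeys, f):
    """Run the rounds, then exchange the halves (output is R16 || L16)."""
    left, right = block64 >> HALF, block64 & MASK
    for k in subkeys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR f(R_{i-1}, k_i)
        left, right = right, left ^ f(right, k)
    return (right << HALF) | left


def encrypt(block64, subkeys, f=toy_f):
    return feistel(block64, subkeys, f)


def decrypt(block64, subkeys, f=toy_f):
    # Same network and same f; only the subkey order is reversed (k16 ... k1).
    return feistel(block64, list(reversed(subkeys)), f)


# Constructed 48-bit subkeys; real DES derives them from the key schedule.
SUBKEYS = [(0x0123456789AB * (i + 1)) & 0xFFFFFFFFFFFF for i in range(16)]
BLOCK = 0x0123456789ABCDEF                 # constructed 64-bit plaintext block

if __name__ == "__main__":
    ct = encrypt(BLOCK, SUBKEYS)
    print(f"ciphertext       {ct:016X}")
    print(f"decrypted        {decrypt(ct, SUBKEYS):016X}")
    print(f"wrong key order  {feistel(ct, SUBKEYS, toy_f):016X}")
```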

DES Algorithm/DES Structure/ Encryption of the DES (continued…) :

Figure-1: Flow Diagram of DES algorithm for encrypting data.

Example on how S-Box works

Q: The input to S-box 1 is 100011. What is the output?
Answer:
• If we write the first and the sixth bits
together, we get 11 in binary, which is 3 in
decimal. The remaining bits are 0001 in
binary, which is 1 in decimal.
• We look for the value in row 3, column 1,
in Table 6.3 (S-box 1). The result is 12 in
decimal, which in binary is 1100. So the
input 100011 yields the output 1100.
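
The lookup worked through above, together with the earlier statement that the S-boxes supply the non-linearity in DES, as an added example that is not part of the original slides. The S-box 1 table is the standard one from FIPS PUB 46 (the slide's Table 6.3 is not reproduced on this page); the function names are this example's own.

```python
# Added example: DES S-box 1 lookup and three properties of the table.

# S-box 1 from FIPS PUB 46: 4 rows x 16 columns of 4-bit outputs.
S1 = [
    [14,  4, 13,  1,  2, 15, 11,  8,  3, 10,  6, 12,  5,  9,  0,  7],
    [ 0, 15,  7,  4, 14,  2, 13,  1, 10,  6, 12, 11,  9,  5,  3,  8],
    [ 4,  1, 14,  8, 13,  6,  2, 11, 15, 12,  9,  7,  3, 10,  5,  0],
    [15, 12,  8,  2,  4,  9,  1,  7,  5, 11,  3, 14, 10,  0,  6, 13],
]


def sbox_lookup(box, six_bits):
    """Bits 1 and 6 of the input select the row, bits 2-5 the column."""
    row = ((six_bits >> 4) & 0b10) | (six_bits & 0b1)
    col = (six_bits >> 1) & 0b1111
    return box[row][col]


def rows_are_permutations(box):
    """True if every row contains each 4-bit value exactly once."""
    return all(sorted(row) == list(range(16)) for row in box)


def affine_violations(box):
    """Count pairs (a, b) with S(a) ^ S(b) ^ S(a ^ b) ^ S(0) != 0.

    The count is zero for every linear or affine map over GF(2), so any
    non-zero count shows the table is non-linear.
    """
    s = [sbox_lookup(box, x) for x in range(64)]
    return sum(1 for a in range(64) for b in range(64)
               if s[a] ^ s[b] ^ s[a ^ b] ^ s[0])


def min_output_change(box):
    """Fewest output bits that change when exactly one input bit flips."""
    return min(
        bin(sbox_lookup(box, x) ^ sbox_lookup(box, x ^ (1 << i))).count("1")
        for x in range(64) for i in range(6)
    )


if __name__ == "__main__":
    out = sbox_lookup(S1, 0b100011)
    print(f"S1(100011) = {out} = {out:04b}")
    print("rows are permutations:", rows_are_permutations(S1))
    print("affine-test violations:", affine_violations(S1), "of", 64 * 64)
    print("min output bits changed by a 1-bit input flip:", min_output_change(S1))
```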
