Cryptography, Lecture 05

Uploaded by

norahussiniy

Cryptography

Ch.3: The Data Encryption Standard (DES)
Prepared By
Dr. Ibrahim Attiya
© 2024 NMU
Ch.3: Outline
❑ Introduction to DES.
❑ The design process of DES.
❑ Basic design ideas of block ciphers.
❑ The internal structure of DES.
❑ Key Schedule
❑ Security analysis of DES.
❑ Alternatives to DES, including 3DES.
❑ Lessons Learned.
Key Schedule
➢ The key schedule derives 16 round keys k_i, each
consisting of 48 bits, from the original 56-bit key.
Another term for round key is subkey.
➢ First, note that the DES input key is often stated as
64-bit, where every eighth bit is used as an odd
parity bit over the preceding seven bits.
➢ In any case, the eight parity bits are not actual key
bits and do not increase the security.
➢ DES is a 56-bit cipher, not a 64-bit one.
➢ As shown in the following Fig., the 64-bit key is
first reduced to 56 bits by ignoring every eighth bit.
Key Schedule

➢ Parity bits are removed in a first permuted choice PC-1:
▪ Note that the bits 8, 16, 24, 32, 40, 48, 56 and 64 are not used at all.
Key Schedule
➢ The resulting 56-bit key is split into two halves C_0
and D_0, and the actual key schedule starts as shown
in the following Fig.
➢ The two 28-bit halves are cyclically shifted, i.e.,
rotated, left by one- or two-bit positions depending
on the round i according to the following rules:
▪ In rounds i = 1, 2, 9, 16, the two halves are rotated
left by one bit.
▪ In the other rounds where i ≠ 1, 2, 9, 16, the two
halves are rotated left by two bits.
Key Schedule
➢ Key schedule for DES encryption.
Key Schedule
➢ To derive the 48-bit round keys k_i, the two halves
are permuted bitwise again with PC-2, which
stands for “permuted choice 2”.
➢ PC-2 permutes the 56 input bits coming from C_i and
D_i and ignores 8 of them. The exact bit-connections
of PC-2 are given in the previous table.
➢ Note that every round key is a selection of 48
permuted bits of the input key k.
➢ The key schedule is merely a method of realizing
the 16 permutations systematically.
Summary of DES Operations
Decryption
➢ One advantage of DES is that decryption is
essentially the same function as encryption.
➢ This is because DES is based on a Feistel network.
➢ The following Figure shows a block diagram for
DES decryption. Compared to encryption, only the
key schedule is reversed, i.e., in decryption round
1, subkey 16 is needed; in round 2, subkey 15; etc.
➢ Thus, when in decryption mode, the key schedule
algorithm has to generate the round keys as the
sequence k_16, k_15, ..., k_1.
Decryption
➢ Reversed key schedule:
➢ As D_0 = D_16 and C_0 = C_16, the first-round key can be
generated by applying PC-2 right after PC-1 (no
rotation here!).
➢ All other rotations of C and D can be reversed to
reproduce the other round keys resulting in:
▪ No rotation in round 1.
▪ One bit rotation to the right in rounds 2, 9 and 16.
▪ Two bit rotations to the right in all other rounds (i.e.,
rounds 3, 4, 5, 6, 7, 8, 10, 11, 12, 13, 14 and 15).
Decryption

➢ Reversed key schedule for decryption of DES.
Decryption

➢ DES decryption.
Security of DES
➢ After the proposal of DES, two major criticisms
arose:
▪ The key space is too small (2^56 keys).
▪ The S-box design criteria were kept secret, and there
might have existed an analytical attack that
exploits mathematical properties of the S-boxes,
but which is only known to the DES designers.
➢ The main conclusion about DES security: Despite
very intensive cryptanalysis over the lifetime of DES,
current analytical attacks are not very efficient.
Security of DES
➢ Exhaustive key search:
➢ Special-purpose key-search machines are an option
to perform the 2^56 key tests necessary.
➢ Large institutions have long been able to build such
brute-force crackers, which can break DES in a
matter of days.
Security of DES
➢ Analytical Attacks:
➢ It is a major triumph for the designers of DES that
no weakness was found until 1990.
➢ DES is highly resistant to both differential
cryptanalysis (DC) and linear cryptanalysis (LC),
which were published years after DES.
➢ This means IBM and NSA had been aware of these
attacks for 15 years!
➢ The effectiveness of both DC and LC attacks
depends heavily on the structure of the S-boxes.
➢ So far there is no known analytical attack which
breaks DES in realistic scenarios.
History of Attacks on DES

➢ Deep Crack: the hardware exhaustive key-search machine that
broke DES in 1998.
➢ COPACOBANA: a cost-optimized parallel code breaker.
Alternatives to DES
Algorithm        I/O bits   Key lengths (bits)   Remarks
AES / Rijndael   128        128/192/256          DES "replacement", worldwide used standard
Triple DES       64         112 (effective)      conservative choice
Mars             128        128/192/256          AES finalist
RC6              128        128/192/256          AES finalist
Serpent          128        128/192/256          AES finalist
Twofish          128        128/192/256          AES finalist
IDEA             64         128                  patented
Triple DES – 3DES
➢ An alternative to the AES algorithm is triple DES,
often denoted as 3DES.
➢ 3DES consists of three subsequent DES
encryptions
y = DES_k3(DES_k2(DES_k1(x)))
with different keys, as shown below.
Triple DES – 3DES
➢ 3DES is often used in practice to extend the
effective key length of DES to 112 bits.
➢ Choosing k1=k2=k3 performs single DES
encryption.
➢ No practical attack known today.
➢ 3DES seems resistant to both brute-force attacks
and any analytical attack imaginable at the moment.
➢ It is popular in financial applications as well as for
protecting biometric information in electronic
passports.
Lessons Learned
➢ DES was the dominant symmetric encryption
algorithm from the mid-1970s to the mid-1990s.
➢ Since 56-bit keys are no longer secure, the
Advanced Encryption Standard (AES) was created.
➢ Standard DES with 56-bit key length can be broken
relatively easily nowadays through an exhaustive
key search.
➢ DES is quite robust against known analytical
attacks: In practice it is very difficult to break the
cipher with differential or linear cryptanalysis.
Lessons Learned (Cont.)
➢ By encrypting with DES three times in a row, triple
DES (3DES) is created, against which no practical
attack is currently known.
➢ The “default” symmetric cipher is nowadays often
AES. In addition, the other four AES finalist ciphers
all seem very secure and efficient.
➢ Since about 2005 several proposals for lightweight
ciphers have been made. They are suited for
resource-constrained applications.
Any Questions?
