Module 2 Symmetric Des Aes

Uploaded by

rtrpavitrkochar
DES (Data Encryption Standard)

• Outline
  • Background and History of DES
  • Overview of DES
  • Double and Triple DES
  • Security of DES
1. Background and History of DES (1)

• Early 1970’s - NBS (Nat’l Bureau of Standards) recognized general public’s need for a secure crypto system
  • NBS – part of US gov’t / Now: NIST – Nat’l Inst. of Stand’s & Technology
  • "Encryption for the masses" [A. Striegel]
• Existing US gov’t crypto systems were not meant to be made public
  • E.g. DoD, State Dept.
• Problems with proliferation of commercial encryption devices
  • Incompatible
  • Not extensively tested by independent body
2D.2. Overview of DES (1)
• DES - a block cipher
  • a product cipher
  • 16 rounds (iterations) on the input bits (of P)
    • substitutions (for confusion) and permutations (for diffusion)
  • Each round with a round key
    • Generated from the user-supplied key
• Easy to implement in S/W or H/W
Overview of DES (2)
Basic Structure
• Input: 64 bits (a block)
• Li/Ri – left/right half of the input block for iteration i (32 bits) – subject to substitution S and permutation P (cf. Fig 2-8 – text)
• K - user-supplied key
• Ki - round key:
  • 56 bits used + 8 unused (unused for E but often used for error checking)
• Output: 64 bits (a block)
• Note: Ri becomes L(i+1)
• All basic op’s are simple logical ops
  • Left shift / XOR
[Figure: Input, Input Permutation, L0/R0, S and P with K1, L1/R1, ..., L16/R16 with K16, Final Permutation, Output]
Background and History of DES (2)
• 1972 - NBS calls for proposals for a public crypto system
  • Criteria: Highly secure / easy to understand / publishable / available to all / adaptable to diverse app’s / economical / efficient to use / able to be validated / exportable
  • In truth: Not too strong (for NSA, etc.)
• 1974 – IBM proposed its Lucifer
  • DES based on it
  • Tested by NSA (Nat’l Security Agency) and the general public
• Nov. 1976 – DES adopted as US standard for sensitive but unclassified data / communication
  • Later adopted by ISO (Int’l Standards Organization)
  • Official name: DEA - Data Encryption Algorithm / DEA-1
Overview of DES (3) - Generation of Round Keys
• key – user-supplied key (input)
• PC-1, PC-2 – permutation tables
  • PC-2 also extracts 48 of 56 bits
• K1 – K16 – round keys (outputs)
  • Length(Ki) = 48
• Ci / Di – confusion / diffusion (?)
• LSH – left shift (rotation) tables
[Figure: key, PC-1, C0/D0, LSH/LSH, C1/D1, PC-2 giving K1, ..., LSH/LSH, PC-2 giving K16]
[Fig: cf. Barbara Endicott-Popovsky, U. Washington]

Overview of DES (4) - Problems with DES
• Diffie, Hellman 1977 prediction: “In a few years, technology would allow DES to be broken in days.”
• Key length is fixed (= 56)
  • 2^56 keys ~ 10^15 keys
  • "Becoming" too short for faster computers
    • 1997: 3,500 machines – 4 months
    • 1998: special "DES cracker" h/w – 4 days
• Design decisions not public
  • Suspected of having backdoors
    • Speculation: To facilitate government access?
2D.3. Double and Triple DES (1)
• Double DES:
  • Use double DES encryption
      C = E(k2, E(k1, P))
  • Expected to multiply difficulty of breaking the encryption
    • Not true!
  • In general, 2 encryptions are not better than one [Merkle, Hellman, 1981]
    • Only doubles the attacker’s work
Double and Triple DES (2)
• Triple DES:
  • Is it C = E(k3, E(k2, E(k1, P))) ?
    • Not soooo simple!
Double and Triple DES (3)
• Triple DES:
  • Tricks used: D not E in the 2nd step, k1 used twice (in steps 1 & 3)
  • It is:
      C = E(k1, D(k2, E(k1, P)))
    and
      P = D(k1, E(k2, D(k1, C)))
• Doubles the effective key length
  • 112-bit key is quite strong
    • Even for today’s computers
    • For all feasible known attacks
2D.4. Security of DES
• So, is DES insecure?
• No, not yet
  • 1997 attack required a lot of cooperation
  • The 1998 special-purpose machine is still very expensive
  • Triple DES still beyond the reach of these 2 attacks
• But ...
  • In 1995, NIST (formerly NBS) began search for new strong encryption standard
DES – Confusion, Diffusion and Avalanche Effect
• Confusion and diffusion are two fundamental principles in the design of secure cryptographic
algorithms. These concepts were introduced by Claude Shannon in his seminal work on
information theory and form the basis of many encryption algorithms, including the Data
Encryption Standard (DES).
• Confusion refers to making the relationship between the key and the cipher text as complex and
as obscure as possible. This ensures that even if someone knows the cipher text, they cannot
easily deduce the key.
• In DES, confusion is achieved primarily through the use of S-boxes (substitution boxes). The S-boxes take the
input bits and produce output bits that are non-linearly related to the input. This non-linear transformation
obscures the relationship between the plaintext, the cipher text, and the key.
• Diffusion refers to spreading the influence of each plaintext bit over many cipher text bits. This
means that a change in a single bit of the plaintext should result in a significantly different cipher
text, thus making it harder to find patterns that could lead to the key.
• In DES, diffusion is achieved through permutation operations and the Feistel network structure. The
permutations and the repeated mixing of the bits throughout multiple rounds ensure that the plaintext is
thoroughly diffused into the cipher text.
Avalanche Effect in DES
• The avalanche effect is a desirable property of cryptographic algorithms, where a small change in
either the plaintext or the key results in a significant change in the ciphertext. This ensures that the
encryption process is highly sensitive to initial conditions, enhancing security by making it difficult
to predict the output.
• In DES, the avalanche effect is realized through the combined application of confusion and diffusion.
A single bit change in the plaintext or the key should affect approximately half of the bits in the
ciphertext, making it infeasible for attackers to use simple statistical analysis to reverse-engineer the
key.
• Examples in DES
• S-boxes: Introduce non-linearity and contribute to confusion. A slight change in input results in a drastically
different output.
• Permutation (P) Boxes: Spread out the bits across the block to ensure diffusion. They help in making the output
bits depend on the input bits in a complex manner.
• Feistel Network: The structure of DES, which involves multiple rounds of processing, ensures both confusion
and diffusion are achieved. Each round uses a different subkey and applies S-box substitutions and
permutations, contributing to the overall avalanche effect.
Applications of DES
• Standardization Requirements: Some standards and regulations might
still list DES as an optional algorithm for compliance, though it is
usually recommended to use more secure algorithms like AES.
• Variants of DES: Triple DES (3DES): This is an enhancement of DES that
applies the DES algorithm three times to each data block. While it is
more secure than single DES, it is also being phased out in favor of
stronger algorithms like AES.
• Payment Card Industry (PCI) Compliance: Some older payment
systems might still support 3DES for encryption, although PCI
standards are pushing towards the use of AES for stronger security.
Activity: Explore PCI compliance and list down PCI requirements and what are the consequences of non-compliance.
DES Assignment Questions
• Calculate the total number of bits in a DES key.
• Answer: 56 bits (Note: DES keys are 64 bits long, but 8 bits are used for parity, leaving 56 bits for the actual key.)
• How many subkeys are generated during the DES encryption process?
• Answer: 16 subkeys (One subkey for each of the 16 rounds of encryption.)
• Determine the number of bits in each subkey used in DES.
• Answer: 48 bits
• Calculate the number of possible keys in DES.
• Answer: $2^{56}$ (approximately 72 quadrillion, or $72 \times 10^{15}$)
• How many times is the initial permutation (IP) applied during the DES encryption and decryption
process?
• Answer: Twice (Once at the beginning of encryption and once at the beginning of decryption.)
• If the plaintext input to DES is 64 bits, how many bits will be processed by each of the 16 Feistel
rounds?
• Answer: 32 bits (Each round processes half of the 64-bit block, so each Feistel function works on 32 bits.)
DES Assignment Questions
• Given that DES uses 16 rounds of Feistel structure, calculate the number of permutations
and substitutions applied to a 64-bit block of data.
• Answer: Each round involves permutations (P-box) and substitutions (S-box). There are 8 S-boxes in
each round, and a permutation function is applied. Thus, there are 16 permutations and 128
substitutions (8 substitutions per round × 16 rounds).
• Calculate the number of bits affected by a single bit change in the plaintext after 3 rounds
of DES, assuming a perfectly random substitution and permutation.
• Answer: This is a complex question involving the avalanche effect. After 3 rounds, due to the diffusion
and confusion properties of DES, it's expected that a single bit change can affect approximately half the
bits. Thus, after 3 rounds, around $\frac{64}{2} = 32$ bits could be affected.
• Estimate the time to brute-force a DES key if a machine can test 1 million keys per second.
• Answer: The total number of keys is $2^{56}$. Testing 1 million keys per second:
$\text{Time} = \frac{2^{56}}{10^6} \text{ seconds} \approx 7.2 \times 10^{10} \text{ seconds} \approx 2283 \text{ years}$
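The Feistel structure ("Ri becomes L(i+1)") and the avalanche figure in the answers above can be checked with a small experiment. This is an added example, not part of the original slides: a generic 16-round Feistel network on 64-bit blocks in which a truncated SHA-256 stands in for the "perfectly random" round function, so it is not DES itself (no IP, S-boxes or PC-1/PC-2). The round keys and the sample block are constructed values.

```python
import hashlib

MASK32 = 0xFFFFFFFF


def round_function(half, round_key):
    """Stand-in for the DES round function: 32-bit half + 48-bit round key -> 32 bits.
    Assumption for illustration only; real DES uses expansion, S-boxes and a P-box."""
    data = half.to_bytes(4, "big") + round_key.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel(block, round_keys):
    """Run one Feistel round per key on a 64-bit block."""
    left, right = block >> 32, block & MASK32
    for key in round_keys:
        # R(i) becomes L(i+1); the new right half is L(i) XOR F(R(i), K(i+1)).
        left, right = right, left ^ round_function(right, key)
    # Swapping the halves at the end makes decryption the same routine
    # run with the round keys in reverse order.
    return (right << 32) | left


def encrypt(block, round_keys):
    return feistel(block, round_keys)


def decrypt(block, round_keys):
    return feistel(block, list(reversed(round_keys)))


def changed_bits(block, bit, round_keys):
    """Number of output bits that differ when input bit `bit` is flipped."""
    diff = feistel(block, round_keys) ^ feistel(block ^ (1 << bit), round_keys)
    return bin(diff).count("1")


def mean_avalanche(block, round_keys):
    """Average of changed_bits over all 64 single-bit flips of the input."""
    return sum(changed_bits(block, bit, round_keys) for bit in range(64)) / 64


# Constructed sample values (not a DES key schedule): sixteen 48-bit round keys.
ROUND_KEYS = [int.from_bytes(hashlib.sha256(b"round-%d" % i).digest()[:6], "big")
              for i in range(1, 17)]
SAMPLE_BLOCK = 0x0123456789ABCDEF

if __name__ == "__main__":
    ciphertext = encrypt(SAMPLE_BLOCK, ROUND_KEYS)
    print("round trip ok:", decrypt(ciphertext, ROUND_KEYS) == SAMPLE_BLOCK)
    for rounds in (1, 2, 3, 16):
        print(rounds, "round(s): mean changed bits =",
              mean_avalanche(SAMPLE_BLOCK, ROUND_KEYS[:rounds]))
```

After one round a flipped left-half bit changes exactly one output bit, whatever the round function is; by three rounds the mean is close to half of the 64 bits.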
Numerical on Simplified DES
• https://www.youtube.com/watch?v=3jGMCyOXOV8
2E. The Clipper Story (1)
• ... Or: How not to set up a standard
• A scenario
  • Only a single electronic copy of a corporation’s crucial (and sensitive) document
  • To prevent espionage, strong encryption used to protect that document
  • Only CEO knows the key
  • CEO gets hit by a truck
  • Is the document lost forever?
• Key escrow (a depository) facilitates recovery of the document if the key is lost
[cf. J. Leiwo]
The Clipper Story (2)
• 1993 - Clipper - U.S. Government’s attempt to mandate key escrow, designed to encrypt voice and data
  • Secret algorithm, invented by National Security Agency
  • Only authorities can recover any communications
    • Add an escrow key and split into halves
    • Give each half to a different authority
    • If there is a search warrant, authorities can combine their halves and recover intercepted communication
  • Of course, government will use it for legitimate purposes only
[cf. J. Leiwo]
The Clipper Story (3)
• Clipper failed big time:
  • Classified algorithm, h/w (Clipper chip) implement’s only
  • Equipment AND keys provided by the government
  • No export of equipment [above - cf. J. Leiwo]
• Public relations disaster
  • "Electronic civil liberties" organizations (incl. Electronic Privacy Information Center & Electronic Frontier Foundation) challenged the Clipper chip proposal
  • Their claims:
    • It would subject citizens to increased, possibly illegal, government surveillance
    • strength of encryption could not be evaluated by the public (bec. secret algorithm) – might be
2F. AES (Advanced Encryption Standard)

• ... Or: How to set up a standard

• Outline
  2F.1. The AES Contest
  2F.2. Overview of Rijndael
  2F.3. Strength of AES
  2F.4. Comparison of DES and AES
2F.1. The AES Contest (1)
• 1997 – NIST (Nat’l Institute of Standards and Technology) calls for proposals
  • Criteria:
    • Unclassified code
    • Publicly disclosed
    • Royalty-free worldwide
    • Symmetric block cipher for 128-bit blocks
    • Usable with keys of 128, 192, and 256 bits
• 1998 – 15 algorithms selected
The AES Contest (2)
• 1999 – 5 finalists [cf. J. Leiwo]
  • MARS by IBM
  • RC6 by RSA Laboratories
  • Rijndael by Joan Daemen and Vincent Rijmen
  • Serpent by Ross Anderson, Eli Biham and Lars Knudsen
  • Twofish by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall and Niels Ferguson
• Evaluation of finalists
  • Public and private scrutiny
  • Key evaluation areas: security / cost or efficiency of operation /
The AES Contest (3)
• 2001 - … and the winner is … Rijndael (RINE-dahl)
  Authors: Vincent Rijmen + Joan Daemen (Dutchmen)
• Adopted by US gov’t as Federal Info Processing Standard 197 (FIPS 197)
2F.2. Overview of Rijndael/AES
• Similar to DES – cyclic type of approach
  • 128-bit blocks of P
  • # of iterations based on key length
    • 128-bit key => 9 “rounds” (called rounds, not cycles)
    • 192-bit key => 11 rounds
    • 256-bit key => 13 rounds
• Basic ops for a round:
  • Substitution – byte level (confusion)
  • Shift row (transposition) – depends on key length (diff.)
  • Mix columns – LSH and XOR (confusion + diffusion)
2F.3. Strengths of AES
• Not much experience so far (since 2001)
• But:
  • Extensive cryptanalysis by US gov’t and independent experts
  • Dutch inventors have no ties to NSA or other US gov’t bodies (less suspicion of trapdoor)
  • Solid math basis
    • Despite seemingly simple steps within rounds
2F.4. Comparison of DES & AES (1)

                           DES                          AES
Date                       1976                         1999
Block size [bits]          64                           128
Key length [bits]          56 (effect.)                 128, 192, 256, or more
Encryption Primitives      substitution, permutation    substitution, shift, bit mixing
Cryptographic Primitives   confusion, diffusion         confusion, diffusion
Design                     open                         open
Design Rationale           closed                       open
Selection process          secret                       secret, but accepted public comments
Source                     IBM, enhanced by NSA         independent Dutch cryptographers
Comparison of DES & AES (2)

• Weaknesses in AES?
  • 20+ yrs of experience with DES eliminated fears of its weakness (intentional or not)
    • Might be naïve…
  • Experts pored over AES for 2-year review period
Comparison of DES & AES (3)
• Longevity of AES?
  • DES is nearly 30 yrs old (1976)
    • DES-encrypted message can be cracked in days
  • Longevity of AES more difficult to answer
    • Can extend key length to > 256 bits (DES: 56)
      • 2 * key length => 4 * number of keys
    • Can extend number of rounds (DES: 16)
  • Extensible AES seems to be significantly better than DES, but..
    • Human ingenuity is unpredictable!
=> Need to incessantly search for better and better
Advanced Encryption Standard

"It seems very simple."


"It is very simple. But if you don't know what the key is
it's virtually indecipherable."
—Talking to Strange Men, Ruth Rendell
AES Origins
• clear a replacement for DES was needed
• have theoretical attacks that can break it
• have demonstrated exhaustive key search attacks
• can use Triple-DES – but slow, has small blocks
• US NIST issued call for ciphers in 1997
• 15 candidates accepted in Jun 98
• 5 were shortlisted in Aug-99
• Rijndael was selected as the AES in Oct-2000
• issued as FIPS PUB 197 standard in Nov-2001
The AES Cipher - Rijndael
• designed by Rijmen-Daemen in Belgium
• has 128/192/256 bit keys, 128 bit data
• an iterative rather than Feistel cipher
• processes data as block of 4 columns of 4 bytes
• operates on entire data block in every round
• designed to have:
• resistance against known attacks
• speed and code compactness on many CPUs
• design simplicity
[Figure: AES Encryption Process]
AES Structure
data block of 4 columns of 4 bytes is state
key is expanded to array of words
has 9/11/13 rounds in which state undergoes:
byte substitution (1 S-box used on every byte)
shift rows (permute bytes between groups/columns)
mix columns (subs using matrix multiply of groups)
add round key (XOR state with key material)
view as alternating XOR key & scramble data bytes
initial XOR key material & incomplete last round
with fast XOR & table lookup implementation
AES Structure
Some Comments on AES
1. an iterative rather than Feistel cipher
2. key expanded into array of 32-bit words
   • four words form round key in each round
3. 4 different stages are used as shown
4. has a simple structure
5. only AddRoundKey uses key
6. AddRoundKey a form of Vernam cipher
7. each stage is easily reversible
8. decryption uses keys in reverse order
9. decryption does recover plaintext
10. final round has only 3 stages
Substitute Bytes
• a simple substitution of each byte
• uses one table of 16x16 bytes containing a permutation of all 256 8-bit
values
• each byte of state is replaced by byte indexed by row (left 4-bits) & column
(right 4-bits)
• eg. byte {95} is replaced by byte in row 9 column 5
• which has value {2A}
• S-box constructed using defined transformation of values in GF(2^8)
(Elements of GF(2^8) are typically represented as polynomials of degree less than 8, with coefficients in {0,1}.)
• designed to be resistant to all known attacks
Substitute Bytes
Substitute Bytes Example
Shift Rows
• a circular byte shift in each row
• 1st row is unchanged
• 2nd row does 1 byte circular shift to left
• 3rd row does 2 byte circular shift to left
• 4th row does 3 byte circular shift to left
• decrypt inverts using shifts to right
• since state is processed by columns, this step permutes bytes
between the columns
Shift Rows
Mix Columns
• each column is processed separately
• each byte is replaced by a value dependent on all 4 bytes in the
column
• effectively a matrix multiplication in GF(2^8) using prime poly m(x) = x^8 + x^4 + x^3 + x + 1
Mix Columns
Mix Columns Example
AES Arithmetic
• uses arithmetic in the finite field GF(2^8)
• with irreducible polynomial
m(x) = x^8 + x^4 + x^3 + x + 1
which is (100011011) or {11b}
• e.g.
{02} • {87} mod {11b} = (1 0000 1110) mod {11b}
= (1 0000 1110) xor (1 0001 1011) = (0001 0101)
Mix Columns
• can express each col as 4 equations
• to derive each new byte in col
• decryption requires use of inverse matrix
• with larger coefficients, hence a little harder
• have an alternate characterisation
• each column a 4-term polynomial
• with coefficients in GF(2^8)
• and polynomials multiplied modulo (x^4+1)
• coefficients based on linear code with maximal
distance between codewords
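The field arithmetic and the Mix Columns step described above, as an added example that is not part of the original slides. The function names and the sample column are assumptions chosen for illustration; the matrices are the standard AES coefficients {02 03 01 01} for encryption and {0e 0b 0d 09} for the inverse.

```python
M_X = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1, i.e. (1 0001 1011) or {11b}


def xtime(a):
    """Multiply by {02} (the polynomial x): shift left, reduce by m(x) on overflow."""
    a <<= 1
    return a ^ M_X if a & 0x100 else a


def gmul(a, b):
    """Multiply two bytes in GF(2^8): XOR together shifted copies of a,
    one for each set bit of b."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a = xtime(a)
        b >>= 1
    return product


def circulant(first_row):
    """Build the 4x4 matrix whose row i is first_row rotated right by i places."""
    return [first_row[-i:] + first_row[:-i] for i in range(4)]


MIX = circulant([0x02, 0x03, 0x01, 0x01])      # encryption matrix
INV_MIX = circulant([0x0E, 0x0B, 0x0D, 0x09])  # inverse matrix, larger coefficients


def transform_column(matrix, column):
    """Matrix-vector product over GF(2^8): multiply with gmul, add with XOR."""
    out = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, column):
            acc ^= gmul(coeff, byte)
        out.append(acc)
    return out


def mix_column(column):
    return transform_column(MIX, column)


def inv_mix_column(column):
    return transform_column(INV_MIX, column)


def bytes_changed(column, index, bit):
    """Flip one bit of one input byte; count how many output bytes change."""
    flipped = list(column)
    flipped[index] ^= 1 << bit
    before, after = mix_column(column), mix_column(flipped)
    return sum(1 for x, y in zip(before, after) if x != y)


# Constructed sample column (a commonly used MixColumns check value).
SAMPLE_COLUMN = [0xDB, 0x13, 0x53, 0x45]

if __name__ == "__main__":
    print("{02} * {87} =", format(gmul(0x02, 0x87), "02x"))
    mixed = mix_column(SAMPLE_COLUMN)
    print("mixed   :", [format(b, "02x") for b in mixed])
    print("restored:", [format(b, "02x") for b in inv_mix_column(mixed)])
    print("bytes changed by a one-bit flip:", bytes_changed(SAMPLE_COLUMN, 0, 0))
```

Because every matrix coefficient is non-zero, a change in any one input byte changes all four output bytes of the column, which is the diffusion the slide describes.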
Add Round Key
XOR state with 128-bits of the round key
again processed by column (though effectively a series of byte
operations)
inverse for decryption identical
since XOR own inverse, with reversed keys
designed to be as simple as possible
a form of Vernam cipher on expanded key
requires other stages for complexity / security
Add Round Key
AES Round
AES Key Expansion
takes 128-bit (16-byte) key and expands into array of 44/52/60 32-bit
words
start by copying key into first 4 words
then loop creating words that depend on values in previous & 4
places back
in 3 of 4 cases just XOR these together
1st word in 4 has rotate + S-box + XOR round constant on previous, before
XOR 4th back
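The S-box construction from the Substitute Bytes slide and the key expansion loop described above, as an added example that is not part of the original slides. It goes beyond the 128-bit case in the text by also handling 192- and 256-bit keys (256-bit keys get one extra S-box step per group of eight words, as FIPS 197 specifies); function names are assumptions, and the sample key is the example key from FIPS 197 Appendix A.1.

```python
def rotl8(value, shift):
    """Rotate an 8-bit value left."""
    return ((value << shift) | (value >> (8 - shift))) & 0xFF


def build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8), then the affine transformation."""
    sbox = [0] * 256
    p = q = 1  # loop invariant: p * q == 1 in GF(2^8)
    while True:
        # p steps through every non-zero element: multiply by the generator {03}
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        # q follows as the inverse of p: divide by {03}
        q ^= (q << 1) & 0xFF
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        # affine transformation of the inverse, with constant {63}
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # {00} has no inverse and maps to the affine constant
    return sbox


SBOX = build_sbox()


def sub_byte(byte):
    """Table lookup as on the slide: row = left 4 bits, column = right 4 bits."""
    row, col = byte >> 4, byte & 0x0F
    return SBOX[16 * row + col]


def key_expansion(key):
    """Expand a 16/24/32-byte key into 44/52/60 words, returned as hex strings."""
    if len(key) not in (16, 24, 32):
        raise ValueError("AES keys are 16, 24 or 32 bytes long")
    nk = len(key) // 4                # key length in 32-bit words
    total_words = 4 * (nk + 7)        # 4 words for each of the (nk + 6) + 1 round keys
    words = [list(key[4 * i:4 * i + 4]) for i in range(nk)]  # copy the key first
    rcon = 0x01
    for i in range(nk, total_words):
        temp = list(words[i - 1])
        if i % nk == 0:
            temp = temp[1:] + temp[:1]            # rotate the word by one byte
            temp = [sub_byte(b) for b in temp]    # S-box on each byte
            temp[0] ^= rcon                       # XOR the round constant
            rcon = ((rcon << 1) ^ 0x11B) if rcon & 0x80 else rcon << 1
        elif nk == 8 and i % nk == 4:
            temp = [sub_byte(b) for b in temp]    # extra step for 256-bit keys only
        # the other cases are a plain XOR with the word nk places back
        words.append([a ^ b for a, b in zip(words[i - nk], temp)])
    return [bytes(word).hex() for word in words]


def round_keys(key):
    """Group the expanded words four at a time into 128-bit round keys."""
    words = key_expansion(key)
    return ["".join(words[i:i + 4]) for i in range(0, len(words), 4)]


# Example key from FIPS 197 Appendix A.1 (public test vector, never use as a real key).
FIPS197_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")

if __name__ == "__main__":
    print("S-box({95}) =", format(sub_byte(0x95), "02x"))
    for number, round_key in enumerate(round_keys(FIPS197_KEY)):
        print(f"round key {number:2d}: {round_key}")
```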
AES Key Expansion
Key Expansion Rationale
• designed to resist known attacks
• design criteria included
• knowing part key insufficient to find many more
• invertible transformation
• fast on wide range of CPU’s
• use round constants to break symmetry
• diffuse key bits into round keys
• enough non-linearity to hinder analysis
• simplicity of description
[Figure: AES Example Key Expansion]
[Figure: AES Example Encryption]
[Figure: AES Example Avalanche]
AES Decryption
• AES decryption is not identical to encryption since steps done in
reverse
• but can define an equivalent inverse cipher with steps as for
encryption
• but using inverses of each step
• with a different key schedule
• works since result is unchanged when
• swap byte substitution & shift rows
• swap mix columns & add (tweaked) round key
AES Decryption
Implementation Aspects
• can efficiently implement on 8-bit CPU
• byte substitution works on bytes using a table of 256 entries
• shift rows is simple byte shift
• add round key works on byte XOR’s
• mix columns requires matrix multiply in GF(2^8) which works on byte values, can be simplified to use table lookups & byte XOR’s
Implementation Aspects
can efficiently implement on 32-bit CPU
redefine steps to use 32-bit words
can precompute 4 tables of 256-words
then each column in each round can be computed using 4 table lookups + 4
XORs
at a cost of 4Kb to store tables
designers believe this very efficient implementation was a key factor
in its selection as the AES cipher
Advantages of AES?

• It is the most secure security protocol as it is implemented in both hardware and software.
• The encryption processes of AES are easy to learn, making it more attractive to those
dealing with AES.
• It employs longer key sizes for encryption, such as 128, 192, and 256 bits. Therefore, it
makes the AES algorithm more resistant to infiltration.
• It's easy to implement.
• Faster encryption and decryption times.
• AES consumes less memory and system resources.
• AES can be combined with other security protocols when it needs an extra security layer.
• To overcome 128-bit encryption, approximately 2^128 attempts are required. This makes it extremely difficult to infiltrate, resulting in a very secure protocol.
Disadvantages of AES?

• If the AES key is not employed effectively, a cryptanalysis attack is possible. Therefore, key scheduling must be performed with caution.
• Each block is always encrypted using the same algorithm.
• It employs overly simplistic algebraic structure.
• AES in counter mode is difficult to implement in software when
considering both performance and security.
• Software implementation is difficult.
Where is the AES Algorithm Used?

• wireless security, processor security, file encryption, and SSL/TLS.
• AES encryption is used regularly by federal government departments as well as non-
government entities, commercial firms, and organizations, to secure sensitive data.
• AES encryption is now used in devices and applications such as SSDs for data storage, the Google Cloud storage service, internet browser programs such as Firefox and Opera, and security certificates for websites.
• Many popular apps (such as Snapchat and Facebook Messenger) use AES encryption
to safely send information such as photographs and messages.
• Well-known file compression programs such as 7z, WinRAR, Winzip also use the AES
algorithm to prevent data breaches.
• AES encryption is also implemented in the libraries of programming languages such
as Java, Python, and C++.
AES – Diffusion and Avalanche Effect
Diffusion refers to the property that the influence of one plaintext bit should spread throughout the ciphertext,
such that changing a single bit in the plaintext should result in changes to many bits in the ciphertext. This
ensures that the structure of the plaintext is obscured, making it more difficult for attackers to deduce the
plaintext from the ciphertext.
How Diffusion is Achieved in AES:
• SubBytes Transformation:
• This is a non-linear substitution step where each byte of the state (a 4x4 matrix in AES) is replaced with another byte using
an S-box (substitution box). The S-box is designed to provide non-linearity and help in achieving diffusion by mixing the
bits within each byte.
• Shift Rows Transformation:
• This step involves shifting the rows of the state matrix cyclically by different offsets. The first row is left unchanged, the
second row is shifted one byte to the left, the third row by two bytes, and the fourth row by three bytes. This step ensures
that the columns of the state matrix become mixed, contributing to diffusion across the state.
• Mix Columns Transformation:
• This step is a linear transformation that takes each column of the state and mixes the bytes within the column. Each byte is
replaced with a linear combination of the bytes in the column. This process ensures that each output byte is affected by
each input byte, thus spreading out the influence of any single byte change across the entire state.
Avalanche Effect - AES
The avalanche effect refers to the property that a small change in the input (such as flipping a single bit)
should result in a significant and unpredictable change in the output. This effect is crucial for ensuring that
small modifications in the plaintext or key produce completely different ciphertexts, which helps to obscure
any potential patterns.
• How Avalanche Effect is Achieved in AES:
• Non-Linear S-Box:
• The S-box used in the SubBytes step provides non-linearity, ensuring that a change in a single input bit results in changes
to multiple output bits. This non-linearity is a key factor in achieving the avalanche effect.
• Multiple Rounds:
• AES employs multiple rounds of processing (10 rounds for 128-bit keys, 12 for 192-bit keys, and 14 for 256-bit keys). Each
round applies the aforementioned transformations (SubBytes, ShiftRows, MixColumns) which significantly increases the
diffusion and the avalanche effect. By repeatedly applying these transformations, AES ensures that any small change in
input results in a vastly different output after several rounds.
• Key Expansion and Addition:
• The round keys used in AES are derived from the original key through a key schedule process, which involves expansion
and substitution operations. Adding these round keys to the state during each round further contributes to the
avalanche effect by introducing additional complexity and non-linearity.