Data Encryption Standard (DES)
Financial companies found the need for a cryptographic algorithm that would have the blessing of the US government (=NSA)
First call for candidates in May 73, followed by a new call in August 74
Not very many submissions (Why?)
  –IBM submitted Lucifer
NSA worked with IBM in redesigning the algorithm

DES
DES became a federal standard in November 76
  –NBS (NIST) hardware standard in January 77
  –ANSI X (hardware + software)
  –ANSI X (modes of operation)
  –Australia AS
Used in most EFT and EFTPOS systems in the banking industry
  –It was reconfirmed as a standard for 5 years twice
  –Currently 3DES is recommended

DES
The standard is public, the design criteria are classified
One of the biggest controversies is the key size (56 bits)
  –W Diffie, M Hellman "Exhaustive Cryptanalysis of the NBS Data Encryption Standard" IEEE Computer 10(6), June 1977, pp74-84
  –M Hellman "DES will be totally insecure within ten years" IEEE Spectrum 16(7), Jul 1979, pp
Another controversy: is there a back door?

DES
DES has proven to be a well-designed code
56 bits has been proven inadequate
  –EFF built a cracker for around $200,000
  –Increase the key to 112 bits?
After brute force, the best known way to cryptanalyze DES is differential analysis
  –NSA knew this from the design??

DES
Uses Feistel principle
Many similarities with Lucifer
Improves on the S-Boxes

Simple DES
8-bit block with a 10-bit key
The encryption process is:
  –Initial Permutation
  –Function f_k1
  –Switch of the key halves
  –Function f_k2
  –Final Permutation (inverse of initial permutation)

Simple DES
Key generation
  –Initial permutation P10
  –Divide in left and right parts
  –Left shift and Merge
  –An 8-bit permutation, resulting in an 8-bit K1
  –Divide in left and right parts
  –Double left shift and Merge
  –An 8-bit permutation, resulting in an 8-bit K2

Simple DES
Structure of S-P boxes
  –S-Boxes

Simple DES
P-Boxes
  –P10
  –P8
  –P4

Simple DES
Example of key generation:
  –Key:
  –P10:
  –Split:
  –Lshift:
  –P8: K1
  –2 Lshift:
  –P8: K2

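The key-generation steps listed above, worked through in Python as an added example (not code from the original slides). It assumes the P10 and P8 tables of the commonly published S-DES description, since the slides name the tables without giving their values; the 10-bit key is a constructed sample.

```python
# Added example: S-DES subkey generation, step by step.
# ASSUMPTION: P10 and P8 are the tables of the commonly published S-DES
# description; the slides name them but their values are not on this page.
P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)


def permute(bits: str, table: tuple) -> str:
    """Pick bits by 1-based position, in table order."""
    return "".join(bits[i - 1] for i in table)


def rotl(half: str, n: int) -> str:
    """Circular left shift of one 5-bit half by n positions."""
    return half[n:] + half[:n]


def sdes_key_schedule(key: str) -> dict:
    """Return every intermediate value of the key generation as bit strings."""
    if len(key) != 10 or set(key) - {"0", "1"}:
        raise ValueError("S-DES key must be a string of exactly 10 bits")
    p10 = permute(key, P10)
    left, right = p10[:5], p10[5:]
    l1, r1 = rotl(left, 1), rotl(right, 1)
    # The double shift is applied to the halves that were already shifted once.
    l2, r2 = rotl(l1, 2), rotl(r1, 2)
    return {
        "Key": key, "P10": p10, "Split": f"{left} {right}",
        "Lshift": f"{l1} {r1}", "K1": permute(l1 + r1, P8),
        "2 Lshift": f"{l2} {r2}", "K2": permute(l2 + r2, P8),
    }


def dropped_positions() -> list:
    """Positions of the 10-bit shifted state that P8 never selects."""
    return sorted(set(range(1, 11)) - set(P8))


if __name__ == "__main__":
    # Constructed sample key, chosen only to trace the steps.
    for step, value in sdes_key_schedule("1010000010").items():
        print(f"{step:>9}: {value}")
    print("P8 drops state positions:", dropped_positions())
```

Each subkey uses only 8 of the 10 state bits, and the shifts between K1 and K2 change which key bits land in the two dropped positions.
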
Simple DES
Initial Permutation
  –IP
The substitution function
Expansion:

Simple DES
The function F is built from S0 and S1 as follows:
  –R is expanded by E
  –The expansion is XORed with the subkey
  –The first 4 bits are the input for S0, the last are the input to S1
  –If the input is I1 I2 I3 I4, then I1 I3 is the row to consider and I2 I3 is the column
  –The output then goes through P4

DES
It operates on 64-bit blocks with 56-bit keys
Uses 16 rounds, each round computed by a function f

DES
A round can be described as:
  –L_i = R_{i-1}
The key generation is performed
  –An initial permutation PC1 which selects 56 bits and divides them into two halves
  –In each round
      Select 24 bits from each half using a permutation function PC2
      Rotate left each half by one or two positions

DES
Properties of DES (per NSA)
  –All rows of all the S-boxes are permutations of 0, 1, …, 15
  –S-Boxes are not affine transformations of their input
  –A change in an input bit changes at least two output bits of the S-box
  –For any x and any S-box S, S(x) and S(x ) differ by at least two bits