Chapter 4

The Data Encryption Standard



In 1973, the National Bureau of Standards (NBS), later to become the National Institute of Standards and Technology (NIST), issued a public request seeking a cryptographic algorithm to become a national standard. IBM submitted an algorithm called LUCIFER in 1974. The NBS forwarded it to the National Security Agency, which reviewed it and, after some modifications, returned a version that was essentially the Data Encryption Standard (DES) algorithm. In 1975, NBS released DES, as well as a free license for its use, and in 1977 NBS made it the official data encryption standard.

DES has been used extensively in electronic commerce, for example in the banking industry. If two banks want to exchange data, they first use a public key method such as RSA to transmit a key for DES, then they use DES for transmitting the data. It has the advantage of being very fast and reasonably secure.

From 1975 on, there has been controversy surrounding DES. Some regarded the key size as too small. Many were worried about NSA's involvement. For example, had they arranged for it to have a "trapdoor" - in other words, a secret weakness that would allow only them to break the system? It has also been suggested that NSA modified the design to avoid the possibility that IBM had inserted a trapdoor in LUCIFER. In any case, the design decisions remained a mystery for many years.

In 1990, Eli Biham and Adi Shamir showed how their method of differential cryptanalysis could be used to attack DES. The DES algorithm involves 16 rounds; differential cryptanalysis would be more efficient than exhaustively searching all possible keys if the algorithm used at most 15 rounds. This indicated that perhaps the designers of DES had been aware of this type of attack. A few years later, IBM released some details of the design criteria, which showed that indeed they had constructed the system to be resistant to differential cryptanalysis. This cleared up at least some of the mystery surrounding the algorithm.

The DES has lasted for a long time, but is becoming outdated. Brute force searches (see Section 4.6), though expensive, can now break the system. Therefore, NIST replaced it with a new system in the year 2000. However, it is worth studying DES since it represents a popular class of algorithms and it has been one of the most frequently used cryptographic algorithms in history.

The DES is a block cipher; namely, it breaks the plaintext into blocks of 64 bits, and encrypts each block separately. The actual mechanics of how this is done is often called a Feistel system, after Horst Feistel, who was part of the IBM team that developed LUCIFER. In the next section, we give a simple algorithm that has many of the characteristics of this type of system, but is small enough to use as an example. In Section 4.3, we show how differential cryptanalysis can be used to attack this simple system. We give the DES algorithm in Section 4.4, and describe ways it is implemented in Section 4.5. Finally, in Section 4.6, we describe recent progress in breaking DES. For an extensive discussion of block ciphers, see [Schneier].


A Simplified DES-Type Algorithm

The DES algorithm is rather unwieldy to use for examples, so in the present section we present an algorithm that has many of the same features, but is much smaller. Like DES, the present algorithm is a block cipher. Since the blocks are encrypted separately, we assume throughout the present discussion that the full message consists of only one block. The message has 12 bits and is written in the form $L_0R_0$, where $L_0$ consists of the first 6 bits and $R_0$ consists of the last 6 bits. The key $K$ has 9 bits. The $i$th round of the algorithm transforms an input $L_{i-1}R_{i-1}$ to the output $L_iR_i$ using an 8-bit key $K_i$ derived from $K$. The main part of the encryption process is a function $f(R_{i-1}, K_i)$ that takes a 6-bit input $R_{i-1}$ and an 8-bit input $K_i$, and produces a 6-bit output. This will be described later. The output for the $i$th round is defined as follows:

$$L_i = R_{i-1} \quad \text{and} \quad R_i = L_{i-1} \oplus f(R_{i-1}, K_i),$$

Figure 4.1: One Round of a Feistel System.

where $\oplus$ denotes XOR, namely bit-by-bit addition mod 2. This is depicted in Figure 4.1. This operation is performed for a certain number of rounds, say $n$, and produces the ciphertext $L_nR_n$.

How do we decrypt? Start with $L_nR_n$ and switch left and right to obtain $R_nL_n$. (Note: This switch is built into the DES encryption algorithm, so it is not needed when decrypting DES.) Now use the same procedure as before, but with the keys $K_i$ used in reverse order $K_n, \ldots, K_1$. Let's see how this works. The first step takes $R_nL_n$ and gives the output $[L_n][R_n \oplus f(L_n, K_n)]$.

We know from the encryption procedure that $L_n = R_{n-1}$ and $R_n = L_{n-1} \oplus f(R_{n-1}, K_n)$. Therefore,

$$[L_n][R_n \oplus f(L_n, K_n)] = [R_{n-1}][L_{n-1} \oplus f(R_{n-1}, K_n) \oplus f(L_n, K_n)] = [R_{n-1}][L_{n-1}].$$

The last equality again uses $L_n = R_{n-1}$, so that $f(R_{n-1}, K_n) \oplus f(L_n, K_n)$ is 0. Similarly, the second step of decryption sends $R_{n-1}L_{n-1}$ to $R_{n-2}L_{n-2}$. Continuing, we see that the decryption process leads us back to $R_0L_0$. Switching the left and right halves, we obtain the original plaintext $L_0R_0$, as desired.

Note that the decryption process is essentially the same as the encryption process. We simply need to switch left and right and use the keys $K_i$ in reverse order. Therefore, both the sender and receiver use a common key and they can use identical machines (though the receiver needs to reverse left and right inputs).

So far, we have said nothing about the function $f$. In fact, any $f$ would work in the above procedures. But some choices of $f$ yield much better security than others. The type of $f$ used in DES is similar to that which we describe next. It is built up from a few components.

The first function is an expander. It takes an input of 6 bits and outputs 8 bits. The one we use is given in Figure 4.2.

Figure 4.2: The Expander Function.

This means that the first input bit yields the first output bit, the third input bit yields both the fourth and the sixth output bits, etc. For example, 011001 is expanded to 01010101.

The main components are called S-boxes. We use two:

$$S_1 = \begin{bmatrix} 101 & 010 & 001 & 110 & 011 & 100 & 111 & 000 \\ 001 & 100 & 110 & 010 & 000 & 111 & 101 & 011 \end{bmatrix}$$

$$S_2 = \begin{bmatrix} 100 & 000 & 110 & 101 & 111 & 001 & 011 & 010 \\ 101 & 011 & 000 & 111 & 110 & 010 & 001 & 100 \end{bmatrix}$$

The input for an S-box has 4 bits. The first bit specifies which row will be used: 0 for the first row, 1 for the second. The other 3 bits represent a binary number that specifies the column: 000 for the first column, 001 for the second, ..., 111 for the last column. The output for the S-box consists of the three bits in the specified location. For example, an input of 1010 for $S_1$ means we look at the second row, third column, which yields the output

The key $K$ consists of 9 bits. The key $K_i$ for the $i$th round of encryption is obtained by using 8 bits of $K$, starting with the $i$th bit. For example, if $K = 010011001$, then $K_4 = 01100101$ (after 5 bits, we reached the end of $K$, so the last 2 bits were obtained from the beginning of $K$).

We can now describe $f(R_{i-1}, K_i)$. The input $R_{i-1}$ consists of 6 bits. The expander function is used to expand it to 8 bits. The result is XORed with $K_i$ to produce another 8-bit number. The first 4 bits are sent to $S_1$, and the last 4 bits are sent to $S_2$. Each S-box outputs 3 bits, which are concatenated to form a 6-bit number. This is $f(R_{i-1}, K_i)$. We present this in Figure 4.3.

Figure 4.3: The Function $f(R_{i-1}, K_i)$.


For example, suppose $R_{i-1} = 100110$ and $K_i = 01100101$. The expander applied to 100110 gives 10101010, and we have

$$10101010 \oplus K_i = 10101010 \oplus 01100101 = 11001111.$$

The first 4 bits are sent to $S_1$ and the last 4 bits are sent to $S_2$. The second row, fifth column of $S_1$ contains 000. The second row, last column of $S_2$ contains 100. Putting these outputs one after the other yields $f(R_{i-1}, K_i) = 000100$.


We can now describe what happens in one round. Suppose the input is $L_{i-1}R_{i-1} = 011100100110$ and $K_i = 01100101$, as previously. This means that $R_{i-1} = 100110$, as in the example just discussed. Therefore, $f(R_{i-1}, K_i) = 000100$. This is XORed with $L_{i-1} = 011100$ to yield $R_i = 011000$. Since $L_i = R_{i-1}$, we obtain $L_iR_i = 100110011000$. The output becomes the input for the next round.


Differential Cryptanalysis

This section is rather technical and can be skipped on a first reading. Differential cryptanalysis was introduced by Biham and Shamir around 1990, though it was probably known much earlier to the designers of DES at IBM and NSA. The idea is to compare the differences in the ciphertexts for suitably chosen pairs of plaintexts and thereby deduce information about the key. Note that the difference of two strings of bits can be found by XORing them. Because the key is introduced by XORing it with the expanded $R_{i-1}$, looking at the XOR of the inputs removes the effect of the key at this stage and hence removes some of the randomness introduced by the key. We'll see that this allows us to deduce information as to what the key could be.


Differential Cryptanalysis for Three Rounds

We eventually want to describe how to attack the above system when it uses four rounds, but we need to start by analyzing three rounds. Therefore, we temporarily start with $L_1R_1$ instead of $L_0R_0$. The situation is now as follows. We have obtained access to a three-round encryption device that uses the preceding procedure. We know all the inner workings of the encryption algorithm such as the S-boxes, but we do not know the key. We want to find the key by a chosen plaintext attack. We use various inputs and obtain outputs $L_4R_4$. We have

$$R_2 = L_1 \oplus f(R_1, K_2)$$

$$L_3 = R_2 = L_1 \oplus f(R_1, K_2)$$

$$R_4 = L_3 \oplus f(R_3, K_4) = L_1 \oplus f(R_1, K_2) \oplus f(R_3, K_4).$$

Suppose we have another message $L_1^*R_1^*$ with $R_1^* = R_1$. For each $i$, let $R_i' = R_i \oplus R_i^*$ and $L_i' = L_i \oplus L_i^*$. Then $L_i'R_i'$ is the difference (or sum; we are working mod 2) of $L_iR_i$ and $L_i^*R_i^*$. The preceding calculation applied

