Textbook: Introduction to Cryptography 2nd ed.
By J.A. Buchmann
Chap 5 Data Encryption Standard (DES)
Department of Computer Science and Information Engineering,
Chaoyang University of Technology
朝陽科技大學資工系
Speaker: Fuw-Yi Yang 楊伏夷
伏夷非征番,
道德經 察政章(Chapter 58) 伏者潛藏也
道紀章(Chapter 14) 道無形象, 視之不可見者曰夷
Fuw-Yi Yang
1
Contents
Feistel Ciphers
DES Algorithm
Plaintext and ciphertext space
Initial permutation
Internal block cipher
S-boxex
Keys
Decryption
An example
Fuw-Yi Yang
2
5.1 Feistel Ciphers
The DES algorithm is a so-called Festal cipher.
We use a block cipher with alphabet {0, 1}. Let t be its block length.
Let fK be the encryption function for the key K.
The Festal cipher that is constructed from these ingredients is a block
cipher with block length 2t and alphabet {0, 1}. We fix a number r  1
of rounds, a key space K, and a method that, from any key k  K,
generates a sequence K1,…,Kr of round keys that belong to the key
space of the underlying block cipher.
The encryption function Ek of the Festal cipher for key k  K works
as follows. Let p be a plaintext of length 2t. We split it into two halves
of length t; that is, we write p = (L0, R0), where L0 is the left half and
R0 is the right half.
Fuw-Yi Yang
3
5.1 Feistel Ciphers
Then the sequence
(Li, Ri) = (Ri-1, Li-1  fKi(Ri-1)), 1  i  r
is constructed, and we set
Ek(L0, R0) = (Rr, Lr).
Clearly the security of the Feistel cipher depends on the security of the
internal block cipher. The security is increased by iterated application.
The decryption of the Feistel cipher is obtained
(Ri-1, Li-1) = (Li, Ri  fKi(Li)), 1  i  r.
Using this sequence in r rounds with the reverse key sequence
(Kr, Kr-1,…,K1) the plaintext p = (L0, R0) is reconstructed.
Fuw-Yi Yang
4
5.2 DES algorithm
5.2.1 Plaintext and ciphertext space
The DES cryptosystem is a slightly modified Feistel cipher with
alphabet {0, 1} and block length 64.
The plaintext and ciphertext space of DES are P = C = {0, 1}64. 5
The DES keys are all bitstrings of length 64 with the following
property.
8
b 8 k  i  1 mod 2, 0  k  7}.
K = {(b1, b2,…,b64) {0, 1}64: 
i 1
The number of DES keys is 256  7.2 * 1016.
Fuw-Yi Yang
5
5.2 DES algorithm
5.2.1 Plaintext and ciphertext space
Example 5.2.1 A valid hexadecimal DES key is
13 34 57 79 9B BC DF F1.
0
0
0
1
0
0
1
1
0
0
1
1
0
1
0
0
0
1
0
1
0
1
1
1
0
1
1
1
1
0
0
1
1
0
0
1
1
0
1
1
1
0
1
1
1
1
0
0
1
1
0
1
1
1
1
1
1
1
1
1
0
0
0
1
Fuw-Yi Yang
6
5.2 DES algorithm
5.2.2 Initial permutation
Given a plaintext p, DES works in three steps.
Prior to the Feistel encryption, DES applies an initial permutation (IP)
to p. Tables IP and IP-1 are shown below. Table IP (left) is read as
follows: if p = p1…p64  {0, 1}64, then IP(p) = p58 p50 p42…p7.
40
8
48
16
56
24
64
32
39
7
47
15
55
23
63
31
6
38
6
46
14
54
22
62
30
16
8
37
5
45
13
53
21
61
29
17
9
1
36
4
44
12
52
20
60
28
27
19
11
3
35
3
43
11
51
19
59
27
37
29
21
13
5
34
2
42
10
50
18
58
26
39
31
23
15
7
33
1
41
9
49
17
57
25
58
50
42
34
26
18
10
2
60
52
44
36
28
20
12
4
62
54
46
38
30
22
14
64
56
48
40
32
24
57
49
41
33
25
59
51
43
35
61
53
45
63
55
47
IP
IP-1
Fuw-Yi Yang
7
5.2 DES algorithm
5.2.2 Initial permutation
A 16-round Feistel cipher is applied to the permuted plaintext. Finally,
the ciphertext is constructed using the inverse permutation IP-1:
c = IP-1(R16L16).
Fuw-Yi Yang
8
5.2 DES algorithm
5.2.3 Internal block cipher
We describe the block cipher on which the DES Feistel cipher is
based. Its alphabet is {0, 1}, its block length is 32, and its key space is
{0, 1}48. We explain the encryption function fK: {0, 1}32  {0, 1}32 for
a key K  {0, 1}48.
Fuw-Yi Yang
9
5.2 DES algorithm
5.2.3 Internal block cipher
R 32 Bits
K 48 Bits
E() expansion
function

E(R) 48 Bits
S-Box
B1(6 bits) B2
B3
B4
B5
B6
B7
B8
S1
S3
S4
S5
S6
S7
S8
S2
C1(4 bits) C2 C3
P() permutation
function
C4 C5 C6 C7 C8
F(R, K)
Fuw-Yi Yang
32 bits
10
5.2 DES algorithm
5.2.3 Internal block cipher
P( )
E( )
32 1
2
3
4
5
16 7
4
5
6
7
8
9
29 12 28 17
8
9
10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
10 21
1
15 23 26
5
18 31 20
2
8
24 14
32 27 3
9
19 13 30 6
22 11 4
25
28 29 30 31 32 1
Fuw-Yi Yang
11
5.2 DES algorithm
5.2.4 S-boxes
Now we describe the S-boxes Si, 1  i  8. They are the heart of
DES because they are highly nonlinear.
For each string B = b1b2b3b4b5b6, the value Si(B) is computed as
follows. The integer with binary expansion b1b6 is used as the row
index. The integer with binary expansion b2b3b4b5 is used as the
column index.
Example 5.2.2 S1(001011)  2  0010
Row 1
Column 5
Fuw-Yi Yang
12
5.2 DES algorithm
5.2.4 S-boxes
Row
Column
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
S1
0
14
4
13
1
2
15
11
8
3
10
6
12
5
9
0
7
1
0
15
7
4
14
2
13
1
10
6
12
11
9
5
3
8
2
4
1
14
8
13
6
2
11
15
12
9
7
3
10
5
0
3
15
12
8
2
4
9
1
7
5
11
3
14
10
0
6
13
9
7
2
13
12
0
5
10
S2
0
15
1
1
3
13
8
14
6
11
3
4
Fuw-Yi Yang
13
5.2 DES algorithm
5.2.5 Keys
Finally, we explain how the round keys are computed.
Let k  {0, 1}64 be a DES key.
We generate the round keys Ki, 1  i  16, of length 48.
The values vi, 1  i  16, are defined as: vi= 1for i = 1, 2, 9, 16;
vi= 0 otherwise.
The round keys are computed by the following algorithm using the
functions
PC1: {0, 1}64  {0, 1}28  {0, 1}28 ,
PC2: {0, 1}28  {0, 1}28 {0, 1}48 ,
which are described later.
Fuw-Yi Yang
14
5.2 DES algorithm
5.2.5 Keys
1. Set (C0, D0) = PC1(k).
2. For 1  i  16, do the following:
(a) Let Ci be the string that is obtained from Ci-1 by a circular left
shift of vi positions.
(b) Let Di be the string that is obtained from Di-1 by a circular left
shift of vi positions.
(c) Determine Ki = PC2(Ci, Di).
Fuw-Yi Yang
15
5.2 DES algorithm
5.2.5 Keys
PC1
PC2
57
49
41
33
25
17
9
14
17
11
24
1
5
1
58
50
42
34
26
18
3
28
15
6
21
10
10
2
59
51
43
35
27
23
19
12
4
26
8
19
11
3
60
52
44
36
16
7
27
20
13
2
63
55
47
39
31
23
15
41
52
31
37
47
55
7
62
54
46
38
30
22
30
40
51
45
33
48
14
6
61
53
45
37
29
44
49
39
56
34
53
21
13
5
28
20
12
4
46
42
50
36
29
32
Fuw-Yi Yang
16
5.2 DES algorithm
5.2.6 Decryption
To decrypt a ciphertext, DES is applied with the reverse key sequence.
Fuw-Yi Yang
17
5.3 An Example
We encrypt the plaintext p = 0123456789ABCDEF.
Its binary expansion is:
0 0 0 0 0 0 0 1
1 1 0 0 1 1 0 0
0 0 1 0 0 0 1 1
0 0 0 0 0 0 0 0
0 1 0 0 0 1 0 1
1 1 0 0 1 1 0 0
0 1 1 0 0 1 1 1
1 0 0 0 1 0 0 1
Application
of IP
L0
1 1 1 1 1 1 1 1
1 1 1 1 0 0 0 0
1 0 1 0 1 0 1 1
1 0 1 0 1 0 1 0
1 1 0 0 1 1 0 1
1 1 1 1 0 0 0 0
1 1 1 0 1 1 1 1
1 0 1 0 1 0 1 0
Fuw-Yi Yang
R0
18
5.3 An Example
L0 = 1100 1100 0000 0000 1100 1100 1111 1111,
R0 = 1111 0000 1010 1010 1111 0000 1010 1010,
p = 0123456789ABCDEF,
k = 1334 5779 9BBC DFF1 its binary expansion is shown below:
0
0
0
1
0
0
1
1
0
0
1
1
0
1
0
0
0
1
0
1
0
1
1
1
0
1
1
1
1
0
0
1
1
0
0
1
1
0
1
1
1
0
1
1
1
1
0
0
1
1
0
1
1
1
1
1
1
1
1
1
0
0
0
1
We compute the round keys:
Set (C0, D0) = PC1(k).
C0 = 1111 0000 1100 1100 1010 1010 1111,
D0 = 1111 0000 1100 1100 1010 1010 1111,
C1 = 111 0000 1100 1100 1010 1010 11111,
D1 = 111 0000 1100 1100 1010 1010 11111,
Fuw-Yi Yang
19
5.3 An Example
L0 = 1100 1100 0000 0000 1100 1100 1111 1111,
R0 = 1111 0000 1010 1010 1111 0000 1010 1010,
p = 0123456789ABCDEF,
C0 = 1111 0000 1100 1100 1010 1010 1111,
D0 = 1111 0000 1100 1100 1010 1010 1111,
C1 = 1110 0001 1001 1001 0101 0101 1111,
D1 = 1110 0001 1001 1001 0101 0101 1111,
K1 = PC2(C1,D1) =
0001 1011 0000 0010 1110 1111 1111 1100 0111 0000 0111 0010
Fuw-Yi Yang
20
5.3 An Example
L0 = 1100 1100 0000 0000 1100 1100 1111 1111,
R0 = 1111 0000 1010 1010 1111 0000 1010 1010,
p = 0123456789ABCDEF,
K1 = 0001 1011 0000 0010 1110 1111 1111 1100 0111 0000 0111 0010
E(R0) = 0111 1010 0001 0101 0101 0101 0111 1010 0001 0101 0101 0101
E(R0) K1 = 011000 010001 011110 111010 100001 100110 010100 100111
f(R0, K1) = ……….
Fuw-Yi Yang
21