CSIS 5857: Encoding and Encryption

DES Analysis and Attacks
Outline
• Confusion and diffusion
• Attacks and weaknesses
– Linear cryptanalysis attacks
– Weak keys
• Exhaustive search attacks
– Use of multiple keys
– Meet in the middle attacks
– Triple DES
Confusion and Diffusion
• Use of inputs to create round key assures each plaintext bit affects many ciphertext bits
• Use of shifts and permutations in key generation assures each key bit affects many ciphertext bits
Cryptanalysis
• Differential Cryptanalysis:
Using similar plaintexts to look for patterns in how ciphertext is generated
• Linear Cryptanalysis:
Attempting to approximate entire cipher as one big set of linear equations
– Finding solutions to set of linear equations is well studied in engineering
– Possible if all S-boxes linear
– n bit key requires n known plaintexts to solve
Linear S-Boxes
• Linear n x m S-Box can be expressed as linear equations of form:
c1 = a11·x1 ⊕ a12·x2 ⊕ … ⊕ a1n·xn
c2 = a21·x1 ⊕ a22·x2 ⊕ … ⊕ a2n·xn
…
cm = am1·x1 ⊕ am2·x2 ⊕ … ⊕ amn·xn
where xi is ith input bit
ci is ith ciphertext bit
aij is either 0 or 1
• Each ciphertext bit is defined as the XOR of certain input bits
Linear S-Boxes
• Example of linear 3x3 S-Box (row = x1, column = x2x3, entry = c1c2c3):
      00   01   10   11
0    000  011  111  100
1    110  101  001  010
• Corresponding linear equations
c1 = x1 ⊕ x2 = 1·x1 ⊕ 1·x2 ⊕ 0·x3
c2 = x1 ⊕ x2 ⊕ x3 = 1·x1 ⊕ 1·x2 ⊕ 1·x3
c3 = x2 ⊕ x3 = 0·x1 ⊕ 1·x2 ⊕ 1·x3
Linear Cryptanalysis Example
• Example: Above S-Box used after XOR stage
• S-Box input bit xi = pi ⊕ ki
• Resulting equations:
c1 = (p1 ⊕ k1) ⊕ (p2 ⊕ k2)
c2 = (p1 ⊕ k1) ⊕ (p2 ⊕ k2) ⊕ (p3 ⊕ k3)
c3 = (p2 ⊕ k2) ⊕ (p3 ⊕ k3)
• Can now solve for key bits!
k1 = p1 ⊕ (c1 ⊕ c2 ⊕ c3)
k2 = p1 ⊕ (c1 ⊕ c2)
k3 = p1 ⊕ (c2 ⊕ c3)
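An added example (not part of the original slides) of the attack on this one-stage construction: it checks that the S-Box table is linear, reads the coefficient matrix off the table, inverts it over GF(2) by Gaussian elimination, and recovers the key from a single known plaintext/ciphertext pair. The function names are assumptions made for this sketch.

```python
# Added example: key recovery against the linear 3x3 S-Box above.
from itertools import product

# S-Box table from the slide: row = x1, column = x2x3, entry = c1c2c3.
SBOX = {0: ["000", "011", "111", "100"],
        1: ["110", "101", "001", "010"]}

def sbox(x):
    """Look up a 3-bit input tuple (x1, x2, x3) in the table."""
    x1, x2, x3 = x
    return tuple(int(b) for b in SBOX[x1][2 * x2 + x3])

def xor(a, b):
    return tuple(i ^ j for i, j in zip(a, b))

def is_linear(f, n=3):
    """f is linear over GF(2) iff f(a XOR b) == f(a) XOR f(b) for all a, b."""
    pts = list(product((0, 1), repeat=n))
    return all(f(xor(a, b)) == xor(f(a), f(b)) for a in pts for b in pts)

def matrix_of(f, n=3):
    """Rows of A with c = A.x, read off from the images of the unit vectors."""
    cols = [f(tuple(int(i == j) for i in range(n))) for j in range(n)]
    return [[cols[j][i] for j in range(n)] for i in range(n)]

def invert_gf2(a):
    """Gauss-Jordan elimination over GF(2)."""
    n = len(a)
    m = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(a)]
    for col in range(n):
        piv = next(r for r in range(col, n) if m[r][col])  # StopIteration if singular
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col and m[r][col]:
                m[r] = [u ^ v for u, v in zip(m[r], m[col])]
    return [row[n:] for row in m]

def recover_key(p, c):
    """Solve c = A.(p XOR k) for k using one known plaintext/ciphertext pair."""
    inv = invert_gf2(matrix_of(sbox))
    x = tuple(sum(a & b for a, b in zip(row, c)) % 2 for row in inv)
    return xor(x, p)

def encrypt(p, k):
    """The construction on the slide: XOR with the key, then the S-Box."""
    return sbox(xor(p, k))
```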
Linear Cryptanalysis
• Possible if cipher uses only linear components
– Permutation boxes linear by definition!
Shifting from position i to position j is equation
cj = 0·p1 ⊕ 0·p2 ⊕ … ⊕ 1·pi ⊕ … ⊕ 0·pn
• Therefore, S-Boxes must not be linear!
– They are the only possible nonlinear component
Cryptanalysis Attacks on DES
• Linear Cryptanalysis
– DES not designed for this attack (invented after DES released)
– However, DES S-Boxes not linear
– 2^43 known plaintexts needed to break DES using linear cryptanalysis
Weak Keys
• Keys that leave plaintext vulnerable in some way
– Simple example: k = 26 in Caesar cipher
• Weak keys in DES produce same round key for multiple rounds
– 4 keys give same round key every round
– 8 keys give only 2 distinct round keys
– 48 keys give only 4 distinct round keys
– Odds unlikely (8.8 x 10^-16), but should still check randomly generated keys
Exhaustive Search Attacks
• 56-bit key not computationally secure
• Parallel processing attacks
– Computer with 1 million chips (1998) → key found in 112 hours
– Network of 3500 computers (1977) → key found in 120 days
• 56-bit key not recommended by NIST!
[Figure: “all clones test different keys!”]
Multiple Stage DES
• No way to use larger key in DES
– Structure “hardwired”
• Only solution: multiple stage DES
– Different keys used each stage
– Output ciphertext of one stage → input plaintext of next stage
Multiple Stage DES
• Multiple stages with different keys greatly increases number of possible ciphertexts
[Figure: possible ciphertexts after applying K1; possible ciphertexts after applying K1 and K2]
– (2^64)! possible mappings from 2^64 possible input blocks to 2^64 possible output blocks
– Only 2^56 possible keys (tiny fraction of the above)
– Extremely unlikely that there exists K3 such that E(E(P, K1), K2) = E(P, K3)
“Meet In The Middle” Attack
• Theoretically, two stages should be sufficient
– Adversary would have to try all combinations of possible K1 and K2
– 2^56 x 2^56 = 2^112 possible combinations of keys
• Vulnerable to “meet in the middle” attack
– Adversary has a known plaintext P and ciphertext C
– Works forward encrypting P with all possible K1
– Works backward decrypting C with all possible K2
– Stores results and searches for matches
“Meet In The Middle” Attack
[Figure: “I’ll try all K1 and store the results in a table” (table of all possible M created by encrypting P); “I’ll try all K2 and store the results in another table” (table of all possible M created by decrypting C); “Now I’ll compare the two and look for any matches”]
“Meet In The Middle” Attack
• M’s (and keys K1 and K2 that created them) kept in sorted tables
– 2^56 runs to create each table
– 56 x 2^56 comparisons to find matches
– Match gives plausible values for K1 and K2
• “Double DES” not computationally secure
[Figure: two sorted tables, one of M with K1 and one of M with K2; the entry M = 1010001…10, K1 = 0110100…01 lines up with the entry M = 1010001…10, K2 = 1100110…00: “These match”, “So this might be K1 and K2”]
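The meet-in-the-middle procedure from the preceding slides, as an added example that is not part of the original slides. It runs against double encryption with a hypothetical toy Feistel cipher (32-bit block, 16-bit key) standing in for DES so that the tables fit in memory, and it uses a hash table in place of the sorted tables; all names are assumptions made for this sketch.

```python
# Added example: meet-in-the-middle against double encryption with a TOY cipher.
# toy_encrypt is a hypothetical 4-round Feistel (32-bit block, 16-bit key); it
# stands in for DES so that the search finishes in about a second.
from collections import defaultdict

def _f(half, key, rnd):
    """Round function: mix a 16-bit half with a rotated copy of the key."""
    rk = ((key << rnd) | (key >> (16 - rnd))) & 0xFFFF
    return ((half ^ rk) * 40503 + rnd) & 0xFFFF

def toy_encrypt(block, key):
    left, right = block >> 16, block & 0xFFFF
    for rnd in range(1, 5):
        left, right = right, left ^ _f(right, key, rnd)
    return (left << 16) | right

def toy_decrypt(block, key):
    left, right = block >> 16, block & 0xFFFF
    for rnd in range(4, 0, -1):
        left, right = right ^ _f(left, key, rnd), left
    return (left << 16) | right

def double_encrypt(block, k1, k2):
    return toy_encrypt(toy_encrypt(block, k1), k2)

def meet_in_the_middle(pairs, key_bits=16):
    """Return every (K1, K2) consistent with all known (P, C) pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    forward = defaultdict(list)            # M -> all K1 with E(P, K1) == M
    for k1 in range(1 << key_bits):
        forward[toy_encrypt(p0, k1)].append(k1)
    found = []
    for k2 in range(1 << key_bits):        # M' = D(C, K2); a hit means M == M'
        for k1 in forward.get(toy_decrypt(c0, k2), ()):
            # A match on one pair is only plausible: confirm on the others.
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                found.append((k1, k2))
    return found
```

The search costs about 2 x 2^16 cipher operations here instead of the 2^32 a search over all key pairs would need, which is the same ratio that reduces Double DES from 2^112 to roughly 2^57 operations.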
Triple DES
• Need at least three stages of encryption
– “Meet in middle” attack can only take place after at least two stages
– Effectively the same as 112 bit key
[Figure: three stages keyed K1, K2, K3; “I can only attack here”]
Triple DES With Two Keys
• Just use K1 twice (in first and last stage)
• Shorter keys (112 bits instead of 168 bits)
• Still secure (have to try all K1 and K2 to do meet in middle attack)
[Figure: “Still too hard to crack”]
Efficiency of DES
• Fast if burned into hardware
– Basic structure corresponds to wiring diagram
• Slow if executed as software
– Basic structure doesn’t fit into registers
– Much swapping between RAM/registers required
• 3DES even slower