The Data Encryption Standard (DES) of the National Bureau of Standard [FIPS publication 46, 1977 Jan. 15] describes a widely used algorithm for converting a digital input block into a digital output block. Such an algorithm is generally referred to as a block cipher. The DES algorithm is used for encrypting (enciphering) and decrypting (deciphering) binary coded information. Encrypting converts intelligible data, referred to as plaintext, into an unintelligible form, referred to as ciphertext. Decrypting the ciphertext converts the data back to its original form. In the so-called electronic code book mode, DES is used to encrypt blocks of 64 bits of plaintext into corresponding blocks of 64 bits of ciphertext. In this mode, the encryption uses keys which are derived from a 64 bit key, of which 56 bits may be freely selected. FIG. 1 shows the overall structure of DES during encrypting. In the encrypting computation, the input (64 bit plaintext) is first permuted using a 64 bit fixed permutation IP. The result is split into 32 left bits L0 and 32 right bits R0. The right bits are transformed using a cipher function f(R0,K1), where K1 is a sub-key. The result f(R0,K1) is added (bit-wise modulo 2) to the left bits, followed by interchanging the two resulting 32 bit blocks L0□f(R0,K1) and R0. This procedure is continued iteratively for a total of 16 rounds. At the end of the last round the inverse permutation of the initial permutation IP is applied.
In the calculation of f(Ri,Ki+1) the 32 right bits Ri are first expanded to 48 bits in the box E, as illustrated in FIG. 2. According to a given table this expansion is performed by taking some input bits twice as an output bit and others only once. Then, the expanded 48 bits are added (bit-wise modulo 2) to the 48 key bits Ki. The resulting 48 bits are split into 8 groups of 6 bits each. Each of these groups is processed by an S box (Si), which reduces the 6 bits to 4 bits in a non-linear operation. The eight Si boxes are given in the form of a table. The total output is 32 bits, which is permuted in the box P. P is also given in the form of a table.
FIG. 3 illustrates the key schedule calculation. The key consists of 64 bits, of which only 56 are used in the algorithm. Those 56 bits should be chosen randomly. Eight complementing error detecting bits are used to make the parity of each byte of the key odd. The selection of the 56 bits is performed in box PC1, together with a permutation. The result is split into two 28 bit words C0 and D0. To obtain the 48 key bits for each round, first the words C0 and D0 are left shifted once or twice. A selection and a permutation PC2 are then applied to the result. The output of PC2 is the 48 bit sub-key K1 which is used in f(R0,K1). The process of shifting, selecting and permutating is repeated to generate a sub-key for each round. A table specifies how many shifts must be performed to obtain the next 48 bits of the sub-key for the following round.
The same algorithm and key can be used for decrypting a ciphertext. The initial permutation for the decrypting cancels the inverse permutation of the encrypting. Each round consists of a, so-called, Feistel cipher. It is well-known that for Feistel-ciphers the inverse operation consists of using the same rounds as used for encrypting but applying the sub-keys in inverse order. As such, the first decrypting round must be supplied with the same sub-key as used for the sixteenth encrypting round, the second decrypting round must be supplied with the same sub-key as used for the fifteenth encrypting round, etc. It is also well-known how the DES algorithm can be used in other encryption modes, such as the cipher feedback mode. In this mode, the DES algorithm is used to generate a stream of statistically random binary bits, which are combined with the plaintext, using, for instance, an exclusive-or logic operation.
The DES algorithm, in essence, comprises an initial permutation, followed by sixteen key-dependent computations on part of the data and terminated with an inverse permutation. Each key dependent computation comprises adding (modulo 2) key-dependent bits to the data part, followed by a non-linear operation on sub-blocks of the data part, and terminated by a permutation (linear operation) of the data part.
In general, DES is considered to be a good encryption/decryption tool. It is, however, an open question whether or not DES has remained secure over the past years, particularly in view of the recent very powerful differential cryptanalytic attacks.