The Data Encryption Standard (DES ) is a
symmetric-key algorithm
Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between ...
for the
encryption
In Cryptography law, cryptography, encryption (more specifically, Code, encoding) is the process of transforming information in a way that, ideally, only authorized parties can decode. This process converts the original representation of the inf ...
of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of
cryptography
Cryptography, or cryptology (from "hidden, secret"; and ''graphein'', "to write", or ''-logy, -logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of Adversary (cryptography), ...
.
Developed in the early 1970s at
IBM
International Business Machines Corporation (using the trademark IBM), nicknamed Big Blue, is an American Multinational corporation, multinational technology company headquartered in Armonk, New York, and present in over 175 countries. It is ...
and based on an earlier design by
Horst Feistel, the algorithm was submitted to the
National Bureau of Standards
The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical sc ...
(NBS) following the agency's invitation to propose a candidate for the protection of sensitive, unclassified electronic government data. In 1976, after consultation with the
National Security Agency
The National Security Agency (NSA) is an intelligence agency of the United States Department of Defense, under the authority of the director of national intelligence (DNI). The NSA is responsible for global monitoring, collection, and proces ...
(NSA), the NBS selected a slightly modified version (strengthened against
differential cryptanalysis
Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in information input can a ...
, but weakened against
brute-force attacks), which was published as an official
Federal Information Processing Standard The Federal Information Processing Standards (FIPS) of the United States are a set of publicly announced standards that the National Institute of Standards and Technology (NIST) has developed for use in computer systems of non-military United Stat ...
(FIPS) for the United States in 1977.
[
The publication of an NSA-approved encryption standard led to its quick international adoption and widespread academic scrutiny. Controversies arose from classified design elements, a relatively short key length of the symmetric-key block cipher design, and the involvement of the NSA, raising suspicions about a backdoor. The S-boxes that had prompted those suspicions were designed by the NSA to address a vulnerability they secretly knew (]differential cryptanalysis
Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in information input can a ...
). However, the NSA also ensured that the key size was drastically reduced so that they could break the cipher by brute force attack. The intense academic scrutiny the algorithm received over time led to the modern understanding of block ciphers and their cryptanalysis
Cryptanalysis (from the Greek ''kryptós'', "hidden", and ''analýein'', "to analyze") refers to the process of analyzing information systems in order to understand hidden aspects of the systems. Cryptanalysis is used to breach cryptographic se ...
.
DES is insecure due to the relatively short 56-bit key size. In January 1999, distributed.net and the Electronic Frontier Foundation
The Electronic Frontier Foundation (EFF) is an American international non-profit digital rights group based in San Francisco, California. It was founded in 1990 to promote Internet civil liberties.
It provides funds for legal defense in court, ...
collaborated to publicly break a DES key in 22 hours and 15 minutes (see ). There are also some analytical results which demonstrate theoretical weaknesses in the cipher, although they are infeasible in practice. DES has been withdrawn as a standard by the NIST
The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical s ...
.[ Later, the variant Triple DES was developed to increase the security level, but it is considered insecure today as well. DES has been superseded by the ]Advanced Encryption Standard
The Advanced Encryption Standard (AES), also known by its original name Rijndael (), is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.
AES is a variant ...
(AES).
Some documents distinguish between the DES standard and its algorithm, referring to the algorithm as the DEA (Data Encryption Algorithm).
History
The origins of DES date to 1972, when a National Bureau of Standards
The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical sc ...
study of US government computer security
Computer security (also cybersecurity, digital security, or information technology (IT) security) is a subdiscipline within the field of information security. It consists of the protection of computer software, systems and computer network, n ...
identified a need for a government-wide standard for encrypting unclassified, sensitive information.
Around the same time, engineer Mohamed Atalla in 1972 founded Atalla Corporation and developed the first hardware security module (HSM), the so-called "Atalla Box" which was commercialized in 1973. It protected offline devices with a secure PIN generating key, and was a commercial success. Banks and credit card companies were fearful that Atalla would dominate the market, which spurred the development of an international encryption standard. Atalla was an early competitor to IBM
International Business Machines Corporation (using the trademark IBM), nicknamed Big Blue, is an American Multinational corporation, multinational technology company headquartered in Armonk, New York, and present in over 175 countries. It is ...
in the banking market, and was cited as an influence by IBM employees who worked on the DES standard. The IBM 3624 later adopted a similar PIN verification system to the earlier Atalla system.
On 15 May 1973, after consulting with the NSA, NBS solicited proposals for a cipher that would meet rigorous design criteria. None of the submissions was suitable. A second request was issued on 27 August 1974. This time, IBM
International Business Machines Corporation (using the trademark IBM), nicknamed Big Blue, is an American Multinational corporation, multinational technology company headquartered in Armonk, New York, and present in over 175 countries. It is ...
submitted a candidate which was deemed acceptable—a cipher developed during the period 1973–1974 based on an earlier algorithm, Horst Feistel's Lucifer cipher. The team at IBM involved in cipher design and analysis included Feistel, Walter Tuchman, Don Coppersmith, Alan Konheim, Carl Meyer, Mike Matyas, Roy Adler, Edna Grossman, Bill Notz, Lynn Smith, and Bryant Tuckerman.
NSA's involvement in the design
On 17 March 1975, the proposed DES was published in the ''Federal Register
The ''Federal Register'' (FR or sometimes Fed. Reg.) is the government gazette, official journal of the federal government of the United States that contains government agency rules, proposed rules, and public notices. It is published every wee ...
''. Public comments were requested, and in the following year two open workshops were held to discuss the proposed standard. There was criticism received from public-key cryptography
Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...
pioneers Martin Hellman and Whitfield Diffie, citing a shortened key length and the mysterious " S-boxes" as evidence of improper interference from the NSA. The suspicion was that the algorithm had been covertly weakened by the intelligence agency so that they—but no one else—could easily read encrypted messages. Alan Konheim (one of the designers of DES) commented, "We sent the S-boxes off to Washington. They came back and were all different." The United States Senate Select Committee on Intelligence reviewed the NSA's actions to determine whether there had been any improper involvement. In the unclassified summary of their findings, published in 1978, the Committee wrote:
However, it also found that
Another member of the DES team, Walter Tuchman, stated "We developed the DES algorithm entirely within IBM using IBMers. The NSA did not dictate a single wire!"
In contrast, a declassified NSA book on cryptologic history states:
and
Some of the suspicions about hidden weaknesses in the S-boxes were allayed in 1990, with the independent discovery and open publication by Eli Biham and Adi Shamir of differential cryptanalysis
Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in information input can a ...
, a general method for breaking block ciphers. The S-boxes of DES were much more resistant to the attack than if they had been chosen at random, strongly suggesting that IBM knew about the technique in the 1970s. This was indeed the case; in 1994, Don Coppersmith published some of the original design criteria for the S-boxes. According to Steven Levy
Steven Levy (born 1951) is an American journalist and editor at large for '' Wired'' who has written extensively for publications on computers, technology, cryptography, the internet, cybersecurity, and privacy. He is the author of the 1984 boo ...
, IBM Watson researchers discovered differential cryptanalytic attacks in 1974 and were asked by the NSA to keep the technique secret.[Levy, ''Crypto'', p. 55] Coppersmith explains IBM's secrecy decision by saying, "that was because ifferential cryptanalysiscan be a very powerful tool, used against many schemes, and there was concern that such information in the public domain could adversely affect national security." Levy quotes Walter Tuchman: " ey asked us to stamp all our documents confidential... We actually put a number on each one and locked them up in safes, because they were considered U.S. government classified. They said do it. So I did it".[ Bruce Schneier observed that "It took the academic community two decades to figure out that the NSA 'tweaks' actually improved the security of DES."]
The algorithm as a standard
Despite the criticisms, DES was approved as a federal standard in November 1976, and published on 15 January 1977 as FIPS PUB 46, authorized for use on all unclassified data. It was subsequently reaffirmed as the standard in 1983, 1988 (revised as FIPS-46-1), 1993 (FIPS-46-2), and again in 1999 (FIPS-46-3), the latter prescribing " Triple DES" (see below). On 26 May 2002, DES was finally superseded by the Advanced Encryption Standard (AES), following a public competition. On 19 May 2005, FIPS 46-3 was officially withdrawn, but NIST
The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical s ...
has approved Triple DES through the year 2030 for sensitive government information.National Institute of Standards and Technology
The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into Outline of p ...
NIST Special Publication 800-67 ''Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher'', Version 1.1
/ref>
The algorithm is also specified in ANSI
The American National Standards Institute (ANSI ) is a private nonprofit organization that oversees the development of voluntary consensus standards for products, services, processes, systems, and personnel in the United States. The organiz ...
X3.92 (Today X3 is known as INCITS
The InterNational Committee for Information Technology Standards (INCITS), (pronounced "insights"), is an ANSI-accredited standards development organization composed of Information technology developers. It was formerly known as the X3 and NCITS ...
and ANSI X3.92 as ANSI INCITS
The InterNational Committee for Information Technology Standards (INCITS), (pronounced "insights"), is an ANSI-accredited standards development organization composed of Information technology developers. It was formerly known as the X3 and NCITS ...
92), NIST SP 800-67[ and ISO/IEC 18033-3 (as a component of TDEA).
Another theoretical attack, linear cryptanalysis, was published in 1994, but it was the ]Electronic Frontier Foundation
The Electronic Frontier Foundation (EFF) is an American international non-profit digital rights group based in San Francisco, California. It was founded in 1990 to promote Internet civil liberties.
It provides funds for legal defense in court, ...
's DES cracker in 1998 that demonstrated that DES could be attacked very practically, and highlighted the need for a replacement algorithm. These and other methods of cryptanalysis
Cryptanalysis (from the Greek ''kryptós'', "hidden", and ''analýein'', "to analyze") refers to the process of analyzing information systems in order to understand hidden aspects of the systems. Cryptanalysis is used to breach cryptographic se ...
are discussed in more detail later in this article.
The introduction of DES is considered to have been a catalyst for the academic study of cryptography, particularly of methods to crack block ciphers. According to a NIST retrospective about DES,
:The DES can be said to have "jump-started" the nonmilitary study and development of encryption algorithms. In the 1970s there were very few cryptographers, except for those in military or intelligence organizations, and little academic study of cryptography. There are now many active academic cryptologists, mathematics departments with strong programs in cryptography, and commercial information security
Information security is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorized or inappropriate access to data ...
companies and consultants. A generation of cryptanalysts has cut its teeth analyzing (that is, trying to "crack") the DES algorithm. In the words of cryptographer Bruce Schneier
Bruce Schneier (; born January 15, 1963) is an American cryptographer, computer security professional, privacy specialist, and writer. Schneier is an Adjunct Lecturer in Public Policy at the Harvard Kennedy School and a Fellow at the Berkman ...
, "DES did more to galvanize the field of cryptanalysis than anything else. Now there was an algorithm to study." An astonishing share of the open literature in cryptography in the 1970s and 1980s dealt with the DES, and the DES is the standard against which every symmetric key algorithm since has been compared.
Chronology
Description
File:DES-main-network.png, 250px, '' Figure 1''— The overall Feistel structure of DES
rect 0 130 639 229 Initial permutation
rect 220 300 421 405 Feistel function
rect 220 594 421 701 Feistel function
rect 220 1037 421 1144 Feistel function
rect 220 1330 421 1437 Feistel function
rect 0 1478 639 1577 Final permutation
circle 50 351 26 XOR
circle 50 647 26 XOR
circle 50 1090 26 XOR
circle 50 1383 26 XOR
DES is the archetypal block cipher—an algorithm
In mathematics and computer science, an algorithm () is a finite sequence of Rigour#Mathematics, mathematically rigorous instructions, typically used to solve a class of specific Computational problem, problems or to perform a computation. Algo ...
that takes a fixed-length string of plaintext bits and transforms it through a series of complicated operations into another ciphertext
In cryptography, ciphertext or cyphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext ...
bitstring of the same length. In the case of DES, the block size is 64 bits. DES also uses a key to customize the transformation, so that decryption can supposedly only be performed by those who know the particular key used to encrypt. The key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. Eight bits are used solely for checking parity, and are thereafter discarded. Hence the effective key length is 56 bits.
The key is nominally stored or transmitted as 8 byte
The byte is a unit of digital information that most commonly consists of eight bits. Historically, the byte was the number of bits used to encode a single character of text in a computer and for this reason it is the smallest addressable un ...
s, each with odd parity. According to ANSI X3.92-1981 (Now, known as ANSI INCITS
The InterNational Committee for Information Technology Standards (INCITS), (pronounced "insights"), is an ANSI-accredited standards development organization composed of Information technology developers. It was formerly known as the X3 and NCITS ...
92–1981), section 3.5:
Like other block ciphers, DES by itself is not a secure means of encryption, but must instead be used in a mode of operation. FIPS-81 specifies several modes for use with DES. Further comments on the usage of DES are contained in FIPS-74.
Decryption uses the same structure as encryption, but with the keys used in reverse order. (This has the advantage that the same hardware or software can be used in both directions.)
Overall structure
The algorithm's overall structure is shown in Figure 1: there are 16 identical stages of processing, termed ''rounds''. There is also an initial and final permutation
In mathematics, a permutation of a set can mean one of two different things:
* an arrangement of its members in a sequence or linear order, or
* the act or process of changing the linear order of an ordered set.
An example of the first mean ...
, termed ''IP'' and ''FP'', which are inverses (IP "undoes" the action of FP, and vice versa). IP and FP have no cryptographic significance, but were included in order to facilitate loading blocks in and out of mid-1970s 8-bit based hardware.
Before the main rounds, the block is divided into two 32-bit halves and processed alternately; this criss-crossing is known as the Feistel scheme. The Feistel structure ensures that decryption and encryption are very similar processes—the only difference is that the subkeys are applied in the reverse order when decrypting. The rest of the algorithm is identical. This greatly simplifies implementation, particularly in hardware, as there is no need for separate encryption and decryption algorithms.
The ⊕ symbol denotes the
exclusive-OR (XOR) operation. The ''F-function'' scrambles half a block together with some of the key. The output from the F-function is then combined with the other half of the block, and the halves are swapped before the next round. After the final round, the halves are swapped; this is a feature of the Feistel structure which makes encryption and decryption similar processes.
The Feistel (F) function
The F-function, depicted in Figure 2, operates on half a block (32 bits) at a time and consists of four stages:
File:Data_Encription_Standard_Flow_Diagram.svg, 250px, '' Figure 2''—The Feistel function (F-function) of DES
rect 10 88 322 170 Expansion function
rect 9 340 77 395 Substitution box 1
rect 89 340 157 395 Substitution box 2
rect 169 340 237 395 Substitution box 3
rect 247 340 315 395 Substitution box 4
rect 327 340 395 395 Substitution box 5
rect 405 340 473 395 Substitution box 6
rect 485 340 553 395 Substitution box 7
rect 565 340 633 395 Substitution box 8
rect 9 482 630 565 Permutation
In mathematics, a permutation of a set can mean one of two different things:
* an arrangement of its members in a sequence or linear order, or
* the act or process of changing the linear order of an ordered set.
An example of the first mean ...
circle 319 232 21 XOR
# ''Expansion'': the 32-bit half-block is expanded to 48 bits using the ''expansion permutation'', denoted ''E'' in the diagram, by duplicating half of the bits. The output consists of eight 6-bit (8 × 6 = 48 bits) pieces, each containing a copy of 4 corresponding input bits, plus a copy of the immediately adjacent bit from each of the input pieces to either side.
# ''Key mixing'': the result is combined with a ''subkey'' using an XOR operation. Sixteen 48-bit subkeys—one for each round—are derived from the main key using the ''key schedule
In cryptography, the so-called product ciphers are a certain kind of cipher, where the (de-)ciphering of data is typically done as an iteration of '' rounds''. The setup for each round is generally the same, except for round-specific fixed va ...
'' (described below).
# ''Substitution'': after mixing in the subkey, the block is divided into eight 6-bit pieces before processing by the '' S-boxes'', or ''substitution boxes''. Each of the eight S-boxes replaces its six input bits with four output bits according to a non-linear transformation, provided in the form of a lookup table
In computer science, a lookup table (LUT) is an array data structure, array that replaces runtime (program lifecycle phase), runtime computation of a mathematical function (mathematics), function with a simpler array indexing operation, in a proc ...
. The S-boxes provide the core of the security of DES—without them, the cipher would be linear, and trivially breakable.
# ''Permutation'': finally, the 32 outputs from the S-boxes are rearranged according to a fixed permutation
In mathematics, a permutation of a set can mean one of two different things:
* an arrangement of its members in a sequence or linear order, or
* the act or process of changing the linear order of an ordered set.
An example of the first mean ...
, the ''P-box''. This is designed so that, after permutation, the bits from the output of each S-box in this round are spread across four different S-boxes in the next round.
The alternation of substitution from the S-boxes, and permutation of bits from the P-box and E-expansion provides so-called "confusion and diffusion
In cryptography, confusion and diffusion are two properties of a secure cipher identified by Claude Elwood Shannon, Claude Shannon in his 1945 classified report ''A Mathematical Theory of Cryptography''. These properties, when present, work toge ...
" respectively, a concept identified by Claude Shannon
Claude Elwood Shannon (April 30, 1916 – February 24, 2001) was an American mathematician, electrical engineer, computer scientist, cryptographer and inventor known as the "father of information theory" and the man who laid the foundations of th ...
in the 1940s as a necessary condition for a secure yet practical cipher.
Key schedule
File:DES-key-schedule.png, 250px, '' Figure 3''— The key-schedule of DES
rect 96 28 298 58 Permuted choice 1
rect 127 122 268 155 Permuted choice 2
rect 127 216 268 249 Permuted choice 2
rect 127 357 268 390 Permuted choice 2
rect 127 451 268 484 Permuted choice 2
rect 96 91 127 116 Left shift by 1
rect 268 91 299 116 Left shift by 1
rect 96 185 127 210 Left shift by 1
rect 268 185 299 210 Left shift by 1
rect 96 326 127 351 Left shift by 2
rect 268 326 299 351 Left shift by 2
rect 96 419 127 444 Left shift by 1
rect 268 419 299 444 Left shift by 1
Figure 3 illustrates the ''key schedule'' for encryption—the algorithm which generates the subkeys. Initially, 56 bits of the key are selected from the initial 64 by ''Permuted Choice 1'' (''PC-1'')—the remaining eight bits are either discarded or used as parity check bits. The 56 bits are then divided into two 28-bit halves; each half is thereafter treated separately. In successive rounds, both halves are rotated left by one or two bits (specified for each round), and then 48 subkey bits are selected by ''Permuted Choice 2'' (''PC-2'')—24 bits from the left half, and 24 from the right. The rotations (denoted by "<<<" in the diagram) mean that a different set of bits is used in each subkey; each bit is used in approximately 14 out of the 16 subkeys.
The key schedule for decryption is similar—the subkeys are in reverse order compared to encryption. Apart from that change, the process is the same as for encryption. The same 28 bits are passed to all rotation boxes.
Pseudocode
Pseudocode for the DES algorithm follows.
Security and cryptanalysis
Although more information has been published on the cryptanalysis of DES than any other block cipher, the most practical attack to date is still a brute-force approach. Various minor cryptanalytic properties are known, and three theoretical attacks are possible which, while having a theoretical complexity less than a brute-force attack, require an unrealistic number of known or chosen plaintext
Chosen or The Chosen may refer to:
Books
*The Chosen (Potok novel), ''The Chosen'' (Potok novel), a 1967 novel by Chaim Potok
* ''The Chosen'', a 1997 novel by L. J. Smith (author), L. J. Smith
*The Chosen (Pinto novel), ''The Chosen'' (Pinto nov ...
s to carry out, and are not a concern in practice.
Brute-force attack
For any cipher
In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is ''encipherment''. To encipher or encode i ...
, the most basic method of attack is brute force—trying every possible key in turn. The length of the key determines the number of possible keys, and hence the feasibility of this approach. For DES, questions were raised about the adequacy of its key size early on, even before it was adopted as a standard, and it was the small key size, rather than theoretical cryptanalysis, which dictated a need for a replacement algorithm
In mathematics and computer science, an algorithm () is a finite sequence of Rigour#Mathematics, mathematically rigorous instructions, typically used to solve a class of specific Computational problem, problems or to perform a computation. Algo ...
. As a result of discussions involving external consultants including the NSA, the key size was reduced from 256 bits to 56 bits to fit on a single chip.[Stallings, W. ''Cryptography and network security: principles and practice''. Prentice Hall, 2006. p. 73]
In academia, various proposals for a DES-cracking machine were advanced. In 1977, Diffie and Hellman proposed a machine costing an estimated US$20 million which could find a DES key in a single day.[ By 1993, Wiener had proposed a key-search machine costing US$1 million which would find a key within 7 hours. However, none of these early proposals were ever implemented—or, at least, no implementations were publicly acknowledged. The vulnerability of DES was practically demonstrated in the late 1990s. In 1997, RSA Security sponsored a series of contests, offering a $10,000 prize to the first team that broke a message encrypted with DES for the contest. That contest was won by the DESCHALL Project, led by Rocke Verser, Matt Curtin, and Justin Dolske, using idle cycles of thousands of computers across the Internet. The feasibility of cracking DES quickly was demonstrated in 1998 when a custom DES-cracker was built by the ]Electronic Frontier Foundation
The Electronic Frontier Foundation (EFF) is an American international non-profit digital rights group based in San Francisco, California. It was founded in 1990 to promote Internet civil liberties.
It provides funds for legal defense in court, ...
(EFF), a cyberspace civil rights group, at the cost of approximately US$250,000 (see EFF DES cracker). Their motivation was to show that DES was breakable in practice as well as in theory: "''There are many people who will not believe a truth until they can see it with their own eyes. Showing them a physical machine that can crack DES in a few days is the only way to convince some people that they really cannot trust their security to DES.''" The machine brute-forced a key in a little more than 2 days' worth of searching.
The next confirmed DES cracker was the COPACOBANA machine built in 2006 by teams of the Universities of Bochum and Kiel
Kiel ( ; ) is the capital and most populous city in the northern Germany, German state of Schleswig-Holstein. With a population of around 250,000, it is Germany's largest city on the Baltic Sea. It is located on the Kieler Förde inlet of the Ba ...
, both in Germany
Germany, officially the Federal Republic of Germany, is a country in Central Europe. It lies between the Baltic Sea and the North Sea to the north and the Alps to the south. Its sixteen States of Germany, constituent states have a total popu ...
. Unlike the EFF machine, COPACOBANA consists of commercially available, reconfigurable integrated circuits. 120 of these field-programmable gate arrays (FPGAs) of type XILINX Spartan-3 1000 run in parallel. They are grouped in 20 DIMM modules, each containing 6 FPGAs. The use of reconfigurable hardware makes the machine applicable to other code breaking tasks as well. One of the more interesting aspects of COPACOBANA is its cost factor. One machine can be built for approximately $10,000. The cost decrease by roughly a factor of 25 over the EFF machine is an example of the continuous improvement of digital hardware
Digital electronics is a field of electronics involving the study of digital signals and the engineering of devices that use or produce them. It deals with the relationship between binary inputs and outputs by passing electrical signals through ...
—see Moore's law
Moore's law is the observation that the Transistor count, number of transistors in an integrated circuit (IC) doubles about every two years. Moore's law is an observation and Forecasting, projection of a historical trend. Rather than a law of ...
. Adjusting for inflation over 8 years yields an even higher improvement of about 30x. Since 2007, SciEngines GmbH, a spin-off company of the two project partners of COPACOBANA has enhanced and developed successors of COPACOBANA. In 2008 their COPACOBANA RIVYERA reduced the time to break DES to less than one day, using 128 Spartan-3 5000's. SciEngines RIVYERA held the record in brute-force breaking DES, having utilized 128 Spartan-3 5000 FPGAs. Their 256 Spartan-6 LX150 model has further lowered this time.
In 2012, David Hulton and Moxie Marlinspike announced a system with 48 Xilinx Virtex-6 LX240T FPGAs, each FPGA containing 40 fully pipelined DES cores running at 400 MHz, for a total capacity of 768 gigakeys/sec. The system can exhaustively search the entire 56-bit DES key space in about 26 hours and this service is offered for a fee online. However, the service has been offline since the year 2024, supposedly for maintenance but probably permanently switched off.
Attacks faster than brute force
There are three attacks known that can break the full 16 rounds of DES with less complexity than a brute-force search: differential cryptanalysis
Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in information input can a ...
(DC),[ ]linear cryptanalysis
In cryptography, linear cryptanalysis is a general form of cryptanalysis based on finding affine
Affine may describe any of various topics concerned with connections or affinities.
It may refer to:
* Affine, a Affinity_(law)#Terminology, relat ...
(LC),[ and Davies' attack.][ However, the attacks are theoretical and are generally considered infeasible to mount in practice; these types of attack are sometimes termed certificational weaknesses.
* ]Differential cryptanalysis
Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in information input can a ...
was rediscovered in the late 1980s by Eli Biham and Adi Shamir; it was known earlier to both IBM and the NSA and kept secret. To break the full 16 rounds, differential cryptanalysis requires 247 chosen plaintext
Chosen or The Chosen may refer to:
Books
*The Chosen (Potok novel), ''The Chosen'' (Potok novel), a 1967 novel by Chaim Potok
* ''The Chosen'', a 1997 novel by L. J. Smith (author), L. J. Smith
*The Chosen (Pinto novel), ''The Chosen'' (Pinto nov ...
s. DES was designed to be resistant to DC.
* Linear cryptanalysis
In cryptography, linear cryptanalysis is a general form of cryptanalysis based on finding affine
Affine may describe any of various topics concerned with connections or affinities.
It may refer to:
* Affine, a Affinity_(law)#Terminology, relat ...
was discovered by Mitsuru Matsui, and needs 243 known plaintexts (Matsui, 1993); the method was implemented (Matsui, 1994), and was the first experimental cryptanalysis of DES to be reported. There is no evidence that DES was tailored to be resistant to this type of attack. A generalization of LC—''multiple linear cryptanalysis''—was suggested in 1994 (Kaliski and Robshaw), and was further refined by Biryukov and others. (2004); their analysis suggests that multiple linear approximations could be used to reduce the data requirements of the attack by at least a factor of 4 (that is, 241 instead of 243). A similar reduction in data complexity can be obtained in a chosen-plaintext variant of linear cryptanalysis (Knudsen and Mathiassen, 2000). Junod (2001) performed several experiments to determine the actual time complexity of linear cryptanalysis, and reported that it was somewhat faster than predicted, requiring time equivalent to 239–241 DES evaluations.
* ''Improved Davies' attack'': while linear and differential cryptanalysis are general techniques and can be applied to a number of schemes, Davies' attack is a specialized technique for DES, first suggested by Donald Davies
Donald Watts Davies, (7 June 1924 – 28 May 2000) was a Welsh computer scientist and Internet pioneer who was employed at the UK National Physical Laboratory (NPL).
During 1965-67 he invented modern data communications, including packet s ...
in the eighties, and improved by Biham and Biryukov (1997). The most powerful form of the attack requires 250 known plaintexts, has a computational complexity of 250, and has a 51% success rate.
There have also been attacks proposed against reduced-round versions of the cipher, that is, versions of DES with fewer than 16 rounds. Such analysis gives an insight into how many rounds are needed for safety, and how much of a "security margin" the full version retains.
Differential-linear cryptanalysis was proposed by Langford and Hellman in 1994, and combines differential and linear cryptanalysis into a single attack. An enhanced version of the attack can break 9-round DES with 215.8 chosen plaintexts and has a 229.2 time complexity (Biham and others, 2002).
Minor cryptanalytic properties
DES exhibits the complementation property, namely that
:
where is the bitwise complement
In computer programming, a bitwise operation operates on a bit string, a bit array or a binary numeral (considered as a bit string) at the level of its individual bits. It is a fast and simple action, basic to the higher-level arithmetic operatio ...
of denotes encryption with key and denote plaintext and ciphertext blocks respectively. The complementation property means that the work for a brute-force attack could be reduced by a factor of 2 (or a single bit) under a chosen-plaintext assumption. By definition, this property also applies to TDES cipher.
DES also has four so-called '' weak keys''. Encryption (''E'') and decryption (''D'') under a weak key have the same effect (see involution
Involution may refer to: Mathematics
* Involution (mathematics), a function that is its own inverse
* Involution algebra, a *-algebra: a type of algebraic structure
* Involute, a construction in the differential geometry of curves
* Exponentiati ...
):
: or equivalently,
There are also six pairs of ''semi-weak keys''. Encryption with one of the pair of semiweak keys, , operates identically to decryption with the other, :
: or equivalently,
It is easy enough to avoid the weak and semiweak keys in an implementation, either by testing for them explicitly, or simply by choosing keys randomly; the odds of picking a weak or semiweak key by chance are negligible. The keys are not really any weaker than any other keys anyway, as they do not give an attack any advantage.
DES has also been proved not to be a group, or more precisely, the set (for all possible keys ) under functional composition is not a group, nor "close" to being a group. This was an open question for some time, and if it had been the case, it would have been possible to break DES, and multiple encryption modes such as Triple DES would not increase the security, because repeated encryption (and decryptions) under different keys would be equivalent to encryption under another, single key.
Simplified DES
Simplified DES (SDES) was designed for educational purposes only, to help students learn about modern cryptanalytic techniques.
SDES has similar structure and properties to DES, but has been simplified to make it much easier to perform encryption and decryption by hand with pencil and paper.
Some people feel that learning SDES gives insight into DES and other block ciphers, and insight into various cryptanalytic attacks against them.
Replacement algorithms
Concerns about security and the relatively slow operation of DES in software
Software consists of computer programs that instruct the Execution (computing), execution of a computer. Software also includes design documents and specifications.
The history of software is closely tied to the development of digital comput ...
motivated researchers to propose a variety of alternative block cipher designs, which started to appear in the late 1980s and early 1990s: examples include RC5, Blowfish, IDEA
In philosophy and in common usage, an idea (from the Greek word: ἰδέα (idea), meaning 'a form, or a pattern') is the results of thought. Also in philosophy, ideas can also be mental representational images of some object. Many philosophe ...
, NewDES, SAFER, CAST5 and FEAL. Most of these designs kept the 64-bit block size of DES, and could act as a "drop-in" replacement, although they typically used a 64-bit or 128-bit key. In the Soviet Union
The Union of Soviet Socialist Republics. (USSR), commonly known as the Soviet Union, was a List of former transcontinental countries#Since 1700, transcontinental country that spanned much of Eurasia from 1922 until Dissolution of the Soviet ...
the GOST 28147-89 algorithm was introduced, with a 64-bit block size and a 256-bit key, which was also used in Russia
Russia, or the Russian Federation, is a country spanning Eastern Europe and North Asia. It is the list of countries and dependencies by area, largest country in the world, and extends across Time in Russia, eleven time zones, sharing Borders ...
later.
Another approach to strengthening DES was the development of Triple DES (3DES), which applies the DES algorithm three times to each data block to increase security. However, 3DES was later deprecated by NIST due to its inefficiencies and susceptibility to certain cryptographic attacks.
To address these security concerns, modern cryptographic systems rely on more advanced encryption techniques such as RSA, ECC, and post-quantum cryptography. These replacements aim to provide stronger resistance against both classical and quantum computing attacks.
A crucial aspect of DES involves its permutations and key scheduling, which play a significant role in its encryption process. Analyzing these permutations helps in understanding DES's security limitations and the need for replacement algorithms. A detailed breakdown of DES permutations and their role in encryption is available in this analysis of Data Encryption Standards Permutations.
DES itself can be adapted and reused in a more secure scheme. Many former DES users now use Triple DES (TDES) which was described and analysed by one of DES's patentees (see FIPS Pub 46–3); it involves applying DES three times with two (2TDES) or three (3TDES) different keys. TDES is regarded as adequately secure, although it is quite slow. A less computationally expensive alternative is DES-X, which increases the key size by XORing extra key material before and after DES. GDES was a DES variant proposed as a way to speed up encryption, but it was shown to be susceptible to differential cryptanalysis.
On January 2, 1997, NIST announced that they wished to choose a successor to DES. In 2001, after an international competition, NIST selected a new cipher, the Advanced Encryption Standard
The Advanced Encryption Standard (AES), also known by its original name Rijndael (), is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.
AES is a variant ...
(AES), as a replacement.[http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf November 26, 2001.] The algorithm which was selected as the AES was submitted by its designers under the name Rijndael. Other finalists in the NIST AES competition
The Advanced Encryption Standard (AES), the symmetric block cipher ratified as a standard by National Institute of Standards and Technology of the United States (NIST), was chosen using a process lasting from 1997 to 2000 that was markedly more ...
included RC6, Serpent, MARS
Mars is the fourth planet from the Sun. It is also known as the "Red Planet", because of its orange-red appearance. Mars is a desert-like rocky planet with a tenuous carbon dioxide () atmosphere. At the average surface level the atmosph ...
, and Twofish.
See also
* '' Brute Force: Cracking the Data Encryption Standard''
* DES supplementary material
* Skipjack (cipher)
* Triple DES
Notes
References
*
preprint
* Biham, Eli and Shamir, Adi, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. , .
* Biham, Eli and Alex Biryukov: An Improvement of Davies' Attack on DES. J. Cryptology 10(3): 195–206 (1997)
* Biham, Eli, Orr Dunkelman, Nathan Keller: Enhancing Differential-Linear Cryptanalysis. ASIACRYPT 2002: pp254–266
* Biham, Eli: A Fast New DES Implementation in Software
Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design
Electronic Frontier Foundation
The Electronic Frontier Foundation (EFF) is an American international non-profit digital rights group based in San Francisco, California. It was founded in 1990 to promote Internet civil liberties.
It provides funds for legal defense in court, ...
*
preprint
.
*Campbell, Keith W., Michael J. Wiener: DES is not a Group. CRYPTO 1992: pp512–520
* Coppersmith, Don. (1994). . ''IBM Journal of Research and Development'', 38(3), 243–250.
* Diffie, Whitfield and Martin Hellman, "Exhaustive Cryptanalysis of the NBS Data Encryption Standard" IEEE Computer 10(6), June 1977, pp74–84
*Ehrsam and others., Product Block Cipher System for Data Security, , Filed February 24, 1975
* Gilmore, John, "Cracking DES: Secrets of Encryption Research, Wiretap Politics and Chip Design", 1998, O'Reilly, .
*Junod, Pascal
"On the Complexity of Matsui's Attack."
Selected Areas in Cryptography, 2001, pp199–211.
* Kaliski, Burton S., Matt Robshaw: Linear Cryptanalysis Using Multiple Approximations. CRYPTO 1994: pp26–39
* Knudsen, Lars, John Erik Mathiassen: A Chosen-Plaintext Linear Attack on DES. Fast Software Encryption - FSE 2000: pp262–272
*Langford, Susan K., Martin E. Hellman: Differential-Linear Cryptanalysis. CRYPTO 1994: 17–25
* Levy, Steven, Crypto: How the Code Rebels Beat the Government—Saving Privacy in the Digital Age, 2001, .
*
*
* National Bureau of Standards, Data Encryption Standard, FIPS-Pub.46. National Bureau of Standards, U.S. Department of Commerce, Washington D.C., January 1977.
* Christof Paar, Jan Pelzl
"The Data Encryption Standard (DES) and Alternatives"
free online lectures on Chapter 3 of "Understanding Cryptography, A Textbook for Students and Practitioners". Springer, 2009.
External links
FIPS 46-3: The official document describing the DES standard
(PDF)
COPACOBANA, a $10,000 DES cracker based on FPGAs by the Universities of Bochum and Kiel
DES step-by-step presentation and reliable message encoding application
A Fast New DES Implementation in Software - Biham
On Multiple Linear Approximations
RFC4772 : Security Implications of Using the Data Encryption Standard (DES)
Python code of DES Cipher implemented using DES Chapter from NIST SP 958
{{Cryptography navbox , block
Computer-related introductions in 1977
1977 establishments in the United States
Broken block ciphers
American inventions