Data Encryption Standard

 This article is about the DES encryption algorithm. For other uses, see DES (disambiguation).
Data Encryption Standard  
 
General  
Designer(s)  IBM  
First published  1975 (January 1977 as the standard)  
Derived from  Lucifer (cipher)  
Cipher(s) based on this design  Triple DES, GDES, DESX, LOKI89, ICE  
Algorithm detail  
Block size(s)  64 bits  
Key size(s)  56 bits  
Structure  Feistel network  
Number of rounds  16  
Best cryptanalysis  
DES is now considered insecure because a brute force attack is possible (see EFF DES cracker). As of 2004, the best analytical attack is linear cryptanalysis, which requires 2^{43} known plaintexts and has a time complexity of 2^{3943} (Junod, 2001); under a chosenplaintext assumption, the data complexity can be reduced by a factor of four (Knudsen and Mathiassen, 2000). 
The Data Encryption Standard (DES) is a cipher (a method for encrypting information) selected as an official Federal Information Processing Standard (FIPS) for the United States in 1976, and which has subsequently enjoyed widespread use internationally. The algorithm was initially controversial, with classified design elements, a relatively short key length, and suspicions about a National Security Agency (NSA) backdoor. DES consequently came under intense academic scrutiny, and motivated the modern understanding of block ciphers and their cryptanalysis.
DES is now considered to be insecure for many applications. This is chiefly due to the 56bit key size being too small; DES keys have been broken in less than 24 hours. There are also some analytical results which demonstrate theoretical weaknesses in the cipher, although they are infeasible to mount in practice. The algorithm is believed to be practically secure in the form of Triple DES, although there are theoretical attacks. In recent years, the cipher has been superseded by the Advanced Encryption Standard (AES).
In some documentation, DES is referred to as the DEA (the Data Encryption Algorithm). When spoken, "DES" is either spelled out (deeeeess) or pronounced as a single syllable (dez).
Contents 
History of DES
The origins of DES go back to the early 1970s. In 1972, after concluding a study on the US government's computer security needs, the US standards body NBS (National Bureau of Standards) — now renamed NIST (National Institute of Standards and Technology) — identified a need for a governmentwide standard for encrypting unclassified, sensitive information. Accordingly, on 15 May 1973, after consulting with the NSA, NBS solicited proposals for a cipher that would meet rigorous design criteria. None of the submissions, however, turned out to be suitable. A second request was issued on 27 August 1974. This time, IBM submitted a candidate which was deemed acceptable, a cipher developed during the period 1973–1974 based on an earlier algorithm, Horst Feistel's Lucifer cipher. The team at IBM involved in cipher design and analysis included Feistel, Walter Tuchman, Don Coppersmith, Alan Konheim, Carl Meyer, Mike Matyas, Roy Adler, Edna Grossman, Bill Notz, Lynn Smith, and Bryant Tuckerman.
NSA's involvement in the design
On 17 March 1975, the proposed DES was published in the Federal Register. Public comments were requested, and in the following year two open workshops were held to discuss the proposed standard. There was some criticism from various parties, including from publickey cryptography pioneers Martin Hellman and Whitfield Diffie, citing a shortened key length and the mysterious "Sboxes" as evidence of improper interference from the NSA. The suspicion was that the algorithm had been covertly weakened by the intelligence agency so that they — but noone else — could easily read encrypted messages. Alan Konheim (one of the designers of DES) commented, "We sent the Sboxes off to Washington. They came back and were all different." The United States Senate Select Committee on Intelligence reviewed the NSA's actions to determine whether there had been any improper involvement. In the unclassified summary of their findings, published in 1978, the Committee wrote:
 "In the development of DES, NSA convinced IBM that a reduced key size was sufficient; indirectly assisted in the development of the Sbox structures; and certified that the final DES algorithm was, to the best of their knowledge, free from any statistical or mathematical weakness."
However, it also found that
 "NSA did not tamper with the design of the algorithm in any way. IBM invented and designed the algorithm, made all pertinent decisions regarding it, and concurred that the agreed upon key size was more than adequate for all commercial applications for which the DES was intended."
Another member of the DES team, Walter Tuchman, is quoted as saying, "We developed the DES algorithm entirely within IBM using IBMers. The NSA did not dictate a single wire!"
Some of the suspicions about hidden weaknesses in the Sboxes were allayed in 1990, with the independent discovery and open publication by Eli Biham and Adi Shamir of differential cryptanalysis, a general method for breaking block ciphers. The Sboxes of DES were much more resistant to the attack than if they had been chosen at random, strongly suggesting that IBM knew about the technique back in the 1970s. This was indeed the case—in 1994, Don Coppersmith published the original design criteria for the Sboxes. IBM had discovered differential cryptanalysis in the 1970s and, after securing DES, had been instructed to keep the technique secret by the NSA. Coppersmith explains, "that was because [differential cryptanalysis] can be a very powerful tool, used against many schemes, and there was concern that such information in the public domain could adversely affect national security.". Shamir himself commented, "I would say that, contrary to what some people believe, there is no evidence of tampering with the DES so that the basic design was weakened."
The other criticism—that the key length was too short—was supported by the fact that the reason given by the NSA for reducing the key length from 64 bits to 56 was that the other 8 bits could serve as parity bits, which seemed somewhat specious. It is widely believed that NSA's decision was motivated by the possibility that they would be able to brute force attack a 56 bit key several years before the rest of the world would.
The algorithm as a standard
Despite the criticisms, DES was approved as a federal standard in November 1976, and published on 15 January 1977 as FIPS PUB 46, authorised for use on all unclassified data. It was subsequently reaffirmed as the standard in 1983, 1988 (revised as FIPS461), 1993 (FIPS462), and again in 1998 (FIPS463), the latter prescribing "Triple DES" (see below). On 26 May 2002, DES was finally superseded by AES, the Advanced Encryption Standard, following a public competition (see AES process). Even as of 2004, however, DES remains in widespread use.
Another theoretical attack, linear cryptanalysis, was published in 1994, but it was a brute force attack in 1998 that demonstrated that DES could be attacked very practically, and highlighted the need for a replacement algorithm. These and other methods of cryptanalysis are discussed in more detail later in the article.
The introduction of DES is considered to have been a catalyst for the academic study of cryptography, particularly of methods to crack block ciphers. Bruce Schneier writes:
 "Off the record, NSA has characterized DES as one of their biggest mistakes. If they knew the details would be released so that people could write software, they would never have agreed to it. DES did more to galvanize the field of cryptanalysis than anything else. Now there was an algorithm to study: one that the NSA said was secure."
Chronology
Date  Year  Event 

15 May  1973  NBS publishes a first request for a standard encryption algorithm 
27 August  1974  NBS publishes a second request for encryption algorithms 
17 March  1975  DES is published in the Federal Register for comment 
August  1976  First workshop on DES 
September  1976  Second workshop, discussing mathematical foundation of DES 
November  1976  DES is approved as a standard 
15 January  1977  DES is published as a FIPS standard FIPS PUB 46 
1983  DES is reaffirmed for the first time  
1986  Videocipher II, a TV satellite scrambling system based upon DES begins use by HBO  
22 January  1988  DES is reaffirmed for the second time as FIPS 461, superseding FIPS PUB 46 
1992  Biham and Shamir publish the first theoretical attack with less complexity than brute force: differential cryptanalysis. However, it requires an unrealistic 2^{47} chosen plaintexts (Biham and Shamir, 1992).  
30 December  1993  DES is reaffirmed for the third time as FIPS 462 
1994  The first experimental cryptanalysis of DES is performed using linear cryptanalysis (Matsui, 1994).  
June  1997  The DESCHALL Project breaks a message encrypted with DES for the first time in public. 
July  1998  The EFF's DES cracker (Deep Crack) breaks a DES key in 56 hours. 
January  1999  Together, Deep Crack and distributed.net break a DES key in 22 hours and 15 minutes. 
25 October  1999  DES is reaffirmed for the fourth time as FIPS 463, which specifies the preferred use of Triple DES, with single DES permitted only in legacy systems. 
26 November  2001  The Advanced Encryption Standard is published in FIPS 197 
26 May  2002  The AES standard becomes effective 
26 July  2004  The withdrawal of FIPS 463 (and a couple of related standards) is proposed in the Federal Register [1] (http://edocket.access.gpo.gov/2004/0416894.htm) 
Replacement algorithms
Concerns about security and the relatively slow operation of DES in software motivated researchers to propose a variety of alternative block cipher designs, which started to appear in the late 1980s and early 1990s; for example RC5, Blowfish, IDEA, NewDES, SAFER, CAST5 and FEAL. Most of these designs kept the 64bit block size of DES, and could act as a "dropin" replacement, although they typically used a 64bit or 128bit key.
DES itself can be adapted and reused in a more secure scheme. Many former DES users now use Triple DES (3DES) which was described and analysed by one of DES's patentees (see FIPS Pub 463); it involves applying DES three times with different keys. 3DES is regarded as adequately secure, although it is quite slow. A less computationally expensive alternative is DESX, which increases the key size by XORing extra key material before and after DES. GDES was a DES variant proposed as a way to speed up encryption, but it was shown to be susceptible to differential cryptanalysis.
In 2001, after an international competition, NIST selected a new cipher: the Advanced Encryption Standard (AES), as a replacement. The algorithm which was selected as the AES was submitted by its designers under the name Rijndael. Other finalists in the NIST AES competition included RC6, Serpent, MARS, and Twofish.
Description
 For brevity, the following description omits the exact transformations and permutations which specify the algorithm; for reference, the details can be found in DES supplementary material.
DES is the archetypal block cipher — an algorithm that takes a fixedlength string of plaintext bits and transforms it through a series of complicated operations into another ciphertext bitstring of the same length. In the case of DES, the block size is 64 bits. DES also uses a key to customise the transformation, so that decryption can only be performed by those who know the particular key used to encrypt. The key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. Eight bits are used solely for checking parity, and are thereafter discarded. Hence the effective key length is 56 bits, and it is usually quoted as such.
Like other block ciphers, DES must be used in a mode of operation if applied to a message longer than 64 bits. FIPS81 specifies several modes for use with DES, including one for authentication [2] (http://www.itl.nist.gov/fipspubs/fip81.htm). Further comments on the usage of DES are contained in FIPS74 [3] (http://www.itl.nist.gov/fipspubs/fip74.htm).
Overall structure
The algorithm's overall structure is shown in Figure 1: there are 16 identical stages of processing, termed rounds. There is also an initial and final permutation, termed IP and FP, which are inverses (IP "undoes" the action of FP, and vice versa). IP and FP have almost no cryptographic significance, but were apparently included in order to facilitate loading blocks in and out of mid1970s hardware. Before the main rounds, the block is divided into two 32bit halves and processed alternately; this crisscrossing is known as the Feistel scheme.
The Feistel structure ensures that decryption and encryption are very similar processes — the only difference is that the subkeys are applied in the reverse order when decrypting. The rest of the algorithm is identical. This greatly simplifies implementation, particularly in hardware, as there is no need for separate encryption and decryption algorithms.
The red <math>\oplus<math> symbol denotes the exclusiveOR (XOR) operation. The Ffunction scrambles half a block together with some of the key. The output from the Ffunction is then combined with the other half of the block, and the halves are swapped before the next round. After the final round, the halves are not swapped; this is a feature of the Feistel structure which makes encryption and decryption similar processes.
The Feistel (F) function
The Ffunction, depicted in Figure 2, operates on half a block (32 bits) at a time and consists of four stages:
 Expansion — the 32bit halfblock is expanded to 48 bits using the expansion permutation, denoted E in the diagram, by duplicating some of the bits.
 Key mixing — the result is combined with a subkey using an XOR operation. Sixteen 48bit subkeys — one for each round — are derived from the main key using the key schedule (described below).
 Substitution — after mixing in the subkey, the block is divided into eight 6bit pieces before processing by the Sboxes, or substitution boxes. Each of the eight Sboxes replaces its six input bits with four output bits according to a nonlinear transformation, provided in the form of a lookup table. The Sboxes provide the core of the security of DES — without them, the cipher would be linear, and trivially breakable.
 Permutation — finally, the 32 outputs from the Sboxes are rearranged according to a fixed permutation, the Pbox.
The alternation of substitution from the Sboxes, and permutation of bits from the Pbox and Eexpansion provides socalled "confusion and diffusion" respectively, a concept identified by Claude Shannon in the 1940s as a necessary condition for a secure yet practical cipher.
Key schedule
Figure 3 illustrates the key schedule for encryption — the algorithm which generates the subkeys. Initially, 56 bits of the key are selected from the initial 64 by Permuted Choice 1 (PC1) — the remaining eight bits are either discarded or used as parity check bits. The 56 bits are then divided into two 28bit halves; each half is thereafter treated separately. In successive rounds, both halves are rotated left by one or two bits (specified for each round), and then 48 subkey bits are selected by Permuted Choice 2 (PC2) — 24 bits from the left half, and 24 from the right. The rotations (denoted by "<<<" in the diagram) mean that a different set of bits is used in each subkey; each bit is used in approximately 14 out of the 16 subkeys.
The key schedule for decryption is similar — it must generate the keys in the reverse order. Hence the rotations are to the right, rather than the left.
Security and cryptanalysis
Although more information has been published on the cryptanalysis of DES than any other block cipher, the most practical attack to date is still a brute force approach. Various minor cryptanalytic properties are known, and three theoretical attacks are possible which, while having a theoretical complexity less than a brute force attack, require an unrealistic amount of known or chosen plaintext to carry out, and are not a concern in practice.
Brute force attack
For any cipher, the most basic method of attack is brute force — trying every possible key in turn. The length of the key determines the number of possible keys, and hence the feasibility of this approach. For DES, questions were raised about the adequacy of its key size early on, even before it was adopted as a standard, and it was the small key size, rather than theoretical cryptanalysis, which dictated a need for a replacement algorithm. It is known that the NSA encouraged, if not persuaded, IBM in reducing the key size from 128 to 64 bits, and from there to 56 bits; this is often taken as an indication that the NSA possessed enough computer power to break keys of this length even in the mid1970s.
Board300.jpg
In academia, various proposals for a DEScracking machine were advanced. In 1977, Diffie and Hellman proposed a machine costing an estimated US$20 million which could find a DES key in a single day. By 1993, Wiener had proposed a keysearch machine costing US$1 million which would find a key within 7 hours. The vulnerability of DES was practically demonstrated in the late 1990s. In 1997, RSA Security sponsored a series of contests, offering a $10,000 prize to the first team that broke a message encrypted with DES for the contest. That contest was won by the DESCHALL Project, led by Rocke Verser, Matt Curtin, and Justin Dolske, using idle cycles of thousands of computers across the Internet. The feasibility of cracking DES quickly was demonstrated in 1998 when a custom DEScracker was built by the Electronic Frontier Foundation (EFF), a cyberspace civil rights group, at the cost of approximately US$250,000 (see EFF DES cracker). Their motivation was to show that DES was breakable in practice as well as in theory: "There are many people who will not believe a truth until they can see it with their own eyes. Showing them a physical machine that can crack DES in a few days is the only way to convince some people that they really cannot trust their security to DES." The machine bruteforced a key in a little more than 2 days' search; at about the same time at least one attorney from the US Justice Department was announcing that DES was unbreakable.
Attacks faster than bruteforce
There are three attacks known that can break the full sixteen rounds of DES with less complexity than a bruteforce search: differential cryptanalysis (DC), linear cryptanalysis (LC), and Davies' attack. However, the attacks are theoretical and are infeasible to mount in practice; these types of attack are sometimes termed certificational weaknesses.
 Differential cryptanalysis was discovered in the late 1980s by Eli Biham and Adi Shamir, although it was known earlier to both IBM and the NSA and kept secret. To break the full 16 rounds, differential cryptanalysis requires 2^{47} chosen plaintexts. DES was designed to be resistant to DC.
 Linear cryptanalysis was discovered by Mitsuru Matsui, and needs 2^{43} known plaintexts (Matsui, 1993); the method was implemented (Matsui, 1994), and was the first experimental cryptanalysis of DES to be reported. There is no evidence that DES was tailored to be resistant to this type of attack. A generalisation of LC — multiple linear cryptanalysis — was suggested in 1994 (Kaliski and Robshaw), and was further refined by Biryukov et al (2004); their analysis suggests that multiple linear approximations could be used to reduce the data requirements of the attack by at least a factor of 4 (i.e. 2^{41} instead of 2^{43}). A similar reduction in data complexity can be obtained in a chosenplaintext variant of linear cryptanalysis (Knudsen and Mathiassen, 2000). Junod (2001) performed several experiments to determine the actual time complexity of linear cryptanalysis, and reported that it was somewhat faster than predicted, requiring time equivalent to 2^{39}–2^{41} DES evaluations.
 Improved Davies' attack: while linear and differential cryptanalysis are general techniques and can be applied to a number of schemes, Davies' attack is a specialised technique for DES, first suggested by Davies in the eighties, and improved by Biham and Biryukov (1997). The most powerful form of the attack requires 2^{50} known plaintexts, has a computational complexity of 2^{50}, and has a 51% success rate.
There have also been attacks proposed against reducedround versions of the cipher, i.e. versions of DES with fewer than sixteen rounds. Such analysis gives an insight into how many rounds are needed for safety, and how much of a "security margin" the full version retains. Differentiallinear cryptanalysis was proposed by Langford and Hellman in 1994, and combines differential and linear cryptanalysis into a single attack. An enhanced version of the attack can break 9round DES with 2^{15.8} known plaintexts and has a 2^{29.2} time complexity (Biham et al, 2002).
Minor cryptanalytic properties
DES exhibits the complementation property, namely that
 <math>E_K(P)=C \Leftrightarrow E_\overline{K}(\overline{P})=\overline{C}<math>
where <math>\overline{x}<math> is the bitwise complement of <math>x.<math> <math>E_K<math> denotes encryption with key <math>K.<math> <math>P<math> and <math>C<math> denote plaintext and ciphertext blocks respectively. The complementation property means that the work factor for a brute force attack could be reduced by a factor of 2 (or a single bit) under a chosenplaintext assumption.
DES also has four socalled weak keys. Encryption (E) and decryption (D) under a weak key have the same effect (see involution):
 <math>E_K(E_K(P)) = P<math> or equivalently, <math>E_K = D_K<math>
There are also six pairs of semiweak keys. Encryption with one of the pair of semiweak keys, <math>K_1<math>, operates identically to decryption with the other, <math>K_2<math>:
 <math>E_{K_1}(E_{K_2}(P)) = P<math> or equivalently, <math>E_{K_2} = D_{K_1}<math>
It is easy enough to avoid the weak and semiweak keys in an implementation, either by testing for them explicitly, or simply by choosing keys randomly; the odds of picking a weak or semiweak key by chance are negligible.
DES has also been proved not to be a group, or more precisely, the set <math>\{E_K\}<math> (for all possible keys <math>K<math>) under functional composition is not a group, nor "close" to being a group (Campbell and Wiener, 1992). This was an open question for some time, and if it had been the case, it would have been possible to break DES, and multiple encryption modes such as Triple DES would not increase the security.
See also
References
 Ehrsam etl a., Product Block Cipher System for Data Security, Template:US patent, Filed Feb. 24, 1975
 Eli Biham, Adi Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. ISBN 0387979301, ISBN 3540979301.
 Eli Biham, Alex Biryukov: An Improvement of Davies' Attack on DES. J. Cryptology 10(3): 195206 (1997)
 Eli Biham, Orr Dunkelman, Nathan Keller: Enhancing DifferentialLinear Cryptanalysis. ASIACRYPT 2002: pp254–266
 A.Biryukov, C.De Canniere, M.Quisquater, "On Multiple Linear Approximations", CRYPTO 2004 (to appear); preprint (PDF) (http://www.esat.kuleuven.ac.be/~abiryuko/mla.pdf).
 Keith W. Campbell, Michael J. Wiener: DES is not a Group. CRYPTO 1992: pp512–520
 Don Coppersmith. (1994). The data encryption standard (DES) and its strength against attacks. IBM Journal of Research and Development, 38(3), 243–250. [4] (http://www.research.ibm.com/journal/rd/383/coppersmith.pdf)
 Witfield Diffie, Martin Hellman, "Exhaustive Cryptanalysis of the NBS Data Encryption Standard" IEEE Computer 10(6), June 1977, pp7484
 John Gilmore, "Cracking DES: Secrets of Encryption Research, Wiretap Politics and Chip Design", 1998, O'Reilly, ISBN 1565925203.
 Pascal Junod, "On the Complexity of Matsui's Attack. Selected Areas in Cryptography", 2001, pp199211 (http://crypto.junod.info/sac01.html).
 Burton S. Kaliski Jr., Matthew J. B. Robshaw: Linear Cryptanalysis Using Multiple Approximations. CRYPTO 1994: pp26–39
 Lars R. Knudsen, John Erik Mathiassen: A ChosenPlaintext Linear Attack on DES. FSE 2000: pp262–272
 Susan K. Langford, Martin E. Hellman: DifferentialLinear Cryptanalysis. CRYPTO 1994: 17–25
 Steven Levy, Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age (ISBN 0140244328)
 Mitsuru Matsui: Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 1993: pp386397
 Mitsuru Matsui: The First Experimental Cryptanalysis of the Data Encryption Standard. CRYPTO 1994: pp111
 National Bureau of Standards, Data Encryption Standard, FIPSPub.46. National Bureau of Standards, U.S. Department of Commerce, Washington D.C., January 1977.
External links
 FIPS 463: The official document describing the DES standard (http://csrc.nist.gov/publications/fips/fips463/fips463.pdf) (PDF); An older version in HTML. (http://www.itl.nist.gov/fipspubs/fip462.htm)
 The EFF DES cracker project (http://www.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/)
 Helger Lipmaa's links for DES (http://www.cs.ut.ee/~helger/crypto/link/block/des.php)
 John Savard's description of DES (http://home.ecn.ab.ca/~jsavard/crypto/co0402.htm)
 A worked example of the DES algorithm (http://www.aci.net/kalliste/des.htm)
 A Javascript DES calculator showing intermediate values (http://www.cs.eku.edu/faculty/styer/460/Encrypt/JSDES.html)
Block ciphers edit (https://academickids.com:443/encyclopedia/index.php?title=Template:Block_ciphers&action=edit) 
Algorithms: 3Way  AES  Akelarre  Blowfish  Camellia  CAST128  CAST256  CMEA  DEAL  DES  DESX  FEAL  FOX  FROG  GDES  GOST  ICE  IDEA  Iraqi  KASUMI  KHAZAD  Khufu and Khafre  LOKI89/91  LOKI97  Lucifer  MacGuffin  Madryga  MAGENTA  MARS  MISTY1  MMB  NewDES  RC2  RC5  RC6  REDOC  Red Pike  S1  SAFER  SEED  Serpent  SHACAL  SHARK  Skipjack  Square  TEA  Triple DES  Twofish  XTEA 
Design: Feistel network  Key schedule  Product cipher  Sbox  SPN Attacks: Brute force  Linear / Differential cryptanalysis  Mod n  XSL Standardisation: AES process  CRYPTREC  NESSIE Misc: Avalanche effect  Block size  IV  Key size  Modes of operation  Pilingup lemma  Weak key 
es:DES fr:Data encryption standard he:DES id:Data Encryption Standard it:Data Encryption Standard nl:Data Encryption Standard no:DES ja:DES pl:DES pt:DES sv:Data Encryption Standard zh:DES