Encyclopedia  |   World Factbook  |   World Flags  |   Reference Tables  |   List of Lists     
   Academic Disciplines  |   Historical Timeline  |   Themed Timelines  |   Biographies  |   How-Tos     
Sponsor by The Tattoo Collection
Data Encryption Standard
Main Page | See live article | Alphabetical index

Data Encryption Standard

This article is about the DES encryption algorithm. For other uses of DES, see DES (disambiguation)'.''
Data Encryption Standard

The Feistel function (F function) of DES
Designer(s) IBM
First published 1975 (January 1977 as the standard)
Derived from Lucifer (cipher)
Cipher(s) based on this design Triple DES, G-DES, DES-X, LOKI89
Algorithm detail
Block size(s) 64 bits
Key size(s) 56 bits
Structure Feistel network
Number of rounds 16
Best cryptanalysis
As of 2004, the best theoretical attack is linear cryptanalysis, which requires 243 known plaintexts and has a time complexity of 239-43 (Junod, 2001); a brute force attack is possible (see EFF DES cracker).
The Data Encryption Standard (DES) is a cipher (a method for encrypting information) selected as an official FIPS standard for the United States in 1976, and which has subsequently enjoyed widespread use internationally. The algorithm was initially controversial, with classified design elements, a relatively short key length, and continuing suspicions about a National Security Agency (NSA) backdoor. DES consequently came under intense academic scrutiny, and motivated the modern understanding of block ciphers and their cryptanalysis. The cipher has since been superseded by the Advanced Encryption Standard (AES).

In some documentation, DES is referred to as the DEA (the Data Encryption Algorithm). When spoken, "DES" is either spelled out (dee-ee-ess) or pronounced as a single syllable (dez).

Table of contents
1 History of DES
2 Description
3 Security and cryptanalysis
4 Replacement algorithms
5 See also
6 References
7 External links

History of DES

The origins of DES go back to the early 1970s. In 1972, after concluding a study on the US government's computer security needs, the US standards body NBS (National Bureau of Standards) — now renamed NIST (National Institute of Standards and Technology) — identified a need for a government-wide standard for encrypting unclassified, sensitive information. Accordingly, on 15 May 1973, after consulting with the NSA, NBS solicited proposals for a cipher that would meet rigorous design criteria. None of the submissions, however, turned out to be suitable. A second request was issued on 27 August 1974. This time, IBM submitted a candidate which was deemed acceptable, a cipher developed during the period 1973—1974 based on an earlier algorithm, Horst Feistel's Lucifer cipher. The team at IBM involved in cipher design and analysis included Feistel, Walter Tuchman, Don Coppersmith, Alan Konheim, Carl Meyer, Mike Matyas, Roy Adler, Edna Grossman, Bill Notz, Lynn Smith and Bryant Tuckerman.

NSA's involvement in the design

On 17 March 1975, the proposed DES was published in the Federal Register. Public comments were requested, and in the following year two open workshops were held to discuss the proposed standard. There was some criticism from various parties, including from public-key cryptography pioneers Martin Hellman and Whitfield Diffie, citing a shortened key length and the mysterious "S-boxes" as evidence of improper interference from the NSA. The suspicion was that the algorithm had been covertly weakened by the intelligence agency so that they — but no-one else — could easily read encrypted messages. Alan Konheim (one of the designers of DES) commented that, "We sent the S-boxes off to Washington. They came back and were all different." The United States Senate Select Committee on Intelligence reviewed the NSA's actions to determine whether there had been any improper involvement. In the unclassifed summary of their findings, published in 1978, the Commitee wrote, "In the development of DES, NSA convinced IBM that a reduced keysize was sufficient; indirectly assisted in the development of the S-box structures; and certified that the final DES algorithm was, to the best of their knowledge, free from any statistical or mathematical weakness.". However, it also found that, "NSA did not tamper with the design of the algorithm in any way. IBM invented and designed the algorithm, made all pertinent decisions regarding it, and concurred that the agreed upon key size was more than adequate for all commercial applications for which the DES was intended". Another member of the DES team, Walter Tuchman, is quoted as saying, "We developed the DES algorithm entirely within IBM using IBMers. The NSA did not dictate a single wire!".

Some of the suspicions about hidden weaknesses in the S-boxes were allayed in 1990, with the independent discovery and open publication by Eli Biham and Adi Shamir of differential cryptanalysis, a general method for breaking block ciphers. The S-boxes of DES were much more resistant to the attack than if they had been chosen at random, strongly suggesting that IBM knew about the technique back in the 1970s. This was indeed the case — in 1994, Don Coppersmith published the original design criteria for the S-boxes. IBM had discovered differential cryptanalysis in the 1970s and, after securing DES, had been instructed to keep the technique secret by the NSA. Coppersmith explains, "that was because [differential cryptanalysis] can be a very powerful tool, used against many schemes, and there was concern that such information in the public domain could adversely affect national security.". Shamir himself commented, "I would say that, contrary to what some people believe, there is no evidence of tampering with the DES so that the basic design was weakened."

The other criticism, the one about the key length rather than the S-box design, was supported by the fact that the reason given by the NSA for reducing the key length from 64 bits to 56 -- that the other 8 bits would serve as parity bits -- seemed rather specious. It is widely believed that NSA's decision was motivated by the possibility that they would be able to brute force a 56 bit key several years before the rest of the world would.

The algorithm as a standard

Despite the criticisms, DES was approved as a federal standard in November 1976, and published on 15 January 1977 as FIPS PUB 46, authorised for use on all unclassified data. It was subsequently reaffirmed as the standard in 1983, 1988 (revised as FIPS-46-1), 1993 (FIPS-46-2), and again in 1998 (FIPS-46-3), the latter prescribing "Triple DES" (see below). On 26 May 2002, DES was finally superseded by AES, the Advanced Encryption Standard, following a public competition (see AES process). Even as of 2004, however, DES remains in widespread use.

Another theoretical attack, linear cryptanalysis, was published in 1994, but it was a brute force attack in 1998 that demonstrated that DES could be attacked very practically, and highlighted the need for a replacement algorithm. These and other methods of cryptanalysis are discussed in more detail later in the article.

The introduction of DES is considered to have been a catalyst for the academic study of cryptography, particularly of methods to crack block ciphers. Bruce Schneier writes:

"Off the record, NSA has characterized DES as one of their biggest mistakes. If they knew the details would be released so that people could write software, they would never have agreed to it. DES did more to galvanize the field of cryptanalysis than anything else. Now there was an algorithm to study: one that the NSA said was secure."


Date Year Event
15 May 1973 NBS publishes a first request for a standard encryption algorithm
27 August 1974 NBS publishes a second request for encryption algorithms
17 March 1975 DES is published in the Federal Register for comment
August 1976 First workshop on DES
September 1976 Second workshop, discussing mathematical foundation of DES
November 1976 DES is approved as a standard
15 January 1977 DES is published as a FIPS standard FIPS PUB 46
1983 DES is reaffirmed for the first time
22 January 1988 DES is reaffirmed for the second time as FIPS 46-1, superceding FIPS PUB 46
1992 Biham and Shamir publish the first theoretical attack with less complexity than brute force: differential cryptanalysis. However, it requires an unrealistic 247 chosen plaintexts (Biham and Shamir, 1992).
30 December; 1993 DES is reaffirmed for the third time as FIPS 46-2
1994 The first experimental cryptanalysis of DES is performed using linear cryptanalysis (Matsui, 1994).
July 1998 The EFF's DES cracker breaks a DES key in 56 hours.
January 1999 Together, Deep Crack and distributed.net break a DES key in 22 hours and 15 minutes.
25 October 1999 DES is reaffirmed for the fourth time as FIPS 46-3, which specifies the preferred use of Triple DES, with single DES permitted only in legacy systems.
26 November; 2001 The Advanced Encryption Standard is published in FIPS 197
26 May 2002 The AES standard becomes effective
26 July 2004 The withdrawl of FIPS 46-3 (and a couple of related standards) is proposed in the Federal Register [1]


DES is the archetypal block cipher — an algorithm that takes a fixed-length string of plaintext bits and transforms it through a series of complicated operations into another ciphertext bitstring of the same length. In the case of DES, the block size is 64 bits. DES also uses a key to customise the transformation, so that decryption can only be performed by those who know the particular key used to encrypt. The key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. Eight bits are used solely for checking parity, and are thereafter discarded. Hence the effective key length is 56 bits, and it is usually quoted as such.

The algorithm's overall structure is shown in Figure 1: there are 16 identical stages of processing, termed rounds. There is also an initial and final permutation, termed IP and FP, which are inversess (IP "undoes" the action of FP, and vice versa). IP and FP have almost no cryptographic significance, but were apparently included in order to facilitate loading blocks in and out of mid-1970s hardware. Before the main rounds, the block is divided into two 32-bit halves and processed alternately; this criss-crossing is known as the Feistel scheme. The red "⊕" symbol denotes the exclusive-OR (XOR) operation. The F-function scrambles half a block together with some of the key.

The F-function, depicted in Figure 2, operates on half a block (32 bits) at time and consists of four stages:

  1. Expansion — the 32-bit half-block is expanded to 48 bits using the expansion permutation, denoted E in the diagram, by duplicating some of the bits.
  2. Key mixing — the result is combined with a subkey using an XOR operation. Sixteen 48-bit subkeys — one for each round — are derived from the main key using the key schedule (described below).
  3. Substitution — after mixing in the subkey, the block is divided into eight 6-bit pieces before processing by the S-boxes, or substitution boxes. Each of the eight S-boxes replaces its six input bits with four output bits according to a non-linear transformation, provided in the form of a lookup table. The S-boxes provide the core of the security of DES — without them, the cipher would be linear, and trivially breakable.
  4. Permutation — finally, the 32 outputs from the S-boxes are rearranged according a fixed permutation, the P-box.

The alternation of substitution from the S-boxes, and permutation of bits from the P-box and E-expansion provides so-called "confusion and diffusion" respectively, a concept identified by Claude Shannon in the 1940s as a necessary condition for a secure yet practical cipher.

Figure 3 illustrates the key schedule — the algorithm which generates the subkeys. Initially, 56 bits of the key are selected from the initial 64 by Permuted Choice 1 (PC-1). Then the 56 bits are divided into two 28-bit halves. Each half is thereafter treated separately. In successive rounds, each half is rotated left by one or two bits, and then the 32 subkey bits are selected by Permuted Choice 2 (PC-2).

The Feistel structure ensures that decryption and encryption are very similar processes — the only difference is that the subkeys are applied in the reverse order when decrypting. The rest of the algorithm is identical. This greatly simplifies implementation, particularly in hardware, as there is no need for separate encryption and decryption algorithms.

Security and cryptanalysis

Brute force attack

For any cipher, the most basic method of attack is
brute force — trying every possible key in turn. The length of the key determines the number of possible keys, and hence the feasibility of this approach. For DES, questions were raised about the adequacy of its key size early on, even before it was adopted as a standard, and it was the small key size, rather than theoretical cryptanalysis, which dictated a need for a replacement algorithm. It is known that the NSA encouraged, if not persuaded, IBM in reducing the key size from 128 to 64 bits, and from there to 56 bits; this is often taken as an indication that the NSA possessed enough computer power to break keys of this length even in the mid-1970s.

In academia, various proposals for a DES-cracking machine were advanced. In 1977, Diffie and Hellman proposed a machine costing an estimated US$20 million which could find a DES key in a single day. By 1993, Wiener had proposed a key-search machine costing US$1 million which would find a key within 7 hours. The vulnerability of DES was practically demonstrated in 1998 when a custom DES-cracker was built by the Electronic Frontier Foundation (EFF), a cyberspace civil rights group, at the cost of approximately US$250,000. Their motivation was to show that DES was breakable in practice as well as in theory: "There are many people who will not believe a truth until they can see it with their own eyes. Showing them a physical machine that can crack DES in a few days is the only way to convince some people that they really cannot trust their security to DES." The machine brute-forced a key in a little more than 2 days' search; at about the same time at least one attorney from the US Justice Department was announcing that DES was unbreakable.

Minor cryptanalytic properties

DES exhibits the complementation property, namely that
where is the bitwise complement of ( denotes encryption with key K; P and C denote plaintext and ciphertext blocks.) The complementation property means that the work factor for a
brute force attack could be reduced by a factor of 2 (or a single bit) under a chosen-plaintext assumption.

DES also has four so-called weak keys. Encryption and decryption under a weak key have the same effect (see involution):

There are also six pairs of semi-weak keys. Encryption with one of the pair of semiweak keys, , operates identically to decryption with the other, :

DES has also been proved not to be a group.

Attacks faster than brute-force

There are three attacks known that can break DES with less complexity than a brute-force search: differential cryptanalysis, linear cryptanalysis and Davies' attack. However, the attacks are theoretical and not possible to perform in practice; these types of attack are sometimes termed certificational weaknesses.

Replacement algorithms

Many former DES users now use Triple DES (3DES) which was described and analyzed by one of DES's patentees (see FIPS Pub 46-3); it involves applying DES three times with different keys. 3DES is widely regarded as adequately secure for now, though it is quite slow. A less computationally expensive alternative is DES-X, which increases the key size by XORing extra key material before and after DES. GDES was a DES variant proposed as a way to speed up encryption, but it was shown to be susceptible to differential cryptanalysis.

After much delay (DES was to have been a standard for only five years), and after another, widely respected, competition, NIST has selected a new cipher, the Advanced Encryption Standard (AES) to replace DES late in 2001. The algorithm which was selected as the AES was submitted by its designers under the name Rijndael. Other finalists in the NIST AES competition included RC6, Serpent, MARS, and Twofish.

It should be noted that no encryption algorithm is ideally suited for all uses. Algorithms suitable for low-throughput use on general-purpose machines (eg, SSH, or various forms of email encryption) are not always suited to embedded systems or smart cards, and so on.

See also


External links

Block ciphers
Algorithms: 3-Way | AES | Blowfish | Camellia | CAST-128 | CAST-256 | CMEA | DEAL | DES | DES-X | FEAL | G-DES | GOST | IDEA | Iraqi | KASUMI | KHAZAD | Khufu and Khafre; | LOKI89/91 | LOKI97 | Lucifer | MacGuffin | Madryga | MAGENTA | MARS | MISTY1 | MMB | NewDES | RC2 | RC5 | RC6 | Red Pike; | S-1 | SAFER | Serpent | SHARK | Skipjack | Square | TEA | Triple DES; | Twofish | XTEA
Design: Feistel network; | Key schedule; | Product cipher; | S-box | SPN   Attacks: Brute force; | Linear / Differential cryptanalysis | Mod n; | XSL   Standardisation: AES process; | CRYPTREC | NESSIE   Misc: Avalanche effect | Block size; | IV | Key size; | Modes of operation; | Piling-up lemma; | Weak key;