What Is Data Called That Is to Be Encrypted by Inputting It Into a Cryptographic Algorithm?

Early unclassified symmetric-key block cipher

Data Encryption Standard


The Feistel function (F function) of DES

General
Designers: IBM
First published: 1975 (Federal Register) (standardized in January 1977)
Derived from: Lucifer
Successors: Triple DES, G-DES, DES-X, LOKI89, ICE
Cipher detail
Key sizes: 56 bits
Block sizes: 64 bits
Structure: Balanced Feistel network
Rounds: 16
Best public cryptanalysis
DES has been considered insecure right from the start because of the feasibility of brute-force attacks.[1] Such attacks have been demonstrated in practice (see EFF DES cracker) and are now available on the market as a service. As of 2008, the best analytical attack is linear cryptanalysis, which requires 2^43 known plaintexts and has a time complexity of 2^39–2^43 (Junod, 2001).

The Data Encryption Standard (DES) is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for applications, it has been highly influential in the advancement of cryptography.

Developed in the early 1970s at IBM and based on an earlier design by Horst Feistel, the algorithm was submitted to the National Bureau of Standards (NBS) following the agency's invitation to propose a candidate for the protection of sensitive, unclassified electronic government data. In 1976, after consultation with the National Security Agency (NSA), the NBS selected a slightly modified version (strengthened against differential cryptanalysis, but weakened against brute-force attacks), which was published as an official Federal Information Processing Standard (FIPS) for the United States in 1977.[2]

The publication of an NSA-approved encryption standard led to its quick international adoption and widespread academic scrutiny. Controversies arose from classified design elements, a relatively short key length of the symmetric-key block cipher design, and the involvement of the NSA, raising suspicions about a backdoor. The S-boxes that had prompted those suspicions were designed by the NSA to remove a backdoor they secretly knew (differential cryptanalysis). However, the NSA also ensured that the key size was drastically reduced so that they could break the cipher by brute force attack.[2] The intense academic scrutiny the algorithm received over time led to the modern understanding of block ciphers and their cryptanalysis.

DES is insecure due to the relatively short 56-bit key size. In January 1999, distributed.net and the Electronic Frontier Foundation collaborated to publicly break a DES key in 22 hours and 15 minutes (see chronology). There are also some analytical results which demonstrate theoretical weaknesses in the cipher, although they are infeasible in practice. The algorithm is believed to be practically secure in the form of Triple DES, although there are theoretical attacks. This cipher has been superseded by the Advanced Encryption Standard (AES). DES has been withdrawn as a standard by the National Institute of Standards and Technology.[3]

Some documents distinguish between the DES standard and its algorithm, referring to the algorithm as the DEA (Data Encryption Algorithm).

History

The origins of DES date to 1972, when a National Bureau of Standards study of US government computer security identified a need for a government-wide standard for encrypting unclassified, sensitive information.[4]

Around the same time, engineer Mohamed Atalla in 1972 founded Atalla Corporation and developed the first hardware security module (HSM), the so-called "Atalla Box" which was commercialized in 1973. It protected offline devices with a secure PIN generating key, and was a commercial success. Banks and credit card companies were fearful that Atalla would dominate the market, which spurred the development of an international encryption standard.[3] Atalla was an early competitor to IBM in the banking market, and was cited as an influence by IBM employees who worked on the DES standard.[5] The IBM 3624 later adopted a similar PIN verification system to the earlier Atalla system.[6]

On 15 May 1973, after consulting with the NSA, NBS solicited proposals for a cipher that would meet rigorous design criteria. None of the submissions was suitable. A second request was issued on 27 August 1974. This time, IBM submitted a candidate which was deemed acceptable—a cipher developed during the period 1973–1974 based on an earlier algorithm, Horst Feistel's Lucifer cipher. The team at IBM involved in cipher design and analysis included Feistel, Walter Tuchman, Don Coppersmith, Alan Konheim, Carl Meyer, Mike Matyas, Roy Adler, Edna Grossman, Bill Notz, Lynn Smith, and Bryant Tuckerman.

NSA's involvement in the design

On 17 March 1975, the proposed DES was published in the Federal Register. Public comments were requested, and in the following year two open workshops were held to discuss the proposed standard. There was criticism received from public-key cryptography pioneers Martin Hellman and Whitfield Diffie,[1] citing a shortened key length and the mysterious "S-boxes" as evidence of improper interference from the NSA. The suspicion was that the algorithm had been covertly weakened by the intelligence agency so that they—but no one else—could easily read encrypted messages.[7] Alan Konheim (one of the designers of DES) commented, "We sent the S-boxes off to Washington. They came back and were all different."[8] The United States Senate Select Committee on Intelligence reviewed the NSA's actions to determine whether there had been any improper involvement. In the unclassified summary of their findings, published in 1978, the Committee wrote:

In the development of DES, NSA convinced IBM that a reduced key size was sufficient; indirectly assisted in the development of the S-box structures; and certified that the final DES algorithm was, to the best of their knowledge, free from any statistical or mathematical weakness.[9]

However, it also found that

NSA did not tamper with the design of the algorithm in any way. IBM invented and designed the algorithm, made all pertinent decisions regarding it, and concurred that the agreed upon key size was more than adequate for all commercial applications for which the DES was intended.[10]

Another member of the DES team, Walter Tuchman, stated "We developed the DES algorithm entirely within IBM using IBMers. The NSA did not dictate a single wire!"[11] In contrast, a declassified NSA book on cryptologic history states:

In 1973 NBS solicited private industry for a data encryption standard (DES). The first offerings were disappointing, so NSA began working on its own algorithm. Then Howard Rosenblum, deputy director for research and engineering, discovered that Walter Tuchman of IBM was working on a modification to Lucifer for general use. NSA gave Tuchman a clearance and brought him in to work jointly with the Agency on his Lucifer modification.[12]

and

NSA worked closely with IBM to strengthen the algorithm against all except brute-force attacks and to strengthen substitution tables, called S-boxes. Conversely, NSA tried to convince IBM to reduce the length of the key from 64 to 48 bits. Ultimately they compromised on a 56-bit key.[13][14]

Some of the suspicions about hidden weaknesses in the S-boxes were allayed in 1990, with the independent discovery and open publication by Eli Biham and Adi Shamir of differential cryptanalysis, a general method for breaking block ciphers. The S-boxes of DES were much more resistant to the attack than if they had been chosen at random, strongly suggesting that IBM knew about the technique in the 1970s. This was indeed the case; in 1994, Don Coppersmith published some of the original design criteria for the S-boxes.[15] According to Steven Levy, IBM Watson researchers discovered differential cryptanalytic attacks in 1974 and were asked by the NSA to keep the technique secret.[16] Coppersmith explains IBM's secrecy decision by saying, "that was because [differential cryptanalysis] can be a very powerful tool, used against many schemes, and there was concern that such information in the public domain could adversely impact national security." Levy quotes Walter Tuchman: "[t]hey asked us to stamp all our documents confidential... We actually put a number on each one and locked them up in safes, because they were considered U.S. government classified. They said do it. So I did it".[16] Bruce Schneier observed that "It took the academic community 2 decades to figure out that the NSA 'tweaks' actually improved the security of DES."[17]

The algorithm as a standard

Despite the criticisms, DES was approved as a federal standard in November 1976, and published on 15 January 1977 as FIPS PUB 46, authorized for use on all unclassified data. It was subsequently reaffirmed as the standard in 1983, 1988 (revised as FIPS-46-1), 1993 (FIPS-46-2), and again in 1999 (FIPS-46-3), the latter prescribing "Triple DES" (see below). On 26 May 2002, DES was finally superseded by the Advanced Encryption Standard (AES), following a public competition. On 19 May 2005, FIPS 46-3 was officially withdrawn, but NIST has approved Triple DES through the year 2030 for sensitive government information.[18]

The algorithm is also specified in ANSI X3.92 (today X3 is known as INCITS and ANSI X3.92 as ANSI INCITS 92),[19] NIST SP 800-67[18] and ISO/IEC 18033-3[20] (as a component of TDEA).

Another theoretical attack, linear cryptanalysis, was published in 1994, but it was the Electronic Frontier Foundation's DES cracker in 1998 that demonstrated that DES could be attacked very practically, and highlighted the need for a replacement algorithm. These and other methods of cryptanalysis are discussed in more detail later in this article.

The introduction of DES is considered to have been a catalyst for the academic study of cryptography, particularly of methods to crack block ciphers. According to a NIST retrospective about DES,

The DES can be said to have "jump-started" the nonmilitary study and development of encryption algorithms. In the 1970s there were very few cryptographers, except for those in military or intelligence organizations, and little academic study of cryptography. There are now many active academic cryptologists, mathematics departments with strong programs in cryptography, and commercial information security companies and consultants. A generation of cryptanalysts has cut its teeth analyzing (that is, trying to "crack") the DES algorithm. In the words of cryptographer Bruce Schneier,[21] "DES did more to galvanize the field of cryptanalysis than anything else. Now there was an algorithm to study." An amazing share of the open literature in cryptography in the 1970s and 1980s dealt with the DES, and the DES is the standard against which every symmetric key algorithm since has been compared.[22]

Chronology

15 May 1973: NBS publishes a first request for a standard encryption algorithm
27 August 1974: NBS publishes a second request for encryption algorithms
17 March 1975: DES is published in the Federal Register for comment
August 1976: First workshop on DES
September 1976: Second workshop, discussing mathematical foundation of DES
November 1976: DES is approved as a standard
15 January 1977: DES is published as a FIPS standard FIPS PUB 46
June 1977: Diffie and Hellman argue that the DES cipher can be broken by brute force.[1]
1983: DES is reaffirmed for the first time
1986: Videocipher II, a TV satellite scrambling system based upon DES, begins use by HBO
22 January 1988: DES is reaffirmed for the second time as FIPS 46-1, superseding FIPS PUB 46
July 1991: Biham and Shamir rediscover differential cryptanalysis, and apply it to a 15-round DES-like cryptosystem.
1992: Biham and Shamir report the first theoretical attack with less complexity than brute force: differential cryptanalysis. However, it requires an unrealistic 2^47 chosen plaintexts.
30 December 1993: DES is reaffirmed for the third time as FIPS 46-2
1994: The first experimental cryptanalysis of DES is performed using linear cryptanalysis (Matsui, 1994).
June 1997: The DESCHALL Project breaks a message encrypted with DES for the first time in public.
July 1998: The EFF's DES cracker (Deep Crack) breaks a DES key in 56 hours.
January 1999: Together, Deep Crack and distributed.net break a DES key in 22 hours and 15 minutes.
25 October 1999: DES is reaffirmed for the fourth time as FIPS 46-3, which specifies the preferred use of Triple DES, with single DES permitted only in legacy systems.
26 November 2001: The Advanced Encryption Standard is published in FIPS 197
26 May 2002: The AES becomes effective
26 July 2004: The withdrawal of FIPS 46-3 (and a couple of related standards) is proposed in the Federal Register[23]
19 May 2005: NIST withdraws FIPS 46-3 (see Federal Register vol 70, number 96)
April 2006: The FPGA-based parallel machine COPACOBANA of the Universities of Bochum and Kiel, Germany, breaks DES in 9 days at a $10,000 hardware cost.[24] Within a year software improvements reduced the average time to 6.4 days.
Nov. 2008: The successor of COPACOBANA, the RIVYERA machine, reduced the average time to less than a single day.
August 2016: The open-source password cracking software hashcat added in DES brute force searching on general purpose GPUs. Benchmarking shows a single off-the-shelf Nvidia GeForce GTX 1080 Ti GPU costing $1000 USD recovers a key in an average of 15 days (full exhaustive search taking 30 days). Systems have been built with eight GTX 1080 Ti GPUs which can recover a key in an average of under 2 days.[25]
July 2017: A chosen-plaintext attack utilizing a rainbow table can recover the DES key for a single specific chosen plaintext 1122334455667788 in 25 seconds. A new rainbow table has to be calculated per plaintext. A limited set of rainbow tables have been made available for download.[26]

Description

Figure 1: The overall Feistel structure of DES

DES is the archetypal block cipher—an algorithm that takes a fixed-length string of plaintext bits and transforms it through a series of complicated operations into another ciphertext bitstring of the same length. In the case of DES, the block size is 64 bits. DES also uses a key to customize the transformation, so that decryption can supposedly only be performed by those who know the particular key used to encrypt. The key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. Eight bits are used solely for checking parity, and are thereafter discarded. Hence the effective key length is 56 bits.

The key is nominally stored or transmitted as 8 bytes, each with odd parity. According to ANSI X3.92-1981 (now known as ANSI INCITS 92-1981), section 3.5:

One bit in each 8-bit byte of the KEY may be utilized for error detection in key generation, distribution, and storage. Bits 8, 16,..., 64 are for use in ensuring that each byte is of odd parity.

Like other block ciphers, DES by itself is not a secure means of encryption, but must instead be used in a mode of operation. FIPS-81 specifies several modes for use with DES.[27] Further comments on the usage of DES are contained in FIPS-74.[28]

Decryption uses the same structure as encryption, but with the keys used in reverse order. (This has the advantage that the same hardware or software can be used in both directions.)

Overall structure

The algorithm's overall structure is shown in Figure 1: there are 16 identical stages of processing, termed rounds. There is also an initial and final permutation, termed IP and FP, which are inverses (IP "undoes" the action of FP, and vice versa). IP and FP have no cryptographic significance, but were included in order to facilitate loading blocks in and out of mid-1970s 8-bit based hardware.[29]

Before the main rounds, the block is divided into two 32-bit halves and processed alternately; this criss-crossing is known as the Feistel scheme. The Feistel structure ensures that decryption and encryption are very similar processes—the only difference is that the subkeys are applied in the reverse order when decrypting. The rest of the algorithm is identical. This greatly simplifies implementation, particularly in hardware, as there is no need for separate encryption and decryption algorithms.

The ⊕ symbol denotes the exclusive-OR (XOR) operation. The F-function scrambles half a block together with some of the key. The output from the F-function is then combined with the other half of the block, and the halves are swapped before the next round. After the final round, the halves are swapped; this is a feature of the Feistel structure which makes encryption and decryption similar processes.
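The round structure described above, as an added Python example that is not part of the original article: a 16-round balanced Feistel network on a 64-bit block, where the same routine decrypts once the subkeys are reversed. The round function `toy_f` (a truncated SHA-256) and the sample subkeys are assumptions standing in for the real DES F-function and key schedule, and IP/FP are omitted.

```python
import hashlib

MASK32 = 0xFFFFFFFF

# Constructed sample subkeys: sixteen arbitrary 48-bit values, NOT a DES key schedule.
SAMPLE_SUBKEYS = [(0x0123456789AB * (i + 3)) & 0xFFFFFFFFFFFF for i in range(16)]


def toy_f(half, subkey):
    """Stand-in round function (not the DES F-function).

    It is deliberately non-invertible: a Feistel network never needs to
    run F backwards, only to recompute it on the half that passed through
    the round unchanged.
    """
    data = half.to_bytes(4, "big") + subkey.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel(block, subkeys, f=toy_f):
    """Run one pass of the network over a 64-bit block.

    Each round computes L_i = R_(i-1) and R_i = L_(i-1) XOR F(R_(i-1), K_i).
    After the last round the halves are swapped once more, which is what
    lets the identical routine undo itself with the subkeys reversed.
    """
    left, right = (block >> 32) & MASK32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return (right << 32) | left  # final swap: output is R16 || L16


def encrypt(block, subkeys=SAMPLE_SUBKEYS):
    return feistel(block, subkeys)


def decrypt(block, subkeys=SAMPLE_SUBKEYS):
    # Same structure, subkeys applied in reverse order.
    return feistel(block, subkeys[::-1])


if __name__ == "__main__":
    pt = 0x0123456789ABCDEF  # constructed sample block
    ct = encrypt(pt)
    print(f"plaintext  {pt:016x}")
    print(f"ciphertext {ct:016x}")
    print(f"decrypted  {decrypt(ct):016x}")
    # Applying the subkeys in the encryption order again does not decrypt.
    print(f"wrong order {feistel(ct, SAMPLE_SUBKEYS):016x}")
```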

The Feistel (F) function

The F-function, depicted in Figure 2, operates on half a block (32 bits) at a time and consists of four stages:

Figure 2: The Feistel function (F-function) of DES

  1. Expansion: the 32-bit half-block is expanded to 48 bits using the expansion permutation, denoted E in the diagram, by duplicating half of the bits. The output consists of eight 6-bit (8 × 6 = 48 bits) pieces, each containing a copy of 4 corresponding input bits, plus a copy of the immediately adjacent bit from each of the input pieces to either side.
  2. Key mixing: the result is combined with a subkey using an XOR operation. Sixteen 48-bit subkeys—one for each round—are derived from the main key using the key schedule (described below).
  3. Substitution: after mixing in the subkey, the block is divided into eight 6-bit pieces before processing by the S-boxes, or substitution boxes. Each of the eight S-boxes replaces its six input bits with four output bits according to a non-linear transformation, provided in the form of a lookup table. The S-boxes provide the core of the security of DES—without them, the cipher would be linear, and trivially breakable.
  4. Permutation: finally, the 32 outputs from the S-boxes are rearranged according to a fixed permutation, the P-box. This is designed so that, after permutation, the bits from the output of each S-box in this round are spread across four different S-boxes in the next round.

The alternation of substitution from the S-boxes, and permutation of bits from the P-box and E-expansion provides so-called "confusion and diffusion" respectively, a concept identified by Claude Shannon in the 1940s as a necessary condition for a secure yet practical cipher.

Key schedule

Figure 3 illustrates the key schedule for encryption—the algorithm which generates the subkeys. Initially, 56 bits of the key are selected from the initial 64 by Permuted Choice 1 (PC-1)—the remaining eight bits are either discarded or used as parity check bits. The 56 bits are then divided into two 28-bit halves; each half is thereafter treated separately. In successive rounds, both halves are rotated left by one or two bits (specified for each round), and then 48 subkey bits are selected by Permuted Choice 2 (PC-2)—24 bits from the left half, and 24 from the right. The rotations (denoted by "<<<" in the diagram) mean that a different set of bits is used in each subkey; each bit is used in approximately 14 out of the 16 subkeys.

The key schedule for decryption is similar—the subkeys are in reverse order compared to encryption. Apart from that change, the process is the same as for encryption. The same 28 bits are passed to all rotation boxes.

Security and cryptanalysis

Although more information has been published on the cryptanalysis of DES than any other block cipher, the most practical attack to date is still a brute-force approach. Various minor cryptanalytic properties are known, and three theoretical attacks are possible which, while having a theoretical complexity less than a brute-force attack, require an unrealistic number of known or chosen plaintexts to carry out, and are not a concern in practice.

Brute-force attack

For any cipher, the most basic method of attack is brute force—trying every possible key in turn. The length of the key determines the number of possible keys, and hence the feasibility of this approach. For DES, questions were raised about the adequacy of its key size early on, even before it was adopted as a standard, and it was the small key size, rather than theoretical cryptanalysis, which dictated a need for a replacement algorithm. As a result of discussions involving external consultants including the NSA, the key size was reduced from 128 bits to 56 bits to fit on a single chip.[30]

The EFF's US$250,000 DES cracking machine contained 1,856 custom chips and could brute-force a DES key in a matter of days—the photo shows a DES Cracker circuit board fitted with several Deep Crack chips.

In academia, various proposals for a DES-cracking machine were advanced. In 1977, Diffie and Hellman proposed a machine costing an estimated US$20 million which could find a DES key in a single day.[1][31] By 1993, Wiener had proposed a key-search machine costing US$1 million which would find a key within 7 hours. However, none of these early proposals were ever implemented—or, at least, no implementations were publicly acknowledged. The vulnerability of DES was practically demonstrated in the late 1990s.[32] In 1997, RSA Security sponsored a series of contests, offering a $10,000 prize to the first team that broke a message encrypted with DES for the contest. That contest was won by the DESCHALL Project, led by Rocke Verser, Matt Curtin, and Justin Dolske, using idle cycles of thousands of computers across the Internet. The feasibility of cracking DES quickly was demonstrated in 1998 when a custom DES-cracker was built by the Electronic Frontier Foundation (EFF), a cyberspace civil rights group, at the cost of approximately US$250,000 (see EFF DES cracker). Their motivation was to show that DES was breakable in practice as well as in theory: "There are many people who will not believe a truth until they can see it with their own eyes. Showing them a physical machine that can crack DES in a few days is the only way to convince some people that they really cannot trust their security to DES." The machine brute-forced a key in a little more than 2 days' worth of searching.

The next confirmed DES cracker was the COPACOBANA machine built in 2006 by teams of the Universities of Bochum and Kiel, both in Germany. Unlike the EFF machine, COPACOBANA consists of commercially available, reconfigurable integrated circuits. 120 of these field-programmable gate arrays (FPGAs) of type XILINX Spartan-3 1000 run in parallel. They are grouped in 20 DIMM modules, each containing 6 FPGAs. The use of reconfigurable hardware makes the machine applicable to other code breaking tasks as well.[33] One of the more interesting aspects of COPACOBANA is its cost factor. One machine can be built for approximately $10,000.[34] The cost decrease by roughly a factor of 25 over the EFF machine is an example of the continuous improvement of digital hardware—see Moore's law. Adjusting for inflation over 8 years yields an even higher improvement of about 30x. Since 2007, SciEngines GmbH, a spin-off company of the two project partners of COPACOBANA, has enhanced and developed successors of COPACOBANA. In 2008 their COPACOBANA RIVYERA reduced the time to break DES to less than one day, using 128 Spartan-3 5000's. SciEngines RIVYERA held the record in brute-force breaking DES, having utilized 128 Spartan-3 5000 FPGAs.[35] Their 256 Spartan-6 LX150 model has further lowered this time.

In 2012, David Hulton and Moxie Marlinspike announced a system with 48 Xilinx Virtex-6 LX240T FPGAs, each FPGA containing 40 fully pipelined DES cores running at 400 MHz, for a total capacity of 768 gigakeys/sec. The system can exhaustively search the entire 56-bit DES key space in about 26 hours and this service is offered for a fee online.[36][37]

Attacks faster than brute force

There are three attacks known that can break the full 16 rounds of DES with less complexity than a brute-force search: differential cryptanalysis (DC),[38] linear cryptanalysis (LC),[39] and Davies' attack.[40] However, the attacks are theoretical and are generally considered infeasible to mount in practice;[41] these types of attack are sometimes termed certificational weaknesses.

  • Differential cryptanalysis was rediscovered in the late 1980s by Eli Biham and Adi Shamir; it was known earlier to both IBM and the NSA and kept secret. To break the full 16 rounds, differential cryptanalysis requires 2^47 chosen plaintexts.[38] DES was designed to be resistant to DC.
  • Linear cryptanalysis was discovered by Mitsuru Matsui, and needs 2^43 known plaintexts (Matsui, 1993);[39] the method was implemented (Matsui, 1994), and was the first experimental cryptanalysis of DES to be reported. There is no evidence that DES was tailored to be resistant to this type of attack. A generalization of LC—multiple linear cryptanalysis—was suggested in 1994 (Kaliski and Robshaw), and was further refined by Biryukov and others (2004); their analysis suggests that multiple linear approximations could be used to reduce the data requirements of the attack by at least a factor of 4 (that is, 2^41 instead of 2^43).[42] A similar reduction in data complexity can be obtained in a chosen-plaintext variant of linear cryptanalysis (Knudsen and Mathiassen, 2000).[43] Junod (2001) performed several experiments to determine the actual time complexity of linear cryptanalysis, and reported that it was somewhat faster than predicted, requiring time equivalent to 2^39–2^41 DES evaluations.[44]
  • Improved Davies' attack: while linear and differential cryptanalysis are general techniques and can be applied to a number of schemes, Davies' attack is a specialized technique for DES, first suggested by Donald Davies in the eighties,[40] and improved by Biham and Biryukov (1997).[45] The most powerful form of the attack requires 2^50 known plaintexts, has a computational complexity of 2^50, and has a 51% success rate.

There have also been attacks proposed against reduced-round versions of the cipher, that is, versions of DES with fewer than 16 rounds. Such analysis gives an insight into how many rounds are needed for safety, and how much of a "security margin" the full version retains.

Differential-linear cryptanalysis was proposed by Langford and Hellman in 1994, and combines differential and linear cryptanalysis into a single attack.[46] An enhanced version of the attack can break 9-round DES with 2^15.8 chosen plaintexts and has a 2^29.2 time complexity (Biham and others, 2002).[47]

Minor cryptanalytic properties

DES exhibits the complementation property, namely that

$E_K(P) = C \iff E_{\overline{K}}(\overline{P}) = \overline{C}$

where $\overline{x}$ is the bitwise complement of $x$. $E_K$ denotes encryption with key $K$. $P$ and $C$ denote plaintext and ciphertext blocks respectively. The complementation property means that the work for a brute-force attack could be reduced by a factor of 2 (or a single bit) under a chosen-plaintext assumption. By definition, this property also applies to TDES cipher.[48]

DES also has four so-called weak keys. Encryption (E) and decryption (D) under a weak key have the same effect (see involution):

$E_K(E_K(P)) = P$ or equivalently, $E_K = D_K.$

There are also six pairs of semi-weak keys. Encryption with one of the pair of semiweak keys, $K_1$, operates identically to decryption with the other, $K_2$:

$E_{K_1}(E_{K_2}(P)) = P$ or equivalently, $E_{K_2} = D_{K_1}.$

It is easy enough to avoid the weak and semiweak keys in an implementation, either by testing for them explicitly, or simply by choosing keys randomly; the odds of picking a weak or semiweak key by chance are negligible. The keys are not really any weaker than any other keys anyway, as they do not give an attack any advantage.

DES has also been proved not to exist a group, or more precisely, the prepare { Due east Thou } {\displaystyle \{E_{Thou}\}} (for all possible keys K {\displaystyle K} ) under functional composition is non a group, nor "shut" to existence a group.[49] This was an open question for some time, and if information technology had been the instance, information technology would have been possible to intermission DES, and multiple encryption modes such as Triple DES would not increment the security, considering repeated encryption (and decryptions) under different keys would be equivalent to encryption nether another, unmarried key.[50]

Simplified DES [edit]

Simplified DES (SDES) was designed for educational purposes only, to help students learn about modern cryptanalytic techniques. SDES has like structure and backdrop to DES, but has been simplified to make it much easier to perform encryption and decryption past hand with pencil and paper. Some people feel that learning SDES gives insight into DES and other block ciphers, and insight into various cryptanalytic attacks against them.[51] [52] [53] [54] [55] [56] [57] [58] [59]

Replacement algorithms [edit]

Concerns about security and the relatively wearisome operation of DES in software motivated researchers to advise a multifariousness of alternative cake nothing designs, which started to announced in the late 1980s and early 1990s: examples include RC5, Blowfish, IDEA, NewDES, SAFER, CAST5 and FEAL. Near of these designs kept the 64-bit block size of DES, and could human action as a "drop-in" replacement, although they typically used a 64-scrap or 128-bit cardinal. In the Soviet Matrimony the GOST 28147-89 algorithm was introduced, with a 64-bit block size and a 256-fleck key, which was also used in Russia later on.

DES itself tin can exist adapted and reused in a more secure scheme. Many former DES users now utilise Triple DES (TDES) which was described and analysed by i of DES's patentees (meet FIPS Pub 46-three); it involves applying DES three times with 2 (2TDES) or three (3TDES) unlike keys. TDES is regarded as fairly secure, although it is quite tiresome. A less computationally expensive culling is DES-X, which increases the key size by XORing extra fundamental material before and later on DES. GDES was a DES variant proposed as a way to speed upwards encryption, but it was shown to be susceptible to differential cryptanalysis.

On January 2, 1997, NIST announced that they wished to choose a successor to DES.[60] In 2001, after an international competition, NIST selected a new cipher, the Advanced Encryption Standard (AES), as a replacement.[61] The algorithm which was selected as the AES was submitted by its designers under the name Rijndael. Other finalists in the NIST AES competition included RC6, Serpent, MARS, and Twofish.

See also

  • Brute Force: Cracking the Data Encryption Standard
  • DES supplementary material
  • Skipjack (cipher)
  • Triple DES

Notes

  1. Diffie, Whitfield; Hellman, Martin E. (June 1977). "Exhaustive Cryptanalysis of the NBS Data Encryption Standard" (PDF). Computer. 10 (6): 74–84. doi:10.1109/C-M.1977.217750. S2CID 2412454. Archived from the original (PDF) on 2014-02-26.
  2. "The Legacy of DES - Schneier on Security". www.schneier.com. October 6, 2004.
  3. Bátiz-Lazo, Bernardo (2018). Cash and Dash: How ATMs and Computers Changed Banking. Oxford University Press. pp. 284 & 311. ISBN 9780191085574.
  4. Walter Tuchman (1997). "A brief history of the data encryption standard". Internet besieged: countering cyberspace scofflaws. ACM Press/Addison-Wesley Publishing Co. New York, NY, USA. pp. 275–280.
  5. "The Economic Impacts of NIST's Data Encryption Standard (DES) Program" (PDF). National Institute of Standards and Technology. United States Department of Commerce. October 2001. Archived from the original (PDF) on 30 August 2017. Retrieved 21 August 2019.
  6. Konheim, Alan G. (1 April 2016). "Automated teller machines: their history and authentication protocols". Journal of Cryptographic Engineering. 6 (1): 1–29. doi:10.1007/s13389-015-0104-3. ISSN 2190-8516. S2CID 1706990. Archived from the original on 22 July 2019. Retrieved 28 August 2019.
  7. RSA Laboratories. "Has DES been broken?". Archived from the original on 2016-05-17. Retrieved 2009-11-08.
  8. Schneier. Applied Cryptography (2nd ed.). p. 280.
  9. Davies, D.W.; W.L. Price (1989). Security for computer networks, 2nd ed. John Wiley & Sons.
  10. Robert Sugarman, ed. (July 1979). "On foiling computer crime". IEEE Spectrum.
  11. P. Kinnucan (October 1978). "Data Encryption Gurus: Tuchman and Meyer". Cryptologia. 2 (4): 371. doi:10.1080/0161-117891853270.
  12. Thomas R. Johnson (2009-12-18). "American Cryptology during the Cold War, 1945-1989. Book III: Retrenchment and Reform, 1972-1980, page 232" (PDF). National Security Agency, DOCID 3417193 (file released on 2009-12-18, hosted at nsa.gov). Archived from the original (PDF) on 2013-09-18. Retrieved 2014-07-10.
  13. Thomas R. Johnson (2009-12-18). "American Cryptology during the Cold War, 1945-1989. Book III: Retrenchment and Reform, 1972-1980, page 232" (PDF). National Security Agency. Retrieved 2015-07-16 – via National Security Archive FOIA request. This version is differently redacted than the version on the NSA website.
  14. Thomas R. Johnson (2009-12-18). "American Cryptology during the Cold War, 1945-1989. Book III: Retrenchment and Reform, 1972-1980, page 232" (PDF). National Security Agency. Retrieved 2015-07-16 – via National Security Archive FOIA request. This version is differently redacted than the version on the NSA website.
  15. Konheim. Computer Security and Cryptography. p. 301.
  16. Levy, Crypto, p. 55
  17. Schneier, Bruce (2004-09-27). "Saluting the data encryption legacy". CNet. Retrieved 2015-07-22.
  18. National Institute of Standards and Technology, NIST Special Publication 800-67 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, Version 1.1
  19. American National Standards Institute, ANSI X3.92-1981 (now known as ANSI INCITS 92-1981) American National Standard, Data Encryption Algorithm
  20. "ISO/IEC 18033-3:2010 Information technology—Security techniques—Encryption algorithms—Part 3: Block ciphers". Iso.org. 2010-12-14. Retrieved 2011-10-21.
  21. Bruce Schneier, Applied Cryptography, Protocols, Algorithms, and Source Code in C, Second edition, John Wiley and Sons, New York (1996) p. 267
  22. William E. Burr, "Data Encryption Standard", in NIST's anthology "A Century of Excellence in Measurements, Standards, and Technology: A Chronicle of Selected NBS/NIST Publications, 1901–2000". HTML Archived 2009-06-19 at the Wayback Machine PDF Archived 2006-08-23 at the Wayback Machine
  23. "FR Doc 04-16894". Edocket.access.gpo.gov. Retrieved 2009-06-02.
  24. S. Kumar, C. Paar, J. Pelzl, G. Pfeiffer, A. Rupp, M. Schimmler, "How to Break DES for Euro 8,980". 2nd Workshop on Special-purpose Hardware for Attacking Cryptographic Systems—SHARCS 2006, Cologne, Germany, April 3–4, 2006.
  25. "8x1080Ti.md".
  26. "Crack.sh | the World's Fastest DES Cracker".
  27. "FIPS 81 - Des Modes of Operation". csrc.nist.gov. Retrieved 2009-06-02.
  28. "FIPS 74 - Guidelines for Implementing and Using the NBS Data". Itl.nist.gov. Archived from the original on 2014-01-03. Retrieved 2009-06-02.
  29. Schneier. Applied Cryptography (1st ed.). p. 271.
  30. Stallings, W. Cryptography and network security: principles and practice. Prentice Hall, 2006. p. 73
  31. "Bruting DES".
  32. van Oorschot, Paul C.; Wiener, Michael J. (1991), Damgård, Ivan Bjerre (ed.), "A Known-Plaintext Attack on Two-Key Triple Encryption", Advances in Cryptology — EUROCRYPT '90, Berlin, Heidelberg: Springer Berlin Heidelberg, vol. 473, pp. 318–325, doi:10.1007/3-540-46877-3_29, ISBN 978-3-540-53587-4
  33. "Getting Started, COPACOBANA — Cost-optimized Parallel Code-Breaker" (PDF). December 12, 2006. Retrieved March 6, 2012.
  34. Reinhard Wobst (October 16, 2007). Cryptology Unlocked. John Wiley & Sons. ISBN 9780470060643.
  35. Break DES in less than a single day Archived 2017-08-28 at the Wayback Machine [Press release of Firm, demonstrated on 2009 Workshop]
  36. "The World's fastest DES cracker".
  37. Think Complex Passwords Will Save You?, David Hulton, Ian Foster, BSidesLV 2017
  38. Biham, E. & Shamir, A (1993). Differential cryptanalysis of the data encryption standard. Shamir, Adi. New York: Springer-Verlag. pp. 487–496. doi:10.1007/978-1-4613-9314-6. ISBN 978-0387979304. OCLC 27173465. S2CID 6361693.
  39. Matsui, Mitsuru (1993-05-23). "Linear Cryptanalysis Method for DES Cipher". Advances in Cryptology — EUROCRYPT '93. Lecture Notes in Computer Science. Springer, Berlin, Heidelberg. 765: 386–397. doi:10.1007/3-540-48285-7_33. ISBN 978-3540482857.
  40. Davies, D. W. (1987). "Investigation of a potential weakness in the DES algorithm, Private communications". Private Communications.
  41. Alanazi, Hamdan O.; et al. (2010). "New Comparative Study Between DES, 3DES and AES within Nine Factors". Journal of Computing. 2 (3). arXiv:1003.4085. Bibcode:2010arXiv1003.4085A.
  42. Biryukov, Alex; Cannière, Christophe De; Quisquater, Michaël (2004-08-15). On Multiple Linear Approximations. Advances in Cryptology – CRYPTO 2004. Lecture Notes in Computer Science. Springer, Berlin, Heidelberg. pp. 1–22. doi:10.1007/978-3-540-28628-8_1. ISBN 9783540226680.
  43. Knudsen, Lars R.; Mathiassen, John Erik (2000-04-10). A Chosen-Plaintext Linear Attack on DES. Fast Software Encryption. Lecture Notes in Computer Science. Springer, Berlin, Heidelberg. pp. 262–272. doi:10.1007/3-540-44706-7_18. ISBN 978-3540447061.
  44. Junod, Pascal (2001-08-16). On the Complexity of Matsui's Attack. Selected Areas in Cryptography. Lecture Notes in Computer Science. Vol. 2259. Springer, Berlin, Heidelberg. pp. 199–211. doi:10.1007/3-540-45537-X_16. ISBN 978-3540455370.
  45. Biham, Eli; Biryukov, Alex (1997-06-01). "An improvement of Davies' attack on DES". Journal of Cryptology. 10 (3): 195–205. doi:10.1007/s001459900027. ISSN 0933-2790. S2CID 4070446.
  46. Langford, Susan K.; Hellman, Martin E. (1994-08-21). Differential-Linear Cryptanalysis. Advances in Cryptology — CRYPTO '94. Lecture Notes in Computer Science. Springer, Berlin, Heidelberg. pp. 17–25. doi:10.1007/3-540-48658-5_3. ISBN 978-3540486589.
  47. Biham, Eli; Dunkelman, Orr; Keller, Nathan (2002-12-01). Enhancing Differential-Linear Cryptanalysis. Advances in Cryptology — ASIACRYPT 2002. Lecture Notes in Computer Science. Springer, Berlin, Heidelberg. pp. 254–266. doi:10.1007/3-540-36178-2_16. ISBN 978-3540361787.
  48. Menezes, Alfred J.; van Oorschot, Paul C.; Vanstone, Scott A. (1996). Handbook of Applied Cryptography. CRC Press. p. 257. ISBN 978-0849385230.
  49. "Campbell and Wiener, 1992".
  50. "Double DES" (PDF).
  51. Sanjay Kumar; Sandeep Srivastava. "Image Encryption using Simplified Data Encryption Standard (S-DES)" Archived 2015-12-22 at the Wayback Machine. 2014.
  52. Alasdair McAndrew. "Introduction to Cryptography with Open-Source Software". 2012. Section "8.8 Simplified DES: sDES". p. 183 to 190.
  53. William Stallings. "Appendix G: Simplified DES". 2010.
  54. Nalini N; G Raghavendra Rao. "Cryptanalysis of Simplified Data Encryption Standard via Optimisation Heuristics". 2006.
  55. Minh Van Nguyen. "Simplified DES". 2009.
  56. Dr. Manoj Kumar. "Cryptography and Network Security". Section 3.4: The Simplified Version of DES (S-DES). p. 96.
  57. Edward F. Schaefer. "A Simplified Data Encryption Standard Algorithm". doi:10.1080/0161-119691884799 1996.
  58. Lavkush Sharma; Bhupendra Kumar Pathak; and Nidhi Sharma. "Breaking of Simplified Data Encryption Standard Using Binary Particle Swarm Optimization". 2012.
  59. "Cryptography Research: Devising a Better Way to Teach and Learn the Advanced Encryption Standard".
  60. "Announcing Development of FIPS for Advanced Encryption Standard | CSRC". 10 January 2017.
  61. http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf November 26, 2001.

References

  • Biham, Eli and Shamir, Adi (1991). "Differential Cryptanalysis of DES-like Cryptosystems". Journal of Cryptology. 4 (1): 3–72. doi:10.1007/BF00630563. S2CID 206783462. (preprint)
  • Biham, Eli and Shamir, Adi, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. ISBN 0-387-97930-1, ISBN 3-540-97930-1.
  • Biham, Eli and Alex Biryukov: An Improvement of Davies' Attack on DES. J. Cryptology 10(3): 195–206 (1997)
  • Biham, Eli, Orr Dunkelman, Nathan Keller: Enhancing Differential-Linear Cryptanalysis. ASIACRYPT 2002: pp254–266
  • Biham, Eli: A Fast New DES Implementation in Software
  • Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design, Electronic Frontier Foundation
  • Biryukov, A, C. De Canniere and M. Quisquater (2004). Franklin, Matt (ed.). On Multiple Linear Approximations. Lecture Notes in Computer Science. Vol. 3152. pp. 1–22. doi:10.1007/b99099. ISBN 978-3-540-22668-0. S2CID 27790868. (preprint).
  • Campbell, Keith W., Michael J. Wiener: DES is not a Group. CRYPTO 1992: pp512–520
  • Coppersmith, Don. (1994). The data encryption standard (DES) and its strength against attacks at the Wayback Machine (archived June 15, 2007). IBM Journal of Research and Development, 38(3), 243–250.
  • Diffie, Whitfield and Martin Hellman, "Exhaustive Cryptanalysis of the NBS Data Encryption Standard" IEEE Computer 10(6), June 1977, pp74–84
  • Ehrsam and others, Product Block Cipher System for Data Security, U.S. Patent 3,962,539, Filed Feb 24, 1975
  • Gilmore, John, "Cracking DES: Secrets of Encryption Research, Wiretap Politics and Chip Design", 1998, O'Reilly, ISBN 1-56592-520-3.
  • Junod, Pascal. "On the Complexity of Matsui's Attack." Selected Areas in Cryptography, 2001, pp199–211.
  • Kaliski, Burton S., Matt Robshaw: Linear Cryptanalysis Using Multiple Approximations. CRYPTO 1994: pp26–39
  • Knudsen, Lars, John Erik Mathiassen: A Chosen-Plaintext Linear Attack on DES. Fast Software Encryption - FSE 2000: pp262–272
  • Langford, Susan K., Martin E. Hellman: Differential-Linear Cryptanalysis. CRYPTO 1994: 17–25
  • Levy, Steven, Crypto: How the Code Rebels Beat the Government—Saving Privacy in the Digital Age, 2001, ISBN 0-14-024432-8.
  • Matsui, Mitsuru (1994). Helleseth, Tor (ed.). Linear Cryptanalysis Method for DES Cipher. Lecture Notes in Computer Science. Vol. 765. pp. 386–397. CiteSeerX 10.1.1.50.8472. doi:10.1007/3-540-48285-7. ISBN 978-3-540-57600-6. S2CID 21157010.
  • Matsui, Mitsuru (1994). "The First Experimental Cryptanalysis of the Data Encryption Standard". Advances in Cryptology — CRYPTO '94. Lecture Notes in Computer Science. Vol. 839. pp. 1–11. doi:10.1007/3-540-48658-5_1. ISBN 978-3-540-58333-2.
  • National Bureau of Standards, Data Encryption Standard, FIPS-Pub.46. National Bureau of Standards, U.S. Department of Commerce, Washington D.C., January 1977.
  • Christof Paar, Jan Pelzl, "The Data Encryption Standard (DES) and Alternatives", free online lectures on Chapter 3 of "Understanding Cryptography, A Textbook for Students and Practitioners". Springer, 2009.

External links

  • FIPS 46-3: The official document describing the DES standard (PDF)
  • COPACOBANA, a $10,000 DES cracker based on FPGAs by the Universities of Bochum and Kiel
  • DES step-by-step presentation and reliable message encoding application
  • A Fast New DES Implementation in Software - Biham
  • On Multiple Linear Approximations
  • RFC4772 : Security Implications of Using the Data Encryption Standard (DES)

cabralessuplined1987.blogspot.com

Source: https://en.wikipedia.org/wiki/Data_Encryption_Standard
