A(N) _____ Is a Standard Version of a Document That Is Used Over and Over Again.

Early unclassified symmetric-key block cipher

Information Encryption Standard

The Feistel function (F function) of DES
General
Designers	IBM
First published	1975 (Federal Register) (standardized in January 1977)
Derived from	Lucifer
Successors	Triple DES, G-DES, DES-X, LOKI89, ICE
Cipher detail
Key sizes	56 bits
Cake sizes	64 bits
Structure	Balanced Feistel network
Rounds	16
Best public cryptanalysis
DES has been considered insecure right from the offset because of the feasilibity of brute-force attacks.[i] Such attacks accept been demonstrated in practise (see EFF DES cracker) and are now available on the market as a service. As of 2008, the all-time analytical set on is linear cryptanalysis, which requires two43 known plaintexts and has a time complexity of two39–43 (Junod, 2001).

The Data Encryption Standard (DES ) is a symmetric-key algorithm for the encryption of digital data. Although its brusque key length of 56 bits makes it as well insecure for applications, information technology has been highly influential in the advocacy of cryptography.

Adult in the early 1970s at IBM and based on an earlier pattern by Horst Feistel, the algorithm was submitted to the National Bureau of Standards (NBS) following the bureau's invitation to propose a candidate for the protection of sensitive, unclassified electronic regime information. In 1976, after consultation with the National Security Agency (NSA), the NBS selected a slightly modified version (strengthened against differential cryptanalysis, but weakened confronting brute-force attacks), which was published every bit an official Federal Data Processing Standard (FIPS) for the United States in 1977.^[ii]

The publication of an NSA-approved encryption standard led to its quick international adoption and widespread bookish scrutiny. Controversies arose from classified design elements, a relatively brusque key length of the symmetric-key cake nil design, and the involvement of the NSA, raising suspicions near a backdoor. The Southward-boxes that had prompted those suspicions were designed by the NSA to remove a backdoor they secretly knew (differential cryptanalysis). Notwithstanding, the NSA also ensured that the key size was drastically reduced and so that they could break the cipher past brute force attack.^[2] The intense academic scrutiny the algorithm received over time led to the modern understanding of block ciphers and their cryptanalysis.

DES is insecure due to the relatively brusque 56-flake key size. In January 1999, distributed.cyberspace and the Electronic Frontier Foundation collaborated to publicly suspension a DES key in 22 hours and 15 minutes (see chronology). There are as well some belittling results which demonstrate theoretical weaknesses in the cipher, although they are infeasible in exercise. The algorithm is believed to be practically secure in the class of Triple DES, although there are theoretical attacks. This cipher has been superseded by the Avant-garde Encryption Standard (AES). DES has been withdrawn as a standard by the National Institute of Standards and Technology.^[3]

Some documents distinguish betwixt the DES standard and its algorithm, referring to the algorithm as the DEA (Data Encryption Algorithm).

History [edit]

The origins of DES engagement to 1972, when a National Bureau of Standards study of US government computer security identified a demand for a government-wide standard for encrypting unclassified, sensitive data.^[4]

Around the same time, engineer Mohamed Atalla in 1972 founded Atalla Corporation and developed the first hardware security module (HSM), the so-called "Atalla Box" which was commercialized in 1973. Information technology protected offline devices with a secure PIN generating key, and was a commercial success. Banks and credit card companies were fearful that Atalla would dominate the marketplace, which spurred the development of an international encryption standard.^[3] Atalla was an early competitor to IBM in the cyberbanking market, and was cited as an influence by IBM employees who worked on the DES standard.^[v] The IBM 3624 later on adopted a like Pivot verification system to the earlier Atalla organisation.^[6]

On 15 May 1973, subsequently consulting with the NSA, NBS solicited proposals for a cipher that would encounter rigorous blueprint criteria. None of the submissions was suitable. A second request was issued on 27 August 1974. This fourth dimension, IBM submitted a candidate which was deemed adequate—a cipher developed during the flow 1973–1974 based on an earlier algorithm, Horst Feistel's Friction match null. The team at IBM involved in cipher design and analysis included Feistel, Walter Tuchman, Don Coppersmith, Alan Konheim, Carl Meyer, Mike Matyas, Roy Adler, Edna Grossman, Beak Notz, Lynn Smith, and Bryant Tuckerman.

NSA'south involvement in the design [edit]

On 17 March 1975, the proposed DES was published in the Federal Register. Public comments were requested, and in the following yr two open workshops were held to talk over the proposed standard. There was criticism received from public-fundamental cryptography pioneers Martin Hellman and Whitfield Diffie,^[one] citing a shortened central length and the mysterious "South-boxes" every bit evidence of improper interference from the NSA. The suspicion was that the algorithm had been covertly weakened by the intelligence agency and then that they—but no 1 else—could easily read encrypted messages.^[seven] Alan Konheim (i of the designers of DES) commented, "We sent the Due south-boxes off to Washington. They came back and were all different."^[8] The United states Senate Select Committee on Intelligence reviewed the NSA's actions to determine whether there had been any improper involvement. In the unclassified summary of their findings, published in 1978, the Committee wrote:

In the evolution of DES, NSA convinced IBM that a reduced cardinal size was sufficient; indirectly assisted in the development of the S-box structures; and certified that the final DES algorithm was, to the best of their knowledge, free from any statistical or mathematical weakness.^[9]

However, it also plant that

NSA did not tamper with the blueprint of the algorithm in any manner. IBM invented and designed the algorithm, fabricated all pertinent decisions regarding it, and concurred that the agreed upon key size was more than adequate for all commercial applications for which the DES was intended.^[x]

Another member of the DES squad, Walter Tuchman, stated "Nosotros developed the DES algorithm entirely within IBM using IBMers. The NSA did not dictate a single wire!"^[11] In dissimilarity, a declassified NSA book on cryptologic history states:

In 1973 NBS solicited private industry for a information encryption standard (DES). The first offerings were disappointing, so NSA began working on its own algorithm. Then Howard Rosenblum, deputy director for research and engineering, discovered that Walter Tuchman of IBM was working on a modification to Lucifer for general use. NSA gave Tuchman a clearance and brought him in to work jointly with the Bureau on his Lucifer modification."^[12]

and

NSA worked closely with IBM to strengthen the algorithm against all except brute-forcefulness attacks and to strengthen substitution tables, called S-boxes. Conversely, NSA tried to convince IBM to reduce the length of the fundamental from 64 to 48 bits. Ultimately they compromised on a 56-fleck primal.^{[13] [14]}

Some of the suspicions about subconscious weaknesses in the S-boxes were allayed in 1990, with the independent discovery and open up publication by Eli Biham and Adi Shamir of differential cryptanalysis, a general method for breaking block ciphers. The Southward-boxes of DES were much more resistant to the set on than if they had been chosen at random, strongly suggesting that IBM knew almost the technique in the 1970s. This was indeed the case; in 1994, Don Coppersmith published some of the original design criteria for the S-boxes.^[15] According to Steven Levy, IBM Watson researchers discovered differential cryptanalytic attacks in 1974 and were asked by the NSA to proceed the technique surreptitious.^[16] Coppersmith explains IBM's secrecy decision by maxim, "that was considering [differential cryptanalysis] can exist a very powerful tool, used against many schemes, and there was business organization that such information in the public domain could adversely affect national security." Levy quotes Walter Tuchman: "[t]hey asked us to stamp all our documents confidential... We really put a number on each one and locked them up in safes, considering they were considered U.Southward. authorities classified. They said practise it. Then I did it".^[sixteen] Bruce Schneier observed that "It took the academic community 2 decades to figure out that the NSA 'tweaks' really improved the security of DES."^[17]

The algorithm equally a standard [edit]

Despite the criticisms, DES was approved as a federal standard in November 1976, and published on 15 January 1977 as FIPS PUB 46, authorized for use on all unclassified information. It was subsequently reaffirmed as the standard in 1983, 1988 (revised every bit FIPS-46-one), 1993 (FIPS-46-2), and again in 1999 (FIPS-46-3), the latter prescribing "Triple DES" (run across beneath). On 26 May 2002, DES was finally superseded by the Advanced Encryption Standard (AES), following a public competition. On 19 May 2005, FIPS 46-three was officially withdrawn, but NIST has canonical Triple DES through the twelvemonth 2030 for sensitive government information.^[eighteen]

The algorithm is also specified in ANSI X3.92 (Today X3 is known as INCITS and ANSI X3.92 as ANSI INCITS 92),^[19] NIST SP 800-67^[eighteen] and ISO/IEC 18033-3^[20] (every bit a component of TDEA).

Some other theoretical attack, linear cryptanalysis, was published in 1994, just it was the Electronic Frontier Foundation's DES cracker in 1998 that demonstrated that DES could be attacked very practically, and highlighted the need for a replacement algorithm. These and other methods of cryptanalysis are discussed in more detail later in this article.

The introduction of DES is considered to have been a catalyst for the academic written report of cryptography, particularly of methods to crevice cake ciphers. According to a NIST retrospective about DES,

The DES can be said to have "bound-started" the nonmilitary study and development of encryption algorithms. In the 1970s there were very few cryptographers, except for those in war machine or intelligence organizations, and little academic report of cryptography. At that place are at present many agile academic cryptologists, mathematics departments with strong programs in cryptography, and commercial information security companies and consultants. A generation of cryptanalysts has cut its teeth analyzing (that is, trying to "crack") the DES algorithm. In the words of cryptographer Bruce Schneier,^[21] "DES did more to galvanize the field of cryptanalysis than anything else. Now there was an algorithm to written report." An astonishing share of the open literature in cryptography in the 1970s and 1980s dealt with the DES, and the DES is the standard against which every symmetric fundamental algorithm since has been compared.^[22]

Chronology [edit]

Engagement	Year	Issue
15 May	1973	NBS publishes a outset request for a standard encryption algorithm
27 Baronial	1974	NBS publishes a 2nd request for encryption algorithms
17 March	1975	DES is published in the Federal Annals for comment
August	1976	Offset workshop on DES
September	1976	Second workshop, discussing mathematical foundation of DES
November	1976	DES is approved as a standard
fifteen January	1977	DES is published every bit a FIPS standard FIPS PUB 46
June	1977	Diffie and Hellman fence that the DES cipher tin can be broken past brute forcefulness.[1]
	1983	DES is reaffirmed for the first fourth dimension
	1986	Videocipher 2, a Idiot box satellite scrambling system based upon DES, begins use by HBO
22 January	1988	DES is reaffirmed for the second fourth dimension equally FIPS 46-i, superseding FIPS PUB 46
July	1991	Biham and Shamir rediscover differential cryptanalysis, and apply it to a 15-circular DES-similar cryptosystem.
	1992	Biham and Shamir report the offset theoretical set on with less complexity than animate being force: differential cryptanalysis. Yet, information technology requires an unrealistic two47 called plaintexts.
30 December	1993	DES is reaffirmed for the tertiary time every bit FIPS 46-2
	1994	The first experimental cryptanalysis of DES is performed using linear cryptanalysis (Matsui, 1994).
June	1997	The DESCHALL Project breaks a bulletin encrypted with DES for the first time in public.
July	1998	The EFF'southward DES cracker (Deep Scissure) breaks a DES key in 56 hours.
January	1999	Together, Deep Crevice and distributed.net intermission a DES key in 22 hours and 15 minutes.
25 Oct	1999	DES is reaffirmed for the 4th time as FIPS 46-3, which specifies the preferred use of Triple DES, with unmarried DES permitted only in legacy systems.
26 Nov	2001	The Advanced Encryption Standard is published in FIPS 197
26 May	2002	The AES becomes constructive
26 July	2004	The withdrawal of FIPS 46-3 (and a couple of related standards) is proposed in the Federal Register [23]
19 May	2005	NIST withdraws FIPS 46-3 (see Federal Register vol 70, number 96)
April	2006	The FPGA-based parallel motorcar COPACOBANA of the Universities of Bochum and Kiel, Frg, breaks DES in nine days at a $x,000 hardware toll.[24] Within a year software improvements reduced the average time to half dozen.4 days.
November.	2008	The successor of COPACOBANA, the RIVYERA machine, reduced the average time to less than a unmarried day.
August	2016	The Open up Source countersign dandy software hashcat added in DES brute force searching on general purpose GPUs. Benchmarking shows a single off the shelf Nvidia GeForce GTX 1080 Ti GPU costing $thousand USD recovers a cardinal in an average of 15 days (full exhaustive search taking 30 days). Systems have been congenital with eight GTX 1080 Ti GPUs which can recover a central in an boilerplate of nether 2 days.[25]
July	2017	A chosen-plaintext attack utilizing a rainbow table tin recover the DES key for a single specific called plaintext 1122334455667788 in 25 seconds. A new rainbow tabular array has to be calculated per plaintext. A limited fix of rainbow tables have been made available for download.[26]

Description [edit]

For brevity, the following description omits the exact transformations and permutations which specify the algorithm. For farther details, see DES supplementary material.

Effigy ane— The overall Feistel structure of DES

DES is the archetypal block cipher—an algorithm that takes a fixed-length cord of plaintext bits and transforms information technology through a series of complicated operations into another ciphertext bitstring of the same length. In the case of DES, the block size is 64 bits. DES besides uses a primal to customize the transformation, so that decryption tin supposedly only be performed by those who know the particular key used to encrypt. The key ostensibly consists of 64 bits; even so, only 56 of these are actually used by the algorithm. Eight bits are used solely for checking parity, and are thereafter discarded. Hence the constructive key length is 56 bits.

The key is nominally stored or transmitted equally 8 bytes, each with odd parity. Co-ordinate to ANSI X3.92-1981 (Now, known every bit ANSI INCITS 92-1981), section three.five:

1 flake in each viii-bit byte of the KEY may be utilized for fault detection in key generation, distribution, and storage. $.25 8, 16,..., 64 are for utilize in ensuring that each byte is of odd parity.

Like other block ciphers, DES by itself is not a secure means of encryption, but must instead exist used in a mode of operation. FIPS-81 specifies several modes for use with DES.^[27] Further comments on the usage of DES are contained in FIPS-74.^[28]

Decryption uses the same structure equally encryption, but with the keys used in reverse lodge. (This has the reward that the same hardware or software can be used in both directions.)

Overall structure [edit]

The algorithm's overall structure is shown in Figure one: there are 16 identical stages of processing, termed rounds. At that place is too an initial and final permutation, termed IP and FP, which are inverses (IP "undoes" the activeness of FP, and vice versa). IP and FP have no cryptographic significance, but were included in order to facilitate loading blocks in and out of mid-1970s viii-fleck based hardware.^[29]

Before the main rounds, the cake is divided into two 32-bit halves and candy alternately; this criss-crossing is known as the Feistel scheme. The Feistel structure ensures that decryption and encryption are very similar processes—the only difference is that the subkeys are applied in the reverse club when decrypting. The residue of the algorithm is identical. This profoundly simplifies implementation, particularly in hardware, as there is no need for carve up encryption and decryption algorithms.

The ⊕ symbol denotes the sectional-OR (XOR) operation. The F-function scrambles half a block together with some of the key. The output from the F-function is and so combined with the other half of the block, and the halves are swapped before the next round. Later on the final circular, the halves are swapped; this is a feature of the Feistel construction which makes encryption and decryption similar processes.

The Feistel (F) function [edit]

The F-role, depicted in Figure 2, operates on half a cake (32 bits) at a time and consists of 4 stages:

Figure 2—The Feistel function (F-function) of DES

1. Expansion: the 32-bit one-half-block is expanded to 48 bits using the expansion permutation, denoted E in the diagram, by duplicating half of the bits. The output consists of eight 6-fleck (8 × 6 = 48 bits) pieces, each containing a copy of 4 respective input bits, plus a copy of the immediately next scrap from each of the input pieces to either side.
2. Key mixing: the result is combined with a subkey using an XOR operation. Sixteen 48-fleck subkeys—one for each circular—are derived from the main key using the key schedule (described below).
3. Substitution: after mixing in the subkey, the block is divided into eight 6-bit pieces before processing past the Southward-boxes, or substitution boxes. Each of the eight S-boxes replaces its half-dozen input bits with four output bits according to a non-linear transformation, provided in the grade of a lookup table. The S-boxes provide the cadre of the security of DES—without them, the cipher would exist linear, and trivially breakable.
4. Permutation: finally, the 32 outputs from the S-boxes are rearranged according to a fixed permutation, the P-box. This is designed so that, later permutation, the bits from the output of each S-box in this round are spread across iv different Due south-boxes in the side by side circular.

The alternation of substitution from the South-boxes, and permutation of $.25 from the P-box and E-expansion provides and so-chosen "confusion and improvidence" respectively, a concept identified by Claude Shannon in the 1940s every bit a necessary status for a secure notwithstanding practical cipher.

Primal schedule [edit]

Figure 3 illustrates the primal schedule for encryption—the algorithm which generates the subkeys. Initially, 56 $.25 of the cardinal are selected from the initial 64 by Permuted Choice 1 (PC-one)—the remaining eight bits are either discarded or used equally parity check bits. The 56 $.25 are then divided into two 28-bit halves; each half is thereafter treated separately. In successive rounds, both halves are rotated left by 1 or two bits (specified for each circular), and so 48 subkey bits are selected past Permuted Choice 2 (PC-ii)—24 bits from the left half, and 24 from the right. The rotations (denoted by "<<<" in the diagram) mean that a dissimilar set of $.25 is used in each subkey; each flake is used in approximately xiv out of the xvi subkeys.

The key schedule for decryption is like—the subkeys are in reverse order compared to encryption. Apart from that change, the procedure is the same as for encryption. The same 28 $.25 are passed to all rotation boxes.

Security and cryptanalysis [edit]

Although more than information has been published on the cryptanalysis of DES than whatever other cake cipher, the most applied set on to appointment is however a creature-force arroyo. Various pocket-size cryptanalytic properties are known, and iii theoretical attacks are possible which, while having a theoretical complexity less than a brute-force attack, crave an unrealistic number of known or chosen plaintexts to bear out, and are not a business organization in do.

Brute-strength assail [edit]

For any cipher, the virtually basic method of set on is animal strength—trying every possible cardinal in plow. The length of the fundamental determines the number of possible keys, and hence the feasibility of this approach. For DES, questions were raised nigh the adequacy of its primal size early on on, fifty-fifty before information technology was adopted every bit a standard, and it was the modest key size, rather than theoretical cryptanalysis, which dictated a need for a replacement algorithm. As a outcome of discussions involving external consultants including the NSA, the central size was reduced from 128 bits to 56 bits to fit on a single chip.^[xxx]

The EFF's US$250,000 DES cracking automobile contained 1,856 custom fries and could brute-force a DES key in a affair of days—the photograph shows a DES Cracker circuit board fitted with several Deep Crevice chips.

In academia, various proposals for a DES-cracking auto were advanced. In 1977, Diffie and Hellman proposed a machine costing an estimated US$twenty million which could find a DES primal in a single day.^{[ane] [31]} By 1993, Wiener had proposed a cardinal-search machine costing Us$one million which would observe a key within 7 hours. However, none of these early proposals were ever implemented—or, at least, no implementations were publicly best-selling. The vulnerability of DES was practically demonstrated in the late 1990s.^[32] In 1997, RSA Security sponsored a serial of contests, offer a $x,000 prize to the beginning squad that broke a message encrypted with DES for the contest. That contest was won by the DESCHALL Project, led by Rocke Verser, Matt Curtin, and Justin Dolske, using idle cycles of thousands of computers across the Internet. The feasibility of cracking DES quickly was demonstrated in 1998 when a custom DES-cracker was built by the Electronic Frontier Foundation (EFF), a cyberspace civil rights group, at the toll of approximately The states$250,000 (run into EFF DES cracker). Their motivation was to show that DES was breakable in do as well as in theory: "There are many people who will not believe a truth until they can see information technology with their own eyes. Showing them a concrete machine that can crack DES in a few days is the only way to convince some people that they really cannot trust their security to DES." The machine creature-forced a central in a niggling more than 2 days' worth of searching.

The next confirmed DES cracker was the COPACOBANA machine built in 2006 by teams of the Universities of Bochum and Kiel, both in Germany. Dissimilar the EFF auto, COPACOBANA consists of commercially available, reconfigurable integrated circuits. 120 of these field-programmable gate arrays (FPGAs) of type XILINX Spartan-iii 1000 run in parallel. They are grouped in twenty DIMM modules, each containing six FPGAs. The utilize of reconfigurable hardware makes the machine applicative to other code breaking tasks as well.^[33] I of the more interesting aspects of COPACOBANA is its cost gene. One automobile can be built for approximately $ten,000.^[34] The price decrease by roughly a factor of 25 over the EFF motorcar is an example of the continuous improvement of digital hardware—see Moore'south law. Adjusting for inflation over 8 years yields an even college improvement of about 30x. Since 2007, SciEngines GmbH, a spin-off company of the two project partners of COPACOBANA has enhanced and developed successors of COPACOBANA. In 2008 their COPACOBANA RIVYERA reduced the fourth dimension to break DES to less than 1 day, using 128 Spartan-3 5000'southward. SciEngines RIVYERA held the record in creature-force breaking DES, having utilized 128 Spartan-3 5000 FPGAs.^[35] Their 256 Spartan-6 LX150 model has further lowered this time.

In 2012, David Hulton and Moxie Marlinspike announced a system with 48 Xilinx Virtex-6 LX240T FPGAs, each FPGA containing 40 fully pipelined DES cores running at 400 MHz, for a full capacity of 768 gigakeys/sec. The system can exhaustively search the entire 56-bit DES cardinal space in about 26 hours and this service is offered for a fee online.^{[36] [37]}

Attacks faster than fauna force [edit]

There are 3 attacks known that can break the total 16 rounds of DES with less complication than a animate being-strength search: differential cryptanalysis (DC),^[38] linear cryptanalysis (LC),^[39] and Davies' assail.^[forty] Still, the attacks are theoretical and are generally considered infeasible to mount in practice;^[41] these types of attack are sometimes termed certificational weaknesses.

• Differential cryptanalysis was rediscovered in the late 1980s by Eli Biham and Adi Shamir; it was known earlier to both IBM and the NSA and kept secret. To break the full 16 rounds, differential cryptanalysis requires ii⁴⁷ chosen plaintexts.^[38] DES was designed to be resistant to DC.
• Linear cryptanalysis was discovered by Mitsuru Matsui, and needs 2⁴³ known plaintexts (Matsui, 1993);^[39] the method was implemented (Matsui, 1994), and was the first experimental cryptanalysis of DES to be reported. There is no evidence that DES was tailored to be resistant to this type of set on. A generalization of LC—multiple linear cryptanalysis—was suggested in 1994 (Kaliski and Robshaw), and was further refined by Biryukov and others. (2004); their analysis suggests that multiple linear approximations could be used to reduce the data requirements of the set on past at least a factor of 4 (that is, two⁴¹ instead of two⁴³).^[42] A similar reduction in data complication can exist obtained in a chosen-plaintext variant of linear cryptanalysis (Knudsen and Mathiassen, 2000).^[43] Junod (2001) performed several experiments to determine the actual fourth dimension complexity of linear cryptanalysis, and reported that it was somewhat faster than predicted, requiring time equivalent to two³⁹–2⁴¹ DES evaluations.^[44]
• Improved Davies' attack: while linear and differential cryptanalysis are general techniques and tin can be practical to a number of schemes, Davies' set on is a specialized technique for DES, first suggested by Donald Davies in the eighties,^[40] and improved by Biham and Biryukov (1997).^[45] The most powerful form of the set on requires 2⁵⁰ known plaintexts, has a computational complexity of 2⁵⁰, and has a 51% success rate.

In that location take besides been attacks proposed against reduced-circular versions of the cipher, that is, versions of DES with fewer than 16 rounds. Such analysis gives an insight into how many rounds are needed for safety, and how much of a "security margin" the full version retains.

Differential-linear cryptanalysis was proposed past Langford and Hellman in 1994, and combines differential and linear cryptanalysis into a unmarried attack.^[46] An enhanced version of the attack can break 9-round DES with 2^fifteen.8 chosen plaintexts and has a 2^29.ii time complexity (Biham and others, 2002).^[47]

Minor cryptanalytic backdrop [edit]

DES exhibits the complementation holding, namely that

${\displaystyle E_{1000}(P)=C\iff E_{\overline {K}}({\overline {P}})={\overline {C}}}$

where ${\displaystyle {\overline {10}}}$ is the bitwise complement of ${\displaystyle ten.}$ ${\displaystyle E_{K}}$ denotes encryption with cardinal ${\displaystyle K.}$ ${\displaystyle P}$ and ${\displaystyle C}$ denote plaintext and ciphertext blocks respectively. The complementation belongings means that the piece of work for a brute-forcefulness attack could exist reduced past a gene of 2 (or a single bit) under a called-plaintext assumption. By definition, this property as well applies to TDES cipher.^[48]

DES as well has four so-chosen weak keys. Encryption (E) and decryption (D) under a weak key have the same effect (run into involution):

${\displaystyle E_{K}(E_{Grand}(P))=P}$ or equivalently, ${\displaystyle E_{K}=D_{K}.}$

In that location are also six pairs of semi-weak keys. Encryption with one of the pair of semiweak keys, ${\displaystyle K_{ane}}$ , operates identically to decryption with the other, ${\displaystyle K_{2}}$ :

${\displaystyle E_{K_{i}}(E_{K_{ii}}(P))=P}$ or equivalently, ${\displaystyle E_{K_{two}}=D_{K_{ane}}.}$

It is easy enough to avert the weak and semiweak keys in an implementation, either by testing for them explicitly, or simply by choosing keys randomly; the odds of picking a weak or semiweak key by chance are negligible. The keys are not really any weaker than whatever other keys anyway, every bit they exercise not give an attack any reward.

DES has also been proved not to be a group, or more than precisely, the set ${\displaystyle \{E_{K}\}}$ (for all possible keys ${\displaystyle Yard}$ ) under functional composition is non a grouping, nor "close" to beingness a grouping.^[49] This was an open up question for some time, and if information technology had been the case, information technology would take been possible to break DES, and multiple encryption modes such as Triple DES would not increase the security, because repeated encryption (and decryptions) under different keys would be equivalent to encryption under another, single key.^[50]

Simplified DES [edit]

Simplified DES (SDES) was designed for educational purposes only, to assistance students larn nearly modern cryptanalytic techniques. SDES has similar structure and properties to DES, merely has been simplified to brand information technology much easier to perform encryption and decryption by paw with pencil and paper. Some people feel that learning SDES gives insight into DES and other cake ciphers, and insight into diverse cryptanalytic attacks against them.^{[51] [52] [53] [54] [55] [56] [57] [58] [59]}

Replacement algorithms [edit]

Concerns nigh security and the relatively slow operation of DES in software motivated researchers to suggest a multifariousness of culling block nothing designs, which started to appear in the belatedly 1980s and early on 1990s: examples include RC5, Blowfish, IDEA, NewDES, SAFER, CAST5 and FEAL. Most of these designs kept the 64-bit block size of DES, and could act equally a "drop-in" replacement, although they typically used a 64-fleck or 128-bit central. In the Soviet Union the GOST 28147-89 algorithm was introduced, with a 64-chip block size and a 256-bit primal, which was too used in Russia later.

DES itself tin be adjusted and reused in a more than secure scheme. Many former DES users now use Triple DES (TDES) which was described and analysed by ane of DES'south patentees (see FIPS Pub 46-three); it involves applying DES three times with two (2TDES) or three (3TDES) unlike keys. TDES is regarded as fairly secure, although information technology is quite dull. A less computationally expensive alternative is DES-X, which increases the cardinal size past XORing extra key fabric before and afterward DES. GDES was a DES variant proposed as a fashion to speed up encryption, only it was shown to be susceptible to differential cryptanalysis.

On Jan 2, 1997, NIST appear that they wished to cull a successor to DES.^[60] In 2001, afterward an international competition, NIST selected a new zippo, the Avant-garde Encryption Standard (AES), as a replacement.^[61] The algorithm which was selected equally the AES was submitted past its designers under the proper noun Rijndael. Other finalists in the NIST AES competition included RC6, Serpent, MARS, and Twofish.

Come across too [edit]

• Animal Strength: Cracking the Data Encryption Standard
• DES supplementary material
• Skipjack (cipher)
• Triple DES

Notes [edit]

1. ^ ^{a b c d} Diffie, Whitfield; Hellman, Martin E. (June 1977). "Exhaustive Cryptanalysis of the NBS Data Encryption Standard" (PDF). Figurer. 10 (six): 74–84. doi:x.1109/C-M.1977.217750. S2CID 2412454. Archived from the original (PDF) on 2014-02-26.
2. ^ ^{a b} "The Legacy of DES - Schneier on Security". world wide web.schneier.com. October half dozen, 2004.
3. ^ ^{a b} Bátiz-Lazo, Bernardo (2018). Cash and Dash: How ATMs and Computers Changed Banking. Oxford University Printing. pp. 284 & 311. ISBN9780191085574.
4. ^ Walter Tuchman (1997). "A brief history of the data encryption standard". Cyberspace besieged: countering cyberspace scofflaws. ACM Press/Addison-Wesley Publishing Co. New York, NY, Usa. pp. 275–280.
5. ^ "The Economical Impacts of NIST's Information Encryption Standard (DES) Programme" (PDF). National Institute of Standards and Technology. United States Department of Commerce. October 2001. Archived from the original (PDF) on thirty August 2017. Retrieved 21 Baronial 2019.
6. ^ Konheim, Alan Grand. (1 April 2016). "Automated teller machines: their history and authentication protocols". Journal of Cryptographic Engineering. vi (1): 1–29. doi:x.1007/s13389-015-0104-3. ISSN 2190-8516. S2CID 1706990. Archived from the original on 22 July 2019. Retrieved 28 Baronial 2019.
7. ^ RSA Laboratories. "Has DES been broken?". Archived from the original on 2016-05-17. Retrieved 2009-11-08 .
8. ^ Schneier. Applied Cryptography (second ed.). p. 280.
9. ^ Davies, D.W.; West.50. Toll (1989). Security for computer networks, 2nd ed. John Wiley & Sons.
10. ^ Robert Sugarman, ed. (July 1979). "On foiling figurer criminal offense". IEEE Spectrum.
11. ^ P. Kinnucan (Oct 1978). "Data Encryption Gurus: Tuchman and Meyer". Cryptologia. ii (4): 371. doi:10.1080/0161-117891853270.
12. ^ Thomas R. Johnson (2009-12-eighteen). "American Cryptology during the Cold War, 1945-1989.Book III: Retrenchment and Reform, 1972-1980, page 232" (PDF). National Security Agency, DOCID 3417193 (file released on 2009-12-xviii, hosted at nsa.gov). Archived from the original (PDF) on 2013-09-xviii. Retrieved 2014-07-10 .
13. ^ Thomas R. Johnson (2009-12-18). "American Cryptology during the Cold War, 1945-1989.Book III: Retrenchment and Reform, 1972-1980, page 232" (PDF). National Security Agency. Retrieved 2015-07-16 – via National Security Annal FOIA asking. This version is differently redacted than the version on the NSA website.
14. ^ Thomas R. Johnson (2009-12-18). "American Cryptology during the Cold War, 1945-1989.Book III: Retrenchment and Reform, 1972-1980, page 232" (PDF). National Security Agency. Retrieved 2015-07-sixteen – via National Security Archive FOIA asking. This version is differently redacted than the version on the NSA website.
15. ^ Konheim. Figurer Security and Cryptography. p. 301.
16. ^ ^{a b} Levy, Crypto, p. 55
17. ^ Schneier, Bruce (2004-09-27). "Saluting the data encryption legacy". CNet . Retrieved 2015-07-22 .
18. ^ ^{a b} National Institute of Standards and Engineering, NIST Special Publication 800-67 Recommendation for the Triple Data Encryption Algorithm (TDEA) Cake Cipher, Version 1.ane
19. ^ American National Standards Plant, ANSI X3.92-1981 (now known as ANSI INCITS 92-1981)American National Standard, Information Encryption Algorithm
20. ^ "ISO/IEC 18033-3:2010 It—Security techniques—Encryption algorithms—Part 3: Block ciphers". Iso.org. 2010-12-14. Retrieved 2011-x-21 .
21. ^ Bruce Schneier, Applied Cryptography, Protocols, Algorithms, and Source Code in C, Second edition, John Wiley and Sons, New York (1996) p. 267
22. ^ William East. Burr, "Data Encryption Standard", in NIST'south anthology "A Century of Excellence in Measurements, Standards, and Technology: A Chronicle of Selected NBS/NIST Publications, 1901–2000. HTML Archived 2009-06-xix at the Wayback Car PDF Archived 2006-08-23 at the Wayback Machine
23. ^ "FR Doc 04-16894". Edocket.access.gpo.gov. Retrieved 2009-06-02 .
24. ^ S. Kumar, C. Paar, J. Pelzl, 1000. Pfeiffer, A. Rupp, M. Schimmler, "How to Break DES for Euro 8,980". 2nd Workshop on Special-purpose Hardware for Attacking Cryptographic Systems—SHARCS 2006, Cologne, Deutschland, April 3–4, 2006.
25. ^ "8x1080Ti.physician".
26. ^ "Crack.sh | the World'southward Fastest DES Cracker".
27. ^ "FIPS 81 - Des Modes of Functioning". csrc.nist.gov. Retrieved 2009-06-02 .
28. ^ "FIPS 74 - Guidelines for Implementing and Using the NBS Data". Itl.nist.gov. Archived from the original on 2014-01-03. Retrieved 2009-06-02 .
29. ^ Schneier. Practical Cryptography (1st ed.). p. 271.
30. ^ Stallings, W. Cryptography and network security: principles and practice. Prentice Hall, 2006. p. 73
31. ^ "Bruting DES".
32. ^ van Oorschot, Paul C.; Wiener, Michael J. (1991), Damgård, Ivan Bjerre (ed.), "A Known-Plaintext Attack on Two-Central Triple Encryption", Advances in Cryptology — EUROCRYPT '90, Berlin, Heidelberg: Springer Berlin Heidelberg, vol. 473, pp. 318–325, doi:ten.1007/iii-540-46877-3_29, ISBN978-3-540-53587-iv
33. ^ "Getting Started, COPACOBANA — Cost-optimized Parallel Code-Breaker" (PDF). Dec 12, 2006. Retrieved March half dozen, 2012.
34. ^ Reinhard Wobst (Oct sixteen, 2007). Cryptology Unlocked. John Wiley & Sons. ISBN9780470060643.
35. ^ Suspension DES in less than a unmarried twenty-four hour period Archived 2017-08-28 at the Wayback Machine [Press release of Firm, demonstrated on 2009 Workshop]
36. ^ "The World'due south fastest DES cracker".
37. ^ Recollect Complex Passwords Will Save You?, David Hulton, Ian Foster, BSidesLV 2017
38. ^ ^{a b} Biham, E. & Shamir, A (1993). Differential cryptanalysis of the data encryption standard. Shamir, Adi. New York: Springer-Verlag. pp. 487–496. doi:x.1007/978-one-4613-9314-vi. ISBN978-0387979304. OCLC 27173465. S2CID 6361693. {{cite book}}: CS1 maint: multiple names: authors list (link)
39. ^ ^{a b} Matsui, Mitsuru (1993-05-23). "Linear Cryptanalysis Method for DES Cipher". Advances in Cryptology — EUROCRYPT '93. Lecture Notes in Calculator Science. Springer, Berlin, Heidelberg. 765: 386–397. doi:10.1007/3-540-48285-7_33. ISBN978-3540482857.
40. ^ ^{a b} Davies, D. W. (1987). "Investigation of a potential weakness in the DES algorithm, Individual communications". Private Communications.
41. ^ Alanazi, Hamdan O.; et al. (2010). "New Comparative Study Between DES, 3DES and AES within Nine Factors". Periodical of Calculating. ii (3). arXiv:1003.4085. Bibcode:2010arXiv1003.4085A.
42. ^ Biryukov, Alex; Cannière, Christophe De; Quisquater, Michaël (2004-08-fifteen). On Multiple Linear Approximations. Advances in Cryptology – CRYPTO 2004. Lecture Notes in Computer Science. Springer, Berlin, Heidelberg. pp. ane–22. doi:10.1007/978-3-540-28628-8_1. ISBN9783540226680.
43. ^ Knudsen, Lars R.; Mathiassen, John Erik (2000-04-10). A Chosen-Plaintext Linear Attack on DES. Fast Software Encryption. Lecture Notes in Estimator Science. Springer, Berlin, Heidelberg. pp. 262–272. doi:10.1007/3-540-44706-7_18. ISBN978-3540447061.
44. ^ Junod, Pascal (2001-08-16). On the Complexity of Matsui's Attack. Selected Areas in Cryptography. Lecture Notes in Reckoner Scientific discipline. Vol. 2259. Springer, Berlin, Heidelberg. pp. 199–211. doi:10.1007/3-540-45537-X_16. ISBN978-3540455370.
45. ^ Biham, Eli; Biryukov, Alex (1997-06-01). "An improvement of Davies' attack on DES". Journal of Cryptology. 10 (3): 195–205. doi:x.1007/s001459900027. ISSN 0933-2790. S2CID 4070446.
46. ^ Langford, Susan M.; Hellman, Martin East. (1994-08-21). Differential-Linear Cryptanalysis. Advances in Cryptology — CRYPTO '94. Lecture Notes in Reckoner Science. Springer, Berlin, Heidelberg. pp. 17–25. doi:10.1007/3-540-48658-5_3. ISBN978-3540486589.
47. ^ Biham, Eli; Dunkelman, Orr; Keller, Nathan (2002-12-01). Enhancing Differential-Linear Cryptanalysis. Advances in Cryptology — ASIACRYPT 2002. Lecture Notes in Computer Scientific discipline. Springer, Berlin, Heidelberg. pp. 254–266. doi:10.1007/three-540-36178-2_16. ISBN978-3540361787.
48. ^ Menezes, Alfred J.; van Oorschot, Paul C.; Vanstone, Scott A. (1996). Handbook of Applied Cryptography . CRC Press. p. 257. ISBN978-0849385230.
49. ^ "Campbell and Wiener, 1992".
50. ^ "Double DES" (PDF).
51. ^ Sanjay Kumar; Sandeep Srivastava. "Image Encryption using Simplified Data Encryption Standard (Southward-DES)" Archived 2015-12-22 at the Wayback Automobile. 2014.
52. ^ Alasdair McAndrew. "Introduction to Cryptography with Open up-Source Software". 2012. Section "eight.8 Simplified DES: sDES". p. 183 to 190.
53. ^ William Stallings. "Appendix K: Simplified DES". 2010.
54. ^ Nalini Northward; Thousand Raghavendra Rao. "Cryptanalysis of Simplified Information Encryption Standard via Optimisation Heuristics". 2006.
55. ^ Minh Van Nguyen. "Simplified DES". 2009.
56. ^ Dr. Manoj Kumar. "Cryptography and Network Security". Section 3.4: The Simplified Version of DES (Due south-DES). p. 96.
57. ^ Edward F. Schaefer. "A Simplified Data Encryption Standard Algorithm". doi:ten.1080/0161-119691884799 1996.
58. ^ Lavkush Sharma; Bhupendra Kumar Pathak; and Nidhi Sharma. "Breaking of Simplified Information Encryption Standard Using Binary Particle Swarm Optimization". 2012.
59. ^ "Cryptography Research: Devising a Better Mode to Teach and Learn the Advanced Encryption Standard".
60. ^ "Announcing Development of FIPS for Advanced Encryption Standard | CSRC". 10 January 2017.
61. ^ http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf Nov 26, 2001.

References [edit]

• Biham, Eli and Shamir, Adi (1991). "Differential Cryptanalysis of DES-like Cryptosystems". Journal of Cryptology. 4 (1): 3–72. doi:10.1007/BF00630563. S2CID 206783462. {{cite journal}}: CS1 maint: multiple names: authors list (link) (preprint)
• Biham, Eli and Shamir, Adi, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. ISBN 0-387-97930-i, ISBN iii-540-97930-1.
• Biham, Eli and Alex Biryukov: An Improvement of Davies' Attack on DES. J. Cryptology 10(3): 195–206 (1997)
• Biham, Eli, Orr Dunkelman, Nathan Keller: Enhancing Differential-Linear Cryptanalysis. ASIACRYPT 2002: pp254–266
• Biham, Eli: A Fast New DES Implementation in Software
• Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Scrap Design, Electronic Frontier Foundation
• Biryukov, A, C. De Canniere and Chiliad. Quisquater (2004). Franklin, Matt (ed.). On Multiple Linear Approximations. Lecture Notes in Figurer Scientific discipline. Vol. 3152. pp. 1–22. doi:10.1007/b99099. ISBN978-3-540-22668-0. S2CID 27790868. {{cite book}}: CS1 maint: multiple names: authors list (link) (preprint).
• Campbell, Keith W., Michael J. Wiener: DES is not a Group. CRYPTO 1992: pp512–520
• Coppersmith, Don. (1994). The data encryption standard (DES) and its strength confronting attacks at the Wayback Car (archived June fifteen, 2007). IBM Journal of Research and Development, 38(3), 243–250.
• Diffie, Whitfield and Martin Hellman, "Exhaustive Cryptanalysis of the NBS Information Encryption Standard" IEEE Calculator x(6), June 1977, pp74–84
• Ehrsam and others., Product Cake Aught Organization for Data Security, U.South. Patent 3,962,539, Filed February 24, 1975
• Gilmore, John, "Cracking DES: Secrets of Encryption Inquiry, Wiretap Politics and Chip Design", 1998, O'Reilly, ISBN 1-56592-520-three.
• Junod, Pascal. "On the Complexity of Matsui'southward Assail." Selected Areas in Cryptography, 2001, pp199–211.
• Kaliski, Burton S., Matt Robshaw: Linear Cryptanalysis Using Multiple Approximations. CRYPTO 1994: pp26–39
• Knudsen, Lars, John Erik Mathiassen: A Called-Plaintext Linear Assail on DES. Fast Software Encryption - FSE 2000: pp262–272
• Langford, Susan K., Martin Eastward. Hellman: Differential-Linear Cryptanalysis. CRYPTO 1994: 17–25
• Levy, Steven, Crypto: How the Code Rebels Beat the Government—Saving Privacy in the Digital Historic period, 2001, ISBN 0-xiv-024432-8.
• Matsui, Mitsuru (1994). Helleseth, Tor (ed.). Linear Cryptanalysis Method for DES Cipher. Lecture Notes in Information science. Vol. 765. pp. 386–397. CiteSeerXten.1.ane.50.8472. doi:x.1007/3-540-48285-7. ISBN978-3-540-57600-half-dozen. S2CID 21157010.
• Matsui, Mitsuru (1994). "The Start Experimental Cryptanalysis of the Data Encryption Standard". Advances in Cryptology — CRYPTO '94. Lecture Notes in Computer Science. Vol. 839. pp. i–11. doi:10.1007/3-540-48658-5_1. ISBN978-3-540-58333-ii.
• National Bureau of Standards, Data Encryption Standard, FIPS-Pub.46. National Bureau of Standards, U.Southward. Department of Commerce, Washington D.C., January 1977.
• Christof Paar, Jan Pelzl, "The Data Encryption Standard (DES) and Alternatives", complimentary online lectures on Chapter 3 of "Understanding Cryptography, A Textbook for Students and Practitioners". Springer, 2009.

External links [edit]

• FIPS 46-3: The official certificate describing the DES standard (PDF)
• COPACOBANA, a $10,000 DES cracker based on FPGAs by the Universities of Bochum and Kiel
• DES step-by-stride presentation and reliable bulletin encoding application
• A Fast New DES Implementation in Software - Biham
• On Multiple Linear Approximations
• RFC4772 : Security Implications of Using the Data Encryption Standard (DES)

allenoaccurescry.blogspot.com

Source: https://en.wikipedia.org/wiki/Data_Encryption_Standard

Share this post