Data Encryption Standard

Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of cryptography.

Developed in the early 1970s at IBM and based on an earlier design by Horst Feistel, the algorithm was submitted to the National Bureau of Standards (NBS) following the agency's invitation to propose a candidate for the protection of sensitive, unclassified electronic government data.

In 1976, after consultation with the National Security Agency (NSA), the NBS selected a slightly modified version (strengthened against differential cryptanalysis, but weakened against brute-force attacks), which was published as an official Federal Information Processing Standard (FIPS) for the United States in 1977.

[2][failed verification] The intense academic scrutiny the algorithm received over time led to the modern understanding of block ciphers and their cryptanalysis.

In January 1999, distributed.net and the Electronic Frontier Foundation collaborated to publicly break a DES key in 22 hours and 15 minutes (see § Chronology).

Banks and credit card companies were fearful that Atalla would dominate the market, which spurred the development of an international encryption standard.

The team at IBM involved in cipher design and analysis included Feistel, Walter Tuchman, Don Coppersmith, Alan Konheim, Carl Meyer, Mike Matyas, Roy Adler, Edna Grossman, Bill Notz, Lynn Smith, and Bryant Tuckerman.

There was criticism received from public-key cryptography pioneers Martin Hellman and Whitfield Diffie,[1] citing a shortened key length and the mysterious "S-boxes" as evidence of improper interference from the NSA.

"[8] The United States Senate Select Committee on Intelligence reviewed the NSA's actions to determine whether there had been any improper involvement.

In the unclassified summary of their findings, published in 1978, the Committee wrote: In the development of DES, NSA convinced IBM that a reduced key size was sufficient; indirectly assisted in the development of the S-box structures; and certified that the final DES algorithm was, to the best of their knowledge, free from any statistical or mathematical weakness.

IBM invented and designed the algorithm, made all pertinent decisions regarding it, and concurred that the agreed upon key size was more than adequate for all commercial applications for which the DES was intended.

"[11] In contrast, a declassified NSA book on cryptologic history states: In 1973 NBS solicited private industry for a data encryption standard (DES).

Then Howard Rosenblum, deputy director for research and engineering, discovered that Walter Tuchman of IBM was working on a modification to Lucifer for general use.

[13][14]Some of the suspicions about hidden weaknesses in the S-boxes were allayed in 1990, with the independent discovery and open publication by Eli Biham and Adi Shamir of differential cryptanalysis, a general method for breaking block ciphers.

[15] According to Steven Levy, IBM Watson researchers discovered differential cryptanalytic attacks in 1974 and were asked by the NSA to keep the technique secret.

[16] Coppersmith explains IBM's secrecy decision by saying, "that was because [differential cryptanalysis] can be a very powerful tool, used against many schemes, and there was concern that such information in the public domain could adversely affect national security."

Levy quotes Walter Tuchman: "[t]hey asked us to stamp all our documents confidential... We actually put a number on each one and locked them up in safes, because they were considered U.S. government classified.

"[17] Despite the criticisms, DES was approved as a federal standard in November 1976, and published on 15 January 1977 as FIPS PUB 46, authorized for use on all unclassified data.

On 19 May 2005, FIPS 46-3 was officially withdrawn, but NIST has approved Triple DES through the year 2030 for sensitive government information.

Bits 8, 16,..., 64 are for use in ensuring that each byte is of odd parity.Like other block ciphers, DES by itself is not a secure means of encryption, but must instead be used in a mode of operation.

After the final round, the halves are swapped; this is a feature of the Feistel structure which makes encryption and decryption similar processes.

The F-function, depicted in Figure 2, operates on half a block (32 bits) at a time and consists of four stages: The alternation of substitution from the S-boxes, and permutation of bits from the P-box and E-expansion provides so-called "confusion and diffusion" respectively, a concept identified by Claude Shannon in the 1940s as a necessary condition for a secure yet practical cipher.

In 1977, Diffie and Hellman proposed a machine costing an estimated US$20 million which could find a DES key in a single day.

That contest was won by the DESCHALL Project, led by Rocke Verser, Matt Curtin, and Justin Dolske, using idle cycles of thousands of computers across the Internet.

[34] The cost decrease by roughly a factor of 25 over the EFF machine is an example of the continuous improvement of digital hardware—see Moore's law.

In 2012, David Hulton and Moxie Marlinspike announced a system with 48 Xilinx Virtex-6 LX240T FPGAs, each FPGA containing 40 fully pipelined DES cores running at 400 MHz, for a total capacity of 768 gigakeys/sec.

The system can exhaustively search the entire 56-bit DES key space in about 26 hours and this service is offered for a fee online.

The complementation property means that the work for a brute-force attack could be reduced by a factor of 2 (or a single bit) under a chosen-plaintext assumption.

SDES has similar structure and properties to DES, but has been simplified to make it much easier to perform encryption and decryption by hand with pencil and paper.

[51][52][53][54][55][56][57][58][59] Concerns about security and the relatively slow operation of DES in software motivated researchers to propose a variety of alternative block cipher designs, which started to appear in the late 1980s and early 1990s: examples include RC5, Blowfish, IDEA, NewDES, SAFER, CAST5 and FEAL.

Initial permutation Feistel function Feistel function Feistel function Feistel function Final permutation XOR XOR XOR XOR
Figure 1 — The overall Feistel structure of DES
Expansion function Substitution box 1 Substitution box 2 Substitution box 3 Substitution box 4 Substitution box 5 Substitution box 6 Substitution box 7 Substitution box 8 Permutation XOR
Figure 2 —The Feistel function (F-function) of DES
Permuted choice 1 Permuted choice 2 Permuted choice 2 Permuted choice 2 Permuted choice 2 Left shift by 1 Left shift by 1 Left shift by 1 Left shift by 1 Left shift by 2 Left shift by 2 Left shift by 1 Left shift by 1
Figure 3 — The key-schedule of DES
The EFF 's US$250,000 DES cracking machine contained 1,856 custom chips and could brute-force a DES key in a matter of days—the photo shows a DES Cracker circuit board fitted with several Deep Crack chips.