> DES — DATA ENCRYPTION STANDARD
The idea in plain English: DES splits a 64-bit block of data into two halves (left and right, 32 bits each). It runs the data through 16 rounds where each round takes the right half, runs it through a complex mangler function (which mixes in a portion of the secret key), then XORs the result with the left half. The two halves are then swapped before the next round. This Feistel network structure means encryption and decryption use the same algorithm — just feed the subkeys in reverse order.
Why this really exists: DES was the US government's official encryption standard from 1977 to 2001. It was developed at IBM (based on an earlier cipher called Lucifer) and adopted by the National Bureau of Standards (now NIST). Every ATM transaction, every bank wire, and countless government secrets were protected by DES. In 1998, the EFF's Deep Crack machine broke DES in 56 hours by brute-forcing all 2^56 keys — proving 56-bit keys were no longer enough. DES was officially replaced by AES in 2001, but its 3-key variant (Triple DES / 3DES) is still in use in legacy banking systems.
▸ The Feistel Network Structure
Every DES round follows the same pattern. For round i with subkey K_i:
R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
where ⊕ is XOR, and F is the mangler function:
1. Expansion: 32-bit R → 48 bits (via E-box)
2. XOR with 48-bit round subkey
3. Split into 8 chunks of 6 bits each
4. Each 6-bit chunk → S-box lookup → 4 bits
5. Concatenate 8×4 = 32 bits
6. Permutation P-box shuffles the 32 bits
💡 The Feistel structure is brilliant because decryption is identical to encryption — you just reverse the subkey order. The F function does not need to be invertible. This is why AES (non-Feistel) has a separate decryption algorithm.
▸ Simplified 8-Bit Version (Teaching Toy)
Full DES is complex, but a reduced 8-bit version captures the essence. Instead of a 64-bit block and 48-bit subkeys, we use 8-bit blocks and 10-bit keys:
10-bit key K: 1010110011
Round subkeys: K1, K2 (each 8 bits, derived via shifts + P10)
Round 1:
R0 (4 bits) → expand to 8 bits (E/P)
XOR with K1 → split into two 4-bit halves
S0: first 4 bits → 2x4 S-box lookup → 2 bits
S1: second 4 bits → 2x4 S-box lookup → 2 bits
Concatenate → 4 bits → XOR with L0
Swap: L1 = R0, R1 = result
Round 2: same process with K2
Final output: [R2 | L2] (note: no final swap)
The simplified S-DES (by Edward Schaefer) uses this exact structure with 2 rounds, 2 S-boxes, and an 8-bit block. It's a common exercise in undergraduate cryptography courses.
▸ S-Boxes — The Heart of DES Security
DES has eight S-boxes (Substitution boxes), each a 4×16 table mapping 6-bit inputs to 4-bit outputs. S-boxes are the only non-linear element in DES — without them, the entire cipher would be solvable with linear algebra. The S-box design was kept classified by the NSA (sparking conspiracy theories), but was later proven to be resistant to differential cryptanalysis, suggesting IBM/NSA knew about that attack 20 years before it was publicly discovered.
Col: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Row 0: 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
Row 1: 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
Row 2: 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
Row 3: 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
Input 101011 → row = bits[0,5] = 11 (binary) = row 3, col = bits[1-4] = 0101 = 5
→ lookup S1(3,5) = 9 = 1001
💡 Each S-box is carefully designed so that changing one input bit changes at least two output bits (avalanche effect). The S-box tables were later published in FIPS PUB 46 and are now public.
▸ Worked Example — One Round of DES
Let's trace round 1 of DES using simplified 32-bit halves (actual DES uses 64-bit blocks, but the structure is identical). Say after the initial IP permutation we have:
R0 = 0x9ABCDEF0
K1 = first round subkey (48 bits, derived from the 56-bit key via PC-1, shifts, PC-2)
Step 1 — Expansion (E-box):
R0 (32 bits) → E(R0) = 48 bits
(The E-box duplicates bits 1,4,5,8,9,12,13,16,17,20,21,24,25,28,29,32)
Step 2 — XOR with subkey:
X = E(R0) ⊕ K1 (48 bits)
Step 3 — S-box substitution:
Split X into 8 chunks of 6 bits each
Chunk 1 → S1 → 4 bits
Chunk 2 → S2 → 4 bits
...
Chunk 8 → S8 → 4 bits
Concatenate → 32 bits
Step 4 — P-box permutation:
F(R0, K1) = P(S-box output)
Step 5 — XOR with L0:
L1 = R0 (swap — old R becomes new L)
R1 = L0 ⊕ F(R0, K1)
Result after round 1: [L1 | R1]
The process repeats for 16 rounds. After round 16, the left and right halves are concatenated (without a final swap) and passed through the inverse IP permutation to produce the 64-bit ciphertext block.
▸ How Many Rounds? Security vs Speed
| Rounds | Security Level | Notes |
|---|---|---|
| 2 | ❌ Trivially breakable | Linear cryptanalysis recovers key in seconds |
| 4 | ❌ Very weak | Differential cryptanalysis succeeds easily |
| 8 | ⚠️ Marginally secure | 2^32 known plaintexts needed for attack |
| 12 | 🟡 Moderate | Approaching practical security for 1980s threats |
| 16 | ✅ Full DES security | Designed to be optimal — more rounds wouldn't help |
| 24+ | 🟢 Over-engineered | Used in 3DES (3×16 rounds = 48 rounds total) |
💡 DES uses exactly 16 rounds. This was chosen because differential cryptanalysis of DES requires 2^47 chosen plaintexts at 16 rounds — vs 2^29 at 12 rounds and 2^12 at 6 rounds. The 16-round design was the sweet spot for security vs performance in 1977 hardware.
▸ History — From IBM to Deep Crack
1972: US National Bureau of Standards (NBS) calls for a government encryption standard
1974: IBM submits a modified version of their Lucifer cipher (developed by Horst Feistel)
1975: NSA reviews the design, suggests changes — key reduced from 128 to 56 bits (controversial!), S-boxes modified
1977: DES officially adopted as FIPS PUB 46 — becomes the global standard for 24 years
1990: Differential cryptanalysis discovered publicly by Biham & Shamir — DES S-boxes are actually optimal against it (meaning NSA knew in 1975!)
1993: Linear cryptanalysis published by Matsui — first theoretical attack faster than brute force
1997: DESCHALL project cracks a DES message in 96 days via distributed computing
1998: EFF Deep Crack — a $250,000 custom machine cracks DES in 56 hours
1999: Deep Crack + distributed.net cracks DES in 22 hours 15 minutes
2001: AES replaces DES as the US government standard
The Deep Crack machine is now in the Computer History Museum in Mountain View, CA. It contained 1,856 custom ASIC chips running at 40 MHz and tested 90 billion keys per second.
▸ Real-World Applications
- Banking (ATM/EMV): PIN blocks are still encrypted with Triple DES (3DES) in most ATM networks worldwide. ISO 9564-1 mandates 3DES for PIN encryption
- EMV chip cards: Credit/debit card chip authentication uses 3DES for dynamic data authentication in many regions
- Financial messaging: SWIFT and other interbank messaging systems use 3DES for message authentication
- Windows NT LAN Manager: NTLM authentication in legacy Windows used DES (now deprecated)
- POS terminals: Millions of point-of-sale terminals still running 3DES in hardware
- Historical: Every US government classified document from 1977–2001 was potentially DES-protected