Des As
Des As
Des As
The Data Encryption Standard (DES) shall consist of the following Data Encryption Algorithm to be implemented in special purpose electronic devices. These devices shall be designed in such a way that they may be used in a computer system or network to provide cryptographic protection to binary coded data. The method of implementation will depend on the application and environment. The devices shall be implemented in such a way that they may be tested and validated as accurately performing the transformations specified in the following algorithm. DATA ENCRYPTION ALGORITHM Introduction The algorithm is designed to encipher and decipher blocks of data consisting of 64 bits under control of a 64-bit key.** Deciphering must be accomplished by using the same key as for enciphering, but with the schedule of addressing the key bits altered so that the deciphering process is the reverse of the enciphering process. A block to be enciphered is subjected to an initial permutation IP, then to a complex key-dependent computation and finally to a permutation which is the inverse of the initial permutation IP . The key-dependent computation can be simply defined in terms of a function f, called the cipher function, and a function KS, called the key schedule. A description of the computation is given first, along with details as to how the algorithm is used for encipherment. Next, the use of the algorithm for decipherment is described. Finally, a definition of the cipher function f is given in terms of primitive functions which are called the selection functions S and the permutation function P. S , Pand KS of the algorithm are contained in the Appendix.
-1 i i
The following notation is convenient: Given two blocks L and R of bits, LR denotes the block consisting of the bits of L followed by the bits of R. Since concatenation is associative, B B ...B , for example, denotes the block consisting of the bits of B followed by the bits of B ...followed by the bits of B .
1 2 8 1 2 8
** Blocks are composed of bits numbered from left to right, i.e., the left most bit of a block is bit one.
Figure 1. Enciphering computation. Enciphering A sketch of the enciphering computation is given in Figure 1. The 64 bits of the input block to be enciphered are first subjected to the following permutation, called the initial permutation IP:
IP 58 60 62 64 57 59 61 63 50 52 54 56 49 51 53 55 42 44 46 48 41 43 45 47 34 36 38 40 33 35 37 39 26 28 30 32 25 27 29 31 18 20 22 24 17 19 21 23 10 12 14 16 9 11 13 15 2 4 6 8 1 3 5 7
That is the permuted input has bit 58 of the input as its first bit, bit 50 as its second bit, and so on with bit 7 as its last bit. The permuted input block is then the input to a
complex key-dependent computation described below. The output of that computation, called the preoutput, is then subjected to the following permutation which is the inverse of the initial permutation:
IP-1 40 39 38 37 36 35 34 33 8 7 6 5 4 3 2 1 48 47 46 45 44 43 42 41 16 15 14 13 12 11 10 9 56 55 54 53 52 51 50 49 24 23 22 21 20 19 18 17 64 63 62 61 60 59 58 57 32 31 30 29 28 27 26 25
That is, the output of the algorithm has bit 40 of the preoutput block as its first bit, bit 8 as its second bit, and so on, until bit 25 of the preoutput block is the last bit of the output. The computation which uses the permuted input block as its input to produce the preoutput block consists, but for a final interchange of blocks, of 16 iterations of a calculation that is described below in terms of the cipher function f which operates on two blocks, one of 32 bits and one of 48 bits, and produces a block of 32 bits. Let the 64 bits of the input block to an iteration consist of a 32 bit block L followed by a 32 bit block R. Using the notation defined in the introduction, the input block is then LR. Let K be a block of 48 bits chosen from the 64-bit key. Then the output L'R' of an iteration with input LR is defined by:
(1) L' = R R' = L(+)f(R,K)
where (+) denotes bit-by-bit addition modulo 2. As remarked before, the input of the first iteration of the calculation is the permuted input block. If L'R' is the output of the 16th iteration then R'L' is the preoutput block. At each iteration a different block K of key bits is chosen from the 64-bit key designated by KEY. With more notation we can describe the iterations of the computation in more detail. Let KS be a function which takes an integer n in the range from 1 to 16 and a 64-bit block KEY as input and yields as output a 48-bit block K which is a permuted selection of bits from KEY. That is
n
(2)
Kn = KS(n,KEY)
with K determined by the bits in 48 distinct bit positions of KEY. KS is called the key schedule because the block K used in the n'th iteration of (1) is the block K determined by (2).
n n
As before, let the permuted input block be LR. Finally, let L and R be respectively L and R and let Ln and Rn be respectively L' and R' of (1) when L and R are respectively L and R and K isK ; that is, when n is in the range from 1 to 16,
() () n-1 n-1 n
(3)
The preoutput block is then R L . The key schedule KS of the algorithm is described in detail in the Appendix. The key schedule produces the 16 K which are required for the algorithm.
n
Deciphering The permutation IP applied to the preoutput block is the inverse of the initial permutation IP applied to the input. Further, from (1) it follows that:
-1
(4)
Consequently, to decipher it is only necessary to apply the very same algorithm to an enciphered message block, taking care that at each iteration of the computation the same block of key bits K is used during decipherment as was used during the encipherment of the block. Using the notation of the previous section, this can be expressed by the equations:
(5) Rn-1 = Ln Ln-1 = Rn (+) f(Ln,Kn)
16 16
where now R L is the permuted input block for the deciphering calculation and L and R is the preoutput block. That is, for the decipherment calculation with R L as the permuted input, K is used in the first iteration, K in the second, and so on, with K used in the 16th iteration.
() () 16 16 16 15 1
PRIMITIVE FUNCTIONS FOR THE DATA ENCRYPTION ALGORITHM The choice of the primitive functions KS, S ,...,S and P is critical to the strength of an encipherment resulting from the algorithm. Specified below is the recommended set of functions, describingS ,...,S and P in the same way they are described in the
1 8 1 8
algorithm. For the interpretation of the tables describing these functions, see the discussion in the body of the algorithm. The primitive functions S ,...,S are:
1 8
S1 14 O 4 15 4 13 15 7 1 14 12 8 1 2 4 14 8 13 2 4 15 11 2 13 6 2 9 1 8 3 1 10 11 15 7 5 10 6 6 12 12 9 11 3 S2 15 3 0 13 1 8 13 4 14 7 8 10 14 6 7 15 11 10 1 3 11 3 2 8 4 13 15 4 4 9 14 12 1 5 2 11 7 2 0 1 8 12 6 7 S3 10 13 13 1 0 9 7 O 6 4 10 13 14 9 9 0 6 3 8 6 3 15 4 6 15 3 9 8 5 1 10 2 0 11 7 4 13 12 8 5 1 2 15 14 S4 7 13 10 3 13 14 8 11 6 9 15 O 3 0 5 6 0 12 6 10 6 9 15 O 11 7 1 13 10 1 3 4 13 15 8 9 2 7 1 4 S5 2 14 4 11 12 4 11 2 2 1 8 12 1 7 12 4 11 10 7 1 10 11 7 13 13 7 14 2 6 8 1 5 8 15 13 6 5 3 0 15 9 12 15 O S6 12 10 9 4 1 10 15 4 14 15 3 2 15 2 5 12 9 7 2 9 2 6 12 9 8 12 5 15 8 O 5 6 3 7 10 11 13 3 1 13 0 4 14 1 S7 4 13 1 6 11 2 0 11 4 11 11 13 14 15 7 4 13 12 8 1 0 8 9 1 3 7 4 10 13 3 10 14 14 10 7 9 12 3 15 5 9 5 6 0 7 5 12 2 8 0 15 14 10 15 5 2 6 8 9 3 1 6 2 12 4 14 14 O 10 1 7 6 7 5 11 3 13 11 0 8 11 8 6 13 15 13 10 3 5 6 9 10 O 14 9 8 3 O 4 5 9 6 14 3 8 2 3 5 5 11 12 1 14 5 11 12 12 4 10 14 2 8 7 2 15 9 4 14 7 11 14 12 12 5 3 11 4 2 11 15 10 14 5 2 8 1 7 12 13 12 10 6 6 9 12 0 O 5 9 11 3 2 5 14 10 5 15 9 12 5 11 9 7 3 14 10 9 5 10 O 0 3 5 6 7 8 0 13
S8 13 1 7 2 2 8 15 13 11 4 1 14 4 6 8 10 1 9 7 4 15 11 3 7 12 14 10 8 16 29 1 5 2 32 19 22
n
1 10 4 12 2 0 13 15 7 12 15 18 8 27 13 11 20 28 23 31 24 3 30 4
9 3 5 6 6 10 12 9 21 17 26 10 14 9 6 25
14 5 11 0 13 15 0 3
0 12 14 9 3 5 5 6
7 2 8 11
Recall that K , for 1<= n <= 16, is the block of 48 bits in (2) of the algorithm. Hence, to describe KS, it is sufficient to describe the calculation of K from KEY for n = 1, 2,..., 16. That calculation is illustrated in Figure 3. To complete the definition of KS it is therefore sufficient to describe the two permuted choices, as well as the schedule of left shifts. One bit in each 8-bit byte of the KEY may be utilized for error detection in key generation, distribution and storage. Bits 8, 16,..., 64 are for use in assuring that each byte is of odd parity.
n
The table has been divided into two parts, with the first part determining how the bits of C are chosen, and the second part determining how the bits of D are chosen. The bits of KEY are numbered 1 through 64. The bits of C are respectively bits 57, 49, 41,..., 44 and 36 of KEY, with the bits of D being bits 63, 55, 47,..., 12 and 4 of KEY.
() () () ()
With C and D defined, we now define how the blocks C and D are obtained from the blocks C and D , respectively, for n = 1, 2,..., 16. That is accomplished by adhering to the following schedule of left shifts of the individual blocks:
() () n n n-1 n-1
For example, C and D are obtained from C and D , respectively, by two left shifts, and C and D are obtained from C and D , respectively, by one left shift. In all cases, by a single left shift is meant a rotation of the bits one place to the left, so that
16 16 15 15
after one left shift the bits in the 28 positions are the bits that were previously in positions 2, 3,..., 28, 1. Permuted choice 2 is determined by the following table:
PC-2 14 3 23 16 41 30 44 46 17 28 19 7 52 40 49 42
n
11 15 12 27 31 51 39 50
24 6 4 20 37 45 56 36
1 21 26 13 47 33 34 29
n
5 10 8 2 55 48 53 32
n
Therefore, the first bit of K is the 14th bit of C D , the second bit the 17th, and so on with the 47th bit the 29th, and the 48th bit the 32nd.