- It has eight S-boxes, each mapping 6 bits to 4 bits; each S-box is actually four small 4-bit boxes
- outer bits 1 & 6 (row bits) select one row
- inner bits 2-5 (col bits) are substituted
- result is 8 lots of 4 bits, or 32 bits
- The row selection depends on both data & key, a feature known as autoclaving (autokeying)

example: S(18 09 12 3d 11 17 38 39) = 5fd25e03

- forms subkeys used in each round
- consists of:
- initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves
- 16 stages consisting of:
- selecting 24-bits from each half
- permuting them by PC2 for use in function f,
- rotating each half separately either 1 or 2 places depending on the key rotation schedule K

- decrypt must unwind steps of data computation
- with Feistel design, do encryption steps again
- using subkeys in reverse order (SK16 … SK1)
- note that IP undoes final FP step of encryption
- 1st round with SK16 undoes 16th encrypt round
- 16th round with SK1 undoes 1st encrypt round
- then final FP undoes initial encryption IP
- thus recovering original data value

**Avalanche Effect:**

- key desirable property of encryption algorithm
- where a change of one input or key bit results in changing approx half output bits
- making attempts to “home-in” by guessing keys impossible
- DES exhibits strong avalanche

**Strength of DES – Key Size:**

- 56-bit keys have $2^{56} = 7.2 \times 10^{16}$ values
- brute force search looks hard
- recent advances have shown it is possible
- in 1997 on Internet in a few months
- in 1998 on dedicated h/w (EFF) in a few days
- in 1999 above combined in 22 hrs!

- still must be able to recognize plaintext
- now considering alternatives to DES

**Strength of DES – Timing Attacks:**

- attacks actual implementation of cipher
- use knowledge of consequences of implementation to derive knowledge of some/all subkey bits
- specifically use fact that calculations can take varying times depending on the value of the inputs to it
- particularly problematic on smartcards

**Strength of DES – Analytic Attacks:**

- now have several analytic attacks on DES
- these utilise some deep structure of the cipher
- by gathering information about encryptions
- can eventually recover some/all of the sub-key bits
- if necessary then exhaustively search for the rest

- generally these are statistical attacks
- include
- differential cryptanalysis
- linear cryptanalysis
- related key attacks

**Triple DEA:**

- Use three keys and three executions of the DES algorithm (encrypt-decrypt-encrypt)
- C = ciphertext
- P = Plaintext
- $E_K[X]$ = encryption of X using key K
- $D_K[Y]$ = decryption of Y using key K

- Effective key length of 168 bits
- $C = E_{K3}[D_{K2}[E_{K1}[P]]]$