- Greetings and Felicitations
- Remember, talks about what you could do are at the end of this week

- History
- IBM did Lucifer, submitted it in response to NIST CFP
- NIST (really, NSA) suggested some minor changes; major one was to make key 56 bits, not 112.

- Show the cipher
- Product cipher with 64 bits in, 64 bits out, and 16 48-bit round keys generated from 56 bit key
- Note S-boxes are real heart of algorithm

- Known attacks and weaknesses
- Complementation property: DES
_{k}(*m*) = (DES_{k'}(*m*'))' where*x*' is the bitwise complement of*x*; - Weak, semiweak keys
- If it's a group, multiple encipherment worthless (as group is closed under composition)
- differential cryptanalysis: first version unusable as at 16 rounds, more
plaintext/ciphertext pairs needed than exhaustive key trial; but for 15 rounds,
cuts this time. Later versions cut it to 2
^{47}tries. Works by comparing xors of results with xors of corresponding plaintext.. Designers of DES knew about this one, hence the design of the S-boxes - linear cryptanalysis drops required chosen plaintext/ciphertext pairs to
2
^{42}; not known to designers of DES.

- Complementation property: DES
- DES Modes
- ECB
- CBC
- note that OFB and CFB exist, essentially use DES as a pseudorandom bitstream generator; OFB feeds back before xor, CFB after
- Triple DES and EDE mode

Notes by Elizabeth Jurrus: [Postscript] [Text] [Microsoft Word]

You can get this document in Postscript, ASCII text, or Framemaker version 5.1.

Send email to cs253@csif.cs.ucdavis.edu.

Department of Computer Science

University of California at Davis

Davis, CA 95616-8562