Cryptography Reference
In-Depth Information
x
Initial
Permutation
Encryption
k
1
Round 1
k
Encryption
k
16
Round 16
Final
Permutation
y
Fig. 3.4
Iterative structure of DES
only a reversed key schedule, which is an advantage in software and hardware im-
plementations. We discuss the Feistel network in the following.
After the initial bitwise permutation
IP
of a 64-bit plaintext
x
, the plaintext is
split into two halves
L
0
and
R
0
. These two 32-bit halves are the input to the Feistel
network, which consists of 16 rounds. The right half
R
i
is fed into the function
f
. The output of the
f
function is XORed (as usually denoted by the symbol
)
with the left 32-bit half
L
i
. Finally, the right and left half are swapped. This process
repeats in the next round and can be expressed as:
⊕
L
i
=
R
i
−
1
,
R
i
=
L
i
−
1
⊕
f
(
R
i
−
1
,
k
i
)
where i= 1,...,16. After round 16, the 32-bit halves
L
16
and
R
16
are swapped again,
and the final permutation
IP
−
1
is the last operation of DES. As the notation suggests,
the final permutation
IP
−
1
is the inverse of the initial permutation
IP
. In each round,
a round key
k
i
is derived from the main 56-bit key using what is called the key
schedule.
It is crucial to note that the Feistel structure really only encrypts (decrypts) half
of the input bits per each round, namely the left half of the input. The right half
is copied to the next round unchanged. In particular, the right half is
not encrypted
with the
f
function. In order to get a better understanding of the working of Feistel
cipher, the following interpretation is helpful: Think of the
f
function as a pseu-
dorandom generator with the two input parameters
R
i
−
1
and
k
i
. The output of the
pseudorandom generator is then used to encrypt the left half
L
i
−
1
with an XOR op-
eration. As we saw in Chap. 2, if the output of the
f
function is not predictable for
an attacker, this results in a strong encryption method.
