R 1 = L 15 . Hence, after the first decryption round, we in fact have computed the same

values we had before the last encryption round. Thus, the first decryption round

reverses the last encryption round. This is an iterative process which continues in

the next 15 decryption rounds and that can be expressed as:

L i = R 16 − i ,

R i = L 16 − i

where i = 0 , 1 ,..., 16. In particular, after the last decryption round:

L 16 = R 16 − 16 = R 0

R 16 = L 0

Finally, at the end of the decryption process, we have to reverse the initial per-

mutation:

IP − 1 ( R 16 , L 16 )= IP − 1 ( L 0 , R 0 )= IP − 1 ( IP ( x )) = x

where x is the plaintext that was the input to the DES encryption.

3.5 Security of DES

As we discussed in Sect. 1.2.2, ciphers can be attacked in several ways. With respect

to cryptographic attacks, we distinguish between exhaustive key search or brute-

force attacks, and analytical attacks. The latter was demonstrated with the LFSR

attack in Sect. 2.3.2, where we could easily break a stream cipher by solving a

system of linear equations. Shortly after DES was proposed, two major criticisms

against the cryptographic strength of DES centered around two arguments:

1. The key space is too small, i.e., the algorithm is vulnerable against brute-force

attacks.

2. The design criteria of the S-boxes was kept secret and there might have existed an

analytical attack that exploits mathematical properties of the S-boxes, but which

is only known to the DES designers.

We discuss both types of attacks below. However, we also state the main con-

clusion about DES security already here: Despite very intensive cryptanalysis over

the lifetime of DES, current analytical attacks are not very efficient. However, DES

can relatively easily be broken with an exhaustive key-search attack and, thus, plain

DES is not suited for most applications any more.