KKEEYY SSCCHHEEDDUULLIINNGG IINN DDEESS TTYYPPEE CCRRYYPPTTOOSSYYSSTTEEMMSS
_L_a_w_r_e_n_c_e _B_r_o_w_n _a_n_d _J_e_n_n_i_f_e_r _S_e_b_e_r_r_y
Department of Computer Science
University College, UNSW, Australian Defence Force Academy
Canberra ACT 2600. Australia.
AAbbssttrraacctt
This paper reviews some possible design criteria for the key
schedule in a DES style cryptosystem. The key schedule
involves a Key Rotation component, and the permutation _P_C2.
Together these provide for a diffusion of dependency of cipher-
text bits on key bits. Some empirical rules which seem to
account for the derivation of the key schedule used in the DES
are first presented. A number of trials were run with various
key schedules, and some further design rules were derived. An
alternative form of key schedule was then tested. This used
either a null _P_C2, or one in which permutations only occurred
within the inputs to a given S-box, and a much larger rotation
schedule than used in the DES. This was found to be as effec-
tive as the key schedule used in the current DES, and is pro-
posed for use in new cryptosystems.
11.. IInnttrroodduuccttiioonn
The Data Encryption Standard (DES) [NBS77] is currently the
only certified encryption standard. It has achieved wide uti-
lization, particularly in the banking and electronic funds
transfer areas, and is an Australian standard [ASA85] among
others. With the current significant use of DES (especially in
banking), there is interest in designing and building a DES-
type cryptosystem with an extended key length of either 64
(rather than 56) or 128 bits. This is one of a continuing
series of papers [Bro89], [BrS90], [PiS89], [Pie89], analysing
aspects of the current DES, and indicating criteria to be used
in the design of future schemes.
This paper will concentrate on the design of the key schedule,
which involves a key rotation component, and the permutation
_P_C2. Together these provide for a diffusion of dependency of
ciphertext bits in key bits. As a measure of effectiveness,
Meyer's analysis of output bit dependence on key bits will be
used [MeM82]. Some empirical rules for the key schedule,
derived previously [Bro89], will be presented. A discussion of
some alternatives to the current schedule will be presented,
followed by the results obtained from testing a number of
alternate schedules. A presentation of the implications from
these in the design of any extended DES type schemes will con-
clude the paper.
AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy
22.. TThhee KKeeyy SScchheedduullee iinn DDEESS
The central component of the DES cryptosystem is the function
_g, which is a composition of expansion function _E, eight sub-
stitution boxes (S-boxes) _S, and a permutation _P1. Function _g
has as inputs the plaintext [_L(_i-1),_R(_i-1)] from the previous
round, and a selection of key bits _K(_i) (see Fig 1.). This may
be written as:
_g:_R(_i)=_L(_i-1)_X_O_R_P(_S(_E(_R(_i-1))_X_O_R_K(_i))),_L(_i)=_R(_i-1).
Fig 1. DES as a Mixing Function
The _k_e_y _s_c_h_e_d_u_l_e in a DES algorithm is responsible for forming
the sixteen 48-bit sub-keys _K(_i) used in the rounds of the
encryption procedure. This function is important since if the
same key is used on successive rounds, it can weaken the
resulting algorithm (see [GrT78], [MeM82], [MoS87], [MoS86],
and [ASA85]). In detail, the 64-bit key is permuted by _P_C1.
This permutation performs two functions: first it strips the
eight parity bits out, and then distributes the remaining 56
bits over two 28-bit halves _C(0) and _D(0). The cryptographic
significance of this permutation is questionable [DDF83]. Sub-
sequently for each round, each 28-bit register is rotated left
____________________
1 A more detailed description of these functions may be
found in [NBS77], [ASA85] or [SeP89].
-- 22 --
AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy
either one or two places according to the following schedule
(subsequently denoted _K_S):
+---------------------------------------------------+
| TTaabbllee 11 -- KKeeyy SScchheedduullee ffoorr DDEESS |
+------++-------------------------------------------+
|Round ||1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
+------++-------------------------------------------+
|Shift ||1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1 |
+------++-------------------------------------------+
|Total ||1 2 4 6 8 10 12 14 15 17 19 21 23 25 27 28 |
+------++-------------------------------------------+
After the shift, the resultant 28-bit vectors are permuted by
_P_C2 (which in fact consists of two 28-bit permutations, each of
which selects 24 bits) to form the sub-key for that round.
This permutation may be written in terms of which S-box each
bit is directed to, as shown in Table 2 (nb: an * indicates an
autoclave S-box input rather than a message input; an X speci-
fies exclusion of that bit).
+-------------------------------------------------------------------+
| TTaabbllee 22 -- CCuurrrreenntt DDEESS PPeerrmmuuttaattiioonn PPCC22 |
+-------------------------------------------------------------------+
|C: 1 4* 2* 3 1* 2 4 3* X 2* 1 3 4 1* 2 4* 1 X 3 4 2 X 3* 1 X 3 4 2 |
|D: 8 6* 5 8* 6 7 X 8 5 X 7 6 5* 8 X 7* 6 8* 5 6* 7 8 6 5 7* X 5* 7 |
+-------------------------------------------------------------------+
The sub-keys _K(_i) may be written as;
_K(_i)=_P_C2(_K_S(_U,_i)), where_U=_P_C1(_K)
and _K_S(_U,_i) is the key rotation schedule for input block _U at
round _i.
33.. EEmmppiirriiccaall KKeeyy SScchheedduullee DDeessiiggnn CCrriitteerriiaa
In Brown [Bro89], some empirical design rules for the key
schedule are presented. The rules presented for permutation _P_C2
are (if the bits are sorted into ascending order of their input
bits):
+o 1 bits permuted to the same S-box input are no closer than 3
bits apart
+o 2 bits permuted to an S-box input must have a span from low-
est to highest input bit number of at least 22 of the 28
bits in each key half (alternatively, the average spacing
must be at least 3 2/3)
+o 3 bits permuted to the selector bits _a,_f on a given S-box
must not be adjacent in the sorted list of input bits
+o 4 bits not selected by _P_C2 must be at least 3 places apart
-- 33 --
AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy
The design of the key schedule _K_S is obviously related to the
design of _P_C2 by rules 1 and 4 given above. Brown notes that
the key schedule _K_S ensures that:
+o 1 each bit is used as input to each S-box
+o 2 no bit is used as input to the same S-box on successive
rounds
+o 3 the total number of bits rotated is 56 (which implies that
_K(0) = _K(16), enabling the decryption operation to use
right shifts in reverse order).
44.. CCiipphheerrtteexxtt DDeeppeennddeennccee oonn KKeeyy BBiittss
This analysis is complex, and is dependent on the choices of
permutations _P and _P_C2 as well as the _K_S the key schedule2. To
quantify this dependency, a 64*56 array _F_r is formed, in which
element _F_r[_i,_j] specifies a dependency of output bit _X(_j) on
key bit _U(_i). The vector _U is that formed after PC1 is
applied, ie _U=_P_C1(_K). The number of marked elements in _G_r will
be examined to provide a profile of the degree of dependence
achieved by round _r. Details of the derivation of this matrix,
and the means by which entries are propagated, may be found in
[MeM82]. This analysis technique will be used as a measure of
effectiveness for possible key schedules. In particular, two
criteria are used:
+o rate of growth of output bit dependence on key bits by any
S-box inputs
+o rate of growth of output bit dependence on key bits by
BOTH message and autoclave S-box inputs
55.. AAlltteerrnnaattiivveess ffoorr tthhee KKeeyy SScchheedduullee
The purpose of the above rules in designing a key schedule may
be summarized as follows:
to present each key bit to a message input, and to an
autoclave input, of each S-box as quickly as possible.
This is achieved by a combination of the key rotation schedule
_K_S, the key permutation _P_C2, and the function _g=_S._P._E. Trials
have been performed in which each of these is varied in turn,
to analyse the effect of each.
In addition to that underlying design purpose, there is a prag-
matic decision on the size of the key registers. In the current
scheme, the key is divided into two halves. An alternate form
____________________
2 but not on permutations _I_P, _F_P and _P_C1, which only serve
to renumber the plaintext, ciphertext, and key bits respective-
ly. The analysis done in this paper ignores these permutations
for this reason.
-- 44 --
AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy
could be to have a single large key schedule register. We also
wish to extend the size of the key, in order to ensure it is
large enough to withstand any foreseeable exhaustive search
style attack. One way of providing a measure of this, whilst
still maintaining compatibility with existing protocols, would
be to remove the notion of parity bits in the key, and use all
64-bits. Combining these two ideas we have the following possi-
bilities for _P_C2:
28 -> 24 bit
56 -> 48 bit
32 -> 24 bit
64 -> 48 bit
Initially, a key schedule with the same form as the current DES
was examined, in order that comparisons with the effectiveness
of the current DES scheme could be made. Having obtained some
guidelines from these trials, key schedules involving some of
the alternatives were then tried.
66.. SSoommee TTrriiaallss oonn NNeeww KKeeyy SScchheedduulleess
In Brown [Bro89], some empirical design criteria for permuta-
tion _P_C2 and the Key Rotation Schedule were presented. The
authors have subsequently used these rules to generate a set of
permutations _P_C2. Since all possible 28->24 bit permutations
could not be tried, permutations with the form shown in Table 3
were tried (that is all arrangements of the 4 excluded bits,
subject to the rules set, were found). This form was chosen in
order to distribute key bits to each of the 4 S-boxes being fed
by each half of the key schedule as quickly as possible. A
total of 7315 permutations were found.
+---------------------------------------------------------------+
| TTaabbllee 33 -- ffoorrmm ooff ggeenneerraatteedd PPeerrmmuuttaattiioonnss PPCC22 |
+---------------------------------------------------------------+
|C: 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 + X X X X |
|D: 5 6 7 8 5 6 7 8 5 6 7 8 5 6 7 8 5 6 7 8 5 6 7 8 + X X X X |
+---------------------------------------------------------------+
Ciphertext-Key Dependences (CKdep) tests on these permutations
produced results shown in Table 4 (with comparisons to the cur-
rent and worst case _P_C2 supplied for comparison).
-- 55 --
AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy
+-----------------------------------------------------------------------------------+
| TTaabbllee 44 -- DDeeppeennddeennccyy ooff CCiipphheerrtteexxtt bbiittss oonn KKeeyy bbiittss |
| UUssiinngg CCuurrrreenntt DDEESS PPeerrmmuuttaattiioonn PP aanndd KKeeyy SScchheedduullee |
+------+---------+-----------+---------------+-------------+------------------------+
|Round | Std _P_C2 | Worst _P_C2 | Generated _P_C2 | Regular X 2 | Regular X 1, X 3, X 4 |
+------+---------+-----------+---------------+-------------+------------------------+
| 1 | 5.36 | 5.36 | 5.36 | 5.36 | 5.36 |
| 2 | 39.17 | 42.19 | 38.50-39.06 | 39.06 | 38.62 |
| 3 | 82.25 | 81.47 | 80.25-82.37 | 82.37 | 81.47 |
| 4 | 98.44 | 91.29 | 96.65-98.66 | 98.66 | 98.21 |
| 5 | 100.00 | 96.21 | 99.55-100.00 | 100.00 | 100.00 |
| 6 | 100.00 | 99.55 | 100.00 | 100.00 | 100.00 |
| 7 | 100.00 | 100.00 | 100.00 | 100.00 | 100.00 |
| 8 | 100.00 | 100.00 | 100.00 | 100.00 | 100.00 |
+------+---------+-----------+---------------+-------------+------------------------+
Some of these permutations performed better than the _P_C2 used
in the current DES. The best of these were selected, 15 being
found. These 15 permutations were all found to have a special
form, namely that the excluded bits always fell between bits
permuted to S-box 1 and S-box 2 (or 5 and 6 in the D-side).
There are thus exactly 15 since 15=6_C4. In order to investi-
gate these permutations with a regular placing of the excluded
bits, all 60 such permutations were generated. A CKdep analy-
sis of these permutations resulted in only two results, one for
permutations with the excluded bit before a bit permuted to S-
box 2 (Regular X 2), and one for the others (Regular X 1, X 3,
X 4). These results are also shown in Table 4.
So far, we have used the first of the two criteria presented
earlier, namely the growth of overall bit dependence of output
bits on key bits. If we now consider the alternate measure,
namely growth in dependence of output bits on key bits by both
message and autoclave S-box inputs, then the results become
less clear. As shown in Table 5, whilst growth of overall
dependence is greater with the regular _P_C2's, growth of both is
worse.
+--------------------------------------------------------------------------------------------------------------------------+
| TTaabbllee 55 -- DDeeppeennddeennccyy ooff CCiipphheerrtteexxtt bbiittss oonn KKeeyy bbiittss |
| UUssiinngg CCuurrrreenntt DDEESS PPeerrmmuuttaattiioonn PP aanndd KKeeyy SScchheedduullee |
| bbyy BBootthh MMeessssaaggee aanndd AAuuttooccllaavvee SS--bbooxx IInnppuuttss |
+----------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+
|Round || 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
+----------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+
|CKdep ||Both,Either | Both,Either | Both,Either | Both,Either | Both,Either | Both,Either | Both,Either | Both,Either |
+----------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+
|PC2.std || 0.0,5.36 | 2.01,39.17 | 36.50,82.25 | 81.03,98.44 | 95.87,100.0 | 99.33,100.0 | 100.0,100.0 | 100.0,100.0 |
|PC2.worst || 0.0,5.36 | 0.0,42.19 | 33.71,81.47 | 73.88,91.29 | 84.38,96.21 | 92.86,99.55 | 98.66,100.0 | 100.0,100.0 |
|PC2 X 1 || 0.0,5.36 | 0.22,38.62 | 29.91,81.47 | 65.07,98.21 | 73.66,100.0 | 80.13,100.0 | 87.28,100.0 | 93.97,100.0 |
|PC2 X 2 || 0.0,5.36 | 0.45,39.06 | 30.36,82.37 | 67.08,98.66 | 77.01,100.0 | 83.26,100.0 | 90.18,100.0 | 95.87,100.0 |
|PC2 X 3 || 0.0,5.36 | 0.45,39.06 | 30.13,81.92 | 66.74,98.21 | 76.79,100.0 | 83.04,100.0 | 89.96,100.0 | 95.76,100.0 |
|PC2 X 4 || 0.0,5.36 | 0.45,39.06 | 30.13,81.92 | 66.52,98.21 | 75.67,100.0 | 80.36,100.0 | 86.38,100.0 | 92.41,100.0 |
+----------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+
-- 66 --
AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy
A closer look at the structure of the regular permutations
shows that the autoclave input bits are clustered, due to the
method used to assign them to S-box inputs. By altering the
order of inputs within each S-box, a more regular arrangement
of autoclave inputs was obtained. When these were tested, the
growth of dependence on both was much greater, thus emphasizing
the importance of this criterion on the design of _P_C2.
To obtain an indication of the relative influences of each of
the components in the key schedule, a series of trials were
run, in which each of the following three components were var-
ied with the specified alternatives:
_P based on the results in [BrS90], two permutations P were
used:
+o the current DES _P and
+o a strictly regular permutation generated by a difference
function on the S-box number of [+1 -2 +3 +4 +2 -1].
Because of its very regular structure, the propagation of
dependencies may be more easily calculated.
_P_C2 from the above work, the 4 best performing regular _P_C2
were extracted. Then these were processed to provide
three levels of clustering of the autoclave inputs.
_K_S the key variant in the key rotation schedule appears to be
the distribution of shifts of 1 verses 2 places. A set of
key schedules with various numbers of shifts of 1 ini-
tially were derived as shown in Table 6.
+-----------------------------------------------+
| TTaabbllee 66 -- TTrriiaall KKeeyy SScchheedduulleess |
+------++---------------------------------------+
|Round ||1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
+------++---------------------------------------+
|KS ||2 2 2 2 2 2 2 2 2 2 2 2 1 1 1 1 |
|KS ||1 2 2 2 2 2 2 2 2 2 2 2 2 1 1 1 |
|KS ||1 1 2 2 2 2 2 2 2 2 2 2 2 2 1 1 |
|KS ||1 1 1 2 2 2 2 2 2 2 2 2 2 2 2 1 |
|KS ||1 1 1 1 2 2 2 2 2 2 2 2 2 2 2 2 |
+------++---------------------------------------+
When this test was run, the following conclusions were made:
+o the current permutation _P performed better, possibly
because its less than regular structure assisted the dis-
tribution of dependencies between the autoclave and mes-
sage inputs.
+o permutations _P_C2 with the best spread of autoclave inputs,
performed best as expected.
+o a key schedule with as many shifts of 1 initially per-
formed best. This again would appear to be a function of
-- 77 --
AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy
the best method for spreading bits to as many S-box inputs
as soon as possible.
77.. DDeessiiggnn CCrriitteerriiaa ffoorr NNeeww KKeeyy SScchheedduulleess
From the above results, the design principles for designing key
schedules can now be summarized as follows:
The key schedule ensures that:
1 each key bit is used as input to each S-box in turn
2 no bit is used as autoclave inputs on successive rounds
3 no bit is excluded on successive rounds
4 the final key register value is identical to the original
key register value (to enable easy reversal of the key
schedule for decryption)
88.. AAnn AAlltteerrnnaattiivvee KKeeyy SScchheedduullee DDeessiiggnn
In the design of the DES, small key rotations were used, which
required the use of permutation _P_C2 to provide a fan-out of
key-bits across the S-box inputs, in order to satisfy the above
principles. An alternative design can be envisaged in which a
large key rotation interval is used, along with a null _P_C2 (ie:
so called worst case _P_C2), or a local _P_C2 which only permutes
bits within each block of 6 S-box inputs. The two _P_C2 permuta-
tions used are shown in Table 7.
+-------------------------------------------------------------------+
| TTaabbllee 77 -- NNuullll aanndd LLooccaall PPeerrmmuuttaattiioonnss PPCC22 |
| ffoorr AAlltteerrnnaattiivvee KKeeyy SScchheedduullee |
+-------------------------------------------------------------------+
|C: 1* 1 1 1 1 1* 2* 2 2 2 2 2* 3* 3 3 3 3 3* 4* 4 4 4 4 4* X X X X |
|D: 5* 5 5 5 5 5* 6* 6 6 6 6 6* 7* 7 7 7 7 7* 8* 8 8 8 8 8* X X X X |
+-------------------------------------------------------------------+
|C: 1* 1 1 1 1 1* 2 2 2 2* 2* 2 3 3* 3* 3 3 3 4* 4 4 4 4 4* X X X X |
|D: 5* 5 5 5 5 5* 6 6 6 6* 6* 6 7 7* 7* 7 7 7 8* 8 8 8 8 8* X X X X |
+-------------------------------------------------------------------+
For this design, a constant key rotation of 7 bits was used,
both because it is larger than the number of inputs to an S-
box, and because after sixteen rounds, the key register con-
tents are the same as the original value (since
7*16=112=4*28=2*56), for both split key registers or a single
large key register. This schedule is shown in Table 8.
-- 88 --
AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy
+-----------------------------------------------+
| TTaabbllee 88 -- AAlltteerrnnaattiivvee CCoonnssttaanntt KKeeyy SScchheedduullee |
+------++---------------------------------------+
|Round ||1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
+------++---------------------------------------+
|KS ||7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 |
+------++---------------------------------------+
The results obtained for these _P_C2 permutations and this key
schedule, using both a split key rotation register, and a sin-
gle key register, are shown in Table 9.
+----------------------------------------------------------------------------------------------------------------------+
| TTaabbllee 99 -- DDeeppeennddeennccyy ooff CCiipphheerrtteexxtt bbiittss oonn KKeeyy bbiittss |
| UUssiinngg CCuurrrreenntt DDEESS PPeerrmmuuttaattiioonn PP aanndd tthhee AAlltteerrnnaattiivvee KKeeyy SScchheedduullee |
| bbyy BBootthh MMeessssaaggee aanndd AAuuttooccllaavvee SS--bbooxx IInnppuuttss |
+------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+
|Round || 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
+------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+
|PC2 ||Both,Either | Both,Either | Both,Either | Both,Either | Both,Either | Both,Either | Both,Either | Both,Either |
+------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+
| SSpplliitt KKeeyy RReeggiisstteerr UUsseedd |
+------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+
|null || 0.0,5.36 | 1.56,39.06 | 34.82,82.03 | 76.56,98.33 | 91.52,100.0 | 98.21,100.0 | 100.0,100.0 | 100.0,100.0 |
|local || 0.0,5.36 | 2.57,39.06 | 38.17,82.03 | 83.82,98.33 | 98.21,100.0 | 100.0,100.0 | 100.0,100.0 | 100.0,100.0 |
+------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+
| SSiinnggllee KKeeyy RReeggiisstteerr UUsseedd |
+------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+
|null || 0.0,5.36 | 1.79,38.73 | 35.04,81.70 | 76.56,98.33 | 91.52,100.0 | 98.21,100.0 | 100.0,100.0 | 100.0,100.0 |
|local || 0.0,5.36 | 2.79,38.73 | 38.39,81.70 | 83.82,98.33 | 98.21,100.0 | 100.0,100.0 | 100.0,100.0 | 100.0,100.0 |
+------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+
These results are very similar in performance to the key sched-
ule used in the current DES (see Table 5). The null _P_C2 per-
forms slightly worse, whilst the local _P_C2 performs better.
Depending on the efficiency required, a tradeoff between best
performance and ease of implementation can be made between
these. There is very little difference in performance between
the split and single key rotation registers, thus either could
be chosen, depending on other constraints.
99.. CCoonncclluussiioonn
The key schedule in the current DES has been analysed, and some
empirical principles which could have been used in its design
derived. These were used to test a number of alternative key
schedules, which led to the development of a new set of gener-
alized principles to be used in the design of a new algorithm.
An alternative key schedule which either eliminates permutation
_P_C2, or uses a local _P_C2, was tried and found to be as effec-
tive as that used in the current DES. This is thus suggested
for use in any new algorithm.
-- 99 --
AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy
AAcckknnoowwlleeddggeemmeennttss
To the following members of the Centre for Computer Security
Research: Leisa Condie, Thomas Hardjono, Mike Newberry, Cathy
Newberry, Josef Pieprzyk, and Jennifer Seberry; and to: Dr.
George Gerrity, Dr. Andzej Goscinski, and Dr. Charles Newton;
for their comments on, suggestions about, and critiques of this
paper.
Thankyou.
-- 1100 --
AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy
RReeffeerreenncceess
[ASA85] ASA, "_E_l_e_c_t_r_o_n_i_c_s _F_u_n_d_s _T_r_a_n_s_f_e_r _- _R_e_q_u_i_r_e_m_e_n_t_s _f_o_r
_I_n_t_e_r_f_a_c_e_s_, _P_a_r_t _5_, _D_a_t_a _E_n_c_r_y_p_t_i_o_n _A_l_g_o_r_i_t_h_m,"
AS2805.5-1985, Standards Association of Australia,
Sydney, Australia, 1985.
[Bro89] L. Brown, "A Proposed Design for an Extended DES,"
in _C_o_m_p_u_t_e_r _S_e_c_u_r_i_t_y _i_n _t_h_e _A_g_e _o_f _I_n_f_o_r_m_a_t_i_o_n, W. J.
Caelli (editor), North-Holland, Amsterdam, 1989.
[BrS90] L. Brown and J. Seberry, "On the Design of
Permutation P in DES Type Cryptosystems," in
_A_d_v_a_n_c_e_s _i_n _C_r_y_p_t_o_l_o_g_y _- _E_u_r_o_c_r_y_p_t_'_8_9, Lecture Notes
in Computer Science, no. 434, J. J. Quisquater and J.
Vanderwalle (editors), pp. 696-705, |Springer
Verlag|, Berlin, 1990.
[DDF83] M. Davio, Y. Desmedt, M. Fosseprez, R. Govaerts, J.
Hulsbosch, P. Neutjens, P. Piret, J. Quisquater, J.
Vanderwalle and P. Wouters, "Analytical
Characteristics of the DES," in _A_d_v_a_n_c_e_s _i_n
_C_r_y_p_t_o_l_o_g_y _- _|_P_r_o_c_._| _o_f _C_r_y_p_t_o _8_3, D. Chaum, R. L.
Rivest and A. T. Sherman (editors), pp. 171-202,
Plenum Press, New York, |August.| 22-24, 1983.
[GrT78] E. K. Grossman and B. Tuckerman, "Analysis of a
Weakened Feistel-Like Cipher," in _|_P_r_o_c_._| _1_9_7_8 _I_E_E_E
_|_C_o_n_f_._| _O_n _C_o_m_m_u_n_i_c_a_t_i_o_n_s, pp. 46.3.1-5, IEEE, 1978.
[MeM82] C. H. Meyer and S. M. Matyas, _C_r_y_p_t_o_g_r_a_p_h_y_: _A _N_e_w
_D_i_m_e_n_s_i_o_n _i_n _D_a_t_a _S_e_c_u_r_i_t_y, |John Wiley & Sons, New
York, 1982.
[MoS86] J. H. Moore and G. J. Simmons, "Cycle Structure of
the Weak and Semi-Weak DES Keys," _E_u_r_o_c_r_y_p_t _8_6 _-
_A_b_s_t_r_a_c_t_s _o_f _P_a_p_e_r_s , p. 2.1, Linkoping, Sweden,
20-22 |May| 1986.
[MoS87] J. H. Moore and G. J. Simmons, _A_d_v_a_n_c_e_s _i_n _C_r_y_p_t_o_l_o_g_y
_- _|_P_r_o_c_._| _o_f _C_R_Y_P_T_O_'_8_6, Lecture Notes in Computer
Science, no. 263, pp. 9-32, |Springer Verlag|,
Berlin, 1987.
[NBS77] NBS, "_D_a_t_a _E_n_c_r_y_p_t_i_o_n _S_t_a_n_d_a_r_d _(_D_E_S_)," FIPS PUB 46,
US National Bureau of Standards, Washington, DC,
|January.| 1977.
[PiS89] J. Pieprzyk and J. Seberry, "_R_e_m_a_r_k_s _o_n _E_x_t_e_n_s_i_o_n _o_f
_D_E_S _- _W_h_i_c_h _W_a_y _t_o _G_o_?," Tech. Rep. CS89/4, |Dept.
of Computer Science, UC UNSW, Australian Defence
Force Academy|, Canberra, Australia, |February.|
1989.
[Pie89] J. Pieprzyk, "Error Propagation Property and
Application in Cryptography," _I_E_E _P_r_o_c_e_e_d_i_n_g_s_-_E_,
_C_o_m_p_u_t_e_r_s _a_n_d _D_i_g_i_t_a_l _T_e_c_h_n_i_q_u_e_s, vol. 136, no. 4,
-- 1111 --
AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy
pp. 262-270, |July| 1989.
[SeP89] J. Seberry and J. Pieprzyk, _C_r_y_p_t_o_g_r_a_p_h_y_: _A_n
_I_n_t_r_o_d_u_c_t_i_o_n _t_o _C_o_m_p_u_t_e_r _S_e_c_u_r_i_t_y, |Prentice Hall,
Englewood Cliffs, NJ|, 1989.
-- 1122 --