KKEEYY SSCCHHEEDDUULLIINNGG IINN DDEESS TTYYPPEE CCRRYYPPTTOOSSYYSSTTEEMMSS _L_a_w_r_e_n_c_e _B_r_o_w_n _a_n_d _J_e_n_n_i_f_e_r _S_e_b_e_r_r_y Department of Computer Science University College, UNSW, Australian Defence Force Academy Canberra ACT 2600. Australia. AAbbssttrraacctt This paper reviews some possible design criteria for the key schedule in a DES style cryptosystem. The key schedule involves a Key Rotation component, and the permutation _P_C2. Together these provide for a diffusion of dependency of cipher- text bits on key bits. Some empirical rules which seem to account for the derivation of the key schedule used in the DES are first presented. A number of trials were run with various key schedules, and some further design rules were derived. An alternative form of key schedule was then tested. This used either a null _P_C2, or one in which permutations only occurred within the inputs to a given S-box, and a much larger rotation schedule than used in the DES. This was found to be as effec- tive as the key schedule used in the current DES, and is pro- posed for use in new cryptosystems. 11.. IInnttrroodduuccttiioonn The Data Encryption Standard (DES) [NBS77] is currently the only certified encryption standard. It has achieved wide uti- lization, particularly in the banking and electronic funds transfer areas, and is an Australian standard [ASA85] among others. With the current significant use of DES (especially in banking), there is interest in designing and building a DES- type cryptosystem with an extended key length of either 64 (rather than 56) or 128 bits. This is one of a continuing series of papers [Bro89], [BrS90], [PiS89], [Pie89], analysing aspects of the current DES, and indicating criteria to be used in the design of future schemes. This paper will concentrate on the design of the key schedule, which involves a key rotation component, and the permutation _P_C2. Together these provide for a diffusion of dependency of ciphertext bits in key bits. As a measure of effectiveness, Meyer's analysis of output bit dependence on key bits will be used [MeM82]. Some empirical rules for the key schedule, derived previously [Bro89], will be presented. A discussion of some alternatives to the current schedule will be presented, followed by the results obtained from testing a number of alternate schedules. A presentation of the implications from these in the design of any extended DES type schemes will con- clude the paper. AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy 22.. TThhee KKeeyy SScchheedduullee iinn DDEESS The central component of the DES cryptosystem is the function _g, which is a composition of expansion function _E, eight sub- stitution boxes (S-boxes) _S, and a permutation _P1. Function _g has as inputs the plaintext [_L(_i-1),_R(_i-1)] from the previous round, and a selection of key bits _K(_i) (see Fig 1.). This may be written as: _g:_R(_i)=_L(_i-1)_X_O_R_P(_S(_E(_R(_i-1))_X_O_R_K(_i))),_L(_i)=_R(_i-1). Fig 1. DES as a Mixing Function The _k_e_y _s_c_h_e_d_u_l_e in a DES algorithm is responsible for forming the sixteen 48-bit sub-keys _K(_i) used in the rounds of the encryption procedure. This function is important since if the same key is used on successive rounds, it can weaken the resulting algorithm (see [GrT78], [MeM82], [MoS87], [MoS86], and [ASA85]). In detail, the 64-bit key is permuted by _P_C1. This permutation performs two functions: first it strips the eight parity bits out, and then distributes the remaining 56 bits over two 28-bit halves _C(0) and _D(0). The cryptographic significance of this permutation is questionable [DDF83]. Sub- sequently for each round, each 28-bit register is rotated left ____________________ 1 A more detailed description of these functions may be found in [NBS77], [ASA85] or [SeP89]. -- 22 -- AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy either one or two places according to the following schedule (subsequently denoted _K_S): +---------------------------------------------------+ | TTaabbllee 11 -- KKeeyy SScchheedduullee ffoorr DDEESS | +------++-------------------------------------------+ |Round ||1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | +------++-------------------------------------------+ |Shift ||1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1 | +------++-------------------------------------------+ |Total ||1 2 4 6 8 10 12 14 15 17 19 21 23 25 27 28 | +------++-------------------------------------------+ After the shift, the resultant 28-bit vectors are permuted by _P_C2 (which in fact consists of two 28-bit permutations, each of which selects 24 bits) to form the sub-key for that round. This permutation may be written in terms of which S-box each bit is directed to, as shown in Table 2 (nb: an * indicates an autoclave S-box input rather than a message input; an X speci- fies exclusion of that bit). +-------------------------------------------------------------------+ | TTaabbllee 22 -- CCuurrrreenntt DDEESS PPeerrmmuuttaattiioonn PPCC22 | +-------------------------------------------------------------------+ |C: 1 4* 2* 3 1* 2 4 3* X 2* 1 3 4 1* 2 4* 1 X 3 4 2 X 3* 1 X 3 4 2 | |D: 8 6* 5 8* 6 7 X 8 5 X 7 6 5* 8 X 7* 6 8* 5 6* 7 8 6 5 7* X 5* 7 | +-------------------------------------------------------------------+ The sub-keys _K(_i) may be written as; _K(_i)=_P_C2(_K_S(_U,_i)), where_U=_P_C1(_K) and _K_S(_U,_i) is the key rotation schedule for input block _U at round _i. 33.. EEmmppiirriiccaall KKeeyy SScchheedduullee DDeessiiggnn CCrriitteerriiaa In Brown [Bro89], some empirical design rules for the key schedule are presented. The rules presented for permutation _P_C2 are (if the bits are sorted into ascending order of their input bits): +o 1 bits permuted to the same S-box input are no closer than 3 bits apart +o 2 bits permuted to an S-box input must have a span from low- est to highest input bit number of at least 22 of the 28 bits in each key half (alternatively, the average spacing must be at least 3 2/3) +o 3 bits permuted to the selector bits _a,_f on a given S-box must not be adjacent in the sorted list of input bits +o 4 bits not selected by _P_C2 must be at least 3 places apart -- 33 -- AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy The design of the key schedule _K_S is obviously related to the design of _P_C2 by rules 1 and 4 given above. Brown notes that the key schedule _K_S ensures that: +o 1 each bit is used as input to each S-box +o 2 no bit is used as input to the same S-box on successive rounds +o 3 the total number of bits rotated is 56 (which implies that _K(0) = _K(16), enabling the decryption operation to use right shifts in reverse order). 44.. CCiipphheerrtteexxtt DDeeppeennddeennccee oonn KKeeyy BBiittss This analysis is complex, and is dependent on the choices of permutations _P and _P_C2 as well as the _K_S the key schedule2. To quantify this dependency, a 64*56 array _F_r is formed, in which element _F_r[_i,_j] specifies a dependency of output bit _X(_j) on key bit _U(_i). The vector _U is that formed after PC1 is applied, ie _U=_P_C1(_K). The number of marked elements in _G_r will be examined to provide a profile of the degree of dependence achieved by round _r. Details of the derivation of this matrix, and the means by which entries are propagated, may be found in [MeM82]. This analysis technique will be used as a measure of effectiveness for possible key schedules. In particular, two criteria are used: +o rate of growth of output bit dependence on key bits by any S-box inputs +o rate of growth of output bit dependence on key bits by BOTH message and autoclave S-box inputs 55.. AAlltteerrnnaattiivveess ffoorr tthhee KKeeyy SScchheedduullee The purpose of the above rules in designing a key schedule may be summarized as follows: to present each key bit to a message input, and to an autoclave input, of each S-box as quickly as possible. This is achieved by a combination of the key rotation schedule _K_S, the key permutation _P_C2, and the function _g=_S._P._E. Trials have been performed in which each of these is varied in turn, to analyse the effect of each. In addition to that underlying design purpose, there is a prag- matic decision on the size of the key registers. In the current scheme, the key is divided into two halves. An alternate form ____________________ 2 but not on permutations _I_P, _F_P and _P_C1, which only serve to renumber the plaintext, ciphertext, and key bits respective- ly. The analysis done in this paper ignores these permutations for this reason. -- 44 -- AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy could be to have a single large key schedule register. We also wish to extend the size of the key, in order to ensure it is large enough to withstand any foreseeable exhaustive search style attack. One way of providing a measure of this, whilst still maintaining compatibility with existing protocols, would be to remove the notion of parity bits in the key, and use all 64-bits. Combining these two ideas we have the following possi- bilities for _P_C2: 28 -> 24 bit 56 -> 48 bit 32 -> 24 bit 64 -> 48 bit Initially, a key schedule with the same form as the current DES was examined, in order that comparisons with the effectiveness of the current DES scheme could be made. Having obtained some guidelines from these trials, key schedules involving some of the alternatives were then tried. 66.. SSoommee TTrriiaallss oonn NNeeww KKeeyy SScchheedduulleess In Brown [Bro89], some empirical design criteria for permuta- tion _P_C2 and the Key Rotation Schedule were presented. The authors have subsequently used these rules to generate a set of permutations _P_C2. Since all possible 28->24 bit permutations could not be tried, permutations with the form shown in Table 3 were tried (that is all arrangements of the 4 excluded bits, subject to the rules set, were found). This form was chosen in order to distribute key bits to each of the 4 S-boxes being fed by each half of the key schedule as quickly as possible. A total of 7315 permutations were found. +---------------------------------------------------------------+ | TTaabbllee 33 -- ffoorrmm ooff ggeenneerraatteedd PPeerrmmuuttaattiioonnss PPCC22 | +---------------------------------------------------------------+ |C: 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 + X X X X | |D: 5 6 7 8 5 6 7 8 5 6 7 8 5 6 7 8 5 6 7 8 5 6 7 8 + X X X X | +---------------------------------------------------------------+ Ciphertext-Key Dependences (CKdep) tests on these permutations produced results shown in Table 4 (with comparisons to the cur- rent and worst case _P_C2 supplied for comparison). -- 55 -- AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy +-----------------------------------------------------------------------------------+ | TTaabbllee 44 -- DDeeppeennddeennccyy ooff CCiipphheerrtteexxtt bbiittss oonn KKeeyy bbiittss | | UUssiinngg CCuurrrreenntt DDEESS PPeerrmmuuttaattiioonn PP aanndd KKeeyy SScchheedduullee | +------+---------+-----------+---------------+-------------+------------------------+ |Round | Std _P_C2 | Worst _P_C2 | Generated _P_C2 | Regular X 2 | Regular X 1, X 3, X 4 | +------+---------+-----------+---------------+-------------+------------------------+ | 1 | 5.36 | 5.36 | 5.36 | 5.36 | 5.36 | | 2 | 39.17 | 42.19 | 38.50-39.06 | 39.06 | 38.62 | | 3 | 82.25 | 81.47 | 80.25-82.37 | 82.37 | 81.47 | | 4 | 98.44 | 91.29 | 96.65-98.66 | 98.66 | 98.21 | | 5 | 100.00 | 96.21 | 99.55-100.00 | 100.00 | 100.00 | | 6 | 100.00 | 99.55 | 100.00 | 100.00 | 100.00 | | 7 | 100.00 | 100.00 | 100.00 | 100.00 | 100.00 | | 8 | 100.00 | 100.00 | 100.00 | 100.00 | 100.00 | +------+---------+-----------+---------------+-------------+------------------------+ Some of these permutations performed better than the _P_C2 used in the current DES. The best of these were selected, 15 being found. These 15 permutations were all found to have a special form, namely that the excluded bits always fell between bits permuted to S-box 1 and S-box 2 (or 5 and 6 in the D-side). There are thus exactly 15 since 15=6_C4. In order to investi- gate these permutations with a regular placing of the excluded bits, all 60 such permutations were generated. A CKdep analy- sis of these permutations resulted in only two results, one for permutations with the excluded bit before a bit permuted to S- box 2 (Regular X 2), and one for the others (Regular X 1, X 3, X 4). These results are also shown in Table 4. So far, we have used the first of the two criteria presented earlier, namely the growth of overall bit dependence of output bits on key bits. If we now consider the alternate measure, namely growth in dependence of output bits on key bits by both message and autoclave S-box inputs, then the results become less clear. As shown in Table 5, whilst growth of overall dependence is greater with the regular _P_C2's, growth of both is worse. +--------------------------------------------------------------------------------------------------------------------------+ | TTaabbllee 55 -- DDeeppeennddeennccyy ooff CCiipphheerrtteexxtt bbiittss oonn KKeeyy bbiittss | | UUssiinngg CCuurrrreenntt DDEESS PPeerrmmuuttaattiioonn PP aanndd KKeeyy SScchheedduullee | | bbyy BBootthh MMeessssaaggee aanndd AAuuttooccllaavvee SS--bbooxx IInnppuuttss | +----------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+ |Round || 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | +----------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+ |CKdep ||Both,Either | Both,Either | Both,Either | Both,Either | Both,Either | Both,Either | Both,Either | Both,Either | +----------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+ |PC2.std || 0.0,5.36 | 2.01,39.17 | 36.50,82.25 | 81.03,98.44 | 95.87,100.0 | 99.33,100.0 | 100.0,100.0 | 100.0,100.0 | |PC2.worst || 0.0,5.36 | 0.0,42.19 | 33.71,81.47 | 73.88,91.29 | 84.38,96.21 | 92.86,99.55 | 98.66,100.0 | 100.0,100.0 | |PC2 X 1 || 0.0,5.36 | 0.22,38.62 | 29.91,81.47 | 65.07,98.21 | 73.66,100.0 | 80.13,100.0 | 87.28,100.0 | 93.97,100.0 | |PC2 X 2 || 0.0,5.36 | 0.45,39.06 | 30.36,82.37 | 67.08,98.66 | 77.01,100.0 | 83.26,100.0 | 90.18,100.0 | 95.87,100.0 | |PC2 X 3 || 0.0,5.36 | 0.45,39.06 | 30.13,81.92 | 66.74,98.21 | 76.79,100.0 | 83.04,100.0 | 89.96,100.0 | 95.76,100.0 | |PC2 X 4 || 0.0,5.36 | 0.45,39.06 | 30.13,81.92 | 66.52,98.21 | 75.67,100.0 | 80.36,100.0 | 86.38,100.0 | 92.41,100.0 | +----------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+ -- 66 -- AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy A closer look at the structure of the regular permutations shows that the autoclave input bits are clustered, due to the method used to assign them to S-box inputs. By altering the order of inputs within each S-box, a more regular arrangement of autoclave inputs was obtained. When these were tested, the growth of dependence on both was much greater, thus emphasizing the importance of this criterion on the design of _P_C2. To obtain an indication of the relative influences of each of the components in the key schedule, a series of trials were run, in which each of the following three components were var- ied with the specified alternatives: _P based on the results in [BrS90], two permutations P were used: +o the current DES _P and +o a strictly regular permutation generated by a difference function on the S-box number of [+1 -2 +3 +4 +2 -1]. Because of its very regular structure, the propagation of dependencies may be more easily calculated. _P_C2 from the above work, the 4 best performing regular _P_C2 were extracted. Then these were processed to provide three levels of clustering of the autoclave inputs. _K_S the key variant in the key rotation schedule appears to be the distribution of shifts of 1 verses 2 places. A set of key schedules with various numbers of shifts of 1 ini- tially were derived as shown in Table 6. +-----------------------------------------------+ | TTaabbllee 66 -- TTrriiaall KKeeyy SScchheedduulleess | +------++---------------------------------------+ |Round ||1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | +------++---------------------------------------+ |KS ||2 2 2 2 2 2 2 2 2 2 2 2 1 1 1 1 | |KS ||1 2 2 2 2 2 2 2 2 2 2 2 2 1 1 1 | |KS ||1 1 2 2 2 2 2 2 2 2 2 2 2 2 1 1 | |KS ||1 1 1 2 2 2 2 2 2 2 2 2 2 2 2 1 | |KS ||1 1 1 1 2 2 2 2 2 2 2 2 2 2 2 2 | +------++---------------------------------------+ When this test was run, the following conclusions were made: +o the current permutation _P performed better, possibly because its less than regular structure assisted the dis- tribution of dependencies between the autoclave and mes- sage inputs. +o permutations _P_C2 with the best spread of autoclave inputs, performed best as expected. +o a key schedule with as many shifts of 1 initially per- formed best. This again would appear to be a function of -- 77 -- AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy the best method for spreading bits to as many S-box inputs as soon as possible. 77.. DDeessiiggnn CCrriitteerriiaa ffoorr NNeeww KKeeyy SScchheedduulleess From the above results, the design principles for designing key schedules can now be summarized as follows: The key schedule ensures that: 1 each key bit is used as input to each S-box in turn 2 no bit is used as autoclave inputs on successive rounds 3 no bit is excluded on successive rounds 4 the final key register value is identical to the original key register value (to enable easy reversal of the key schedule for decryption) 88.. AAnn AAlltteerrnnaattiivvee KKeeyy SScchheedduullee DDeessiiggnn In the design of the DES, small key rotations were used, which required the use of permutation _P_C2 to provide a fan-out of key-bits across the S-box inputs, in order to satisfy the above principles. An alternative design can be envisaged in which a large key rotation interval is used, along with a null _P_C2 (ie: so called worst case _P_C2), or a local _P_C2 which only permutes bits within each block of 6 S-box inputs. The two _P_C2 permuta- tions used are shown in Table 7. +-------------------------------------------------------------------+ | TTaabbllee 77 -- NNuullll aanndd LLooccaall PPeerrmmuuttaattiioonnss PPCC22 | | ffoorr AAlltteerrnnaattiivvee KKeeyy SScchheedduullee | +-------------------------------------------------------------------+ |C: 1* 1 1 1 1 1* 2* 2 2 2 2 2* 3* 3 3 3 3 3* 4* 4 4 4 4 4* X X X X | |D: 5* 5 5 5 5 5* 6* 6 6 6 6 6* 7* 7 7 7 7 7* 8* 8 8 8 8 8* X X X X | +-------------------------------------------------------------------+ |C: 1* 1 1 1 1 1* 2 2 2 2* 2* 2 3 3* 3* 3 3 3 4* 4 4 4 4 4* X X X X | |D: 5* 5 5 5 5 5* 6 6 6 6* 6* 6 7 7* 7* 7 7 7 8* 8 8 8 8 8* X X X X | +-------------------------------------------------------------------+ For this design, a constant key rotation of 7 bits was used, both because it is larger than the number of inputs to an S- box, and because after sixteen rounds, the key register con- tents are the same as the original value (since 7*16=112=4*28=2*56), for both split key registers or a single large key register. This schedule is shown in Table 8. -- 88 -- AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy +-----------------------------------------------+ | TTaabbllee 88 -- AAlltteerrnnaattiivvee CCoonnssttaanntt KKeeyy SScchheedduullee | +------++---------------------------------------+ |Round ||1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | +------++---------------------------------------+ |KS ||7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 | +------++---------------------------------------+ The results obtained for these _P_C2 permutations and this key schedule, using both a split key rotation register, and a sin- gle key register, are shown in Table 9. +----------------------------------------------------------------------------------------------------------------------+ | TTaabbllee 99 -- DDeeppeennddeennccyy ooff CCiipphheerrtteexxtt bbiittss oonn KKeeyy bbiittss | | UUssiinngg CCuurrrreenntt DDEESS PPeerrmmuuttaattiioonn PP aanndd tthhee AAlltteerrnnaattiivvee KKeeyy SScchheedduullee | | bbyy BBootthh MMeessssaaggee aanndd AAuuttooccllaavvee SS--bbooxx IInnppuuttss | +------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+ |Round || 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | +------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+ |PC2 ||Both,Either | Both,Either | Both,Either | Both,Either | Both,Either | Both,Either | Both,Either | Both,Either | +------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+ | SSpplliitt KKeeyy RReeggiisstteerr UUsseedd | +------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+ |null || 0.0,5.36 | 1.56,39.06 | 34.82,82.03 | 76.56,98.33 | 91.52,100.0 | 98.21,100.0 | 100.0,100.0 | 100.0,100.0 | |local || 0.0,5.36 | 2.57,39.06 | 38.17,82.03 | 83.82,98.33 | 98.21,100.0 | 100.0,100.0 | 100.0,100.0 | 100.0,100.0 | +------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+ | SSiinnggllee KKeeyy RReeggiisstteerr UUsseedd | +------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+ |null || 0.0,5.36 | 1.79,38.73 | 35.04,81.70 | 76.56,98.33 | 91.52,100.0 | 98.21,100.0 | 100.0,100.0 | 100.0,100.0 | |local || 0.0,5.36 | 2.79,38.73 | 38.39,81.70 | 83.82,98.33 | 98.21,100.0 | 100.0,100.0 | 100.0,100.0 | 100.0,100.0 | +------++------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+ These results are very similar in performance to the key sched- ule used in the current DES (see Table 5). The null _P_C2 per- forms slightly worse, whilst the local _P_C2 performs better. Depending on the efficiency required, a tradeoff between best performance and ease of implementation can be made between these. There is very little difference in performance between the split and single key rotation registers, thus either could be chosen, depending on other constraints. 99.. CCoonncclluussiioonn The key schedule in the current DES has been analysed, and some empirical principles which could have been used in its design derived. These were used to test a number of alternative key schedules, which led to the development of a new set of gener- alized principles to be used in the design of a new algorithm. An alternative key schedule which either eliminates permutation _P_C2, or uses a local _P_C2, was tried and found to be as effec- tive as that used in the current DES. This is thus suggested for use in any new algorithm. -- 99 -- AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy AAcckknnoowwlleeddggeemmeennttss To the following members of the Centre for Computer Security Research: Leisa Condie, Thomas Hardjono, Mike Newberry, Cathy Newberry, Josef Pieprzyk, and Jennifer Seberry; and to: Dr. George Gerrity, Dr. Andzej Goscinski, and Dr. Charles Newton; for their comments on, suggestions about, and critiques of this paper. Thankyou. -- 1100 -- AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy RReeffeerreenncceess [ASA85] ASA, "_E_l_e_c_t_r_o_n_i_c_s _F_u_n_d_s _T_r_a_n_s_f_e_r _- _R_e_q_u_i_r_e_m_e_n_t_s _f_o_r _I_n_t_e_r_f_a_c_e_s_, _P_a_r_t _5_, _D_a_t_a _E_n_c_r_y_p_t_i_o_n _A_l_g_o_r_i_t_h_m," AS2805.5-1985, Standards Association of Australia, Sydney, Australia, 1985. [Bro89] L. Brown, "A Proposed Design for an Extended DES," in _C_o_m_p_u_t_e_r _S_e_c_u_r_i_t_y _i_n _t_h_e _A_g_e _o_f _I_n_f_o_r_m_a_t_i_o_n, W. J. Caelli (editor), North-Holland, Amsterdam, 1989. [BrS90] L. Brown and J. Seberry, "On the Design of Permutation P in DES Type Cryptosystems," in _A_d_v_a_n_c_e_s _i_n _C_r_y_p_t_o_l_o_g_y _- _E_u_r_o_c_r_y_p_t_'_8_9, Lecture Notes in Computer Science, no. 434, J. J. Quisquater and J. Vanderwalle (editors), pp. 696-705, |Springer Verlag|, Berlin, 1990. [DDF83] M. Davio, Y. Desmedt, M. Fosseprez, R. Govaerts, J. Hulsbosch, P. Neutjens, P. Piret, J. Quisquater, J. Vanderwalle and P. Wouters, "Analytical Characteristics of the DES," in _A_d_v_a_n_c_e_s _i_n _C_r_y_p_t_o_l_o_g_y _- _|_P_r_o_c_._| _o_f _C_r_y_p_t_o _8_3, D. Chaum, R. L. Rivest and A. T. Sherman (editors), pp. 171-202, Plenum Press, New York, |August.| 22-24, 1983. [GrT78] E. K. Grossman and B. Tuckerman, "Analysis of a Weakened Feistel-Like Cipher," in _|_P_r_o_c_._| _1_9_7_8 _I_E_E_E _|_C_o_n_f_._| _O_n _C_o_m_m_u_n_i_c_a_t_i_o_n_s, pp. 46.3.1-5, IEEE, 1978. [MeM82] C. H. Meyer and S. M. Matyas, _C_r_y_p_t_o_g_r_a_p_h_y_: _A _N_e_w _D_i_m_e_n_s_i_o_n _i_n _D_a_t_a _S_e_c_u_r_i_t_y, |John Wiley & Sons, New York, 1982. [MoS86] J. H. Moore and G. J. Simmons, "Cycle Structure of the Weak and Semi-Weak DES Keys," _E_u_r_o_c_r_y_p_t _8_6 _- _A_b_s_t_r_a_c_t_s _o_f _P_a_p_e_r_s , p. 2.1, Linkoping, Sweden, 20-22 |May| 1986. [MoS87] J. H. Moore and G. J. Simmons, _A_d_v_a_n_c_e_s _i_n _C_r_y_p_t_o_l_o_g_y _- _|_P_r_o_c_._| _o_f _C_R_Y_P_T_O_'_8_6, Lecture Notes in Computer Science, no. 263, pp. 9-32, |Springer Verlag|, Berlin, 1987. [NBS77] NBS, "_D_a_t_a _E_n_c_r_y_p_t_i_o_n _S_t_a_n_d_a_r_d _(_D_E_S_)," FIPS PUB 46, US National Bureau of Standards, Washington, DC, |January.| 1977. [PiS89] J. Pieprzyk and J. Seberry, "_R_e_m_a_r_k_s _o_n _E_x_t_e_n_s_i_o_n _o_f _D_E_S _- _W_h_i_c_h _W_a_y _t_o _G_o_?," Tech. Rep. CS89/4, |Dept. of Computer Science, UC UNSW, Australian Defence Force Academy|, Canberra, Australia, |February.| 1989. [Pie89] J. Pieprzyk, "Error Propagation Property and Application in Cryptography," _I_E_E _P_r_o_c_e_e_d_i_n_g_s_-_E_, _C_o_m_p_u_t_e_r_s _a_n_d _D_i_g_i_t_a_l _T_e_c_h_n_i_q_u_e_s, vol. 136, no. 4, -- 1111 -- AAuussccrryypptt9900 KKeeyy SScchheedduulliinngg iinn DDEESS TTyyppee CCrryyppttoossyysstteeBBmmrrssoowwnn,, SSeebbeerrrryy pp. 262-270, |July| 1989. [SeP89] J. Seberry and J. Pieprzyk, _C_r_y_p_t_o_g_r_a_p_h_y_: _A_n _I_n_t_r_o_d_u_c_t_i_o_n _t_o _C_o_m_p_u_t_e_r _S_e_c_u_r_i_t_y, |Prentice Hall, Englewood Cliffs, NJ|, 1989. -- 1122 --