Davies–Meyer Hash Function

Abstract

The Data Encryption Standard (DES) [31] has been around for more than 25 years. During this time the standard was revised three times: as FIPS-46-1 in 1988, as FIPS-46-2 in 1993 and as FIPS-46-3 in 1999. DES was an outcome of a call for primitives in 1974, which did not result in many serious candidates except for a predecessor of DES, Lucifer [15, 36] designed by IBM around 1971. It took another year for a joint IBM-NSA effort to turn Lucifer into DES. The structure of Lucifer was significantly altered: since the design rationale was never made public and the secret key size was reduced from 128-bit to 56-bits, this initially resulted in controversy, and some distrust among the public. After some delay , FIPS-46 was published by NBS (National Bureau of Standards)-now NIST (National Institute of Standards and Technology)-on Jan-uary 15, 1977 [31] (see [35] for a discussion of the standardization process). However, in spite of all the controversy it is hard to underestimate the role of DES [31]. DES was one of the first commercially developed (as opposed to government developed) ciphers whose structure was fully published. This effectively created a community of researchers who could analyse it and propose their own designs. This lead to a wave of public interest in cryptography, from which much of the cryptography as we know it today was born. DESCRIPTION OF DES: The Data Encryption Standard, as specified in FIPS Publication 46-3 [31], is a block cipher operating on 64-bit data blocks. The encryption transformation depends on a 56-bit secret key and consists of sixteen Feistel iterations surrounded by two permutation layers: an initial bit permutation IP at the input, and its inverse IP −1 at the output. The structure of the cipher is depicted in Figure 1. The decryption process is the same as the encryption, except for the order of the round keys used in the Feistel iterations. As a result, most of the circuitry can be reused in hardware implementations of DES. The 16-round Feistel network, which constitutes the cryptographic core of DES, splits the 64-bit data blocks into two 32-bit words (denoted by L 0 and R 0). In each iteration (or round), the second word R i is fed to a function f and the result is added to the first word L i. Then both words are swapped and the algorithm proceeds to the next iteration. The function f is key-dependent and consists of four stages (see Figure 2). Their description is given below. Note that all bits in DES are numbered from left to right, i.e., the leftmost bit of a block (the most significant bit) is bit 1. 1. Expansion (E). The 32-bit input word is first expanded to 48 bits by duplicating and reordering half of the bits. The selection of bits is specified by Table 1. The first row in the table refers to the first 6 bits of the expanded word, the second row to bits 7-12, and so on. Thus bit 41 of the expanded word, for example, gets its value from bit 28 of the input word. 2. Key mixing. The expanded word is XORed with a round key constructed by selecting 48 bits from the 56-bit secret key. As explained below , a different selection is used in each round. INPUT INITIAL PERMUTATION INVERSE INITIAL PERM L O L 1 = R 0 L 2 = R 1 L 15 = R 14 L 16 = R 15 R O + R 1 = L 0 f(R O , K 1) + R 2 = L 1 f(R 1 , K 2) + R 15 = L 14 f(R 14 , K 15) + R 16 = L 15 f(R 15 , K 16) + OUTPUT PERMUTED INPUT