Abstract

This paper serves two purposes: we present some generalizations of the Data Encryption Standard (DES), and explain how to efficiently implement DES and its generalization in software. By preserving the macro structure of DES, but by allowing the user to choose (1) 16 × 48 independent key bits instead of generating them all using only 56 key bits, (2) arbitrary substitutions S1, …, S8, (3) arbitrary permutations IP and P, and (4) an arbitrary expanding permutation E, we obtain a very general and presumably much stronger cipher called generalized DES (G-DES). A cipher having the first three extensions is called G-DES with non-arbitrary E. We choose, in an unorthodox way, from some well-known equivalent representations of G-DES and some well-suited table combinations and implementations. Concatenations of substitutions and permutations are precomputed and tabulated. Since direct tabulation of, for example, a permutation of 32 bits requires 2^32 entries of 4 bytes each, which clearly exceeds today's main memories, the big table is split into smaller ones that permute disjoint and compact parts of the input bits at the appropriate positions. To compute an entry in the big table, the corresponding entries in the smaller tables are ORed. For some specific expanding permutations (including the original E in DES), the expense of this permutation can be reduced drastically: only copy, rotate and AND with a mask stored in a register are necessary if the bits in the register and the tables of the substitutions are ordered appropriately. Since this is the only way we know of to achieve better performance for DES than for G-DES, it does not seem to make sense to implement anything more narrow in software than G-DES with non-arbitrary E. Using these techniques, we get by far the fastest software implementations of DES (more specifically G-DES with non-arbitrary E) and G-DES known to us.
The same DES and G-DES implementations, partly in MC68000 assembler language, achieve 100 and 80 kbits/s on an Apple Macintosh Classic (MC68000, 7·83 MHz, 150 ns RAM), 1109 and 789 kbits/s on an Apple Macintosh IIfx (MC68030, 40 MHz, 32 Kbyte cache board, 80 ns RAM) in ECB and CBC modes using less than 110 and 430 Kbytes main memory. OFB(64) mode is between 12% and 234% faster because we can save IP, except for the first time. Conversely, if CBC mode is used for authentication, we can save IP⁻¹ except for the last block. This increases speed by between 6% and 24%. To avoid unnecessary IP and IP⁻¹ executions, and to enable multiple encryption in all modes of operation, our implementation supports multiple encryption. Our table implementation makes it possible to save key EORing (Exclusive OR = bitwise addition mod 2) in each round by precomputing a key-specific table for every (or in some cases only every second) round. Memory requirements can be reduced by not copying bits which are input to one combined S-box.
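The table-splitting idea described in the abstract, shown as an added example in C (not code from the paper): the 32-bit DES permutation P is tabulated as four 256-entry tables, one per input byte, and a lookup ORs the four entries. The byte-wide split and the function names `permute_bitwise`, `build_tables`, `permute_tables` and `count_mismatches` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* DES permutation P (FIPS 46-3); bit 1 is the most significant bit. */
static const uint8_t P[32] = {
    16, 7, 20, 21, 29, 12, 28, 17,  1, 15, 23, 26,  5, 18, 31, 10,
     2, 8, 24, 14, 32, 27,  3,  9, 19, 13, 30,  6, 22, 11,  4, 25
};

/* Reference: move one bit at a time (32 iterations per word). */
uint32_t permute_bitwise(uint32_t x)
{
    uint32_t y = 0;
    for (int i = 0; i < 32; i++)
        if ((x >> (32 - P[i])) & 1u)
            y |= 1u << (31 - i);
    return y;
}

/* Four tables of 256 entries (4 KiB total) instead of one with 2^32 entries. */
static uint32_t ptab[4][256];

/* Entry [k][v]: byte value v placed alone at byte k (0 = MSB), then permuted. */
void build_tables(void)
{
    for (int k = 0; k < 4; k++)
        for (uint32_t v = 0; v < 256; v++)
            ptab[k][v] = permute_bitwise(v << (24 - 8 * k));
}

/* Entry of the big table = OR of the matching entries of the small tables. */
uint32_t permute_tables(uint32_t x)
{
    return ptab[0][x >> 24] | ptab[1][(x >> 16) & 0xff]
         | ptab[2][(x >> 8) & 0xff] | ptab[3][x & 0xff];
}

/* Compare both methods on constructed inputs; returns the mismatch count. */
int count_mismatches(void)
{
    uint32_t x = 0x12345678u;
    int bad = 0;
    build_tables();
    for (int i = 0; i < 100000; i++) {
        x = x * 1664525u + 1013904223u;   /* LCG: constructed test inputs */
        bad += permute_tables(x) != permute_bitwise(x);
    }
    return bad;
}
int main(void) { printf("mismatches: %d\n", count_mismatches()); return 0; }
```

Because a bit permutation is linear over OR for inputs with disjoint set bits, the same construction works for any arbitrary P or IP, which is why G-DES costs no more here than DES.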
