[2042] in cryptography@c2.net mail archive
Re: Speeding up a DES cracker yet again
daemon@ATHENA.MIT.EDU (Colin Plumb)
Wed Jan 14 12:18:33 1998
Date: Tue, 13 Jan 1998 17:44:11 -0700 (MST)
From: Colin Plumb <colin@nyx.net>
To: cryptography@c2.net, giff@va.pubnix.com
> Now, the PC-2 block which selects bits from PC-1 has an interesting
> property. The first 24 entries will only select bits from the C0 block.
> The last 24 entries will only select bits from the D0 block. Mapping this
> onto each round of DES, it becomes clear that the bits listed in the C0
> block only map to the first four S-boxes, never the last four. And the
> bits listed in the D0 block only map the the last four S-boxes, never the
> first four.
You're quite right. In the standrd DES key layout, with parity in the
LSBs, this corresponds to XORing the first 4 bytes of the ley with 0xe1
and the last 4 bytes with 0xf0.
> For the DES encryption (Note! This is the encryption ignoring the IP/IP-1
> transforms!): C = DES(P, K),
> 1) Invert the top half of P and all Key bits from C0 block, the top half
> of the output will be complemented, the lower half is unchanged.
You mean the top halves, right? Top half of left and top half of right?
Which corresponds to XORing the pre-IP plaintext and ciphertext with
0xF0.
> Comments? Anybody want to try modifying their source a little to test
> that out?
Yes. The E expansion foils this. The top and bottom halves (quarters?)
of the left and right halves share some bits through the E expansion,
which defeats the clean separation.
(For what it's worth, you convinced me to actually hack on some source
code and try this, and get annoyed when it didn't work, until I printed
out the rounds of cipher operation and saw the problem.)
--
-Colin
