Starting with DES: The Basic Idea of Block Ciphers

Published: Sat Feb 01 2025 | Modified: Sat Feb 07 2026 , 9 minutes reading.

1. Why Should You Care?

You’ll probably never use DES in a production environment. It was officially declared insecure in 1999.

So why learn it?

Because DES defined the basic patterns of block ciphers—blocks, round functions, key schedules—concepts you’ll see in AES, Blowfish, and even modern ChaCha20. Understanding DES’s design and failure helps you understand why AES is designed the way it is, and why some configurations are secure while others aren’t.

More practically: you might encounter DES or 3DES in legacy systems. Knowing why they’re insecure is more valuable than just knowing “don’t use them.”

2. Definition

A block cipher is an encryption algorithm that transforms fixed-length plaintext blocks into ciphertext blocks of the same length.

Plaintext block (64 bits) + Key → Ciphertext block (64 bits)

Key characteristics:

Fixed block size: DES uses 64 bits, AES uses 128 bits
Deterministic: Same block and key always produce the same ciphertext
Reversible: Given the key, ciphertext can be decrypted back to plaintext

Compared to stream ciphers:

Stream ciphers process bit-by-bit or byte-by-byte
Block ciphers process an entire block at once

3. Why We Need Blocks

Problem: How to Encrypt Arbitrary-Length Data?

The simplest idea is to use a substitution table for each character (like Caesar cipher). But this has fatal problems:

Plaintext:  ATTACK AT DAWN
Ciphertext: ZGGZXP ZG WZTK

Problem: Same letter → Same ciphertext
         Frequency analysis can break it

Solution 1: Large Blocks

What if we process multiple characters as a single unit?

Block 1: "ATTA" → "K7X2"
Block 2: "CK A" → "P9M1"
Block 3: "T DA" → "Q3Z8"
Block 4: "WN  " → "L5Y4"

Now the same letter at different positions produces different output because it’s combined with different neighbors.

Solution 2: Complex Transformations

Blocking alone isn’t enough. We need each input bit to affect multiple output bits, making statistical analysis difficult.

This is why block ciphers use multiple rounds of complex operations:

Substitution: Replace one value with another
Permutation: Rearrange bit positions
Mixing: Combine different bits

4. DES Structure: The Feistel Network

DES uses a structure called the Feistel network. This design is elegant: encryption and decryption use almost the same circuit.

Basic Flow

Input (64 bits)
    │
    ▼
┌───────────┐
│ Initial   │
│ Permutation│
└───────────┘
    │
    ▼
┌─────────────────────────────────┐
│       16 Rounds of Feistel     │
│                                 │
│  L₀ ──────────┬────────► R₀    │
│               │                │
│               ▼                │
│           ┌───────┐            │
│           │   F   │◄── K₁      │
│           └───────┘            │
│               │                │
│               ▼                │
│  L₁ = R₀     XOR              │
│  R₁ = L₀ ⊕ F(R₀, K₁)          │
│               │                │
│              ...               │
│        (Repeat 16 times)       │
└─────────────────────────────────┘
    │
    ▼
┌───────────┐
│ Final     │
│ Permutation│
└───────────┘
    │
    ▼
Output (64 bits)

Feistel Round Details

Each round:

Split the 64-bit block into left and right halves (32 bits each)
Right half goes through F function with subkey
F function output XORed with left half
Swap left and right, proceed to next round

def feistel_round(L, R, subkey):
    new_L = R
    new_R = L ^ F(R, subkey)
    return new_L, new_R

Why This Design Is Clever

Decryption just reverses the subkey order:

# Encryption: K1, K2, K3, ... K16
# Decryption: K16, K15, K14, ... K1

def decrypt_round(L, R, subkey):
    new_R = L
    new_L = R ^ F(L, subkey)  # Exact same F function!
    return new_L, new_R

In the hardware era, this meant the same chip could do both encryption and decryption—just change the key order.

5. The F Function: DES’s Core

The F function is where DES gets its security. It contains:

Expansion Permutation (E)

32 bits → 48 bits

Original bits are reused, creating redundancy
This spreads small input changes to multiple output positions

XOR with Subkey

48-bit data ⊕ 48-bit subkey

S-boxes (Substitution Boxes)

┌────────────────────────────────────────────┐
│ 8 S-boxes, each:                           │
│   - Input: 6 bits                          │
│   - Output: 4 bits                         │
│   - Non-linear mapping (key to security!)  │
└────────────────────────────────────────────┘

48 bits → 8 × 4 = 32 bits

S-boxes are the only non-linear component in DES. Without them, DES would be just XORs and permutations—breakable by linear algebra.

Permutation (P)

Rearranges 32 bits

Ensures one S-box's output affects multiple S-boxes' input in the next round

6. Key Schedule: From 56 Bits to 16 Subkeys

DES uses a 56-bit effective key (8 of 64 bits are parity) to generate 16 48-bit subkeys.

Original Key (56 bits)
    │
    ▼
┌───────────┐
│ PC-1      │ (Select 56 bits)
│ Permutation│
└───────────┘
    │
    ▼
Split into C₀ and D₀ (28 bits each)
    │
    ▼
┌─────────────────────────────┐
│ For each round i = 1 to 16: │
│   Cᵢ = Left shift Cᵢ₋₁     │
│   Dᵢ = Left shift Dᵢ₋₁     │
│   Kᵢ = PC-2(Cᵢ, Dᵢ)        │
└─────────────────────────────┘
    │
    ▼
16 subkeys K₁, K₂, ... K₁₆

7. Why DES Failed

Fatal Flaw: Key Too Short

56-bit key = 2⁵⁶ = 72,057,594,037,927,936 possibilities

1977: This seemed secure
1998: EFF's Deep Crack broke it in 56 hours using $250,000 hardware
1999: distributed.net + Deep Crack broke it in 22 hours
2025: A modern GPU can brute force it in minutes

Block Size Also Too Small

64-bit blocks = Collisions after 2³² plaintext/ciphertext pairs

In CBC mode, starts leaking information after processing ~32GB of data
This is the "birthday attack" problem

3DES: A Stopgap

To extend DES’s life, Triple DES was invented:

3DES encryption: E(K3, D(K2, E(K1, plaintext)))
                Encrypt → Decrypt → Encrypt

Using three different keys: 168-bit effective key
Or two keys (K1 = K3): 112-bit effective key

Why “encrypt-decrypt-encrypt” instead of “encrypt-encrypt-encrypt”?

Because if K1 = K2 = K3, 3DES becomes regular DES, maintaining backward compatibility.

3DES Problems

Slow: Requires three DES operations
Block size still 64 bits: Birthday attack problem remains
Outdated design: Based on 1970s technology

8. Evolution from DES to AES

Feature	DES	3DES	AES
Year	1977	1998	2001
Key Length	56 bits	112/168 bits	128/192/256 bits
Block Size	64 bits	64 bits	128 bits
Structure	Feistel	Feistel	SPN
Rounds	16	48	10/12/14
Status	Broken	Deprecated	Secure

AES won the 2001 competition, replacing DES as the new standard. It uses a different structure (SPN instead of Feistel), which we’ll cover in the next article.

9. Code Example: Understanding Feistel Structure

"""
Simplified Feistel structure demonstration
Note: This is not real DES, just for educational purposes
"""

def simple_f_function(right_half, subkey):
    """Simplified F function"""
    # Real DES has complex S-boxes and permutations
    # This just demonstrates the basic concept
    return (right_half ^ subkey) & 0xFFFFFFFF

def feistel_encrypt(plaintext, subkeys):
    """
    Feistel encryption
    plaintext: 64-bit integer
    subkeys: list of 16 subkeys
    """
    # Split into left and right halves
    L = (plaintext >> 32) & 0xFFFFFFFF
    R = plaintext & 0xFFFFFFFF

    # 16 rounds
    for i in range(16):
        new_L = R
        new_R = L ^ simple_f_function(R, subkeys[i])
        L, R = new_L, new_R

    # Final swap and combine
    return (R << 32) | L

def feistel_decrypt(ciphertext, subkeys):
    """
    Feistel decryption
    Just reverse the subkey order!
    """
    return feistel_encrypt(ciphertext, subkeys[::-1])

# Demonstration
if __name__ == "__main__":
    # Generate fake subkeys (real DES has key schedule algorithm)
    import secrets
    subkeys = [secrets.randbits(32) for _ in range(16)]

    plaintext = 0x0123456789ABCDEF

    ciphertext = feistel_encrypt(plaintext, subkeys)
    decrypted = feistel_decrypt(ciphertext, subkeys)

    print(f"Plaintext:  {plaintext:016X}")
    print(f"Ciphertext: {ciphertext:016X}")
    print(f"Decrypted:  {decrypted:016X}")
    print(f"Success:    {plaintext == decrypted}")

10. Common Misconceptions

Misconception	Reality
”DES is only weak because the key is short, the algorithm is fine”	64-bit block size is also a problem, leads to birthday attacks
”3DES has 168-bit key so it’s secure”	Effective security is ~112 bits (meet-in-the-middle attack), plus block size problem remains
”Feistel structure is outdated”	Many modern ciphers still use Feistel variants (Blowfish, Twofish)
“More rounds = more secure”	Rounds must match F function strength; too many rounds waste performance

11. Summary

Three things to remember:

Block ciphers process data in fixed-size chunks. This solves frequency analysis but creates a new problem: “how to handle multiple blocks” (topic for article 8).
Feistel structure is an elegant design. It lets encryption and decryption share the same circuit, just reverse the subkey order. This design influenced decades of cryptography.
DES failed because its parameters were too small. 56-bit key and 64-bit block seemed adequate in 1977, but technology made them insecure. When designing crypto systems, consider security for decades ahead.

12. What’s Next

We understand the basic idea of block ciphers and the Feistel structure. But AES uses a different structure (SPN) and looks more complex.

In the next article, we’ll explore: How AES works—an explanation that doesn’t require math, and why it became the modern encryption standard.

Luke Sun