More efficient software implementations of (generalized) DES

By preserving the macro structure of the Data Encryption Standard (DES), but by allowing the user to choose 1. 16•48 independent key bits instead of generating them all using only 56 key bits, 2. arbitrary substitutions S1, ..., S8 and 3. arbitrary permutations IP and P, and 4. an arbitrary expanding permutation E, we obtain a very general and presumably much stronger cipher called generalized DES, or G-DES for short. A cipher having the first three extensions is called G-DES with non-arbitrary E. We choose, in an unorthodox way, from some well known equivalent representations of G-DES and some well suited table combinations and implementations. Concatenations of substitutions and permutations are precomputed and tabulated. Since direct tabulation of e.g. a permutation of 32 bits requires 232 entries of 4 bytes each, which clearly exceeds the main memories of today, the big table is split into smaller ones that permute disjoint and compact parts of the input bits at the appropriate positions. To compute an entry in the big table, the corresponding entries in the smaller tables are ORed. For some specific expanding permutations (including the original E in DES), the expense of this permutation can be reduced drastically: Only copy, rotate, and AND with a mask of a register is necessary, if the bits in the register and the tables of the substitutions are ordered appropriately. Since this is the only way to achieve better performance for DES than for G-DES we know, it does not seem to make sense to implement anything more narrow in software than G-DES with non-arbitrary E. __________________________ This is an extended and revised version of a paper presented at SECURICOM 90.