DES takes as input a secret message that will be encrypted:

And a 64bit Key, that will be used to both encrypt and decrypt:

Resulting in a Ciphertext:

In general, a 64-bit key is used as input for DES, of which only 56-bits are used. 16 subkeys, with 48-bit each, will then be created from this 56-bits.

The first step is to permute the key using the PC-1 table above. This is, the first bit of our 56-bit permutation key will be the 57th bit of our original key, and so on.

PC-157 49 41 33 25 17 9 1 58 50 42 34 26 18 10 2 59 51 43 35 27 19 11 3 60 52 44 36 63 55 47 39 31 23 15 7 62 54 46 38 30 22 14 6 61 53 45 37 29 21 13 5 28 20 12 4

For example, our input key:

Would become:

Next we divide the key in two parts, left ** C_{0}** and right

With ** C_{0}** and

Each pair of blocks

Iteration Number of Number Left Shifts 1 1 2 1 3 2 4 2 5 2 6 2 7 2 8 2 9 1 10 2 11 2 12 2 13 2 14 2 15 2 16 1

To do a left shift we move each bit one place to the left, except for the first bit which goes to the end of the block.

In our example, we would have the following 16 keys:

** C_{0}**:

Would originate:

We will now form the final 16 keys by applying another permutation (PC-2 table) to each of the the 16 *C _{n}*

PC-214 17 11 24 1 5 3 28 15 6 21 10 23 19 12 4 26 8 16 7 27 20 13 2 41 52 31 37 47 55 30 40 51 45 33 48 44 49 39 56 34 53 46 42 50 36 29 32

For example, our key *C _{1}*

The other keys are:

Now that we have our keys, it's time to encode our message.

The first thing we need to do is to apply an initial permutation IP to each block of 64 bits, according to the table:

IP58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4 62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8 57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3 61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7

For example, the first 64-bit block from our message

Would become:

We now divide the permuted block in left and right:

** L_{0}** =

We will now iterate through 16 cycles, each using one of the 16 48-bit keys we computed previously.

We will use a function ** f** which operates over a data block of 32 bits and a key

For

=L_{n}R_{n-1}

=R_{n}⊕L_{n-1}(f,R_{n-1})K_{n}

This is, in each iteration, we take the right 32 bits of the previous result and make them the left 32 bits of the current step. The right 32 bits in the current step are computed XORing the left 32 bits of the previous step with the result of the ** f** function.
This will result in a final block

To calculate ** f**, we first expand each block

This selection table

Let **E** be such that the 48 bits of its output, written
as 8 blocks of 6 bits each, are obtained by selecting the
bits in its inputs in order according to the following
table:

E BIT-SELECTION TABLE32 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 13 12 13 14 15 16 17 16 17 18 19 20 21 20 21 22 23 24 25 24 25 26 27 28 29 28 29 30 31 32 1

In our example we can get **E**(** R_{0}**) from

** R_{0}** =

The next step in ** f** calculation is to XOR the output

⊕K_{n}E()R_{n-1}

In our example we have:

** K_{1}** =

We have not yet finished calculating the function ** f** .
To this point we have expanded

An

⊕K_{n}E() =R_{n-1},B_{1}B_{2}B_{3}B_{4}B_{5}B_{6}B_{7}B_{8}

where each ** B_{i}** is a group of six bits. We now compute:

S_{1}(B_{1})S_{2}(B_{2})S_{3}(B_{3})S_{4}(B_{4})S_{5}(B_{5})S_{6}(B_{6})S_{7}(B_{7})S_{8}(B_{8})

The ** S_{1}** box works as follows:

S1 Column Number Row No. 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

The first and last bits of ** B** represent in base 2 a number in the decimal range 0 to 3 (binary 00 to 11).
Let that number be

The 4 bits in the middle of

Look up in the table the number in the

The tables defining the functions ** S_{1},...,S_{8}** are
the following:

S114 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13S215 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15 13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9S310 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8 13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1 13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12S47 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15 13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9 10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14S52 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9 14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14 11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3S612 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11 10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13S74 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12S813 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11

In our example we obtain as the
output of the eight **S** boxes:

** K_{1}**⊕

** S_{1}(B_{1})S_{2}(B_{2})S_{3}(B_{3})S_{4}(B_{4})S_{5}(B_{5})S_{6}(B_{6})S_{7}(B_{7})S_{8}(B_{8})**
=

The final stage in the calculation of ** f** is to do a permutation

P16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10 2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25

From our example we get that:

** S_{1}(B_{1})S_{2}(B_{2})S_{3}(B_{3})S_{4}(B_{4})S_{5}(B_{5})S_{6}(B_{6})S_{7}(B_{7})S_{8}(B_{8})**
=

f =

** R_{1}** =

=

⊕

=

In the next round, we will have ** L_{2}** =

R_{16}L_{16}

and apply a final permutation **IP ^{-1}** as defined by
the following table:

IP40 8 48 16 56 24 64 32 39 7 47 15 55 23 63 31 38 6 46 14 54 22 62 30 37 5 45 13 53 21 61 29 36 4 44 12 52 20 60 28 35 3 43 11 51 19 59 27 34 2 42 10 50 18 58 26 33 1 41 9 49 17 57 25^{-1}

That is, the output of the algorithm has bit 40 of the preoutput block as its first bit, bit 8 as its second bit, and so on, until bit 25 of the preoutput block is the last bit of the output.

**Example:** If we process all 16 blocks using the method
defined previously, we get, on the 16th round,

** L_{16}** =

We reverse the order of these two blocks and apply the final permutation to

** R_{16}L_{16}** =

** IP^{-1}** =

And that's it. If we apply the same steps to every 64-bit chunk of our message we obtain the final cipher:

Decryption is simply the inverse of encryption, follwing the same steps as above, but reversing the order in which the subkeys are applied.