0

In this post, there's a discussion on single DES not having a key that yields the identity function. It mentions at the top:

That proposition is false for 2DES (EE), even restricted to one key, because twice applying encryption with the all-zero key (and the Final Swap built into the Final Permutation) yields identity.

Why is that so? Is it because there's an even number of rounds and so the second DES would act like the decryption for that key?

If so, would that mean that using all 1s also acts as a decryptor (i.e. $DES_{1}(DES_{1}(m)) = DES^{-1}_{1}(DES_{1}(m))$)?

Anon
  • 403
  • 1
  • 8

1 Answers1

2

Why is that so?

It's a property of DES, known as 'weak keys'. What DES does during decryption is generate the same set of 16 subkeys as it does during encryption, however it processes them in the opposite order (so what was the round 16 encryption subkey becomes the round 1 decryption subkey); because of the Feistel structure, this reverses the operation.

There are 4 specific DES keys that yield palindromic DES subkeys, that is, the round 1 subkey is the same as the round 16 subkey, and the round 2 subkey is also the round 15 subkey, etc. When that happens, the 'encryption' subkeys are exactly the same as the 'decryption' subkeys; that is, DES with one of those weak keys is a self-inverse.

Because of this, 2DES with both DES operations given the same weak key, is the identity function.

poncho
  • 147,019
  • 11
  • 229
  • 360