DES (Data Encryption Standard)

IBM's Horst Feistel led the design of Lucifer in the early 1970s. NBS (now NIST) issued an open call for a standard cipher; IBM submitted a hardened Lucifer derivative; NSA modified the S-boxes and reduced the key from 112 bits to 56 bits. Cryptographers cried foul over the key-length cut and the unexplained S-box changes — until 1991, when Biham and Shamir showed the NSA's S-boxes were specifically hardened against differential cryptanalysis, a technique IBM and NSA both knew about and the public did not.

DES is a 16-round Feistel network. The 64-bit plaintext is split into two 32-bit halves L and R. Each round computes Li+1 = Ri and Ri+1 = Li ⊕ F(Ri, Ki). The round function F expands R to 48 bits, XORs the round subkey, passes the result through eight 6-to-4-bit S-boxes (the heart of DES's non-linearity), and applies a final permutation. Sixteen rounds of this with sixteen subkeys derived from the 56-bit master key produce ciphertext that survives all linear and differential attacks within its key budget — but not exhaustive search.

In 1998 the EFF's $250,000 Deep Crack machine recovered a DES key in 56 hours by brute force. By 2008 a single FPGA cluster could do it in under a day. Differential and linear cryptanalysis require ~2⁴⁷ chosen plaintexts — impractical operationally, but a clear theoretical break. Triple-DES (3DES) extended the effective key to 112 bits and bought DES another two decades, but by 2023 NIST formally retired 3DES because of the small 64-bit block size (the Sweet32 birthday attack) and modern computing capacity.