This section describes DES decryption algorithm - identical to the encryption algorithm step by step in the same order, only with the subkeys applied in the reverse order.

The decryption algorithm of a block cipher should be identical to encryption algorithm
step by step in reverse order. But for DES cipher, the encryption algorithm is so well
designed, that the decryption algorithm is identical to the encryption algorithm
step by step in the same order, only with the subkeys applied in the reverse order.

DES decryption algorithm:

Input:
CC: 64 bits of cipher text
k16, k15, ..., k1: 16 round keys
IP: Initial permutation
FP: Final permutation
f(): Round function
Output:
TT: 64 bits of clear text
Algorithm:
CC' = IP(CC), applying initial permutation
(LL0, RR0) = CC', dividing CC' into two 32-bit parts
(LL1, RR1) = (RR0, LL0 ^ f(RR0, k16))
(LL2, RR2) = (RR1, LL1 ^ f(RR1, k15))
......
TT' = (RR16, LL16), swapping the two parts
TT = FP(TT'), applying final permutation

Here is how to approve the decryption algorithm:

Let:
T: 64 bits of clear text
C: 64 bits of cipher text encrypted from T
CC: 64 bits of cipher text
TT: 64 bits of clear text decrypted from CC
If:
CC = C
Then:
TT = T
Prove:
CC' = IP(CC) First step of decryption
= IP(C) Assumption of CC = C
= IP(FP(C')) Last step of encryption
= C' IP is the inverse permutation of FP
(LL0, RR0) = CC' Initializing step in decryption
= C' CC' = C'
= (R16, L16) Swapping step in encryption
(LL1, RR1) = (RR0, LL0 ^ f(RR0, k16))
First round of decryption
= (L16, R16 ^ f(L16, k16))
Previous result
= (R15, (L15 ^ f(R15,k16)) ^ f(R15, k16))
(L16, R16) = (R15, L15 ^ f(R15, k16))
= (R15, L15) ^ reverse itself
......
(LL16, RR16) = (R0, L0)
TT' = (RR16, LL16) Swapping in decryption
= (L0, R0) Previous result
= T' Initializing step in encryption
TT = FP(TT') Last step in decryption
= FP(T') Previous result
= FP(IP(T)) First step in encryption
= T FP is the inverse permutation of IP