Is the Data Encryption Standard a group? (Results of cycling experiments on DES)
 Burton S. Kaliski Jr.,
 Ronald L. Rivest,
 Alan T. Sherman
Abstract
The Data Encryption Standard (DES) defines an indexed set of permutations acting on the message space ℳ = {0,1}^{64}. If this set of permutations were closed under functional composition, then the two most popular proposals for strengthening DES through multiple encryption would be equivalent to single encryption. Moreover, DES would be vulnerable to a known-plaintext attack that runs in 2^{28} steps on the average. It is unknown in the open literature whether or not DES has this weakness.
Two statistical tests are presented for determining if an indexed set of permutations acting on a finite message space forms a group under functional composition. The first test is a “meet-in-the-middle” algorithm which uses O(√K) time and space, where K is the size of the key space. The second test, a novel cycling algorithm, uses the same amount of time but only a small constant amount of space. Each test yields a known-plaintext attack against any finite, deterministic cryptosystem that generates a small group.
The cycling closure test takes a pseudorandom walk in the message space until a cycle is detected. For each step of the pseudorandom walk, the previous ciphertext is encrypted under a key chosen by a pseudorandom function of the previous ciphertext. Results of the test are asymmetrical: long cycles are overwhelming evidence that the set of permutations is not a group; short cycles are strong evidence that the set of permutations has a structure different from that expected from a set of randomly chosen permutations.
Using a combination of software and special-purpose hardware, the cycling closure test was applied to DES. Experiments show, with overwhelming confidence, that DES is not a group. Additional tests confirm that DES is free of certain other gross algebraic weaknesses. But one experiment discovered fixed points of the so-called “weak-key” transformations, thereby revealing a previously unpublished additional weakness of the weak keys.
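The cycling closure test described in the abstract, written out as an added worked example (this is not code from the paper or its authors). DES is replaced by a constructed 32-bit, 4-round Feistel toy cipher with an 8-bit key space, and a second family (x ↦ x XOR key) is included because it genuinely is a group, so the two outcomes of the test can be compared. The pseudorandom key-selection function f is taken from SHA-256 of the previous ciphertext, and cycle detection uses Brent's algorithm, which needs only constant space; the block size, key size, round function and constants are all assumptions of this example.

```python
import hashlib

# Toy parameters (constructed for this example): 32-bit message space, 8-bit key space.
MSG_BITS = 32
HALF_MASK = 0xFFFF
KEY_SPACE = 256


def _round_fn(r, k):
    """Key-dependent 16-bit mixing function for the toy Feistel cipher (constructed)."""
    t = (r + k) & HALF_MASK
    t = (t * 0x9E37 + 0x1234) & HALF_MASK
    t ^= t >> 7
    t = (t * 0x4D3B) & HALF_MASK
    t ^= t >> 11
    return t


def toy_feistel(x, key, rounds=4):
    """Stand-in for DES: a 4-round Feistel permutation of 32-bit blocks under an 8-bit key.
    Every Feistel network is a permutation, so this is an indexed set of 256 permutations."""
    l, r = x >> 16, x & HALF_MASK
    for i in range(rounds):
        round_key = (((key << 8) | key) + 0x1F23 * (i + 1)) & HALF_MASK
        l, r = r, l ^ _round_fn(r, round_key)
    return (l << 16) | r


def xor_family(x, key):
    """A family that IS a group: x -> x XOR key is closed under composition (k1 then k2 == k1 ^ k2)."""
    return x ^ key


def key_from_message(x):
    """Pseudorandom function M -> K choosing the next key from the previous ciphertext."""
    digest = hashlib.sha256(x.to_bytes(MSG_BITS // 8, "big")).digest()
    return digest[0] % KEY_SPACE


def brent_cycle(step, x0):
    """Brent's cycle-finding algorithm. Returns (mu, lam): the tail length and the cycle
    length of x0, step(x0), step(step(x0)), ... using O(1) memory."""
    power = lam = 1
    tortoise, hare = x0, step(x0)
    while tortoise != hare:
        if power == lam:  # move the tortoise up to the hare and double the search window
            tortoise, power, lam = hare, power * 2, 0
        hare = step(hare)
        lam += 1
    tortoise = hare = x0
    for _ in range(lam):  # put the hare exactly lam steps ahead of the tortoise
        hare = step(hare)
    mu = 0
    while tortoise != hare:  # they first meet at the entry point of the cycle
        tortoise, hare = step(tortoise), step(hare)
        mu += 1
    return mu, lam


def cycling_closure_test(encrypt, x0=0x12345678):
    """Pseudorandom walk x_{i+1} = E_{f(x_i)}(x_i) until a cycle is detected; returns (mu, lam).
    If the permutations form a group, every point of the walk lies in the orbit of x0 under
    that group, which has at most KEY_SPACE elements, so mu + lam <= KEY_SPACE.  For a
    random-looking family the walk behaves like a random mapping on 2^32 points and mu + lam
    is near sqrt(pi * 2^32 / 2), i.e. tens of thousands of steps."""
    def step(x):
        return encrypt(x, key_from_message(x))
    return brent_cycle(step, x0)


def verdict(encrypt):
    """Apply the test and interpret it the way the paper does: asymmetrically."""
    mu, lam = cycling_closure_test(encrypt)
    rho = mu + lam
    if rho <= KEY_SPACE:
        return rho, "short walk: consistent with a group or some other algebraic structure"
    return rho, "long walk: overwhelming evidence that the family is not a group"


if __name__ == "__main__":
    for name, family in (("xor_family", xor_family), ("toy_feistel", toy_feistel)):
        print(name, *verdict(family))
```

The asymmetry of the conclusion matters: a long walk cannot happen if the family is closed (the walk can never leave a single orbit of the group), so one long walk settles the question; a short walk only says that some structure is present and invites further tests, which is why the paper reports several experiments rather than one.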
Title
 Is the Data Encryption Standard a group? (Results of cycling experiments on DES)
Journal
 Journal of Cryptology
 Volume 1, Issue 1, pp 3-36
Cover Date
 1988-01-01
DOI
 10.1007/BF00206323
Print ISSN
 0933-2790
Online ISSN
 1432-1378
Publisher
 Springer-Verlag
 Keywords

 Birthday Paradox
 Closed cipher
 Cryptanalysis
 Cryptology
 Cryptography
 Cycle-detection algorithm
 Data Encryption Standard (DES)
 Finite permutation group
 Idempotent cryptosystem
 Multiple encryption
 Pure cipher
 Weak keys
 Authors

 Burton S. Kaliski Jr. ^{(1)}
 Ronald L. Rivest ^{(1)}
 Alan T. Sherman ^{(1)}
 Author Affiliations

 1. MIT Laboratory for Computer Science, 545 Technology Square, 02139, Cambridge, MA, USA