Advances in Cryptology — CRYPTO’ 92

Volume 740 of the series Lecture Notes in Computer Science pp 512-520


DES is not a Group

  • Keith W. CampbellAffiliated withBell-Northern Research
  • , Michael J. WienerAffiliated withBell-Northern Research


We prove that the set of DES permutations (encryption and decryption for each DES key) is not closed under functional composition. This implies that, in general, multiple DES-encryption is not equivalent to single DES-encryption, and that DES is not susceptible to a particular known-plaintext attack which requires, on average, 228 steps. We also show that the size of the subgroup generated by the set of DES permutations is greater than 102499, which is too large for potential attacks on DES which would exploit a small subgroup.