Journal of Cryptology, Volume 1, Issue 1, pp 3–36

Is the Data Encryption Standard a group? (Results of cycling experiments on DES)

  • Burton S. Kaliski Jr.
  • Ronald L. Rivest
  • Alan T. Sherman
Article

Abstract

The Data Encryption Standard (DES) defines an indexed set of permutations acting on the message space ℳ = {0,1}^64. If this set of permutations were closed under functional composition, then the two most popular proposals for strengthening DES through multiple encryption would be equivalent to single encryption. Moreover, DES would be vulnerable to a known-plaintext attack that runs in 2^28 steps on the average. It is unknown in the open literature whether or not DES has this weakness.

Two statistical tests are presented for determining if an indexed set of permutations acting on a finite message space forms a group under functional composition. The first test is a “meet-in-the-middle” algorithm which uses O(√K) time and space, where K is the size of the key space. The second test, a novel cycling algorithm, uses the same amount of time but only a small constant amount of space. Each test yields a known-plaintext attack against any finite, deterministic cryptosystem that generates a small group.

The cycling closure test takes a pseudorandom walk in the message space until a cycle is detected. For each step of the pseudorandom walk, the previous ciphertext is encrypted under a key chosen by a pseudorandom function of the previous ciphertext. Results of the test are asymmetrical: long cycles are overwhelming evidence that the set of permutations is not a group; short cycles are strong evidence that the set of permutations has a structure different from that expected from a set of randomly chosen permutations.
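The walk just described, as an added Python example that is not from the paper: two constructed toy cipher families on a 32-bit message space with 256 keys each, one closed under composition (translations forming a cyclic group) and one not (XOR, odd multiply, rotate), are walked with the key chosen by a pseudorandom function of the previous ciphertext, and the cycle is found with Brent's constant-space algorithm (reference [4]). The cipher definitions, the key-selection function and the start point are my assumptions, chosen only to make the two outcomes visible.

```python
N_BITS = 32                      # toy message space {0,1}^32 (DES: {0,1}^64)
N, MASK = 1 << N_BITS, (1 << N_BITS) - 1
NUM_KEYS = 256                   # toy key space size |K| (DES: 2^56)

def rotl(x, r):
    return ((x << r) | (x >> (N_BITS - r))) & MASK

# Toy cipher A (constructed): translations by multiples of N/|K|. These |K|
# permutations are closed under composition (a cyclic group of order |K|),
# so any walk through them visits at most |K| distinct points.
def encrypt_closed(key_index, m):
    return (m + key_index * (N // NUM_KEYS)) & MASK

# Toy cipher B (constructed): XOR a key word, multiply by an odd constant,
# rotate. Each key is a permutation, but the set of |K| permutations is not
# closed under composition, so the walk behaves like a random mapping on N.
KEYS_B = [rotl((0x6A09E667 * (i + 1)) & MASK, i % N_BITS) for i in range(NUM_KEYS)]

def encrypt_open(key_index, m):
    return rotl(((m ^ KEYS_B[key_index]) * 0x9E3779B1) & MASK, 13)

def key_select(c):
    """Pseudorandom function of the previous ciphertext -> key index."""
    return ((c * 0x2545F491) & MASK) >> (N_BITS - 8)

def cycling_closure_test(encrypt, start):
    """Walk c_{i+1} = E_{k(c_i)}(c_i) from `start` and detect the cycle with
    Brent's constant-space algorithm. Returns (tail_length, cycle_length)."""
    f = lambda c: encrypt(key_select(c), c)
    power = lam = 1
    tortoise, hare = start, f(start)
    while tortoise != hare:              # phase 1: cycle length lambda
        if power == lam:
            tortoise, power, lam = hare, power * 2, 0
        hare, lam = f(hare), lam + 1
    tortoise = hare = start              # phase 2: tail length mu
    for _ in range(lam):
        hare = f(hare)
    mu = 0
    while tortoise != hare:
        tortoise, hare, mu = f(tortoise), f(hare), mu + 1
    return mu, lam

def verdict(encrypt, start=0x01234567):
    """Rho length (tail + cycle) of the walk, and whether it exceeds |K|,
    a bound no closed set of |K| permutations can exceed."""
    mu, lam = cycling_closure_test(encrypt, start)
    return mu + lam, mu + lam > NUM_KEYS
```

For N = 2^32 a random mapping has expected rho length √(πN/2) ≈ 8.2·10^4, so the open family's walk runs far past 256 steps while the closed family's stops within 256; in the toy |K| is small enough that exceeding it is a certificate, whereas for DES (|K| = 2^56 ≫ √N) the verdict is the statistical one described in the paper, comparing observed cycle lengths with those expected for a group of order at most |K|.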

Using a combination of software and special-purpose hardware, the cycling closure test was applied to DES. Experiments show, with overwhelming confidence, that DES is not a group. Additional tests confirm that DES is free of certain other gross algebraic weaknesses. But one experiment discovered fixed points of the so-called “weak-key” transformations, thereby revealing a previously unpublished additional weakness of the weak keys.

Key words

  • Birthday Paradox
  • Closed cipher
  • Cryptanalysis
  • Cryptology
  • Cryptography
  • Cycle-detection algorithm
  • Data Encryption Standard (DES)
  • Finite permutation group
  • Idempotent cryptosystem
  • Multiple encryption
  • Pure cipher
  • Weak keys


References

  [1] Beker, H., and F. Piper, Cipher Systems: The Protection of Communications, Wiley, New York, 1982.
  [2] Bovey, J. D., An approximate probability distribution for the order of elements of the symmetric group, Bulletin of the London Mathematical Society, 12 (1980), 41–46.
  [3] Bovey, J., and A. Williamson, The probability of generating the symmetric group, Bulletin of the London Mathematical Society, 10 (1978), 91–96.
  [4] Brent, R. P., Analysis of some new cycle-finding and factorization algorithms, Technical Report, Department of Computer Science, Australian National University (1979).
  [5] Carmichael, R. D., Introduction to the Theory of Groups of Finite Order, Dover, New York, 1956.
  [6] Chandra, A. K., Efficient compilation of linear recursive programs, Technical Report STAN-CS-72-282, Computer Science Department, Stanford University (April 1972).
  [7] Chor, B.-Z., Two Issues in Public-Key Cryptography: RSA Bit Security and a New Knapsack Type Cryptosystem, MIT Press, Cambridge, MA, 1985.
  [8] Coppersmith, D., and E. Grossman, Generators for certain alternating groups with applications to cryptology, SIAM Journal on Applied Mathematics, 29 (1975), 624–627.
  [9] Davies, D. W., Some regular properties of the DES, in [55] Chaum, D., R. L. Rivest, and A. T. Sherman, eds., Advances in Cryptology: Proceedings of Crypto 82, Plenum, New York, 1983, 89–96.
  [10] Davies, D. W., and G. I. P. Parkin, The average size of the key stream in output feedback encipherment, in [59] Beth, T., ed., Cryptography, Proceedings of the Workshop on Cryptography, Burg Feuerstein, Germany, March 29–April 2, 1982, Springer-Verlag, Berlin, 263–279.
  [11] Davies, D. W., and G. I. P. Parkin, The average size of the key stream in output feedback mode, in [55] Chaum, D., R. L. Rivest, and A. T. Sherman, eds., Advances in Cryptology: Proceedings of Crypto 82, Plenum, New York, 1983, 97–98.
  [12] Davies, D. W., and W. L. Price, Security for Computer Networks: An Introduction to Data Security in Teleprocessing and Electronic Funds Transfer, Wiley, Chichester, 1984.
  [13] Davio, M., Y. Desmedt, J. Goubert, F. Hoornaert, and J.-J. Quisquater, Efficient hardware and software implementations for the DES, in [56] Blakley, G. R., and D. Chaum, eds., Advances in Cryptology: Proceedings of Crypto 84, Springer-Verlag, New York, 1985, 144–146.
  [14] Diffie, W., and M. E. Hellman, Exhaustive cryptanalysis of the NBS Data Encryption Standard, Computer, 10 (1977), 74–84.
  [15] Diffie, W., and M. E. Hellman, Privacy and authentication: an introduction to cryptography, Proceedings of the IEEE, 67 (1979), 397–427.
  [16] Dixon, J. D., The probability of generating the symmetric group, Math Zentrum, 110 (1969), 199–205.
  [17] Feldman, F., A new spectral test for nonrandomness and the DES, IEEE Transactions on Software Engineering, to appear.
  [18] Feller, W., An Introduction to Probability Theory and Its Applications, vol. I, Wiley, New York, 1968.
  [19] Gaines, H. F., Cryptanalysis: A Study of Ciphers and Their Solution, Dover, New York, 1956.
  [20] Gait, J., A new nonlinear pseudorandom number generator, IEEE Transactions on Software Engineering, 3 (1977), 359–363.
  [21] Goldreich, O., DES-like functions can generate the alternating group, IEEE Transactions on Information Theory, 29 (1983), 863–865.
  [22] Good, I. J., The Estimation of Probabilities: An Essay on Modern Bayesian Methods, MIT Press, Cambridge, MA, 1965.
  [23] Harris, B., Probability distributions related to random mappings, Annals of Mathematical Statistics, 31 (1959), 1045–1062.
  [24] Hellman, M. E., R. Merkle, R. Schroeppel, L. Washington, W. Diffie, S. Pohlig, and P. Schweitzer, Results of an initial attempt to cryptanalyze the NBS Data Encryption Standard, Technical Report SEL 76-042, Information Systems Laboratory, Stanford University (November 1976).
  [25] Hellman, M. E., A cryptanalytic time-memory tradeoff, IEEE Transactions on Information Theory, 26 (1980), 401–406.
  [26] Hellman, M. E., and J. M. Reyneri, Distribution of drainage in the DES, in [55] Chaum, D., R. L. Rivest, and A. T. Sherman, eds., Advances in Cryptology: Proceedings of Crypto 82, Plenum, New York, 1983, 129–131.
  [27] Hinsdale, J. K., Implementing the Sedgewick-Szymanski cycle detection algorithm, B.Sc. thesis, Department of EECS, MIT (February 1985).
  [28] Jueneman, R. R., Analysis of certain aspects of output-feedback mode, in [55] Chaum, D., R. L. Rivest, and A. T. Sherman, eds., Advances in Cryptology: Proceedings of Crypto 82, Plenum, New York, 1983, 99–127.
  [29] Kaliski, B. S. Jr., Design and reliability of custom hardware for DES cycling experiments, M.Sc. thesis, Department of EECS, MIT (January 1987).
  [30] Kaliski, B. S. Jr., R. L. Rivest, and A. T. Sherman, Is the Data Encryption Standard a group?, in [60] Pichler, F., ed., Advances in Cryptology: Proceedings of Eurocrypt 85, Springer-Verlag, Berlin, 1986, 81–95.
  [31] Kaliski, B. S. Jr., R. L. Rivest, and A. T. Sherman, Is the Data Encryption Standard a pure cipher? (Results of more cycling experiments on DES), in [57] Williams, H. C., ed., Advances in Cryptology: Proceedings of Crypto 85, Springer-Verlag, New York, 1986, 212–226.
  [32] Knuth, D. E., The Art of Computer Programming, vol. II: Seminumerical Algorithms, Addison-Wesley, Reading, MA, 1981.
  [33] Knuth, D. E., The Art of Computer Programming, vol. III: Sorting and Searching, Addison-Wesley, Reading, MA, 1973.
  [34] Kolata, G., Codes go public, Boston Globe (September 30, 1985), 44.
  [35] Lenstra, H. W. Jr., Factoring integers with elliptic curves, Annals of Mathematics, to appear.
  [36] Longo, G., ed., Secure Digital Communications, Springer-Verlag, Vienna, 1983.
  [37] Merkle, R. C., and M. E. Hellman, On the security of multiple encryption, Communications of the Association for Computing Machinery, 24 (July 1981), 465–467.
  [38] Meyer, C. H., and S. M. Matyas, Cryptology: A New Dimension in Computer Data Security, Wiley, New York, 1982.
  [39] Moore, J. H., and G. J. Simmons, Cycle structure of the DES with weak and semi-weak keys, in [58] Odlyzko, A., ed., Advances in Cryptology: Proceedings of Crypto 86, Springer-Verlag, New York, 1987, 3–32.
  [40] Osteyee, D. B., and I. J. Good, Information, Weight of Evidence, the Singularity Between Probability Measures and Signal Detection, Springer-Verlag, Berlin, 1974.
  [41] Pollard, J. M., A Monte Carlo method for factorization, BIT, 15 (1975), 331–334.
  [42] Pomerance, C., Analysis and comparison of some integer factoring algorithms, in Computational Methods in Number Theory, H. W. Lenstra Jr., and R. Tijdeman, eds., Math. Centrum Tract 154, Amsterdam, 1982, 89–139.
  [43] Purdom, P. W., Jr., and C. A. Brown, The Analysis of Algorithms, Holt, Rinehart, and Winston, New York, 1985.
  [44] Purdom, P. W., and J. H. Williams, Cycle length in a random function, Transactions of the American Mathematical Society, 133 (1968), 547–551.
  [45] Rivest, R., A. Shamir, and L. Adleman, On digital signatures and public-key cryptosystems, Communications of the Association for Computing Machinery, 21 (1978), 120–126.
  [46] Rotman, J. J., The Theory of Groups: An Introduction, Allyn and Bacon, Boston, 1978.
  [47] Sattler, J., and C. P. Schnorr, Generating random walks in groups, unpublished manuscript (October 1983).
  [48] Shannon, C. E., Communication theory of secrecy systems, Bell System Technical Journal, 28 (1949), 656–715.
  [49] Sedgewick, R., T. G. Szymanski, and A. C. Yao, The complexity of finding cycles in periodic functions, SIAM Journal on Computing, 11 (1982), 376–390.
  [50] Shepp, L. A., and S. P. Lloyd, Ordered cycle lengths in a random permutation, Transactions of the American Mathematical Society, 121 (1966), 340–357.
  [51] Sherman, A. T., Cryptology and VLSI (a two-part dissertation): I. Detecting and exploiting algebraic weaknesses in cryptosystems. II. Algorithms for placing modules on a custom VLSI chip, Technical Report TR-381, MIT Laboratory for Computer Science (October 1986).
  [52] Tuchman, W. L., talk presented at the National Computer Conference (June 1978).
  [53] Wielandt, H., Finite Permutation Groups, Academic Press, New York, 1964.
  [54] Data Ciphering Processors Am9518, Am9568, AmZ8068 Technical Manual, Advanced Micro Devices Inc., Sunnyvale, CA (1984).
  [55] Chaum, D., R. L. Rivest, and A. T. Sherman, eds., Advances in Cryptology: Proceedings of Crypto 82, Plenum, New York, 1983.
  [56] Blakley, G. R., and D. Chaum, eds., Advances in Cryptology: Proceedings of Crypto 84, Springer-Verlag, New York, 1985.
  [57] Williams, H. C., ed., Advances in Cryptology: Proceedings of Crypto 85, Springer-Verlag, New York, 1986.
  [58] Odlyzko, A., ed., Advances in Cryptology: Proceedings of Crypto 86, Springer-Verlag, New York, 1987.
  [59] Beth, T., ed., Cryptography, Proceedings of the Workshop on Cryptography, Burg Feuerstein, Germany, March 29–April 2, 1982, Springer-Verlag, Berlin, 1983.
  [60] Pichler, F., ed., Advances in Cryptology: Proceedings of Eurocrypt 85, Springer-Verlag, Berlin, 1986.
  [61] Data Encryption Standard, Federal Information Processing Standards Publication 46, National Bureau of Standards, U.S. Department of Commerce, Washington, DC (January 15, 1977).
  [62] DES Modes of Operation, Federal Information Processing Standards Publication 81, National Bureau of Standards, U.S. Department of Commerce, Washington, DC (December 1980).
  [63] IBM Personal Computer Technical Reference, Boca Raton, FL (July 1982).
  [64] Unclassified summary: involvement of NSA in the development of the Data Encryption Standard, Staff Report of the Senate Select Committee on Intelligence, United States Senate (April 1978).

Copyright information

© International Association for Cryptologic Research 1988

Authors and Affiliations

  • Burton S. Kaliski Jr. (1)
  • Ronald L. Rivest (1)
  • Alan T. Sherman (1)

  1. MIT Laboratory for Computer Science, Cambridge, USA
  2. Department of Computer Science, Tufts University, Medford, USA
