Skip to main content

Differential cryptanalysis of DES-like cryptosystems


The Data Encryption Standard (DES) is the best known and most widely used cryptosystem for civilian applications. It was developed at IBM and adopted by the National Bureau of Standards in the mid 1970s, and has successfully withstood all the attacks published so far in the open literature. In this paper we develop a new type of cryptanalytic attack which can break the reduced variant of DES with eight rounds in a few minutes on a personal computer and can break any reduced variant of DES (with up to 15 rounds) using less than 256 operations and chosen plaintexts. The new attack can be applied to a variety of DES-like substitution/permutation cryptosystems, and demonstrates the crucial role of the (unpublished) design rules.


  1. [1]

    E. F. Brickell, J. H. Moore, M. R. Purtill, Structure in the S-boxes of the DES,Advances in Cryptology, Proceedings of CRYPTO 86, pp. 3–7, 1986.

  2. [2]

    D. Chaum, J.-H. Evertse, Cryptanalysis of DES with a Reduced Number of Rounds, Sequences of Linear Factors in Block Ciphers,Advances in Cryptology, Proceedings of CRYPTO 85, pp. 192–211, 1985.

  3. [3]

    D. W. Davies, Private communications.

  4. [4]

    B. Den Boer, Cryptanalysis of F.E.A.L.,Advances in Cryptology, Proceedings of EUROCRYPT 88, pp. 293–300, 1988.

  5. [5]

    Y. Desmedt, J.-J. Quisquater, M. Davio, Dependence of output on input in DES: small avalanche characteristics,Advances in Cryptology, Proceedings of CRYPTO 84, pp. 359–376, 1984.

  6. [6]

    W. Diffie, M. E. Hellman, Exhaustive cryptanalysis of the NBS Data Encryption Standard,Computer, Vol. 10, No. 6, pp. 74–84, June 1977.

    Google Scholar 

  7. [7]

    H. Feistel, Cryptography and data security,Scientific American, Vol. 228, No. 5, pp. 15–23, May 1973.

    Google Scholar 

  8. [8]

    M. E. Hellman, A cryptanalytic time-memory tradeoff,IEEE Transactions on Information Theory, Vol. 26, No. 4, pp. 401–406, July 1980.

    Google Scholar 

  9. [9]

    M. E. Hellman, R. Merkle, R. Schroppel, L. Washington, W. Diffie, S. Pohlig, P. Schweitzer, Results of an Initial Attempt to Cryptanalyze the NBS Data Encryption Standard, Standford University, September 1976.

  10. [10]

    R. C. Merkle, A fast software one-way hash function,Journal of Cryptology, Vol. 3, No. 1, pp. 43–58, 1990.

    Google Scholar 

  11. [11]

    S. Miyaguchi, Feal-N specifications, NTT, 1989.

  12. [12]

    S. Miyaguchi, News on Feal Cipher, Talk at the RUMP session at CRYPTO 90, 1990.

  13. [13]

    S. Miyaguchi, K. Ohta, M. Iwata, 128-bit hash function (N-Hash),Proceedings of SECURICOM 90, pp. 123–137, March 1990.

  14. [14]

    S. Miyaguchi, A. Shiraishi, A. Shimizu, Fast data encryption algorithm Feal-8,Review of Electrical Communications Laboratories, Vol. 36, No. 4, pp. 433–437, 1988.

    Google Scholar 

  15. [15]

    National Bureau of Standars,Data Encryption Standard, FIPS publication, No. 46, U. S. Department of Commerce, January 1977.

  16. [16]

    I. Schaumuller-Bichl, Zur Analyse des Data Encryption Standard und Synthese Verwandter Chiffriersysteme, Ph.D. Thesis, Linz University, May 1981.

  17. [17]

    I. Schaumuller-Bichl, Cryptanalysis of the Data Encryption Standard by the method of formal coding,Cryptologia, Proceedings of CRYPTO 82, pp. 235–255, 1982.

  18. [18]

    I. Schaumuller-Bichl, On the Design and Analysis of New Cipher Systems Related to the DES, Technical Report, Linz University, 1983.

  19. [19]

    A. Shimizu, S. Miyaguchi, Fast Data Encryption Algorithm Feal,Advances in Cryptology, Proceedings of EUROCRYPT 87, pp. 267–278, 1987.

  20. [20]

    A. Shimizu, S. Miyaguchi, Fast Data Encryption Algorithm Feal,Abstracts of EUROCRYPT 87, pp. VII-11–VII-14, April 1987.

Download references

Author information



Rights and permissions

Reprints and Permissions

About this article

Cite this article

Biham, E., Shamir, A. Differential cryptanalysis of DES-like cryptosystems. J. Cryptology 4, 3–72 (1991).

Download citation

Key words

  • Data Encryption Standard
  • Differential cryptanalysis
  • Iterated cryptosystems