In this paper we improve Davies’ attack  on DES to become capable of breaking the full 16-round DES faster than the exhaustive search. Our attack requires 250 known plaintexts and 250 complexity of analysis. If independent subkeys are used, a variant of this attack can find 26 bits out of the 768 key bits using 252 known plaintexts. All the 768 bits of the subkeys can be found using 260 known plaintexts. The data analysis requires only several minutes on a SPARC workstation. Therefore, this is the third successful attack on DES, faster than brute force, after differential cryptanalysis  and linear cryptanalysis . We also suggest criteria which make the S-boxes immune to this attack.
Key wordsData Encryption Standard (DES) Cryptanalysis
Unable to display preview. Download preview PDF.
- D. W. Davies, Investigation of a potential weakness in the DES algorithm, Private communications, 1987.Google Scholar
- Kwangjo Kim, Sangjun Park, and Sangjin Lee, Reconstruction ofs 2 DES S-boxes and their immunity to differential cryptanalysis,Proceedings of JW-ISC93—Korea-Japan Joint Workshop on Information Security and Cryptology, Seoul, Korea, October 24–26, 1993.Google Scholar
- Mitsuru Matsui, Linear cryptanalysis method for DES cipher,Advances in Cryptology Proceedings of EUROCRYPT'93, Lecture Notes in Computer Science, vol. 765, (T. Helleseth, ed.), Springer-Verlag, Berlin, pp. 386–397, 1994.Google Scholar
- National Bureau of Standards,Data Encryption Standard, Federal Information Processing Standards Publication 46, January 1977.Google Scholar