# Is the Data Encryption Standard a Group? (Preliminary Abstract)

- 10 Citations
- 1k Downloads

## Abstract

The Data Encryption Standard (DES) defines an indexed set of permutations acting on the message space *M* = {0,1}^{64}. If this set of permutations were closed under functional composition, then DES would be vulnerable to a known-plaintext attack that runs in 2^{28} steps, on the average. It is unknown in the open literature whether or not DES has this weakness.

We describe two statistical tests for determining if an indexed set of permutations acting on a finite message space forms a group under functional composition. The first test is a “meet-in-the-middle” algorithm which uses *O*(√*K*) time and space, where *K* is the size of the key space. The second test, a novel cycling algorithm, uses the same amount of time but only a small constant amount of space. Each test yields a known-plaintext attack against any finite, deterministic cryptosystem that generates a small group.

The cycling test takes a pseudo-random walk in the message space until a cycle is detected. For each step of the pseudo-random walk, the previous ciphertext is encrypted under a key chosen by a pseudo-random function of the previous ciphertext. Results of the test are asymmetrical: long cycles are overwhelming evidence that the set of permutations is not a group; short cycles are strong evidence that the set of permutations has a structure different from that expected from a set of randomly chosen permutations.

Using a combination of software and special-purpose hardware, we applied the cycling test to DES. Our experiments show, with a high degree of confidence, that DES is not a group.

## Key Words and Phrases

Birthday Paradox closed cipher cryptanalysis cycle-detection algorithm Data Encryption Standard (DES) finite permutation group idempotent cryptosystem multiple encryption pure cipher## References

## Survey Works on Cryptology

- [1]Beker, Henry; and Fred Piper,
*Cipher Systems: The Protection of Communications*, John Wiley (New York, 1982).zbMATHGoogle Scholar - [2]Davies, Donald W.; and W. L. Price,
*Security for Computer Networks: An Introduction to Data Security in Teleprocessing and Electronic Funds Transfer*, John Wiley (Chichester, England, 1984).Google Scholar - [3]Diffie, Whitfield; and Martin E. Hellman, “Privacy and authentication: An introduction to cryptography,”
*Proceedings of the IEEE*,**67**(March 1979), 397–427.CrossRefGoogle Scholar - [4]Meyer, Carl H.; and Stephen M. Matyas,
*Cryptology: A New Dimension in Computer Data Security*, John Wiley (New York, 1982). See also [50] [55].Google Scholar

## Works on Probability and Statistics

- [5]Bovey, J. D., “An approximate probability distribution for the order of elements of the symmetric group,”
*Bull. London Math Society*,**12**(1980), 41–46.zbMATHCrossRefMathSciNetGoogle Scholar - [6]Feller, W.,
*An Introduction to Probability Theory and its Applications*, vol. I, John Wiley (New York, 1971).zbMATHGoogle Scholar - [7]Good, Irving John,
*The Estimation of Probabilities: An Essay on Modern Bayesian Methods*, MIT Press (1965).Google Scholar - [8]Harris, Bernard, “Probability distributions related to random mappings,”
*Annals of Math. Statistics*,**31**(1959), 1045–1062.CrossRefGoogle Scholar - [9]Osteyee, David Bridston; and Irving John Good,
*Information, Weight of Evidence, the Singularity between Probability Measures and Signal Detection*, Springer (Berlin, 1974).zbMATHGoogle Scholar - [10]Purdom, Paul W.; and J. H. Williams, “Cycle length in a random function,”
*Transactions of the American Mathematics Society*,**133**(1968), 547–551.zbMATHCrossRefMathSciNetGoogle Scholar - [11]Shepp, L. A.; and S. P. Lloyd, “Ordered cycle lengths in a random permutation,”
*Transactions of the American Mathematics Society*, (February 1966), 340–357. See also [12] [14] [25].Google Scholar

## Works on Algebra

- [12]Bovey, John; and Alan Williamson, “The probability of generating the symmetric group,”
*Bull. London Math Society*,**10**(1978), 91–96.zbMATHCrossRefMathSciNetGoogle Scholar - [13]Carmichael, Robert D.,
*Introduction to the Theory of Groups of Finite Order*, Dover (New York, 1956).zbMATHGoogle Scholar - [14]Dixon, John D., “The probability of generating the symmetric group,”
*Math Zentrum*,**110**(1969), 199–205.zbMATHCrossRefMathSciNetGoogle Scholar - [15]Rotman, Joseph J.,
*The Theory of Groups: An Introduction*, Allyn and Bacon (Boston, 1978).Google Scholar - [16]Wielandt, Helmut,
*Finite Permutation Groups*, Academic Press (New York, 1964). See also [5] [8] [10] [25] [11].zbMATHGoogle Scholar

## Works on Algorithms and Complexity Theory

- [17]Allender, Eric; and Maria Klawa, “Improved Lower Bounds for the Cycle Detection Problem,” working paper.Google Scholar
- [18]Brent, Richard P., “Analysis of some new cycle-finding and factorization algorithms,” technical report, Department of Computer Science, Australian National University (1979).Google Scholar
- [19]Chandra, Ashok K., “Efficient compilation of linear recursive programs,” technical report no. STAN-CS-72-282, Computer Science Dept., Stanford Univ (April 1972).Google Scholar
- [20]Knuth, Donald E.,
*Seminumerical Algorithms*in*The Art of Computer Programming*, vol. 2, Addison-Wesley (1969).Google Scholar - [21]Knuth, Donald E.,
*Sorting and Searching*in*The Art of Computer Programming*, vol. 3, Addison-Wesley (1973).Google Scholar - [22]Pollard, J. M., “A Monte Carlo method for factorization,”
*Bit*,**15**(1975), 331–334.zbMATHCrossRefMathSciNetGoogle Scholar - [23]Pomerance, Carl, “Analysis and comparison of some integer factoring algorithms,” technical report, Math Dept., Univ. of Georgia.Google Scholar
- [24]Purdom, Paul W. Jr.; and Cynthia A. Brown,
*The Analysis of Algorithms*, Holt, Rinehart, and Winston (New York, 1985).Google Scholar - [25]Sattler, J.; and C. P. Schnorr, “Generating random walks in groups,” unpublished manuscript (October 1983).Google Scholar
- [26]Sedgewick, Robert; and Thomas G. Szymanski, “The complexity of finding periods,”
*Proceedings of the 11th Annual STOC Conference*(1979), 74–80.Google Scholar - [27]Sedgewick, Robert; Thomas G. Szymanski; and Andrew C. Yao, “The complexity of finding cycles in periodic functions,”
*Siam Journal on Computing*,**11**(1982), 376–390.zbMATHCrossRefMathSciNetGoogle Scholar

## Selected Federal Standards Involving DES

- [28]“Data Encryption Standard,” National Bureau of Standards, Federal Information Processing Standards Publications No. 46 (January 15, 1977).Google Scholar
- [29]“DES modes of operations,” Federal Information Standards Publication No. 81 (December 1980).Google Scholar

## Selected Technical Works on DES

- [30]Davies, Donald W., “Some regular properties of the DES,” in Alan T. Sherman,
*eds.*,*Advances in Cryptology: Proceedings of Crypto 82*, Plenum Press (New York, 1983) [46], 89–96.Google Scholar - [31]Davies, Donald W.; and G. I. P. Parkin, “The average size of the key stream in output feedback mode,” in Alan T. Sherman,
*eds.*,*Advances in Cryptology: Proceedings of Crypto 82*, Plenum Press (New York, 1983) [46], 97–98.Google Scholar - [32]Davies, Donald W.; and G. I. P. Parkin, “The average size of the key stream in output feedback encipherment,” in [45], 263–279.CrossRefGoogle Scholar
- [33]Davio, Mark; Yvo Desmedt; Jozef Goubert; Frank Hoornaert; and Jean-Jacques Quisquater, “Efficient hardware and software implementations for the DES,”
*Proceedings of Crypto 84*, Springer (1985).Google Scholar - [34]Desmedt, Yvo, “Analysis of the security and new algorithms for modern industrial cryptography,” dissertation, Department Elektrotechniek, Katholieke Universiteit Leuven (October 1984).Google Scholar
- [35]Diffie, Whitfield; and Martin E. Hellman, “Exhaustive cryptanalysis of the NBS Data Encryption Standard,”
*Computer*,**10**(March 6, 1980), 74–84.CrossRefGoogle Scholar - [36]Gait, Jason, “A new nonlinear pseudorandom number generator,”
*IEEE Transactions on Software Engineering*, SE-3 (September 1977), 359–363.CrossRefGoogle Scholar - [37]Goldreich, Oded, “DES-like functions can generate the alternating group,”
*IEEE Transactions on Information Theory*, IT-29 (1983), 863–865.MathSciNetGoogle Scholar - [38]Hellman, Martin E.,
*et al.*, “Results of an initial attempt to cryptanalyse the NBS Data Encryption Standard,” technical report SEL 76-042, Information Systems Laboratory, Stanford Univ. (November 1976).Google Scholar - [39]Hellman, Martin E.; and Justin M. Reyneri, “Distribution of Drainage in the DES,” in Alan T. Sherman,
*eds.*,*Advances in Cryptology: Proceedings of Crypto 82*, Plenum Press (New York) [46] (1982), 129–131.Google Scholar - [40]Jueneman, Robert R., “Analysis of certain aspects of output-feedback mode,” in Alan T. Sherman,
*eds.*,*Advances in Cryptology: Proceedings of Crypto 82*, Plenum Press (New York) [46] (1982), 99–127.Google Scholar - [41]Kaliski, Burton S., Jr.; Ronald L. Rivest; and Alan T. Sherman, “Is DES a pure cipher? (Results of more cycling experiments on DES),”
*Proceedings of Crypto 85*, to appear.Google Scholar - [42]Merkle, Ralph C.; and Martin E. Hellman, “On the security of multiple encryption,”
*CACM*,**24**(July 1981), 465–467.MathSciNetGoogle Scholar - [43]Reeds, J. A.; and J. L. Manferdell, “DES has no per round linear factors,”
*Proceedings of Crypto 84*, Springer (1985).Google Scholar - [44]Tuchman, W. L., talk presented at the National Computer Conference, (June 1978). See also [2] [4] [48] [51] [53].Google Scholar

## Other Works

- [45]Beth, Thomas,
*ed.*,*Cryptography*,*Proceedings of the Workshop on Cryptography*,*Burg Feuerstein, Germany*,*March 29–April 2, 1982*, Springer (Berlin, 1983).zbMATHGoogle Scholar - [46]Chaum, David; Ronald L. Rivest; and Alan T. Sherman,
*eds.*,*Advances in Cryptology: Proceedings of Crypto 82*, Plenum Press (New York, 1983).zbMATHGoogle Scholar - [47]Chaum, David,
*ed.*,*Advances in Cryptology: Proceedings of Crypto 83*, Plenum Press (New York, 1984).zbMATHGoogle Scholar - [48]Coppersmith, Don; and Edna Grossman, “Generators for certain alternating groups with applications to cryptology,”
*Siam Journal on Applied Mathemtics*,**29**(December 1975), 624–627.CrossRefMathSciNetzbMATHGoogle Scholar - [49]DeLaurentis, John M., “A further weakness in the common modulus protocol for the RSA cryptosystem,”
*Cryptologia*,**8**(July 1984), 253–259.MathSciNetCrossRefGoogle Scholar - [50]Gaines, Helen Fouché,
*Cryptanalysis: A Study of Ciphers and Their Solution*, Dover (1956).Google Scholar - [51]Grossman, Edna; and Bryant Tuckerman, “Analysis of a Feistel-like cipher weakened by having no rotating key,” IBM research report RC 6375 (#27489), (January 31, 1977).Google Scholar
- [52]
*Data Ciphering Processors Am9518, Am9568, AmZ8068 Technical Manual*, Advanced Micro Devices, Inc. (1984).Google Scholar - [53]Hellman, Martin E., “A cryptanalytic time-memory tradeoff,” technical report, Stanford Univ. (1978).Google Scholar
- [54]
*IBM Personal Computer Technical Reference*(July 1982).Google Scholar - [55]
- [56]Rivest, Ronald; Adi Shamir; and Leonard Adleman, “On digital signatures and public-key cryptosystems,”
*CACM*,**21**(February 1978), 120–126.zbMATHMathSciNetGoogle Scholar - [57]Shannon, Claude E., “Communication theory of secrecy systems,”
*Bell System Technical Journal*,**28**(October 1949), 656–715.MathSciNetGoogle Scholar - [58]“Unclassified summary: Involvement of NSA in the development of the Data Encryption Standard,” staff report of the Senate Select Committee on Intelligence, United States Senate (April 1978).Google Scholar