Abstract
The Data Encryption Standard (DES) defines an indexed set of permutations acting on the message space M = {0,1}^64. If this set of permutations were closed under functional composition, then DES would be vulnerable to a known-plaintext attack that runs in 2^28 steps, on the average. It is unknown in the open literature whether or not DES has this weakness.
We describe two statistical tests for determining if an indexed set of permutations acting on a finite message space forms a group under functional composition. The first test is a “meet-in-the-middle” algorithm which uses O(√K) time and space, where K is the size of the key space. The second test, a novel cycling algorithm, uses the same amount of time but only a small constant amount of space. Each test yields a known-plaintext attack against any finite, deterministic cryptosystem that generates a small group.
The cycling test takes a pseudo-random walk in the message space until a cycle is detected. For each step of the pseudo-random walk, the previous ciphertext is encrypted under a key chosen by a pseudo-random function of the previous ciphertext. Results of the test are asymmetrical: long cycles are overwhelming evidence that the set of permutations is not a group; short cycles are strong evidence that the set of permutations has a structure different from that expected from a set of randomly chosen permutations.
Using a combination of software and special-purpose hardware, we applied the cycling test to DES. Our experiments show, with a high degree of confidence, that DES is not a group.
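The cycling test described in the abstract, carried out on two toy ciphers as an added example (this is not the paper's code or experiment). Cipher A XORs the block with a key-dependent mask whose 256 masks are closed under XOR, so its permutations form a group of order K = 256; cipher B is a four-round Feistel network with a constructed mixing round function and has no reason to be closed under composition. The walk x_{i+1} = E_{f(x_i)}(x_i) uses a constructed key-selection function f, and cycles are found with Brent's algorithm. The verdict rule follows the paper's asymmetry: a walk longer than K points cannot happen inside a group of order K (the walk stays in one orbit of the group, which has at most K points), so a long walk is overwhelming evidence against a group; a short walk only says the permutations are more structured than random ones. The 32-bit message space, the 8-bit key space and all constants are assumptions of this example.

```python
import math

# Constructed parameters: 32-bit blocks, 8-bit keys (K = 256).
BLOCK_BITS = 32
BLOCK_MASK = (1 << BLOCK_BITS) - 1
HALF_MASK = (1 << 16) - 1
KEY_SPACE = 256


def xor_group_encrypt(key, x):
    """Cipher A: XOR with the key repeated in every byte. The 256 masks form a
    subgroup of (Z/2)^32, so E_k1 . E_k2 = E_(k1^k2): the set IS a group."""
    return x ^ ((key & 0xFF) * 0x01010101)


def _round(r, key, i):
    """Constructed keyed round function (murmur-style integer mixing), 16-bit output."""
    v = (r ^ ((key + 1) * 0x9E3779B1) ^ (i * 0x85EBCA6B)) & 0xFFFFFFFF
    v = (v * 0xC2B2AE35) & 0xFFFFFFFF
    v ^= v >> 13
    v = (v * 0x27D4EB2F) & 0xFFFFFFFF
    v ^= v >> 16
    return v & HALF_MASK


def feistel_encrypt(key, x):
    """Cipher B: 4-round Feistel network; a permutation for every key."""
    l, r = x >> 16, x & HALF_MASK
    for i in range(4):
        l, r = r, l ^ _round(r, key, i)
    return (l << 16) | r


def feistel_decrypt(key, y):
    """Inverse of feistel_encrypt (shows cipher B really is a permutation)."""
    l, r = y >> 16, y & HALF_MASK
    for i in reversed(range(4)):
        l, r = r ^ _round(l, key, i), l
    return (l << 16) | r


def select_key(x):
    """Constructed pseudo-random function of the previous ciphertext -> key index."""
    return ((x * 0x9E3779B1) & BLOCK_MASK) >> (BLOCK_BITS - 8)


def walk_step(encrypt, x):
    """One step of the pseudo-random walk: encrypt x under a key chosen from x."""
    return encrypt(select_key(x), x)


def brent(f, x0):
    """Brent's cycle finder: returns (mu, lam), tail length and cycle length of
    the sequence x0, f(x0), f(f(x0)), ... using constant space."""
    power = lam = 1
    tortoise, hare = x0, f(x0)
    while tortoise != hare:
        if power == lam:          # start a new power-of-two window
            tortoise, power, lam = hare, power * 2, 0
        hare = f(hare)
        lam += 1
    tortoise = hare = x0          # now find mu: advance hare by lam, then walk together
    for _ in range(lam):
        hare = f(hare)
    mu = 0
    while tortoise != hare:
        tortoise, hare = f(tortoise), f(hare)
        mu += 1
    return mu, lam


def cycling_test(encrypt, x0):
    """Run the walk until a cycle is detected and interpret rho = mu + lam.
    Inside a group of order K the walk visits at most K distinct points, so
    rho > K is overwhelming evidence that the permutations are not a group."""
    mu, lam = brent(lambda x: walk_step(encrypt, x), x0)
    rho = mu + lam
    return {"mu": mu, "lam": lam, "rho": rho,
            "expected_random_rho": math.sqrt(math.pi * 2 ** BLOCK_BITS / 2),
            "not_a_group": rho > KEY_SPACE}


def walk(encrypt, x0, n):
    """First n points of the walk (used to check which orbit they lie in)."""
    pts, x = [], x0
    for _ in range(n):
        pts.append(x)
        x = walk_step(encrypt, x)
    return pts


def in_xor_orbit(x0, x):
    """True iff x lies in the orbit of x0 under cipher A's group (x ^ x0 is a mask)."""
    d = x ^ x0
    return d == (d & 0xFF) * 0x01010101


if __name__ == "__main__":
    for name, cipher in (("XOR group", xor_group_encrypt), ("Feistel", feistel_encrypt)):
        print(name, cycling_test(cipher, 0x12345678))
```

For cipher A the reported rho is at most 256 and every visited point differs from x0 by one of the group's masks; for cipher B the walk runs for tens of thousands of steps (about sqrt(pi * 2^32 / 2), the expectation for a random mapping on the message space), far beyond K, which is the long-cycle verdict the paper draws for DES with K = 2^56 and 2^28 steps.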
This research was supported by NSF grant MCS-8006938 and IBM.
A revised and more detailed version of this paper will be available from the authors sometime in the future. In August 1985 the authors reported results of additional cycling experiments on DES at the Crypto 85 conference at the University of California, Santa Barbara [41].
References
Survey Works on Cryptology
Beker, Henry; and Fred Piper, Cipher Systems: The Protection of Communications, John Wiley (New York, 1982).
Davies, Donald W.; and W. L. Price, Security for Computer Networks: An Introduction to Data Security in Teleprocessing and Electronic Funds Transfer, John Wiley (Chichester, England, 1984).
Diffie, Whitfield; and Martin E. Hellman, “Privacy and authentication: An introduction to cryptography,” Proceedings of the IEEE, 67 (March 1979), 397–427.
Meyer, Carl H.; and Stephen M. Matyas, Cryptology: A New Dimension in Computer Data Security, John Wiley (New York, 1982). See also [50] [55].
Works on Probability and Statistics
Bovey, J. D., “An approximate probability distribution for the order of elements of the symmetric group,” Bull. London Math Society, 12 (1980), 41–46.
Feller, W., An Introduction to Probability Theory and its Applications, vol. I, John Wiley (New York, 1971).
Good, Irving John, The Estimation of Probabilities: An Essay on Modern Bayesian Methods, MIT Press (1965).
Harris, Bernard, “Probability distributions related to random mappings,” Annals of Math. Statistics, 31 (1959), 1045–1062.
Osteyee, David Bridston; and Irving John Good, Information, Weight of Evidence, the Singularity between Probability Measures and Signal Detection, Springer (Berlin, 1974).
Purdom, Paul W.; and J. H. Williams, “Cycle length in a random function,” Transactions of the American Mathematics Society, 133 (1968), 547–551.
Shepp, L. A.; and S. P. Lloyd, “Ordered cycle lengths in a random permutation,” Transactions of the American Mathematics Society, (February 1966), 340–357. See also [12] [14] [25].
Works on Algebra
Bovey, John; and Alan Williamson, “The probability of generating the symmetric group,” Bull. London Math Society, 10 (1978), 91–96.
Carmichael, Robert D., Introduction to the Theory of Groups of Finite Order, Dover (New York, 1956).
Dixon, John D., “The probability of generating the symmetric group,” Math Zentrum, 110 (1969), 199–205.
Rotman, Joseph J., The Theory of Groups: An Introduction, Allyn and Bacon (Boston, 1978).
Wielandt, Helmut, Finite Permutation Groups, Academic Press (New York, 1964). See also [5] [8] [10] [25] [11].
Works on Algorithms and Complexity Theory
Allender, Eric; and Maria Klawe, “Improved Lower Bounds for the Cycle Detection Problem,” working paper.
Brent, Richard P., “Analysis of some new cycle-finding and factorization algorithms,” technical report, Department of Computer Science, Australian National University (1979).
Chandra, Ashok K., “Efficient compilation of linear recursive programs,” technical report no. STAN-CS-72-282, Computer Science Dept., Stanford Univ (April 1972).
Knuth, Donald E., Seminumerical Algorithms in The Art of Computer Programming, vol. 2, Addison-Wesley (1969).
Knuth, Donald E., Sorting and Searching in The Art of Computer Programming, vol. 3, Addison-Wesley (1973).
Pollard, J. M., “A Monte Carlo method for factorization,” Bit, 15 (1975), 331–334.
Pomerance, Carl, “Analysis and comparison of some integer factoring algorithms,” technical report, Math Dept., Univ. of Georgia.
Purdom, Paul W. Jr.; and Cynthia A. Brown, The Analysis of Algorithms, Holt, Rinehart, and Winston (New York, 1985).
Sattler, J.; and C. P. Schnorr, “Generating random walks in groups,” unpublished manuscript (October 1983).
Sedgewick, Robert; and Thomas G. Szymanski, “The complexity of finding periods,” Proceedings of the 11th Annual STOC Conference (1979), 74–80.
Sedgewick, Robert; Thomas G. Szymanski; and Andrew C. Yao, “The complexity of finding cycles in periodic functions,” Siam Journal on Computing, 11 (1982), 376–390.
Selected Federal Standards Involving DES
“Data Encryption Standard,” National Bureau of Standards, Federal Information Processing Standards Publications No. 46 (January 15, 1977).
“DES Modes of Operation,” National Bureau of Standards, Federal Information Processing Standards Publication No. 81 (December 1980).
Selected Technical Works on DES
Davies, Donald W., “Some regular properties of the DES,” in Chaum, Rivest, and Sherman, eds., Advances in Cryptology: Proceedings of Crypto 82, Plenum Press (New York, 1983) [46], 89–96.
Davies, Donald W.; and G. I. P. Parkin, “The average size of the key stream in output feedback mode,” in Chaum, Rivest, and Sherman, eds., Advances in Cryptology: Proceedings of Crypto 82, Plenum Press (New York, 1983) [46], 97–98.
Davies, Donald W.; and G. I. P. Parkin, “The average size of the key stream in output feedback encipherment,” in [45], 263–279.
Davio, Mark; Yvo Desmedt; Jozef Goubert; Frank Hoornaert; and Jean-Jacques Quisquater, “Efficient hardware and software implementations for the DES,” Proceedings of Crypto 84, Springer (1985).
Desmedt, Yvo, “Analysis of the security and new algorithms for modern industrial cryptography,” dissertation, Department Elektrotechniek, Katholieke Universiteit Leuven (October 1984).
Diffie, Whitfield; and Martin E. Hellman, “Exhaustive cryptanalysis of the NBS Data Encryption Standard,” Computer, 10 (March 6, 1980), 74–84.
Gait, Jason, “A new nonlinear pseudorandom number generator,” IEEE Transactions on Software Engineering, SE-3 (September 1977), 359–363.
Goldreich, Oded, “DES-like functions can generate the alternating group,” IEEE Transactions on Information Theory, IT-29 (1983), 863–865.
Hellman, Martin E., et al., “Results of an initial attempt to cryptanalyse the NBS Data Encryption Standard,” technical report SEL 76-042, Information Systems Laboratory, Stanford Univ. (November 1976).
Hellman, Martin E.; and Justin M. Reyneri, “Distribution of Drainage in the DES,” in Chaum, Rivest, and Sherman, eds., Advances in Cryptology: Proceedings of Crypto 82, Plenum Press (New York, 1983) [46], 129–131.
Jueneman, Robert R., “Analysis of certain aspects of output-feedback mode,” in Chaum, Rivest, and Sherman, eds., Advances in Cryptology: Proceedings of Crypto 82, Plenum Press (New York, 1983) [46], 99–127.
Kaliski, Burton S., Jr.; Ronald L. Rivest; and Alan T. Sherman, “Is DES a pure cipher? (Results of more cycling experiments on DES),” Proceedings of Crypto 85, to appear.
Merkle, Ralph C.; and Martin E. Hellman, “On the security of multiple encryption,” CACM, 24 (July 1981), 465–467.
Reeds, J. A.; and J. L. Manferdelli, “DES has no per round linear factors,” Proceedings of Crypto 84, Springer (1985).
Tuchman, W. L., talk presented at the National Computer Conference, (June 1978). See also [2] [4] [48] [51] [53].
Other Works
Beth, Thomas, ed., Cryptography, Proceedings of the Workshop on Cryptography, Burg Feuerstein, Germany, March 29–April 2, 1982, Springer (Berlin, 1983).
Chaum, David; Ronald L. Rivest; and Alan T. Sherman, eds., Advances in Cryptology: Proceedings of Crypto 82, Plenum Press (New York, 1983).
Chaum, David, ed., Advances in Cryptology: Proceedings of Crypto 83, Plenum Press (New York, 1984).
Coppersmith, Don; and Edna Grossman, “Generators for certain alternating groups with applications to cryptology,” Siam Journal on Applied Mathematics, 29 (December 1975), 624–627.
DeLaurentis, John M., “A further weakness in the common modulus protocol for the RSA cryptosystem,” Cryptologia, 8 (July 1984), 253–259.
Gaines, Helen Fouché, Cryptanalysis: A Study of Ciphers and Their Solution, Dover (1956).
Grossman, Edna; and Bryant Tuckerman, “Analysis of a Feistel-like cipher weakened by having no rotating key,” IBM research report RC 6375 (#27489), (January 31, 1977).
Data Ciphering Processors Am9518, Am9568, AmZ8068 Technical Manual, Advanced Micro Devices, Inc. (1984).
Hellman, Martin E., “A cryptanalytic time-memory tradeoff,” technical report, Stanford Univ. (1978).
IBM Personal Computer Technical Reference (July 1982).
Longo, G., ed., Secure Digital Communications, Springer (Vienna 1983).
Rivest, Ronald; Adi Shamir; and Leonard Adleman, “On digital signatures and public-key cryptosystems,” CACM, 21 (February 1978), 120–126.
Shannon, Claude E., “Communication theory of secrecy systems,” Bell System Technical Journal, 28 (October 1949), 656–715.
“Unclassified summary: Involvement of NSA in the development of the Data Encryption Standard,” staff report of the Senate Select Committee on Intelligence, United States Senate (April 1978).
Copyright information
© 1986 Springer-Verlag Berlin Heidelberg
Cite this paper
Kaliski, B.S., Rivest, R.L., Sherman, A.T. (1986). Is the Data Encryption Standard a Group? (Preliminary Abstract). In: Pichler, F. (ed.) Advances in Cryptology — EUROCRYPT ’85. EUROCRYPT 1985. Lecture Notes in Computer Science, vol 219. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-39805-8_10
DOI: https://doi.org/10.1007/3-540-39805-8_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-16468-5
Online ISBN: 978-3-540-39805-9