The Data Encryption Standard (DES) defines an indexed set of permutations acting on the message space $M = \{0, 1\}^{64}$. If this set of permutations were closed under functional composition, then DES would be vulnerable to a known-plaintext attack that runs in $2^{28}$ steps, on the average. It is unknown in the open literature whether or not DES has this weakness.

We describe two statistical tests for determining if an indexed set of permutations acting on a finite message space forms a group under functional composition. The first test is a "meet-in-the-middle" algorithm which uses $O(\sqrt{K})$ time and space, where $K$ is the size of the key space. The second test, a novel cycling algorithm, uses the same amount of time but only a small constant amount of space. Each test yields a known-plaintext attack against any finite, deterministic cryptosystem that generates a small group.

The cycling test takes a pseudo-random walk in the message space until a cycle is detected. For each step of the pseudo-random walk, the previous ciphertext is encrypted under a key chosen by a pseudo-random function of the previous ciphertext. Results of the test are asymmetrical: long cycles are overwhelming evidence that the set of permutations is not a group; short cycles are strong evidence that the set of permutations has a structure different from that expected from a set of randomly chosen permutations.

Using a combination of software and special-purpose hardware, we applied the cycling test to DES. Our experiments show, with a high degree of confidence, that DES is not a group.
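
A toy-scale sketch of the cycling test described above, added here as an illustration and not taken from the paper: the 24-bit block, 8-bit key, the XOR and Feistel ciphers, the BLAKE2-based helper functions and all names are assumptions chosen so the walk finishes quickly. If the permutations form a group, the walk never leaves the orbit of its starting message, so it cannot run longer than the number of keys before repeating.

```python
import hashlib
# Toy parameters and ciphers below are constructed for this example only.
BLOCK_BITS, KEY_BITS = 24, 8          # assumed toy sizes; DES has 64 and 56
HALF = BLOCK_BITS // 2
MASK = (1 << HALF) - 1

def _h(data: bytes, nbytes: int) -> int:
    return int.from_bytes(hashlib.blake2b(data, digest_size=nbytes).digest(), "big")

def feistel(key: int, x: int) -> int:
    """4-round toy Feistel with an 8-bit key (stand-in for a non-group cipher)."""
    left, right = x >> HALF, x & MASK
    for rnd in range(4):
        f = _h(bytes([key, rnd]) + right.to_bytes(2, "big"), 2) & MASK
        left, right = right, left ^ f
    return (left << HALF) | right

def xor_cipher(key: int, x: int) -> int:
    """E_k(x) = x XOR k: these 2^8 permutations form a group under composition."""
    return x ^ key

def next_key(x: int) -> int:
    """Pseudo-random function of the previous ciphertext that picks the next key."""
    return _h(b"g" + x.to_bytes(3, "big"), 1)

def rho_length(cipher, x0: int) -> int:
    """Tail + cycle length of the walk x -> E_{g(x)}(x), in constant space.
    Brent's cycle-finding algorithm is this example's choice of detector."""
    def step(x):
        return cipher(next_key(x), x)
    power = lam = 1
    tortoise, hare = x0, step(x0)
    while tortoise != hare:            # phase 1: cycle length lam
        if power == lam:
            tortoise, power, lam = hare, power * 2, 0
        hare = step(hare)
        lam += 1
    tortoise = hare = x0
    for _ in range(lam):
        hare = step(hare)
    mu = 0
    while tortoise != hare:            # phase 2: tail length mu
        tortoise, hare = step(tortoise), step(hare)
        mu += 1
    return mu + lam

def cycling_test(cipher, starts=(1, 2, 3)) -> int:
    """Longest walk observed; a value above 2**KEY_BITS rules out a group."""
    return max(rho_length(cipher, s) for s in starts)
```

With these toy sizes `cycling_test(xor_cipher)` can never exceed 256, while a walk under the Feistel family is expected to run for thousands of steps, mirroring the asymmetry the abstract describes.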