@InProceedings{KRS85b, author = {Kaliski, Jr., Burton S. and Ronald L. Rivest and Alan T. Sherman }, title = { Is {DES} a pure cipher? (Results of more cycling experiments on {DES}) (Preliminary Abstract) }, pages = { 212--226 }, OPTurl = { http://dx.doi.org/10.1007/3-540-39799-X_17 }, doi = { 10.1007/3-540-39799-X_17 }, booktitle = { Advances in Cryptology---CRYPTO '85 Proceedings }, date = { 1985 }, isbn = { 978-3-540-16463-0 }, publisher = { Springer }, editor = { Hugh C. Williams }, series = { Lecture Notes in Computer Science }, volume = { 218 }, OPTyear = { 1985 }, OPTmonth = { August 18--22, }, eventdate = { 1985-08-18/1985-08-22 }, eventtitle = { CRYPTO '85 }, venue = { Santa Barbara, California }, organization = { IACR }, keywords = { birthday paradox, closed cipher, cryptanalysis, cryptography, cryptology, cycle-detection algorithm, data encryption standard (DES), finite permutation group, idempotent cryptosystem, multiple encryption, pure cipher }, abstract = { During summer 1985, we performed eight cycling experiments on the Data Encryption Standard (DES) to see if DES has certain algebraic weaknesses. Using special-purpose hardware, we applied the cycling closure test described in our Eurocrypt 85 paper to determine whether DES is a pure cipher. We also carried out a stronger version of this test. (A cipher is pure if, for any keys $i$, $j$, $k$ , there exists some key $l$ such that $ T_ i T_j^{-1} T_k = T_l$ , where $T_w$ denotes encryption under key $w$ .) In addition, we followed the orbit of a randomly chosen DES transformation for $2^{36}$ steps, as well as the orbit of the composition of two of the ``weak key'' transformations. Except for the weak key experiment, our results are consistent with the hypothesis that DES acts like a set of randomly chosen permutations. In particular, our results show with overwhelming confidence that DES is not pure. The weak key experiment produced a short cycle of about $2^{33}$ steps, the consequence of hitting a fixed point for each weak key. }, }