@InProceedings{KRS85b,
author = {Kaliski, Jr., Burton S. and Ronald L. Rivest and Alan T. Sherman },
title = { Is {DES} a pure cipher? (Results of more cycling experiments
on {DES}) (Preliminary Abstract) },
pages = { 212--226 },
OPTurl = { http://dx.doi.org/10.1007/3-540-39799-X_17 },
doi = { 10.1007/3-540-39799-X_17 },
booktitle = { Advances in Cryptology---CRYPTO '85 Proceedings },
date = { 1985 },
isbn = { 978-3-540-16463-0 },
publisher = { Springer },
editor = { Hugh C. Williams },
series = { Lecture Notes in Computer Science },
volume = { 218 },
OPTyear = { 1985 },
OPTmonth = { August 18--22, },
eventdate = { 1985-08-18/1985-08-22 },
eventtitle = { CRYPTO '85 },
venue = { Santa Barbara, California },
organization = { IACR },
keywords = { birthday paradox, closed cipher, cryptanalysis, cryptography, cryptology,
cycle-detection algorithm, data encryption standard (DES), finite permutation
group, idempotent cryptosystem, multiple encryption, pure cipher
},
abstract = {
During summer 1985, we performed eight cycling
experiments on the Data Encryption Standard (DES) to
see if DES has certain algebraic weaknesses. Using
special-purpose hardware, we applied the cycling
closure test described in our Eurocrypt 85 paper to
determine whether DES is a pure cipher. We also
carried out a stronger version of this test. (A
cipher is pure if, for any keys $i$, $j$, $k$ , there
exists some key $l$ such that
$ T_ i T_j^{-1} T_k = T_l$ ,
where $T_w$ denotes encryption under key $w$ .) In
addition, we followed the orbit of a randomly chosen
DES transformation for $2^{36}$ steps, as well as the
orbit of the composition of two of the ``weak key''
transformations. Except for the weak key experiment,
our results are consistent with the hypothesis that
DES acts like a set of randomly chosen
permutations. In particular, our results show with
overwhelming confidence that DES is not pure. The
weak key experiment produced a short cycle of about
$2^{33}$ steps, the consequence of hitting a fixed point
for each weak key.
},
}