If there always existed a $k_3$ such that $\operatorname{DES}(k_2, \operatorname{DES}(k_1, M)) = \operatorname{DES}(k_3, M)$, how would that affect the security of $\operatorname{DES}$?
1 Answer
This question was tested years ago by Kaliski et al. in Is the Data Encryption Standard a group? (Results of cycling experiments on DES) as:
- Is DES closed under functional composition?
They applied the cycling test and concluded that DES is not a group. Therefore, we don't expect that $$\operatorname{DES}(k_2, \operatorname{DES}(k_1, M)) = \operatorname{DES}(k_3, M)$$
As noted in the article, if there were such a functional composition, then a known-plaintext attack with $2^{28}$ would be able to break DES, on average.
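Why closure under composition would matter, as an added example that is not part of the original answer or of the cited paper: on a toy cipher that is closed under composition, a birthday-style meet-in-the-middle search over known plaintext finds a key pair equivalent to the secret key after roughly the square root of the key space in trials (for a 56-bit key space that square root is $2^{28}$). The affine cipher, the modulus `P` and all function names are assumptions chosen for illustration, and the search deliberately treats `enc`/`dec` as black boxes.

```python
import random

P = 1009                 # toy prime modulus (constructed for this example)
KEYSPACE = P * (P - 1)   # number of keys (a, b), about 2^20

def enc(key, x):
    a, b = key
    return (a * x + b) % P

def dec(key, y):
    a, b = key
    return ((y - b) * pow(a, -1, P)) % P

def random_key(rng):
    return (rng.randrange(1, P), rng.randrange(P))

def birthday_attack(pairs, rng, table_size):
    """Find (ka, kb) with enc(ka, enc(kb, m)) == c for every known pair,
    using enc/dec only as black boxes. Returns (ka, kb, keys_tried)."""
    ms = [m for m, _ in pairs]
    cs = [c for _, c in pairs]
    # Forward half: encrypt the known plaintexts under random keys.
    table = {}
    for _ in range(table_size):
        kb = random_key(rng)
        table[tuple(enc(kb, m) for m in ms)] = kb
    # Backward half: decrypt the ciphertexts under random keys until
    # the middle values meet an entry of the table.
    trials = 0
    while True:
        trials += 1
        ka = random_key(rng)
        mid = tuple(dec(ka, c) for c in cs)
        if mid in table:
            return ka, table[mid], table_size + trials

def demo(seed=1):
    rng = random.Random(seed)
    secret = random_key(rng)
    # Two known plaintexts pin down one permutation of this toy group.
    pairs = [(m, enc(secret, m)) for m in (17, 400)]
    ka, kb, work = birthday_attack(pairs, rng, int(KEYSPACE ** 0.5))
    # The pair acts exactly like the secret key on every block.
    equivalent = all(enc(ka, enc(kb, x)) == enc(secret, x) for x in range(P))
    return equivalent, work

if __name__ == "__main__":
    print(demo(), "key space:", KEYSPACE)
```

Because the toy key set is a group, some `ka` always completes any `kb` to the secret permutation, so the search terminates; for a cipher that is not closed, as the cycling experiments indicate for DES, no such pair is guaranteed to exist within the single-key space.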