Linear Cryptanalysis Method for

DES Cipher
Mitsuru Matsui
Computer & Information Systems Laboratory
Mitsubishi Electric Corporation
5-1-1, Ofuna, Kamakura, Kanagawa 247, Japan
Email matsui8mmt.isl.melco.co.jp

Abstract
We introduce a new method for cryptanalysisof DES cipher, which is essentially
a known-plaintext attack. As a result, it is possible to break 8-round DES cipher
with 22' known-plaintexts and 16-round DES cipher with 2" known-plaintexts,
respectively. Moreover, this method is applicable to an only-ciphertext attack
in certain situations. For example, if plaintexts consist of natural English sen-
tences represented by ASCII codes, 8-round DES cipher is breakable with Z2'
ciphertexts only.

1 Introduction
Differential Cryptanalysis has been one of main topics in cryptology since the first
paper by Biham and Shamir in 1990 [l]. They have broken FEAL cipher in the
subsequent paper [2], and recently succeeded in breaking the full Ibround DES cipher
by a chosen-plaintext attack [3].
Although Differential Cryptanalysis is a technique for a chosen-plaintext attack,
it is more noteworthy that it can be applied to a known-plaintext attack on condition
that sufficiently many plaintexts are available.
On the other hand, several new approaches t o known-plaintext attacks have been
also studied in special cases. As regards FEAL cipher, for example, Tardy-Corfdir
and Gilbert have presented a statistical method to break FEAL-4 and FEAL-6 [4],
and Matsui and Yamagishi have described a deterministic method to break FEAL-8
by a known-plaintext attack [S], respectively.
In this paper we introduce an essentially known-plaintext attack of DES cipher.
The purpose of this method is to obtain a linear approximate expression of a given
cipher algorithm. For this purpose, we begin by constructing a statistical linear path
between input and output bits of each Sbox. Then we extend this path to the entire
algorithm, and finally reach a linear approximate expression without any intermediate
value.

T. Helleseth (Ed.): Advances in Cryptology - EUROCRYPT '93, LNCS 765, pp. 386-397, 1994.
0 Spnnger-Verlag Berlin Heidelberg 1994
 Our main results on the known-plaintext attack of DES cipher are as follows. The
experiments were implemented with C language programs on HP9750 workstation
computer (PA-RISC/66MHz).
0 ground DES is breakable with 221 known-plaintexts in 40 seconds;

0 12-round DES is breakable with 233known-plaintexts in 50 hours;

0 16-round DES is breakable with 2'' known-plaintexts faster than an exhaustive
search for 56 key bits.
Generally speaking, there exist many linear approximate expressions for a given cipher
algorithm. Moreover, if plaintexts are not random, we may even find an expression
which has no plaintext bit in it. This suggests that our method finally leads to an
only-ciphertext attack. As regards the only-ciphertext attack of DES cipher, we have
obtained the following results.
0 If plaintexts consist of natural English sentences represented by ASCII codes,
ground DES is breakable with zZpciphertexts only;

0 If plaintexts consist of random ASCII codes, ground DES is breakable with 2''
ciphertexts only.
We shall also illustrate a situation in which 16-round DES is still breakable faster
than an exhaustive search for 56-bit keys by the only-ciphertext attack.

2 Preliminaries

wp
Figure 1 shows a data randomization part of DES cipher. We omit the initial permu-
tation IP a,pd the final permutation IP-' unless otherwise indicated. The following
notations are used throughout this paper, where the right most bit is referred to as
the zero-th bit.

P
C : The 64-bit
corresponding
plaintext.
64-bit ciphertext. F I (11,K 1
PH : The left 32-bit of P.
PL : The right 32-bit of P. Kz
F z (xa K z
CH : The left 32-bit of C. Fz
CL : The right 32-bit of C.
Xi : The 32-bit intermediate value
in the i-th round.
Ki : The 48-bit subkey in the i-th round.
&(Xi, X i ) : The i-th round F-function.
A[i] : The i-th bit of A.
+-$Y
C"
F n (Xnv Kn

C
A[i,j,...,k] : A[i]@ A [ j ] @ ,...,e A [ k ] .
[Fiz. 11 D E S c i p h e r
 388

3 Principle of Linear Cryptanalysis

The purpose of Linear Cryptanalysis is to find the following “effective” linear expres-
sion for a given cipher algorithm:
~ [ ~ ~ l ~ ~ l . . l =~ ~ [~~ ll, k~2 , .~. I k~ c l~, l ~ ~ l . . (1), ~ ~ J
where i l , io, ..,i,, j1,ja,..,j b and kl,k2, ..,k, denote fixed bit locations, and equation (1)
holds with probability p # 1/2 for randomly given plaintext P and the corresponding
ciphertext C. The magnitude of Ip - 1/21 represents the effectiveness of equation (1).
Once we succeed in reaching an effective linear expression, it is possible to deter-
mine one key bit K[kl, k2, ..,,,] by the following algorithm based on the maximum
likelihood method:
Algorithm 1
Step1 Let T be the number of plaintexts such that the left side of equation (1) is
equal to zero.
Step2 If T > N / 2 (N denotes the number of plaintexts),
then guess K [ k l , k2, ..,k,] = 0 (when p > 1/2) or 1 (when p < 1/2),
else guess K[kl, k2, ..,k,] = 1 (when p > 1/2) or 0 (when p < 1/2).

-
The success rate of this method clearly increases when N or ( p 1/21 does. We now
refer to the most effective linear expression (i.e. Ip - 1/21 is maximal ) &s the best
expression and the probability p as the best probability. Then our main concern is
the following:
P1 How to find effective linear expressions.
P2 An explicit description of the success rate by N and p.
P3 A search for the best expression and a calculation of the best probability.
The first aim of this paper is to solve these problems for DES cipher. For this purpose,
we begin by studying linear approximations of S-boxes in Chapter 4, and will reach
an effective linear expression in Chapter 5. In this stage, the success rate will be
also shown in Lemma 2. As for the search problem, which was solved by a computer
program, we summarize the results in the annex.

For a practical known-plaintext attack of n-round DES cipher, we make use of the
best expression of (n-])-round DES cipher; that is to say, regarding the final round
as having been deciphered using Kn, we accept a term of F-function in the linear ex-
pression. Consequently, we obtain the following type of expression which holds with
the best probability of (n-1)-round DES cipher:
f“ii, i 2 , ..,4 @ C[jl,jz, ..,jb] J’n(CL, Kn)[hj11, -, k p , ..,kc].
= K[ki, (2)
If one substitutes an incorrect candidate for K,,in equation (2), the effectiveness of
this equation clearly decreases. Therefore, the following maximum likelihood method
can be applied to deduce K,,and K[kl,k l , ..,kc]:
 389

Algorithm 2
Step1 For each candidate K$)( i = 1,2, ...) of K,, let T be the number of plaintexts
such that the left side of equation (2) is equal to zero.

S t e p 2 Let Tma=be the maximal value and Tminbe the minimal value of all Z's.

If ITm.=-N/21 > ITmin-N/21, then adopt the key candidate corresponding

to T,,, and guess K[ki,kt, ..,k,] = 0 (when p > 1/2) or 1 (when p < 1/2).
-
If ITmo.- N / 2 ) < lTmin N/2), then adopt the key candidate corresponding
to Tminand guess K [ k l ,kt, ..,k,] = 1 (when p > 1/2) or 0 (when p < 1/2).

The success rate of this method will be discussed in Lemma 4 and Lemma 5.
The next aim of this paper is to consider the case where plaintexts are not random.
Assume that, for example, the probability that P[il,6, ..,i.] = 0 is not equal t o 1/2.
Then even if we eliminate the term P[il,6 ,..,].i fiom equation (2), the resultant
equation may be still effective. This concludes that Algorithm 2 can be directly
applied to an only-ciphertext attack of DES cipher.
We will study the known-plaintext attack of DES cipher in Chapter 6 and develop
the only-ciphertext attack procedure in Chapter 7.

4 Linear Approximation of S-boxes

In this section we study linear approximation of S-boxes. Similar motivation can be
found in articles of Shamir [S] and Rueppel [7]. Our first approach is to investigate
the probability that a value on an input bit coincides with a value on an output bit.
More generally, it is useful to deal with not only one bit position but also an XORed
value of several bit positions. We now start with the following definition:

Definition 1 For given S-bot S, (a = 1,2,..,8), 1 5 a 5 63 and 1 5 B 5 15, we

define NS,(a,@) as the number of times out of 64 input patterns of S,, such that
an XORed value of the input bits masked by cr coincides with an XORed value of the
output bits masked 6y /3; that is to say,
5 5
N S ~ ( QP,) ' # { z I ~5 z < 64, (@(2[51
r=O
~[JI))
= (@(sa(z)[t]
t=O
~ [ t ] ) ) ) i (3)

where the symbol denotes a bitwise A N D operation.

Example 1
NS5(16,15) = 12. (4)

When NS,(a,B) is not equal to 32, we may say that there is a correlation between
the input and the output bits of S,. For example, equation (4) indicates that the
fourth input bit of S5 coincides with an XORed value of all output bits with prob-
ability 12/64 = 0.19. Consequently, taking account of the E expansion and the P
 390

permutation in F-function, we see the following equation which holds with probability
0.19 for fixed K and randomly given X:

X[15] @ P(X, K)[7,18,24,29] = K[22]. (5)

Table 1 describes part of distribution table of S-box S5, where the vertical and the
horizontal axes indicate a and /3 respectively, and each entry shows NS5(a,/3) - 32.
A complete table tells us that equation (4) is the most effective linear approximation
-
in all Sboxes 1i.e. INS,(a,/3) 321 is maximal ); therefore, equation (5) is the best
approximation of F-function.
The following Lemma is now trivial from the definition of S-boxes.

Lemma 1
(1) NS,(a,/3) is even.
(2) If LI = 1,32 or 33, then NS,,(a,/3) = 32 for all S, and /?.

1 2 3 4 5 6 7 8 9 1 0 1 1 1 2 1 3 1 4 1 5
1 ~ 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
21 4-2 2-2 2-4 0 4 0 2-2 2-2 0-4
3 I 0 -2 6 -2 -2 4 -4 0 0 -2 6 -2 -2 4 -4
41 2-2 0 0 2-2 0 0 2 2 4-4-2-2 0
5 1 2 2-4 010-6-4 0 2-10 0 4-2 2 4
6 I -2 -4 -6 -2 -4 2 0 0 -2 0 -2 -6 -8 2 0
71 2 0 2-2 8 6 0 - 4 6 0-6-2 0-6-4
8 1 0 2 6 0 0-2-6-2 2 4-12 2 6-4 4
9 I -4 6 -2 0 -4 -6 -6 6 -2 0 -4 2 -6 -8 -4
101 4 0 0-2-6 2 2 2 2-2 2 4-4-4 0
11 I 4 4 4 6 2 -2 -2 -2 -2 -2 2 0 -8 -4 0
12 I 2 0 -2 0 2 4 10 -2 4 -2 -8 -2 4 -6 -4
13 I 6 0 2 0 -2 4 -10 -2 0 -2 4 -2 8 -6 0
14 I 72 -2 0 -2 4 0 2 -2 0 4 2 -4 6 -2 -4
151-2-2 8 6 4 0 2 2 4 8-2 8-6 2 0
16 I 2 -2 0 0 -2 -6 -8 0 -2 -2 -4 0 2 10 -20
171 2-2 0 4 2-2-4 4 2 2 0-8-6 2 4
18 I -2 0 -2 2 -4 -2 -8 4 6 4 6 -2 4 -6 0
1 9 1 -6 0 2 -2 4 2 0 4 -6 4 2 -6 4 -2 0
201 4-4 0 0 0 0 0-4-4 4 4 0 4-4 0
211 4 0-4-4 4-8-8 0 0-4 4 8 4 0 4
221 0 6 6 2-2 4 0 4 0 6 2 2 2 0 0
23 I 4 -6 -2 6 -2 -4 4 4 -4 -6 2 -2 2 0 4
241 6 0 2 4-10-4 2 2 0-2 0 2 4-2-4
251 2 4 -6 0 -2 4 -2 6 8 6 4 10 0 2 -4
261 2 2-8-2 4 0 2-2 0 4 2 0-2-2 0
2 7 ) 2 6-4-6 0 0 2 6 8 0-2-4-6-2 0
281 0-2 2 4 0-6 2-2 6-4 0 2-2 0 0
29 I 4 -2 6 -8 0 -2 2 10 -2 -8 -8 2 2 0 4
30 I -4 -8 0 -2 -2 -2 2 -2 2 -2 6 4 4 4 0
31 I -4 8 -8 2 -6 -6 -2 -2 2 -2 -2 -8 0 0 -4
321 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

Table 1. A distribution table of S5 (part).

 391

5 Linear Approximation of DES Cipher

In this section we extend linear approximations of F-function to the entire algorithm.
The f i s t example is fround DES cipher (Figure 2). By applying equation (5) to the
first round, we see the following equation which holds with probability 12/64:
x#, 18,24,29] @ PH[~,
18,24,29] @ P~[15]= K1[22]. (6)
The same is true of the final round:
X2[7,18,24,29] @ C~[7,18,24,29]@ C~[15]= K3[22]. (7)
Consequently, we obtain the following linear approximate expression of fround DES
cipher by canceling common terms:

P.[7,18,24,29] @ C~[7,18,24,29]@ P~[15]@ C~[15]=E K1[22] @ K3[22]. (8)

The probability that equation (8) holds for given random plaintext P and the corre-
sponding ciphertext C is (12/64)2+(1-12/64)2=0.70. Since equation (5) is the best
linear approximation of F-function, equation (8) is the best expression of fround DES
cipher. We can now solve equation (8) to deduce K,[22] GI Ks[22] using Algorithm 1.
The following lemma describes the success rate of this method:
Lemma 2 Let N be the number of given random plaintext3 and p be the probability
that equation (1) holds, and assume Ip - 1/21 is sufficiently small. Then the success
rate of Algorithm 1 is

Table 2 shows a numerical calculation of expression (9).

. N 1 f ) p- 1 / 2 p I ;1p - 1 / 2 p I Ip - 1 / 2 p I 21p - 1/21‘)

success Rate I 84.1% I 92.1% I 97.7% I 99.8%
Table 2. The success rate of Algorithm 1.

Next, we show an example of h o u n d DES cipher (Figure 3). In this case, we apply
equation (5) to the second and fourth rounds, and the following linear equation (which
is deduced from N&(27,4) = 22) to the first and final rounds:

X[27,28,30,31] @ F ( X , K)[15] = K[42,43,45,46]. (10)

Then an easy calculation leads to a linear approximate expression of 5-round DES
cipher:
P~[15]@ P,5[7,18,24,27,28,29, 30,311 @ C~[15]@ C L [ 18,24,27,28,29,30,31]
~,
= Ki[42,43,45,46] @ K2[22] @ K,[22] @ K5[42,43,45,46]. (11)
The next lemma gives a simple method to calculate the probability that this type of
equation holds:
 392

Lemma 3 (Piling-up Lemma) Let Xi (1 5 i 5 n) be independent random variables

whose values are 0 with probability pi or 1 with probability 1 -pi. Then the probability
fhat XI @ X2 @ ...@ X,,= 0 is
n

This indicates that equation (11) holds with probability 1/2+23(-10/64)2(-20/64)2 =

0.519. Therefore, according to Lemma 2, if 10,519 - 1/2Ie2 = 2800 known-plaintexts
are given, one can guess the right side of the equation (11) with success rate 97.7%.
The annex shows a table of the best expression and the best probability of DES
cipher up to 20 rounds. Each entry describes from left to right, the number of round,
the best expression, the best probability and the linear approximation of F-function
used in each round. The sign '-'represents that no approximation is needed in the
round. Moreover, it should be noted that there are two best expressions in some
cases, which are indicated by sign '*' in the table, because DES cipher has the round
symmetry; that is, the other best expression is easily obtained by exchanging P and
K;with C and K ~ + l - i ,respectively.
It follows from this table that two key bits of 16-round DES can be deduced with
high success rate using 11.49 x 2-241-2 tr 2" known-plaintexts. In next chapter, we
will describe a method to derive more key bits at a time.

K3 3K=

c n v ' CL
C

[Fig, 21 3 - r o u n d D E S c i p h e r

[Fig. 31 5 - r o u n d D E S c i p h e r
 393

6 Known-Plaintext Attack of DES Cipher

We are now ready for a known-plaintext attack of DES cipher. Our first example is
8-round DES cipher. As mentioned in Chapter 3, we obtain the following 8-round
expression which holds with the 7-round best probability 0.5 1.95 x 2"": +
CB F~(CL,
P,1[7,18,24] @ p~[12,16]@ Ca[15] CB C~[7,18,24,29] K8)[15]
= KL[19,23] 8 K&2] @ K1[44] 8 K&[22]@ K7[22]. (13)

Although this equation contains 48-bit subkey Ka,the number of subkey bits which
Ka)[15]is only six, namely, K8[42]-K8[47]. Therefore,
essentially influences F~(CL,
we need 64 counters to carry out Algorithm 2. As regards the success rate of this
method, we c a prove the following lemma, which generalizes Lemma 2.
Lemma 4 Let N be the number of given random plaintezts and p be the probability
that equation (2) holds, and assume Ip - 1/21 is suficiently small. Then the success
rate of Algorithm 2 depends on 11,12, ...,l d , and a l p - 1/21 only.

Generally speaking, it is not easy to calculate numerically the accurate probability

above. However, under a condition it can be possible as follows.
Lemma 5 With the same hypotheses as Lemma 4,let g(') be the probability that the
following equation holds for a subkey candidate K i ) and a random variable X :

~ n ( x ~i n ) [ l l i12, lci] = Fn(X,~ : ) ) [ l l l l 2 , id]. (14)

Then ;f q(')'s are independent, the success rate of Algorithm 2 is

where the product is taken over all subkey candidates except Kn.

Although q(')'s are not independent in our situation, our experiments have shown that
Lemma 5 gives a practically good approximation of the success rate, as can be seen
in the following.
Now let d = 1 and ll = 15 in equation (2). Then a numerical calculation of
expression (15) is as follows.
N I 2(p- 1/21-' I 41p- 1/21-' I -
81p 1/21-2 1 1 6 1 ~ -1/21-2
Success Rate I 48.6% I 78.5% I 96.7% I 99.9%
Table 3. The success rate of Algorithm 2 by Lemma 5 ( d = 1, 11 = 15).

Since this method can be also applied to deduction of the subkey bits of the first round,
we finally obtain 14 subkey bits by carrying out Algorithm 2 twice with negligible
memory. It is easy to deduce the remaining key bits, and we omit the detail. Our
computer experiments indicate results better than Table 3: The program completes
 394

deriving the whole key bits in 20 seconds using 411.95 x2-l01-’ u known-plaintexts
and in 40 seconds using 811.95 x 2”01’2 2: 221 known-plaintexts. The success rate of
each attack is 88% and 99%, respectively.
The method to break 1Zround DES cipher is almost same as 8-round DES cipher.
We have succeeded in deriving the key completely in 50 hours using 811.91 x 2-’61’a 2:
2” known-plaintexts. Similarly, according to Lemma 4, it is possible to break 16-round
DES using 811.19 x2-=1-:, 21 247known-plaintexts by solving the following expression:
] ‘ C L [ l8,24,29]
&[7,18,24] @ P.[12,16] @ C ~ [ l 5 @ ~, @ F16(CLl K16)[15]
= Ki[19, 231 8 K3[22] @ K4[4] @ K5[22] @ K7[22] @ Ka[44] @
K0[22] @ K11[22] 8 Ki2[44] @ K13[22] @ K15[22]. (16)
Once finding 14 key bits, the remaining 42 key bits should be deduced exhaustively.
Then one can break l6-round DES cipher with negligibly small memory faster than
an exhaustive search for 56 key bits.

7 Only-Ciphertext Attack of DES Cipher

Now we apply Algorithm 2 to an only-ciphertext attack of DES cipher. We start
with an example of 8-round DES cipher again, which has a linear approximation
illustrated in Figure 4. Then we easily obtain the following expression which holds
+
with probability 1/2 2‘(-2/64)(4/64)’(-4/64)’ = 1/2 - 2-l’:

@ Fa(c~,
p~[27]@ Cn[27] @ CL[~] K8)[27]
= K2[1] @ Ks[8] @ K4[1] @ &[1] @ K7[8]. (17)
We note that P~[27]corresponds to the 39-th bit of the “real” plaintext before the
initial permutation IP. Therefore, assuming that the plaintexts consist of ASCII
codes, this bit must be equal to zero; that is, equation (17) has no plaintext bit.
In fact, under this assumption, a similar discussion to the previous chapter tells us
that seven key bits can be derived from equation (17) with high success rate using
812-”1-’ = ciphertexts only.
Moreover, assuming that the plaintexts consist of natural English sentences r e p
resented by ASCII codes, we can also make use of a linear approximation illustrated
in Figure 5. Then we easily see the following expression which holds with probability
+
1/2 25(-2/64)(-6/64)(10/64)(-20/64)3 = 1/2 - 1.83 x 2-12:

P’[7,18,24] 8 c&“18,24, 29,301 @ c ~ [ 1 5 EI

] Fs(CL, Ks)[30]
= Ka[22] @ K3[44] @ K4[22] @ K6[22] @ K+5] EI K.9[22]. (18)
We note that P~[7],&[18]and P~[24]correspond to the first, 45-th and 63-rd bit of the
“real” plaintext, respectively. As far as we know, when the plaintexts consist of natural
English sentences represented by ASCII codes, the probability of PL[~, 18,241 = 0 is at
most 0.35. Therefore, under this assumption, the linear expression which is obtained
 395

by eliminating &[7,18,24] from equation (18) holds with probability 1/2-2 x (0.35-
0.5) x 1.83 x 2-" = 1/2+ 1.10 x 2-l'. This indicates that seven key bits can be deduced
with high success rate using 811.10 x 2-'sI-2 2:2m uphertexts only.
Finally, we show a situation in which ldround DES cipher is still breakable faster
than an exhaustive search for 56 bits key. We now return to equation (16), which
contains five plaintext bits, and suppose that these bits are independently equal to
zero with probability 80% and all other plaintext bits are random. Then the linear
equation which is obtained by eliminating these five bits from equation (16) holds with
+ - +
probability 1/2 25(0.8 0.5)" x 1.19 x 2-22 = 1/2 1.48 x 2-26. This concludes that
seven key bits can be obtained with high success rate using 8 1 1 . 4 8 ~ 2 - ~ 1=
- ~1 . 8 2 2"
~
ciphertexts only.

P I /PL
K1 I K1

x5

+%s
I K8

CH1: C C H
C
V ' CL

[ F i g . 41 O n l y - C i p h e r t e x t [Fig, 51 O n l y - C i p h e r t e x t
A t t a c k o f 8 - r o u n d D E S (1) A t t a c k o f 8 - r o u n d DES (2)
 396

8 Concluding Remarks
We have introduced a new method for cryptanalysis of DES cipher. This method
has enabled us the first known-plaintext attack of the full 16-round DES cipher and
the initial step toward an only-ciphertext attack. To go more deeply into the only-
ciphertext attack, however, we have to deal with several problems resulting from
non-randomness of plaintexts. The detail discussion of this type of attack including
complete tables and proofs, which we have omitted for lack of space, will appear in
the full paper.

References
[l] E.Biham and A.Shamir, “Differential Cryptanalysis of DESlike Cryptosystems,”
Journal of Cryptology,Vol.4,pp.3-72,(1991).

[2] E.Biham and A.Shamir, “Differential Cryptanalysis of FEAL and N-Hash,”

-
Advances in Cryptology EUROCRYPT’SI, Lecture Notes in Computer Sci-
ence,Vo1.547, pp.l-16,( 1991).

[3] E.Biham and AShamir, “Differential Cryptanalysis of the full 16-round DES,”
CR YPTO ‘92 Eztended A Qstracts,pp. 12-1-12-5,( 1992).

[4]A.Tardy-Corfdir and H.Gilbert, “A Known Plaintext Attack of FEAL-4 and

-
FEAL-6,” Advances in Cryptology CRYPTO’91, Lecture Notes in Computer
Science,Vo1.576, pp. 172-182,( 1991).
[5] M.Matsui and A.Yamagishi, “A New Method for Known Plaintext Attack of
FEAL Cipher,” Advances in Cryptology - EUROCRYPT’92, Lecture Notes in
Computer Science,Vol.658, pp.81-91,( 1992).

[S] A.Shamir, “On the Security of DES,” Advances in Cryptology - CRYPT0’85,

Lecture Notes in Computer Science1Vol.2l8,pp.280-281,( 1985).

[7] R.A.Rueppe1, “Analysis and Design of Stream Ciphers,” Springer Verlag,( 1986).
 397

3 PH["] © fi.[15] © CH[a] © Ct[15) 1/2 + 1.56 x 2~ J k-l

*4 PH[«]®PI[1S]<BCH[1S]® CL[a,0] 1/2 - 1.95 x 2" s A-AB

= Kl[22\®K3\22\®KM
5 P H [ 1 5 ] © P L M ] © C H [ 1 5 ] © CL[a,0] 1/2 + 1.22 x J-* Bl-AB
= KM © Kt[22) © K,[22] © KM
*6 Pl|Sl©C H [a)®Ci[l5] 1/2 - 1.95 x 2~» -DC1-A
= Zj © AT6[22]
•7 PH[S\®Pill2,ie]®CH[a]® CrflS] 1/2 + 1.95 x 2" 10 E-DCi-1
= #,[19,23] ©Lj ffi/CT[22]
•8 PH[«]©PL[12.16]©CH[15]® Ci[tt,/3) 1/2 - 1.22 x 2" 11 E-DCA-AB
= Ki[19,23]ffiLj © KT(22] © KM
•9 P»[15]ffiPt^,flffiCK[15]© Ci[o,/3] 1/2 - 1.91 x 2 " " BD-DCA-AB
= KM © tfj["l © ^4 © ^.[22) © K9[-r)
•10 PiM©CH[cr)©Ci[l5] 1/2 - 1.53 x 2" 1S -ACD-DCA-A
= i j © U © ifio[22]
11 P«M © P£[15] © CH[c] © Ci[l5] 1/2 + 1.91 x 2 - " A-ACD-DCA-
= tf,[22]ffiLj©LT©#ii[22] A
*12 PH[a]ffiPi,[15]©CH[15]ffi C[cr,0) 1/2 - 1.19 x 2"17 A-ACD-DCA-
= K,[22] © U © LrffiK"n[22l © K^M AB
13 i^llSjffiPtlo.^ffiCHtlS]© CL[a,ft 1/2+1.49X2"1' BA-ACD-DCA
= /fiH © iC2[22] © L, © £, © tf,2[22] © ifuh] -AB
*14 Pi[«]ffiCH[o]ffiCt[l5] 1/2 - 1.19 x 2" 31 -DCA-ACD-D
= L,ffiL6©Iio©ifH[22] CA-A
*15 PH{6] © Pt[l2,16] © CH [a] ® CL(15] 1/2 +1.19 x 2" M E-DCA-ACD-
= ^[19,23] © L, © L 7 © i n ffi «"is[22j DCA-A
•16 PH|*]©Pi[12,16]©CH[l5]ffi C t [o,fl 1/2 - 1.49 x 2" 54 DCA-A
= if,[l9,23] ©L3 ©Lr©!,,, © K,s[22] © Kle[7] DCA-AB
•17 P H ( 1 5 ] ® P I . [ A « ] © C H | 1 5 ] © CL[a,P] 1/2 - 1.16 x 2" M DCA-AB
= Kt b) © ^j[22] © Z-4 © i» © i n © K1S122]ffi/fiT[7] -DCA-AB
*18 PiHffiC H HffiC t [i5] 1/2 - 1.86 x 2~M -DCA-AB
= In © L« © i i o © X-14 © /fu[22] CD-DCA-A
19 PH[O) © Pt(15] ffi CH(o)ffiCt[15] 1/2 + 1.16 x 2~M CD-DCI-A
= id|22] ffi Ls © I Tffi£ n ffi I i s ® «"u[22] ACD-DCA-A
•20 P H H ® P I | 1 5 ] ® C H | 1 5 ] © C£[o,/3] 1/2 - 1.46 x 2 " M ACD-DCA-A
= IC,[22] ffi L, © LT © i n © i i s ffi tfi»(22] © K-w[7] ACD-DCA-AB

A: , K)[7,18,24,29] = /<[22] p = a: 7,18,24,29

B: X[27,28,30,31] ffi F(X, K)[li] = A'[42,43,45,46] p= || a: 7,18,24,29
B: X[27,28,30,31]@F(X,K)[15] = Ir'[42,43,45,46] p =% 7: 42,43,45,46
C: X[29] @ F(X, IC)[l 1 8 , S ] = IC(44] p= $ 7: 7,18,24
E: *|12,16] ffiF(X,K)[7,18,24] = /<T[19,23] p = if 6:

Annex. The best expression and the best probability of DES cipher.