This is, I believe, the state of the art in published techniques to break DES. Note that this attack is basically useless against one-time or short-lived keys, since there's no chance to make repeated chosen plaintext attacks against the key. Short form: If you can get me to encrypt 2**37 plaintexts *of* *your* *choice* against my key, you can crack it. Marc This info is forwarded from a friend. Eli Biham and Adi Shamir, "Differential Cryptanalysis of the full 16-round DES," December 19, 1991. The paper was announced in Dec. '91 on the net, and paper copies circulated from people who had gotten copies directly from Biham & Shamir. The paper was submitted to Crypto '92 and presented there on August 20, 1992. The Crypto '92 proceedings will be published by Springer-Verlag at some point, so you could also reference it this way: {\sl E.~Biham and A.~Shamir}, Differential Cryptanalysis of the full 16-round DES, {\sl Advances in Cryptology: Proceedings of Crypto '92}, E.~Brickell, ed., {\sl Lecture Notes in Computer Science}, Springer-Verlag, New York, to appear. Biham is at Technion - Israel Inst. of Tech. Shamir is at Weizmann Inst. of Science. I don't know of an FTP site where the paper is available.