"The Data Encryption Standard (DES)and its strength against attacks" by D. Coppersmith in IBM J. or R&D, v38#3, May 1994 pp243-250 ..in this paper, we examine one such attempt [to break DES], the method of differential cryptanalysis.... we show some of the safeguards against differential cryptanalysis that were built into the system from the beginning. Disclaimer: The present author participated in the design and test of DES, particularly in the design of the S-boxes and in strengthening them against differential cryptonalysis. Naturally , this author has strong opinions about DES and its history. Any opinions in this paper are those of the author and are not necessarily shared by IBM Let me strongly recommed this paper. It shows, quite graphically, just how tightly coupled some parts of DES are. You don't make up a good cipher by random bit-twiddling! (By contrast, I heard a presentation last week on the cryptanalysis of another cipher. It wasn't that strong a cipher -- 2^18 ciphertexts, 2^27 operations to crack it -- but it would have been far weaker had it not been for chance. The cipher had a right shift operation; originally, it was left unspecified if an arithmetic or logical right shift should be used. When different C compilers started producing different results, the inventor arbitrarily decided to standardize on arithmetic right shifts. It turns out that the other choice was far weaker -- but he didn't know that.)