In a personal interview with Walt Tuchman (IBM at the time, worked for StorageTek when I met him, now retired) he described the process for creating the s-boxes. A set of mathematical requirements was created and candidate s-boxes meeting these requirements would be printed out on a regular basis. The process ran over a weekend on a 360/195 and the results were given to the ASIC developers to determine which would result in the smallest ASIC size. One was selected by them. I was told that after the requirements were set, NSA did not have a hand in selecting the final S-Boxes.

jim
http://www.stortek.com/hughes


On Sep 30, 2004, at 12:25 PM, Steven M. Bellovin wrote:

In message <[EMAIL PROTECTED]>, Nicolai Moles-Benfell writes:
Hi,

A number of sources state that the NSA changed the S-Boxes (and reduced the key
size) of IBM's original DES submission, and that these changes were made to
strengthen the cipher against differential/linear/?? cryptanalysis.


Does anybody have a reference to, or have an electronic copy of these original
S-Boxes?



It was only to protect against differential cryptanalysis; they did not
know about linear cryptanalysis. See Don Coppersmith, The Data Encryption
Standard (DES) and its strength against attacks, IBM Journal of Research
and Development, Vol. 38, n. 3, pp. 243-250, May 1994.



--Steve Bellovin, http://www.research.att.com/~smb



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

