On 9/04/13 03:43 AM, Jeffrey Goldberg wrote:
On Apr 8, 2013, at 7:38 AM, ianG <i...@iang.org> wrote:
We all know stories. DES is now revealed as interfered with, yet for decades
we told each other it was just parity bits.
But it turned out that the interference was to make it *stronger* against
attacks, differential cryptanalysis, that only the NSA and IBM knew about at
the time.
That's what we all believed. From Wikipedia (I haven't checked the
primary references):
======================
In contrast, a declassified NSA book on cryptologic history states:
In 1973 NBS solicited private industry for a data encryption
standard (DES). The first offerings were disappointing, so NSA began
working on its own algorithm. Then Howard Rosenblum, deputy director for
research and engineering, discovered that Walter Tuchman of IBM was
working on a modification to Lucifer for general use. NSA gave Tuchman a
clearance and brought him in to work jointly with the Agency on his
Lucifer modification."[8]
and
NSA worked closely with IBM to strengthen the algorithm against all
except brute force attacks and to strengthen substitution tables, called
S-boxes. Conversely, NSA tried to convince IBM to reduce the length of
the key from 64 to 48 bits. Ultimately they compromised on a 56-bit key.[9]
========================
http://en.wikipedia.org/wiki/Data_Encryption_Standard#NSA.27s_involvement_in_the_design
Conclusion? We wuz tricked! In their own words, they managed the
entire process, and succeeded in convincing everyone that they did not.
And they made it weaker where they held the advantage: budget to
crunch. Last two sentences, above.
If history is a guide, weakness that TLAs insist on are transparent. They are
about (effective) key size.
Indeed. Notice the subtlety of their attack: it is brutally simple.
We others focus on elegance, and dismiss the simplistic.
Cognitive dissonance?
They focussed on mission, and used asymmetry of crunch strength. Recall
that, in the old days, no other country could muster the budget and
technology that they could.
We have no way to know whether this will continue to be the case, but I'd
imagine that the gap in knowledge between the NSA and the academic community
diminishes over time; so that makes me think that they'd be even more reluctant
to try to slip in a hidden weakness today than in 1975.
Possibly. In terms of algorithms, I don't think there has been a case
where they've deliberately weakened the algorithm. OTOH, in terms of
key strength, they have been very very finessed. Remember Skipjack?
The comments at the time was that the key strength was beautifully
aligned - right at the edge. 80 bit keys where the open community had
already concluded 128 was the target. Which meant that if there was to
be an advantage, all that was left was: budget in crunching.
iang
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography