On 9/30/13 at 2:07 PM, leich...@lrw.com (Jerry Leichter) wrote:
People used to wonder why NSA asked that DES keys be
checksummed - the original IBM Lucifer algorithm used a full
64-bit key, while DES required parity bits on each byte. On
the one hand, this decreased the key size from 64 to 56 bits;
on the other, it turns out that under differential crypto
attack, DES only provides about 56 bits of security anyway.
NSA, based on what we saw in the Clipper chip, seems to like
running crypto algorithms "tight": Just as much effective
security as the key size implies, exactly enough rounds to
attain it, etc. So *maybe* that was why they asked for 56-bit
keys. Or maybe they wanted to make brute force attacks easier
for themselves.
The effect of NSA's work with Lucifer to produce DES was:
DES was protected against differential cryptanalysis without
making this attack public.
The key was shortened from 64 bits to 56 bits adding parity bits.
I think the security side of NSA won here. It is relatively easy
to judge how much work a brute force attack will take. It is
harder to analyze the effect of an unknown attack mode. DES
users could make a informed judgment based on $$$, Moore's law,
and the speed of DES.
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz | Privacy is dead, get over | Periwinkle
(408)356-8506 | it. | 16345
Englewood Ave
www.pwpconsult.com | - Scott McNealy | Los Gatos,
CA 95032
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
