IBM's original S-Boxes for DES?
james hughes
hughejp at mac.com
Mon Oct 4 21:07:15 EDT 2004
In a personal interview with Walt Tuchman (IBM at the time, worked for
StorageTek when I met him, now retired) he described the process for
creating the s-boxes. A set of mathematical requirements were created
and candidate s-boxes meeting these requirements would be printed out
on a regular basis. The process ran over a weekend on a 360/195 and the
results were given to the ASIC developers to determine which would
result in the smallest ASIC size. One was selected by them. I was told
that after the requirements were set, NSA did not have a hand in
selecting the final S-Boxes.
jim
http://www.stortek.com/hughes
On Sep 30, 2004, at 12:25 PM, Steven M. Bellovin wrote:
> In message <1096535230.415bccbe98ef6 at webmail1.ec.auckland.ac.nz>,
> Nicolai Moles
> -Benfell writes:
>> Hi,
>>
>> A number of sources state that the NSA changed the S-Boxes (and
>> reduced the ke
>> y
>> size) of IBM's original DES submission, and that these change were
>> made to
>> strengthen the cipher against differential/linear/?? cryptanalysis.
>>
>> Does anybody have a reference to, or have an electronic copy of these
>> original
>> S-Boxes?
>>
>
> It was only to protect against differential cryptanalysis; they did not
> know about linear cryptanalysis. See Don Coppersmith, The Data
> Encryption
> Standard (DES) and its strength against attacks, IBM Journal of
> Research
> and Development, Vol. 38, n. 3, pp. 243-250, May 1994.
>
>
> --Steve Bellovin, http://www.research.att.com/~smb
>
>
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to
> majordomo at metzdowd.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list