IBM's original S-Boxes for DES?

Dave Howe DaveHowe at
Tue Oct 5 12:32:07 EDT 2004

Steven M. Bellovin wrote:
> It was only to protect against differential cryptanalysis; they did not 
> know about linear cryptanalysis.  
   More accurately, they didn't protect against linear cryptanalysis - 
there is no way to know if they knew about it and either didn't want to 
make changes to protect against that (they weakened the key, so may have 
wished to keep *some* attacks viable against it to weaken it still 
further), had to choose (against *either* differential or linear, as 
they didn't know how to protect against both) or simply the people doing 
the eval on DES didn't know, as it was rated above their clearance level.
   We only have a single event to go from (that DES was indeed protected 
against one not the other) so can't really judge motivation or knowledge.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list