IBM's original S-Boxes for DES?
Dave Howe
DaveHowe at gmx.co.uk
Tue Oct 5 12:32:07 EDT 2004
Steven M. Bellovin wrote:
> It was only to protect against differential cryptanalysis; they did not
> know about linear cryptanalysis.
More accurately, they didn't protect against linear cryptanalysis -
there is no way to know if they knew about it and either didn't want to
make changes to protect against that (they weakened the key, so may have
wished to keep *some* attacks viable against it to weaken it still
further), had to choose (against *either* differential or linear, as
they didn't know how to protect against both) or simply the people doing
the eval on DES didn't know, as it was rated above their clearance level.
We only have a single event to go from (that DES was indeed protected
against one not the other) so can't really judge motivation or knowledge.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list