FW: How far is the NSA ahead of the public crypto community?

ian.farquhar at rsa.com ian.farquhar at rsa.com
Fri May 9 02:07:12 EDT 2008

> The impressively well-engineered
> resistance of DES to differential cryptanalysis (apparently called the
> "tickle attack" on the inside years before Biham and Shamir's result)

That was IBM's name for DC; it wasn't the NSA's name.

In the late 90's I asked a DSD (Australian NSA) officer what the UKUSA
nations called DC, and he thought about it, then declined to answer.
However, a certain well known cryptographer who has done some work with
the NSA told me that they called it "Directional Derivative".

I asked the abovementioned DSD officer when the UKUSA nations discovered
DC.  Again he paused to think, and then said that he believed that Gus
Simmons had publicly said that the NSA was aware of the technique in
1965 or so.  Despite considerable research, I've been unable to locate
any evidence of Simmons saying that.  It is, however, feasible within
the timeline of what is known and implied about their cipher
development.  Before the mid-60's, hardware implementations of block
ciphers would have been largely impractical anyway.

I do have to comment, however, that this particular DSD officer chose
his words carefully in answering the question.  Specifically, he told me
what Simmons said (at least in his memory), as opposed to "we discovered
it in 1965".  This particular officer was responsible for crypto export
control in Oz, and was a hardline anti-export warrior.  He never
directly lied, but in true "Yes Minister" fashion, he was regularly
"economical with the truth" and quite linguistically tricky.  With him,
one quickly learned to listen to what he exactly said, not what he was
trying to imply.  :)

If anyone else can confirm his claim about Simmons, I'd like to read the
full text.


The Cryptography Mailing List