[Cryptography] check-summed keys in secret ciphers?

Bill Frantz frantz at pwpconsult.com
Mon Sep 30 20:23:06 EDT 2013

On 9/30/13 at 2:07 PM, leichter at lrw.com (Jerry Leichter) wrote:

>People used to wonder why NSA asked that DES keys be 
>checksummed - the original IBM Lucifer algorithm used a full 
>64-bit key, while DES required parity bits on each byte.  On 
>the one hand, this decreased the key size from 64 to 56 bits; 
>on the other, it turns out that under differential crypto 
>attack, DES only provides about 56 bits of security anyway.  
>NSA, based on what we saw in the Clipper chip, seems to like 
>running crypto algorithms "tight":  Just as much effective 
>security as the key size implies, exactly enough rounds to 
>attain it, etc.  So *maybe* that was why they asked for 56-bit 
>keys.  Or maybe they wanted to make brute force attacks easier 
>for themselves.

The effect of NSA's work with Lucifer to produce DES was:

   DES was protected against differential cryptanalysis without 
making this attack public.

   The key was shortened from 64 bits to 56 bits adding parity bits.

I think the security side of NSA won here. It is relatively easy 
to judge how much work a brute force attack will take. It is 
harder to analyze the effect of an unknown attack mode. DES 
users could make a informed judgment based on $$$, Moore's law, 
and the speed of DES.

Cheers - Bill

Bill Frantz        | Privacy is dead, get over    | Periwinkle
(408)356-8506      | it.                          | 16345 
Englewood Ave
www.pwpconsult.com |              - Scott McNealy | Los Gatos, 
CA 95032

More information about the cryptography mailing list