[Cryptography] NSA versus DES etc.... was: iOS 8

John Denker jsd at av8n.com
Tue Sep 23 17:36:27 EDT 2014


On 09/23/2014 09:50 AM, ianG remarked:

> I think it is important to keep mining this 'event' because how the
> threat actor acted with DES gives us a window on how they will act in
> the future. 

Agreed.  See further "mining" below.



On 09/21/2014 06:13 AM, Jerry Leichter wrote:

> NSA always claimed that they didn't design DES - IBM did. 

I never said NSA "designed" DES.  I said they weakened it.

FWIW, they're not even pretending otherwise anymore.
See e.g. page 232 of reference [1].

>  All NSA did was change the S boxes and drop the key from 64 to 56 bits.

Isn't that enough?

IBM wanted a longer key.  NSA wanted a much shorter key.
They compromised on 56 bits.  Reference [1].  Also implied
by reference [2].

  Very hypothetically and temporarily *IF* we compare DES
  to a 64-bit cipher with random S-boxes, DES is stronger 
  with respect to differential cryptanalysis but weaker 
  with respect to brute force.  Indeed according to Adi 
  Shamir, DES is about as strong as 128-bit Lucifer.

Non-hypothetically, I don't care.  That's not the right 
comparison to be making.  One of the most fundamental 
principles of reasoning is to consider /all/ of the
plausible options.  It would have been straightforward 
to strengthen Lucifer against differential cryptanalysis 
without shortening the key.

As it says in reference [1], quoting none other than Frank
Rowlett,
  "in the long run it is more important to secure one's own 
  communications than to exploit those of the enemy."
Alas the NSA seems to get this wrong again and again and 
again.

On 09/23/2014 05:29 AM, Nicholas Bohm wrote:

>> With any luck their adversaries would have picked up on these 
>> hints, and been successfully bluffed into retaining their existing systems 
>> rather than moving to the new ones.
>>
>> It could be that those who still maintain that the NSA undermined the DES for 
>> their own advantage are the evidence of the success of a well-executed bluff.

Well executed?  I very much doubt it.  It sounds like an 
awfully foolish gambit to me.  I attribute to the NSA an 
immense budget and some highly skilled cryptologists, but
I don't give them credit for being able to predict the 
actions of other people.

At the time, any sane person would have expected such 
a gambit to backfire ... and all available evidence 
suggests that it did backfire.  The ones who were most 
hurt by weakening DES were outfits like US banks who felt 
constrained by regulation to use DES, who trusted NSA to 
get it right, and were too clueless to superencrypt.

In contrast, when playing chess or doing high-stakes 
crypto, you should not assume that your main adversary 
is clueless.

Specifically, at the time (mid 1970s) the microelectronics
revolution was in full swing.  DES was allegedly constrained
to "just barely" fit on a single chip.  So in accordance with
Moore's law, all you needed to do was wait a couple of years 
and then implement a scaled-up version on a single chip ... 
or implement the algorithm in software on a microprocessor.

This is more-or-less what happened.  Hint: GOST.  Soviet 
chip fabrication was years behind the US, but there was 
nothing to prevent them from buying microprocessors by
the bagful.  The last time I checked, GOST (very unlike 
DES) was unbreakable in practice even today.
  http://www.iacr.org/workshops/fse2012/FSEpreproceedings/PDF/total.pdf

Then superencrypt with bog-standard DES on the off chance
that the NSA was actually adhering to Rowlett's dictum
for once ... and so you can say to the banking regulators 
yeah, sure, I used the approved DES.

Also superencrypt with whatever you were using before,
be it a fancy rotor machine or whatever, on the off 
chance that there might be a systematic weakness in 
all Feistel ciphers.

To summarize:  The claim that DES was superior to this-
or-that straw man is irrelevant and deceptive.  Better 
ciphers were available at the time.  Proof by construction.

=====================================
Useful references:

[1]   Thomas R. Johnson
      "American Cryptology during the Cold War; 1945-1989"
      Center For Cryptologic History / National Security Agency (1998)
      http://www.nsa.gov/public_info/_files/cryptologic_histories/cold_war_iii.pdf


[2]   Michael Schwartzbeck
      "The Evolution of US Government Restrictions on
      Using and Exporting Encryption Technologies"
      From "Studies in Intelligence"  (the secret internal CIA magazine)
      (date not obvious;  circa 1998)
      http://www.foia.cia.gov/sites/default/files/DOC_0006122418.pdf
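The two technical points in the message above, that GOST could simply be run in software on a bought-in microprocessor, and that a cautious user would superencrypt under independent keys, are illustrated by the following added example. It is not code from the post, from the FSE 2012 paper it links, or from any standard GOST implementation. Assumptions of my own: the S-box set is the one published as the GOST R 34.11-94 "test parameters" set (transcribed from memory and checked only for the permutation property), subkeys and block halves are taken little-endian, S-box row i acts on the i-th least-significant nibble, and GOST stands in for both layers of the cascade where the post's scenario would put DES on the outside. Single-block (ECB) calls only, to keep the demo to the cipher itself.

```python
"""GOST 28147-89 block cipher (64-bit block, 256-bit key, 32 Feistel rounds)
in pure Python, plus a two-layer superencryption wrapper.

Added example, not code from the post. Assumptions: the S-box set is the
GOST R 34.11-94 test-parameter set (from memory; only the permutation
property is checked), little-endian subkeys and block halves, S-box row i
on the i-th least-significant nibble. Block-at-a-time (ECB) for the demo."""

MASK32 = 0xFFFFFFFF

SBOX = [
    [4, 10, 9, 2, 13, 8, 0, 14, 6, 11, 1, 12, 7, 15, 5, 3],
    [14, 11, 4, 12, 6, 13, 15, 10, 2, 3, 8, 1, 0, 7, 5, 9],
    [5, 8, 1, 13, 10, 3, 4, 2, 14, 15, 12, 7, 6, 0, 9, 11],
    [7, 13, 10, 1, 0, 8, 9, 15, 14, 4, 6, 12, 11, 2, 5, 3],
    [6, 12, 7, 1, 5, 15, 13, 8, 4, 10, 9, 14, 0, 3, 11, 2],
    [4, 11, 10, 0, 7, 2, 1, 13, 3, 6, 8, 5, 9, 12, 15, 14],
    [13, 11, 4, 1, 3, 15, 5, 9, 0, 10, 14, 7, 6, 8, 2, 12],
    [1, 15, 13, 0, 5, 7, 10, 4, 9, 2, 3, 14, 6, 11, 8, 12],
]


def _f(x: int, k: int) -> int:
    """Round function: add subkey mod 2^32, eight 4-bit S-boxes, rotate left 11."""
    x = (x + k) & MASK32
    y = 0
    for i in range(8):
        y |= SBOX[i][(x >> (4 * i)) & 0xF] << (4 * i)
    return ((y << 11) | (y >> 21)) & MASK32


def _subkeys(key: bytes) -> list:
    """Split a 256-bit key into eight 32-bit subkeys k0..k7 (no key mixing at all)."""
    if len(key) != 32:
        raise ValueError("GOST 28147-89 key must be 32 bytes (256 bits)")
    return [int.from_bytes(key[4 * i:4 * i + 4], "little") for i in range(8)]


# Encryption uses k0..k7 three times, then k7..k0 once; decryption is the
# same network with the subkey sequence reversed.
ENC_ORDER = list(range(8)) * 3 + list(range(7, -1, -1))
DEC_ORDER = ENC_ORDER[::-1]


def _crypt_block(block: bytes, subkeys: list, order: list) -> bytes:
    if len(block) != 8:
        raise ValueError("block must be 8 bytes")
    n1 = int.from_bytes(block[:4], "little")
    n2 = int.from_bytes(block[4:], "little")
    for i, ki in enumerate(order):
        if i < 31:
            n1, n2 = n2 ^ _f(n1, subkeys[ki]), n1   # Feistel round with swap
        else:
            n2 ^= _f(n1, subkeys[ki])               # final round: no swap
    return n1.to_bytes(4, "little") + n2.to_bytes(4, "little")


def gost_encrypt_block(block: bytes, key: bytes) -> bytes:
    return _crypt_block(block, _subkeys(key), ENC_ORDER)


def gost_decrypt_block(block: bytes, key: bytes) -> bytes:
    return _crypt_block(block, _subkeys(key), DEC_ORDER)


def superencrypt_block(block: bytes, inner_key: bytes, outer_key: bytes) -> bytes:
    """Cascade under two independent keys: the outer layer only ever sees the
    inner layer's ciphertext. In the post's scenario the outer layer would be
    DES (for the regulators); GOST stands in for it here (assumption)."""
    return gost_encrypt_block(gost_encrypt_block(block, inner_key), outer_key)


def superdecrypt_block(block: bytes, inner_key: bytes, outer_key: bytes) -> bytes:
    return gost_decrypt_block(gost_decrypt_block(block, outer_key), inner_key)


def sboxes_are_permutations() -> bool:
    """Sanity check on the transcribed parameter set: each row is a bijection on 0..15."""
    return all(sorted(row) == list(range(16)) for row in SBOX)


if __name__ == "__main__":
    key = bytes(range(32))            # constructed demo key, not a real one
    pt = b"DES56bit"                  # one 64-bit block of constructed plaintext
    ct = gost_encrypt_block(pt, key)
    print(ct.hex(), gost_decrypt_block(ct, key))
```

The whole cipher is integer adds, table lookups, XORs and rotates, which is the point of the post's "buy microprocessors by the bagful" remark: nothing here needed a domestic chip fab. Note also that the key schedule does no mixing at all, so the 256-bit key is used directly and the S-box table is a secret or semi-secret parameter in its own right.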


