[Cryptography] An Open Source Analysis of NSA Cryptologic Capabilities

Ray Dillinger bear at sonic.net
Fri Sep 18 17:33:18 EDT 2015



On 09/18/2015 04:52 AM, Dave Howe wrote:

>   Not convinced all of that statement is true. It is now reasonably well
> established both that IBM knew about differential attacks and were asked
> to keep quiet about them, *and* that the NSA knew that when they
> strengthened DES against them. It would seem reasonable therefore that
> the NSA quietly strengthened DES against the attack because they knew it
> was no longer their own secret, and didn't trust it not to leak from
> IBM.  They could well have also known about linear, and not strengthened
> DES against that because they believed that knowledge was still
> restricted to themselves, hence strengthening against it would be a
> disclosure.

At IBM, if I recall correctly, it was known at the time, and called
the "tickle attack."

The NSA shortened DES keys, in part, because they had a mandate to
recommend a secure cipher for commercial use, and have a very specific
institutional definition of a "secure cipher:" i.e., one which is no
easier to break by any other means than it is by guessing keys.  They
saw a cipher which (once strengthened against differential
cryptanalysis) still had a 2^56 work factor to attack, and therefore
in order to make it a "secure" cipher they reduced the key to 56 bits
without telling anyone about the relevant attacks.  They could also
have strengthened it with more rounds to support the original key size
to create a "secure" cipher under this criterion, but they were able
to achieve their particular definition of "secure" by reducing the
key length instead.

It's arguable, IMO, that had they known about the linear cryptanalysis
attack they'd have reduced the key to 54 bits in order to satisfy the
same technical criterion.

Either way, I have a different notion of "secure cipher" than they
do, and it is more related to the work factor of the best attack than
it is to a match between the best attack and length of the key.  That
is, I count something with a 2^64 work factor attack as having 64-bit
security and something with a 2^56 work factor attack as having
56-bit security, even if the former has a 128-bit key and the latter a
56-bit key. Either, of course, is clearly inadequate today.

Today I prefer 128-bit security, and if I take the possibility of large
quantum computers seriously (a point on which I am not yet decided), I
will start to prefer 256-bit security instead.

That said, I distrust ciphers that were thought to have a higher level
of security when designed than they are known to have under the best
attack developed to date.  A discovered vulnerability, especially if
relatively recent, will often be extended to reduce security further.

					Bear

