[147367] in cryptography@c2.net mail archive
Re: [Cryptography] check-summed keys in secret ciphers?
daemon@ATHENA.MIT.EDU (Bill Frantz)
Mon Sep 30 20:40:10 2013
Date: Mon, 30 Sep 2013 17:23:06 -0700
From: Bill Frantz <frantz@pwpconsult.com>
To: cryptography@metzdowd.com
In-Reply-To: <F3FE40F2-01E8-4BDD-A9BA-7BACA4F5E2EB@lrw.com>
On 9/30/13 at 2:07 PM, leichter@lrw.com (Jerry Leichter) wrote:
>People used to wonder why NSA asked that DES keys be
>checksummed - the original IBM Lucifer algorithm used a full
>64-bit key, while DES required parity bits on each byte. On
>the one hand, this decreased the key size from 64 to 56 bits;
>on the other, it turns out that under differential crypto
>attack, DES only provides about 56 bits of security anyway.
>NSA, based on what we saw in the Clipper chip, seems to like
>running crypto algorithms "tight": Just as much effective
>security as the key size implies, exactly enough rounds to
>attain it, etc. So *maybe* that was why they asked for 56-bit
>keys. Or maybe they wanted to make brute force attacks easier
>for themselves.

The effect of NSA's work with Lucifer to produce DES was:

  DES was protected against differential cryptanalysis without
  making this attack public.

  The key was shortened from 64 bits to 56 bits, adding parity bits.

I think the security side of NSA won here. It is relatively easy
to judge how much work a brute force attack will take. It is
harder to analyze the effect of an unknown attack mode. DES
users could make an informed judgment based on $$$, Moore's law,
and the speed of DES.

Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz        | Privacy is dead, get over | Periwinkle
(408)356-8506      | it.                       | 16345 Englewood Ave
www.pwpconsult.com |          - Scott McNealy  | Los Gatos, CA 95032