Cryptography Reference
In-Depth Information
DES has, however, been subjected to several different design criticisms over
the years:
Secret design criteria. Although the full description of DES, including the round
function and key schedule, was published, their design criteria (in other words,
why they were chosen to be that way) were not. This resulted in some people
becoming suspicious that 'trapdoors' might exist, whereby the designers could
easily subvert a DES encryption through knowledge of some secret technique.
These fears appear to have been unfounded. In particular, the public discovery
of differential cryptanalysis in the 1990s revealed that the design of DES seems
to protect against this type of cryptanalytic attack. Thus, intriguingly, the
designers of DES must have known about this technique long before its public
discovery.
Potentially undesirable keys. It was pointed out that certain DES keys are not
suitable for use. For example, some keys are described as 'weak' because
encryption and decryption using these keys have the same effect. It is debatable
whether this is actually a problem. In any case, there are only a few such keys
and their use can easily be avoided.
Inadequate key length. The main criticism of DES, even in 1975, was that the
effective key length of 56 bits was not adequate. Indeed, there were (never
substantiated) accusations that the NSA had influenced the selection of a
relatively small effective key length in order to keep exhaustive search for a
DES key within their capabilities. Whether these claims were true may never
be known. What is true is that 56 bits is inadequate protection today for most
applications.
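The weak keys mentioned under "Potentially undesirable keys" can be recognised from the DES key schedule itself. The following Python sketch is an added example, not taken from the original text: it applies the standard Permuted Choice 1 table and rejects any key whose two 28-bit halves are constant. The function names are chosen here for illustration.

```python
import secrets

# DES Permuted Choice 1 (FIPS 46-3): selects the 56 effective key bits
# (bit 1 = most significant bit of the first byte) and drops the 8 parity bits.
PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]

def key_halves(key: bytes):
    """Return the 28-bit C and D halves of the key schedule as bit lists."""
    if len(key) != 8:
        raise ValueError("DES keys are 8 bytes (56 key bits + 8 parity bits)")
    k = int.from_bytes(key, "big")
    bits = [(k >> (64 - pos)) & 1 for pos in PC1]
    return bits[:28], bits[28:]

def is_weak_des_key(key: bytes) -> bool:
    """True if all 16 round subkeys are identical (decryption == encryption).

    The key schedule only rotates C and D. A half that is all 0s or all 1s
    is unchanged by rotation, so every round derives the same subkey.
    Parity bits never reach C or D, so keys with wrong parity are caught too.
    """
    c, d = key_halves(key)
    return len(set(c)) == 1 and len(set(d)) == 1

def set_odd_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so the byte has an odd number of 1 bits."""
    return bytes((b & 0xFE) | (bin(b >> 1).count("1") % 2 == 0) for b in key)

def generate_des_key() -> bytes:
    """Draw random keys until one is not weak (illustrative helper)."""
    while True:
        key = set_odd_parity(secrets.token_bytes(8))
        if not is_weak_des_key(key):
            return key

if __name__ == "__main__":
    # Constructed sample keys: two of the four weak keys and one ordinary key.
    for hexkey in ("0101010101010101", "E0E0E0E0F1F1F1F1", "0123456789ABCDEF"):
        print(hexkey, "weak" if is_weak_des_key(bytes.fromhex(hexkey)) else "ok")
```

Only four keys (up to parity) pass this test, which is why avoiding them costs essentially nothing during key generation.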
DES KEY SEARCHES
The security analysis of DES, right from the outset, has mainly focussed on
the difficulty of exhaustively searching for a DES key. To place the subsequent
discussion in some perspective, recall our computation of real attack times
from Section 3.2.3. Suppose that we have a machine consisting of one million
processors, each of which can test one million keys per second. How long is it
likely to take before we find a DES key during an exhaustive key search?
DES effectively has a 56-bit key. A 56-bit key requires $2^{56}$ tests in order to
search the key space completely. Since $2^{56}$ is approximately equal to $7.2 \times 10^{16}$,
and since we are able to test $10^{6} \times 10^{6} = 10^{12}$ keys every second, a complete search
will take:
$$\frac{7.2 \times 10^{16}}{10^{12}} = 7.2 \times 10^{4} \text{ seconds},$$
in other words about 20 hours. This means that we will probably find the correct
key in about half that time, or about 10 hours (see Section 1.6.4).
These are straightforward mathematical facts. The real issue is how likely it is
that an attacker has access to a machine this powerful in order to exhaustively
search for a DES key. The historical debate about security of DES has essentially
 