Cryptography Reference
In-Depth Information
again, but it could have been just a formality — the reason for this restriction
might have been its disclosure rather than DES itself.
It is also possible that DES is really very secure, and that it was published
only due to misunderstandings between the NBS and the NSA, and the NSA
had assumed that DES would be implemented in hardware only. Two reasons
speak in favor of this assumption:
•
DES was the first algorithm studied by the NSA that became pub-
licly known. The next NSA standard algorithm — Skipjack (see Section
5.7.5) — typically remained secret for many years.
•
The design criteria of the S-boxes were published after Biham and Shamir
discovered the differential cryptanalysis in 1990. You can read about it in
[SchnCr, 12.5]. The S-boxes obviously guarantee maximum resistance to
differential cryptanalysis. This is no coincidence, since IBM and the NSA
already knew this attack when DES had been in the design phase. Cop-
persmith wrote in 1992 that differential cryptanalysis would have become
known as early as in 1977 had the said criteria been disclosed, and nei-
ther IBM nor the NSA wanted this to happen. After the design criteria
were published, Shamir asked Coppersmith to admit that there were no
attacks more effective against DES to his knowledge. Coppersmith didn't
comment. Schneier [SchnCr, 12.4] states 'personal communication' as
his source.
You can see that much remains in the realm of speculation. But there is
one obvious fact: since the NSA had been aware of differential cryptanalysis
long before DES was designed, by their own statements, it can be reasonably
assumed that
the NSA was at least 20 years in the lead of public cryptological
research in this field
. That was back then — it is likely to be much less today.
4.3.2 The Algorithm
We will discuss the DES method here only to the extent required to better
understand it. If you are interested in the specific design of the S-boxes, you'll
find all details in [SchnCr, 12.2], or visit the Web site — you will find two DES
implementations.
The following characteristics show that DES is a product algorithm, especially
a Feistel network:
•
It uses a 56-bit key
