Cryptography Reference
In-Depth Information
The Chip Crackers
Though we've moved rather far away from mathematical cryptanalysis and
landed on its 'physical' counterpart, the way that the two methods can be
merged together seemed interesting enough for me to mention it. We will
come across tamperproof chips several more times in this topic, e.g., in GSM
cell phones (the D- and E-networks in Germany), digital signatures, and the
Clipper chip (Section 6.4). Even if you have only the slightest interest in this
field, you should skim through the fascinating article by Anderson and Kuhn
[AndKuhn.tamp] on the Web site. It will give you a rough idea of the guile
involved in reading chips, which makes the trick used by pay-TV pirates look
harmless; appropriate labs can reconstruct the design of an 80386 microproces-
sor within two weeks — that corresponds to several 100 000 transistor functions!
Among other things, the authors explain in their article how nuclear weapons
are protected; we will get back to this issue in Section 6.2.
4.4.6 Bottom Line
We have discussed DES in more detail than any other algorithm in this topic.
This corresponds to its historical significance. If you compare Chapter 3 with
what you've read so far in this chapter, you will clearly see the difference
between modern and classic cryptology. The specification of DES — the first
time ever a good algorithm was published for the world to study — drove the
theory forward by a quantum leap, particularly the theory of cryptanalysis. Five
thousand years from now, an 'expert' might explain this big jump forward by
the landing of aliens. We know better.
We can identify a new, interesting tendency for the years to come: differ-
ential linear cryptanalysis, differential higher-order cryptanalysis, progress in
attacking with related keys — things might look really exciting.
From the perspective of the theory currently known, DES is remarkably good.
Why should the NSA
not
have built in a backdoor? It is currently impossible
to answer this question. It might really be true that the publication of DES was
actually based on a misunderstanding between NIST and NSA.
Such a large number of talented cryptanalysts have cut their teeth on DES
during the past twenty years or so that I personally don't believe in a simple
backdoor. The weakness of DES is its key length. With 64-bit keys, brute force
gets much more costly, but the end of the 56-bit era has already come. It may
