1994-06-16 - Re: DES w/ variable S-boxes

Header Data

From: Ben.Goren@asu.edu
To: Rick Busdiecker <rfb@lehman.com>
Message Hash: 1877f44d277f86c8029464a6310363bbffeb9c2b318351ed2c0cda9465fff7c9
Message ID: <9406161609.AA01225@Tux.Music.ASU.Edu>
Reply To: N/A
UTC Datetime: 1994-06-16 16:09:30 UTC
Raw Date: Thu, 16 Jun 94 09:09:30 PDT

Raw message

From: Ben.Goren@asu.edu
Date: Thu, 16 Jun 94 09:09:30 PDT
To: Rick Busdiecker <rfb@lehman.com>
Subject: Re: DES w/ variable S-boxes
Message-ID: <9406161609.AA01225@Tux.Music.ASU.Edu>
MIME-Version: 1.0
Content-Type: text/plain


At 10:32 PM 6/15/94 -0400, Rick Busdiecker wrote:
>    Date: Wed, 15 Jun 1994 17:32:24 -0700
>    From: Ben.Goren@asu.edu
>
>    Are there any implementations of DES-variants that use variable S-boxes?
>
>Well, if you don't use the DES S-boxes then it isn't DES :-)

Well...yeah....

>Variable boxes tend to weaken DES.  The DES S-boxes were chosen to
>make differential cryptanalysis difficult.  Random S-boxes don't tend
>to have this desirable property.

Perhaps I should clarify: not DES with randomly-chosen fixed S-boxes; I'm
well aware that those that DES uses are the best for differential
cryptanalysis.

However, as Bruce Schneier points out (p. 242), *variable* S-boxes make
differential cryptanalysis impossilbe, as such an adaptive plaintext attack
relies on knowledge of the composition of the S-boxes. If the boxes and
their contents change with both keys used and plaintext--probably with the
help of a strong RNG--then the only way such an attack could work would be
by first figuring out what causes the changes in the S-boxes; in that case,
the attack is probably already finished, by other means. Perhaps, even, the
S-boxes could change with so many chunks of text--again, variable, of
course.

Most, if not all, of the actual S-box designs used would be much weaker
than the original design of DES for differential cryptanalysis. However,
each different plaintext (and key) would use different s-boxes, so that
particular attack isn't possible.

So, I guess part of my question should be, does this open up other attacks?
Or, for that matter, am I completely wrong? And, like I said before, has
this been done?

>Use IDEA.

Certainly, until there's something better. I'm just hoping this might be,
or that I can learn more along the way.

>                        Rick

And thanks to Bill and Lyman, who also responded similarly.

b&

PS Hopefully, I'll learn to check the Cc: line more carefully in the
future. Apologies again for the noise. b&

--
Ben.Goren@asu.edu, Arizona State University School of Music
 net.proselytizing (write for info): Protect your privacy; oppose Clipper.
 Voice concern over proposed Internet pricing schemes. Stamp out spamming.
 Finger ben@tux.music.asu.edu for PGP 2.3a public key.







Thread