From: smb@research.att.com
Date: Mon, 18 Jul 94 15:17:51 PDT
To: baum@apple.com (Allen J. Baum)
Subject: Re: article: DES strength against attacks
Message-ID: <9407182217.AA26293@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


	 "The Data Encryption Standard (DES)and its strength against attacks"
	 by D. Coppersmith in IBM J. or R&D, v38#3, May 1994 pp243-250


	 ..in this paper, we examine one such attempt [to break DES],
	 the method of differential cryptanalysis.... we show some of
	 the safeguards against differential cryptanalysis that were
	 built into the system from the beginning.

	 Disclaimer: The present author participated in the design and
	 test of DES, particularly in the design of the S-boxes and in
	 strengthening them against differential cryptonalysis.
	 Naturally , this author has strong opinions about DES and its
	 history. Any opinions in this paper are those of the author
	 and are not necessarily shared by IBM

Let me strongly recommed this paper.  It shows, quite graphically,
just how tightly coupled some parts of DES are.  You don't make up
a good cipher by random bit-twiddling!  (By contrast, I heard a
presentation last week on the cryptanalysis of another cipher.  It
wasn't that strong a cipher -- 2^18 ciphertexts, 2^27 operations
to crack it -- but it would have been far weaker had it not been for
chance.  The cipher had a right shift operation; originally, it was
left unspecified if an arithmetic or logical right shift should be
used.  When different C compilers started producing different results,
the inventor arbitrarily decided to standardize on arithmetic right
shifts.  It turns out that the other choice was far weaker -- but he
didn't know that.)