From: frantz@netcom.com (Bill Frantz)
Date: Wed, 22 May 1996 07:58:40 +0800
To: jim bell <stewarts@ix.netcom.com>
Subject: Re: Rumor: DSS Broken?
Message-ID: <199605211817.LAA00206@netcom8.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At  8:39 PM 5/20/96 -0800, jim bell wrote:
>At 01:05 AM 5/20/96 -0700, Bill Frantz wrote:
>>I was rather impressed by NSA's role in the creation of DES.  The
>>strengthened it against an attack which was not publicly known, and didn't,
>>in the process, reveal the attack.  (See AC2.)
>
>Isn't this partly bad, at least?

Given NSA's responsibilities to:
 (1) Break foreign crypto systems.
 (2) Make US crypto systems unbreakable.
 (3) Never Say Anything.
I find it remarkable they were that open.

They had a technique which helped them with 1.  They didn't want to reveal
it or foreign systems would be changed hurting NSA's pursuit of 1.  They
had a (small, DES was public and therefore could be used by foreigners)
obligation thru 2 to help with DES.  They honored 3 by saying as little as
possible, while still strengthening DES.

>All in all, I don't think the NSA's near-silence on DES is unambiguously 
>commendable.

If they were cypherpunks, or academic cryptologists I would agree. 
However, their responsibilities do not involve publishing, so I can't fault
the way they skated thru the maze of conflicting responsibilities given
what we know.  I can not fault them for following their charter.  (Faulting
their charter is a different matter.)

When designing crypto systems, it is worthwhile to consider NSA as the
opponent, because as far as I know, they are the best there is.  If your
system is secure from NSA, then it is secure from everyone except insiders.
 However the government always skates between the horns of the dilemma that
acting on the results of NSA intercepts may cause their opponents the
change their crypto systems, cutting off the intercepts.

This logic says the government can always act on the results of 40 bit key
intercepts because everyone knows they are insecure.  If they acted on a 56
bit key intercept, it would make concrete what we already know
theoretically.  If they acted on a 96 bit key intercept, people would
abandon the underlying crypto system because of the unfeasibility of brute
forcing a 96 bit key.  (When considering what to abandon, the random
process used to generate the 96 bits should be at least as suspect as the
crypto system.)


------------------------------------------------------------------------
Bill Frantz       | The CDA means  | Periwinkle  --  Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA