From: “Uhh…this is Joe [Randall Farmer]” <rfarmer@HiWAAY.net>
To: Jim Gillogly <jim@mentat.com>
Message Hash: be3c09e1db2911e99952a3a5ef2a170215189cf71e64c1ece73aa69986799278
Message ID: <Pine.OSF.3.96.980128193416.19021F-100000@fly.HiWAAY.net>
Reply To: <9801290026.AA13035@mentat.com>
UTC Datetime: 1998-01-31 01:31:02 UTC
Raw Date: Sat, 31 Jan 1998 09:31:02 +0800
From: "Uhh...this is Joe [Randall Farmer]" <rfarmer@HiWAAY.net>
Date: Sat, 31 Jan 1998 09:31:02 +0800
To: Jim Gillogly <jim@mentat.com>
Subject: Re: Predicting cipher life / NSA rigged DES? / Destroying encrypted data (Tangent to Re: Burning papers)
In-Reply-To: <9801290026.AA13035@mentat.com>
Message-ID: <Pine.OSF.3.96.980128193416.19021F-100000@fly.HiWAAY.net>
MIME-Version: 1.0
Content-Type: text/plain
>
> Your best chance at encrypting stuff that needs a long shelf life is with a
> cipher that's had a lot of analysis and plenty of intrinsic key, like 3DES.
Yes, I think that's what my (inaccurate) model would suggest you do, if my
guesses as to break probability are close; real, practical cipher breaks get
rarer after more analysis-hours pass -- i.e., ciphers are more likely to be
broken in the first year of analysis than the tenth -- so expected lifetimes
would increase with the amount of analysis survived.
Of course, like TcM said, chaining ciphers only cuts speed by a little and
helps security a lot.
>
> > Am I just going crazy, or is it kind of obvious that NSA knew the s-boxes they
> > provided for DES weren't secure?
>
> The former.
That shouldn't surprise anyone who's seen my posts. :)
> The S-boxes they replaced were bogus, and the ones they came up with were
> good against differential cryptanalysis -- better than random ones. There's
> no a priori reason to believe they knew about linear cryptanalysis, and in
> any case Matsui's l.c. attack on DES is better than brute force only in
> situations where you have a great deal of known or chosen plaintext. So how
> come you claim they aren't secure? DES isn't suitable for long-archived
> info, but is still OK for short-lifetime data against a not-too-motivated
> attacker: its only known weakness for this application is its key-length, not
> its S-boxes.
Perhaps I should say that the S-boxes weren't as secure as they could/should
have been. We know how to construct better ones now (s^5 DES is just that --
DES w/better [?] S-boxes), and I'd venture to say that if NSA wasn't 21 years
ahead, they either spent most of their cash on computers, not crypto whizzes,
or else the cryptographers spent too much time on coffee breaks...
As to their knowledge of linear attacks back then, the same thing applies;
although we have no solid evidence, assuming they were up to today's level of
analysis is not exactly going out on a limb.
Now, this *is* going out on a limb (while contradicting my original statement
:), but there's always the possibility that those S-boxes *were* as good as
they could have been for 16 rounds, and there was an even more vile attack
against DES with S-boxes which we think are more secure.
...
>
> Jim Gillogly
> Trewesday, 8 Solmath S.R. 1998, 00:27
> 12.19.4.15.17, 8 Caban 15 Muan, Second Lord of Night
---------------------------------------------------------------------------
Randall Farmer
rfarmer@hiwaay.net
http://hiwaay.net/~rfarmer
Return to January 1998
Return to ““Uhh…this is Joe [Randall Farmer]” <rfarmer@HiWAAY.net>”