[cryptography] ICIJ's project - comment on cryptography & tools

ianG iang at iang.org
Tue Apr 9 10:19:59 EDT 2013

On 9/04/13 03:43 AM, Jeffrey Goldberg wrote:
> On Apr 8, 2013, at 7:38 AM, ianG <iang at iang.org> wrote:
>> We all know stories.  DES is now revealed as interfered with, yet for decades we told each other it was just parity bits.
> But it turned out that the interference was to make it *stronger* against attacks, differential cryptanalysis, that only the NSA and IBM knew about at the time.

That's what we all believed.  From Wikipedia (I haven't checked the 
primary references):

In contrast, a declassified NSA book on cryptologic history states:

     In 1973 NBS solicited private industry for a data encryption 
standard (DES). The first offerings were disappointing, so NSA began 
working on its own algorithm. Then Howard Rosenblum, deputy director for 
research and engineering, discovered that Walter Tuchman of IBM was 
working on a modification to Lucifer for general use. NSA gave Tuchman a 
clearance and brought him in to work jointly with the Agency on his 
Lucifer modification."[8]


     NSA worked closely with IBM to strengthen the algorithm against all 
except brute force attacks and to strengthen substitution tables, called 
S-boxes. Conversely, NSA tried to convince IBM to reduce the length of 
the key from 64 to 48 bits. Ultimately they compromised on a 56-bit key.[9]

Conclusion?  We wuz tricked!  In their own words, they managed the 
entire process, and succeeded in convincing everyone that they did not. 
  And they made it weaker where they held the advantage:  budget to 
crunch.  Last two sentences, above.

> If history is a guide, weakness that TLAs insist on are transparent. They are about (effective) key size.

Indeed.  Notice the subtlety of their attack:  it is brutally simple. 
We others focus on elegance, and dismiss the simplistic.

Cognitive dissonance?

They focussed on mission, and used asymmetry of crunch strength.  Recall 
that, in the old days, no other country could muster the budget and 
technology that they could.

> We have no way to know whether this will continue to be the case, but I'd imagine that the gap in knowledge between the NSA and the academic community diminishes over time; so that makes me think that they'd be even more reluctant to try to slip in a hidden weakness today than in 1975.

Possibly.  In terms of algorithms, I don't think there has been a case 
where they've deliberately weakened the algorithm.  OTOH, in terms of 
key strength, they have been very very finessed.  Remember Skipjack? 
The comments at the time was that the key strength was beautifully 
aligned - right at the edge.  80 bit keys where the open community had 
already concluded 128 was the target.  Which meant that if there was to 
be an advantage, all that was left was:  budget in crunching.


More information about the cryptography mailing list