[cryptography] ICIJ's project - comment on cryptography & tools
iang at iang.org
Tue Apr 9 10:19:59 EDT 2013
On 9/04/13 03:43 AM, Jeffrey Goldberg wrote:
> On Apr 8, 2013, at 7:38 AM, ianG <iang at iang.org> wrote:
>> We all know stories. DES is now revealed as interfered with, yet for decades we told each other it was just parity bits.
> But it turned out that the interference was to make it *stronger* against attacks, differential cryptanalysis, that only the NSA and IBM knew about at the time.
That's what we all believed. From Wikipedia (I haven't checked the
In contrast, a declassified NSA book on cryptologic history states:
In 1973 NBS solicited private industry for a data encryption
standard (DES). The first offerings were disappointing, so NSA began
working on its own algorithm. Then Howard Rosenblum, deputy director for
research and engineering, discovered that Walter Tuchman of IBM was
working on a modification to Lucifer for general use. NSA gave Tuchman a
clearance and brought him in to work jointly with the Agency on his
NSA worked closely with IBM to strengthen the algorithm against all
except brute force attacks and to strengthen substitution tables, called
S-boxes. Conversely, NSA tried to convince IBM to reduce the length of
the key from 64 to 48 bits. Ultimately they compromised on a 56-bit key.
Conclusion? We wuz tricked! In their own words, they managed the
entire process, and succeeded in convincing everyone that they did not.
And they made it weaker where they held the advantage: budget to
crunch. Last two sentences, above.
> If history is a guide, weakness that TLAs insist on are transparent. They are about (effective) key size.
Indeed. Notice the subtlety of their attack: it is brutally simple.
We others focus on elegance, and dismiss the simplistic.
They focussed on mission, and used asymmetry of crunch strength. Recall
that, in the old days, no other country could muster the budget and
technology that they could.
> We have no way to know whether this will continue to be the case, but I'd imagine that the gap in knowledge between the NSA and the academic community diminishes over time; so that makes me think that they'd be even more reluctant to try to slip in a hidden weakness today than in 1975.
Possibly. In terms of algorithms, I don't think there has been a case
where they've deliberately weakened the algorithm. OTOH, in terms of
key strength, they have been very very finessed. Remember Skipjack?
The comments at the time was that the key strength was beautifully
aligned - right at the edge. 80 bit keys where the open community had
already concluded 128 was the target. Which meant that if there was to
be an advantage, all that was left was: budget in crunching.
More information about the cryptography