it and came to the conclusion that it was secure, though questions are still around about why it was changed from 64 bit to 56 bit, ... Didn't someone figure out a way that the 64 bit version would be more vulnerable to differential cryptanalysis (which was known to IBM as the "sliding attack" back when DES was being developed) than
the 56 bit one was? And I've heard indications that the predecessor "Lucifer" at 128 bits had some trivial "meet-in-the-middle" attack that left it at least as weak as 64 bits.

The only "backdoor" concept I've heard which had a technical basis behind it was a few years back, when some researcher figured out a way to *produce* S-boxes with particular types of holes, and concluded that it was impossible to identify if the holes were there or not unless you knew the precise formulation... I think it even had a two-of-three challenge, i.e., published 3 sets of s-boxes, one or two of which were "trapped" in this way, as a challenge for people to find methods of locating them. (The technical basis stops there -- the psychological or political question that follows is "did NSA/IBM know about this technique? Assuming they did, did they choose the s-boxes with or without holes?")

_Mark_ <eichin@athena.mit.edu>
MIT Student Information Processing Board
Cygnus Support <eichin@cygnus.com>