Your best chance at encrypting stuff that needs a long shelf life is with a cipher that's had a lot of analysis and plenty of intrinsic key, like 3DES.
Yes, I think that's what my (inaccurate) model would suggest you do, if my guesses as to break probability are close; real, practical cipher breaks get rarer after more analysis-hours pass -- i.e., ciphers are more likely to be broken in the first year of analysis than the tenth -- so expected lifetimes would increase with the amount of analysis survived. Of course, like TcM said, chaining ciphers only cuts speed by a little and helps security a lot.
Am I just going crazy, or is it kind of obvious that NSA knew the s-boxes they provided for DES weren't secure?
The former.
That shouldn't surprise anyone who's seen my posts. :)
The S-boxes they replaced were bogus, and the ones they came up with were good against differential cryptanalysis -- better than random ones. There's no a priori reason to believe they knew about linear cryptanalysis, and in any case Matsui's l.c. attack on DES is better than brute force only in situations where you have a great deal of known or chosen plaintext. So how come you claim they aren't secure? DES isn't suitable for long-archived info, but is still OK for short-lifetime data against a not-too-motivated attacker: its only known weakness for this application is its key-length, not its S-boxes.
Perhaps I should say that the S-boxes weren't as secure as they could/should have been. We know how to construct better ones now (s^5 DES is just that -- DES w/better [?] S-boxes), and I'd venture to say that if NSA wasn't 21 years ahead, they either spent most of their cash on computers, not crypto whizzes, or else the cryptographers spent too much time on coffee breaks... As to their knowledge of linear attacks back then, the same thing applies; although we have no solid evidence, assuming they were up to today's level of analysis is not exactly going out on a limb. Now, this *is* going out on a limb (while contradicting my original statement :), but there's always the possibility that those S-boxes *were* as good as they could have been for 16 rounds, and there was an even more vile attack against DES with S-boxes which we think are more secure. ...
Jim Gillogly Trewesday, 8 Solmath S.R. 1998, 00:27 12.19.4.15.17, 8 Caban 15 Muan, Second Lord of Night
--------------------------------------------------------------------------- Randall Farmer rfarmer@hiwaay.net http://hiwaay.net/~rfarmer