phiber at eff.org
Fri Feb 26 11:06:38 PST 1993
> * Reply to msg originally in Cypherpunks <INET>
> marc at Athena.MIT.EDU (Marc Horowitz) writes:
> BK> I also believe that nobody's security is perfect, and that if
> BK> something as big as DES was broken, even at the NSA, we would have
> BK> heard about it. If the world banking industry trusts DES for their
> BK> trillions of dollars a day, I'm willing to trust it for my little,
> BK> insignificant messages.
> I'm surprised that you haven't had 53 replies to this already, but in
> that you haven't I suppose I ought not let this go by unchallenged.
> In a _MicroTimes_ article by Jim Warren of the EFF, the
> unreliability of DES was discussed at length. In a nutshell, Marty
> Hellman of Stanford broke the "unbreakable" 54-bit DES _prior to its
> adoption as a standard_. He promoted the idea of a 64-bit DES instead,
> but was _opposed by the NSA_ for reasons we can all speculate upon at
> length. This opposition is the basis of the rumors (?) of DES being
> backdoored by the NSA. The upshot was that DES was adopted _after_
> being demonstrably compromised.
Slow down. Firstly, DES encrypts a 64-bit block with a 56-bit key. Are
you talking about key lengths? It was originally proposed to use a 128-bit
key space, alla IBM's LUCIFER. But they opted on the smaller key, which
fuels this NSA conspiracy theory. The other major thing, are the S-boxes,
which no one has been able to deduce the reasoning behind the choice of the
values, and that's the source of the "backdoor" theory.
Saying that Hellman "broke" anything is a bit strong. I remember reading
a published paper, I believe by Hellman and one other, describing that they
were able to WEAKEN DES (with a smaller key space for their experiment), using
a statistical approach, and that this could possibly be applied to the DES
> The postscript to this is that Hellman's proposed "unbreakable"
> 64-bit DES variant was later cracked as well.
> The post-postscript is an apocryphal story I personally got from
> an Israeli communications tech and minor spook. He claimed that DES was
> broken by the cryptanalytic arm of Israeli intelligence _in two hours_.
> It is relatively certain that a DES-encrypted cyphertext can be
> easily decrypted by well-equipped agencies. Whether decryption is now
> trivially accomplished by private parties is another question.
Now this is just hearsay with no basis in fact, only rumor.
It remains that DES's only real "weakness", is that a major corporation,
sparing no expense, can have many massively-parallel machines at their
disposal, and do an exhaustive search of the key space. Which is just
to state the obvious, that as computing speed increases, the amount of time
to do an exhaustive search decreases. This has nothing to do with crypto-
graphic weaknesses in DES, as you're suggesting.
If you're not just some NSA-paranoid wacko, reference some papers to back
up your claims. Otherwise, you're just another NSA-conspiracy theorist,
and part of the noise. We're all capable of suspecting underhandedness
on the part of the NSA, but when you start misrepresenting your opinions
as fact, you're being nonconstructive.
It would be of interest to all cypherpunks to be kept abreast of the academic
research being done in this area, and someone may wish to post a list of
recommended papers to read on developments in cryptographic weaknesses.
More information about the cypherpunks-legacy