DES Flames

Ian Farquhar ianf at simple.sydney.sgi.com
Wed Aug 3 15:57:10 PDT 1994


On Aug 3,  1:22pm, Kent Borg wrote:
> Given:
> 1) Some people worry about the strength of DES.     (Correct?)

As a cipher which is completely secure against all levels of attack, yes.
DES would still be suitable for tactical encryption where the lifetime of
the information is less than a few minutes (and is useless past that time),
or in situations where your adversary known, unique and is not well funded.

Outside these categories, I would say that most, not "some", people who are
familiar with the issues worry about the strength of DES.

> 2) DES is within striking distance of a brute-force attack,
>    this is far-and-away its most serious weakness.  (Correct?)

Always has been, which was a point (Diffie?) made right at the beginning.
The problem is that it has now reached the point where the resources needed
to construct a brute-force search engine are commercially available.  Given
the current development of FPGA's and so forth, I would predict that within
three to five years you will be able to do a brute-force search using
commercially available off-the-shelf FPGA arrays.

> 3) 3-DES is nowhere near soon being vulnerable to a
>    brute-force attack.                              (Correct?)

That is the supposition.  DES is not a group (proven), and so it is assumed
that 3DES gives a keyspace to search which is not practical even in the
distant future.

> It follows then that:
>    3-DES is a trivial fix of DES' ills.             (Correct?)

Perhaps.

> Now, I repeat my puzzle.  If there really was a Great Government
> Gnashing of teeth over how to replace DES, what was the problem?

Options:

1. 3DES is not as secure as we think.  I do not believe that NIST has
   said anything about this one way or the other, and their silence is
   rather interesting.

2. 3DES IS as secure as we think (or nearly so), and they know it, and they
   are keeping us in the dark because they do not want to give any of us
   strong non-escrowed encryption.  The FUD principle.

3. 3DES is stronger than DES, but not as strong as we all think.  The NSA
   is not willing to specify a cipher whose key entropy is not a substantial
   portion of it's keysize.

Let's assume (2).

What makes me wonder is that the NSA was obviously aware of the possibilities
of superencryption back in the 1970's, and I would have expected them specify
the production of a cipher which WAS a group to defeat this.  Options:

a. It is not possible to produce a secure cipher which is a group (anyone got
   any comments on this thought?  I must admit that it is not something I
   have given a lot of thought to, and I certainly have no mathematical backing
   for this supposition.)

b. The NSA didn't know how to produce a cipher which was a groups.  Let's
   not have any "the NSA can do anything" arguments, please.  I am positive
   that they have quite amazing skills in cipher design, but they're not
   all powerful.  Because of this, they're sitting tight and hoping that
   we won't notice.

c. The NSA didn't care (unlikely).

d. The NSA did care, expected to specify it when DES became unviable (which
   is a really neat solution, if you consider the installed base and the
   fact that it is mostly a software update in the drivers even for the
   hardware implementations).  Then the political climate changed in the USA,
   civilian crypto started to make the management nervous, and they shelved
   the idea.

I go for (d).  Anyone else?

							Ian.









More information about the cypherpunks-legacy mailing list