Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C |
People have long questioned the security of DES [458]. There has been much speculation on the key length, number of iterations, and design of the S-boxes. The S-boxes were particularly mysterious—all those constants, without any apparent reason as to why or what they’re for. Although IBM claimed that the inner workings were the result of 17 man-years of intensive cryptanalysis some people feared that the NSA embedded a trapdoor into the algorithm so they would have an easy means of decrypting messages.
The U.S. Senate Select Committee on Intelligence, with full top-secret clearances, investigated the matter in 1978. The findings of the committee are classified, but an unclassified summary of those findings exonerated the NSA from any improper involvement in the algorithm’s design [1552]. “It was said to have convinced IBM that a shorter key was adequate, to have indirectly assisted in the development of the S-box structures and to have certified that the final DES algorithm was, to the best of their knowledge, free of any statistical or mathematical weaknesses” [435]. However, since the government never made the details of the investigation public, many people remained unconvinced.
Tuchman and Meyer, two of the IBM cryptographers who designed DES, said the NSA did not alter the design [841]:
Their basic approach was to look for strong substitution, permutation, and key scheduling functions.... IBM has classified the notes containing the selection criteria at the request of the NSA.... “The NSA told us we had inadvertently reinvented some of the deep secrets it uses to make its own algorithms,” explains Tuchman.
Table 12.9 |
|||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
Manufacturer |
Chip |
Year |
Clock |
Data Rate |
Availability |
||||||
AMD |
Am9518 |
1981 |
3 MHz |
1.3 MByte/s |
N |
||||||
AMD |
Am9568 |
? |
4 MHz |
1.5 MByte/s |
N |
||||||
AMD |
AmZ8068 |
1982 |
4 MHz |
1.7 MByte/s |
N |
||||||
AT&T |
T7000A |
1985 |
? |
1.9 MByte/s |
N |
||||||
CE-Infosys |
SuperCrypt |
1992 |
20 MHz |
12.5 MByte/s |
Y |
||||||
CE99C003 |
|||||||||||
CE-Infosys |
SuperCrypt |
1994 |
30 MHz |
20.0 MByte/s |
Y |
||||||
CE99C003A |
|||||||||||
Cryptech |
Cry12C102 |
1989 |
20 MHz |
2.8 MByte/s |
Y |
||||||
Newbridge |
CA20C03A |
1991 |
25 MHz |
3.85 MByte/s |
Y |
||||||
Newbridge |
CA20C03W |
1992 |
8 MHz |
0.64 MByte/s |
Y |
||||||
Newbridge |
CA95C68/18/09 |
1993 |
33 MHz |
14.67 MByte/s |
Y |
||||||
Pijnenburg |
PCC100 |
? |
? |
2.5 MByte/s |
Y |
||||||
Semaphore Communications |
Roadrunner284 |
? |
40 MHz |
35.5 MByte/s |
Y |
||||||
VLSI Technology |
VM007 |
1993 |
32 MHz |
200.0 MByte/s |
Y |
||||||
VLSI Technology |
VM009 |
1993 |
33 MHz |
14.0 MByte/s |
Y |
||||||
VLSI Technology |
6868 |
1995 |
32 MHz |
64.0 MByte/s |
Y |
||||||
Western Digital |
WD2001/2002 |
1984 |
3 MHz |
0.23 MByte/s |
N |
||||||
Table 12.10 |
|||||
|---|---|---|---|---|---|
Processor |
Speed (in MHz) |
DES Blocks (per second) |
|||
8088 |
4.7 |
370 |
|||
68000 |
7.6 |
900 |
|||
80286 |
6 |
1,100 |
|||
68020 |
16 |
3,500 |
|||
68030 |
16 |
3,900 |
|||
80386 |
25 |
5,000 |
|||
68030 |
50 |
10,000 |
|||
68040 |
25 |
16,000 |
|||
68040 |
40 |
23,000 |
|||
80486 |
66 |
43,000 |
|||
Sun ELC |
26,000 |
||||
HyperSparc |
32,000 |
||||
RS6000-350 |
53,000 |
||||
Sparc 10/52 |
84,000 |
||||
DEC Alpha 4000/610 |
154,000 |
||||
HP 9000/887 |
125 |
196,000 |
|||