This preview shows page 1. Sign up to view the full content.
Unformatted text preview: ne outside the chip and then loaded in. Differential and linear cryptanalysis require so much known or chosen plaintext as to be unworkable, and a bruteforce attack is inconceivable—with no speed penalties. 12.7 How Secure Is DES Today?
The answer is both easy and hard. The easy answer just looks at key length (see Section 7.1). A bruteforce DEScracking machine that can find a key in an average of 3.5 hours cost only $1 million in 1993 [1597,1598]. DES is so widespread that it is na•ve to pretend that the NSA and its counterparts haven’t built such a machine. And remember that cost will drop by a factor of 5 every 10 years. DES will only become less secure as time goes on. The hard answer tries to estimate cryptanalytic techniques. Differential cryptanalysis was known by the NSA long before the mid1970s, when DES first became a standard. It is na•ve to pretend that the NSA theoreticians have been idle since then; almost certainly they have developed newer cryptanalytic techniques that can be applied against DES. But there are no facts, only rumors. Winn Schwartau writes that the NSA had built a massively parallel DEScracking machine as early as the mid1980s [1404]. At least one such machine was built by Harris Corp. with a Cray YMP as a front end. Supposedly there are a series of algorithms that can reduce the complexity of a DES bruteforce search by several orders of magnitude. Contextual algorithms, based on the inner workings of DES, can scrap sets of possible keys based on partial solutions. Statistical algorithms reduce the effective key size even further. And other algorithms choose likely keys—words, printable ASCII, and so on (see Section 8.1)—to test. The rumor is that the NSA can crack DES in 3 to 15 minutes, depending on how much preprocessing they can do. And these machines cost only $50,000 each, in quantity. A different rumor is that if the NSA has a large amount of plaintext and ciphertext, its experts can perform some kind of statistical calculation and then go out to an array of optical disks and retrieve the...
View
Full
Document
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
 Fall '10
 ALIULGER
 Cryptography

Click to edit the document details