[738,1573]. And in 1993 Michael Wiener designed a $1 million machine that could complete a brute-force attack against DES in an average of 3.5 hours (see Section 7.1). No one has publicly admitted building this machine, although it is a reasonable assumption that someone has. A million dollars is not a lot of money to a large—or even a medium-sized—country. It was not until 1990 that two Israeli mathematicians, Biham and Shamir, discovered differential cryptanalysis, a technique that put to rest the question of key length. Before we discuss that technique, let's turn to some other design criticisms of DES.

Number of Rounds
Why 16 rounds? Why not 32? After five rounds every ciphertext bit is a function of every plaintext bit and every key bit [1078,1080], and after eight rounds the ciphertext was essentially a random function of every plaintext bit and every key bit [880]. (This is called the avalanche effect.) So why not stop after eight rounds? Over the years, variants of DES with a reduced number of rounds have been successfully attacked. DES with three or four rounds was easily broken in 1982 [49]. DES with six rounds fell some years later [336]. Biham and Shamir's differential cryptanalysis explained this as well: DES with any number of rounds fewer than 16 could be broken with a known-plaintext attack more efficiently than by a brute-force attack. Certainly brute-force is a much more likely attack, but it is interesting that the algorithm has exactly 16 rounds.

Design of the S-Boxes
In addition to being accused of reducing the key length, NSA was also accused of modifying the contents of the S-boxes. When pressed for design justification for the S-boxes, the NSA indicated that elements of the algorithm's design were "sensitive" and would not be made public. Many cryptographers were concerned that the NSA-designed S-boxes hid a trapdoor, making it possible for them to easily cryptanalyze the algorithm. Since then, considerable effort has gone into analyzing the design and operation of the S-boxes. In the mid-1970s, Lexar Corp...
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.