Data Encryption Standard
=== NSA's involvement in the design ===

On 17 March 1975, the proposed DES was published in the ''[[Federal Register]]''. Public comments were requested, and in the following year two open workshops were held to discuss the proposed standard. Criticism was received from [[public-key cryptography]] pioneers [[Martin Hellman]] and [[Whitfield Diffie]],<ref name="dh-exh">{{cite journal |last1=Diffie |first1=Whitfield |last2=Hellman |first2=Martin E. |date=June 1977 |title=Exhaustive Cryptanalysis of the NBS Data Encryption Standard |journal=Computer |volume=10 |issue=6 |pages=74–84 |doi=10.1109/C-M.1977.217750 |s2cid=2412454 |url=http://origin-www.computer.org/csdl/mags/co/1977/06/01646525.pdf |url-status=dead |archive-url=https://web.archive.org/web/20140226205104/http://origin-www.computer.org/csdl/mags/co/1977/06/01646525.pdf |archive-date=2014-02-26 }}</ref> who cited a shortened [[key length]] and the mysterious "[[Substitution box|S-boxes]]" as evidence of improper interference from the NSA. The suspicion was that the algorithm had been covertly weakened by the intelligence agency so that they—but no one else—could easily read encrypted messages.<ref>{{cite web |url=http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/has-des-been-broken.htm |url-status=dead |archive-url=https://web.archive.org/web/20160517015519/http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/has-des-been-broken.htm |archive-date=2016-05-17 |title=Has DES been broken?|author=RSA Laboratories|access-date=2009-11-08}}</ref> Alan Konheim (one of the designers of DES) commented, "We sent the S-boxes off to Washington. They came back and were all different."<ref>{{Cite book|last=Schneier|title=Applied Cryptography|edition=2nd|page=280}}</ref>

The [[United States Senate Select Committee on Intelligence]] reviewed the NSA's actions to determine whether there had been any improper involvement.
In the unclassified summary of their findings, published in 1978, the Committee wrote:
{{blockquote|In the development of DES, NSA convinced [[IBM]] that a reduced key size was sufficient; indirectly assisted in the development of the S-box structures; and certified that the final DES algorithm was, to the best of their knowledge, free from any statistical or mathematical weakness.<ref>{{Cite book|first=D.W.|last=Davies|author2=W.L. Price|title=Security for computer networks, 2nd ed.|publisher=John Wiley & Sons|year=1989}}</ref>}}

However, it also found that
{{blockquote|NSA did not tamper with the design of the algorithm in any way. IBM invented and designed the algorithm, made all pertinent decisions regarding it, and concurred that the agreed upon key size was more than adequate for all commercial applications for which the DES was intended.<ref>{{Cite journal|editor=Robert Sugarman |title=On foiling computer crime|journal=IEEE Spectrum|date=July 1979}}</ref>}}

Another member of the DES team, Walter Tuchman, stated "We developed the DES algorithm entirely within IBM using IBMers. The NSA did not dictate a single wire!"<ref>{{Cite journal|author=P. Kinnucan|title=Data Encryption Gurus: Tuchman and Meyer|journal=Cryptologia|volume=2|issue=4|date=October 1978|doi=10.1080/0161-117891853270|page=371}}</ref>

In contrast, a declassified NSA book on cryptologic history states:
{{blockquote|In 1973 NBS solicited private industry for a data encryption standard (DES). The first offerings were disappointing, so NSA began working on its own algorithm. Then Howard Rosenblum, deputy director for research and engineering, discovered that Walter Tuchman of IBM was working on a modification to Lucifer for general use. NSA gave Tuchman a clearance and brought him in to work jointly with the Agency on his Lucifer modification.<ref name=johnson3>{{cite web|url=http://www.nsa.gov/public_info/_files/cryptologic_histories/cold_war_iii.pdf |title=American Cryptology during the Cold War, 1945-1989.Book III: Retrenchment and Reform, 1972-1980, page 232 |author=Thomas R. Johnson |access-date=2014-07-10 |publisher=[[National Security Agency]], DOCID 3417193 (file released on 2009-12-18, hosted at nsa.gov) |date=2009-12-18 |url-status=dead |archive-url=https://web.archive.org/web/20130918020036/http://www.nsa.gov/public_info/_files/cryptologic_histories/cold_war_iii.pdf |archive-date=2013-09-18 }}</ref>}}
and
{{blockquote|NSA worked closely with IBM to strengthen the algorithm against all except brute-force attacks and to strengthen substitution tables, called S-boxes. Conversely, NSA tried to convince IBM to reduce the length of the key from 64 to 48 bits. Ultimately they compromised on a 56-bit key.<ref>{{cite web|url=http://nsarchive.gwu.edu/NSAEBB/NSAEBB260/nsa-5.pdf |archive-url=https://web.archive.org/web/20150425043600/http://nsarchive.gwu.edu/NSAEBB/NSAEBB260/nsa-5.pdf |archive-date=2015-04-25 |url-status=live|title=American Cryptology during the Cold War, 1945-1989.Book III: Retrenchment and Reform, 1972-1980, page 232 |author = Thomas R. Johnson| access-date=2015-07-16 |publisher = [[National Security Agency]]| date= 2009-12-18| via=[[National Security Archive]] FOIA request. This version is differently redacted than the version on the NSA website.}}</ref><ref>{{cite web|url=http://nsarchive.gwu.edu/NSAEBB/NSAEBB260/nsa-6.pdf |archive-url=https://web.archive.org/web/20150425043604/http://nsarchive.gwu.edu/NSAEBB/NSAEBB260/nsa-6.pdf |archive-date=2015-04-25 |url-status=live|title=American Cryptology during the Cold War, 1945-1989.Book III: Retrenchment and Reform, 1972-1980, page 232 |author = Thomas R. Johnson| access-date=2015-07-16 |publisher = [[National Security Agency]]| date= 2009-12-18| via=[[National Security Archive]] FOIA request. This version is differently redacted than the version on the NSA website.}}</ref>}}

Some of the suspicions about hidden weaknesses in the S-boxes were allayed in 1990, with the independent discovery and open publication by [[Eli Biham]] and [[Adi Shamir]] of [[differential cryptanalysis]], a general method for breaking block ciphers. The S-boxes of DES were much more resistant to the attack than if they had been chosen at random, strongly suggesting that IBM knew about the technique in the 1970s. This was indeed the case; in 1994, Don Coppersmith published some of the original design criteria for the S-boxes.<ref>{{Cite book|last=Konheim|title=Computer Security and Cryptography|page=301}}</ref> According to [[Steven Levy]], IBM Watson researchers discovered differential cryptanalytic attacks in 1974 and were asked by the NSA to keep the technique secret.<ref name=Levy>Levy, ''Crypto'', p. 55</ref> Coppersmith explains IBM's secrecy decision by saying, "that was because [differential cryptanalysis] can be a very powerful tool, used against many schemes, and there was concern that such information in the public domain could adversely affect national security." Levy quotes Walter Tuchman: "[t]hey asked us to stamp all our documents confidential... We actually put a number on each one and locked them up in safes, because they were considered U.S. government classified. They said do it. So I did it".<ref name=Levy/>

Bruce Schneier observed that "It took the academic community two decades to figure out that the NSA 'tweaks' actually improved the security of DES."<ref name="schneier20040927">{{Cite news|last=Schneier|first=Bruce|title=Saluting the data encryption legacy|url=http://www.cnet.com/news/saluting-the-data-encryption-legacy/|access-date=2015-07-22|newspaper=CNet|date=2004-09-27}}</ref>