The widespread
rumor or
belief that the DES
design was in any way weakened
by the attention it received from
NSA was largely answered in
Biham
and
Shamir's paper on
differential cryptanalysis.
In their 1992 work presenting chosen plaintext attacks on DES was the first
cryptanalytic attack which could break DES with less effort than an exhaustive
key search. However it requires the attacker to trick the target into
encrypting 247 attacker-supplied plaintexts - not a small task.
This work observed that the S-boxes seem to have been optimally designed
and that any changes to the S-boxes rendered DES substantially easier to break
using differential cryptanalysis.
Following the publication of this work Don Coppersmith broke a 20 year long
silence on the details of the design, indicating that the IBM team had
independently discovered the differential attack on block ciphers and
taken the appropriate steps to modify it. He also indicated that aside from
key-length, NSA made no other modifications to either strengthen or weaken
the design.
Additionally this work demonstrated that the number of rounds used in DES was
optimal to protect against the differential analysis attack (i.e. any fewer
number of rounds introduces weaknesses while adding rounds does not gain any
benefit.
It is acknowledged that US federal policy has long mandated that the spread
of strong encryption technology be minimized. The use of a 56 bit key did
accomplish that, however 3DES with 112 bits remains proof against attack. AES is destined to eventually replace triple DES in financial and
other secure applications.
Reference:
Differential Cryptanalysis, 1992
Eli Biham, Adi Shamir
See also:
linear cryptanalysis