Comment by fossuser

3 years ago

They had a privately known way to weaken DES that effectively shortens the key length. They could have pretended to allow a longer key length while secretly retaining their privately known attack that lets them shorten it (without also acting to strengthen DES against it). They knew this in the 70s, 20 years before it would become publicly known. They actively strengthened DES against this while not revealing the exploit. Doing this secretly doesn't narrow the field (doing it publicly might have); it's also inconsistent with their argument for short keys.

I read the blog post and I've read a lot about the history of this - what you're saying isn't really convincing. Often people I mostly agree with, maybe 90%, just take it to the extreme where everything must fit their world view 100%. Rarely imo is that the case; often reality is more mixed.

If they’re related maybe they wanted DES to be strong so they could use it, but wanted the public to only have access to short keys so they could also break the public's use of it. Still, it's interesting they didn't leave in a weakness they could exploit secretly despite a longer key size.

edited for clarity

You’re making a lot of assumptions and guesses to imply they helped overall when we know they weakened DES by reducing the key size such that it was practically breakable as a hobby project. At the time of DES creation, Hellman remarked that this was a bad enough problem to fix it by raising the key size. NSA and IBM and others ignored the cryptographers who were not compromised. Any benefit against DC attacks seems clearly like a hedge against DES being replaced sooner and against known adversary capabilities. When did the Russians learn that technique? Probably before the public did, I would wager.

The longer DES stays, the longer NSA retain their capabilities. Any design changes made by NSA are for their benefit first. That’s the primary lesson from my perspective.

  • I don’t think they helped overall; I’d agree on net they acted to make things less secure by arguing for the small key sizes. We mostly agree. I just think strengthening public DES based on a security issue that was not public at the time is an interesting example of a time they did the opposite of inserting a backdoor: people were afraid their suggestions were weakening DES, but they were strengthening it. That, paired with the history, suggested some internal arguing about priorities.