Page "Data Encryption Standard" Paragraph 9

Some of the suspicions about hidden weaknesses in the S-boxes were allayed in 1990, with the independent discovery and open publication by Eli Biham and Adi Shamir of differential cryptanalysis, a general method for breaking block ciphers.

The S-boxes of DES were much more resistant to the attack than if they had been chosen at random, strongly suggesting that IBM knew about the technique in the 1970s.

This was indeed the case ; in 1994, Don Coppersmith published some of the original design criteria for the S-boxes.

According to Steven Levy, IBM Watson researchers discovered differential cryptanalytic attacks in 1974 and were asked by the NSA to keep the technique secret.

Coppersmith explains IBM's secrecy decision by saying, " that was because cryptanalysis can be a very powerful tool, used against many schemes, and there was concern that such information in the public domain could adversely affect national security.

" Levy quotes Walter Tuchman: " hey asked us to stamp all our documents confidential ... We actually put a number on each one and locked them up in safes, because they were considered U. S. government classified.

They said do it.

So I did it ".

Bruce Schneier observed that " It took the academic community two decades to figure out that the NSA ' tweaks ' actually improved the security of DES.