Follow the link in the attached email message for the technical details, but one comment is interesting for what it indicates in the design intent and constraints: "This is still a preliminary result, but it reiterates our earlier comment that SkipJack does not have a conservative design with a large margin of safety." _This_ is what was intended as 'mandatory use'? MW -------------------------------------------------------------------------- To: cryptographyat_private Subject: More analysis of Skipjack by Biham et al. Date: Tue, 30 Jun 1998 13:13:54 -0400 From: "Perry E. Metzger" <perryat_private> I just received a note from Eli Biham indicating that he and his colleagues have made some interesting and substantial progress in attacking variants on Skipjack. See: http://www.cs.technion.ac.il/~biham/Reports/SkipJack/ for details. Here is a summary: Cryptanalysis of SkipJack-4XOR Eli Biham, Alex Biryukov, Orr Dunkelman, Eran Richardson, Adi Shamir June 30, 1998 (DRAFT) This note can be found in http://www.cs.technion.ac.il/~biham/Reports/SkipJack/ Feel free to distribute Summary SkipJack is the secret key encryption algorithm used by the US government in the Clipper chip and Fortezza PC card. It was implemented in tamper-resistant hardware and its structure had been classified since its introduction in 1993. On June 24th, 1998, SkipJack was unclassified, and its description is available at the web site of NIST. In a note from June 25th, we described our initial observations on SkipJack, after several hours of analysis. In this note we summarize our new observations after several days of analysis. The main new result in this note is an attack on a variant of SkipJack which contains all 32 rounds but omits four XORs. We call this variant SkipJack-4XOR (SkipJack minus four XORs). For the sake of simplicity, we describe in this note an unoptimized attack which requires 2^48 time, using about 2^25 chosen plaintexts or about 2^49 known plaintexts. Improved attacks on SkipJack-4XOR and on other variants which are even closer to SkipJack will be described in a forthcoming note. This is still a preliminary result, but it reiterates our earlier comment that SkipJack does not have a conservative design with a large margin of safety. In the remainder of this note we first describe additional observations and extensions of our previous note, and then describe a new technical tool, which we call the Yoyo game. Finally, we describe a simple version of our attack on SkipJack-4XOR, which suffices to get the above results.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:10:11 PDT