[2848] in cryptography@c2.net mail archive
Re: Matt Blaze: difference distribution table for Skipjack
daemon@ATHENA.MIT.EDU (Marcus Leech)
Thu Jun 25 12:07:12 1998
Date: Wed, 24 Jun 1998 21:00:41 +0200
From: "Marcus Leech" <Marcus.Leech.mleech@nt.com>
To: "Perry E. Metzger" <perry@piermont.com>
CC: cryptography@c2.net
[Matt Blaze] wrote:
>
> I thought this would be of interest to those examining the algorithm.
>
> There are a few surprising spikes in the table, but they probably
> disappear after a few rounds. I haven't done anything beyond
> generating the table yet.
>
> (If you don't know what a difference distribution table is
> good for, you won't be able to make much use of this one
> until you understand differential cryptanalysis at the
> level of Biham and Shamir's book).
>
A cursory examination of F() reveals that the single-round
probability is somewhere near 2.3 X 10**-10 (since g ends
up using the F() function 8 times)--this is based purely
on the highest probability entry in the table, not on
actual round characteristics.

I did a linearity test on F() and found it to have a minimum
Hamming distance to any of the linear-boolean vectors of
0.39. It (not surprisingly) passes BIC.

Given the way this thing is structured, even if F() were
relatively weak, the effectively large number of rounds
makes it strong against the known linear and differential
attacks.
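
Added example, not part of the original message or of either author's code: how a difference distribution table is built for an 8-bit table, and how its highest entry turns into the kind of rough estimate quoted above (best entry probability raised to the number of table uses). Both S-boxes are constructed for illustration, since Skipjack's F table is not listed in this message; all function names, and the default of 8 uses taken from the message, are assumptions of the example.

```python
# Added example: difference distribution tables (DDT) for two constructed
# 8-bit S-boxes. Neither is Skipjack's F table, which this message does not list.

def gf_mul(a, b, poly=0x11B):
    """Multiply in GF(2^8) modulo the given irreducible polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= poly
        b >>= 1
    return r

def gf_inv(x):
    """x^254 in GF(2^8): the multiplicative inverse, with 0 mapped to 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, x)
    return r

def ddt(sbox):
    """table[dx][dy] = number of inputs x with S(x) ^ S(x ^ dx) == dy."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        row = table[dx]
        for x in range(n):
            row[sbox[x] ^ sbox[x ^ dx]] += 1
    return table

def best_entry(table):
    """Largest count over nonzero input differences, as (count, dx, dy)."""
    return max((c, dx, dy) for dx, row in enumerate(table) if dx
               for dy, c in enumerate(row))

def naive_bound(table, uses=8):
    """Best single-entry probability raised to the number of table uses.
    This looks only at the peak entry, not at real round characteristics."""
    count, _, _ = best_entry(table)
    return (count / len(table)) ** uses

# Constructed sample S-boxes: an affine map (rotate left, XOR constant) whose
# differences propagate with probability 1, and field inversion, whose DDT is flat.
AFFINE = [((x << 1 | x >> 7) & 0xFF) ^ 0x5A for x in range(256)]
INVERSE = [gf_inv(x) for x in range(256)]

if __name__ == "__main__":
    for name, box in (("affine", AFFINE), ("inverse", INVERSE)):
        t = ddt(box)
        print(name, best_entry(t), naive_bound(t))
```

The affine table shows what a "spike" looks like at its extreme (a single entry of 256 per row), while the inversion table peaks at 4 everywhere.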