[2857] in cryptography@c2.net mail archive
Re: Musings on Skipjack
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Thu Jun 25 15:38:35 1998
To: "Marcus Leech" <Marcus.Leech.mleech@nt.com>
cc: cryptography@c2.net
In-reply-to: Your message of "Thu, 25 Jun 1998 14:38:47 EDT."
<35929937.77883D93@nt.com>
Reply-To: perry@piermont.com
Date: Thu, 25 Jun 1998 15:29:39 -0400
From: "Perry E. Metzger" <perry@piermont.com>

"Marcus Leech" writes:
> The analysis of the F() table reveals it to be not particularly optimized
> against differential or linear cryptanalysis, but rather the whole algorithm
> gets protection from these attacks by virtue of having a lot of rounds.
>
> It's possible to reduce the number of rounds with better-optimized
> sboxes, but perhaps the NSA knows something about nonlinear functions
> that requires many more rounds, quite apart from DC and LC attacks.
>
> Anyone care to comment?

My question is this: would it be possible to produce an F() that is
better optimized against linear and differential attack? If so, we can
only assume the NSA did not pick such an F() because there are other
attacks they are simultaneously optimizing against.

If people could come up with substantially better F()s from the point
of view of linear and differential analysis, the result would be
interesting since it might indicate that there is something we don't
know.

Perry
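
Added example, not part of the original message: one way to put numbers on "optimized against linear and differential attack" for an 8-bit table, by computing the largest difference-distribution entry and the largest linear-approximation bias. Both tables below are constructed for illustration (a seeded random permutation and GF(2^8) inversion, the map underlying the AES S-box); neither is Skipjack's F-table, which would be passed in as a 256-entry list to get its figures.

```python
# Added example: constructed tables only, NOT Skipjack's F-table.
import random

PARITY = [bin(i).count("1") & 1 for i in range(256)]

def gf_inv_table(poly=0x11B):
    """x -> x^-1 in GF(2^8), with 0 -> 0 (assumed comparison table)."""
    def mul(a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            a <<= 1
            if a & 0x100:
                a ^= poly
            b >>= 1
        return r
    inv = [0] * 256
    for x in range(1, 256):
        y = x
        for _ in range(253):          # x^254 == x^-1 in GF(2^8)
            y = mul(y, x)
        inv[x] = y
    return inv

def differential_uniformity(s):
    """Largest DDT entry over all nonzero input differences (lower is better)."""
    best = 0
    for dx in range(1, 256):
        row = [0] * 256
        for x in range(256):
            row[s[x] ^ s[x ^ dx]] += 1
        best = max(best, max(row))
    return best

def max_linear_bias(s):
    """Largest |#{x : a.x == b.S(x)} - 128| over all a and nonzero b."""
    best = 0
    for b in range(1, 256):
        w = [1 - 2 * PARITY[b & s[x]] for x in range(256)]
        h = 1
        while h < 256:                # fast Walsh-Hadamard transform over a
            for i in range(0, 256, 2 * h):
                for j in range(i, i + h):
                    w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
            h *= 2
        best = max(best, max(abs(v) for v in w) // 2)
    return best

def report():
    rnd = list(range(256))
    random.Random(1998).shuffle(rnd)  # constructed "unoptimized" permutation
    tables = {"random": rnd, "gf_inverse": gf_inv_table()}
    return {n: (differential_uniformity(t), max_linear_bias(t)) for n, t in tables.items()}
```

Calling `report()` returns a `(differential uniformity, max linear bias)` pair per table; a table chosen for resistance to these two attacks scores lower on both than a typical random permutation.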