[2874] in cryptography@c2.net mail archive
Re: Musings on Skipjack
daemon@ATHENA.MIT.EDU (John Kelsey)
Thu Jun 25 23:13:08 1998
From: "John Kelsey" <kelsey@plnet.net>
To: <perry@piermont.com>, "Marcus Leech" <Marcus.Leech.mleech@nt.com>
Cc: <cryptography@c2.net>
Date: Thu, 25 Jun 1998 19:31:07 -0500
> From: Perry E. Metzger <perry@piermont.com>
> To: Marcus Leech <Marcus.Leech.mleech@nt.com>
> Cc: cryptography@c2.net
> Subject: Re: Musings on Skipjack
> Date: Thursday, June 25, 1998 2:29 PM
> My question is this: would it be possible to produce an F() that is
> better optimized against linear and differential attack? If so, we can
> only assume the NSA did not pick such an F() because there are other
> attacks they are simultaneously optimizing against.
> If people could come up with substantially better F()s from the point
> of view of linear and differential analysis, the result would be
> interesting since it might indicate that there is something we don't
> know.
That probably depends on how F() is distributed. I wouldn't be
surprised to see an NSA design that used a randomly-selected F(),
just chosen to be random and not to have too many statistics. The
DES S-boxes (optimized against differential attacks, but fairly weak
against linear attacks), and the existence of higher-order
differential attacks and interpolation attacks on S-boxes that had
too much structure, might have convinced NSA that they should stick
to random permutations with no obvious statistical weaknesses.
Of course, this is more-or-less what we did on Twofish, so I am
probably just reading my own beliefs into NSA's actions.
On the other hand, if F() doesn't look all that much like a random
permutation, and is somewhat optimized against differential and
linear attacks, but not quite optimal against them, that might imply
some specific attack against which they're optimizing.
> Perry
--John Kelsey, kelsey@counterpane.com / kelsey@plnet.net
NEW PGP print = 5D91 6F57 2646 83F9 6D7F 9C87 886D 88AF
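The distinction in the message above, between an F() chosen "just to be random" with no obvious statistical weaknesses and one optimized against differential and linear attacks, can be made concrete by computing the two statistics those attacks exploit. The following is an added example, not code from the thread or from Skipjack (whose F table is not reproduced here): it measures the largest difference-distribution-table entry and the largest linear-approximation bias of three constructed 8-bit S-boxes, an affine map, a seeded random permutation, and inversion in GF(2^8), a permutation known to reach 4 and 16 on these two measures.

```python
"""Max DDT entry and max LAT bias of 8-bit S-boxes (added example)."""
import random
SIZE = 256
PARITY = [bin(v).count("1") & 1 for v in range(SIZE)]  # parity of each byte value

def max_differential(sbox):
    """Largest count of S(x)^S(x^a) == d over input differences a != 0.
    256 = a difference always propagates the same way (useless S-box)."""
    worst = 0
    for a in range(1, SIZE):
        counts = [0] * SIZE
        for x in range(SIZE):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        worst = max(worst, max(counts))
    return worst

def _walsh(f):
    """In-place fast Walsh-Hadamard transform of a +1/-1 sequence."""
    h = 1
    while h < len(f):
        for i in range(0, len(f), 2 * h):
            for j in range(i, i + h):
                f[j], f[j + h] = f[j] + f[j + h], f[j] - f[j + h]
        h *= 2
    return f

def max_linear_bias(sbox):
    """Largest |#{x : a.x == b.S(x)} - 128| over output masks b != 0.
    128 = some output parity is an affine function of the input."""
    worst = 0
    for b in range(1, SIZE):
        f = [1 - 2 * PARITY[b & sbox[x]] for x in range(SIZE)]  # (-1)^(b.S(x))
        worst = max(worst, max(abs(w) for w in _walsh(f)) // 2)
    return worst

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

# Three constructed S-boxes: affine (no nonlinearity), a seeded random permutation
# (random, "not too many statistics"), and inversion in GF(2^8) (optimized).
AFFINE_SBOX = [x ^ 0x5A for x in range(SIZE)]
RANDOM_SBOX = random.Random(1998).sample(range(SIZE), SIZE)
INVERSE_SBOX = [next((y for y in range(1, SIZE) if gf_mul(x, y) == 1), 0) for x in range(SIZE)]
```

Calling `max_differential` and `max_linear_bias` on the three tables shows the affine map at 256/128, the random permutation somewhere in the teens to thirties on both, and the inversion map at 4/16, which is the gap the message's "not quite optimal" remark is about.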