[2894] in cryptography@c2.net mail archive
More analysis of Skipjack by Biham et al.
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Tue Jun 30 13:53:51 1998
To: cryptography@c2.net
Date: Tue, 30 Jun 1998 13:13:54 -0400
From: "Perry E. Metzger" <perry@piermont.com>

I just received a note from Eli Biham indicating that he and his
colleagues have made some interesting and substantial progress in
attacking variants on Skipjack.

See:
http://www.cs.technion.ac.il/~biham/Reports/SkipJack/
for details. Here is a summary:

Cryptanalysis of SkipJack-4XOR

Eli Biham, Alex Biryukov, Orr Dunkelman, Eran Richardson, Adi Shamir

June 30, 1998
(DRAFT)

This note can be found in http://www.cs.technion.ac.il/~biham/Reports/SkipJack/
Feel free to distribute

Summary

SkipJack is the secret key encryption algorithm used by the US
government in the Clipper chip and Fortezza PC card. It was
implemented in tamper-resistant hardware and its structure had been
classified since its introduction in 1993. On June 24th, 1998,
SkipJack was unclassified, and its description is available at the web
site of NIST.

In a note from June 25th, we described our initial observations on
SkipJack, after several hours of analysis. In this note we summarize
our new observations after several days of analysis.

The main new result in this note is an attack on a variant of SkipJack
which contains all 32 rounds but omits four XORs. We call this
variant SkipJack-4XOR (SkipJack minus four XORs). For the sake of
simplicity, we describe in this note an unoptimized attack which
requires 2^48 time, using about 2^25 chosen plaintexts or about 2^49
known plaintexts. Improved attacks on SkipJack-4XOR and on other
variants which are even closer to SkipJack will be described in a
forthcoming note.

This is still a preliminary result, but it reiterates our earlier
comment that SkipJack does not have a conservative design with a large
margin of safety.

In the remainder of this note we first describe additional
observations and extensions of our previous note, and then describe a
new technical tool, which we call the Yoyo game. Finally, we describe
a simple version of our attack on SkipJack-4XOR, which suffices to get
the above results.