[2899] in cryptography@c2.net mail archive
Eli Biham notches the pressure up a bit higher.
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Thu Jul 2 19:39:47 1998
To: cryptography@c2.net
Date: Thu, 02 Jul 1998 19:39:15 -0400
From: "Perry E. Metzger" <perry@piermont.com>
--Multipart_Thu_Jul__2_19:39:14_1998-1
Content-Type: text/plain; charset=US-ASCII
This just in before the holiday weekend.
Quite a stunning result. One can only wonder what he finds in coming
days.
Perry
--Multipart_Thu_Jul__2_19:39:14_1998-1
Content-Type: message/rfc822
Date: Fri, 3 Jul 1998 01:33:41 +0300
From: biham@CS.Technion.AC.IL (Eli Biham)
Message-Id: <199807022233.BAA16757@CS.Technion.AC.IL>
To: perry@piermont.com
Dear colleages,
We have just released new results on the cryptanalysis of SkipJack variants.
They can be found in http://www.cs.technion.ac.il/~biham/Reports/SkipJack/.
Its summary is enclosed below.
Sincerely,
Eli Biham, Alex Biryukov, Orr Dunkelman, Eran Richardson, Adi Shamir
Cryptanalysis of SkipJack-3XOR in 2^20 time using 2^9 chosen plaintexts
July 2nd, 1998
(DRAFT)
This note can be found in http://www.cs.technion.ac.il/~biham/Reports/SkipJack/
Feel free to distribute
Summary
SkipJack is the secret key encryption algorithm developed in 1993 by
the NSA for the Clipper chip and Fortezza PC card. Its description was
made public on June 24th 1998 at NIST's web site. It uses an 80 bit
key, 32*4=128 table lookup operations, and 32*10=320 XOR operations to
map a 64 bit plaintext into a 64 bit ciphertext in 32 rounds.
This note summarizes our first week of analysis. The main result is an
attack on a variant, which we call SkipJack-3XOR (SkipJack minus 3
XORs). The only difference between SkipJack and SkipJack-3XOR is the
removal of 3 out of the 320 XOR operations. The attack uses the
ciphertexts derived from about 500 plaintexts which are identical
except for the second 16 bit word. Its total running time is
equivalent to about one million SkipJack encryptions, which can be
carried out in seconds on a personal computer.
This is still a preliminary result, but it reiterates our earlier
comment that SkipJack does not have a conservative design with a large
margin of safety.
--Multipart_Thu_Jul__2_19:39:14_1998-1--
