Biham, et al, on Skipjack

Matt Blaze (mab@research.att.com)
Thu, 25 Jun 1998 16:52:08 -0400

• Next message: Kriston J. Rehberg: "Re: Random seeds"
• Previous message: Tom Weinstein: "Re: timing attacks."

------- Forwarded Message

Date: Thu, 25 Jun 1998 23:39:19 +0300
Message-Id: <199806252039.XAA19484@CS.Technion.AC.IL>
From: biham@csa.CS.Technion.AC.IL
To: <headers omitted>

Dear colleages,

Since the publication of the SkipJack encryption algorithm by NIST, we
were studying its design, and we are now making our initial
observations public.

They can be found in http://www.cs.technion.ac.il/~biham/Reports/SkipJack/.
Feel free to distribute.

The summary is enclosed below.

Sincerely,

Eli Biham, Alex Biryukov, Or Dunkelman, Eran Richardson, Adi Shamir

- ---------------------------------------------------------------------------

Initial Observations on the SkipJack Encryption Algorithm

    Eli Biham, Alex Biryukov, Or Dunkelman, Eran Richardson, Adi Shamir
                               June 25, 1998
                                   (DRAFT)

This note can be found in http://www.cs.technion.ac.il/~biham/Reports/SkipJack/
                              Feel free to distribute

Summary

SkipJack is the secret key encryption algorithm used by the US
government in the Clipper chip and Fortezza PC card. It was
implemented in tamper-resistant hardware and its structure had been
classified since its introduction in 1993. On June 24th, 1998,
SkipJack was unclassified, and described in the web site of NIST.

This note summarizes our main observations, after several hours of
analysis. Our main finding so far is that SkipJack reduced from 32 to
16 rounds can be broken by an attack which is faster than an
exhaustive search. This is obviously a very initial result, and may
indicate that SkipJack does not have a conservative design with large
margins of safety.

In the remainder of this note we describe an efficient implementation of
SkipJack, which will be also used as the basis for the subsequent
analysis, and then we use the standard terminology of differential and
linear cryptanalysis to describe our best results so far.
- --------------------------------------------------------------------
Eli Biham Tel: +972-4-8294308
Computer Science Department Fax: +972-4-8221128
Technion, Haifa 32000, Israel email: biham@cs.technion.ac.il
                                   WWW: http://www.cs.technion.ac.il/~biham/
Please do not send any unsolicited mail/email to this account.

------- End of Forwarded Message

• Next message: Kriston J. Rehberg: "Re: Random seeds"
• Previous message: Tom Weinstein: "Re: timing attacks."