more cryptanalysis of Skipjack variants by Biham et al

Matt Blaze (mab@research.att.com)
Thu, 02 Jul 1998 18:33:32 -0400

• Next message: Alex Alten: "Re: safety of blindly truncating hashes (Re: TEA)"
• Previous message: Bill Frantz: "Re: truncated hashes and MACs"

------- Forwarded Message

Received: from amontillado.research.att.com (amontillado.research.att.com [135.207.24.32]) by nsa.research.att.com (8.7.3/8.7.3) with ESMTP id SAA03463 for <mab-local@nsa.research.att.com>; Thu, 2 Jul 1998 18:31:08 -0400 (EDT)
Received: from research.att.com (research.research.att.com [135.207.30.100])
        by amontillado.research.att.com (8.8.7/8.8.7) with SMTP id SAA08746
        for <mab@issr.research.att.com>; Thu, 2 Jul 1998 18:35:23 -0400 (EDT)
Received: from csnet.cs.technion.ac.il ([132.68.32.7]) by research; Thu Jul 2 18:33:21 EDT 1998
Received: from CS.Technion.AC.IL (csa [132.68.32.1]) by csnet.cs.technion.ac.il (8.6.11/8.6.10) with ESMTP id BAA17536 for <mab@research.att.com>; Fri, 3 Jul 1998 01:32:28 +0300
Received: by CS.Technion.AC.IL (SMI-8.6/SMI-SVR4)
        id BAA16670; Fri, 3 Jul 1998 01:33:27 +0300
Date: Fri, 3 Jul 1998 01:33:27 +0300
From: biham@CS.Technion.AC.IL (Eli Biham)
Message-Id: <199807022233.BAA16670@CS.Technion.AC.IL>
To: mab@research.att.com

Dear colleages,

We have just released new results on the cryptanalysis of SkipJack variants.

They can be found in http://www.cs.technion.ac.il/~biham/Reports/SkipJack/.

Its summary is enclosed below.

Sincerely,

Eli Biham, Alex Biryukov, Orr Dunkelman, Eran Richardson, Adi Shamir

Cryptanalysis of SkipJack-3XOR in 2^20 time using 2^9 chosen plaintexts

                                   July 2nd, 1998
                                     (DRAFT)

This note can be found in http://www.cs.technion.ac.il/~biham/Reports/SkipJack/
                                 Feel free to distribute

Summary

SkipJack is the secret key encryption algorithm developed in 1993 by
the NSA for the Clipper chip and Fortezza PC card. Its description was
made public on June 24th 1998 at NIST's web site. It uses an 80 bit
key, 32*4=128 table lookup operations, and 32*10=320 XOR operations to
map a 64 bit plaintext into a 64 bit ciphertext in 32 rounds.

This note summarizes our first week of analysis. The main result is an
attack on a variant, which we call SkipJack-3XOR (SkipJack minus 3
XORs). The only difference between SkipJack and SkipJack-3XOR is the
removal of 3 out of the 320 XOR operations. The attack uses the
ciphertexts derived from about 500 plaintexts which are identical
except for the second 16 bit word. Its total running time is
equivalent to about one million SkipJack encryptions, which can be
carried out in seconds on a personal computer.

This is still a preliminary result, but it reiterates our earlier
comment that SkipJack does not have a conservative design with a large
margin of safety.

------- End of Forwarded Message

• Next message: Alex Alten: "Re: safety of blindly truncating hashes (Re: TEA)"
• Previous message: Bill Frantz: "Re: truncated hashes and MACs"