More SKIPJACK Analysis From Biham, Biryukov, Dunkelman, Richardson, Shamir

This file is available on a Cryptome DVD offered by Cryptome. Donate $25 for a DVD of the Cryptome 10-year archives of 35,000 files from June 1996 to June 2006 (~3.5 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. Archives include all files of cryptome.org, cryptome2.org, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org. Cryptome offers with the Cryptome DVD an INSCOM DVD of about 18,000 pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985. No additional contribution required -- $25 for both. The DVDs will be sent anywhere worldwide without extra cost.

30 June 1998

To: cryptography@c2.net
Subject: More analysis of Skipjack by Biham et al.
Date: Tue, 30 Jun 1998 13:13:54 -0400
From: "Perry E. Metzger" <perry@piermont.com>

I just received a note from Eli Biham indicating that he and his
colleagues have made some interesting and substantial progress in
attacking variants on Skipjack.

See:

http://www.cs.technion.ac.il/~biham/Reports/SkipJack/

for details. Here is a summary:

                       Cryptanalysis of SkipJack-4XOR

      Eli Biham, Alex Biryukov, Orr Dunkelman, Eran Richardson, Adi Shamir

                                June 30, 1998
                                  (DRAFT)

This note can be found in http://www.cs.technion.ac.il/~biham/Reports/SkipJack/
                           Feel free to distribute

Summary

SkipJack is the secret key encryption algorithm used by the US
government in the Clipper chip and Fortezza PC card.  It was
implemented in tamper-resistant hardware and its structure had been
classified since its introduction in 1993.  On June 24th, 1998,
SkipJack was unclassified, and its description is available at the web
site of NIST.

In a note from June 25th, we described our initial observations on
SkipJack, after several hours of analysis.  In this note we summarize
our new observations after several days of analysis.

The main new result in this note is an attack on a variant of SkipJack
which contains all 32 rounds but omits four XORs.  We call this
variant SkipJack-4XOR (SkipJack minus four XORs).  For the sake of
simplicity, we describe in this note an unoptimized attack which
requires 2^48 time, using about 2^25 chosen plaintexts or about 2^49
known plaintexts.  Improved attacks on SkipJack-4XOR and on other
variants which are even closer to SkipJack will be described in a
forthcoming note.

This is still a preliminary result, but it reiterates our earlier
comment that SkipJack does not have a conservative design with a large
margin of safety.

In the remainder of this note we first describe additional
observations and extensions of our previous note, and then describe a
new technical tool, which we call the Yoyo game.  Finally, we describe
a simple version of our attack on SkipJack-4XOR, which suffices to get
the above results.