[Cryptography] cryptography Digest, Vol 16, Issue 11

Jerry Leichter leichter at lrw.com
Thu Aug 14 06:22:29 EDT 2014


On Aug 13, 2014, at 7:07 PM, Ryan Carboni <ryacko at gmail.com> wrote:
> Novel forms of cryptography will be used to create new algorithms safe from new methods of cryptanalysis. It's a guessing race, and partly why Skipjack was found to be so vulnerable, a new form of cryptanalysis was discovered....
It's not clear what point you're trying to make, but if it's that algorithms get broken, Skipjack is a poor example:  In the 15+ years since it was first published, no significant attack has been published against it.  The best published attacks are against reduced-round variants - including one against 31 rounds out of 32 using impossible differentials, an attack that gains no significant advantage over brute force that no one has been able to improve since it was published in 1999.  So, no, Skipjack is not *publicly* "broken" except in the sense that its 80-bit key is too short to survive modern brute force.

BTW, the precision of the defense in Skipjack is remarkable:  32 rounds are safe, 31 rounds are not (at least "not safe" in the certification sense).  There's no publicly known methodology for skating so close to the edge - publicly designed ciphers seem to always tack on an extra couple of rounds "just to be sure".  Between Skipjack (fully NSA-designed) and DES (NSA-modified), we have two ciphers that have survived the best public cryptanalysis for many years, delivering *exactly* the level of security NSA promised, with the minimum resources needed.  (OK, DES isn't quite there as linear cryptanalysis gets a bit of a toe-hold.)  This suggests that NSA has some design tricks for block ciphers up its sleeve that the public world has yet to find.  (There are vaguer hints that they have some similar design secrets for stream ciphers:  No public stream cipher has survived public attack, but while we don't know how they work internally, NSA has continued to field stream ciphers for its own use, so it apparently thinks it can produce secure ones.)
                                                        -- Jerry