[Cryptography] cryptography Digest, Vol 16, Issue 11

ianG iang at iang.org
Fri Aug 15 06:37:35 EDT 2014


On 14/08/2014 11:22 am, Jerry Leichter wrote:
> On Aug 13, 2014, at 7:07 PM, Ryan Carboni <ryacko at gmail.com> wrote:
>> Novel forms of cryptography will be used to create new algorithms safe from new methods of cryptanalysis. It's a guessing race, and partly why Skipjack was found to be so vulnerable, a new form of cryptanalysis was discovered....
> It's not clear what point you're trying to make, but if it's that algorithms get broken, Skipjack is a poor example:  In the 15+ years since it was first published, no significant attack has been published against it.  The best published attacks are against reduced-round variants - including one against 31 rounds out of 32 using impossible differentials, an attack that gains no significant advantage over brute force that no one has been able to improve since it was published in 1999.  So, no, Skipjack is not *publicly* "broken" except in the sense that its 80-bit key is too short to survive modern brute force.

Thanks for the update!  I'm still waiting for someone to report on which
big-name algorithm got broken in living memory.

(Oh, and what the strategy is for initiating a replacement in real
time... oops!  IETF, I'm speaking to you, but nobody's listening ;)

> BTW, the precision of the defense in Skipjack is remarkable:  32 rounds are safe, 31 rounds are not (at least "not safe" in the certification sense).  There's no publicly known methodology for skating so close to the edge - publicly designed ciphers seem to always tack on an extra couple of rounds "just to be sure".  Between Skipjack (fully NSA-designed) and DES (NSA-modified), we have two ciphers that have survived the best public cryptanalysis for many years, delivering *exactly* the level of security NSA promised, with the minimum resources needed.  (OK, DES isn't quite there as linear cryptanalysis gets a bit of a toe-hold.)  This suggests that NSA has some design tricks for block ciphers up its sleeve that the public world has yet to find.


OK, so why doesn't someone propose Skipjack expanded to more bits
security?  Skipjack-X?  3-Skipjack?

If the NSA are still decades ahead of the public sphere, why not use the
bounty?


> (There are vaguer hints that they have some similar design secrets for stream ciphers:  No public stream cipher has survived public attack, but while we don't know how they work internally, NSA has continued to field stream ciphers for its own use, so it apparently thinks it can produce secure ones.)


Hmmm... I haven't heard of any such embarrassment for the ChaCha family?

OTOH, as far as I can tell, it's just a block cipher internally with a
stream wrapper around it...

iang
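As an added illustration of the "block cipher internally with a stream wrapper" remark above (example code, not part of the original post), here is a minimal ChaCha20 in Python following RFC 7539: the core turns key, nonce and block counter into one 64-byte keystream block, and the stream layer only increments the counter and XORs. Strictly the core is a keyed function with a feed-forward addition rather than an invertible block cipher, which is why the same routine both encrypts and decrypts.

```python
import struct

MASK32 = 0xFFFFFFFF

def rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32

def quarter_round(state, a, b, c, d):
    # ChaCha quarter-round (RFC 7539, section 2.1) on four state words, in place.
    state[a] = (state[a] + state[b]) & MASK32; state[d] = rotl32(state[d] ^ state[a], 16)
    state[c] = (state[c] + state[d]) & MASK32; state[b] = rotl32(state[b] ^ state[c], 12)
    state[a] = (state[a] + state[b]) & MASK32; state[d] = rotl32(state[d] ^ state[a], 8)
    state[c] = (state[c] + state[d]) & MASK32; state[b] = rotl32(state[b] ^ state[c], 7)

def chacha20_block(key, counter, nonce):
    """The 'block' core: 20 rounds over a 16-word state made of 4 constant words,
    a 256-bit key, a 32-bit block counter and a 96-bit nonce. Returns 64 keystream
    bytes. The final addition of the initial state makes this a keyed function,
    not an invertible permutation, so it is never run 'backwards' to decrypt."""
    assert len(key) == 32 and len(nonce) == 12
    init = list(struct.unpack('<16I', b'expand 32-byte k' + key
                              + struct.pack('<I', counter) + nonce))
    s = init[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        quarter_round(s, 0, 4, 8, 12); quarter_round(s, 1, 5, 9, 13)   # columns
        quarter_round(s, 2, 6, 10, 14); quarter_round(s, 3, 7, 11, 15)
        quarter_round(s, 0, 5, 10, 15); quarter_round(s, 1, 6, 11, 12)  # diagonals
        quarter_round(s, 2, 7, 8, 13); quarter_round(s, 3, 4, 9, 14)
    return struct.pack('<16I', *[(x + y) & MASK32 for x, y in zip(s, init)])

def chacha20_xor(key, nonce, data, counter=1):
    """The 'stream wrapper': one core call per 64-byte block with an incrementing
    counter, keystream XORed into the data. Encryption and decryption are the same call."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ k for x, k in zip(data[i:i + 64], ks))
    return bytes(out)

if __name__ == '__main__':
    # Constructed sample key/nonce for demonstration only; never reuse a nonce under one key.
    key, nonce = bytes(range(32)), b'\x00' * 4 + b'\x00\x00\x00\x4a' + b'\x00' * 4
    ct = chacha20_xor(key, nonce, b'the stream layer is just counter-mode XOR' * 3)
    print(ct.hex())
```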

