## Truncated Differentials and Skipjack (1999)

### Cached

### Download Links

- [www.mathmagic.cn]
- [www.informatik.uni-mannheim.de]
- [www.cs.berkeley.edu]
- [now.cs.berkeley.edu]
- DBLP

### Other Repositories/Bibliography

Venue: | Advances in Cryptology: CRYPTO’99, LNCS 1666 |

Citations: | 11 - 4 self |

### BibTeX

@INPROCEEDINGS{Knudsen99truncateddifferentials,

author = {Lars R. Knudsen and M. J. B. Robshaw and David Wagner},

title = {Truncated Differentials and Skipjack},

booktitle = {Advances in Cryptology: CRYPTO’99, LNCS 1666},

year = {1999},

pages = {165--180},

publisher = {Springer Verlag}

}

### OpenURL

### Abstract

Abstract. We consider a range of attacks on reduced-round variants of the block cipher Skipjack. In particular we concentrate on the role of truncated differentials and consider what insight they give us into the design and long-term security of Skipjack. An attack on the full 32 rounds of Skipjack remains elusive. However we give attacks on the first 16 rounds of Skipjack that can efficiently recover the key with about 2 17 chosen plaintexts and an attack on the middle sixteen rounds of Skipjack which recovers the secret key using only two chosen plaintexts. Several highprobability truncated differentials are presented the existence of which might best be described as surprising. Most notably, we show that the techniques used by Biham et al. can be presented in terms of truncated differentials and that there exists a 24-round truncated differential that holds with probability one. 1

### Citations

335 |
Differential Cryptanalysis of the Data Encryption Standard
- Biham, Shamir
- 1993
(Show Context)
Citation Context ... analysis by Biham et al. [1] studied some of the detailed properties of G and in particular some of the properties of the substitution table S. This provided a first description of some differential =-=[6]-=- and linear [10] cryptanalytic attacks on reduced-round versions of Skipjack. It was shown that reducing Skipjack to consist of the first 16 rounds (eight A-rounds followed by eight B-rounds) allowed ... |

135 | Slide attacks
- Biryukov, Wagner
- 1999
(Show Context)
Citation Context ...an entropy of 64 bits. We note that such a fortuitous key-scheduling coincidence occurs in the full 32-round Skipjack cipher. 5 Boomerang attacks Here we consider the feasibility of boomerang attacks =-=[17]-=- on reduced-round variants of Skipjack. Boomerang attacks may be considered to be a close relative of miss-in-the-middle attacks [5], although these techniques were developed independently. Boomerang ... |

110 |
cryptanalysis method for DES cipher
- Linear
- 1994
(Show Context)
Citation Context ...ham et al. [1] studied some of the detailed properties of G and in particular some of the properties of the substitution table S. This provided a first description of some differential [6] and linear =-=[10]-=- cryptanalytic attacks on reduced-round versions of Skipjack. It was shown that reducing Skipjack to consist of the first 16 rounds (eight A-rounds followed by eight B-rounds) allowed one to mount a d... |

107 | A.: Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials
- Biham, Biryukov, et al.
- 1999
(Show Context)
Citation Context ...he counter is encrypted at each round and while it is included for completeness, it has no cryptanalytic significance with regards to the attacks in this paper. immaterial. Most recently Biham et al. =-=[5]-=- derived attacks that are faster than exhaustive search for the key if Skipjack is reduced by at least one round. In this paper we consider alternative enhancements which offer interesting insights in... |

8 | On the design and security of RC2
- Knudsen, Rijmen, et al.
- 1998
(Show Context)
Citation Context ...tion of Skipjack and other work The 64-bit input block of Skipjack is split into four words of 16 bits. At the time of its initial design (1987) this approach was perhaps somewhat uncommon though RC2 =-=[8]-=- adopts a similar structure. In each round of Skipjack one of the words passes through a keyed permutation which we denote by G, and at most two words are modified during a single round. The function ... |

7 |
Privacy on the Line
- Diffie, Landau
- 1998
(Show Context)
Citation Context ...s of truncated differentials and that there exists a 24-round truncated differential that holds with probability one. 1 Introduction Skipjack is a 64-bit block cipher that is used in the Clipper Chip =-=[11,12]-=- and was recently made public by the NSA [15,16]. The length of the user-supplied key suggests that like other cryptographic proposals from the U.S. government [13,14] the security level is intended t... |

3 |
Applications of higher order differentials and partial differentials
- Knudsen
- 1995
(Show Context)
Citation Context ...per we will consider some of the structural properties of Skipjack. In particular we note that the simple rounds of Skipjack seem to be particularly amenable to analysis using truncated differentials =-=[7]-=-. We will provide details of some particularly effective attacks on reduced-round versions of Skipjack and we will consider the applicability of these and other potentially more powerful attacks to an... |

3 |
The Electronic Privacy Papers
- Banisar, Schneier
- 1997
(Show Context)
Citation Context ...s of truncated differentials and that there exists a 24-round truncated differential that holds with probability one. 1 Introduction Skipjack is a 64-bit block cipher that is used in the Clipper Chip =-=[11,12]-=- and was recently made public by the NSA [15,16]. The length of the user-supplied key suggests that like other cryptographic proposals from the U.S. government [13,14] the security level is intended t... |

2 |
Available at http://www.cs.technion.ac.il/~biham/Reports/SkipJack
- Biham, Biryukov, et al.
- 1998
(Show Context)
Citation Context ...round two, bytes k8, k9, k0, k1 are used in round three and so forth. We will sometimes write Gk0...k3 to illustrate which key bytes are used in the G transformation. A first analysis by Biham et al. =-=[1]-=- studied some of the detailed properties of G and in particular some of the properties of the substitution table S. This provided a first description of some differential [6] and linear [10] cryptanal... |

1 |
Initial Observations on the Skipjack Encryption Algorithm," SAC'98
- Biham, Biryukov, et al.
- 1998
(Show Context)
Citation Context ...round two, bytes k8, k9, k0, k1 are used in round three and so forth. We will sometimes write Gk0:::k3 to illustrate which key bytes are used in the G transformation. A first analysis by Biham et al. =-=[1]-=- studied some of the detailed properties of G and in particular some of the properties of the substitution table S. This provided a first description of some differential [6] and linear [10] cryptanal... |

1 |
Cryptanalysis of Skipjack-4XOR. June 30
- Biham, Biryukov, et al.
- 1998
(Show Context)
Citation Context ...irst 16 rounds (eight A-rounds followed by eight B-rounds) allowed one to mount a differential attack requiring about 255 chosen plaintexts 4. Independently of the authors of this paper, Biham et al. =-=[2, 3]-=- also considered the role of truncated differentials in Skipjack and some variants. All that is important for such attacks to be mounted is that the function G be a permutation. Further details about ... |

1 |
time and using 2 9 chosen plaintexts
- Biham, Biryukov, et al.
(Show Context)
Citation Context ...st 16 rounds (eight A-rounds followed by eight B-rounds) allowed one to mount a differential attack requiring about 2 55 chosen plaintexts 1 . Independently of the authors of this paper, Biham et al. =-=[2,3]-=- also considered the role of truncated differentials in Skipjack and some variants. All that is important for such attacks to be mounted is that the function G beapermutation. Further details about G ... |

1 | Available at http://www.cs.technion.ac.il/˜biham/Reports/SkipJack - Knudsen, Robshaw, et al. |

1 | Also available at http://www.cs.technion.ac.il/~biham/Reports/SkipJack - Verlag |

1 | Cryptanalysis of Skipjack-3XOR in 2 time and using 2 chosen plaintexts - Biham, Biryukov, et al. |

1 | Applications of higher order dierentials and partial dierentials - Knudsen - 1995 |