Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. (English) Zbl 0927.94013

Stern, Jacques (ed.), Advances in cryptology - EUROCRYPT ’99. 17th annual Eurocrypt conference, international conference on The theory and application of cryptographic techniques, Prague, Czech Republic, May 2–6, 1999. Proceedings. Berlin: Springer. Lect. Notes Comput. Sci. 1592, 12-23 (1999).
Traditional differential cryptanalysis makes use of differentials with relatively high probabilities to distinguish correct decryption keys from the wrong ones. In particular, frequent appearance of the difference predicted by the differential indicates that the correct key was used, while less frequent occurrence of the difference suggests that the key used for decryption was a wrong one. In the paper a new variant of differential cryptanalysis is presented. The key idea is to make use of so-called impossible differentials, i.e. differentials that predict that particular differences should not occur. Using this idea, a sieving attack can be launched which finds correct keys by eliminating those trial keys that certainly are not the correct ones. In the paper, cryptanalysis of reduced Skipjack using impossible differentials is described.
After a short introduction to the key ideas of differential cryptanalysis and impossible differentials, the paper continues with a brief description of the Skipjack cipher. In the next section an impossible differential for 24 rounds of Skipjack is described. In particular, only 24 rounds starting from round 5 and ending at round 28 of the full 32-round Skipjack are considered here. Then a simple attack on a 25-round variant of Skipjack from round 5 to round 29 is described. It is also outlined how essentially the same attack can be used against a 26-round variant from round 4 to round 29.
In section 5 the main attack applied against Skipjack reduced to 31 rounds is described. Again, the 24-round impossible differential is used here. First, the variant consisting of the first 31 rounds of Skipjack is analyzed, followed by an analysis of the variant consisting of the last 31 rounds of Skipjack. Results are briefly discussed in the last section, where possible modifications of the ideas presented in the paper are also mentioned. Finally, in the Appendix an automated technique for finding all the impossible differentials based on the global structure of the cipher is described. Using this approach the authors have found that the longest impossible differential based on the global structure of Skipjack has 24 rounds.
For the entire collection see [Zbl 0912.00038].


94A60 Cryptography