TY - JOUR
T1 - Advanced differential-style cryptanalysis of the NSA's Skipjack block Cipher
AU - Kim, Jongsung
AU - Phan, Raphael C.W.
N1 - Funding Information:
Raphael Phan obtained his B. Eng (Hons) Electronics major in Computer Engineering; M. EngSc. (Research) on "Cryptanalysis of the Advanced Encryption Standard (AES) and Skipjack," sponsored by the Intel Fellowship Grant award; and Ph.D (Eng) on "Cryptanalysis of Block Ciphers: Generalization, Extensions & Integrations," from Multimedia University (MMU). Prior to joining the Electronic and Electrical Engineering department of Loughborough University, UK, Raphael was Director of the Information Security Research (iSECURES) Laboratory at Swinburne Uni of Tech from 2004 to 2007; and a researcher in the Laboratoire de sécurité et de cryptographie (LASEC), Ecole Polytechnique Fédérale de Lausanne (EPFL), Switzerland between 2007 and 2008. He does research on the security of ciphers, protocols, and related constructions. He is General Chair of Mycrypt '05 and Asiacrypt '07, Program Chair of ISH '05 and serves in Technical Program Committees of international conferences since 2005.
Funding Information:
The first author was supported by the Second Brain Korea 21 Project. Part of this work was done while the author was with the Laboratoire de sécurité et de cryptographie (LASEC), Ecole Polytechnique Fédérale de Lausanne (EPFL), Switzerland.
Copyright:
Copyright 2009 Elsevier B.V., All rights reserved.
PY - 2009
Y1 - 2009
N2 - Skipjack is a block cipher designed by the NSA for use in US government phones, and commercial mobile and wireless products by AT&T. Among its initial implementations in hardware were the Clipper chip and Fortezza PC cards, which have since influenced the private communications market to be compatible with this technology. For instance, the Fortezza card comes in PCMCIA interface and is a very easy plug-n-play device to add on to mobile and wireless systems to provide encryption for wireless transmissions. Initially classified when it was first proposed, Skipjack was declassified in 1998, and it sparked numerous security analyses from security researchers worldwide because it provides insight into the state-of-the-art security design techniques used by a highly secretive government intelligence agency such as the NSA. In this paper, commemorating a decade since Skipjack's public revelation, we revisit the security of Skipjack, in particular its resistance to advanced differential-style distinguishers. In contrast to previous work that considered conventional and impossible differential distinguishers, we concentrate our attention on the more recent advanced differential-style and related-key distinguishers that were most likely not considered in the original design objectives of the NSA. In particular, we construct first-known related-key impossible differential, rectangle and related-key rectangle distinguishers of Skipjack. Our related-key attacks (i.e., related-key miss-in-the-middle and related-key rectangle attacks) are better than all the previous related-key attacks on Skipjack. Finally, we characterize the strength of Skipjack against all these attacks and motivate reasons why, influenced by the Skipjack structure, some attacks fare better. What is intriguing about Skipjack is its simple key schedule and a structure that is a cross between conventional Feistel design principles and the unconventional use of different round types. 
This work complements past results on the security analysis of Skipjack and is hoped to provide further insight into the security of an NSA-designed block cipher; the only one publicly known to date.
KW - Analysis
KW - Block ciphers
KW - Boomerang and rectangle attacks
KW - Distinguisher
KW - NSA
KW - Related-key miss-in-the-middle attacks
KW - Skipjack
UR - http://www.scopus.com/inward/record.url?scp=68149099462&partnerID=8YFLogxK
U2 - 10.1080/01611190802653228
DO - 10.1080/01611190802653228
M3 - Article
AN - SCOPUS:68149099462
SN - 0161-1194
VL - 33
SP - 246
EP - 270
JO - Cryptologia
JF - Cryptologia
IS - 3
ER -