Cryptography Reference
In-Depth Information
produce the Clipper and Capstone chips. And this is exactly the point where
the huge almighty authority made an elementary error, just as happens with
such authorities: they forgot to allow for alternatives. Had the protocol additionally
permitted disclosed algorithms like RSA and 3DES as alternatives,
the chip could have been implemented in software, including key escrow,
since the latter is an integral part of the cryptographic protocol and not the
algorithm. But methods that are kept secret have to remain hidden in hardware.
So, Alice needed an NSA chip to be able to communicate with some equipment
fitted accordingly, and she didn't have one. We don't know whether she found
the chips too expensive, or whether there simply weren't enough chips around.
Anyhow, problematic cases appeared to pile up. The only feasible way out was
to implement the chips in software.
Now, the NSA knew that people would have started mounting their analyses
on the very day such software was shipped, eager to closely inspect the first
algorithm ever developed by the NSA. All that remained was to take the bull by
the horns: the NSA disclosed the algorithm in mid-1998, along with its public-key
method called KEA (which will be briefly discussed in Section 6.1.1). You
can imagine (just as the NSA did back then) that cryptanalysts from all over
the world plunged into it.
Skipjack is a product algorithm (a Feistel network) with 64-bit blocks, an
80-bit key, and 32 rounds. It differs from the 'civilian' algorithms mainly in
that it uses linear feedback shift registers (LFSRs; Section 5.7.2), which are
commonly used for stream ciphers, a traditional military field. The design is
astonishingly simple; you can find the detailed description and source texts on
our Web site. In his online magazine Crypto-Gram 7/98, Bruce Schneier wrote
that Skipjack is very 'vulnerable', and that even the slightest modification would
wreck its security.
A Spectacular Cryptanalysis
Biham, Biryukov, and Shamir, the cryptanalysts well known to our readers,
appear to have put up a memorial to themselves as they cryptanalyzed a Skipjack
variant reduced by one round only. In fact, they invented a new variant
of differential cryptanalysis, the method of impossible differentials, spiritually
slightly related to the negative pattern search discussed in Section 3.4.1:
roughly speaking, you look at differences that can currently not occur and