1993-09-30 - Re: Clipper specifics (more)

Header Data

From: koontzd@lrcs.loral.com (David Koontz )
To: cypherpunks@toad.com
Message Hash: 79693f86118b82c7f012e1e9d78b3b7f8505f6ab124c9bb5b445f74a66a7f973
Message ID: <9309301819.AA04996@nebula.lrcs.loral.com>
Reply To: N/A
UTC Datetime: 1993-09-30 18:22:03 UTC
Raw Date: Thu, 30 Sep 93 11:22:03 PDT

Raw message

From: koontzd@lrcs.loral.com (David Koontz )
Date: Thu, 30 Sep 93 11:22:03 PDT
To: cypherpunks@toad.com
Subject: Re: Clipper specifics (more)
Message-ID: <9309301819.AA04996@nebula.lrcs.loral.com>
MIME-Version: 1.0
Content-Type: text/plain


>From MIKEINGLE@delphi.com Wed Sep 29 20:44:02 1993

>Where do you get the MYK spec?

From:

Mykotronx, Inc.
357 Van Ness Way, Suite 200
Torrance, CA 90501
    (310) 533-8100
FAX (310) 533-0527

The cover title is "VLSI Encryption/Decryption Device Data"
The title block on the first page is "MYK-78 Encryption/Decryption Device"

There is no copyright notice, I'm a bit vague on whether such notice is
required at present.  Each page bears the trademark of Mykotronx.

>Do Type 1 chips use 80-bit keys like Clipper?

One of the characteristics of data sheets for type I chips incommon with
the MYK-78, is that no where are byte counts mentioned.  The specs instead
refer to reading or writing requisite bytes to satisfy testable flags.

Even examining key storage device specs (Crypto Ignition Key, etc.) no
byte counts are mentioned, rather a count value is specified in the header
structure.  One could assume that the key size of a type I device is
classified.  Some with exposure to Type I implementations believe that 
independent round keys are loaded, requiring a lot more storage.  Having
seen references to the cryptographic check word in Type I specs, I don't.

Type I chip Cryptographic Algorithms (CA) are not specified in theire
unclassified spec sheets and are presumeably classified.

It is my personal belief that the cryptographic algorithm (SKIPJACK) may be
the same as used in Type I devices.

Major differences other than ambiguity with respect to the cryptographic
algorithm, between Clipper and Type I devices includes:

1) No Red/Black Separation
   the MYK-78 has a single data port

2) The MYK-78 allows you to "fish" for the Cryptographic Check Word (CCW),
   a value used to verify the key has been loaded correctly.  Type I devices
   require the CCW be correct, otherwise requiring passing through reset.
   This implies a central key management authority.

3) Strict certification requirements for Type I implementations, similar
   to that done for devices/firmware/software used for controling and 
   releasing nuclear weapons.  One presumes the level of testing for
   Escrow Encryption Standard compliant devices will be done to the
   black box level if conducted by NIST.

4) Some Type I chips include two sets of Cryptographic Algorithm hardware
   for FULL DUPLEX operatiion in a communications environment.  There are
   otherwise higher levels of integration as well.

5) Type I chips generally contain provision for remote rekeying and remote
   zeroizing.  Presumeably these same facilities are instead dedicated to
   the Law Enforcement Exploitation Field in the MYK-78.

6) At least one Type I chip is a hybrid, also cotaining an Intel 8051 type
   microprocessor.

It is possible that the same silicon is used for clipper and Type I devices,
were two different I/O pads (red and black ports) located adjacent but
interleaved, with the same package pin bonded to both pads.  Enabling
CCW fishing could be a bonding option.  While one could argue that red/black
area partitioning might be employed on the silicon it is worth remembering 
that during encryption, only the final product is black, and  for decryption
the final product is red.  The flexibility in control programming mentioned
for the MYK-78 could reflect the requisite ability to control red and black
ports as well as using remote rekeying/remote zeroizing facilities for LEEF.

>How far ahead of such cyphers as IDEA and 3DES are the Type 1 cyphers?
>Much more secure, or are we pretty close to *them*?

Judging from the clipper chip, not much.  The number of clocks for executing
the CA in a Type I chip is the same as the clipper chip (64 clocks).
The MYK-78 has been publicly stated to perform 32 rounds (one could image
64 rounds in 64 clocks).  

#From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
...
#There's a little more information than that, though not much.
#The Mykotronix blurb says that the algorithm uses S-boxes, and takes
#64 clocks to do the encryption; I think someone said it's 32 rounds of
>S-boxes, which would correspond well with this.
...
#My personal speculation is that it's probably about 24-key-bits
#stronger than DES, but I don't have a good guess on the weak keys issue.

In Dorthy Dennings preliminary report on Skipjack there were several points
of interest brought up in the overview on the cryptographic algorithm:

1) Differential Cryptanalysis
 				           ...We concluded it was not
+   possible to perform an attack based on differential cryptanalysis in
+   less time than with exhaustive search.

--
    Increasing the number of rounds descreases the S/N ratio.  Changing
    The XOR for mixing key and data iin the cryptographic function f(R,K)
    to an adder would likewise make exhaustive search faster than differential
    cryptanalysis for DES (Chapter 4 of E. Biham and A. Shamir "Differential
    Cryptanalysis of the DES Encryption Algorithm", 1993 Springer-Verlag.)
    
2) Weak Keys

+                            ... We saw no pattern of symmetry in the
+   SKIPJACK algorithm which could lead to weak keys.

-- 
   A key is weak when the encryption function and decryption function
   are identical (the same key works for either)

3) Symmetry Under Complementation

+			...We tested SKIPJACK for this property and found
+  that it did not hold.

--
   In DES K XOR E(R) == !K XOR E(!R).
   
All three of these can be defeated by exchanging the XOR between key and
data in f(R,K) with adders.  The carry is a good place to introduce more
key bits per round (8 bits when modulo 64).  Subtraction is used for 
decryption and addition for encryption (or vice versa).  The key schedule
is relatively easy to extend to 80 bits from 56.  It might not be this
easy, but then again it could.

DES also has a property of the S boxes that collectively map a 32 bit
input value (R) to a 32 bit output value (SboxP) according to a 48 bit
subkey (Kn) that for a large portion of the keys, there are not 2^32
distinct output values.  Where the holes occur in the output domain
are dependent on the key, and key and not key have the same holes.
Exploring this property has led investigators to discover differential
cryptanalysis and linear cryptanalysis.  If it were possible to "see"
the output of the P permutation directly you could discover the round
key (Kn) over a large amount of chiphertext by simply checking for 32 bit 
symbols that don't show up.  Correlating missing symbols to keys is a momentous
task, potentially requiring years.  It is possible that a 4th category of 
cryptanalysis attack (Brute  force is the other method) is predicated on this
property (D.W. Davies cryptically :) mentions a method of discovering 16 key 
bits in his book published in the U.S. in 1983, I believe). 

Skipjack may have provision for defeating this hypothetical attack.







Thread