From: Anonymous <nobody@replay.com>
To: cypherpunks@cyberpass.net
Message Hash: 1d853c48eedf4eb62526baf18c6a6424f1dbf1b503067cf4b9d654fae2a3c43b
Message ID: <199809110520.HAA29692@replay.com>
Reply To: N/A
UTC Datetime: 1998-09-10 16:19:12 UTC
Raw Date: Fri, 11 Sep 1998 00:19:12 +0800
From: Anonymous <nobody@replay.com>
Date: Fri, 11 Sep 1998 00:19:12 +0800
To: cypherpunks@cyberpass.net
Subject: Re: Impossible Analysis Paper at Crypto98
Message-ID: <199809110520.HAA29692@replay.com>
MIME-Version: 1.0
Content-Type: text/plain
> There's talk of a paper given at Crypto98 on "Impossible
> Differential Analysis" which got the NSA people scribbling
> like mad taking notes as though this was something that
> had never come up at the agency and they'd better get
> right on it.
>
> Roughly, as I heard it (and I may be way off), the premise is
> that instead of using differential analysis for finding weaknesses
> in a cipher, to flip that to determine what could not possibly be
> a weakness in a cipher and build one with just those attributes.
>
> Is this report correct, and is there a source for that paper?
This was presented at the rump session and apparently there is no paper
writeup yet. Biham's home page at http://www.cs.technion.ac.il/~biham/
has a place you can register to be notified when new material comes out.
With conventional differential cryptanalysis, you look for pairs of inputs
which have differences (xors usually) such that after a certain number of
rounds, the ciphertexts have certain differences with excess probability.
With "impossible" differential cryptanalysis, you look for inputs with
differences which lead to ciphertext differences that are "impossible",
or at least have reduced probability. It's the same basic idea but
you look for diminution rather than enhancement of the probability of
later differences.
Because of the reversal of the effect, the techniques for identifying
differentials, exploiting them, and designing against them are
rather different. As a result ciphers which were designed to resist
differential cryptanalysis may be vulnerable to impossible differentials.
This technique has apparently led to an improved attack on SkipJack,
announced on Biham's web page above as "coming soon". There was also
a moderate improvement in attacks on reduced-round IDEA (not effective
against the full number of rounds though). At Crypto everyone was
scurrying off to see if any of the AES candidates could be knocked out
by the new technique.
Return to September 1998
Return to “Anonymous <nobody@replay.com>”
1998-09-10 (Fri, 11 Sep 1998 00:19:12 +0800) - Re: Impossible Analysis Paper at Crypto98 - Anonymous <nobody@replay.com>