There's talk of a paper given at Crypto98 on "Impossible Differential Analysis" which got the NSA people scribbling like mad taking notes as though this was something that had never come up at the agency and they'd better get right on it. Roughly, as I heard it (and I may be way off), the premise is that instead of using differential analysis for finding weaknesses in a cipher, to flip that to determine what could not possibly be a weakness in a cipher and build one with just those attributes. Is this report correct, and is there a source for that paper?