From MIKEINGLE@delphi.com Wed Sep 29 20:44:02 1993

Where do you get the MYK spec?

From: Mykotronx, Inc. 357 Van Ness Way, Suite 200 Torrance, CA 90501 (310) 533-8100 FAX (310) 533-0527 The cover title is "VLSI Encryption/Decryption Device Data" The title block on the first page is "MYK-78 Encryption/Decryption Device" There is no copyright notice, I'm a bit vague on whether such notice is required at present. Each page bears the trademark of Mykotronx.

Do Type 1 chips use 80-bit keys like Clipper?

One of the characteristics of data sheets for type I chips incommon with the MYK-78, is that no where are byte counts mentioned. The specs instead refer to reading or writing requisite bytes to satisfy testable flags. Even examining key storage device specs (Crypto Ignition Key, etc.) no byte counts are mentioned, rather a count value is specified in the header structure. One could assume that the key size of a type I device is classified. Some with exposure to Type I implementations believe that independent round keys are loaded, requiring a lot more storage. Having seen references to the cryptographic check word in Type I specs, I don't. Type I chip Cryptographic Algorithms (CA) are not specified in theire unclassified spec sheets and are presumeably classified. It is my personal belief that the cryptographic algorithm (SKIPJACK) may be the same as used in Type I devices. Major differences other than ambiguity with respect to the cryptographic algorithm, between Clipper and Type I devices includes: 1) No Red/Black Separation the MYK-78 has a single data port 2) The MYK-78 allows you to "fish" for the Cryptographic Check Word (CCW), a value used to verify the key has been loaded correctly. Type I devices require the CCW be correct, otherwise requiring passing through reset. This implies a central key management authority. 3) Strict certification requirements for Type I implementations, similar to that done for devices/firmware/software used for controling and releasing nuclear weapons. One presumes the level of testing for Escrow Encryption Standard compliant devices will be done to the black box level if conducted by NIST. 4) Some Type I chips include two sets of Cryptographic Algorithm hardware for FULL DUPLEX operatiion in a communications environment. There are otherwise higher levels of integration as well. 5) Type I chips generally contain provision for remote rekeying and remote zeroizing. Presumeably these same facilities are instead dedicated to the Law Enforcement Exploitation Field in the MYK-78. 6) At least one Type I chip is a hybrid, also cotaining an Intel 8051 type microprocessor. It is possible that the same silicon is used for clipper and Type I devices, were two different I/O pads (red and black ports) located adjacent but interleaved, with the same package pin bonded to both pads. Enabling CCW fishing could be a bonding option. While one could argue that red/black area partitioning might be employed on the silicon it is worth remembering that during encryption, only the final product is black, and for decryption the final product is red. The flexibility in control programming mentioned for the MYK-78 could reflect the requisite ability to control red and black ports as well as using remote rekeying/remote zeroizing facilities for LEEF.

How far ahead of such cyphers as IDEA and 3DES are the Type 1 cyphers? Much more secure, or are we pretty close to *them*?

Judging from the clipper chip, not much. The number of clocks for executing the CA in a Type I chip is the same as the clipper chip (64 clocks). The MYK-78 has been publicly stated to perform 32 rounds (one could image 64 rounds in 64 clocks). #From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) ... #There's a little more information than that, though not much. #The Mykotronix blurb says that the algorithm uses S-boxes, and takes #64 clocks to do the encryption; I think someone said it's 32 rounds of

S-boxes, which would correspond well with this. ... #My personal speculation is that it's probably about 24-key-bits #stronger than DES, but I don't have a good guess on the weak keys issue.

In Dorthy Dennings preliminary report on Skipjack there were several points of interest brought up in the overview on the cryptographic algorithm: 1) Differential Cryptanalysis ...We concluded it was not + possible to perform an attack based on differential cryptanalysis in + less time than with exhaustive search. -- Increasing the number of rounds descreases the S/N ratio. Changing The XOR for mixing key and data iin the cryptographic function f(R,K) to an adder would likewise make exhaustive search faster than differential cryptanalysis for DES (Chapter 4 of E. Biham and A. Shamir "Differential Cryptanalysis of the DES Encryption Algorithm", 1993 Springer-Verlag.) 2) Weak Keys + ... We saw no pattern of symmetry in the + SKIPJACK algorithm which could lead to weak keys. -- A key is weak when the encryption function and decryption function are identical (the same key works for either) 3) Symmetry Under Complementation + ...We tested SKIPJACK for this property and found + that it did not hold. -- In DES K XOR E(R) == !K XOR E(!R). All three of these can be defeated by exchanging the XOR between key and data in f(R,K) with adders. The carry is a good place to introduce more key bits per round (8 bits when modulo 64). Subtraction is used for decryption and addition for encryption (or vice versa). The key schedule is relatively easy to extend to 80 bits from 56. It might not be this easy, but then again it could. DES also has a property of the S boxes that collectively map a 32 bit input value (R) to a 32 bit output value (SboxP) according to a 48 bit subkey (Kn) that for a large portion of the keys, there are not 2^32 distinct output values. Where the holes occur in the output domain are dependent on the key, and key and not key have the same holes. Exploring this property has led investigators to discover differential cryptanalysis and linear cryptanalysis. If it were possible to "see" the output of the P permutation directly you could discover the round key (Kn) over a large amount of chiphertext by simply checking for 32 bit symbols that don't show up. Correlating missing symbols to keys is a momentous task, potentially requiring years. It is possible that a 4th category of cryptanalysis attack (Brute force is the other method) is predicated on this property (D.W. Davies cryptically :) mentions a method of discovering 16 key bits in his book published in the U.S. in 1983, I believe). Skipjack may have provision for defeating this hypothetical attack.