Bob Jenkins' Web SiteJeanPhilippe Aumasson placed Distingishing attacks on ISAAC on the IACR's ePrint archive. Yeay, someone's cryptoanalyzing ISAAC! Aw, he got it wrong. Consider the 254/65536 of all cases where r[0]=m[0]+m[j] and r[1]=m[1]+m[j]. For the 2^{32} of those cases where m[0]==m[1], r[0]==r[1]. That's about 2^{40} of all cases. If the remaining (12^{40}) of the cases had the normal 2^{32} chance of having r[0]==r[1], that would give about 2^{32} + 2^{40} total chance of r[0]==r[1]. Unfortunately for his arguments, if you go back to those 254/65536 cases we originally looked at, if m[0]!=m[1] then r[0]!=r[1]. That's about 2^{8} of all cases. Combining these two, r[0]==r[1] with probability about 2^{32}(1  2^{8}) + 2^{40} = 2^{32}, which is what a uniform distribution says it ought to be. Or, perhaps simpler, r[0]==r[1] with probability 2^{32} overall in those 254/65536 cases we singled out. It happens that in those cases that whenever r[0]==r[1] we can conclude m[0]==m[1]. The other distinguishers he gave were also flawed, in the same way. This is all verifiable with IBAA scaled down to 8 terms with 6 bits each (making the fractions 2^{6} and 2^{3} instead of 2^{32} and 2^{8}, and allowing you to check for the claimed bias after 2^{12} results rather than 2^{48}). I'll post an official rebuttal on IACR as soon as I manage to set up all the tools needed to generate a LaTeX document. 

Table of Contents (internal links):