Bob Jenkins' Web Site
Jean-Philippe Aumasson placed Distinguishing attacks on ISAAC on the IACR's ePrint archive. Yay, someone's cryptanalyzing ISAAC! Aw, he got it wrong.
Consider the 254/65536 of all cases where r=m+m[j] and r=m+m[j]. For the 2^-32 of those cases where m==m, r==r. That's about 2^-40 of all cases. If the remaining (1 - 2^-40) of the cases had the normal 2^-32 chance of having r==r, that would give about 2^-32 + 2^-40 total chance of r==r.
Unfortunately for his arguments, if you go back to those 254/65536 cases we originally looked at, if m!=m then r!=r. That's about 2^-8 of all cases. Combining these two, r==r with probability about 2^-32(1 - 2^-8) + 2^-40 = 2^-32, which is what a uniform distribution says it ought to be. Or, perhaps simpler, r==r with probability 2^-32 overall in those 254/65536 cases we singled out. It happens that in those cases, whenever r==r we can conclude m==m.
The other distinguishers he gave were also flawed, in the same way. This is all verifiable with IBAA scaled down to 8 terms with 6 bits each (making the fractions 2^-6 and 2^-3 instead of 2^-32 and 2^-8, and allowing you to check for the claimed bias after 2^12 results rather than 2^48). I'll post an official rebuttal on IACR as soon as I manage to set up all the tools needed to generate a LaTeX document.
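The counting argument above, checked exactly at the scaled-down size of 6-bit words with a 2^-3 share of singled-out cases. This is an added example, not Bob Jenkins' code and not a run of IBAA itself; it assumes uniform, independent words, and the function names are made up for the illustration.

```python
from fractions import Fraction
from itertools import product

W = 6                   # word size in bits, as in the scaled-down IBAA
P = Fraction(1, 8)      # 2^-3: share of cases where both results use the same m[j]

def shared_case(w):
    """Both results add the same word s: r = m + s, r2 = m2 + s.
    Returns exact (P(r == r2), P(r == r2 and m != m2))."""
    n = 1 << w
    equal = equal_but_m_differs = 0
    for m, m2, s in product(range(n), repeat=3):
        if (m + s) % n == (m2 + s) % n:
            equal += 1
            equal_but_m_differs += (m != m2)
    return Fraction(equal, n ** 3), Fraction(equal_but_m_differs, n ** 3)

def independent_case(w):
    """r = m + s and r2 = m2 + s2 with four independent uniform words
    (assumption). Counted via the histogram of sums, not n^4 tuples."""
    n = 1 << w
    hist = [0] * n
    for m, s in product(range(n), repeat=2):
        hist[(m + s) % n] += 1
    return Fraction(sum(h * h for h in hist), n ** 4)

def flawed_estimate(w, p):
    """Count the shared cases with m == m2 as certain hits, then give every
    remaining case the uniform 2^-w chance (the step objected to above)."""
    u = Fraction(1, 1 << w)
    return p * u + (1 - p * u) * u

def exact_total(w, p):
    """Weight the two enumerated cases by how often each occurs."""
    return p * shared_case(w)[0] + (1 - p) * independent_case(w)

if __name__ == "__main__":
    print("shared case      :", shared_case(W))
    print("independent case :", independent_case(W))
    print("flawed estimate  :", flawed_estimate(W, P))
    print("exact total      :", exact_total(W, P))
```

The enumeration shows that within the shared case r==r2 never occurs with m!=m2, so those cases contribute exactly the uniform share and no surplus.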
Send mail to Bob at email@example.com.