"Cube" cryptanalysis?

Greg Rose ggr at qualcomm.com
Tue Aug 19 18:38:43 EDT 2008

Perry E. Metzger wrote:
> According to Bruce Schneier...
> http://www.schneier.com/blog/archives/2008/08/adi_shamirs_cub.html
> ...Adi Shamir described a new generalized cryptanalytic attack at
> Crypto today.
> Anyone have details to share?

Stunningly smart, and an excellent and understandable presentation.

Basically, any calculation with inputs and outputs can be represented as 
  an (insanely complicated and probably intractable) set of binary 
multivariate polynomials. So long as the degree of the polynomials is 
not too large, the method allows most of the nonlinear terms to be 
cancelled out, even though the attacker can't possibly handle them. Then 
you solve a tractable system of linear equations to recover key (or 
state) bits.

His example was an insanely complicated theoretical LFSR-based stream 
cipher; recovers keys with 2^28 (from memory, I might be a little out), 
with 2^40 precomputation, from only about a million output bits. They 
are working on applying the technique to real ciphers... Trivium, which 
is a well-respected E*Stream cipher, is in their sights.

My team's last LFSR-based cipher, SOBER-128, is I think well respected 
and fairly conservative. I can say that we are extremely lucky in the 
way we load the key and IV, that the degree of the polynomials piles up 
and is quite high; once the cipher is actually running, there are output 
  bits which would have been attackable (degree 16 is certainly 
tractable), except for lucky use of addition as well as s-boxes... the 
addition carries represent high degree terms.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list