"Cube" cryptanalysis?
Perry E. Metzger
perry at piermont.com
Tue Aug 19 19:20:56 EDT 2008
Greg Rose <ggr at qualcomm.com> writes:
> His example was an insanely complicated theoretical LFSR-based stream
> cipher; recovers keys with 2^28 (from memory, I might be a little
> out), with 2^40 precomputation, from only about a million output
> bits. They are working on applying the technique to real
> ciphers... Trivium, which is a well-respected E*Stream cipher, is in
> their sights.
>
> My team's last LFSR-based cipher, SOBER-128, is I think well respected
> and fairly conservative. I can say that we are extremely lucky in the
> way we load the key and IV, that the degree of the polynomials piles
> up and is quite high; once the cipher is actually running, there are
> output bits which would have been attackable (degree 16 is certainly
> tractable), except for lucky use of addition as well as s-boxes... the
> addition carries represent high degree terms.
There are a bunch of deployed mobile phone ciphers that are in the
stream cipher class -- any thoughts on whether any of them look
vulnerable?
Perry
--
Perry E. Metzger perry at piermont.com
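The thread above turns on two points: a cube attack needs output bits whose algebraic degree in the key and IV variables is low enough that summing over a "cube" of 2^(d-1) IV assignments is affordable (hence "degree 16 is certainly tractable"), and integer addition defeats this because carries push the degree up. The following toy, added here as an illustration and not code from either poster or from SOBER-128, makes both points concrete on a constructed 4-bit adder with a public word a (IV) and a secret word b (key). It computes the algebraic normal form of each output bit by the Moebius transform, compares XOR against ADD, and then runs the offline step of a cube attack: enumerate cubes and keep those whose superpoly is linear in the key bits. All names (`anf`, `degree`, `cube_sum`, `find_linear_cubes`) and the 4-bit width are assumptions of this example.

```python
"""Constructed example: algebraic degree of a 4-bit adder vs. XOR, and the
cube-attack preprocessing step on its top output bit. Not code from the
mailing-list thread or from any real cipher."""
from itertools import combinations

WIDTH = 4  # bits per word; public word a = low WIDTH input bits, secret b = high


def anf(f, n):
    """Algebraic normal form of Boolean function f on n variables.
    Returns the set of monomial bitmasks present (bit i set in a mask means
    variable x_i is a factor). In-place Moebius transform of the truth table."""
    size = 1 << n
    tt = [f(x) & 1 for x in range(size)]
    for i in range(n):
        bit = 1 << i
        for x in range(size):
            if x & bit:
                tt[x] ^= tt[x ^ bit]
    return {m for m in range(size) if tt[m]}


def degree(f, n):
    """Algebraic degree = largest monomial weight in the ANF (0 for constants)."""
    return max((bin(m).count("1") for m in anf(f, n)), default=0)


def add_bit(i):
    """Output bit i of (a + b) mod 2^WIDTH; carries make this degree i+1."""
    mask = (1 << WIDTH) - 1
    return lambda x: (((x & mask) + (x >> WIDTH)) >> i) & 1


def xor_bit(i):
    """Output bit i of a XOR b, for comparison: always degree 1."""
    mask = (1 << WIDTH) - 1
    return lambda x: (((x & mask) ^ (x >> WIDTH)) >> i) & 1


def cube_sum(f, n_pub, cube, key):
    """XOR f over all 2^|cube| assignments of the public variables in `cube`,
    other public variables fixed to 0, secret word fixed to `key`.
    This evaluates the superpoly p_cube(key)."""
    acc = 0
    for bits in range(1 << len(cube)):
        pub = 0
        for j, var in enumerate(cube):
            if (bits >> j) & 1:
                pub |= 1 << var
        acc ^= f(pub | (key << n_pub))
    return acc


def superpoly_anf(f, n_pub, n_key, cube):
    """ANF of the superpoly as a function of the n_key secret bits."""
    return anf(lambda key: cube_sum(f, n_pub, cube, key), n_key)


def find_linear_cubes(f, n_pub, n_key, size):
    """Offline phase of a cube attack: try every cube of `size` public
    variables and keep those whose superpoly is linear and non-constant in the
    key bits. Each one yields a linear equation in the key for 2^size queries."""
    found = {}
    for cube in combinations(range(n_pub), size):
        p = superpoly_anf(f, n_pub, n_key, cube)
        if p and all(bin(m).count("1") <= 1 for m in p) and any(m != 0 for m in p):
            found[cube] = p
    return found


def fmt_poly(p):
    """Render a key-variable ANF like {1, 4} as 'k0 xor k2'."""
    return " xor ".join("1" if m == 0 else "k%d" % (m.bit_length() - 1) for m in sorted(p))


if __name__ == "__main__":
    n = 2 * WIDTH
    print("degree of XOR output bits:", [degree(xor_bit(i), n) for i in range(WIDTH)])
    print("degree of ADD output bits:", [degree(add_bit(i), n) for i in range(WIDTH)])
    top = add_bit(WIDTH - 1)  # the degree-4 bit, s_3 = a_3 xor b_3 xor carry_3
    for size in (2, 3):
        for cube, p in find_linear_cubes(top, WIDTH, WIDTH, size).items():
            print("cube over a%s -> superpoly %s" % (list(cube), fmt_poly(p)))
```

Expected behaviour: XOR bits all have degree 1 while the adder's bits have degrees 1, 2, 3, 4, the carry chain adding one to the degree per position. On the degree-4 bit, the cube over a0,a1,a2 has superpoly k0 and the cube over a1,a2 has superpoly k1, so each costs only 4 or 8 chosen-IV queries to recover one key bit; scaling the word width up shows why a cipher whose outputs reach degree 16 is within reach and one whose carries pile the degree much higher is not.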
---------------------------------------------------------------------
The Cryptography Mailing List