"Cube" cryptanalysis?

Perry E. Metzger perry at piermont.com
Tue Aug 19 19:20:56 EDT 2008

Greg Rose <ggr at qualcomm.com> writes:
> His example was an insanely complicated theoretical LFSR-based stream
> cipher; recovers keys with 2^28 (from memory, I might be a little
> out), with 2^40 precomputation, from only about a million output
> bits. They are working on applying the technique to real
> ciphers... Trivium, which is a well-respected E*Stream cipher, is in
> their sights.
> My team's last LFSR-based cipher, SOBER-128, is I think well respected
> and fairly conservative. I can say that we are extremely lucky in the
> way we load the key and IV, that the degree of the polynomials piles
> up and is quite high; once the cipher is actually running, there are
> output bits which would have been attackable (degree 16 is certainly
> tractable), except for lucky use of addition as well as s-boxes... the
> addition carries represent high degree terms.

There are a bunch of deployed mobile phone ciphers that are in the
stream cipher class -- any thoughts on whether any of them look

Perry E. Metzger		perry at piermont.com
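
The remark quoted above that addition carries represent high-degree terms can be checked directly. The following is an added example, not code from either poster or from SOBER-128: it computes the algebraic normal form of each output bit of n-bit modular addition and reports its degree, next to XOR for comparison. The function names and the word size are assumptions chosen for illustration.

```python
# Added example: algebraic degree of the output bits of (x + y) mod 2**n.
# Inputs are the 2n bits of x (low half of v) and y (high half of v).

def anf(truth_table):
    """Binary Moebius transform: truth table -> ANF coefficient list."""
    coeffs = list(truth_table)
    step = 1
    while step < len(coeffs):
        for block in range(0, len(coeffs), 2 * step):
            for i in range(block, block + step):
                coeffs[i + step] ^= coeffs[i]
        step *= 2
    return coeffs

def degree(truth_table):
    """Algebraic degree = largest number of variables in any ANF monomial."""
    coeffs = anf(truth_table)
    return max((bin(m).count("1") for m, c in enumerate(coeffs) if c), default=0)

def word_op_bit_degrees(op, n):
    """Degree of every output bit of op(x, y) over n-bit words."""
    mask = (1 << n) - 1
    degrees = []
    for bit in range(n):
        table = [(op(v & mask, v >> n) >> bit) & 1 for v in range(1 << (2 * n))]
        degrees.append(degree(table))
    return degrees

def addition_bit_degrees(n):
    return word_op_bit_degrees(lambda x, y: (x + y) & ((1 << n) - 1), n)

def xor_bit_degrees(n):
    return word_op_bit_degrees(lambda x, y: x ^ y, n)

if __name__ == "__main__":
    n = 6  # small word size so the full truth table (2**12 entries) is cheap
    print("add:", addition_bit_degrees(n))  # degree grows with bit position
    print("xor:", xor_bit_degrees(n))       # every bit stays linear
```

Sum bit i of a modular addition has degree i + 1 in the input bits because the carry into it multiplies together all lower bit positions, while XOR keeps every bit at degree 1.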
