[131106] in cryptography@c2.net mail archive
Re: "Cube" cryptanalysis?
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Tue Aug 19 20:02:01 2008
To: Greg Rose <ggr@qualcomm.com>
Cc: "cryptography\@metzdowd.com" <cryptography@metzdowd.com>
From: "Perry E. Metzger" <perry@piermont.com>
Date: Tue, 19 Aug 2008 19:20:56 -0400
In-Reply-To: <48AB4B73.1000503@qualcomm.com> (Greg Rose's message of "Tue\, 19 Aug 2008 15\:38\:43 -0700")
Greg Rose <ggr@qualcomm.com> writes:
> His example was an insanely complicated theoretical LFSR-based stream
> cipher; recovers keys with 2^28 (from memory, I might be a little
> out), with 2^40 precomputation, from only about a million output
> bits. They are working on applying the technique to real
> ciphers... Trivium, which is a well-respected E*Stream cipher, is in
> their sights.
>
> My team's last LFSR-based cipher, SOBER-128, is I think well respected
> and fairly conservative. I can say that we are extremely lucky in the
> way we load the key and IV, that the degree of the polynomials piles
> up and is quite high; once the cipher is actually running, there are
> output bits which would have been attackable (degree 16 is certainly
> tractable), except for lucky use of addition as well as s-boxes... the
> addition carries represent high degree terms.
There are a bunch of deployed mobile phone ciphers that are in the
stream cipher class -- any thoughts on whether any of them look
vulnerable?
Perry
--
Perry E. Metzger perry@piermont.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
