A Key-Recovery Attack on SOBER-128

نویسندگان

  • Kaisa Nyberg
  • Risto M. Hakala
چکیده

In this paper, we consider how an unknown constant within a state update function or output function a ects biases of linear approximations. This allows us to obtain information from an unknown constant within a T-function. We use this knowledge for mounting an attack against stream cipher SOBER-128 where we gain information from the key dependent secret constant using multiple linear approximations. One to four bits of information can be obtained from 2 to 2 keystream words, respectively. More bits can be covered by increasing the number of linear approximations used.

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

A MAC Forgery Attack on SOBER-128

SOBER-128 is a stream cipher designed by Rose and Hawkes in 2003. It can be also used for generating Message Authentication Codes (MACs) and an authenticated encryption. The developers claimed that it is difficult to forge MACs generated by both functions of SOBER128, though, the security assumption in the proposal paper is not realistic in some instances. In this paper, we examine the security...

متن کامل

Distinguishing Attack on SOBER-128 with Linear Masking

We present a distinguishing attack against SOBER-128 with linear masking. We found a linear approximation which has a bias of 2−8.8 for the non-linear filter. The attack applies the observation made by Ekdahl and Johansson that there is a sequence of clocks for which the linear combination of some states vanishes. This linear dependency allows that the linear masking method can be applied. We a...

متن کامل

How to Break Py and Pypy by a Chosen-IV Attack

Biham and Seberry have submitted the stream cipher Py and Pypy to the ECRYPT stream cipher project (eSTREAM). A key recovery attack against Py and Pypy was proposed by Wu and Preneel. In their attack, (IV sizeb − 9) bytes of the key can be recovered with (IV sizeb − 4) × 2 chosen IVs, where IV sizeb indicates the size of the IV in bytes. For a 128-bit key and a 128-bit IV, which are recommended...

متن کامل

Breaking Grain-128 with Dynamic Cube Attacks

We present a new variant of cube attacks called a dynamic cube attack. Whereas standard cube attacks [4] find the key by solving a system of linear equations in the key bits, the new attack recovers the secret key by exploiting distinguishers obtained from cube testers. Dynamic cube attacks can create lower degree representations of the given cipher, which makes it possible to attack schemes th...

متن کامل

New Results on Cryptanalysis of Stream Ciphers

Stream ciphers are cryptographic primitives that ensure the confidentiality of communications. In this thesis, we study several attacks on stream ciphers. For practical applications, the candidates of stream ciphers of NESSIE and eSTREAM projects are scrutinized. Firstly, the algebraic attacks on SOBER-t32 and SOBER-t16 stream ciphers are performed under the assumption that the stuttering phase...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:

دوره   شماره 

صفحات  -

تاریخ انتشار 2007