Distinguishing Attack on SOBER-128 with Linear Masking

We present a distinguishing attack against SOBER-128 with linear masking. We found a linear approximation which has a bias of 2−8.8 for the non-linear filter. The attack applies the observation made by Ekdahl and Johansson that there is a sequence of clocks for which the linear combination of some states vanishes. This linear dependency allows that the linear masking method can be applied. We also show that the bias of the distinguisher can be improved (or estimated more precisely) by considering quadratic terms of the approximation. The probability bias of the quadratic approximation used in the distinguisher is estimated to be equal to O(2−51.8), so that we claim that SOBER-128 is distinguishable from truly random cipher by observing O(2) keystream words.