A Key-Recovery Attack on SOBER-128
نویسندگان
چکیده
In this paper, we consider how an unknown constant within a state update function or output function a ects biases of linear approximations. This allows us to obtain information from an unknown constant within a T-function. We use this knowledge for mounting an attack against stream cipher SOBER-128 where we gain information from the key dependent secret constant using multiple linear approximations. One to four bits of information can be obtained from 2 to 2 keystream words, respectively. More bits can be covered by increasing the number of linear approximations used.
منابع مشابه
A MAC Forgery Attack on SOBER-128
SOBER-128 is a stream cipher designed by Rose and Hawkes in 2003. It can be also used for generating Message Authentication Codes (MACs) and an authenticated encryption. The developers claimed that it is difficult to forge MACs generated by both functions of SOBER128, though, the security assumption in the proposal paper is not realistic in some instances. In this paper, we examine the security...
متن کاملDistinguishing Attack on SOBER-128 with Linear Masking
We present a distinguishing attack against SOBER-128 with linear masking. We found a linear approximation which has a bias of 2−8.8 for the non-linear filter. The attack applies the observation made by Ekdahl and Johansson that there is a sequence of clocks for which the linear combination of some states vanishes. This linear dependency allows that the linear masking method can be applied. We a...
متن کاملHow to Break Py and Pypy by a Chosen-IV Attack
Biham and Seberry have submitted the stream cipher Py and Pypy to the ECRYPT stream cipher project (eSTREAM). A key recovery attack against Py and Pypy was proposed by Wu and Preneel. In their attack, (IV sizeb − 9) bytes of the key can be recovered with (IV sizeb − 4) × 2 chosen IVs, where IV sizeb indicates the size of the IV in bytes. For a 128-bit key and a 128-bit IV, which are recommended...
متن کاملBreaking Grain-128 with Dynamic Cube Attacks
We present a new variant of cube attacks called a dynamic cube attack. Whereas standard cube attacks [4] find the key by solving a system of linear equations in the key bits, the new attack recovers the secret key by exploiting distinguishers obtained from cube testers. Dynamic cube attacks can create lower degree representations of the given cipher, which makes it possible to attack schemes th...
متن کاملNew Results on Cryptanalysis of Stream Ciphers
Stream ciphers are cryptographic primitives that ensure the confidentiality of communications. In this thesis, we study several attacks on stream ciphers. For practical applications, the candidates of stream ciphers of NESSIE and eSTREAM projects are scrutinized. Firstly, the algebraic attacks on SOBER-t32 and SOBER-t16 stream ciphers are performed under the assumption that the stuttering phase...
متن کامل