Greg Rose
Tue, 19 Aug 2008 17:02:53 -0700
Perry E. Metzger wrote:
> Greg Rose <[EMAIL PROTECTED]> writes:
>> His example was an insanely complicated theoretical LFSR-based stream cipher; recovers keys with 2^28 (from memory, I might be a little out), with 2^40 precomputation, from only about a million output bits. They are working on applying the technique to real ciphers... Trivium, which is a well-respected eSTREAM cipher, is in their sights. My team's last LFSR-based cipher, SOBER-128, is I think well respected and fairly conservative. I can say that we are extremely lucky in the way we load the key and IV, that the degree of the polynomials piles up and is quite high; once the cipher is actually running, there are output bits which would have been attackable (degree 16 is certainly tractable), except for lucky use of addition as well as s-boxes... the addition carries represent high degree terms.
>
> There are a bunch of deployed mobile phone ciphers that are in the stream cipher class -- any thoughts on whether any of them look vulnerable?
With the disclaimer that I think I understand the attack but might nevertheless have misunderstood something:
A5/1 is difficult for this attack to apply to because of the clock-controlled shift registers (Adi said this).
A5/3 and the current WCDMA f8/f9 are based on Kasumi, and I'd be surprised if the attack applies. Ditto for the AES-based CDMA security.
The soon-to-be-adopted spare WCDMA algorithm, SNOW-3G, may be vulnerable if used in other ways, but appears to me to be secure in the way it is used in 3G phones. Again, somewhat lucky though, the attack comes very close to working. I believe the appropriate standards committee is going to go off and check this very closely (I spoke to one of the members).
Greg.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
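The attack discussed in this thread is never named in it; from the degree argument and the precomputation/online split, I take it to be the cube attack Dinur and Shamir presented at the CRYPTO 2008 rump session, which is an assumption on my part. As an added illustration (not part of the thread, and not SOBER-128, SNOW 3G or any deployed cipher), the Python below runs that attack against a constructed toy: a 16-bit LFSR loaded with an 8-bit key and an 8-bit IV, filtered first by a degree-3 Boolean function and then by a filter whose output is the top bit of a 4-bit modular addition. Summing keystream over all values of d-1 IV bits (a "cube") of a degree-d function leaves an affine "superpoly" in the key; the offline phase, where the attacker chooses keys as well as IVs, identifies those superpolys, and the online phase, with chosen-IV access under the unknown key, turns each one into a linear equation. All taps, filters, constants and names are mine.

```python
import itertools
from functools import lru_cache

KEY_BITS = 8
IV_BITS = 8
OUTPUT_BITS = 8          # keystream bits the attacker sees per IV


def clock(s):
    """One LFSR step: feedback from taps 15, 13, 12, 10 (arbitrary choice), shift right."""
    return [s[15] ^ s[13] ^ s[12] ^ s[10]] + s[:15]


def filter_xor(s):
    """Degree-3 filter made of XOR and AND of state bits."""
    return s[1] ^ (s[4] & s[9]) ^ (s[7] & s[5] & s[13])


def filter_add(s):
    """Degree-4 filter: top bit of a 4-bit modular add of two words drawn from the
    state.  Only the carry chain raises the degree above filter_xor's."""
    a = s[7] | s[5] << 1 | s[4] << 2 | s[1] << 3
    b = s[6] | s[13] << 1 | s[12] << 2 | s[9] << 3
    return ((a + b) >> 3) & 1


@lru_cache(maxsize=None)
def keystream(key, iv, filt):
    """Toy cipher: IV in s[0..7], key in s[8..15], one filter output per clock.  No
    loading rounds: plain LFSR clocking is linear in key and IV, so it cannot raise the degree."""
    s = [(iv >> i) & 1 for i in range(IV_BITS)] + [(key >> i) & 1 for i in range(KEY_BITS)]
    out = []
    for _ in range(OUTPUT_BITS):
        out.append(filt(s))
        s = clock(s)
    return tuple(out)


def cube_sums(key, cube, filt):
    """XOR of each keystream bit over all 2^|cube| settings of the IV bits in `cube`,
    other IV bits 0.  This is the only online operation: chosen-IV queries under one key."""
    acc = [0] * OUTPUT_BITS
    for bits in itertools.product((0, 1), repeat=len(cube)):
        iv = sum(b << i for i, b in zip(cube, bits))
        for pos, z in enumerate(keystream(key, iv, filt)):
            acc[pos] ^= z
    return acc


def parity(x):
    return bin(x).count("1") & 1


def affine_fit(values):
    """values[k] is the superpoly at key k, for every k.  Returns (c0, mask) with
    p(k) = c0 ^ parity(mask & k) if p is affine, else None.  Eight key bits let us check
    every key; a real attack uses randomized BLR linearity tests on the black box instead."""
    c0 = values[0]
    mask = sum(1 << i for i in range(KEY_BITS) if values[1 << i] ^ c0)
    if all(v == c0 ^ parity(mask & k) for k, v in enumerate(values)):
        return c0, mask
    return None


def precompute(cube_size, filt):
    """Offline phase: keep every (cube, position) whose superpoly is affine and
    non-constant in the key; count the superpolys rejected as nonlinear."""
    usable, nonlinear = [], 0
    for cube in itertools.combinations(range(IV_BITS), cube_size):
        sums = [cube_sums(k, cube, filt) for k in range(1 << KEY_BITS)]
        for pos in range(OUTPUT_BITS):
            fit = affine_fit([sums[k][pos] for k in range(1 << KEY_BITS)])
            if fit is None:
                nonlinear += 1
            elif fit[1]:
                usable.append((cube, pos, fit[0], fit[1]))
    return usable, nonlinear


def solve_gf2(rows, nvars):
    """Gaussian elimination over GF(2); a row (mask, rhs) means parity(mask & k) == rhs.
    Returns (solution, rank); solution is None unless the rank is full."""
    pivots = {}                                  # pivot bit -> (mask, rhs); pivot = lowest set bit
    for mask, rhs in rows:
        for piv in sorted(pivots):
            if (mask >> piv) & 1:
                mask ^= pivots[piv][0]
                rhs ^= pivots[piv][1]
        if mask == 0:
            if rhs:
                raise ValueError("inconsistent equations")
            continue
        pivots[(mask & -mask).bit_length() - 1] = (mask, rhs)
    if len(pivots) < nvars:
        return None, len(pivots)
    sol = 0
    for piv in sorted(pivots, reverse=True):     # back-substitute, high bits first
        mask, rhs = pivots[piv]
        sol |= (rhs ^ parity(mask & sol)) << piv
    return sol, nvars


def recover_key(secret_key, table, filt):
    """Online phase: chosen-IV queries under the unknown key turn each precomputed
    superpoly into one linear equation in the key bits."""
    rows = [(mask, cube_sums(secret_key, cube, filt)[pos] ^ c0)
            for cube, pos, c0, mask in table]
    return solve_gf2(rows, KEY_BITS)


if __name__ == "__main__":
    secret = 0b10110010                          # constructed sample key
    for name, filt, size in (("xor", filter_xor, 2), ("add", filter_add, 2), ("add", filter_add, 3)):
        table, rejected = precompute(size, filt)
        key, rank = recover_key(secret, table, filt)
        print(f"{name} filter, {size}-bit cubes ({1 << size} IVs each): {len(table)} usable "
              f"superpolys, {rejected} rejected as nonlinear, rank {rank}, key {key}")
```

Running it shows the mechanism Greg points at. filter_xor falls to 2-bit cubes. With filter_add the same 2-bit cubes produce superpolys that fail the linearity check because of the carry terms, and 3-bit cubes (twice the chosen IVs per cube, twice as many cubes) are needed before every superpoly is affine. In this toy the degree only rises from 3 to 4, so the surviving 2-bit cubes still recover the key once the nonlinear ones are discarded; in a 32-bit adder the carry into the top bit has degree 32 in its inputs, which is the kind of growth that puts the required cubes out of reach.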