Greg Rose <[EMAIL PROTECTED]> writes:
> His example was an insanely complicated theoretical LFSR-based stream
> cipher; recovers keys with 2^28 (from memory, I might be a little
> out), with 2^40 precomputation, from only about a million output
> bits. They are working on applying the technique to real
> ciphers... Trivium, which is a well-respected E*Stream cipher, is in
> their sights.
>
> My team's last LFSR-based cipher, SOBER-128, is I think well respected
> and fairly conservative. I can say that we are extremely lucky in the
> way we load the key and IV, that the degree of the polynomials piles
> up and is quite high; once the cipher is actually running, there are
> output bits which would have been attackable (degree 16 is certainly
> tractable), except for lucky use of addition as well as s-boxes... the
> addition carries represent high degree terms.

There are a bunch of deployed mobile phone ciphers that are in the
stream cipher class -- any thoughts on whether any of them look
vulnerable?

Perry
-- 
Perry E. Metzger		[EMAIL PROTECTED]
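
The quoted remark that addition carries represent high-degree terms can be checked directly. The following is an added example, not part of either message and not code from SOBER-128: it computes the algebraic normal form over GF(2) of each output bit of n-bit modular addition and compares the degrees with XOR (function names are hypothetical).

```python
# Added illustration: algebraic degree of the output bits of (x + y) mod 2^n,
# viewed as Boolean functions of the 2n input bits, compared with x XOR y.

def anf(truth_table):
    """Moebius transform: truth table of length 2^m -> ANF coefficients.
    Index k of the result is the coefficient of the monomial whose
    variables are the set bits of k."""
    coeffs = list(truth_table)
    step = 1
    while step < len(coeffs):
        for start in range(0, len(coeffs), 2 * step):
            for j in range(start, start + step):
                coeffs[j + step] ^= coeffs[j]
        step *= 2
    return coeffs

def degree(coeffs):
    """Largest number of variables in any monomial with a nonzero coefficient."""
    return max((bin(k).count("1") for k, c in enumerate(coeffs) if c), default=0)

def output_degrees(op, n):
    """Degree of each output bit of op(x, y) on n-bit words.
    Input index v packs x in the low n bits and y in the high n bits."""
    mask = (1 << n) - 1
    degrees = []
    for bit in range(n):
        table = [(op(v & mask, v >> n) >> bit) & 1 for v in range(1 << (2 * n))]
        degrees.append(degree(anf(table)))
    return degrees

def addition_degrees(n):
    return output_degrees(lambda x, y: (x + y) & ((1 << n) - 1), n)

def xor_degrees(n):
    return output_degrees(lambda x, y: x ^ y, n)

if __name__ == "__main__":
    n = 8
    print("bit  xor  add")
    for bit, (dx, da) in enumerate(zip(xor_degrees(n), addition_degrees(n))):
        print(f"{bit:3d}  {dx:3d}  {da:3d}")
```

Bit i of the sum depends on the carry out of all lower positions, so its degree grows with i, while every XOR output bit stays linear.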
