9 research outputs found

    A Key-Recovery Attack on SOBER-128

    In this talk we consider linear approximations of layered cipher constructions with secret key-dependent constants that are inserted between layers, and where the layers have strong interdependency. Then clearly, averaging over the constant would clearly be wrong as it will break the interdependencies, and the Piling Up-lemma cannot be used. We show how to use linear approximations to divide the constants into constant classes, not necessary determined by a linear relation. As an example, a nonlinear filter generator SOBER-128 is considered and we show how to extend Matsui's Algorithm I in this case. Also the possibility of using multiple linear approximations simultaneously is considered.

    Comparative Analysis of Structures And Attacks on Various Stream Ciphers

    ABSTRACT INTRODUCTION Does increased security provide comfort to paranoid people? Or does security provide some very basic protections that we are naive to believe that we don't need? Today when tens of millions of people rely on Internet for essential communication and trade & commerce between them, a secure system becomes a very important issue to deal with. Cryptography under such circumstances forms an essential aspect for secure communications. Cryptography deals with four major goals viz Confidentiality, Data integrity, Authentication and Nonrepudiation and thus is widely used to secure telephonic messages, e-mails, credit card information, and corporate data [1] but with all these applications under its sleeve, one must keep in mind that cryptography on its own does not suffice all the requirements of security. Cryptography systems can be broadly classified into symmetric-key systems (AES, RC4, DES) that use a single key that both the sender and recipient have, and public-key or asymmetric systems (ElGamal, McEliece, RSA) that use two keys, a public key known to everyone and a private key that only the recipient of messages uses

    $Z_t = O(S_t, K_c)$, $C_t = E(P_t, Z_t)$, $S_{t+1} = U(P_t, S_t, K_c)$

    Where the encryption function E is such that it is easy to construct a decryption function D, the decryption process can be described as follows:

    $Z_t = O(S_t, K_c)$, $P_t = D(C_t, Z_t)$, $S_{t+1} = U(P_t, S_t, K_c)$

    As stated in ,

    - Stream ciphers are generally much faster than block ciphers
    - No or limited error propagation
    - Low hardware complexity
    - The keystream can be sometimes generated prior to encryption/decryption (in the synchronous case).

    Further on, Stream ciphers can be classified based on internal state as being either synchronous or self synchronizing. If the change in state occurs independent of the plaintext or cipher text messages the cipher is categorized as a synchronous stream cipher. In contrast, self-synchronizing stream ciphers update their state based on previous cipher text digits. In case of synchronous ciphers, the keystream generated is dependent only on the key and the position i while as in case of self-synchronous the keystream depends only on the key and a fixed amount of previous ciphertext. Synchronous ciphers are described as having no error propagation while error propagation is limited in self-synchronous. With synchronous ciphers, synchronization is achieved with 'marker positions' in the transmission, in contrast self-synchronizing ciphers have the facility to resume correct decryption if the keystream falls out of synchronization. Though desirable properties are found in both the variations, various implications are found in both of these. During decryption, the synchronous cipher limits the opportunity of detecting an error and a more serious limitation is that the attacker is able to make controlled changes to parts of ciphertext knowing very well the effect being induced on the corresponding plaintext. Rueppe

    On Data Complexity of Distinguishing Attacks vs. Message Recovery Attacks on Stream Ciphers

    We revisit the different approaches used in the literature to estimate the data complexity of distinguishing attacks on stream ciphers and analyze their inter-relationships. In the process, we formally argue which approach is applicable (or not applicable) in what scenario. To our knowledge, this is the first kind of such an exposition. We also perform a rigorous statistical analysis of the message recovery attack that exploits a distinguisher and show that in practice there is a significant gap between the data complexities of a message recovery attack and the underlying distinguishing attack. This gap is not necessarily determined by a constant factor as a function of the false positive and negative rate, as one would expect. Rather this gap is also a function of the number of samples of the distinguishing attack. We perform a case study on RC4 stream cipher to demonstrate that the typical complexities for message recovery attack inferred in the literature are but under-estimates and the actual estimates are quite larger

    Distinguishing attacks on SOBER-t16 and t32

    Two ways of mounting distinguishing attacks on two similar stream ciphers, SOBER-t16 and SOBER-t32, are proposed. It results in distinguishing attacks faster than exhaustive key search on full SOBER-t16 and on SOBER-t32 without stuttering.

    Primitive Specification for SOBER-128

    SOBER-128 joins the SOBER family of stream ciphers, with the added functionality of incorporating a Message Authentication Code generator if required. SOBER-128 draws on the research into the previous SOBER ciphers: the design does not differ significantly from its predecessor SOBER-t32. The biggest change is the replacement of the stuttering with a strengthened non-linear function. SOBER-128 is faster and more secure than SOBER-t32

    and T.Johansson. Distinguishing attacks on sober-t16 and t32

    Abstract. Two ways of mounting distinguishing attacks on two similar stream ciphers, SOBER-t16 and SOBER-t32, are proposed. It results in distinguishing attacks faster than exhaustive key search on full SOBER-t16 and on SOBER-t32 without stuttering.