eng
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Dagstuhl Seminar Proceedings
1862-4405
2007-06-06
1
11
10.4230/DagSemProc.07021.4
article
A Key-Recovery Attack on SOBER-128
Nyberg, Kaisa
Hakala, Risto
In this talk we consider linear approximations of layered cipher constructions with secret key-dependent constants that are inserted between layers, and where the layers have strong interdependency. Then clearly, averaging over the constant would clearly be wrong as it will break the interdependencies, and the Piling Up-lemma cannot be used. We show how to use linear approximations to divide the constants into constant classes, not necessary determined by a linear relation. As an example, a nonlinear filter generator SOBER-128 is considered and we show how to extend Matsui's Algorithm I in this case. Also the possibility of using multiple linear approximations simultaneously is considered.
https://drops.dagstuhl.de/storage/16dagstuhl-seminar-proceedings/dsp-vol07021/DagSemProc.07021.4/DagSemProc.07021.4.pdf
Linear approximations
correlation
linear cryptanalysis
key recovery attack
piling-up lemma
SOBER-128