Greg Rose (ggr@qualcomm.com)
Sat, 11 Jul 1998 17:56:16 +1000
"Tom Otvos" writes:
>According to the red book, "practical stream-cipher designs center around
>LFSRs", but "they are very inefficient in software".
SOBER is a stream cipher designed around an LFSR over GF(2^8), that is,
where the elements of the register are bytes, not bits. The paper about
it is about to be published in the proceedings of the 1998 Australian
Conference on Information Security and Privacy. Source code and a
preprint of the paper are available at http://www.home.aone.net.au/qualcomm .
The point of it is to leverage the "practical designs" bit while
eliminating the "inefficient" bit.
> If MT is faster than
>LFSR, can enough of them be used to make guessing the state (currently)
>impractical? Or, looked at another way, if a maximal length LFSR with an
>internal state of 624 bytes has a period of 2^(8*624) - 1, and an MT has a
>period of 2^19937 - 1, doesn't it make MT substantially better for stream
>ciphers than LFSRs?
I haven't yet read about the Mersenne Twister, so take what I say with a
grain of salt, but the real question is just how much information about
the state leaks back out, and how much work you have to do to disguise
it. As the state gets larger, though, you approach all the same problems
as you have any time you need to truck around large amounts of
information to do anything. People think 1024-bit RSA keys are bad...
what about something nearly 20 times as big just to do symmetric crypto!
By the way, your comparison is unfair... I believe that MT uses 624
thirty-two bit *words*, not bytes. If it only has 624 bytes of state, its
period is provably no better than that of the LFSR.
Anyway, if the thing is really secure, no more than 256 bits of state
could possibly matter.
Greg.
QUALCOMM Australia VOICE: +61-2-9181 4851 FAX: +61-2-9181 5470
Suite 410, Birkenhead Point http://people.qualcomm.com/ggr/
Drummoyne NSW 2047 B5 DF 66 95 89 68 1F C8 EF 29 FA 27 F2 2A 94 8F
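A byte-oriented LFSR over GF(2^8) of the kind the post describes, as an added example that is not SOBER's code (the field polynomial, register length, feedback taps and filter function below are assumptions chosen for illustration, not SOBER's actual design). It shows the point about state leakage: the unfiltered output is linear in the state (superposition holds), while a nonlinear output filter breaks that property.

```python
# Constructed illustration of a word-oriented LFSR over GF(2^8).
POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1 (the AES field polynomial; an assumption)
N = 4          # register length in bytes (assumption, chosen small)
TAPS = (0x01, 0x02, 0x03, 0x05)  # feedback coefficients (assumption)


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo POLY (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r & 0xFF


def clock(state):
    """One LFSR step: feedback byte = XOR over taps of c_i * s_i, then shift."""
    fb = 0
    for c, s in zip(TAPS, state):
        fb ^= gf_mul(c, s)
    return state[1:] + [fb]


def raw_stream(state, n):
    """Unfiltered output: the oldest register byte each step (linear in the state)."""
    out = []
    for _ in range(n):
        out.append(state[0])
        state = clock(state)
    return out


def filtered_stream(state, n):
    """Nonlinear filter: product of two register bytes in GF(2^8) plus a third.
    Multiplying two state bytes together is not GF(2)-linear in the state."""
    out = []
    for _ in range(n):
        out.append(gf_mul(state[0], state[1]) ^ state[2])
        state = clock(state)
    return out


def xor_lists(a, b):
    return [x ^ y for x, y in zip(a, b)]


def superposition_holds(stream_fn, s1, s2, n=32):
    """True iff stream(s1) XOR stream(s2) == stream(s1 XOR s2), i.e. output is linear."""
    both = xor_lists(stream_fn(list(s1), n), stream_fn(list(s2), n))
    return both == stream_fn(xor_lists(s1, s2), n)
```

Because multiplication by a constant in GF(2^8) distributes over XOR, the raw LFSR output is a GF(2)-linear function of the initial state; the filtered output is not, which is what "disguising" the state amounts to in this design space.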