Watanabe & Furuya (FSE 2004) pointed out a MAC forgery attack that turned out to be very simple to address. However, we have recently found that a similar, but less powerful, attack still applies to SOBER-128. We have deleted the MAC functionality from SOBER-128 (but stay tuned for new developments in this area). The stream cipher functionality of SOBER-128 is still thought to be extremely strong.
There is a need for a primitive stream cipher construction that is fast (faster than a block cipher in counter mode), easy to use correctly, well understood, freely available, and secure. SOBER-128 has been designed to meet these requirements, by being based entirely on a well-studied primitive in a manner that preserves the existing analyses. Additionally, SOBER-128 introduces functionality to enable simultaneous calculation of a Message Authentication Code, and allows integrity checking of partially encrypted messages.
- s128.tgz (full source code for the reference implementation, including test harness; however, the MAC functionality has been deleted)
- SOBER-128-v2.pdf (design paper)
- sober128-src-2.2.jar (source code for the Java implementation, including test harness)
Errata:

Georny Lou pointed out to us that the binary polynomial shown in the paper was incorrect (it was a byte-ordering problem in the program that determined the polynomial). The paper above has been updated to show the correct binary equivalent polynomial.