BUT the assertion does need qualifying. It is only REGULARLY CLOCKED LFSR-based stream ciphers that are likely to be vulnerable. Where there is irregular, data-dependent clocking of the LFSRs then it will typically be much harder to build a representation of low algebraic degree, and it is much less likely that the cube attack will apply.
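The clocking point above, as an added illustration that is not part of the thread: a small symbolic computation of the algebraic degree of keystream bits (as ANF polynomials over the initial-state bits) for a regularly clocked LFSR versus a stop-and-go clocked one. The 4-bit registers, the taps and the stop-and-go construction are toy assumptions chosen for the demonstration, not any cipher discussed here.

```python
# Added illustration (not from the thread): algebraic degree of keystream
# bits for regular vs. data-dependent (stop-and-go) clocking. Toy sizes.

# GF(2) polynomial in ANF: frozenset of monomials, each a frozenset of
# variable indices; the empty monomial is the constant 1.
ZERO, ONE = frozenset(), frozenset({frozenset()})

def var(i):
    return frozenset({frozenset({i})})

def add(p, q):  # XOR over GF(2): identical monomials cancel in pairs
    return p ^ q

def mul(p, q):  # AND over GF(2): expand the product, cancelling duplicates
    out = set()
    for m1 in p:
        for m2 in q:
            out ^= {m1 | m2}
    return frozenset(out)

def degree(p):  # algebraic degree = size of the largest surviving monomial
    return max((len(m) for m in p), default=-1)

def lfsr_step(state, taps):
    """One regular clock: output state[0], shift, feed back the XOR of the taps."""
    fb = ZERO
    for t in taps:
        fb = add(fb, state[t])
    return state[1:] + [fb], state[0]

def regular_degrees(n, taps, nbits):
    """Regular clocking: every keystream bit is linear in the initial state."""
    state, degs = [var(i) for i in range(n)], []
    for _ in range(nbits):
        state, bit = lfsr_step(state, taps)
        degs.append(degree(bit))
    return degs

def stop_and_go_degrees(n, taps, nbits):
    """Register A (vars 0..n-1) is clocked only when control register B
    (vars n..2n-1) outputs 1: new = c*stepped + (1+c)*unstepped. Each
    control bit enters multiplicatively, so the degree climbs every step."""
    a, b, degs = [var(i) for i in range(n)], [var(n + i) for i in range(n)], []
    for _ in range(nbits):
        b, c = lfsr_step(b, taps)
        stepped, _ = lfsr_step(a, taps)
        a = [add(mul(c, s), mul(add(ONE, c), u)) for s, u in zip(stepped, a)]
        degs.append(degree(a[0]))
    return degs

if __name__ == "__main__":
    print(regular_degrees(4, (0, 1), 5), stop_and_go_degrees(4, (0, 1), 5))
```

The regular register stays at degree 1 for every output bit, while the stop-and-go output rises one degree per clock, which is why a low-degree representation of the kind the cube attack needs is much harder to obtain for irregularly clocked designs.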

---

Have you read the paper submitted? How can we say this paper had to be accepted without knowing what was exactly inside?

A good invited talk doesn't necessarily imply that the paper was well written (though I reckon it's hard to find a badly written paper from Shamir).

It's true that the reviewing process is far from perfect, and there are many papers every year which are unfairly rejected. The difference here is that only a few are cryptographic gods enough to tell everyone that their paper has been rejected from a conference.

---

http://www.mail-archive.com/cryptography@metzdowd.com/msg09686.html

http://www.mail-archive.com/cryptography@metzdowd.com/msg09685.html

It's not a description of the attack but there are a few more details there.

---

What this attack appears to affect is Radio Gatun, a nice, fairly new construction that can either be a hash or stream cipher, taking a key of any length. Radio Gatun is nice because its core can fit in under 2k of memory and it's an elegant, extensible construction.

However, scanning the paper describing Radio Gatun, I note the quote "It has algebraic degree 2" on page 10. So it looks like a nice, small, elegant cryptographic primitive might now have fallen.

I'm assuming that FISH has had its chips...

---

Shamir has done work on algebraic attacks before (cf. the Kipnis-Shamir attack on HFE, XL), I expect that the "cube" attack relates to improved linearisation techniques for non-linear boolean equations. Precise details of the breakthrough will clearly have to wait. (The Eurocrypt deadline alluded to by Bruce is in 2-3 weeks.)

---

You both say you went to the presentation, and have made assuring comments about some current systems.

Bruce, you note that Adi (for whatever reasons) has not yet posted the paper up anywhere.

Is there any reason you cannot give us a bit more information on what the attack methodology and principles are?

After all, you make comments such as "No, not even a little bit." about Blowfish etc., and Adi "thinks that AES is immune to this attack -- the degree of the algebraic polynomial is too high". But you say LFSRs are vulnerable.

I'm guessing that, as LFSRs and AES can be defined as a closed algebraic formula over a finite field, and Adi used this in his XL / FXL attacks on AES, this is an improvement or variation on them.

As AES uses mainly linear building blocks, as do LFSRs, are other forms of cipher based on shift registers but not using linear feedback vulnerable?

Also, how about a little blue-sky thinking: the design of FEAL gave rise to differential attacks becoming effective, and thinking about this gave rise to new linear attacks.

Do Adi's "cube attacks" show potential as first "stepping stones"?

---

That reminds me of:

>SCIgen - An Automatic CS Paper Generator

>Using SCIgen to generate submissions for conferences like this gives us pleasure to no end.

>In fact, one of our papers was accepted to SCI 2005!

http://pdos.csail.mit.edu/scigen

No, not even a little bit.

---

I had hoped he timed his paper to go live during his talk, but he didn't.

---

Agreed. Unless someone implements an LFSR-based hash function -- even a complex one -- it's not going to fall to this technique. I'm certainly not worrying with my design.

---

> Now we just need to find the key blog.

Well, duh. That's this blog, of course.

---

You say broadcast HDTV formats might be vulnerable to this attack if it's good at cracking LFSRs. That's good news!

---

Is Blowfish vulnerable? How about Twofish?

I'd hate to think our hero's algorithm has been weakened :(

---

Post the cyphertext on your blog along with the claim that it's unbreakable.

Someone should post the plaintext in your comments section pretty quickly.

---

Actually I was hoping for some info on the LFSR scheme and how that affects current hashes.
