Distinguishing attack on SOBER-128 with linear masking

Joo Yeon Cho*, Josef Pieprzyk

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference proceeding contributionpeer-review

6 Citations (Scopus)


We present a distinguishing attack against SOBER-128 with linear masking. We found a linear approximation which has a bias of 2-8.8 for the non-linear filter. The attack applies the observation made by Ekdahl and Johansson that there is a sequence of clocks for which the linear combination of some states vanishes. This linear dependency allows that the linear masking method can be applied. We also show that the bias of the distinguisher can be improved (or estimated more precisely) by considering quadratic terms of the approximation. The probability bias of the quadratic approximation used in the distinguisher is estimated to be equal to O(2-51.8), so that we claim that SOBER-128 is distinguishable from truly random cipher by observing O(2103.6) keystream words.

Original languageEnglish
Title of host publicationInformation Security and Privacy
Subtitle of host publication11th Australasian Conference, ACISP 2006, Melbourne, Australia, July 3-5, 2006, Proceedings
EditorsLynn Margaret Batten, Reihaneh Safavi-Naini
Place of PublicationBerlin; Heidelberg
PublisherSpringer, Springer Nature
Number of pages11
ISBN (Electronic)9783540354598
ISBN (Print)3540354581, 9783540354581
Publication statusPublished - 2006
Event11th Australasian Conference on Information Security and Privacy, ACISP 2006 - Melbourne, Australia
Duration: 3 Jul 20065 Jul 2006

Publication series

NameLecture Notes in Computer Science
ISSN (Print)0302-9743
ISSN (Electronic)16113-349


Other11th Australasian Conference on Information Security and Privacy, ACISP 2006


Dive into the research topics of 'Distinguishing attack on SOBER-128 with linear masking'. Together they form a unique fingerprint.

Cite this