See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/233923819

Cryptanalysis Techniques for Stream Cipher: A Survey

Article in International Journal of Computer Applications · December 2012

DOI: 10.5120/9721-4187

CITATIONS READS

22 7,017

3 authors:

Mohammad Ubaidullah Bokhari Shadab Alam

Aligarh Muslim University Jazan University
58 PUBLICATIONS 742 CITATIONS 93 PUBLICATIONS 1,904 CITATIONS

SEE PROFILE SEE PROFILE

Faheem Masoodi
University of Kashmir
52 PUBLICATIONS 548 CITATIONS

SEE PROFILE

All content following this page was uploaded by Shadab Alam on 17 May 2014.

The user has requested enhancement of the downloaded file.

 International Journal of Computer Applications (0975 – 8887)
Volume 60– No.9, December 2012

Cryptanalysis Techniques for Stream Cipher: A Survey

M. U. Bokhari Shadab Alam Faheem Syeed Masoodi
Chairman, Department of Research Scholar, Dept. of Research Scholar, Dept. of
Computer Science, AMU Computer Science, AMU Computer Science, AMU
Aligarh (India) Aligarh (India) Aligarh (India)

ABSTRACT less than exhaustive key search, then only these are
Stream Ciphers are one of the most important cryptographic considered as successful. A symmetric key cipher, especially
techniques for data security due to its efficiency in terms of a stream cipher is assumed secure, if the computational
resources and speed. This study aims to provide a capability required for breaking the cipher by best-known
comprehensive survey that summarizes the existing attack is greater than or equal to exhaustive key search.
cryptanalysis techniques for stream ciphers. It will also There are different Attack scenarios for cryptanalysis based
facilitate the security analysis of the existing stream ciphers on available resources:
and provide an opportunity to understand the requirements for
developing a secure and efficient stream cipher design. 1. Ciphertext only attack
2. Known plain text attack
Keywords
Stream Cipher, Cryptography, Cryptanalysis, Cryptanalysis 3. Chosen plaintext attack
Techniques
4. Chosen ciphertext attack

1. INTRODUCTION On the basis of intention of the attacker, the attacks can be

Cryptography is the primary technique for data and classified into two categories namely key recovery attack and
communication security. It becomes indispensable where the distinguishing attacks. The motive of key recovery attack is to
communication channels cannot be made perfectly secure. derive the key but in case of distinguishing attack, the
From the ancient times, the two fields of cryptology; attacker’s motive is only to derive the original from the
cryptography and cryptanalysis are developing side by side. ciphertext. There are different attacks known for the stream
ciphers. Majority of these attacks have been discussed here.
Cryptography studies the design of algorithms for information This study is conducted due to significance of stream ciphers
and communication security at the same time cryptanalysis is in data and communication security and will provide an
concerned with the study of different techniques to search extensive survey of different cryptanalysis techniques and
weakness in the cryptographic algorithms and try to break weaknesses of existing stream cipher designs that need to be
these algorithms. The developed designs or ciphers should be overcome for developing a secure and efficient stream cipher.
secured against any possible attack in an ideal situation, but
this is not possible in the practical world. Any cryptographic 2. CRYPTANALYSIS TECHNIQUES
primitive can only be tested for all the possible known attacks. Cryptanalysis techniques for stream ciphers are:
1. Exhaustive Key Search Attack
Cryptographic algorithms can be divided into two categories, 2. Side Channel Analysis Attack
Symmetric (Secret) key algorithms and Asymmetric (Public) 3. Time Memory Trade off Attacks
key algorithms. In some literature cryptographic algorithms 4. Distinguishing Attacks
have been divided into three categories; Symmetric key, 5. Algebraic Attack
Asymmetric key and Unkeyed algorithms. In Symmetric key 6. Correlation attacks
algorithm, both the sender and receiver share the secret key 7. Guess and Determine attacks
and in asymmetric key algorithms; there are two keys; Public 8. Linear Masking attacks
key and Private Key. Public key is made public and private 9. Related Key Attack
key is kept secret with the receiver. The third category i.e. 10. Divide and Conquer Attack
unkeyed algorithms use the hybrid of these two technologies
for e.g. hash functions. 2.1 Exhaustive Key Search Attack:
In an exhaustive key search attack or a brute force attack, the
The symmetric key algorithms are further divided into two cryptanalyst tries all possible keys to decrypt a ciphertext and
categories of Block Cipher and Stream cipher. In this paper can be used against any cryptographic algorithm including
we are focusing on Stream ciphers. stream ciphers except provable secure ciphers [1] though a
Cryptanalysis is the technique of deriving the original provable secure cipher is not practically feasible, for e.g. one
message from the ciphertext without any prior knowledge of time pad.
secret key or derivation of key from the ciphertext. A general If the key size is n bits, then the attacker has to try on an
technique for cryptanalysis, applicable to all cryptographic average 2n−1 keys for breaking a cipher and 2n keys in the
algorithms is to try all the possible keys until the correct key worst case. The computational complexity of an attack is
is matched, it is known as exhaustive key search. With every often stated as O (2n). [1] An attack with a higher
passing day, the computing ability of hardware is increasing computational complexity than an exhaustive key search is
manifold; therefore it becomes necessary to use long keys for not considered an attack at all.
avoiding exhaustive key search. All the other attacks applied
on stream ciphers are compared to exhaustive key search in
terms of data and memory complexity and if its complexity is

29
 International Journal of Computer Applications (0975 – 8887)
Volume 60– No.9, December 2012

2.2 Side Channel Analysis Attack: distinguishing attack tries to identify that if a given keystream
Generally there are two steps involved in developing any is a random sequence or a cipher or generator has created it.
cryptographic primitive. First, it is defined as an abstract Distinguishing attack tries to identify the relations between
mathematical object. Thereafter this mathematical entity internal state variables and output keystream. The internal
needs to be implemented in form of a program and in some structure of a cipher has to be analyzed extensively for
cases these programs are further implemented in some distinguishing attack. Distinguishing attack is a known
specific hardware. These programs after implementation will keystream attack.
be executed in a computing environment on processing units.
These executions will present some specific characteristics. Fluhrer and McGrew introduced the idea of this attack on
alleged RC4 key stream generator [18]. Some other works on
Side channel Analysis (SCA) refers to the attacks based on the this attack are Ekdahl and Johansson [19,53]; Goli´c and
physically observable characteristics during execution. Some Menicocci [20]; Junod [21]; Watan-abe et al. [22]; Englund
of the common physical characteristics that are used for Side and Johansson [23]; Paul et al. [24]; Rose and Hawkes [25]
Channel Analysis are Power and Microprocessor time and many more. In [26] Paul and Preneel unified
required for execution, electromagnetic radiation, heat distinguishing attacks into a single framework. Ciphers are
dissipation and noise of the system etc. required to use sufficiently long keystreams to avoid
On the basis of above characteristics; there are different Side distinguishing attacks.
Channel attacks on ciphers in general and on stream cipher in
particular. Some of powerful techniques, that generally used
2.5 Algebraic Attack
for Side Channel Analysis attacks are Simple Power analysis Algebraic attacks are relatively new attacks for stream ciphers
attack, Differential Power Analysis attack [2,3], Timing and progress is rapidly taking place in this field. Algebraic
Analysis attack [4,5], Electromagnetic Analysis attacks [6,7,8] attacks are very much effective against LFSR based
and Acoustic Cryptanalysis [9]. ciphers[17]. The basic principle of algebraic attacks is to
model a cryptographic system in terms of algebraic equations.
Though there is no general countermeasure to these attacks The first step of this attack is to find the set of algebraic
but some of the possible countermeasures maybe noise equations that relate the initial state with the output
addition, buffering of the output sequence, Physical shielding, keystream, then keystream bits are observed and these values
reduction of signal size, eliminating the branch processing in are substituted into the equations. Attackers try to collect
implemented algorithm that will make the encryption time maximum possible keystream bits. Finally, this system of
equivalent [10,11] and few more. equations is solved to determine the initial state and then
derive the secret key from it. Courtois in [27] against
2.3 Time Memory Tradeoff Attacks Toycrypt first proposed algebraic Attack on stream cipher and
A time memory tradeoff attack is a method of cryptanalysis later it was used on LILI-128 [28]. This attack was also
that aims to attack a cryptographic primitive with lower successfully applied to the stream ciphers with memory that
complexity than look up table and an online complexity lower were assumed to be more secure against this attack [29,30].
than exhaustive key search. TMTO is an improvement to the Later on Courtois further enhanced this attack and proposed
exhaustive key search attack that trades off computational Fast Algebraic attack [31] that was further strengthened by
time against memory complexity [12]. Armknecht [32]. The idea behind fast algebraic attack was to
get equations of lower degree by linearly combining the
This attack can be divided into two phases; an offline phase or
equations before solving the system of equation that
pre-computation phase and online phase. In offline phase a
drastically increases the speed of the attack.
table is constructed in like lookup table method by selecting
different random keys and generating the output for each 2.6 Correlation Attacks
chosen key. These pairs of output strings and keys are stored Correlation attack is a class of known plaintext attack. These
in an indexed table by the output strings. In the second phase
or online phase, the attacker observes the output generated by attacks are widely applicable to stream ciphers; especially to
unknown keys. Then these outputs are matched with the design based on feedback shift registers. A correlation attack
outputs of the table generated in the offline phase. If a match tries to extract some information about the initial state from
is found then corresponding key will be the key off the the output keystream by exploiting the weaknesses in the
matched output. combining function of the design.
Amirazizi and Hellmen were the first to propose Time
memory processor trade-off attack [12] on block ciphers and Siegenthaler first introduced the Correlation attack against
in case of stream ciphers, TMTO was proposed by Babbage combination generator [33] in 1985 but Meier and Staffelbach
[13] in 1995 and Golic [14] in 1997 independently. Later on further improved this attack in 1988 as Fast Correlation
Biryukov and Samir combined Babbage and Golic scheme Attack [34]. Zhang and Feng proposed an improved fast
with Hellmen attack [15]. This attack was further refined by correlation attack on stream ciphers in [35]. This attack was
Birykov, Shamir and Wagner and applied on A5/1 [16].
further discussed and applied in [36, 37, 38, 39]. Correlation-
To avoid TMTO on stream ciphers, Hong and Sarkar [52] immune functions need to be implemented for avoiding such
suggested that state size should be equal to or greater than attacks. In the case of LFSRs, the irregular clocking is one of
sum of key size and size of IV and it should be random. the concepts to avoid linearity that will help countering this
Babbabge [13] and Golic [14] suggested that state size should
attack.
be at least double the size of key.

2.4 Distinguishing Attack 2.7 Guess-and-Determine Attacks

The most important criterion for a good stream cipher design Guess and determine attacks are general attacks on stream
is that keystream generation should be random. A ciphers. As it is clear from the name, in Guess and determine

30
 International Journal of Computer Applications (0975 – 8887)
Volume 60– No.9, December 2012

attacks, an attacker guess a part of the internal state and try to [49, 50]. High correlation immunity decreases the
recover the full value of internal states by observing the vulnerability to divide and conquer attack [51].
keystream using the guessed part and small amount of known
keystream. In the end a part of keystream is generated using CONCLUSION
the guessed values and then it is compared with the known
keystream to check the correctness of the guessed values. In In this paper, we have tried to describe the existing
[40] guess and determine attack was given against Polar Bear. cryptanalytic attacks on stream ciphers and countermeasures
Guess and determine attacks were also presented in [41] to these attacks have been suggested with different examples.
against SNOW. By irregular clocking, resistance against These attacks are generally tried against any new
guess and determine attacks can be increased. Guess and cryptographic primitive at first. In order to develop a new
determine attacks are more effective against word oriented secure stream cipher, it is very much necessary that these
stream ciphers [42]. attacks should be taken into consideration during development
and countermeasures of these attacks should be applied in the
2.8 Linear Masking Attacks design, so that the new design is not vulnerable to these
Linear masking attacks can be applied to those ciphers where attacks. Though these are the available techniques in literature
some non-linear process resembling block cipher design exist for cryptanalysis of the stream ciphers but generally
and in which linear masking is used to hide this process. In combinations and variants of these attacks can be used in
these attacks first of all a non-linear characteristic is future and just by overcoming these attacks any cryptographic
distinguished that exhibits some bias. Then we look at linear primitive cannot be assumed secure. We are working in the
process and get some missing linear combinations. The same field of cryptanalysis for further enhancement of available
linear combinations are applied to the cipher output and we attacks and their applications on available stream ciphers.
try to find the traces of distinguishing property. Coppersmith
et al. in [43] described a generic attack on stream ciphers 3. REFERENCES
using linear masking. Watanabe et al. proposed linear [1] Christof Paar and Jan Pelzl. “Understanding
masking attack on SNOW [44]. It is a form of Guess and Cryptography: A textbook for students and
Determine attack. practitioners”, 2010 Springer p.7 ISBN 978-364204100-6
[2] W. Fischer, B. M. Gammel, O. Kniffler and J. Velton,
2.9 Related Key Attack “Differential Power Analysis of Stream Ciphers,” Topics
To provide a little bit of extra safety or security some of the in Cryptology-CT-RSA 2007, Springer-Verlag, LNCS,
cryptographic protocol limits the amount of data, which can Vol. 4377, pp. 257–270, 2007.
be encrypted using a single key. In such cases either the new [3] P. Kocher, J. Jaffe and B. Jun, “Differential Power
key is generated with using the IV (initialization vector) and Analysis”, in the Proceedings of Crypto 1999, LNCS, vol
with master key or to change the IV which in turns change the 1666, pp 398–412, Santa-Barbara, CA, USA, August
cipher key. 1999.
[4] J.-F. Dhem, F. Koeune, P.-A. Leroux, P. Mestré, J.-J.
In such type of ciphers if the rekeying strategy relates the Quisquater, and J.-L. Willems, “A practical
inputs to the internal states without sufficient non-linearity implementation of the timing attack”, Proc. CARDIS
then cipher may become prone to a related key attack. These 1998, Smart Card Research and Advanced Applications
types of weaknesses are not very common in case of stream (J.-J. Quisquater and B. Schneier, eds.), LNCS, Springer,
1998.
ciphers but there are some examples of related key attacks.
Fluhrer et al. shown the related key attack on RC4 in [45] by [5] P. Kocher, “Timing attacks on implementations of Diffe-
exploiting a weakness of invariance in the key initialization Hellman, RSA, DSS, and other systems”, Advances in
algorithm. This weakness of RC4 was used by Stubblefield et Cryptology - CRYPTO '96, Sant Barbara, California (N.
Koblitz, ed.), LNCS, vol. 1109, Springer, 1996, pp. 104-
al. to break the WEP protocol with practical complexity [46].
113.
Sekar et al. presented a related key attack on Py-family of
stream ciphers [47,48]. [6] K. Gandolfi, C. Mourtel and F. Olivier. “Electromagnetic
Attacks: Concrete Results”. In the Pro-ceedings of the
Workshop on Cryptographic Hardware and Embedded
2.10 Divide and Conquer Attack Systems 2001 (CHES 2001), LNCS 2162 Paris, France,
Divide and conquer is a common technique to divide the May 2001, pp 251–261
problem into small problems and try to solve the problem step
by step. The same strategy is applied in case of divide and [7] Jean–Jacques Quisquater and David Samyde. “Electro
Magnetic Analysis (EMA): Measures and Counter-
conquer attack where a cipher is partitioned into components
Measures for Smart Cards”. In Smart Card Programming
and only a few key bits are determined in each stage. First the and Security (E-smart 2001), Cannes, France, LNCS
most vulnerable components are attacked. Siegenthaler [33] 2140, pp.200-210, September 2001.
originally pointed out this concept. The attack can be termed
[8] Agrawal, D., Archambeault, B., Rao and J.R., Rohatgi,
as successful only if complexities of all the stages are smaller
P.: “The EM Side-Channel(s): Attacks and Assessment
than the exhaustive key search. Some examples of attack are Methodologies”. In: Cryptographic Hardware and
Embedded Systems – CHES 2002 (2002)

31
 International Journal of Computer Applications (0975 – 8887)
Volume 60– No.9, December 2012

[9] Adi Shamir and Eran Tromer. “Acoustic cryptanalysis: [24] S. Paul, B. Preneel, and G. Sekar, “Distinguishing
on nosy people and noisy machines”. Available from: Attacks on the Stream Cipher Py”, proceedings of Fast
http://www.wisdom.weizmann.ac.il/~tromer/acoustic/ Software Encryption 2006, Lecture Notes in Computer
Science 4047, pp. 405-421, Springer-Verlag.
[10] Y. Zhou and D. Feng, “Side-channel attacks: Ten years
after its publication and the impacts on cryptographic [25] G. Rose and P. Hawkes, “On the applicability of
module security testing”, NIST Physical Security Testing distinguishing attacks against stream ciphers”,
Workshop, Hawaii, USA, Sep. 2005. Cryptology ePrint Preproceedings of the 3rd NESSIE Workshop, available
Archive, Report 2005/388, 2005, http://eprint.iacr.org online at http://eprint.iacr.org/2002/142.pdf
[11] Standaert and Francois-Xavier.: “Introduction to side- [26] Souradyuti Paul and Bart Preneel, “On the (In)security of
channel attacks”, In Verbauwhede, I.M.R. (ed.) Secure Stream Ci-phers Based on Arrays and Modular
Integrated Circuits and Systems, pp. 27–42. Springer, Addition”, Advances in Cryptology - proceedings of
Heidelberg (2010) ISBN: 978-0-387-71827-9. ASIACRYPT 2006, Lecture Notes in Computer Science
4284, pp. 69-83, Springer-Verlag, 2006.
[12] H. R. Amirazizi and M. E. Hellman. “Time-memory-
processor trade-offs”. IEEE Transactions on Information [27] N. Courtois, “Higher order correlation attacks, XL
Theory, 34(3):505–512, 1988. algorithm and Cryptanalysis of Toyocrypt”, ICISC 2002,
LNCS 2587, Springer-Verlag, pp. 182-199, 2002.
[13] S. Babbage. “Improved exhaustive search attacks on
stream ciphers”. In ECOS 95 (European Convention on [28] N. Courtois and W. Meier, “Algebraic attacks on stream
Security and Detection), 1995. ciphers with linear feedback”, Advances in Cryptology,
Eurocrypt 2003, LNCS 2656, Springer-Verlag, pp. 345-
[14] J. D. Golic. “Cryptanalysis of alleged A5 stream cipher”. 359, 2003.
In EUROCRYPT, pages 239–255, 1997.
[29] F. Armknecht and M. Krause, “Algebraic attacks on
[15] A. Biryukov and A. Shamir. “Cryptanalytic combiners with memory”, Advances in Cryptology –
time/memory/data tradeoffs for stream ciphers”. In T. Crypto 2003, LNCS 2729, Springer-Verlag, pp. 162-175,
Okamoto, editor, ASIACRYPT, volume 1976 of Lecture 2003.
Notes in Computer Science, pages 1–13. Springer, 2000.
[30] N. Courtois, Algebraic attacks on combiners with
[16] A. Biryukov, A. Shamir, and D. Wagner. “Real time memory and several outputs, E-print archive,
cryptanalysis of A5/1 on a pc”. In B. Schneier, editor, http://eprint.iacr.org/2003/125. Accessed November 14,
FSE, volume 1978 of Lecture Notes in Computer 2012.
Science, pages 1–18. Springer, 2000.
[31] N. Courtois, “Fast algebraic attack on stream ciphers
[17] Faheem Masoodi, Shadab Alam and M U Bokhari. “An with linear feedback”, Advances in Cryptology - Crypto
Analysis of Linear Feedback Shift Registers in Stream 2003, LNCS 2729, Springer-Verlag, pp. 176-194, 2003.
Ciphers” .International Journal of Computer
Applications 46(17):46-49, May 2012. Published by [32] F. Armknecht, “Improving fast algebraic attacks”, Fast
Foundation of Computer Science, New York, USA. Software Encryption (FSE) 2004, LNCS 3017, Springer
Verlag, pp. 65-82, 2004.
[18] S. Fluhrer and D. McGrew, “Statistical Analysis of the
Alleged RC4 Keystream Generator”, proceedings of FSE [33] T. Siegenthaler, “Decrypting a class of stream ciphers
2000, Lecture Notes in Computer Science 1978, pp. 19- using ciphertext only,” IEEE Trans. Computers, vol. C-
30, Springer-Verlag, 2001. 34, no. 1, pp. 81–84, 1985.
[19] Ekdahl, P. and Johansson, T., “Distinguishing attacks on [34] W. Meier and O. Staffelbach, “Fast Correlation Attacks
SOBER-t16 and SOBER-t32”. In: Daemen, J., Rijmen, on Stream Ciphers", Advances in Cryptology-
V. (Eds.), Fast Software Encryption 2002. Vol. 2365 of EUROCRYPT'88, Lecture Notes in Computer Science,
Lecture Notes in Computer Science. Springer-Verlag, pp. vol. 330, Springer-Verlag, 1988, pp. 301-314.
210–224, 2002.
[35] B. Zhang and D. Feng, “An Improved Fast Correlation
[20] Goli´c, J. and Menicocci, R., “A new statistical Attack on Stream Ciphers”, Selected Areas in
distinguisher for the shrinking generator”, available at Cryptography Lecture Notes in Computer Science
http://eprint.iacr.org/2003/041,2003 Accessed November Volume 5381, 2009, pp 214-227
14, 2012.
[36] M. Mihaljevic, M. Fossorier, and H. Imai, “A low
[21] Junod, P., “On the optimality of linear, differ-ential and complexity and high-performance algorithm for the fast
sequential distinguishers”. In: Advances in Cryptology— correlation attack,” Fast Software Encryption-FSE'2000,
EUROCRYPT 2003. Vol. 2656 of Lecture Notes in Lecture Notes in Computer Science, Springer-Verlag ,
Computer Science. Springer-Verlag, pp. 17–32. vol. 1978 , 2001, pp. 194-212.
[22] Watanabe, D., Biryukov and A., Canniere, C. D., “A [37] A. Canteaut and M. Trabbia. “Improved fast correlation
distinguishing attack of SNOW 2.0 with linear masking attacks using parity-check equations of weight 4 and 5”.
method”. In: Selected Areas in Cryptography—SAC In Advances in Cryptology EUROCRYPT 2000,
2003. To be published in Lecture Notes in Computer Springer-Verlag, 2000 volume LNCS 1807, pp. 573-588.
Science. Springer Verlag.
[38] T. Johansson, F. Jonsson, “Fast correlation attacks based
[23] Englund, H. and Johansson., T., “A new distinguisher for on turbo code techniques”, Advances in Cryptology,
clock controlled stream ciphers”. In: Fast Software CRYPTO’99, Lecture Notes in Computer Science, vol.
Encryption 2005. Lecture Notes in Computer Science. 1666, Springer-Verlag, 1999, pp. 181-197.
Springer-Verlag.

32
 International Journal of Computer Applications (0975 – 8887)
Volume 60– No.9, December 2012

[39] S. Palit, B. Roy and A. De, “A Fast Correlation Attack [46] Adam Stubblefield, John Ioannidis, and Avi Rubin.
for LFSR-Based Stream Ciphers”, Lecture Notes in “Using the Fluhrer, Mantin, and Shamir Attack to break
Computer Science, Volume 2846, Springer-Verlag, 2003, WEP”. Technical report, TD-4ZCPZZ AT&T Labs
pp. 331 - 342. Technical Report, 2001.
[40] J. Mattsson. “A Guess and Determine Attack on the [47] Sekar, G., Paul, S., & Preneel, B., “Related-key attacks
Stream Cipher Polar Bear”. eSTREAM, ECRYPT on the Py-family of ciphers and an approach to repair the
Stream Cipher Project, Report 2006/017, 2006. weaknesses”. In LNCS Vol. 4859. Indocrypt’07 (pp. 58–
http://www.ecrypt.eu.org/stream. 72). Berlin: Springer, 2007.
[41] P. Hawkes and G. G. Rose. “Guess-and-Determine [48] Bokahri, Shadab and Faheem. “A Review of Py (Roo)
Attacks on SNOW”. In Selected Areas in Cryptography, Stream Cipher and its Variants”. In Proceedings of the
pages 37–46, 2002. 5th National Conference; INDIACom-2011
[42] Philip Hawkes and Gregory G. Rose. “Exploiting [49] Kevin Chen, Matt Henricksen, Leonie Simpson, William
Multiples of the Connection Polynomial in Word- Millan and Ed Dawson. “A Complete Divide and
Oriented Stream Ciphers”, Proceedings of the 6th conquer attack on the Alpha1 stream cipher”. ICISC
International Conference on the Theory and Application 2003, 6th International Conference, Seoul, November 27-
of Cryptology and Information Security: Advances in 28, 2003, Revised papers, volume 2971, of Lecture Notes
Cryptology, p.303-316, December 03-07, 2000. In Computer Science page 418-431. Springer 2004.
[43] D. Coppersmith, S. Halevi, and C. Jutla. “Cryptanalysis [50] S. Khazaei, “Divide and Conquer Attack on ABC Stream
of stream ciphers with linear masking”. In Advances in Cipher". eSTREAM, ECRYPT Available at:
Cryptology - CRYPTO 2002, volume 2442 of Lecture http://www.ecrypt.eu.org/stream/papersdir/052.pdf.
Notes in Computer Science, pages 515 – 532, January
2002. [51] T. Siegenthaler, “Design of Combiners to Prevent Divide
and Conquer Attacks”, Advances in Cryptology-
[44] D.Watanabe, A. Biryukov, and C. De Canniere. “A CRYPTO'85, H. C. Williams (Ed.), LNCS 218, Springer-
Distinguishing Attack of SNOW 2.0 with Linear verlag, 1986, pp. 273-279.
Masking Method”. In Selected Areas in Cryptography
(SAC 2003), LNCS 3006, pp. 222{233, Springer-Verlag, [52] J. Hong and P. Sarkar. “Rediscovery of time memory
2004. tradeoffs”, 2005.

[45] Scott Fluhrer, Itsik Mantin, and Adi Shamir. [53] Faheem Masoodi, Shadab Alam and M U Bokhari.
“Weaknesses in the key scheduling algorithm of RC4”. “SOBER Family of Stream Ciphers: A
In Mitsuru Matsui, editor, Proceedings of the 8th Review”. International Journal of Computer
International Workshop on Fast Software Encryption, Applications 23(1):1–5, June 2011. Published by
volume 2355 of Lecture Notes in Computer Science, Foundation of Computer Science, New York, USA.
pages 1–24. Springer-Verlag, 2001.

33

View publication stats