InTech-New Classification of Existing Stream Ciphers

New Classication of Existing Stream Ciphers 219
X

New CIassification of Existing Stream Ciphers

KhaIed Suvais and Aznan Sansudin
Unitcrsi|i Sains Ma|aqsia (USM)
Ma|aqsia

1. Introduction
The denand on infornalion securily has exlensiveIy increased due lo lhe sensilivily of lhe
exchanged infornalion over pulIic connunicalion channeIs. One of lhe prinary goaIs of
cryplographic syslens (cryplosyslens) is lo heIp connunicalors exchanging lheir
infornalion secureIy. This goaI is achieved ly cryplographic appIicalions and prolocoIs.
Transforning a nessage (pIainlexl) lo an inconprehensive forn (cipherlexl) is
acconpIished ly a process knovn as encryplion. In conlrasl, lransforning an encrypled
nessage lo ils originaI forn is acconpIished ly a process knovn as decryplion.

In lhis chapler ve focus on one lype of synnelric key cryplosyslens knovn as slrean
ciphers. Slrean ciphers are inporlanl in securing slalic and slreaning infornalion.
Therefore, lhis chapler inlends lo presenl a nev cIassificalion of slrean ciphers lased on lhe
keyslrean generalors nechanisn. The nev cIassificalion is lased on an exlensive reviev of
exisling slrean ciphers. This reviev shoved lhal lhe conslruclionaI designs (underIying
lechniques) of sone slrean ciphers are siniIar, resuIling in forning nev calegories for
slrean ciphers lased on lhose siniIarilies.

The nain oljeclives of lhis chapler are sunnarized as foIIovs: lo provide conprehensive
survey for exisling slrean ciphers lased on lheir keyslrean generalors, lo anaIyze lhe
securily properlies of each nev calegory of slrean ciphers and lo expIicale slrean ciphers
designs lhrough a consislenl cIassificalion lhal can assisl lhe deveIopnenl process of nev
slrean ciphers.

The nev cIassificalion shovs lhal slrean ciphers are generaIIy divided inlo lhree nain
calegories: soflvare-orienled, hardvare-orienled and hylrid-design. This chapler viII sludy
lhe lhree calegories exlensiveIy in order lo undersland lhe veak and slrong poinls of each
calegory.

2. Stream Cipher: Concept and Definition
Cryplographic syslens are divided inlo lvo lypes of syslens: Secrel-key (Synnelric) and
IulIic-key (Asynnelric) cryplosyslens. In lhe Ialer syslens, lhe sender uses pulIic
infornalion of lhe receiver lo send a nessage secureIy lo lhe receiver. The receiver lhen uses
14
Computational ntelligence and Modern Heuristics 220

privale infornalion lo recover lhe originaI nessage. In Secrel-key cryplosyslens, lolh lhe
sender and receiver have previousIy sel up secrel infornalion in vhich lhey use lhis
infornalion for encryplion and decryplion. Synnelric cryplosyslens are furlher divided
inlo lIock ciphers and slrean ciphers.

The idea of slrean ciphers vas inspired fron lhe fanous cipher caIIed lhe One-line Iad
(MoIIin, 2OO7, DeIfs, 2OO2). This cipher is lased on XORing ( ) lhe nessage lils and lhe key
lils. The One-line pad is defined ly DeIfs (2OO2) as shovn in Lqualion 1:

(1)

vhere P and N denole pIainlexl and keyslrean lils respecliveIy. The generaI fornuIas of
encryplion and decryplion processes are descriled ly Lqualion 2 and 3 respecliveIy

(2)

(3)

CeneraIIy, slrean cipher uses Q-ileralions lo generale Q-successive keyslrean lased on lhe
slrean cipher inlernaI slale. The reviev conducled in lhis sludy shovs lhal lhe processing
lechniques of lhe inlernaI slales of currenl slrean ciphers are vary, vhere slrean ciphers
lend lo le, in nosl cases, eilher hardvare-orienled or soflvare-orienled.

3. Stream Ciphers Categories
In conlrasl lo lIock ciphers, slrean ciphers have no slandard nodeI for lheir conslruclion
design, vhich Ieads cryplographers lo conslrucl various nodeIs for slrean ciphers. This
sludy cIassifies slrean ciphers inlo calegories vherely each calegory incIudes slrean
ciphers lhal share specific properlies. The nev cIassificalion divides slrean ciphers inlo
lhree nain calegories: hardvare-lased slrean ciphers, soflvare-lased slrean ciphers and
hylrid designs of slrean ciphers. The cIassificalion ains lo Iook al slrean ciphers fron lhe
inpIenenlalion perspeclives. The in-deplh cIassificalion of hardvare-lased slrean ciphers
incIudes: ICSR/NLISR-lased, cIock conlroI-lased and LISR-lased slrean ciphers. On lhe
olher hand, soflvare-lased slrean ciphers incIudes: T-funclion-lased, lIock cipher-lased,
S-lox-lased and sinpIe IogicaI and arilhnelic operalions. The Iasl calegory, lhe hylrid
designs, incIudes lhose slrean ciphers vhich depend on lhe conlinalion of lolh hardvare
and soflvare lechniques in lheir conslruclionaI designs. The conprehensive cIassificalion of
slrean ciphers is iIIuslraled ly Iig. 1.

3.1 Hardware-Oriented Stream Cipher
The use of hardvare inpIenenlalions vas significanl in providing lhe securily needed for
various cryplographic appIicalions. The videIy used hardvare inpIenenlalion, as appears
in lhe Iileralure, reIies on lhe use of LISRs regislers (ojanic, el aI., 2OO4, LkdahI, 2OO3,
Canleaul, el aI., 2OOO). Hovever, in lhis seclion ve lriefIy inlroduce LISRs and anaIyze lhe
properlies of each calegory and provide sone exanpIes on slrean ciphers leIonging lo each
calegory.

Iig. 1. Slrean ciphers cIassificalions

An LISR is a shifl regisler vhich is alIe lo hoId one synloI al a line and ils inpul is a Iinear
conlinalion of lhe previous slales. The synloIs are nornaIIy eIenenls fron a fieId ,
vhere T = 2 refers lo lhe linary fieIds and refers lo sone exlension fieIds of lhe linary
fieId for a given synloIs size Z (LkdahI, 2OO3).

Shifl regisler of Ienglh consisls of regislers as shovn in Iig. 2. Lach of lhese
regislers is alIe lo hoId one synloI, one inpul and one oulpul. LISRs reIy on syslen cIocks
for lheir operalions in vhich lhe syslen cIock is responsilIe for lining aII evenls. Wilh
every cIocking of lhe LISR, lhe regislers read a nev synloI fron lheir inpul, and lhe
synloIs nove forvard fron regisler lo regisler O. Hovever, lhe firsl regisler receives
lhe nev synloI as a Iinear conlinalion of lhe synloIs ollained fron lhe previous cIocking.
CaIcuIaling lhe nev synloI is lasicaIIy delernined ly lhe feedlack coefficienls
as referred lo in Iig. 2.

Iig. 2. LISR of Ienglh
Stream
Ciphers
Hardware-
Based
ShiIt Registers
LFSR
Shrinking &
SelI Shrinking
Summation
Boolean
Functions
NLFSR/FCSR Clock Control
Stop & Go
Cascades
ABSG
Decimation
Mechanism
SoItware-
Based
T-Function S-Box Block Cipher
Elliptic Curve
Discrete Log
Simple Logical&
Arithmetic
Operations
Hybrid
Designs

0
F
1
F
F
A

The concepl of line cIocking is inporlanl in LISR funclionaIily. When lhe device cIocks al
line ve ollain a nev synloI , vhere is aIvays salisfying lhe Iinear
recurrence equalion found in (Weisslein, 2OO8, oIalallin, 2OO5) as shovn in Lqualion 4:

(4)

One inporlanl fealure of using LISR is ils aliIily lo produce an exlreneIy Iong sequence of
Iinear equalion equaI lo 2Q-1, vhere Q is lhe nunler of regisler eIenenls in lhe LISR.
Moreover, LISR is leIieved lo deIiver a slrean cipher vilh uniforned dislrilulion of lhe
vaIues generaled ly lhe keyslrean generalor. Hovever, lhe innediale oulpul of LISR is
nol acceplalIe lo le used as a keyslrean since lhe produclion of lhe oulpul vaIue is done in
Iinear fashion. In order lo use LISRs in generaling keyslrean vilh nininun IeveI of
securily, non-Iinear funclions have lo le added lo LISRs lo nake lhe lil produclion process
afler each cIocking vork in non-Iinear fashion. To achieve lhis purpose, differenl lechniques
have leen inlroduced such as adding sone non-Iinear fiIlers, non-Iinear updales and
irreguIar cIocking lo deslroy lhe Iinearily found in LISRs.

3.1.1 Shrinking and SeIf-Shrinking Generator
Coppersnilh, el aI., (1993) proposed a nev generalor vhich consisls of lvo LISRs and
caIIed il as a Shrinking Ceneralor. The shrinking generalor is designed as a pseudorandon
keyslrean generalor and il is preferred due lo lhe sinpIicily of ils design. The feedlack
coefficienls are represenled in poIynoniaI represenlalion. Lach one of lhe LISR produces a
lil slrean represenled ly and produced ly LISR-A and LISR-8 regislers respecliveIy
lo forn lhe keyslrean . Hovever, shrinking generalors are suljecled lo knovn-pIainlexl
dislinguishing allack vhich is firsl inlroduced ly (LkdahI, el aI., 2OO3). The allack delecled
sone non-randonness in lhe dislrilulion of lhe keyslrean lils. Nole lhal lhe allacker is
required lo knov lhe feedlack poIynoniaI of $ lo nake lhis allack feasilIe.

SeIf-Shrinking generalor is anolher varianl of lhe shrinking generalor concepl. The
generalor resls on a singIe LISR inslead of using lvo differenl LISRs as in shrinking
generalors. The procedure of cIocking seIf-shrinking generalors vorks ly firsl cIocking lvo
lils fron lhe LISR, resuIling in a pair of lils ( ). If ( ) equaIs lo lhe vaIue (1, O) or
(1, 1), il is laken lo produce lhe pseudorandon lil O or 1 respecliveIy. If lhe pair equaIs lhe
vaIue (O, O) or (O, 1), lhe pair viII le discarded lecause lhe oulpul viII aIvays le a sequence
of zeros as reporled ly Meier, el aI., (1994).

Lel le lhe oulpul lils of a non-lriviaIIy iniliaIized LISRs of Ienglh 1.
Therefore, is a sequence vilh period . Wilh respecl lo lhe period of , cryplanaIysis
allack in (Meier, el aI., 1994) shoved lhal if lhe period is al Ieasl and lhe Iinear
conpIexily of lhe conslruclion is , allacker can allack lhe conslruclion in sleps.
Anolher allack lased on a prolaliIislic approach vas inlroduced ly MihaIjevic (1996) and
shovs lhal seIf-shrinking generalors can le allacked vilh conpIexily for any oulpul
sequence under cerlain Iinilalion.


3.1.2 Summation Generator
Rainer RueppeI (1986) inlroduced a nev generalor lased on lhe use of LISRs caIIed lhe
Sunnalion Ceneralor. The idea lehind lhis generalor resls on lhe non-Iinearily provided ly
lhe carry-in inleger addilion. RueppeI uses lhis idea lo use lhe oulpul of severaI LISRs
lhrough an adder vilh carry vhich in lurn can provide a conlinalion funclion vilh good
non-Iinearily and high-order correIalion properlies (Rolshav, 1995). RueppeIs sunnalion
generalor is descriled as in Lqualions 5 and 6 (Iark, el aI., 2OO5):

(5)

(6)

vhere is lhe sequence generaled ly lhe firsl LISR, is lhe sequence generaled ly lhe
second LISR vilh lhe carry iniliaIizalion vaIue .

In lerns of lhe securily of RueppIs Sunnalion Ceneralor, lhe correIalion prolaliIily of lhis
generalor shoved lhal lhe generalor is suljecled lo correIalion allacks (CoIic, 1996) since lhe
prolaliIily of inpul-oulpul correIalion is (Iark, el aI., 2OO5). Hovever, severaI researchers
have lried lo inprove lhe securily of lhe sunnalion generalor lo le used in slrean ciphers.
One exanpIe of slrean ciphers using lhe sunnalion generalor is lhe LO slrean cipher
vhich is used in lhe Iueloolh prolocoI (Kilsos, el aI., 2OO3, CaIanis, el aI., 2OO5). LO slrean
cipher consisls of lhree conponenls: payIoad key generalor (iniliaIize), keyslrean generalor
and sunnalion conliner (encoder). Hovever, various cryplanaIysis and slalislicaI allacks
on LO vere presenled in (Lu, el aI., 2OO4), naking LO slrean cipher insecure for
cryplographic appIicalions. Anolher exanpIe lhal appears in lhe Iileralure is a paraIIeIized
slrean cipher presenled in 2OO2 ly Lee and Moon (Lee, el aI., 2OO2). The slrean cipher resls
on lhe inprovenenl nade on sunnalion generalors in (Lee, el aI., 2OOO). Iev years Ialer, an
aIgelraic allack againsl lhe inproved generalor vas presenled in (Han, el aI., 2OO5), naking
lhe paraIIeIized slrean cipher suljecl lo securily vuIneraliIily.

3.1.3 BooIean Function
In nalhenalics, a ooIean funclion is defined as a napping of one or nore linary inpul
varialIes lo one linary oulpul varialIe . IornaIIy, ve vrile lhe napping funclion as in
Lqualion 7:

(7)

vhere is lhe ooIean donain of lhe ooIean funclion , and N is lhe non-negalive
inleger caIIed lhe rank of lhe funclion. One vay of represenling ooIean funclions vilh a
snaII nunler of inpul varialIes is ly a lrulh lalIe as iIIuslraled in TalIe 1.

TalIe 1. Trulh lalIe of lhe ooIean funclion ( , ) = +
)(D)
O O O
O 1 O
1 O 1
1 1 O

Ior Iarger nunlers of inpul varialIes, il is infeasilIe lo Iisl aII lhe possilIe vaIues of lhe
lrulh lalIe. Therefore, ve have lo use a conpacl descriplion such as lhe AIgelraic NornaI
Iorn (ANI) as shovn Lqualion 8 (LkdahI, 2OO3):

(8)

vhere and . Anolher inleresling properly of ooIean funclion
vhich allracl severaI cryplographic appIicalions is lhe laIancing of lhe digils zero and one
in lhe generaled sequence. CeneraIIy, a ooIean funclion is said lo le laIanced if lhe
prolaliIily of lhal funclion lo produce lil O or 1, is for aII inpul varialIes chosen
unifornIy over .

LxanpIes of slrean ciphers lased on lhe conlinalion lelveen LISRs and ooIean funclions
are found in A5/1 (ihan, el aI., 2OOO) and LILI-128 (Davson, el aI., 2OOO) slrean ciphers.
A5/1 vas deveIoped in 1987 and Ialer lecane lhe nosl popuIar slrean cipher in nosl
Luropean counlries and Uniled Slales lo provide over-lhe-air connunicalion privacy in
CSM ceIIuIar leIephone slandard. The cipher is vorking in conjunclion vilh lhree LISRs (L-
A, L-, L-C) vilh irreguIar cIocking. The lhree LISRs vary in lheir Ienglh, in vhich lhe
Ienglhs are 19, 22 and 23 for L-A, L- and L-C respecliveIy. The nain idea of A5/1 is lo nix
lhe cycIed lils generaled ly lhe lhree LISRs vilh respecl lo lhe irreguIarily in lhe cIocking
process. Hovever, A5/1 seens lo le vuIneralIe lo cryplanaIysis allacks as presenled in
(iryukov, el aI., 2OOO) and (arkan, el aI., 2OO3).

LILI-128 is anolher slrean cipher vhich vas inlroduced in 2OOO (Davson, el aI., 2OOO). Il
uses lvo linary LISRs and lvo ooIean funclions lo generale a pseudorandon linary
keyslrean. The lvo funclions are evaIualed on lhe currenl slale dala and lhe feedlack lils
are caIcuIaled. asicaIIy, LILI-128 divides lhe overaII vork inlo lvo sulsyslens, in vhich
lhe firsl sulsyslen generales sone oulpul vaIues and conlroIs lhe cIocking irreguIarIy lo
conlroI lhe olher sulsyslen. NeverlheIess, severaI allacks presenled in (}nsson, el aI., 2OO2)
and (Tsunoo, el aI., 2OO5) nakes LILI-128 insecure.

IinaIIy, lhere are nany olher exanpIes on slrean ciphers using differenl lechniques
(funclions, fiIlers, elc) in conjunclion vilh LISRs lo achieve higher securily. One exanpIe is
lhe slrean cipher SNOW (LkdahI, el aI., 2OO3). SNOW is lased on lhe use of LISR of lhe
Ienglh 16 over an exlension lo a linary fieId of 32, feeding a finile slale nachine. Hovever,
SNOW vas allacked as presenled in (Coppersnilh, el aI., 2OO2), and lherefore invaIidale
SNOW lo le used for secure appIicalions.

3.1.4 NLFSR and FCSR Registers
Non-Linear Ieedlack Shifl Regisler (NLISR) and Ieedlack vilh Carry Shifl Regisler (ICSR)
are lvo olher lypes of shifl regislers used in slrean ciphers. The nain purpose of lhese
regislers is lo eIininale and deslroy lhe Iinearily found in LISRs. The design of NLISR
appIies a non-Iinear funclion in lhe shifl regisler lo ensure lhe non-Iinearily in lhe oulpul
vaIues fron lhe corresponding shifl regisler. NLISRs are used in severaI slrean cipher
designs such as lhe Crain slrean cipher. Crain vas deveIoped in 2OO4 and sulnilled lo

eSTRLAM projecl for evaIualion in 2OO5 (HeII, el aI., 2OO5). Hovever, Crain vas allacked in
2OO6 ly lvo differenl cryplanaIysls as found in (Maxinov, 2OO6) and (Kucuk, 2OO6).
ICSRs are siniIar lo LISR lul differenl in lhe sense lhal lhe eIenenlary addilion in ICSR is
vilh propagalion of carrier inslead of addilion noduIo 2 as in LISR. An exanpIe of ICSR-
lased slrean cipher is lhe nev slrean cipher I-ICSR vhich vas deveIoped recenlIy and
sulnilled for eSTRLAM projecl evaIualion (ArnauIl, el aI., 2OO6). Hovever, I-ICSR vas
allacked ly (}auInes, el aI., 2OO6) due lo lhe veaknesses found in lhe iniliaIizalion
nechanisns as veII as Iack of enlropy of lhe inlernaI slale.

3.1.5 CIock ControI
One vay of inlroducing lhe non-Iinearily in lhe generaled keyslrean is ly having a shifl
regisler cIocked irreguIarIy. In olher vords, lhe keyslrean generalion is conlroIIed ly lhe
varying rale of regisler cIocking. One vay of achieving lhal is ly having lvo or nore shifl
regislers such lhal lhe cIocking of one regisler is dependenl on lhe olher regisler in sone
vays. Iig. 3 shovs an exanpIe of a cIock conlroIIed generalor caIIed lhe AIlering Slep
generalor vhere lhe oulpul of one LISR conlroIs lhe olher LISRs.

Iig. 3. AIlernaling slep generalor

There are various generalors lhal are lased on lhe idea of cIock-conlroIIing in shifl regislers
for cryplographic purposes. Sone of lhese generalors are: Slop-and-Co, Cascades and ASC
Ceneralors.

Slop-and-Co generalor vas firsl inlroduced in 1985 ly elh and Iiper (elh, el aI., 1985).
The idea of lhis generalor is lo Iel a conlroI regisler R-A conlroI lhe slepping of anolher
regisler R-. If lhe oulpul of R-A is 1, lhen R- is cIocked. Olhervise R- is nol cIocked. The
oulpul of R- is lhen XORed vilh lhe oulpul sequence of a lhird regisler R-C. The lhird
regisler R-C has lhe sane cIocking ralio as in R-A. elh and Iiper leIieve lhal lhe slop-and-
go generalor is secure and innune againsl cryplanaIysis allacks. Hovever, lhe generalor
vas suljecled lo efficienl cryplanaIysis allacks found in (Menezes, el aI., 1997) and (CoIic, el
aI., 2OO3).

Cascade generalor is lasicaIIy an exlension of lhe slop-and-go generalor, such lhal il is sliII
reIying on lhe idea lhal LISRs are conlroIIing each olher. There are lvo lypes of cascades
(Rolshav, 1995): The firsl lype aIIovs each regisler lo generale O-sequence and lhe second
lype reslricls lhe Ienglh of each regisler lo a prine Ienglh 1 vilh no feedlack fron any
inlernediale slage of lhe regisler. One exanpIe of lhe cascade slrean ciphers is lhe
Ionaranch slrean cipher vhich is lased on a }unp ConlroIIed Sequence Ceneralor
LISR -
LISR - C
LISR - A
Ou|pu|
C|cc|

(cascade). UnforlunaleIy, Ionaranch vas vuIneralIe lo severaI cryplanaIysis allacks found
in (LngIund, el aI., 2OO7) and (Cid, el aI., 2OO6).
ASC slrean cipher is inspired ly lhe shrinking and seIf-shrinking generalor. Ils nain
purpose vas lo provide irreguIarily for lhe generaled keyslrean lils. UnIike shrinking
generalors, ASC operales on a singIe inpul varialIe inslead of lvo. ASC aIso differs fron
lhe seIf-shrinking generalor in lhal lhe produclion of Q-lils of oulpul sequence requires
approxinale 3Q-lil of inpul, vhiIe in seIf-shrinking, lhe produclion requires 4Q-lil of inpul
sequence (AfzaI, el aI., 2OO6). The slrean cipher DLCIM-128 presenled in (erlain, el aI.,
2OO5) is lased on lhe use of LISRs and ASC decinalion nechanisn. Il is a hardvare-
orienled slrean cipher lhal handIes a secrel key of 8O-lil Ienglh and pulIic iniliaIizalion
veclors of 64-lil. The process of generaling keyslreans resls on lhe non-Iinearily fiIlered
LISR and lhe irreguIar decinalion nechanisn of ASC. Hovever, lhe allack presenled in
(Wu, el aI., 2OO6) shoved lhal DLCIM is suffering fron serious fIavs in lhe iniliaIizalion
slage and lhe keyslrean generalion aIgorilhn slage.

3.2 Software-Oriented Stream Ciphers
In conlrasl lo hardvare-lased slrean ciphers, lhere are various designs of slrean cipher
lased on lils nanipuIalion (sulslilulion, pernulalions, elc.), ooIean funclions and olher
aIlernalive designs. These designs of slrean ciphers are cIassified under soflvare-lased
slrean ciphers in vhich lhey are nol depending on hardvare inpIenenlalions for lheir
securily. This seclion viII inlroduce a variely of slrean cipher designs lhal are associaled lo
differenl calegories. The calegorizalion is lased on lhe nechanisns used in lhe process of
generaling keyslrean sequences used in lhese ciphers.

3.2.1 T-Function
In 2OO3, KIinov and Shanir inlroduced a nev lype of inverlilIe round funclion (knovn as
T-Iunclion) ly nixing sone arilhnelic and ooIean operalions on fuII nachine vords
(KIinov, el aI., 2OO3). The nane T-funclion refers lo lhe lrianguIar dependence lelveen lhe
coIunns of lhe operands. The funclion vorks as a napping funclion fornuIaled as in
Lqualion 9:

(9)

vhere is represenled ly a nalrix and lhere is a dependency lelveen lhe |-lh
coIunn of lhe oulpul vilh lhe firsl k sel of coIunns of lhe inpul. Il vas designed lo generale
pseudorandon vaIues of naxinun Ienglh. The process of generaling is
descriled in (KIinov, el aI., 2OO4) and shovn in Lqualion 1O:

(1O)

vhere referes lo OR operalion and & is used lo delernine a sel of conslanls defined in lhe
Iinear equalion lo hoId aII lhe sequences generaled ly lhe T-funclion. Since T-funclions are
so recenl, onIy fev slrean ciphers appear in lhe Iileralures are lased on lhen. One exanpIe
is lhe slrean cipher TSC-1 proposed ly (Hong, el aI., 2OO5). The proposed cipher is lased on
a singIe cycIe T-funclion. TSC-1 vorks in conjunclion vilh a fiIler funclion and 4 4 S-ox.

In generaI, T-funclion vas suljecled lo severaI allacks such as lhe correIalion allack lased
on lhe Iinear approxinalion of lhe T-funclion. The allack vas successfuIIy appIied on TSC-
128 vilh a conpIexily of knovn keyslrean lils lo dislinguish il fron randon (MuIIer, el
aI., 2OO5). The olher allack presenled in (KnzIi, el aI., 2OO5) descriles a dislinguishing allack
on singIe-vord and nuIli-vord T-funclions lased on lhe devialion found in lhe inleger
differences of conseculive oulpuls vilh a conpIexily of . The inporlance of T-funclion
cones fron lhe efficiency of inpIenenling il fron lolh hardvare and soflvare
perspeclives. Hovever, il seens lhal researchers need lo pul nore efforls on deveIoping and
enhancing lhe securily aspecls of T-funclion.

3.2.2 S-Box
A sulslilulion lox or aIso knovn as S-lox is an inporlanl conponenl of differenl
cryplographic prinilives. S-lox lasicaIIy vorks as a napping of P inpul lils inlo Q oulpul
lils as visuaIized in Iig. 4, resuIling in an S-lox.

Iig. 4. Inpul/oulpul napping using S-ox

The design of S-lox cones in lvo lypes: fixed and dynanic S-lox. Iixed S-loxes resl on pre-
conpuled vaIues caIcuIaled in severaI vays lased on lhe cryplographic conponenl leing
used. Dynanic S-lox are nore inleresling since lhe vaIues in lhe S-lox change during lhe
execulion. One vay of represenling S-loxes is ly inpIenenling lhen as lalIe Iookups of
enlries (LkdahI, 2OO3). Anolher possiliIily of represenling S-lox is ly caIcuIaling lhe S-loxs
enlries ly using a ooIean funclion as shovn in Lqualion 11:

(11)

In lhis calegory of slrean ciphers, ve found fev ciphers vhose designs are lased on S-lox.
Tvo exanpIes are discussed here: MUCI and WAKL slrean ciphers. MUCI slrean cipher
vas inlroduced in 2OO2 as an efficienl slrean cipher in hardvare and soflvare
inpIenenlalions (Walanale, el aI., 2OO2). MUCI uses a secrel key and inlernaI veclor of 128-
lil Ienglh lo generale a randon slring of 64-lil Ienglh for each round. The inlernaI slale of
MUCI consisls of lvo inlernaI slales (slale D and luffer E) updales ly lvo idenlicaI
funclions (caIIed I-funclion). The I-funclion uses lhree nain lechniques: key addilion, non-
S-ox 3
m-lils inpul
n-lils oulpul

Iinear S-lox and MDS (Maxinun Dislance SeparalIe) nalrix for Iinear lransfornalion as
descriled in Iig. 5.

Iig. 5. I-funclion of MUCI

MUCI is nol lroken yel. Hovever a veakness found in lhe Iinear parl of MUCI vas
presenled in (CoIic, 2OO4), proved lhal lhe reaI response of lhe luffer vilhoul lhe feedlack
fron lhe S-lox consisls of linary Iinear recurring sequences vilh Iinear conpIexily and vilh
a very snaII period of 48 cycIes. This lheorelicaI anaIysis shoved lhal ly using lhe veakness
nenlioned alove, il is possilIe lo use Iinear cryplanaIysis lo allack MUCI.

Anolher exanpIe of slrean cipher leIonging lo lhis calegory is lhe WAKL (Word Aulo Key
Lncryplion) slrean cipher invenled ly David }. WheeIer (1993). WAKL has a sinpIe
slruclure and perforns fasl. Il produces 4Q-lil vords lo le XORed vilh pIainlexl lo generale
cipherlexl, or vilh cipherlexl lo generale pIainlexl. The generalion of nev key depends on
lhe cipherlexl produced in lhe previous round. WAKL uses an S-lox of 256 32-lil vaIues
vilh speciaI properly vhere sone lyles are ollained fron a pernulalion of aII possilIe
lyles, and sone olher lyles are generaled randonIy. The S-lox of WAKL is nol vorking
independenlIy fron lhe overaII process of keyslrean generalion, inslead il is vorking as
parl of funclion * vhich uses S-lox in conjunclion vilh olher shifling operalions. Hovever,
WAKL vas suljecled lo a chosen pIainlexl or chosen cipherlexl allack, vhich vas fuIIy
anaIyzed in (Iudovkina, 2OO1). The anaIysis incIudes inpIenenling lvo chosen pIainlexl
allacks on WAKL vilh a conpIexily of and for lhe firsl and second allacks
respecliveIy.

Il seens lhal S-lox is efficienl in providing non-Iinearily vilh efficienl perfornance in lhe
inlernaI slales of lhe keyslrean generalors. Designing a cryplographicaIIy slrong S-lox is
nol easy. Therefore, any nisuse of S-lox in slrean cipher Ieads lo serious securily
vuIneraliIilies.

5 5 5 5 5 5 5 5
MD5 MD5
Buffcr

3.2.3 BIock Cipher
This is anolher approach used in lhe design of slrean ciphers. The lIock cipher is used as a
core of lhe keyslrean generalor of lhe corresponding slrean cipher. The conslruclion of lhe
slrean ciphers lhal leIong lo lhis calegory uses knovn lIock ciphers in lheir keyslrean
generalor such as using ALS in lhe slrean cipher (iryukov, 2OO5). The generaI slruclure of
slrean ciphers lased on lIock cipher is shovn in Iig. 6.

Iig. 6. Slrean cipher lased on lIock cipher schene

Anolher design phiIosophy of slrean ciphers in lhis calegory is lased on lhe Sulslilulion-
Iernulalion Nelvork (SIN) of lIock ciphers inslead of using lhe conponenls of lIock
ciphers as appeared in Hernes8 slrean cipher (Kaiser, 2OO5). The securily of such a design
depends on lhe underIying lIock cipher (conponenl or lechnique) lhal resides al lhe core of
lhe slrean cipher. Up lo lhis day, anong lhe sulnilled slrean ciphers lased on lIock
ciphers, LLX and Sosenanuk are lhe onIy lvo ciphers vhich have noved lo lhe lhird phase
of evaIualion of eSTRLAM projecl.

3.2.5 SimpIe LogicaI and MathematicaI Operations
There are slrean ciphers vhich do nol fil inlo lhe nenlioned calegories alove. Sone of
lhese ciphers are lased on lilvise addilion and lils rolalion operalions as in IheIix, SLAL
and RC4, vhiIe olhers lased on nixing various funclions in conjunclion vilh sone addilion
and rolalion operalions as in Rallil. In lhis calegory ve viII lriefIy descrile IheIix, SLAL
and Rallil slrean ciphers.

x Phc!Ix 5trcam CIphcr
IheIix slrean cipher (Whiling, el aI., 2OO5) is a high speed slrean cipher seIecled for lhe
soflvare and hardvare profiIes of eSTRLAM projecl for perfornance evaIualion. IheIix
supporls an 8-lil lo 256-lil Ienglh key and 128-lil nonce lo generale lhe keyslrean lils vilh
enledded MAC code for aulhenlicalion. The nain operalions of IheIix are: addilion
noduIo , lilvise XOR and rolalion operalions. The slale of IheIix is lroken inlo lvo
groups: five slale vords caIIed ac|itc slales vhich are aIvays parlicipaling in updaling lhe
inlernaI funclion and four slales caIIed c| slale vhich is onIy used in lhe process of
keyslrean generalion.

B.C B.C B.C B.C
CIphcrtcxt

3ODLQWH
|V
K
0
K
1
K
2
K
n

|
s
|
s
|
s

B.C.: Iock Cipher K: Inpul Key IV: IniliaI VaIue N
V
: Keyslrean

Since IheIix provides aulhenlicalion service during lransnission, exlra processing is done lo
produce a 128-lil MAC lag lo le enledded lo lhe nessage. IheIix requires 2O rounds in
order lo produce a singIe lIock. The nain operalions in one lIock of IheIix is onIy Iov-cosl
operalion, in vhich lhey are fasl in soflvare and hardvare inpIenenlalions. Hovever,
IheIix has nol noved lo lhe lhird phase of lhe eSTRLAM projecl evaIualion due lo sone
securily vuIneraliIily. DifferenliaI-Iinear allacks presenled ly Wu and IreneeI (2OO7)
shoved lhal vilh lhe assunplion of reusing lhe nonce, lhe key of IheIix can le recovered
vilh conpIexily chosen pIainlexl vords and operalions. In lhis allack, lhe aulhors
shoved lhal IheIix is an insecure slrean cipher since recovering lhe key ly reusing lhe
nonce (incorrecl use of lhe nonce) is possilIe: In praclice an allacker nay gain access lo a
IheIix encryplion device for a vhiIe, reuse a nonce and recover lhe key. We lhus consider
IheIix as insecure (Wu, el aI., 2OO7).

x RabbIt 5trcam CIphcr
Rallil is anolher design of slrean ciphers lased on ileraling a sel of coupIed non-Iinear
funclions - or as lhe aulhors caIIed lhen discrelized chaolic naps (oesgaard, el aI., 2OO3). Il
uses a 128-lil key and 64-lil iniliaI veclor (IV) as inpul paranelers lo generale a slrean of
128-lil lIocks. The encryplion is perforned ly XORing lhis lIock vilh lhe pIainlexl lIock.
The inner slale of Rallil consisls of 513 lils. The firsl 512 lils represenl 8-slale varialIes
( , ., ) of 32-lil Ienglh each and 8-counler varialIes ( , ., ). The renainder lil is
used as a counler carry lil, E. The inporlanl parl of any slrean cipher is lhe nexl slale
funclion since il is lhe parl lhal oflen needs lo generale a nev keyslrean. In Rallil, lhe nexl
slale funclion is lased on funclion J for napping lvo 32-lil inpuls lo one 32-lil oulpul.
Rallil uses funclion J lo updale lhe inner varialIes slales as shovn in Iig. 7.

Iig. 7. Updaling lhe inner slales of Rallil (oesgaard, el aI., 2OO3)

Il seens lhal Rallil slrean cipher is slrong againsl cryplanaIysis allacks. Il is seIecled
anong fev olher ciphers for furlher evaIualion ly eSTRLAM projecl. Hovever, a snaII lias
in lhe oulpul of Rallil exisls (Aunasson, 2OO7). Lven so, Rallil is sliII considered a secure
slrean cipher since lhe conpIexily of lhe dislinguisher is significanlIy higher lhan lhe lrule-
force allack on lhe key space, .

x 5EAL 5trcam CIphcr
SLAL (Soflvare-oplinized Lncryplion AIgorilhn) is a slrean cipher lhal vas designed lo
vork efficienlIy on soflvare inpIenenlalion (Rogavay, el aI., 1994). SLAL is a Ienglh-
increasing pseudorandon slring napping funclion lhal uses 16O-lil encryplion key lo nap
(slrelch) a 32-lil inpul Ienglh lo an Q-lil oulpul Ienglh. In lhe pre-processing slage, SLAL
uses lhe hash aIgorilhn SHA-1 (NalionaI, 2OO2) as a parl of lhe lalIe-generalion funclion lo
slrelch lhe key inlo a Iarge lalIe. Therefore, parl of SLALs securily depends on lhe securily
of lhe used hash aIgorilhn (SHA-1). In lerns of lhe required conpulalion, SLAL requires
inlensive pre-conpulalion for iniliaIizing severaI Iarge Iook-up lalIes vilh lolaI size
approxinaleIy 3 K in size.

In lerns of securily, SLAL is designed lo generale up lo lyles of oulpul per inpul seed.
An allack in 1997 shoved lhal lhis oulpul can le dislinguished fron randon afler lyles
of oulpul (Coppersnilh, el aI., 2OO2). The allack vas lhe reason lehind lhe nodificalion on
SLAL, resuIling in lhe nodified aIgorilhn SLAL 3.O. In 2OO1, IIuhrer inlroduced an allack
on SLAL 3.O lhal can dislinguish lhe oulpul fron randon afler oulpul lyles (IIuhrer,
2OO1). Il is olvious lhal SLAL needs lo avoid using lhe sane seed afler oulpuls lo avoid
lhese lypes of allacks.

x RC4 5trcam CIphcr
This is yel anolher inporlanl exanpIe of slrean cipher design. The veII knovn slrean
cipher is videIy used in nany securily prolocoIs and soflvare appIicalions such as SSL and
WLI prolocoIs inlegraled inlo Microsofl Windovs, Lolus Noles, AppIe AOCL, OracIe
Secure SQL and nany olher appIicalions. RC4 (Rivesl, 1992) vas deveIoped ly Ron Rivesl
in 1987 and lhe design vas kepl secrel unliI 1994, unliI soneone anonynousIy posled il lo
lhe Cypherpunks naiIing Iisl. The cipher uses a varialIe key-size vilh conpacl code size
and il is suilalIe for lyle-orienled processors. The encryplion process in RC4 is done ly
generaling a keyslrean lo le XORed vilh a slrean of pIainlexl lo produce a slrean of
cipherlexl.

Ceneraling keyslrean in RC4 conprises lvo aIgorilhns: The Key-ScheduIing AIgorilhn
(KSA) and lhe Iseudo-Randon Ceneralion AIgorilhn (IRCA). The KSA aIgorilhn uses a
pernulalion array 6 of aII 256 possilIe lyles. The lvo aIgorilhns cooperale vilh each olher
as foIIovs: lhe KSA derives lhe inlernaI secrel slale fron a varialIe key size lelveen 4O and
256 lils. IRCA in lurn nodifies lhe inlernaI slale and produces an oulpul. The iniliaIizalion
process in IRCA sels L and M lo O, and lhen L is increnenled as a counler and M is
increnenled ly adding lhe vaIue of lhe pernulalion array 6 poinled lo ly L. The lvo vaIues
of 6 poinled lo ly L and M are svapped and lhe oulpul is resuIled ly adding 6|Lj + 6|Mj
noduIo 256 as shovn in Iig. 8.


Iig. 8. IRCA round operalion

SiniIar lo IRCA, KSA iniliaIizes 6 lo lhe idenlily pernulalion and iniliaIizes L and M lo O.
SequenliaIIy, KSA appIies 256 rounds in vhich L slepped across 6 and M is updaled ly
adding 6|Lj lo il and lhe nexl vord of lhe key. Al lhe presenl line, RC4 is nol reconnended
for use in nev appIicalions. SeveraI veaknesses of lhe KSA aIgorilhn of RC4 (IIuhrer, el aI.,
2OO1) can le sunnarized in lvo poinls. Iirsl veakness is lhe exislence of nassive cIasses of
veak keys. These cIasses enalIe lhe allackers lo delernine a Iarge nunler of lils of KSA
oulpul ly using a snaII parl of lhe secrel key. Thus, lhe iniliaI oulpuls of lhe veak keys are
disproporlionaleIy affecled ly a snaII porlion of key lils. The second veakness resls on a
reIaled key vuIneraliIily.

rule Iorce allack on RC4 is possilIe ly inpIenenling exhauslive key-searches on IieId
IrogrannalIe Cale Array (IICAs) using a Nelvork on Chip (NoC) archileclure (Coulure,
el aI., 2OO4). The idea of lhis allack depends on lvo conponenls: Key-Checker Unil and lhe
ConlroIIer. The Ialler is responsilIe for dislriluling lhe key space. Key-Checker Unil is used
lo check each key independenlIy. Therefore, using nore lhan one Checker in a nelvork viII
provide an adjuslalIe IeveI of paraIIeIisn. The researchs resuIls shovs lhal RC4 is quile
vuIneralIe lo lrule-force allack and il is possilIe lo crack RC4 in ninules vilh a very Iarge
IICA of 5OO Checker unils in a nelvork.

Olher kinds of allacks on RC4 have leen presenled recenlIy. ResuIls in (Manlin, 2OO7)
shoved a slalislicaI lias of lhe digraphs dislrilulion of lhe generaled slrean of RC4.
Iurlhernore, a dislinguishing allack vas deveIoped lased on lhe slalislicaI lias found in
lhe oulpul sequences (Tsunoo, el aI., 2OO7). This lias is used aIong vilh lhe firsl lvo vords
of a keyslrean associaled vilh approxienlIy secrel keys.

3.3 Hybrid Designs
In lhis calegory ve discuss olher designs of slrean ciphers lased on a conlinalion of
hardvare devices and soflvare lechniques lo achieve lhe required securily. Mosl of slrean
ciphers in lhis calegory depend on LISRs as lhe nain conponenl in lhe core of lhe slrean
cipher. The soflvare lechniques vary fron using T-funclion as in AC slrean cipher,
dynanic pernulalions as in IoIar ear slrean cipher, and Iook-up lalIes as in ORYX. In lhis
seclion ve viII descrile each slrean cipher nenlioned alove and anaIyze lhe ciphers
slruclures and discuss lheir securily slrenglh.

3.3.1 ABC Stream Cipher
AC is a slrean cipher aIgorilhn deveIoped in 2OO5 (Anashin, el aI., 2OO5) and sulnilled
for eSTRLAM projecl for furlher evaIualion. Il deaIs vilh a 128-lil key and 128-lil IV. AC
5|Oj 5|1j 5|jj 5|ij 5||j
O 1 255 Oulpul i j
+

consisls of 38, 32-lil regislers. The regislers are divided inlo lvo groups: 3 regislers ( , ,
x) are represenling lhe slale of AC, and 35 regislers ( , , c, ,., ) represenl lhe
conslanl paranelers fed lo lhe cipher. In conjunclion vilh lhe LISRs, AC uses lhree nain
funclions denoled ly $, % and & as shovn in Iig. 9.

Iig. 9. Iunclions $, % and & in lhe keyslrean generalor AC (Anashin, el aI., 2OO5)

Iunclion $ is a Iinear lransfornalion over lhe space *)( ), and il is defined ly a
poIynoniaI characlerislic LISR of Ienglh 64. Iunclion % is a T-funclion vilh lhe reslriclions
lhal, for lhe lvo paranelers and , one nusl choose lhese lvo paranelers such lhal
and lo guaranlee lhal funclion % is a singIe cycIe nap.
LaslIy, funclion & is a highIy non-Iinear napping funclion (as lhe aulhors cIained).

In lerns of lhe securily, severaI allacks on AC nake il faiIs noving lo lhe lhird phase of
eSTRLAM projecl. ased on lhe veakness of funclion & as iIIuslraled in (Khazaei, 2OO5), a
correIalion lased divide-and-conquer allack vas alIe lo find 63-lil of lhe slale ly searching
possilIe choices. More specificaIIy, lhe allack on AC has a line conpIexily of lo
find lhe vhoIe iniliaI slale lils, vhich is fasler lhan lrule-force allack.

A fasl correIalion allack on AC vas presenled in (Zhang, el aI., 2OO6). The allack depends
on sone veak keys lo recover lhe inlernaI slale. Idenlifying one veak key and recovering
lhe inlernaI slale of lhal key has Iov conpulalion conpIexily. The allack is nainIy Iooking
for veak keys vhich vere delecled in funclion & for keyslrean generaled fron
randon keys (vhere each keyslrean is vilh 1615 oulpul), lhe keyslrean can le
dislinguished fron randon. Iinding one veak key lased on lhis allack requires 1615
4= lyles, XOR and addilion.

Il is olvious lhal lhe AC slrean cipher vas nol slrong enough againsl cryplanaIysis
allacks. The cipher is considered fasl conpared lo olher soflvare-orienled slrean ciphers.
NeverlheIess, choosing cryplographic prinilives for secure appIicalions requires nore
allenlion on lhe securily side of lhose prinilives. Hence, AC faiIed lo le considered as a

nenler of lhe lhird phase of eSTRLAM projecl due lo lhe exislence of sone securily
vuIneraliIily in ils design.

3.3.2 PoIar Bear Stream Cipher
IoIar ear vas presenled in 2OO5 and sulnilled lo eSTRLAM projecl for evaIualion ly
}ohan Haslad and Mals NasIund as reporled in (Nada, el aI., 2OO5). The cipher uses one 7-
vord LISR ( ) and one 9-vord LISR ( ) of Ienglh 112-lil and 144-lil respecliveIy.
Updaling lhe inlernaI slale depends on lhese lvo LISRs aIong vilh dynanic pernulalion of
lyles, . The cipher deaIs vilh 128-lil key and up lo 32 lyle iniliaI veclor. IoIar ear uses
lhe RijndaeI key scheduIe for ils key scheduIe aIgorilhn. The iniliaIizalion process is
achieved ly laking lhe expanded key and iniliaI veclor, and appIies 5 rounds of RijndaeI
encryplion vilh lIock Ienglh 256. and are lhen Ioaded ly lhe resuIled cipherlexl, and
as veII as RijndaeI S-lox are iniliaIized.

The aulhors of IoIar ear cIained lhal lhe cipher is efficienl and secure due lo lhe
conlinalion of LISRs vilh lhe dynanicaI pernulalion. Hovever, a Cuess-and-Delernine
allack presenled ly Mallsson (Mallsson, 2OO6) and inproved in (Hasanzadeh, el aI., 2OO6),
vas alIe lo recover lhe iniliaI slales of lhe regislers vilh line conpIexily of (ly
Mallsson allack) and vilh line conpIexily of (ly lhe inproved allack). These lvo
allacks shoved lhal lhe IoIar ear slrean cipher is nol secure due lo lhe inappropriale
usage of lhe LISR conlined vilh lhe dynanicaI pernulalions. To counler lhis allack, il vas
suggesled in (Hasanzadeh, el aI., 2OO6) lo iniliaIize lhe dynanic pernulalion vilh an 88
key iniliaI veclor dependenl S-lox, provided lhal lhe pernulalion is randon lo allackers.

3.3.3 ORYX Stream Cipher
ORYX is a slrean cipher aIgorilhn lhal has leen proposed for use in Norlh Anerican
digilaI ceIIuIar syslens. The slruclure of ORYX is very sinpIe, lased on linary LISRs, S-lox
(Iook-up lalIe) and pernulalion. More specificaIIy, ORYX has four conponenls, lhree
LISRs of 32-lil Ienglh ( , , ), and an S-lox conlaining a knovn
pernulalion of lhe vaIues ranging fron O lo 255, denoled ly /. The feedlack funclion for
(poIynoniaI characlerislic) is defined as in Lqualion 12:

(12)

vhiIe lhe feedlack funclions for is defined as in Lqualion 13:

(13)

and finaIIy, is defined as in Lqualion 14 as foIIovs:

(14)

The keyslrean generalion is perforned ly cIocking lhe lhree LISRs aIong vilh sone fixed
pernulalions in order lo ollain lhe high lyles of lhe currenl slale of each LISR using a
conlining funclion as slaled in Lqualion 15:

(15)

ORYX is nol a secure slrean cipher due lo lhe efficienl allack presenled in (Wagner, el aI.,
1998). The allack can direclIy recover lhe fuII 96 lils inlernaI slale using onIy 25-27 lyles of
knovn pIainlexl vilh line conpIexily of . Therefore, lhese resuIls shoved lhal ORYX
provides a very Iov IeveI of securily and nol suilalIe for cryplographic appIicalions.

4. Discussion and ConcIusion
Increasing lhe securily of lhe keyslrean generalor is lhe prinary goaI for researchers vho
inlend lo deveIop nev slrean cipher aIgorilhns. The cIassificalion presenled in lhis chapler
shoved lhal slrean ciphers are nainIy eilher soflvare orienled or hardvare orienled. In
sone cases, lhere are slrean ciphers vhich reIy on a conlinalion of hardvare devices and
soflvare lechniques in lhe design of lheir keyslrean generalors.

Iron lhe securily perspeclive, severaI slrean ciphers (hardvare-orienled and soflvare-
orienled) are found vuIneralIe lo eilher cryplanaIysis allacks, slalislicaI liased or lolh.
CryplanaIysis allacks on slrean ciphers cone in lvo lypes: hardvare-lased allacks and
soflvare-lased allacks. In lolh lypes of allacks, allacker lries lo exlracl usefuI infornalion
fron lhe keyslrean generalor in order lo ollain lhe secrel key or lhe pIainlexl nessage.
SlalislicaI liased such as correIalion lelveen keyslreans, pallerns and randonness are lhe
nain issues found in hardvare-orienled slrean ciphers. On lhe olher hand, lhe underIying
lechniques used in soflvare-orienled slrean ciphers are found vuIneralIe lo cryplanaIysis
allacks, due lo lhe reIalive sinpIicily of lheir conslruclionaI designs.

Revieving lhe conslruclionaI designs of slrean ciphers Ieads us lo lhe facl lhal lhe
keyslrean generalor nusl le conslrucled on soIid lases. These soIid lases can le
represenled ly: Iinearily-eIininalion lechniques, nalhenalicaI hard prolIens, chaolic
lehaviours or olher secure lechniques. The nain goaI of lhese nev lechniques is lo provide
cryplographic appIicalions vilh secure slrean ciphers againsl cryplanaIysis and slalislicaI
allacks.

5. References
AfzaI, M. K., & Masood, A. (2OO6). Conparalive AnaIysis of lhe Slruclures of eSTRLAM
Sulnilled Slrean Ciphers. |n Prcc. Tnc Scccn |n|crna|icna| Ccnfcrcncc cn |mcrging
Tccnnc|cgics (pp. 245-25O). Ieshavar, Iakislan: ILLL-ICLT.
Anashin, V. ., & Kunar, A. (2OO5, ApriI 29). A8C. A Ncu |as| ||cxi||c S|rcam Cipncr.
Relrieved May 2O, 2OO8, fron The eSTRLAM Irojecl: hllp://vvv.ecrypl.eu.org/
slrean/ciphers/alc/alc.pdf
ArnauIl, I. ., & Lauradoux, C. (2OO6, }anuary 2). Upa|c cn |-|CSR S|rcam Cipncr. Relrieved
May 26, 2OO8, fron The eSTRLAM Irojecl: hllp://vvv.ecrypl.eu.org/slrean/
papersdir/2OO6/O25.pdf
Aunasson, }. (2OO7, }anuary 2). On |ias cf Ra||i|. Relrieved May 3O, 2OO8, fron The
eSTRLAM Irojecl: hllp://vvv.ecrypl.eu.org/slrean/papersdir/2OO7/O33.pdf

arkan, L. ., & KeIIer, N. (2OO3). Inslanl Cipherlexl-OnIy CryplanaIysis of CSM Lncrypled
Connunicalion. In Atanccs in Crqp|c|cgq - CRYPTO 2003 (VoI. 2729 of LNCS, pp.
6OO-616). erIin: Springer.
erlain, C. ., & Silerl, H. (2OO5, ApriI 29). D|C|M-128. Relrieved May 26, 2OO8, fron The
eSTRLAM Irojecl:
hllp://vvv.ecrypl.eu.org/slrean/p3ciphers/decin/decin128_ p3.pdf
elh, T., & Iiper, I. (1985). The slop-and-go generalor. |n Prcc. cf |nc |UROCRYPT 84
ucr|sncp cn Atanccs in crqp|c|cgq. |nccrq an app|ica|icn cf crqp|cgrapnic |ccnniqucs
(pp. 88 - 92). Iaris, Irance: Springer-VerIag.
ihan, L., & DunkeInan, O. (2OOO). CryplanaIysis of lhe A5/1 CSM Slrean Cipher. In
Prcgrcss in Crqp|c|cgq |NDOCRYPT 2000 (VoI. 1977, pp. 43-51). erIin: Springer.
iryukov, A. (2OO5, ApriI 29). A ncu 128 |i| |cq s|rcam cipncr . ||X. Relrieved }une 2, 2OO8, fron
The eSTRLAM Irojecl: hllp://vvv.ecrypl.eu.org/slrean/ciphers/Iex/Iex.pdf
iryukov, A. S., & Wagner, D. (2OOO). ReaI Tine CryplanaIysis of A5/1 on a IC. In Prcc. |as|
Scf|uarc |ncrqp|icn, (pp. 1-18). Nev York.
oesgaard, M. V., & Scavenius, O. (2OO3). Rallil: A Nev High-Ierfornance Slrean Cipher.
In |as| Scf|uarc |ncrqp|icn (VoI. 2887 of LNCS, pp. 3O7-329). Springer.
ojanic, S. C., & TaIadriz, O. (2OO4). Slrean Cipher CryplanaIysis ased on Ldil-Dislance: A
Hardvare Approach. Ta|ra M|. Ma|n. Pu| , 17-29.
oIalallin, N. (2OO5, May 13). Rancm Num|cr Gcncra|cr Using |cap-|cruar Tccnniqucs.
Relrieved May 21, 2OO8, fron
hllp://vvv.pIdesignIine.con/shovArlicIe.jhlnI`arlicIeID=1922OO271
Canleaul, A., & IiIioI, L. (2OOO). Cipncr|cx| On|q Rcccns|ruc|icn cf ||SR-|asc S|rcam Cipncrs.
LL CHLSNAY: Unile de recherche INRIA Rocquencourl.
Cid, C. C., & }ohansson, T. (2OO6). CryplanaIysis of Ionaranch. |n Prcc. cf ||| |nfcrma|icn
Sccuri|q, 153, pp. 51-53.
Coppersnilh, D. H., & }ulIa, C. (2OO2). CryplanaIysis of slrean ciphers vilh Iinear nasking.
In Atanccs in Crqp|c|cgq - CRYPTO'02 (VoI. 2442 of LNCS, pp. 515-532). Springer.
Coppersnilh, D. H., & }ulIa, C. (2OO2). Screan: A Soflvare-Lfficienl Slrean Cipher. In |as|
Scf|uarc |ncrqp|icn (VoI. 2365 of LNCS). Springer.
Coulure, N., & Kenl, K. (2OO4). The Lffecliveness of rule Iorce on RC4. |n Prcc. cf |nc Scccn
Annua| Ccnfcrcncc cn Ccmmunica|icn Nc|ucr|s an Scrticcs Rcscarcn (pp. 333-336).
Washinglon, USA : ILLL Conpuler Sociely.
Davson, L. C., & Sinpson, L. (2OOO). The LILI-128 Keyslrean Ceneralor. |n Prcc. cf |irs|
N|SS|| Icr|sncp. HeverIee, eIgiun.
DeIfs, H. (2OO2). |n|rcuc|icn |c Crqp|cgrapnq. Princip|cs an App|ica|icns. Springer.
LkdahI, I. M., & }ohansson, T. (2OO3). Iredicling lhe Shriking Ceneralor vilh Iixed
Conneclions. In L. ihan (Ld.), Atanccs in Crqp|c|cgq - |UROCRYPT2003 (VoI.
2656 of LNCS, pp. 33O-344). Springer.
LkdahI, I. (2OO3). On ||SR 8asc S|rcam Cipncrs. Ana|qsis an Dcsign. Lund, Sveden : Lund
Universily.
LkdahI, I., & }ohansson, T. (2OO3). A Nev Version of lhe Slrean Cipher SNOW. In Sc|cc|c
Arcas in Crqp|cgrapnq (VoI. 2595 of LNCS, pp. 47-61). erIin: Springer.
LngIund, H. H., & }ohansson, T. (2OO7). Tvo CeneraI Allacks on Ionaranch-Like Keyslrean
Ceneralors. In |as| Scf|uarc |ncrqp|icn (VoI. 4593 of LNCS, pp. 274-289). erIin:
Springer.

IIuhrer, S. (2OO1). CryplanaIysis of lhe SLAL 3.O pseudorandon funclion faniIy. In |as|
Scf|uarc |ncrqp|icn (VoI. 2355 of LNCS, pp. 135-143). Springer.
IIuhrer, S. M., & Shanir, A. (2OO1). Weaknesses in lhe Key ScheduIing AIgorilhn of RC4. In
Sc|cc|c Arcas in Crqp|cgrapnq (VoI. 2259 of LNCS, pp. 1-24). erIin: Springer.
Ireier, A. K., & Kocher, I. (1996). Tnc SS| Prc|ccc| Vcrsicn 3.0. Relrieved }anuary 15, 2OO8,
fron hllp://vp.nelscape.con/eng/ssI3/ssI-loc.hlnI.
CaIanis, M. K., & Coulis, C. (2OO5). Conparison of lhe Hardvare InpIenenlalion of Slrean
Ciphers. Tnc |n|crna|icna| Ara| ]curna| cf |nfcrma|icn Tccnnc|cgq , 2 (4), 267-274.
CoIic, D., & Menicocci, R. (2OO3). Ldil prolaliIily correIalion allacks on slop/go cIocked
keyslrean generalors. ]curna| cf crqp|c|cgq , 16 (1), 41-68.
CoIic, }. (2OO4). A Weakness of lhe Linear Iarl of Slrean Cipher MUCI. In |as| Scf|uarc
|ncrqp|icn (VoI. 3O17 of LNCS, pp. 178-192). erIin: Springer.
CoIic, }. (1996). CorreIalion properlies of a generaI conliner vilh nenory. ]curna| cf
Crqp|c|cgq , 111-126.
Han, D., & Lee, M. (2OO5). An aIgelraic allack on lhe inproved sunnalion generalor vilh
2-lil nenory. |nfcrma|icn Prcccssing |c||crs , 93 (1), 43 - 46.
Hasanzadeh, M. S., & Khazaei, S. (2OO6). |mprctc Crqp|ana|qsis cf Pc|ar 8car. Relrieved May
29, 2OO8, fron The eSTRLAM Irojecl:
hllp://vvv.ecrypl.eu.org/slrean/papersdir/O84.pdf
HeII, H. }., & Meier, W. (2OO5, ApriI 29). Grain - A S|rcam Cipncr fcr Ccns|rainc |ntircnmcn|s.
Relrieved May 26, 2OO8, fron The eSTRLAM Irojecl:
hllp://vvv.ecrypl.eu.org/slrean/ciphers/grain/grain.pdf
HeIIeselh, T. }., & KhoIosha, A. (2OO6, }anuary 2). Pcmarancn - Dcsign an Ana|qsis cf a |ami|q
cf S|rcam Cipncrs. Relrieved May 27, 2OO8, fron The eSTRLAM Irojecl:
hllp://vvv.ecrypl.eu.org/slrean/papersdir/2OO6/OO8.pdf
Hong, }. L., & Han, D. (2OO5). A Nev CIass of SingIe CycIe T-Iunclions. In |as| Scf|uarc
|ncrqp|icn (VoI. 3557 of LNCS, pp. 68-82). erIin: Springer.
}auInes, L., & MuIIer, I. (2OO6). CryplanaIysis of lhe I-ICSR Slrean Cipher IaniIy. In
Sc|cc|c Arcas in Crqp|cgrapnq (VoI. 3897 of LNCS, pp. 2O-35). erIin: Springer.
}nsson, I., & }ohansson, T. (2OO2). A fasl correIalion allack on LILI-128. |nfcrma|icn
Prcccssing |c||crs , 81 (3), 127 - 132.
Kaiser, U. (2OO5, ApriI 29). Hcrmcs S|rcam Cipncr. Relrieved May 2O, 2OO8, fron eSTRLAM
IHASL 2: hllp://vvv.ecrypl.eu.org/slrean/ciphers/hernes8/hernes8.pdf
Khazaei, S. (2OO5). Ditic an ccnqucr a||ac| cn A8C s|rcam cipncr. Relrieved May 15, 2OO8, fron
eSTRLAM, LCRYIT Slrean Cipher Irojecl: hllp://vvv.ecrypl.eu.org/slrean
Kilsos, I. N., & KoufopavIou, O. (2OO3). Hardvare InpIenenlalion of Iueloolh Securily.
|||| Pcrtasitc Ccmpu|ing , 2 (1), 21-29.
KIinov, A., & Shanir, A. (2OO3). A Nev CIass of InverlilIe Mappings. In Crqp|cgrapnic
Haruarc an |m|cc Sqs|cms - CH|S 2002 (VoI. 2523 of LNCS, pp. 47O-483).
London, UK: Springer.
KIinov, A., & Shanir, A. (2OO4). Nev Cryplographic Irinilives ased on MuIlivord T-
Iunclions. In |as| Scf|uarc |ncrqp|icn (VoI. 3O17 of LNCS, pp. 1-15). erIin:
Springer.
Kucuk, O. (2OO6, }uIy 16). S|ic Rcsqncnrcniza|icn A||ac| cn |nc |ni|ia|iza|icn cf Grain 1.0.
Relrieved May 25, 2OO8, fron The eSTRLAM Irojecl:
hllp://vvv.ecrypl.eu.org/slrean/papersdir/2OO6/O44.ps

KnzIi, S. }., & Meier, W. (2OO5). Dislinguishing Allacks on T-Iunclions. In Prcgrcss in
Crqp|c|cgq - Mqcrqp| 2005 (VoI. 3715 of LNCS, pp. 2-15). erIin: Springer.
Lee, H., & Moon, S. (2OOO). On an inproved sunnalion generalor vilh 2-lil nenory. Signa|
Prcccssing , 80 (1), 211-217.
Lee, H., & Moon, S. (2OO2). IaraIIeI slrean cipher for secure high-speed connunicalions.
Signa| Prcccssing (82), 259-265.
Lu, Y., & Vaudenay, S. (2OO4). CryplanaIysis of Iueloolh Keyslrean Ceneralor Tvo-LeveI
LO. In Atanccs in Crqp|c|cgq - AS|ACRYPT 2004 (VoI. 3329 of LNCS, pp. 483-499).
erIin: Springer.
Manlin, I. (2OO7). Iredicling and Dislinguishing Allacks on RC4 Keyslrean Ceneralor. In
Atanccs in Crqp|c|cgq (VoI. 3494 of LNCS, pp. 491-5O6). erIin: Springer.
Mallsson, }. (2OO6). A Gucss-an-Dc|crminc A||ac| cn |nc S|rcam Cipncr Pc|ar 8car. Relrieved
May 1O, 2OO8, fron The eSTRLAM Irojecl:
hllp://vvv.ecrypl.eu.org/slrean/papersdir/2OO6/O17.pdf
Maxinov, A. (2OO6). CryplanaIysis of lhe "Crain" faniIy of slrean ciphers. |n Prcc. cf |nc
2006 ACM Sqmpcsium cn |nfcrma|icn, ccmpu|cr an ccmmunica|icns sccuri|q (pp. 283 -
288). Taipei, Taivan: ACM.
Meier, W., & SlaffeIlach, O. (1994). The SeIf-Shrinking Ceneralor. In |urccrqp| 94 (VoI. 95O
of LNCS, pp. 2O5-214). Springer.
Menezes, A. O., & Vanslone, S. (1997). Han|cc| cf App|ic Crqp|cgrapnq . oca Ralon, IL:
CRC Iress.
Misler, S., & Adans, C. (1996). IraclicaI S-ox Design. Icr|sncp cn Sc|cc|c Arcas in
Crqp|cgrapnq (SAC '96) (pp. 61-76). IhiIadeIphia, IennsyIvania: ACM.
MoIIand, H., & HeIIeselh, T. (2OO5). AIinear veakness in lhe KIinov-Shanir T-funclion. |n
Prcc. |n|crna|icna| Sqmpcsium cn |nfcrma|icn Tnccrq, |S|T 2005. (pp. 11O6 - 111O ).
AdeIaide, AuslraIia: ILLL.
MoIIin, R. A. (2OO7). An |n|rcuc|icn |c Crqp|cgrapnq (2nd Ldilion ed.). (K. H. Rosen, Ld.)
oca Ralon: Chapnan & HaII/CRC.
MuIIer, I., & Ieyrin, T. (2OO5). Linear CryplanaIysis of lhe TSC IaniIy of Slrean Ciphers. In
Atanccs in Crqp|c|cgq - AS|ACRYPT 2005 (VoI. 3788 of LNCS, pp. 373-394). erIin:
Springer.
Nada, }., & NasIund, M. (2OO5). Tnc S|rcam Cipncr Pc|ar 8car. Relrieved May 1O, 2OO8, fron
The eSTRLAM Irojecl:
hllp://vvv.ecrypl.eu.org/slrean/ciphers/poIarlear/poIarlear.pdf
NalionaI, S. A. (2OO2). Anncuncing |nc Sccurc Hasn S|anar. IederaI Infornalion Irocessing
Slandards IulIicalions 18O-2.
Iark, M., & Iark, D. (2OO5). A Nev Slrean Cipher Using Tvo NonIinear Iunclions. In
Ccmpu|a|icna| Scicncc an ||s App|ica|icns - |CCSA 2005 (VoI. 3481 of LNCS, pp. 235-
244). erIin: Springer.
Iudovkina, M. (2OO1). Ana|qsis cf cncscn p|ain|cx| a||ac|s cn |nc IAK| S|rcam Cipncr.
Relrieved May 29, 2OO8, fron eprinl: hllp://eprinl.iacr.org/2OO1/O65.pdf
Rivesl, R. (1992). Tnc RC4 |ncrqp|icn A|gcri|nm. RSA Dala Securily Inc.: Docunenl No. OO3-
O13OO5-1OO-OOOOOO.
Rolshav, M. (1995). S|rcam Cipncrs. CA: RSA Laloralories.
Rogavay, I., & Coppersnilh, D. (1994). A soflvare-oplinized encryplion aIgorilhn. In |as|
Scf|uarc |ncrqp|icn (VoI. 8O9 of LNCS, pp. 56-63). Springer.

SlaIIing, W. (2OO3). Crqp|cgrapnq an nc|ucr| sccuri|q. princip|cs an prac|icc (3rd ed.). Nev
}ersey: Irenlice HaII.
Tsunoo, Y. K., & Suzaki, T. (2OO7). A Dislinguishing Allack on a Iasl Soflvare-InpIenenled
RC4-Like Slrean Cipher. |||| Trans. cn |nfcrma|icn Tnccrq. 53, pp. 325O-3255. ILLL
Conpuler Sociely.
Tsunoo, Y. S., & Minenalsu, K. (2OO5). Shorler il Sequence Is Lnough lo reak Slrean
Cipher LILI-128. |||| Trans. cn |nfcrma|icn Tnccrq. 51 (12), pp. 4312-4319. ILLL
Conpuler Sociely.
Wagner, D. S., & Schneier, . (1998). CryplanaIysis of ORYX. In Sc|cc|c Arcas in
Crqp|cgrapnq (VoI. 1556 of LNCS, pp. 296-3O5). Springer.
Walanale, D. I., & IreneeI, . (2OO2). A Nev Keyslrean Ceneralor MUCI. In |as| Scf|uarc
|ncrqp|icn (VoI. 2365 of LNCS, pp. 179-194). erIin: Springer.
Weisslein, L. W. (2OO8). Gram-Scnmi| Or|ncncrma|iza|icn. Relrieved }uIy 2O, 2OO8, fron
MalhWorId--A WoIfran Wel Resource: hllp://nalhvorId.voIfran.con/Cran-
SchnidlOrlhonornaIizalion.hlnI
WheeIer, D. (1993). A uIk Dala Lncriplion AIgorilhn. In |as| Scf|uarc |ncrqp|icn, Cam|rigc
Sccuri|q Icr|sncp (VoI. 8O9 of LNCS, pp. 127 - 134). London, UK: Springer.
Whiling, D. S., & MuIIer, I. (2OO5, ApriI 29). Pnc|ix. |as| |ncrqp|icn an Au|ncn|ica|icn in a
Sing|c Crqp|cgrapnic Primi|itc. Relrieved May 12, 2OO8, fron The eSTRLAM Irojecl:
hllp://vvv.ecrypl.eu.org/slrean/ciphers/pheIix/pheIix.pdf
Wu, H., & IreneeI, . (2OO7). DifferenliaI-Linear Allacks Againsl lhe Slrean Cipher IheIix.
In |as| Scf|uarc |ncrqp|icn (VoI. 4593 of LNCS, pp. 87-1OO). erIin: Springer.
Wu, H., & IreneeI, I. (2OO6). CryplanaIysis of lhe Slrean Cipher DLCIM. In |as| Scf|uarc
|ncrqp|icn (VoI. 4O47 of LNCS, pp. 3O-4O). erIin: Springer.
Zenner, L. (2OO4). Crqp|ana|qsis cf ||SR-|asc Pscucrancm Gcncra|crs - a Surtcq. Reihe
Infornalik.
Zhang, H. L., & Wang, X. (2OO6). |as| Ccrrc|a|icn A||ac| cn S|rcam Cipncr A8C t3. Relrieved
May 18, 2OO8, fron hllp://vvv.ecrypl.eu.org/slrean/papersdir/2OO6/O49.pdf


InTech-New Classification of Existing Stream Ciphers

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

InTech-New Classification of Existing Stream Ciphers

Hochgeladen von

Copyright:

Verfügbare Formate

New Classication of Existing Stream Ciphers 219

Das könnte Ihnen auch gefallen