Linear Cryptanalysis of the TSC Family of Stream Ciphers

In this paper, we introduce a new cryptanalysis method for stream ciphers based on T-functions and apply it to the TSC family which was proposed by Hong et al.. Our attack are based on linear approximations of the algorithms (in particular of the T-function). Hence, it is related to correlation attack, a popular technique to break stream ciphers with a linear update, like those using LFSR’s. We show a key-recovery attack for the two algorithms proposed at FSE 2005 : TSC-1 in 2 computation steps, and TSC-2 in 2 steps. The first attack has been implemented and takes about 4 minutes to recover the whole key on an average PC. Another algorithm in the family, called TSC-3, was proposed at the ECRYPT call for stream ciphers. Despite some differences with its predecessors, it can be broken by similar techniques. Our attack has complexity of 2 known keystream bits to distinguish it from random, and about 2 steps of computation to recover the full secret key. An extended version of this paper can be found on the ECRYPT website [23].