Distinguishing Attacks on the Stream Cipher Py

The stream cipher Py, which was designed by Biham and Seberry, is a submission for ECRYPT stream cipher competition. The cipher which is based on two large arrays (one is 256 bytes and the other is 1040 bytes) is specifically designed for high speed software applications (Py is more than 2.5 times faster than the RC4 on Pentium III). The paper, for the first time, detects a weakness in the mechanism of the stream cipher Py. We find a statistical bias in the distribution of the output-words at the 1st and the 3rd rounds of the cipher (more generally at the rounds t and t+2 where t > 0). Using this bias, a distinguisher is constructed that works effectively with 2 randomly chosen key/IV’s. Essentially, for each of 2 randomly chosen key/IV’s, the attacker collects only a pair of bits from the outputs at the 1st and the 3rd rounds to establish the distinguisher. The first implication of the results is that it nullifies the claim of the designers of the cipher, that no distinguishing attacks on the cipher are possible with running time less than the exhaustive search (note that the recommended key-length of Py is 256 bits). Secondly, the fact that the bias is found within the outputs generated in the first three rounds (i.e., a segment of 24 bytes) shows that, for Py, the recommended stream length of 2 bytes is also not secure. These results constitute an academic break of the cipher. We have also detected several biases among many pairs of bits and designed distinguishers from them (with the numbers of key/IV’s 2, 2 etc.) however, they are less effective than the one described above. ? This work was supported in part by the Concerted Research Action (GOA) Mefisto 2000/06 and Ambiorix 2005/11 of the Flemish Government and in part by the European Commission through the IST Programme under Contract IST-2002-507932 ECRYPT.