On the Sosemanuk Related Key-IV Sets

Sosemanuk is a software-based stream cipher that has passed all three stages of the ECRYPT stream cipher project and is currently a member of the eSTREAM software portfolio. In the recent works on cryptanalysis of Sosemanuk, its relatively small inner state size of 384 bits was identified to be one of the reasons that the attacks were possible. In this paper, we show that another consequence of the small inner state size of Sosemanuk is the existence of several classes of (K, IV ), (K′, IV ′) pairs that yield correlated keystreams. In particular, we provide a distinguisher which requires less than 2 kilobytes of data and an inner state recovery algorithm that works for two sets of key-IV pairs of expected size ≈ 2 each. In addition, a distinguisher requiring 2 keystream words is provided for another set of pairs of Sosemanuk instances. The expected number of such key-IV pairs is 2. Although the security of Sosemanuk is not practically threatened, the found features add to understanding of the security of the cipher and also provide the basis for an elegant attack in the fault analysis model.