Distinguishing Attacks on Stream Ciphers Based on Arrays of Pseudo-random Words

In numerous modern stream ciphers, the internal state consists of a large array of pseudo-random words, and the output key-stream is a relatively simple function of the state. In [16], it was heuristically shown that in various cases this structure may lead to distinguishing attacks on the cipher. In this paper we further investigate this structural attack. We present a rigorous proof of the main probabilistic claim used in the attack in the basic cases, and demonstrate by examining a concrete example (the cipher sn3 [11]) that the heuristic assumptions of the attack are remarkably precise in more complicated cases. Furthermore, we use the general technique to devise a distinguishing attack on the stream cipher mv3 [9] requiring 282 words of key-stream. Unlike the attacks in [16], our attack does not concentrate on the least significant bits of the words, thus allowing to handle the combination of more operations (xors, modular additions and multiplications, and rotations by a fixed number of bits) in the update and output rules of the cipher. ∗This is the full version of a paper submitted for publication in a journal, which contains only Sections 1, 2, and 3. The material in Section 4 concerns an attack on the mv3 stream cipher. After writing up a description of our results, we learned that essentially identical arguments – but with important miscalculations – had simultaneously been published in [15]. For the sake of completeness we include an appendix reconciling the two attacks. See footnote 2 for similar comments on the sn3 stream cipher. †This author is supported by the Adams Fellowship Program of the Israel Academy of Sciences and Humanities. ‡Partially supported by NSF grant DMS-0601009.