How to Break Py and Pypy by a Chosen-IV Attack

Biham and Seberry have submitted the stream cipher Py and Pypy to the ECRYPT stream cipher project (eSTREAM). A key recovery attack against Py and Pypy was proposed by Wu and Preneel. In their attack, (IV sizeb − 9) bytes of the key can be recovered with (IV sizeb − 4) × 2 chosen IVs, where IV sizeb indicates the size of the IV in bytes. For a 128-bit key and a 128-bit IV, which are recommended parameters for security, the effective length of the key is reduced to 72 bits with approximately 2 chosen IVs. In this paper, we propose a key recovery attack that has two new effective processes as compared to those of Wu and Preneel. In our attack, (IV sizeb − 6) bytes of the key can be recovered with (IV sizeb− 4)× 2 chosen IVs. For a 128-bit key and a 128-bit IV, the effective length of the key is reduced to 48 bits with approximately 2 chosen IVs. Thus, our attack can recover the 128-bit key with a time complexity of 2.