BEAN is a recent stream cipher proposal that uses Feedback with Carry Shift Registers (FCSRs) and an output function. There is a sound motivation behind the use of FCSRs in BEAN as they provide several cryptographically interesting properties. In this paper, we show that the output function is not optimal. We give an eﬃcient distinguisher and a key recovery attack that is slightly better than brute force, requiring no signiﬁcant memory. We then show how this attack can be made better with access to more keystream. Already with access to 6 KiB, the 80-bit key is recovered in time 2^73
To submit an update or takedown request for this paper, please submit an Update/Correction/Removal Request.