Abstract. Filiol and Fontaine recently proposed a family of stream ciphers named COS. COS is based on nonlinear feedback shift registers and was claimed to be highly secure. Babbage showed that COS (2, 128) Mode II is extremely weak. But Babbage’s attack is very expensive to break the COS (2, 128) Mode I (the complexity is around 2 52). In this paper, we show that the COS (2, 128) Mode I is very weak. Secret information could be recovered easily with about 2 16-bit known plaintext. 

Feng Bao