A Review of Py (Roo) Stream Cipher and its Variants

ABSTRAC

New Weaknesses in the Keystream Generation Algorithms of the Stream Ciphers TPy and Py

The stream ciphers Py, Py6 designed by Biham and Seberry were promising candidates in the ECRYPT-eSTREAM project because of their impressive speed. Since their publication in April 2005, a number of cryptanalytic weaknesses of the ciphers have been discovered. As a result, a strengthened version Pypy was developed to repair these weaknesses; it was included in the category of 'Focus ciphers' of the Phase II of the eSTREAM competition. However, even the new cipher Pypy was not free from flaws, resulting in a second redesign. This led to the generation of three new ciphers TPypy, TPy and TPy6. The designers claimed that TPy would be secure with a key size up to 256 bytes, i.e., 2048 bits. In February 2007, Sekar et al. published an attack on TPy with 2281 data and comparable time. This paper shows how to build a distinguisher with 2275 key/IVs and one outputword per each key (i.e., the distinguisher can be constructed within the design specifications); it uses a different set of weak states of the TPy. Our results show that distinguishing attacks with complexity lower than the brute force exist if the key size of TPy is longer than 275 bits. Furthermore, we discover a large number of similar bias-producing states of TPy and provide a general framework to compute them. The attacks on TPy are also shown to be effective on Py. © Springer-Verlag Berlin Heidelberg 2007.status: publishe

New Weaknesses in the Keystream Generation Algorithms of the Stream Ciphers TPy and Py

The stream ciphers Py, Py6 designed by Biham and Seberry were promising candidates in the ECRYPT-eSTREAM project because of their impressive speed. Since their publication in April 2005, a number of cryptanalytic weaknesses of the ciphers have been discovered. As a result, a strengthened version Pypy was developed to repair these weaknesses; it was included in the category of ‘Focus ciphers ’ of the Phase II of the eSTREAM competition. However, even the new cipher Pypy was not free from flaws, resulting in a second redesign. This led to the generation of three new ciphers TPypy, TPy and TPy6. The designers claimed that TPy would be secure with a key size up to 256 bytes, i.e., 2048 bits. In February 2007, Sekar et al. published an attack on TPy with 2 281 data and comparable time. This paper shows how to build a distinguisher with 2 268.6 key/IVs and one outputword for each key (i.e., the distinguisher can be constructed within the design specifications); it uses a different set of weak states of the TPy. Our results show that distinguishing attacks with complexity lower than the brute force exist if the key size of TPy is longer than 268 bits. Therefore, for longer keys, our attack constitutes an academic break of the cipher. Furthermore, we discover a large number of similar bias-producing states of TPy and provide a general framework to compute them. The attacks on TPy are also shown to be effective on Py

New Attacks on the Stream Cipher TPy6 and Design of New Ciphers the TPy6-A and the TPy6-B

The stream ciphers Py, Pypy and Py6 were designed by Biham and Seberry for the ECRYPT-eSTREAM project in 2005. The ciphers were promoted to the 'Focus' ciphers of the Phase II of the eSTREAM project. However, due to some cryptanalytic results, strengthened versions of the ciphers, namely, the TPy, the TPypy and the TPy6 were built. In this paper, we find hitherto unknown weaknesses in the keystream generation algorithms of the Py6 and its stronger variant the TPy6. Exploiting these weaknesses, a large number of distinguishing attacks are mounted on the ciphers, the best of which works with 2 224.6 data and comparable time. In the second part, we present two new ciphers derived from the TPy6, namely, the TPy6-A and the TPy6-B, whose performances are 2.65 cycles/byte and 4.4 cycles/byte on Pentium III. As a result, to the best of our knowledge, on Pentium platforms the TPy6-A becomes the fastest stream cipher in the literature. Based on our security analysis, we conjecture that no attacks lower than the brute force are possible on the ciphers TPy6-A and TPy6-B. © 2008 Springer-Verlag Berlin Heidelberg.status: publishe