Spritz---a spongy RC4-like stream cipher and hash function.

This paper reconsiders the design of the stream cipher RC4, and proposes an improved variant, which we call ``Spritz\u27\u27 (since the output comes in fine drops rather than big blocks.) Our work leverages the considerable cryptanalytic work done on the original RC4 and its proposed variants. It also uses simulations extensively to search for biases and to guide the selection of intermediate expressions. We estimate that Spritz can produce output with about 24 cycles/byte of computation. Furthermore, our statistical tests suggest that about $2^{81}$ bytes of output are needed before one can reasonably distinguish Spritz output from random output; this is a marked improvement over RC4. [Footnote: However, see Appendix F for references to more recent work that suggest that our estimates of the work required to break Spritz may be optimistic.] In addition, we formulate Spritz as a ``sponge (or sponge-like) function,\u27\u27 (see Bertoni et al.), which can ``Absorb\u27\u27 new data at any time, and from which one can ``Squeeze\u27\u27 pseudorandom output sequences of arbitrary length. Spritz can thus be easily adapted for use as a cryptographic hash function, an encryption algorithm, or a message-authentication code generator. (However, in hash-function mode, Spritz is rather slow.

Tabu Cryptanalysis of VMPC Stream Cipher

In the era of global informatization, transmitting and storing information in digital form it is very important to ensure an adequate level of security of ciphers used. Cryptanalysis deals with studying the level of security, thus exposing the weakness of theoretical and implemented cryptographic solutions. In this paper cryptanalysis of stream cipher VMPC using Tabu Search is shown. From estimates made on a full version of VMPC cipher we concluded that about 2157 possibilities needs to be checked in order to find the proper one, which would be the best attack known so far

Tabu search against permutation based stream ciphers

Encryption is one of the most effective methods of securing data confidentiality, whether stored on hard drives or transferred (e.g. by e-mail or phone call). In this paper a new state recovery attack with tabu search is introduced. Based on research and theoretical approximation it is shown that the internal state can be recovered after checking 252 internal states for RC4 and 2180 for VMPC

Tabu search against permutation based stream ciphers

Encryption is one of the most effective methods of securing data confidentiality, whether stored on hard drives or transferred (e.g. by e-mail or phone call). In this paper a new state recovery attack with tabu search is introduced. Based on research and theoretical approximation it is shown that the internal state can be recovered after checking 2^52 internal states for RC4 and 2^180 for VMPC

State recovery of RC4 and Spritz Revisited

We provide an improved complexity analysis of backtracking-based state recovery attacks on RC4 and Spritz. Comparing new estimates with known results on Spritz, our analysis shows a significantly lower complexity estimate for simple state recovery attack as well as special state recovery attack. We validated the estimates by performing experiments for selected feasible parameters. We also propose a prefix check optimization for simple state recovery attack on Spritz. We believe that the simple state recovery attack with this optimization and so-called ``change order\u27\u27 optimization inspired by Knudsen et al. attack on RC4 constitutes currently the best state recovery attack on Spritz (when no special state is observed)

Determining Biases in the Card-Chameleon Cryptosystem

Throughout history, spies, soldiers, and others have relied on so-called {\em hand ciphers} to send encrypted messages. Since the creation of Pontifex (also known as Solitaire) by Bruce Schneier in 1999, a number of hand ciphers utilizing a standard deck of playing cards have emerged. Since there are $52! \approx 2^{225.58}$ possible ways to order a deck of cards, there are over 225 bits of entropy in a well-shuffled deck of cards. Theoretically, this can provide enough security to rival modern computer-based cryptosystems. In this paper, we describe and analyze one such playing card cipher, Card-Chameleon, created by Matthew McKague. Our analysis reveals new weaknesses in this cryptosystem, particularly the tendency for a letter to encrypt to itself. This bias makes it easy to recover the plaintext if it is encrypted into multiple different ciphertexts. We will describe variations of Card-Chameleon which significantly reduced these weaknesses but did not completely eliminate them

Revisiting RC4 Key Collision: Faster Search Algorithm and New 22-byte Colliding Key Pairs

If two different secret keys of a stream cipher yield the same internal state after the key scheduling algorithm (KSA) and hence generates the same sequence of keystream bits, they are called a colliding key pair. The number of possible internal states of RC4 stream cipher is very large (approximately $2^{1700}$), which makes finding key collision hard for practical key length (i.e., less than 30 bytes). Matsui [FSE 2009] for the first time reported a 24-byte colliding key pair and one 20-byte near-colliding key pair (i.e., for which the state arrays after the KSA differ in at most two positions) for RC4. Subsequently, Chen and Miyaji [ISC 2011] claimed to design a more efficient search algorithm using Matsui\u27s collision pattern and reported a 22-byte colliding key pair which remains the only shortest known colliding key pair so far. In this paper, we show some limitations of both the above approaches and propose a faster collision search algorithm that overcomes these limitations. Using our algorithm, we are able to find three additional 22-byte colliding key pairs that are different from the one reported by Chen and Miyaji [ISC 2011]. We additionally give 12 new 20-byte near-colliding key pairs different from Matsui\u27s [FSE 2009]. These results are significant, considering the argument by the experts [Biham and Dunkelman, 2007] that for shorter keys there might be no instances of collision at all