## Cryptology ePrint Archive: Report 2007/075

Weaknesses in the Pseudorandom Bit Generation Algorithms of the Stream Ciphers TPypy and TPy

Gautham Sekar and Souradyuti Paul and Bart Preneel

Abstract: The stream ciphers Py, Py6 were designed by Biham and Seberry for the ECRYPT-eSTREAM project in 2005. However, due to several recent cryptanalytic attacks on them, a strengthened version Pypy was proposed to rule out those attacks. The ciphers have been promoted to the `Focus' ciphers of the Phase II of the eSTREAM project. The impressive speed of the ciphers make them the forerunners in the competition. Unfortunately, even the new cipher Pypy was found to retain weaknesses, forcing the designers to again go for modifications. As a result, three new ciphers TPypy, TPy and TPy6 were built. Among all the members of the Py-family of ciphers, the TPypy is conjectured to be the strongest. So far, there is no known attack on the TPypy. This paper shows that the security of TPypy does not grow exponentially with the key-size. The main achievement of the paper is the detection of input-output correlations of TPypy that allow us to build a distinguisher with $2^{281}$ randomly chosen key/IVs and as many outputwords (each key generating one outputword). The cipher TPypy was claimed by the designers to be secure with keysize up to 256 bytes, i.e., 2048 bits. Our results establish that the TPypy fails to provide adequate security if the keysize is longer than 35 bytes, i.e., 280 bits. Note that the distinguisher is built within the design specifications of the cipher. Because of remarkable similarities between the TPypy and the TPy, our attacks are shown to be effective for TPy also. The paper also points out how the other members of the Py-family (i.e., TPy6, Py6, Pypy and Py6) are also weak against the current and some existing attacks.

Category / Keywords: Stream Cipher, PRBG, Distinguishing Attack

Date: received 25 Feb 2007, last revised 29 Nov 2008

Contact author: Gautham Sekar at esat kuleuven be

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

Note: Please note that the attacks described in this paper only apply to TPypy, TPy, Pypy and Py; they do not apply to Py6 and TPy6.

Short URL: ia.cr/2007/075

[ Cryptology ePrint archive ]