Paper 2007/075

Weaknesses in the Pseudorandom Bit Generation Algorithms of the Stream Ciphers TPypy and TPy

Gautham Sekar, Souradyuti Paul, and Bart Preneel

Abstract

The stream ciphers Py and Py6 were designed by Biham and Seberry for the ECRYPT-eSTREAM project in 2005. However, due to several recent cryptanalytic attacks on them, a strengthened version Pypy was proposed to rule out those attacks. The ciphers have been promoted to the 'Focus' ciphers of Phase II of the eSTREAM project. The impressive speed of the ciphers makes them the forerunners in the competition. Unfortunately, even the new cipher Pypy was found to retain weaknesses, forcing the designers to again go for modifications. As a result, three new ciphers TPypy, TPy and TPy6 were built. Among all the members of the Py-family of ciphers, TPypy is conjectured to be the strongest. So far, there is no known attack on TPypy. This paper shows that the security of TPypy does not grow exponentially with the key size. The main achievement of the paper is the detection of input-output correlations of TPypy that allow us to build a distinguisher with $2^{281}$ randomly chosen key/IVs and as many output words (each key generating one output word). The cipher TPypy was claimed by the designers to be secure with key sizes up to 256 bytes, i.e., 2048 bits. Our results establish that TPypy fails to provide adequate security if the key size is longer than 35 bytes, i.e., 280 bits. Note that the distinguisher is built within the design specifications of the cipher. Because of remarkable similarities between TPypy and TPy, our attacks are shown to be effective for TPy also. The paper also points out how the other members of the Py-family (i.e., TPy6, Py6, Pypy and Py6) are also weak against the current and some existing attacks.

Note: Please note that the attacks described in this paper only apply to TPypy, TPy, Pypy and Py; they do not apply to Py6 and TPy6.

Metadata
Available format(s)
PDF PS
Publication info
Published elsewhere. Unknown where it was published
Keywords
Stream Cipher, PRBG, Distinguishing Attack
Contact author(s)
Gautham Sekar @ esat kuleuven be
History
2008-11-29: last of 6 revisions
2007-02-28: received
See all versions
Short URL
https://ia.cr/2007/075
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2007/075,
      author = {Gautham Sekar and Souradyuti Paul and Bart Preneel},
      title = {Weaknesses in the Pseudorandom Bit Generation Algorithms of the Stream Ciphers TPypy and TPy},
      howpublished = {Cryptology ePrint Archive, Paper 2007/075},
      year = {2007},
      note = {\url{https://eprint.iacr.org/2007/075}},
      url = {https://eprint.iacr.org/2007/075}
}