Paper 2002/020

Cryptanalysis of stream ciphers with linear masking

Don Coppersmith, Shai Halevi, and Charanjit Jutla


We describe a cryptanalytical technique for distinguishing some stream ciphers from a truly random process. Roughly, the ciphers to which this method applies consist of a ``non-linear process'' (say, akin to a round function in block ciphers), and a ``linear process'' such as an LFSR (or even fixed tables). The output of the cipher can be the linear sum of both processes. To attack such ciphers, we look for any property of the ``non-linear process'' that can be distinguished from random. In addition, we look for a linear combination of the linear process that vanishes. We then consider the same linear combination applied to the cipher's output, and try to find traces of the distinguishing property. In this report we analyze two specific ``distinguishing properties''. One is a linear approximation of the non-linear process, which we demonstrate on the stream cipher SNOW. This attack needs roughly $2^{95}$ words of output, with work-load of about $2^{100}$. The other is a ``low-diffusion'' attack, that we apply to the cipher Scream-0. The latter attack needs only about $2^{43}$ bytes of output, using roughly $2^{50}$ space and $2^{80}$ time.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. extended abstract appears in Crypto'02
Hypothesis testingLinear cryptanalysisLinear maskingLow-Diffusion attacksStream ciphers
Contact author(s)
shaih @ watson ibm com
2002-06-05: last of 2 revisions
2002-02-16: received
See all versions
Short URL
Creative Commons Attribution


      author = {Don Coppersmith and Shai Halevi and Charanjit Jutla},
      title = {Cryptanalysis of stream ciphers with linear masking},
      howpublished = {Cryptology ePrint Archive, Paper 2002/020},
      year = {2002},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.