Advances in Cryptology — ASIACRYPT 2000

Volume 1976 of the series Lecture Notes in Computer Science pp 1-13


Cryptanalytic Time/Memory/Data Tradeoffs for Stream Ciphers

  • Alex BiryukovAffiliated withComputer Science Department, The Weizmann Institute
  • , Adi ShamirAffiliated withComputer Science Department, The Weizmann Institute


In 1980 Hellman introduced a general technique for breaking arbitrary block ciphers with N possible keys in time T and memory M related by the tradeoff curve TM2 = N2 for 1 ≤ T ≤ N. Recently, Babbage and Golic pointed out that a different TM = N tradeoff attack for 1 ≤ T ≤ D is applicable to stream ciphers, where D is the amount of output data available to the attacker. In this paper we show that a combination of the two approaches has an improved time/memory/data tradeoff for stream ciphers of the form TM 2 D 2 = N 2 for any D 2TN. In addition, we show that stream ciphers with low sampling resistance have tradeoff attacks with fewer table lookups and a wider choice of parameters.


Cryptanalysis stream ciphers time/memory tradeoff attacks