Chosen-Ciphertext Attacks Against MOSQUITO

  • Antoine Joux
  • Frédéric Muller
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4047)


Self-Synchronizing Stream Ciphers (SSSC) are a particular class of symmetric encryption algorithms, such that the resynchronization is automatic, in case of error during the transmission of the ciphertext.

In this paper, we extend the scope of chosen-ciphertext attacks against SSSC. Previous work in this area include the cryptanalysis of dedicated constructions, like KNOT, HBB or SSS. We go further to break the last standing dedicated design of SSSC, i.e. the ECRYPT proposal MOSQUITO. Our attack costs about 270 computation steps, while a 96-bit security level was expected. It also applies to ΓΥ (an ancestor of MOSQUITO) therefore the only secure remaining SSSC are block-cipher-based constructions.


Block Cipher Stream Cipher Linear Feedback Shift Register Choose Ciphertext Attack Choose Plaintext Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Alkassar, A., Geraldy, A., Pfitzmann, B., Sadeghi, A.-R.: Optimized Self- Synchronizing Mode of Operation. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 78–91. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  2. 2.
    Arnault, F., Berger, T.: A new class of stream ciphers combining LFSR and FCSR architectures. In: Menezes, A., Sarkar, P. (eds.) INDOCRYPT 2002. LNCS, vol. 2551, pp. 22–33. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  3. 3.
    Babbage, S.: Stream Ciphers: What Does the Industry Want. In: State of the Art of Stream Ciphers workshop, SASC 2004 (2004)Google Scholar
  4. 4.
    Daemen, J.: Cipher and Hash Function Design. Strategies based on Linear and Differential Cryptanalysis. PhD thesis, ch. 9, Katholieke Universiteit Leuven (March 1995)Google Scholar
  5. 5.
    Daemen, J., Govaerts, R., Vandewalle, J.: A Practical Approach to the Design of High Speed Self-Synchronizing Stream Ciphers. In: Singapore ICCS/ISITA 1992, pp. 279–283. IEEE, Los Alamitos (1992)Google Scholar
  6. 6.
    Daemen, J., Kitsos, P.: Submission to ECRYPT call for stream ciphers: the self-synchronizing stream cipher Mosquito. eSTREAM, ECRYPT Stream Cipher Project, Report 2005/018 (2005),
  7. 7.
    Daemen, J., Lano, J., Preneel, B.: Chosen Ciphertext Attack on SSS. eSTREAM, ECRYPT Stream Cipher Project, Report 2005/044 (2005),
  8. 8.
    eSTREAM - The ECRYPT Stream Cipher Project,
  9. 9.
    FIPS PUB 81. DES Modes of Operation (1980)Google Scholar
  10. 10.
    Fouque, P.-A., Martinet, G., Poupard, G.: Practical Symmetric On-Line Encryption. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 362–375. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. 11.
    Hawkes, P., Rose, G.: Primitive Specification and Supporting Documentation for SOBER-t32. In: First Open NESSIE Workshop, Submission to NESSIE (2000)Google Scholar
  12. 12.
    Joux, A., Muller, F.: Loosening the KNOT. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 87–99. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  13. 13.
    Joux, A., Muller, F.: Two Attacks Against the HBB Stream Cipher. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 330–341. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  14. 14.
    Maurer, U.: New Approaches to the Design of Self-Synchronizing Stream Ciphers. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 458–471. Springer, Heidelberg (1991)Google Scholar
  15. 15.
    Mitra, J.: A near-practical attack against B mode of HBB. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 412–424. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  16. 16.
    Muller, F.: Differential Attacks and Stream Ciphers. In: State of the Art in Stream Ciphers. ECRYPT Network of Excellence in Cryptology, Workshop Record (2004)Google Scholar
  17. 17.
    National Institute of Standards and Technology (NIST). Advanced Encryption Standard (AES) FIPS Publication 197 (November 2001), Available at,
  18. 18.
    Preneel, B., Nuttin, M., Rijmen, R., Buelens, J.: Cryptanalysis of the CFB Mode of the DES with a Reduced Number of Rounds. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 212–223. Springer, Heidelberg (1994)Google Scholar
  19. 19.
    Rose, G., Hawkes, P., Paddon, G., Wiggers de Vries, M.: Primitive Specifications for SSS. eSTREAM, ECRYPT Stream Cipher Project, Report 2005/028 (2005),
  20. 20.
    Sarkar, P.: Hiji-Bij-Bij: A New Stream Cipher with a Self-Synchronizing Mode of Operation. In: Johansson, T., Maitra, S. (eds.) INDOCRYPT 2003. LNCS, vol. 2904, pp. 36–51. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  21. 21.
    Wang, X., Yin, Y., Yu, H.: Finding Collisions in the Full SHA1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)Google Scholar
  22. 22.
    Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  23. 23.
    Wang, X., Yu, H., Yin, Y.: Efficient Collision Search Attacks on SHA0. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 1–16. Springer, Heidelberg (2005)Google Scholar
  24. 24.
    Watanabe, D., Furuya, S.: A MAC Forgery Attack on SOBER-128. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 472–482. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  25. 25.
    Zhang, B., Wu, H., Feng, D., Bao, F.: Chosen Ciphertext Attack on a New Class of Self-Synchronizing Stream Ciphers. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 73–83. Springer, Heidelberg (2004)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Antoine Joux
    • 1
    • 3
  • Frédéric Muller
    • 2
  1. 1.DGA 
  2. 2.HSBCFrance
  3. 3.Université de Versailles-Saint-QuentinFrance

Personalised recommendations