A Chosen IV Attack Against Turing

  • Antoine Joux
  • Frédéric Muller
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3006)


In this paper, we show that the key scheduling algorithm of the recently proposed stream cipher Turing suffers from important flaws. These weaknesses allow an attacker that chooses the initialization vector (IV) to recover some partial information about the secret key. In particular, when using Turing with a 256-bit secret key and a 128-bit IV, we present an attack that requires the ability to choose 237 IV and then recovers the key with complexity 272, requiring 236 bytes of memory.


  1. 1.
  2. 2.
    Turing reference source code, Available at
  3. 3.
    Coppersmith, D., Halevi, S., Jutla, C.: Cryptanalysis of Stream Ciphers with Linear Masking. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 515–532. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  4. 4.
    Ekdahl, P., Johansson, T.: SNOW - a New Stream Cipher. In: First Open NESSIE Workshop, KU-Leuven (2000) (submission to NESSIE), Available at
  5. 5.
    Ekdahl, P., Johansson, T.: A New Version of the Stream Cipher SNOW. In: Selected Areas in Cryptography–2002. Lectures Notes in Computer Science. Springer, Heidelberg (2002)Google Scholar
  6. 6.
    Ekdahl, P., Johansson, T.: Distinguishing attacks on SOBER-t16 and t32. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, p. 210. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  7. 7.
    Fluhrer, S., Mantin, I., Shamir, A.: Weaknesses in the Key Scheduling Algorithm of RC4. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 1–24. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  8. 8.
    Golic, J.D., Bagini, V., Morgari, G.: Linear Cryptanalysis of Bluetooth Stream Cipher. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 238–255. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  9. 9.
    Halevi, S., Coppersmith, D., Jutla, C.: Scream: a Software-efficient Stream Cipher. In: Knudsen, L. (ed.) Fast Software Encryption – 2002. Lectures Notes in Computer Science, vol. 2332, pp. 195–209. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. 10.
    Hawkes, P., Rose, G.: Primitive Specification and Supporting Documentation for SOBER-t32. In: First Open NESSIE Workshop (2000) (submission to NESSIE)Google Scholar
  11. 11.
    Hawkes, P., Rose, G.: Guess-and-Determine Attacks on SNOW. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 37–46. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  12. 12.
    Liskov, M., Rivest, R., Wagner, D.: Tweakable Block Ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  13. 13.
    Meier, W., Stafflebach, O.: Fast Correlations Attacks on Certain Stream Ciphers. Journal of Cryptology, 159–176 (1989) Springer-VerlagGoogle Scholar
  14. 14.
    Rose, G.: S32: A Fast Stream Cipher based on Linear Feedback over GF232Unpublished report, QUALCOMM, Australia, Available at
  15. 15.
    Rose, G., Hawkes, P.: On the Applicability of Distinguishing Attacks Against Stream Ciphers (2002), Available at
  16. 16.
    Rose, G., Hawkes, P.: Turing: a Fast Stream Cipher. In: Johansson, T. (ed.) Fast Software Encryption – 2003. Lectures Notes in Computer Science, Springer, Heidelberg (2003) (to appear)Google Scholar
  17. 17.
    Siegenthaler, T.: Correlation-immunity of Nonlinear Combining Functions for Cryptographic Applications. IEEE Transactions on Information Theory 30, 776–780 (1984)zbMATHCrossRefMathSciNetGoogle Scholar
  18. 18.
    Stubblefield, A., Ioannidis, J., Rubin, A.D.: Using the Fluhrer, Mantin and Shamir Attack to Break WEP (2001)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Antoine Joux
    • 1
  • Frédéric Muller
    • 1
  1. 1.DCSSI Crypto LabIssy-les-Moulineaux CedexFrance

Personalised recommendations