Overtaking VEST

  • Antoine Joux
  • Jean-René Reinhard
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4593)


VEST is a set of four stream cipher families submitted by S. O’Neil, B. Gittins and H. Landman to the eSTREAM call for stream cipher proposals of the European project ECRYPT. The state of any family member is made of three components: a counter, a counter diffusor and a core accumulator. We show that collisions can be found in the counter during the IV setup. Moreover, they can be combined with a collision in the linear counter diffusor to form collisions on the whole cipher. As a consequence, it is possible to retrieve 53 bits of the keyed state of the stream cipher by performing a chosen IV attack. For the default member of a VEST family, we present a “long” IV attack which requires 2^22.24 IV setups, and a “short” IV attack which requires 2^28.73 IV setups on average. The 53 bits retrieved can be used to reduce the complexity of the exhaustive key search. The chosen IV attack can be turned into a chosen message attack on a MAC based on VEST.


Keywords: Stream cipher, inner collision, chosen IV attack



Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Antoine Joux (1, 2)
  • Jean-René Reinhard (3)
  1. DGA
  2. Université de Versailles St-Quentin-en-Yvelines, PRISM, 45, avenue des États-Unis, 78035 Versailles Cedex, France
  3. DCSSI Crypto Lab, 51, Boulevard de La Tour-Maubourg, 75700 Paris 07 SP, France
