Linear Cryptanalysis of the TSC Family of Stream Ciphers

  • Frédéric Muller
  • Thomas Peyrin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3788)


In this paper, we introduce a new cryptanalysis method for stream ciphers based on T-functions and apply it to the TSC family which was proposed by Hong et al.. Our attack are based on linear approximations of the algorithms (in particular of the T-function). Hence, it is related to correlation attack, a popular technique to break stream ciphers with a linear update, like those using LFSR’s.

We show a key-recovery attack for the two algorithms proposed at FSE 2005 : TSC-1 in 225.4 computation steps, and TSC-2 in 248.1 steps. The first attack has been implemented and takes about 4 minutes to recover the whole key on an average PC. Another algorithm in the family, called TSC-3, was proposed at the ECRYPT call for stream ciphers. Despite some differences with its predecessors, it can be broken by similar techniques. Our attack has complexity of 242 known keystream bits to distinguish it from random, and about 266 steps of computation to recover the full secret key.

An extended version of this paper can be found on the ECRYPT website [23].


Output Function Block Cipher Stream Cipher Linear Feedback Shift Register Algebraic Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Armknecht, F., Krause, M.: Algebraic Attacks on Combiners with Memory. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 162–175. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  2. 2.
    Babbage, S.: Stream Ciphers: What Does the Industry Want? In: State of the Art of Stream Ciphers workshop, SASC 2004 (2004)Google Scholar
  3. 3.
    Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 1–13. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  4. 4.
    Courtois, N., Meier, W.: Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  5. 5.
    Ding, C., Xiao, G., Shan, W.: The Stability Theory of Stream Ciphers. LNCS, vol. 561. Springer, Heidelberg (1991); see Section 3.3Google Scholar
  6. 6.
    ECRYPT Network of Excellence in Cryptology,
  7. 7.
    ECRYPT Stream Cipher Project. See,
  8. 8.
    Golić, J.: Linear Cryptanalysis of Stream Ciphers. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 154–169. Springer, Heidelberg (1995)Google Scholar
  9. 9.
    Golić, J.: Linear Statistical Weakness of Alleged RC4 Keystream Generator. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 226–238. Springer, Heidelberg (1997)Google Scholar
  10. 10.
    Hong, J., Lee, D., Yeom, Y., Han, D.: A New Class of Single Cycle T-functions. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 68–82. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  11. 11.
    Hong, J., Lee, D., Yeom, Y., Han, D., Chee, S.: T-function Based Stream Cipher TSC-3. ECRYPT Stream Cipher Project Report 2005/031 (2005),
  12. 12.
    Klimov, A.: Applications of T-functions in Cryptography. PhD thesis, Weizmann Institute of Science (2004),
  13. 13.
    Klimov, A., Shamir, A.: A New Class of Invertible Mappings. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 470–483. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  14. 14.
    Klimov, A., Shamir, A.: Cryptographic Applications of T-functions. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 248–261. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  15. 15.
    Klimov, A., Shamir, A.: New Cryptographic Primitives Based on Multiword T-Functions. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 1–15. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  16. 16.
    Klimov, A., Shamir, A.: The TFi Family of Stream Ciphers. In: Handout given at the SASC 2004 workshop (2004)Google Scholar
  17. 17.
    Klimov, A., Shamir, A.: New Applications of T-functions in Block Ciphers and Hash Functions. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 18–31. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  18. 18.
    Künzli, S., Junod, P., Meier, W.: Attacks Against TSC. In: Rump Session at Fast Software Encryption, FSE 2005 (2005)Google Scholar
  19. 19.
    Künzli, S., Junod, P., Meier, W.: Distinguishing Attacks on T-Functions. In: Dawson, E., Vaudenay, S. (eds.) Mycrypt 2005. LNCS, vol. 3715, pp. 2–15. Springer, Heidelberg (2005) (to appear)Google Scholar
  20. 20.
    Matsui, M.: Linear Cryptanalysis Method for DES Cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)Google Scholar
  21. 21.
    Meier, W., Staffelbach, O.: Fast Correlations Attacks on Certain Stream Ciphers. Journal of Cryptology, 159–176 (1989)Google Scholar
  22. 22.
    Mitra, J., Sarkar, P.: Time-Memory Trade-Off Attacks on Multiplications and T-functions. In: Lee, P. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 468–482. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  23. 23.
    Muller, F., Peyrin, T.: Linear Cryptanalysis of TSC Stream Ciphers - Applications to the ECRYPT proposal TSC-3. ECRYPT Stream Cipher Project Report 2005/042 (2005),
  24. 24.
    Shamir, A.: Stream Ciphers: Dead or Alive? In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 78–78. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  25. 25.
    Siegenthaler, T.: Correlation-immunity of Nonlinear Combining Functions for Cryptographic Applications. IEEE Transactions on Information Theory 30, 776–780 (1984)zbMATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Frédéric Muller
    • 1
  • Thomas Peyrin
    • 1
  1. 1.DCSSI Crypto LabPARIS-07 SP

Personalised recommendations