Distinguishing Attacks on the Stream Cipher Py

  • Souradyuti Paul
  • Bart Preneel
  • Gautham Sekar
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4047)


The stream cipher Py designed by Biham and Seberry is a submission to the ECRYPT stream cipher competition. The cipher is based on two large arrays (one is 256 bytes and the other is 1040 bytes) and it is designed for high speed software applications (Py is more than 2.5 times faster than the RC4 on Pentium III). The paper shows a statistical bias in the distribution of its output-words at the 1st and 3rd rounds. Exploiting this weakness, a distinguisher with advantage greater than 50% is constructed that requires 284.7 randomly chosen key/IV’s and the first 24 output bytes for each key. The running time and the data required by the distinguisher are t 2 84.7 and 289.2 respectively (t denotes the running time of the key/IV setup). We further show that the data requirement can be reduced by a factor of about 3 with a distinguisher that considers outputs of later rounds. In such case the running time is reduced to t284.7 (t denotes the time for a single round of Py). The Py specification allows a 256-bit key and a keystream of 264 bytes per key/IV. As an ideally secure stream cipher with the above specifications should be able to resist the attacks described before, our results constitute an academic break of Py. In addition we have identified several biases among pairs of bits; it seems possible to combine all the biases to build more efficient distinguishers.


  1. 1.
    Baignéres, T., Junod, P., Vaudenay, S.: How Far Can We Go Beyond Linear Cryptanalysis? In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 432–450. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  2. 2.
    Biham, E.: Personal Communication (December 2005)Google Scholar
  3. 3.
    Biham, E., Seberry, J.: Py. (Roo): A Fast and Secure Stream Cipher using Rolling Arrays. eSTREAM, ECRYPT Stream Cipher Project, Report 2005/023 (2005)Google Scholar
  4. 4.
    Blum, M., Micali, S.: How to Generate Cyptographically Strong Sequence of Psudorandom Bits. Siam Journal of Computing 13(4), 850–864 (1984)MATHCrossRefMathSciNetGoogle Scholar
  5. 5.
    Crowley, P.: Improved Cryptanalysis of Py. Workshop Record of SASC 2006 – Stream Ciphers Revisited, In: ECRYPT Network of Excellence in Cryptology, Leuven (Belgium), pp. 52–60 (February 2006)Google Scholar
  6. 6.
    Bernstein, D.J.: Comparison of 256-bit stream ciphers at the beginning of 2006, Workshop Record of SASC, – Stream Ciphers Revisited, ECRYPT Network of Excellence in Cryptology, pp. 70–83 (2006)Google Scholar
  7. 7.
  8. 8.
    Goldreich, O.: Lecture Notes on Pseudorandomness–Part-I. Department of Computer Science, Wiezmann Institute of Science, Rehovot, Israel (January 23, 2001)Google Scholar
  9. 9.
    Gong, G., Gupta, K.C., Hell, M., Nawaz, Y.: Towards a General RC4-Like Keystream Generator. In: Feng, D., Lin, D., Yung, M. (eds.) CISC 2005. LNCS, vol. 3822, pp. 162–174. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  10. 10.
    Jenkins Jr., R.J.: ISAAC. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 41–49. Springer, Heidelberg (1996)Google Scholar
  11. 11.
    Mantin, I., Shamir, A.: A Practical Attack on Broadcast RC4. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 152–164. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  12. 12.
    NESSIE: New European Schemes for Signature, Integrity and Encryption,
  13. 13.
    Paul, S., Preneel, B.: A NewWeakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 245–259. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  14. 14.
    Wu, H.: A New Stream Cipher HC-256. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 226–244. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  15. 15.
    Zoltak, B.: VMPC One-Way Function and Stream Cipher. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 210–225. Springer, Heidelberg (2004)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Souradyuti Paul
    • 1
  • Bart Preneel
    • 1
  • Gautham Sekar
    • 1
    • 2
  1. 1.Dept. ESAT/COSICKatholieke Universiteit LeuvenLeuven-HeverleeBelgium
  2. 2.Dept. of Electronics and Instrumentation, Dept. of PhysicsBirla Institute of Technology and SciencePilaniIndia

Personalised recommendations