Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4515)


Py and Pypy are efficient array-based stream ciphers designed by Biham and Seberry. Both were submitted to the eSTREAM competition. This paper shows that Py and Pypy are practically insecure. If one key is used with about 216 IVs with special differences, with high probability two identical keystreams will appear. This can be exploited in a key recovery attack. For example, for a 16-byte key and a 16-byte IV, 223 chosen IVs can reduce the effective key size to 3 bytes. For a 32-byte key and a 32-byte IV, the effective key size is reduced to 3 bytes with 224 chosen IVs. Py6, a variant of Py, is more vulnerable to these attacks.


Differential Cryptanalysis Stream Cipher Py Py6 Pypy 


  1. 1.
    Biham, E., Shamir, A.: Differential Cryptanalysis of DES-like Cryptosystems. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991)Google Scholar
  2. 2.
    Biham, E., Seberry, J.: Py (Roo): A Fast and Secure Stream Cipher Using Rolling Arrays. The ECRYPT eSTREAM project Phase 2 focus ciphers. Available at
  3. 3.
    Biham, E., Seberry, J.: Pypy (Roopy): Another Version of Py. The ECRYPT eSTREAM project Phase 2 focus ciphers. Available at
  4. 4.
    Crowley, P.: Improved Cryptanalysis of Py. Available at
  5. 5.
    Fluhrer, S.R., McGrew, D.A.: Statistical Analysis of the Alleged RC4 Keystream Generator. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 19–30. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  6. 6.
    Fluhrer, S.R., Mantin, I., Shamir, A.: Weaknesses in the Key Scheduling Algorithm of RC4. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 1–24. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  7. 7.
    Golić, J.D.: Linear statistical weakness of alleged RC4 keystream generator. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 226–238. Springer, Heidelberg (1997)Google Scholar
  8. 8.
    Jenkins Jr., R.J.: ISAAC. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 41–49. Springer, Heidelberg (1996)Google Scholar
  9. 9.
    Joux, A., Reinhard, J.-R.: Overtaking VEST. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 58–72. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  10. 10.
    Keller, N., Miller, S.D., Mironov, I., Venkatesan, R.: MV3: A new word based stream cipher using rapid mixing and revolving buffers. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 1–19. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  11. 11.
    Knudsen, L.R., Meier, W., Preneel, B., Rijmen, V., Verdoolaege, S.: Analysis Methods for (Alleged) RC4. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 327–341. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  12. 12.
    Mantin, I., Shamir, A.: A Practical Attack on Broadcast RC4. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 152–164. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  13. 13.
    Mantin, I.: A Practical Attack on the Fixed RC4 in the WEP Mode. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 395–411. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  14. 14.
    Mantin, I.: Predicting and Distinguishing Attacks on RC4 Keystream Generator. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 491–506. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  15. 15.
    Mironov, I. (Not so) random shuffles of RC4. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 304–319. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  16. 16.
    Mister, S., Tavares, S.E.: Cryptanalysis of RC4-like Ciphers. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 131–143. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  17. 17.
    Paul, S., Preneel, B.: A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 245–259. Springer, Heidelberg (2004)Google Scholar
  18. 18.
    Paul, S., Preneel, B., Sekar, G.: Distinguishing Attacks on the Stream Cipher Py. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol. 4047, pp. 405–421. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  19. 19.
    Paul, S., Preneel, B.: On the (In)security of Stream Ciphers Based on Arrays and Modular Addition. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 69–83. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  20. 20.
    Wu, H., Preneel, B.: Cryptanalysis of the Stream Cipher DECIM. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol. 4047, pp. 30–40. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  21. 21.
    Wu, H., Preneel, B.: Resynchronization Attacks on WG and LEX. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol. 4047, pp. 422–432. Springer, Heidelberg (2006)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  1. 1.ESAT/SCD-COSICKatholieke Universiteit LeuvenLeuven-HeverleeBelgium

Personalised recommendations