Stream Ciphers and the eSTREAM Project

Vincent Rijmen
Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC and IBBT, Kasteelpark Arenberg 10, B-3001 Heverlee, Belgium, and Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010 Graz, Austria

The ISC Int'l Journal of Information Security, January 2010, Volume 2, Number 1 (pp. 3-11). ISeCure, http://www.isecure-journal.org. Invited Paper. ISSN: 2008-2045. © 2010 ISC. All rights reserved.

Article history: Received: 6 October 2009. Revised: -. Accepted: 30 November 2009. Published Online: 18 January 2010.
Keywords: Cryptology, Stream Ciphers, Time-Memory Trade-offs, eSTREAM

Sponsored by Onderzoeksfonds K.U.Leuven / Research fund K.U.Leuven OT/08/027. Corresponding author: V. Rijmen, email address: [email protected]

ABSTRACT

Stream ciphers are an important class of symmetric cryptographic algorithms. The eSTREAM project contributed significantly to the recent increase of activity in this field. In this paper, we present a survey of the eSTREAM project. We also review recent time/memory/data and time/memory/key trade-offs relevant for the generic attacks on stream ciphers.

1 Introduction

The design of secure stream ciphers is one of the oldest problems in cryptography. Although there exists a nicely developed theory that answers several of the important questions, the question is not fully solved (and it will probably never be). After the completion of the Advanced Encryption Standard (AES) process, block ciphers were firmly in the center of the cryptographic community's attention. Some people started wondering aloud whether there was still any practical application for stream ciphers or a reason to perform research on them. The eSTREAM project to evaluate stream ciphers, organized by the ECRYPT Network of Excellence, can be seen as an answer formulated by the part of the cryptographic community that does care about stream ciphers. It turned out to be a large part of the community.

In this paper, we give an overview of the eSTREAM project and we describe some lessons learnt on the design of secure stream ciphers. In Section 2 we start with one of the remarkable issues in the stream ciphers versus block ciphers debate, namely the fuzzy border separating them from one another. In Section 3, we describe some general results that were obtained during the eSTREAM competition. These generic attacks bound the best security that can be achieved for a given size of the secret key and the internal state. Section 4 discusses the eSTREAM highlights and events. We present some concluding remarks in Section 5.

2 Synchronous Stream Ciphers, Self-Synchronizing Stream Ciphers and Block Ciphers

Many introductory texts on symmetric cryptography distinguish two classes of primitives for symmetric encryption, namely block ciphers and stream ciphers. An often-cited example of a historical block cipher is the Caesar cipher. More modern examples include the public algorithms Data Encryption Standard (DES) and AES. Example stream ciphers are the historical Enigma cipher, RC4 and various ciphers based on Linear Feedback Shift Registers (LFSRs).

2.1 Definitions

The Handbook of Applied Cryptography gives the following definitions for a synchronous, respectively self-synchronizing, stream cipher.

Definition 1 (Synchronous Stream Cipher [13, Definition 6.2]). A synchronous stream cipher (SSC) is one in which the keystream is generated independently of the plaintext message and of the ciphertext.

Denoting message blocks by $m_i$, ciphertext blocks by $c_i$, the key by $\kappa$ and the content of the internal state of the stream cipher at time $i$ by $\sigma_i$, an SSC can be described by the following equations:

$\sigma_{i+1} = f(\sigma_i, \kappa),$ (1)
$z_i = g(\sigma_i, \kappa),$ (2)
$c_i = h(z_i, m_i).$ (3)

Here $\sigma_0$ is the initial value of the internal state and $z_0, z_1, z_2, \ldots$ is the keystream. The function $g$ is called the output transformation.

Definition 2 (Self-Synchronizing Stream Cipher [13, Definition 6.5]). A self-synchronizing stream cipher (SSSC) is one in which the keystream is generated as a function of the key and a fixed number of previous ciphertext digits.

In an SSSC, Equation (1) is replaced by:

$\sigma_i = (c_{i-t}, c_{i-t+1}, \ldots, c_{i-1}).$ (4)

Note that the Handbook defines both synchronous stream ciphers and self-synchronizing stream ciphers in terms of the more general class of stream ciphers. Interestingly, the Handbook omits to give a general definition of a stream cipher. Instead, the Handbook defines block ciphers and provides guidelines to distinguish stream ciphers from block ciphers.

Although there exists a common and clear intuition about the difference between a block cipher and a stream cipher, capturing this intuition in precise mathematical statements proves to be a challenge. The Handbook defines a block cipher as follows:

Definition 3 ([13, Definition 7.1]). An $n$-bit block cipher is a function $E : V_n \times K \to V_n$ such that for each key $\kappa \in K$, $E_\kappa(P)$ is an invertible mapping from $V_n$ to $V_n$, written $E_K(P)$.

The Handbook also points out two properties in which block ciphers and stream ciphers tend to differ [13, page 192]:

Block ciphers process plaintext in relatively large blocks (e.g. $n \geq 64$ bits). The same function is used to encrypt successive blocks; thus (pure) block ciphers are memoryless. In contrast, stream ciphers process plaintext in blocks as small as a single bit, and the encryption function may vary as plaintext is processed; thus stream ciphers are said to have memory. They are sometimes called state ciphers ... This distinction between block and stream ciphers is not definitive (...); adding a small amount of memory to a block cipher (as in CBC mode) results in a stream cipher with large blocks.

The Handbook hence proposes to take the size of the blocks processed and the presence or absence of memory as criteria to distinguish between block ciphers and stream ciphers.

If we consider the modern stream cipher proposals, for example the proposals submitted to the eSTREAM competition, then it turns out that many of the best-performing stream ciphers work on relatively large blocks, just like block ciphers. This is true in particular for stream ciphers designed to have a high performance in software; they usually process large blocks in order to benefit from the large registers available on modern processors.

Secondly, it should be pointed out that for the vast majority of practical applications, and for all applications that require some kind of provable security, block ciphers are being used in a mode of operation which introduces state (memory). Hence, this criterion to distinguish between block ciphers and stream ciphers turns out to be imprecise. On the other hand, among cryptographers, there appears to be a common intuition about which primitive should be considered to be a stream cipher and which a block cipher. We think that this intuition is captured by the following working definition.

2.2 New Working Definition

Any secure encryption method contains a kind of internal state, a family $\{F_\kappa\}_\kappa$ of state update transformations and a family $\{G_\kappa\}_\kappa$ of mechanisms to produce ciphertext. In mathematical notation, we can write:

$\sigma_{i+1} = F_\kappa(\sigma_i, m_i),$ (5)
$c_i = G_\kappa(\sigma_i, m_i).$ (6)

A block cipher is a family $\{E_\kappa\}_\kappa$ of permutations which can be used in a certain configuration, known as a mode of operation, to define the transformations $F_\kappa$, $G_\kappa$. Hence a block cipher based encryption method is an example of a modular design, consisting of a block cipher on the one hand, and a mode of operation on the other hand.

A stream cipher is an encryption method which doesn't necessarily employ this modular approach. By allowing more general constructions for $F_\kappa$ and $G_\kappa$, the designers aim to achieve a better tradeoff between performance, security and cost.

Note: In the Electronic Code Book (ECB) mode of operation, there is no internal state. It can be treated as a special case of the previous definition, with state size 0. Alternatively, we can exclude it from consideration because for the majority of applications, the ECB mode of operation can't be considered secure.

2.3 Constructions

Traditionally, definitely in academic research papers, SSCs have been constructed from Linear Feedback Shift Registers (LFSRs). The main advantages of LFSRs are their compactness in hardware, the well-developed mathematical theory surrounding their design and the good randomness properties. Their main disadvantage is of course their linearity, which needs

... or chosen plaintexts. We count the amount of data collected in units of $k$ bits, and denote the binary logarithm of this quantity by $D$. This data is combined with the results of the precomputation phase to recover the key. We denote the binary logarithm of the computational complexity of this phase by $T$. We denote the binary logarithm of the sum of the memory requirements of the precomputation phase and the online phase of the attack by $M$.

3.1 Exhaustive Attacks

For a straightforward exhaustive key search, there is no precomputation, the attacker collects a negligible amount of known plaintexts, and uses a negligible amount of memory ($P = D = M \approx 0$). The online computational complexity is given by $T = k$. On the other hand, we can also imagine an attack scenario where the attacker precomputes the ciphertext for a given chosen plaintext under all possible keys, and stores the result in a table.
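The working definition of Section 2.2 and the Definitions of Section 2.1 can be put side by side in code. The following is an added example, not code from the paper: it writes four modes of operation as $(F_\kappa, G_\kappa)$ pairs over a toy 8-bit permutation `E` (invented here for illustration, not a real cipher) and checks which modes resynchronize after a ciphertext block is lost in transit, which is exactly the property that separates the SSSC of Equation (4) (CFB, $t = 1$) from the SSC of Equations (1)-(3) (OFB). The names `encrypt`, `decrypt` and `errors_after_drop` are mine.

```python
"""Added example (not code from the paper): Eqs. (5)-(6), sigma_{i+1} = F_k(sigma_i, m_i)
and c_i = G_k(sigma_i, m_i), with F and G built from a block cipher E_k in four modes, plus
a check of which modes behave like the SSC (Eqs. 1-3) or the SSSC (Eq. 4) of Section 2.1."""

def E(k, x):  # toy 8-bit block cipher: key XOR, odd multiply, rotate; every step is a bijection
    y = ((x ^ k) * 17 + 29) & 0xFF
    return ((y << 3) | (y >> 5)) & 0xFF

def D(k, y):  # inverse of E; 241 is the inverse of 17 modulo 256
    y = ((y >> 3) | (y << 5)) & 0xFF
    return (((y - 29) * 241) & 0xFF) ^ k

MODES = {  # sender side: (F, G), each taking (key, sigma_i, m_i); the state sigma is one byte
    "ECB": (lambda k, s, m: s,           lambda k, s, m: E(k, m)),      # state unused: size 0 (the Note above)
    "CBC": (lambda k, s, m: E(k, s ^ m), lambda k, s, m: E(k, s ^ m)),  # sigma_{i+1} = c_i
    "OFB": (lambda k, s, m: E(k, s),     lambda k, s, m: m ^ E(k, s)),  # f = g = E_k, h = XOR: an SSC
    "CFB": (lambda k, s, m: m ^ E(k, s), lambda k, s, m: m ^ E(k, s)),  # sigma_{i+1} = c_i: an SSSC with t = 1
}
RECEIVER = {  # receiver side: m_i and sigma_{i+1} must be computed from (sigma_i, c_i) alone
    "ECB": (lambda k, s, c: D(k, c),     lambda k, s, c: s),
    "CBC": (lambda k, s, c: D(k, c) ^ s, lambda k, s, c: c),
    "OFB": (lambda k, s, c: c ^ E(k, s), lambda k, s, c: E(k, s)),
    "CFB": (lambda k, s, c: c ^ E(k, s), lambda k, s, c: c),
}

def encrypt(mode, k, iv, blocks):
    F, G = MODES[mode]
    s, out = iv, []                      # sigma_0 = iv
    for m in blocks:
        out.append(G(k, s, m))           # Eq. (6)
        s = F(k, s, m)                   # Eq. (5)
    return out

def decrypt(mode, k, iv, cblocks):
    recover, step = RECEIVER[mode]
    s, out = iv, []
    for c in cblocks:
        out.append(recover(k, s, c))
        s = step(k, s, c)                # state rebuilt from received ciphertext only
    return out

def errors_after_drop(mode, k, iv, blocks, j):
    """Delete ciphertext block j in transit and count wrong blocks at positions >= j+1,
    i.e. after the single block that a self-synchronizing receiver (t = 1) may still garble."""
    c = encrypt(mode, k, iv, blocks)
    got = decrypt(mode, k, iv, c[:j] + c[j + 1:])
    want = blocks[:j] + blocks[j + 1:]
    return sum(g != w for g, w in zip(got[j + 1:], want[j + 1:]))

KEY, IV = 0x5A, 0x3C                                  # constructed sample values
MSG = list(b"stream cipher or block cipher?")          # constructed input: 30 one-byte blocks
```

ECB, CBC and CFB all report zero errors after the dropped block, because their receiver state depends only on received ciphertext (or on nothing at all), whereas OFB, whose state runs on independently of the ciphertext, stays desynchronized for the rest of the message.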
