Cryptographic Significance of the Carry for Ciphers Based on Integer Addition
CRYPTO '90 Proceedings of the 10th Annual International Cryptology Conference on Advances in Cryptology
Proceedings of the Third International Workshop on Fast Software Encryption
A Practical Attack on Broadcast RC4
FSE '01 Revised Papers from the 8th International Workshop on Fast Software Encryption
New Stream Cipher Designs
On the (in)security of stream ciphers based on arrays and modular addition
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Distinguishing attacks on the stream cipher py
FSE'06 Proceedings of the 13th international conference on Fast Software Encryption
New weaknesses in the keystream generation algorithms of the stream ciphers TPy and Py
ISC'07 Proceedings of the 10th international conference on Information Security
SPACE'12 Proceedings of the Second international conference on Security, Privacy, and Applied Cryptography Engineering
Optimized GPU implementation and performance analysis of HC series of stream ciphers
ICISC'12 Proceedings of the 15th international conference on Information Security and Cryptology
Hi-index | 0.00 |
The software-efficient stream cipher HC-256 was proposed by Wu at FSE 2004. Due to its impressive performance, the cipher was also a well-received entrant to the ECRYPT eSTREAM competition. The closely related stream cipher HC-128, also designed by Wu, went on to find a place in the final portfolio of the eSTREAM contest. The cipher HC-256 is word-oriented, with 32 bits in each word, and uses a 256-bit key and a 256-bit IV . Since HC-256 was published in 2004, barring a cache-timing analysis of unprotected implementations, there has not been any attack on the cipher. This paper makes two contributions. First, we build a class of distinguishers on HC-256, each of which requires testing the validity of about 2276.8 linear equations involving binary keystream variables. Thereby, our attacks improve the data complexity of the hitherto best-known distinguisher (presented by the designer along with the specifications of the cipher) by a factor of about 12. We also present another observation that, we believe, can be further exploited to build more efficient distinguishing attacks on the cipher. It is hoped that the results of this paper would also find use in future security evaluations of the closely-related ciphers HC-128 and HC-256'.