Weaknesses of COSvd (2,128) stream cipher

Authors:
Bin Zhang;Hongjun Wu;Dengguo Feng;Hong Wang
Affiliations:
State Key Laboratory of Information Security, Institute of Software, the Chinese Academy of Sciences, Beijing, P.R. China;Dept. ESAT/COSIC, Katholieke Universiteit Leuven, Belgium;State Key Laboratory of Information Security, Institute of Software, the Chinese Academy of Sciences, Beijing, P.R. China;State Key Laboratory of Information Security, Graduate School of the Chinese Academy of Sciences, Beijing, P.R. China
Venue:
ICISC'05 Proceedings of the 8th international conference on Information Security and Cryptology
Year:
2005

Citing 4
Cited 0

What every computer scientist should know about floating-point arithmetic

ACM Computing Surveys (CSUR)
Cryptanalysis of Stream Cipher COS(2, 128) Mode I

ACISP '02 Proceedings of the 7th Australian Conference on Information Security and Privacy
A Practical Attack on Broadcast RC4

FSE '01 Revised Papers from the 8th International Workshop on Fast Software Encryption
A New Ultrafast Stream Cipher Design: COS Ciphers

Proceedings of the 8th IMA International Conference on Cryptography and Coding

Quantified Score

Hi-index	0.00

Visualization

Abstract

The COSvd (2,128) cipher was proposed at the ECRYPT SASC'2004 workshop by Filiol et. al to strengthen the past COS (2,128) stream cipher. It uses clock-controlled non-linear feedback registers filtered by a highly non-linear output function and was claimed to prevent any existing attacks. However, as we will show in this paper, there are some serious security weaknesses in COSvd (2,128). The poorly designed S-box generates biased keystream and the message could be restored by a ciphertext-only attack in some broadcast applications . Besides, we launch a divide-and-conquer attack to recover the secret keys from O(226)-byte known plaintext with high success rate and complexity O(2113), which is much lower than 2512, the complexity of exhaustive search.