D. J. Bernstein
Hash functions and ciphers
Notes on the ECRYPT Stream Cipher Project (eSTREAM)

Attacks

Introduction
A5/1: broken
A5/2: broken
ABC v1: withdrawn
ABC v2: withdrawn
ABC v3: broken
Achterbahn v1: withdrawn
Achterbahn-80: unresolved
Achterbahn-128: unresolved
AES with 10 rounds: 128-bit security?
AES with 14 rounds: 256-bit security?
ChaCha6: 139-bit security?
ChaCha7: 248-bit security?
ChaCha8: 256-bit security?
ChaCha9: 256-bit security?
ChaCha10: 256-bit security?
ChaCha11: 256-bit security?
ChaCha12: 256-bit security?
ChaCha20: 256-bit security?
CryptMT v1: 256-bit security?
CryptMT v2: 256-bit security?
CryptMT v3: 256-bit security?
DECIM v1: withdrawn
DECIM v2: 80-bit security?
DECIM-128: 128-bit security?
DICING v0: withdrawn
DICING v1: withdrawn
DICING v2: 256-bit security?
Dragon limited to 2^64 bits per key: 256-bit security?
Edon80: 80-bit security?
F-FCSR-8: withdrawn
F-FCSR-H: broken
F-FCSR-16: broken?
FISH: broken
Frogbit: broken
Fubuki: 256-bit security?
GGHN: broken
Grain v0: withdrawn
Grain v1: 79-bit security?
Grain-128: 128-bit security?
HC-128: 128-bit security?
HC-256: 256-bit security?
Hermes8: unresolved
Hermes8-128: withdrawn
Hermes8F: broken
Hermes8F-128: broken
IA: broken
ISAAC: 256-bit security?
LEVIATHAN: broken
LEX v1 limited to 2^46 bytes per key: 128-bit security?
LEX v2 limited to 2^46 bytes per key: 128-bit security?
LILI-128: unresolved
MAG v0: withdrawn
MAG v1: unresolved
MAG v2: unresolved
MAG v3: broken
MICKEY v1: 80-bit security?
MICKEY-128 v1: 128-bit security?
MICKEY v2: 80-bit security?
MICKEY-128 v2: 128-bit security?
Mir-1: withdrawn
Mosquito: withdrawn
Moustique: 90-bit security?
MUGI: 128-bit security?
NGG: broken
NLS v1: withdrawn
NLS v2 limited to 2^64 bits per key: 128-bit security?
ORYX: broken
PANAMA: 256-bit security?
Phelix: 256-bit security?
Pike: 256-bit security?
Polar Bear v1: withdrawn
Polar Bear v2: 128-bit security?
Pomaranch: withdrawn
Pomaranch v2: 128-bit security?
Pomaranch v3: 128-bit security?
ProVEST-4: 100-bit security?
ProVEST-16: 100-bit security?
ProVEST-32: 100-bit security?
Py: broken
Py6: broken
Pypy: broken
Rabbit: 128-bit security?
RC4: broken
Salsa20/5: broken
Salsa20/6: broken
Salsa20/7: 151-bit security?
Salsa20/8: 251-bit security?
Salsa20/9: 256-bit security?
Salsa20/10: 256-bit security?
Salsa20/11: 256-bit security?
Salsa20/12: 256-bit security?
Salsa20/20: 256-bit security?
Scream: 128-bit security?
SEAL 1.0: broken
SEAL 2.0: broken
SEAL 3.0: broken
SFINKS: withdrawn
Shannon: 256-bit security?
SNOW 1.0: withdrawn
SNOW 2.0: 256-bit security?
SOBER-128: 128-bit security?
SOSEMANUK: 226-bit security?
SSS: withdrawn
TPy limited to 2^64 bytes per key: 256-bit security?
TPy6 limited to 2^64 bytes per key: 256-bit security?
TPypy: 256-bit security?
Trivium: 80-bit security?
TSC-3: withdrawn
TSC-4: broken
Turing: 256-bit security?
WAKE: broken
WG v1: broken
WG v2 limited to 2^45 bits per key: 80-bit security?
YAMB: unresolved
ZK-Crypt v1: withdrawn
ZK-Crypt v2: 128-bit security?
ZK-Crypt v3: 128-bit security?

Introduction

This page summarizes various attacks on stream ciphers, particularly the eSTREAM submissions. The official eSTREAM status of the submissions (SW focus for phase-2 "software focus" ciphers, SW for other phase-2 software ciphers, HW focus for phase-2 "hardware focus" ciphers, HW for other phase-2 hardware ciphers) is listed parenthetically, along with the location of the cipher software in the official eSTREAM benchmark suite.

I have a new paper summarizing attacks on the eSTREAM submissions and discussing the standard definition of cipher security:

The paper does not include stream ciphers that were not submitted to eSTREAM.

I also have a separate page on side-channel leaks.

ABC v1 (submissions/abc/v1): withdrawn

Proposed by Vladimir Anashin, Andrey Bogdanov, Ilya Kizhvatov, Sandeep Kumar. Cryptanalysis:

ABC v2 (submissions/abc/v2): withdrawn

Proposed 2005.07 by Vladimir Anashin, Andrey Bogdanov, Ilya Kizhvatov, Sandeep Kumar. Cryptanalysis:

ABC v3 (SW, submissions/abc/v3): broken

Proposed by Vladimir Anashin, Andrey Bogdanov, Ilya Kizhvatov, Sandeep Kumar. Cryptanalysis:

Achterbahn v1 (submissions/achterbahn/v1): withdrawn

Proposed by Berndt Gammel, Rainer Goettfert, Oliver Kniffler. Cryptanalysis:

Achterbahn-80 (HW, submissions/achterbahn/128-80) limited to 2^52 bits: unresolved

Proposed by Berndt Gammel, Rainer Goettfert, Oliver Kniffler. Cryptanalysis: My current impression is that, as in the case of Achterbahn v1, overwhelming communication costs are being ignored in these "attacks."

Achterbahn-128 (HW, submissions/achterbahn/128-80) limited to 2^56 bits: unresolved

Proposed by Berndt Gammel, Rainer Goettfert, Oliver Kniffler. Cryptanalysis: See above regarding communication costs.

AES with 10 rounds (benchmarks/aes-ctr/aes-128): 128-bit security?

Cryptanalysis:

AES with 14 rounds (benchmarks/aes-ctr/aes-256): 256-bit security?

Cryptanalysis:

ChaCha6: 139-bit security?

Cryptanalysis: For 128-bit keys, the Aumasson-et-al. attack uses 2^107 operations.

ChaCha7: 248-bit security?

Cryptanalysis: For 128-bit keys, the Aumasson-et-al. attack doesn't work at all: it needs to guess all key bits.

ChaCha8: 256-bit security?

Cryptanalysis:

ChaCha9: 256-bit security?

Cryptanalysis:

ChaCha10: 256-bit security?

Cryptanalysis:

ChaCha11: 256-bit security?

Cryptanalysis:

ChaCha12: 256-bit security?

Cryptanalysis:

ChaCha20: 256-bit security?

Cryptanalysis:

CryptMT v1 (SW, submissions/cryptmt/v1): 256-bit security?

[paper] Proposed by Makoto Matsumoto, Hagita Mariko, Takuji Nishimura, Matsuo Saito. Cryptanalysis:

CryptMT v2 (SW, submissions/cryptmt/v2): 256-bit security?

Proposed by Makoto Matsumoto, Hagita Mariko, Takuji Nishimura, Matsuo Saito. Cryptanalysis:

CryptMT v3 (SW, Phase 3 SW focus, submissions/cryptmt/v3): 256-bit security?

Proposed by Makoto Matsumoto, Hagita Mariko, Takuji Nishimura, Matsuo Saito. Cryptanalysis:

DECIM v1 (submissions/decim/v1): withdrawn

[paper] Proposed by Come Berbain, Olivier Billet, Anne Canteaut, Nicolas Courtois, Blandine Debraize, Henri Gilbert, Louis Goubin, Aline Gouget, Louis Granboulan, Cedric Lauradoux, Marine Minier, Thomas Pornin, Herve Sibert. Cryptanalysis:

DECIM v2 (HW, Phase 3 HW focus, submissions/decim/v2): 80-bit security?

Cryptanalysis:

DECIM-128: 128-bit security?

Cryptanalysis:

DICING v0: withdrawn

[paper] Proposed by Li An-Ping. Cryptanalysis:

DICING v1 (submissions/dicing/v1): withdrawn

[paper] Proposed by Li An-Ping. Replaced DICING v0 in May 2005. Cryptanalysis:

DICING v2 (SW, submissions/dicing/v2): 256-bit security?

Proposed by Li An-Ping. Cryptanalysis:

Dragon (SW focus, Phase 3 SW focus, submissions/dragon) limited to 2^64 bits per key: 256-bit security?

[paper] Proposed by Ed Dawson, Kevin Chen, Matt Henricksen, William Millan, Leonie Simpson, HoonJae Lee, SangJae Moon. Cryptanalysis:

Edon80 (HW, Phase 3 HW focus, submissions/edon80): 80-bit security?

Proposed by Danilo Gligoroski, Smile Markovski, Ljupco Kocarev, Marjan Gusev. Cryptanalysis:

F-FCSR-8 (submissions/f-fcsr/f-fcsr-8): withdrawn

[paper] Proposed by Thierry Berger, Francois Arnault, Cedric Lauradoux. Cryptanalysis:

F-FCSR-H (HW, Phase 3 HW focus, submissions/f-fcsr/f-fcsr-h): broken

Proposed by Thierry Berger, Francois Arnault, Cedric Lauradoux. Cryptanalysis:

F-FCSR-16 (Phase 3 HW focus, submissions/f-fcsr/f-fcsr-16): broken?

[paper] Proposed by Thierry Berger, Francois Arnault, Cedric Lauradoux. Cryptanalysis:

Frogbit (submissions/frogbit): broken

Proposed by Thierry Moreau. Cryptanalysis:

Fubuki (submissions/fubuki): 256-bit security?

[paper] Proposed by Makoto Matsumoto, Hagita Mariko, Takuji Nishimura, Matsuo Saito. Cryptanalysis:

GGHN: broken

Proposed by Gong et al. Cryptanalysis:

Grain v0 (submissions/grain/v0): withdrawn

[paper] Proposed by Martin Hell, Thomas Johansson, Willi Meier. Cryptanalysis:

Grain v1 (HW focus, Phase 3 HW focus, submissions/grain/v1): 79-bit security?

Proposed by Martin Hell, Thomas Johansson, Willi Meier. Cryptanalysis:

Grain-128 (HW focus, Phase 3 HW focus, submissions/grain/128): 128-bit security?

Proposed by Martin Hell, Thomas Johansson, Willi Meier. Cryptanalysis:

HC-128 (Phase 3 SW focus, submissions/hc-256/hc-128): 128-bit security?

Proposed by Hongjun Wu. Cryptanalysis:

HC-256 (SW focus, Phase 3 SW focus, submissions/hc-256/hc-256): 256-bit security?

[paper] Proposed by Hongjun Wu. Cryptanalysis:

Hermes8 (HW, submissions/hermes/hermes8-80): unresolved

Proposed by Ulrich Kaiser. Cryptanalysis:

Hermes8-128 (HW, submissions/hermes/hermes8-128): withdrawn

Proposed by Ulrich Kaiser. Cryptanalysis:

Hermes8F (HW, submissions/hermes/hermes8f-80): broken

Proposed by Ulrich Kaiser. Cryptanalysis:

Hermes8F-128 (HW, submissions/hermes/hermes8f-128): broken

Proposed by Ulrich Kaiser. Cryptanalysis:

IA: broken

Proposed by Jenkins at FSE 1996. Cryptanalysis:

ISAAC: 256-bit security?

Proposed by Jenkins at FSE 1996. Cryptanalysis:

LEX v1 (submissions/lex/v1) limited to 2^46 bytes per key: 128-bit security?

[paper] Proposed by Alex Biryukov. Cryptanalysis: There is also a 256-bit version of LEX v1, but my impression is that this version has not even been fully specified, let alone implemented.

LEX v2 (SW focus, HW, Phase 3 SW focus, non-functional submissions/lex/v2) limited to 2^46 bytes per key: 128-bit security?

Proposed by Alex Biryukov. Cryptanalysis:

MAG v0 (submissions/mag/v0?): withdrawn

Proposed by Rade Vuckovac. ("Provisional C++ version initially submitted to the ECRYPT.") Cryptanalysis:

MAG v1 (submissions/mag/v1?): unresolved

[paper] Proposed by Rade Vuckovac. ("MAG v1 (32 bit) is different from C++ version.") The standard presumption is that MAG v1, like MAG v0, is distinguishable at very low cost, but the author disputes this. The standard presumption was also that MAG v1 was withdrawn when MAG v2 was introduced, but the author says it wasn't.

MAG v2 (submissions/mag/v2): unresolved

Did not attract any attention. The standard presumption is that MAG v2, like MAG v0, is distinguishable at very low cost, but the author disputes this. The standard presumption was also that MAG v2 was withdrawn when MAG v3 was introduced, but the author says it wasn't.

MAG v3 (submissions/mag/v3): broken

Briefly attracted attention for its extremely high speed. Distinguishable at very low cost; I posted distinguishing code to the eSTREAM forum in 2007.02.

MICKEY v1 (submissions/mickey/v1): 80-bit security?

[paper] Proposed by Steve Babbage, Matthew Dodd. Cryptanalysis:

MICKEY-128 v1 (submissions/mickey/v1-128): 128-bit security?

Proposed by Steve Babbage, Matthew Dodd. Cryptanalysis:

MICKEY v2 (HW, Phase 3 HW focus, submissions/mickey/v2): 80-bit security?

Proposed by Steve Babbage, Matthew Dodd. Cryptanalysis:

MICKEY-128 v2 (HW focus, Phase 3 HW focus, submissions/mickey/v2-128): 128-bit security?

Proposed by Steve Babbage, Matthew Dodd. Cryptanalysis:

Mir-1 (submissions/mir-1): withdrawn

Proposed by Alexander Maximov. Cryptanalysis:

Mosquito: withdrawn

[paper (subsequently corrected)] Proposed by Joan Daemen, Paris Kitsos. "More of a research object than a standard proposal," Daemen said in his SKEW 2005 presentation. "Broken," Daemen said in his SASC 2006 presentation.

Moustique (HW, Phase 3 HW focus): 90-bit security?

Proposed by Joan Daemen, Paris Kitsos. Cryptanalysis:

NGG: broken

Proposed by Nawaz, Gupta, and Gong in 2005. Cryptanalysis:

NLS v1 (submissions/nls/sync?): withdrawn

Proposed by Gregory Rose, Philip Hawkes, Michael Paddon, Miriam Wiggers de Vries. NLS allows an add-on authenticator, ignored here. Cryptanalysis:

NLS v2 (SW, HW, Phase 3 SW focus, submissions/nls/sync?) limited to 2^64 bytes per key: 128-bit security?

Proposed by Gregory Rose, Philip Hawkes, Michael Paddon, Miriam Wiggers de Vries. Cryptanalysis:

Phelix (SW focus, HW focus, submissions/phelix): 256-bit security?

[paper] Proposed by Doug Whiting, Bruce Schneier, Stefan Lucks, Frederic Muller. Cryptanalysis:

Polar Bear v1 (submissions/polarbear/v1): withdrawn

[paper] Proposed by Johan Haastad, Mats Naeslund. Cryptanalysis:

Polar Bear v2 (SW, HW, submissions/polarbear/v2): 128-bit security?

Proposed by Johan Haastad, Mats Naeslund. Cryptanalysis:

Pomaranch (CJCSG) v1 (submissions/pomaranch/v1): withdrawn

[paper] [another paper] Proposed by Cees Jansen, Tor Helleseth, Alexander Kholosha. Cryptanalysis:

Pomaranch v2: 128-bit security?

[paper] Proposed by Cees Jansen, Tor Helleseth, Alexander Kholosha. Cryptanalysis:

Pomaranch v3 (HW, Phase 3 HW focus): 128-bit security?

Proposed by Cees Jansen, Tor Helleseth, Alexander Kholosha. Cryptanalysis:

ProVEST-4 (HW, submissions/vest/provest-4): 100-bit security?

[paper] Proposed by Claude Bigeard, Sean O'Neil, Benjamin Gittins, Howard Landman. Cryptanalysis:

ProVEST-16 (HW, submissions/vest/provest-16): 100-bit security?

Proposed by Claude Bigeard, Sean O'Neil, Benjamin Gittins, Howard Landman. Cryptanalysis:

ProVEST-32 (HW, submissions/vest/provest-32): 100-bit security?

Proposed by Claude Bigeard, Sean O'Neil, Benjamin Gittins, Howard Landman. Cryptanalysis:

Py (SW focus, submissions/py/py) limited to 2^64 bytes per key: broken

Proposed by Eli Biham, Jennifer Seberry. Cryptanalysis:

Py6 (SW focus, submissions/py/py6) limited to 2^64 bytes per key: broken

Proposed by Eli Biham, Jennifer Seberry. Cryptanalysis:

Pypy (SW focus, submissions/py/pypy) limited to 2^64 bytes per key: broken

Proposed by Eli Biham, Jennifer Seberry in "Pypy: Another Version of Py" (2006.06.27). Cryptanalysis:

Rabbit (SW, HW, Phase 3 SW focus, submissions/rabbit): 128-bit security?

[paper] Proposed by Martin Boesgaard, Mette Vesterager, Thomas Christensen, Erik Zenner. Cryptanalysis:

Salsa20/5: broken

Cryptanalysis:

Salsa20/6: broken

Cryptanalysis: For 128-bit keys, the Tsunoo-et-al. attack guesses 50 key bits.

Salsa20/7: 151-bit security?

Cryptanalysis: For 128-bit keys, the Tsunoo-et-al. attack guesses 115 key bits and might be slightly faster than brute force; the Aumasson-et-al. attack uses 2^111 operations.

Salsa20/8 (SW focus, HW, Phase 3 SW focus, submissions/salsa20/8-rounds): 249-bit security?

Proposed by me. Cryptanalysis: For 128-bit keys, the Tsunoo-et-al. attack doesn't work at all; it would have to guess all 128 key bits. The same is true for the Aumasson-et-al. attack.

Salsa20/9: 256-bit security?

Cryptanalysis:

Salsa20/10: 256-bit security?

Cryptanalysis:

Salsa20/11: 256-bit security?

Cryptanalysis:

Salsa20/12 (SW focus, HW, Phase 3 SW focus, submissions/salsa20/12-rounds): 256-bit security?

Proposed by me. Cryptanalysis:

Salsa20/20 = Salsa20 = Snuffle 2005 (SW focus, HW, Phase 3 SW focus, submissions/salsa20/full): 256-bit security?

Proposed by me. Cryptanalysis:

SFINKS (submissions/sfinks/sync): withdrawn

[paper] Proposed by An Braeken, Joseph Lano, Nele Mentens, Bart Preneel, Ingrid Verbauwhede. Allows an add-on authenticator, ignored here. Cryptanalysis:

SOSEMANUK (SW focus, Phase 3 SW focus, submissions/sosemanuk): 226-bit security?

[paper] Proposed by Come Berbain, Olivier Billet, Anne Canteaut, Nicolas Courtois, Henri Gilbert, Louis Goubin, Aline Gouget, Louis Granboulan, Cedric Lauradoux, Marine Minier, Thomas Pornin, Herve Sibert. Cryptanalysis:

SSS: withdrawn

Proposed by Gregory Rose, Philip Hawkes, Michael Paddon, Miriam Wiggers de Vries. Cryptanalysis:

TPy (SW focus?, submissions/py/tpy) limited to 2^64 bytes per key: 256-bit security?

Proposed by Eli Biham, Jennifer Seberry in "Tweaking the IV Setup of the Py Family of Stream Ciphers---The Ciphers TPy, TPypy, and TPy6" (2007.01.25). Cryptanalysis:

TPy6 (SW focus?, submissions/py/tpy6) limited to 2^64 bytes per key: 256-bit security?

Proposed by Eli Biham, Jennifer Seberry in "Tweaking the IV Setup of the Py Family of Stream Ciphers---The Ciphers TPy, TPypy, and TPy6" (2007.01.25). Cryptanalysis:

TPypy (SW focus?, submissions/py/tpypy): 256-bit security?

Proposed by Eli Biham, Jennifer Seberry in "Tweaking the IV Setup of the Py Family of Stream Ciphers---The Ciphers TPy, TPypy, and TPy6" (2007.01.25). Cryptanalysis:

Trivium (HW focus, Phase 3 HW focus, submissions/trivium): 80-bit security?

[paper] Proposed by Christophe De Canniere, Bart Preneel. Cryptanalysis: I hope that the authors (or other people) specify a series of scaled versions of Trivium, with states of various sizes; these would be very nice targets for future cryptanalysis.

TSC-3 (submissions/tsc-3/tsc-3): withdrawn

[paper] Proposed by Jin Hong, Dong Hoon Lee, Yongjin Yeom, Daewan Han, Seongtaek Chee. Cryptanalysis:

TSC-4 (HW, submissions/tsc-3/tsc-4): 80-bit security?

Proposed by Dukjae Moon, Daesung Kwon, Daewan Han, Jooyoung Lee, Gwon Ho Ryu, Dong Wook Lee, Yongjin Yeom, and Seongtaek Chee. Cryptanalysis:

WG v1 (submissions/wg/v1/small-iv, submissions/wg/v1/long-iv): broken

Proposed by Guang Gong, Yassir Nawaz. Cryptanalysis:

WG v2 (HW, submissions/wg/v2/small-iv, submissions/wg/v2/long-iv) limited to 2^45 bits per key: 80-bit security?

Proposed by Guang Gong, Yassir Nawaz. Cryptanalysis:

YAMB (submissions/yamb): unresolved

[paper] Proposed by Anatoly N. Lebedev, Alexander Ivanov, Sergey Starodubtzev, Alexey Kolchkov. Cryptanalysis:

ZK-Crypt v1 (submissions/zk-crypt/v1): withdrawn

Proposed by Carmi Gressel, Ran Granot, Gabi Vago. Cryptanalysis:

The authors (at SASC 2006, and again in the ZK-Crypt v2 documentation) questioned the Lubkin-Ryabko result. I wrote a paper confirming and simplifying the Lubkin-Ryabko result:

ZK-Crypt v2 (HW, submissions/zk-crypt/v2): 128-bit security?

Proposed by Carmi Gressel, Ran Granot, Gabi Vago. Cryptanalysis:

ZK-Crypt v3 (HW, submissions/zk-crypt/v3): 128-bit security?

Proposed by Carmi Gressel, Ran Granot, Gabi Vago. Cryptanalysis: