Search results for: Distinguishing Attacks

Number of results: 86712

AES_CMCCv₁, AVALANCHEv₁, CLOCv₁, and SILCv₁ are four candidates of the first round of CAESAR. CLOCv₁ is presented in FSE 2014 and SILCv₁ is designed upon it with the aim of optimizing the hardware implementation cost. In this paper, structural weaknesses of these candidates are studied. We present distinguishing attacks against AES_CMCCv₁ with the complexity of two queries and the success ...

2008
Jean-Philippe Aumasson

This paper presents two strong distinguishers for the deterministic random bit generator ISAAC, requiring 2 and 2 samples of respectively 64 and 32 bits, based on the observation that more than 2 167 initial states among the 2 192 ones induce a strongly non-uniform distribution of the bits produced at the first round of the algorithm. A previous attack on ISAAC presented at Asiacrypt’06 by Paul...

2005
Simon Fischer Pascal Junod Willi Meier

Klimov and Shamir proposed a new class of simple cryptographic primitives named T-functions. For two concrete proposals based on the squaring operation, a single word T-function and a previously unbroken multi-word T-function with a 256-bit state, we describe an efficient distinguishing attack having a 2 data complexity. Furthermore, Hong et al. recently proposed two fully specified stream ciph...

2002
Patrik Ekdahl Thomas Johansson

Two ways of mounting distinguishing attacks on two similar stream ciphers, SOBER-t16 and SOBER-t32, are proposed. It results in distinguishing attacks faster than exhaustive key search on full SOBER-t16 and on SOBER-t32 without stuttering.

2016
Takashi Matsunaka Atsuko Miyaji Yuuki Takano Markus Jakobsson Moti Yung Jianying Zhou

Knudsen and Meier applied the χ-attack to RC6. This attack is one of the most effective attacks for RC6. The χ-attack can be used for both distinguishing attacks and for key recovery attacks. Up to the present, theoretical analysis of χ-attacks, especially the relation between a distinguishing attack and a key recovery attack, has not been discussed. In this paper, we investigate the theoretica...

Journal: IACR Cryptology ePrint Archive 2002
Gregory G. Rose Philip Hawkes

We demonstrate that the existence of distinguishing attacks against stream ciphers is unrelated to their security in practical use, and in particular that the amount of data required to perform a distinguishing attack is unrelated to the key length of the cipher. The implication for the NESSIE Project is that no submitted symmetric cipher would be accepted under the unpublished rules for distin...

2008
Miia Hermelin Kaisa Nyberg

In this paper theoretical aspects of multidimensional linear distinguishing attacks are investigated. Using known examples of highly nonlinear Boolean functions we demonstrate how multidimensional linear approximations offer significant reduction in data complexity in distinguishing attacks. We also get concrete examples where one-dimensional linear approximations are never statistically indepe...
