Security of a Keystream Cipher with Secret Initial Value

Abstract

A keystream can be produced by driving a known pseudo-random function with a counter, starting with a secret initial value. Knowledge of M blocks of keystream allows a speed-up of crypt-analysis by a factor of M over exhaustive search. A similar result holds when the function is a secret choice from a parameterized family. These results are the best possible under a black-box model, i.e., where the function is revealed to the analyst only by calling an oracle.

A synchronous cryptosystem can be produced by driving a pseudorandom function with a counter to generate a keystream. The initial value of the counter may be kept secret as part or all of the key. This paper shows that this provides some additional security, but not as much as might appear at first glance. The author wishes to thank H. Amirazizi, M. Hellman, E. Karnin, and J. Reyneri for useful conversations.

Naturally such a system depends upon the cryptographic security of the basic function. It must be one-way in a strong sense: given the values of the function on some set of arguments, it must be infeasible to compute the value on any argument not in the set.

For this paper, we assume that the basic function is a cryptographically secure pseudo-random function. We consider only attacks which are uniform, attacks which do not use particular weaknesses of the function. We present such an attack which reduces the cryptanalyst’s work by a factor of M over exhaustive search, when he is given M corresponding blocks of ciphertext and plaintext. Furthermore, we show that this is optimal for such uniform attacks.

In the first system we consider, the only secret is the initial value of the counter.