Resynchronization Attacks on WG and LEX

WG and LEX are two stream ciphers submitted to eStream – the ECRYPT stream cipher project. In this paper, we point out security flaws in the resynchronization of these two ciphers. The resynchronization of WG is vulnerable to a differential attack. For WG with 80-bit key and 80-bit IV, 48 bits of the secret key can be recovered with about 231.3 chosen IVs . For each chosen IV, only the first four keystream bits are needed in the attack. The resynchronization of LEX is vulnerable to a slide attack. If a key is used with about 260.8 random IVs, and 20,000 keystream bytes are generated from each IV, then the key of the strong version of LEX could be recovered easily with a slide attack. The resynchronization attack on WG and LEX shows that block cipher related attacks are powerful in analyzing non-linear resynchronization mechanisms.

[1]  Eli Biham,et al.  Differential cryptanalysis of DES-like cryptosystems , 1990, Journal of Cryptology.

[2]  Joos Vandewalle,et al.  Resynchronization Weaknesses in Synchronous Stream Ciphers , 1994, EUROCRYPT.

[3]  Alex Biryukov,et al.  Slide Attacks , 1999, FSE.

[4]  Amr M. Youssef,et al.  Cryptographic properties of the Welch-Gong transformation sequence generators , 2002, IEEE Trans. Inf. Theory.

[5]  Jovan Dj. Golic,et al.  On the Resynchronization Attack , 2003, FSE.

[6]  Frederik Armknecht,et al.  Extending the Resynchronization Attack , 2004, Selected Areas in Cryptography.

[7]  Guang Gong,et al.  The WG Stream Cipher , 2005 .

[8]  Alex Biryukov,et al.  Resynchronization Attack , 2005, Encyclopedia of Cryptography and Security.

[9]  A. Biryukov A New 128-bit Key Stream Cipher LEX , 2005 .