Institute Name (Publisher)

Indian Statistical Institute

Document Type

Doctoral Thesis

Degree Name

Doctor of Philosophy

Subject Name



Applied Statistics Unit (ASU-Kolkata)


Maitra, Subhamoy (ASU-Kolkata; ISI)

Abstract (Summary of the Work)

Stream ciphers are important symmetric cryptological primitives, built for the purpose of providing secure message encryption. As no formal security proofs exist, our confidence in these algorithms is largely based on the fact that intense cryptanalysis has been carried out over several years without revealing any weakness. This thesis makes some independent contributions to the cryptanalysis of a selection of stream ciphers.

In this thesis, we take a closer look at two stream ciphers, viz. RC4+, designed by Maitra et al. at Indocrypt 2008, and GGHN, designed by Gong et al. at CISC 2005. Both these ciphers were designed as viable alternatives to the RC4 stream cipher. It is shown that a distinguishing attack requiring around $2^{27}$ keystream bytes can be mounted on RC4+. Also, a differential fault attack on RC4+ requiring $2^{16}$ faults is presented. Thereafter, two cryptanalytic results are presented against the GGHN stream cipher. First, it is shown that numerous short cycles occur during the keystream generation phase of the cipher. Secondly, it is shown that a randomized variant of this cipher is expected to reach the all-zero state in just around $2^{147}$ iterations, after which the cipher only produces the zero keystream byte at every iteration.

The Grain family of stream ciphers (Grain v1, Grain-128 and Grain-128a), designed by Ågren, Hell, Johansson, Maximov and Meier, is a prominent family of stream ciphers, especially since Grain v1 is included in the hardware portfolio of eStream. We first outline probabilistic methods that compute Key-IV pairs in the Grain family that can generate keystreams which are either almost similar in the initial segment, or exact shifts (the value of the shift being 2lp, where lp is the length of the pad in bits used in the design of Grain) of each other throughout the generation of the stream. We then investigate the possibility of obtaining related Key-IV pairs that produce shifted keystream bits with smaller shifts. In a work by De Cannière et al. at Africacrypt 2008, a method for finding related Key-IV pairs that produced i-bit shifted keystream (for Grain v1 and Grain-128) was proposed that required $4^i$ random trials. The method mainly took advantage of the fact that in both Grain v1 and Grain-128, the symmetric all-1 constant was used as the pad. We propose a new algorithm that improves the complexity to $2^i$ random trials. Furthermore, in the above work, it was observed that devising such a method for Grain-128a was not possible as the pad used in this cipher was asymmetric. However, we present a different technique to find related Key-IV pairs that produce 32-bit shifted keystream bits for Grain-128a in around $2^{32}$ random trials. We also present another method that finds related Key-IV pairs that produce shifted keystream bits for shifts less than 32. The second method produces -bit shifted keystreams (for 0 < 32) using 2 32 1−2−random trials.

Thereafter, we describe a set of three differential fault attacks on the Grain family, each of which is mounted under different experimental setups in which the attacker is granted varying degrees of freedom. The first attack assumes that the attacker can synchronize the timing of fault injection with a given stage of the cipher operation.


Creative Commons License

Creative Commons Attribution 4.0 International License


Included in

Mathematics Commons