Cryptanalysis of the Full Spritz Stream Cipher
Abstract
Spritz is a stream cipher proposed by Rivest and Schuldt at the rump session of CRYPTO 2014. It is intended to be a replacement for the popular RC4 stream cipher. In this paper we propose distinguishing attacks on the full Spritz, based on a short-term bias in the first two bytes of a keystream and a long-term bias in the first two bytes of every cycle of N keystream bytes, where N is the size of the internal permutation. Our attacks are able to distinguish a keystream of the full Spritz from a random sequence using samples of the first two bytes produced by \(2^{44.8}\) key-IV pairs or \(2^{60.8}\) keystream bytes produced by a single key-IV pair. These biases are also useful for plaintext recovery in a broadcast attack. In the second part of the paper, we look at a state recovery attack on Spritz in the special situation when the cipher enters a class of weak states. We determine the probability of encountering such a state, and demonstrate a state recovery algorithm that betters the \(2^{1400}\) step algorithm of Ankele et al. at Latincrypt 2015.
Keywords
RC4, Spritz, Stream cipher, Short-term bias, Long-term bias, Distinguishing attack, Plaintext recovery attack, State recovery attack
1 Introduction
RC4, designed by Rivest in 1987, is still one of the most widely used stream ciphers in the world. It is adopted in many software applications and standard protocols such as SSL/TLS, WEP, Microsoft Lotus and Oracle Secure SQL. Since the disclosure of its algorithm in 1994, RC4 has attracted intensive cryptanalytic effort over the past 20 years. Finally, in 2013, practical plaintext recovery attacks on RC4 in SSL/TLS were proposed by AlFardan et al. [1] and Isobe et al. [9]. In response to these results, usage of RC4 has drastically decreased, especially in TLS, and major companies such as Google, Microsoft, and Mozilla announced that they would officially remove RC4 from their web browsers by early 2016.
At the same time, there has been extensive research in recent years to come up with RC4-like stream ciphers that, while marginally slower in software, would wipe out the known shortcomings of RC4. Many such ciphers like RC4A [17], NGG [14], GGHN [8], Quad-RC4 [16], RC4+ [10] and VMPC [24] have been proposed to fulfil this objective. However, all the aforementioned ciphers have had distinguishing attacks reported against them [3, 4, 5, 12, 18, 20, 21]. Spritz [19] is a stream cipher proposed by Rivest and Schuldt at the rump session of CRYPTO 2014. The authors intended Spritz to be a replacement for RC4, and hence the design of Spritz was chosen meticulously, with special attention given to the fact that known weaknesses of RC4 [11, 13] do not carry over. The authors automatically examined many thousands of candidates to obtain cryptographically secure update functions, and an estimated 5 "core-months" of CPU time were used in the statistical experiments they performed. Their experiments suggested that \(2^{81}\) samples were required to distinguish the output of Spritz from random.
1.1 Description of Spritz
1.2 Previous Work
The only published work on the cryptanalysis of Spritz is presented in [2]. The authors tackle the problem of state recovery using three different approaches. The best algorithm they propose theoretically recovers the internal permutation used in Spritz in \(2^{1400}\) steps. Additionally, in [23], the author proposed a distinguisher for a scaled-down version of Spritz (\(N =8\)). It was observed that the event \(Z_i=Z_{i+2}\) was biased. However, the bias was not theoretically proven, and no analogous result for the full Spritz (\(N = 256\)) was proposed.
1.3 Our Contribution and Organization
In this paper, we first show a short-term bias which is present in the first two bytes of a keystream and a long-term bias which appears in the first two bytes of every cycle of N keystream bytes. We theoretically prove that these biases exist in a keystream of Spritz regardless of the value of N. Based on these biases, we propose distinguishing attacks on the full Spritz (\(N = 256\)). Our attacks are able to distinguish a keystream of the full Spritz from a random sequence using samples of the first two bytes produced by \(2^{44.8}\) key-IV pairs or \(2^{60.8}\) keystream bytes produced by a single key-IV pair. These biases are applicable to a plaintext recovery attack in the broadcast setting and the multi-session setting of SSL/TLS.
Thereafter we show that under certain conditions, Spritz enters a weak class of states, during which the odd and even elements of the permutation are never swapped with each other. In this case, the sequence constructed from the last bit of every keystream byte becomes periodic with period equal to 4. We show that in such an event, a state recovery attack on Spritz is more efficient and improves upon the \(2^{1400}\) step algorithm proposed in [2]. Table 1 summarizes our results.
Table 1. Summary of results on Spritz
# | Type of attack | Complexity | Reference
1 | Distinguishing attack on scaled-down version (\(N=8\)) | \(2^{21.9}\) outputs | [23]
2 | Distinguishing attack on full Spritz in multiple key-IV setting | \(2^{44.8}\) outputs | Sect. 2
3 | Distinguishing attack on full Spritz in single key-IV setting | \(2^{60.8}\) outputs | Sect. 2
4 | State recovery attack | \(2^{1400}\) steps | [2]
  |                       | \(2^{1247}\) steps | Sect. 3
2 Distinguishing Attacks on Spritz
Before we proceed to outline the details of the distinguisher, let us present a few observations on how the various index pointers are used when Spritz is operated in the stream cipher mode. Note that when Spritz is used in the stream cipher mode, the sequence of execution of modules is
A. ABSORB(K)
B. ABSORBSTOP(), ABSORB(IV) (optional, only if IV is used)
C. SQUEEZE().
1. In the ABSORB(K) (and also ABSORB(IV)) phase, the internal permutation is swapped according to the nibble values of the key (IV). During this phase the index a is used only to keep track of the number of nibbles currently absorbed into the permutation. After the ABSORB phase, the index a plays no further role in the SQUEEZE phase, when the cipher starts producing keystream bytes.
2. The index w, which is used to increment the index i, is constant during the SQUEEZE phase. Its value does not depend on the secret key, and hence is not secret: it can be deduced from the lengths of the secret key and IV. If the length of the key is limited to \(N/4\) bytes (64 bytes for \(N=256\)) and no IV is used, then the SHUFFLE procedure is executed only once. In that case, the value of w during the SQUEEZE phase is 7.
3. If the length of the key is more than \(N/4\) bytes, the value of w can be deduced by examining the number of times the SHUFFLE module has been called during the ABSORB phases. For example, if \(N=256\) and a key of 80 bytes is used, the SHUFFLE procedure gets called twice: at the end of the 64th byte and at the beginning of SQUEEZE. Each SHUFFLE call increases the value of w by 6, and so the value of w during keystream generation is \(1+6+6=13\).
4. The value of the index i at the beginning of the SQUEEZE phase is always 0, whatever the sizes of the key and IV used in the ABSORB phases. This is because whenever \(N/4\) bytes have been absorbed, the values of the pointers i, j, k are altered by a call to the SHUFFLE module. Each SHUFFLE call invokes the WHIP(2N) module three times. Each WHIP call in turn updates i using the rule \(i=i+w\) a total of 2N times. Whatever the actual value of w, at the end of any call to the WHIP module the updated value is \(i=0+2wN \equiv 0 \bmod N\). So the value of i remains 0 going into and out of the WHIP executions, and hence also the SHUFFLE module.
5. The only indices that change during the SQUEEZE phase are i, j, k, z.
6. The sequence of updates during the SQUEEZE phase is therefore given as:
(a) \(i=i+w\)
(b) \(j=k+S[j+S[i]]\)
(c) \(k=k+i+S[j]\)
(d) SWAP(S[i], S[j])
(e) return \(z= S[j+S[i+S[z+k]]]\)
2.1 Bias in First Two Output Bytes of a Keystream
We first prove that the first two output bytes produced by the Spritz stream cipher are biased towards the tuple \((-w,-w)\). For example, if \(N=256\) and a 64-byte key is used, then \(w=7\), and the first two bytes are biased towards the value (249, 249).
Theorem 1
The first two output bytes \(Z_1\) and \(Z_2\) produced by the Spritz stream cipher are biased towards \((-w,-w)\). The probability of this event is given by \(\mathsf{Pr}[Z_1=Z_2= -w] = \frac{1}{N^2} + \frac{3}{N^4}\).
Proof
We outline three mutually exclusive events I, II and III, each of which occurs with probability \(\frac{1}{N^4}\), that guarantee that the first two output bytes produced by the cipher are both equal to \(-w\). Each of the three events is described by the state of the permutation and the values of the index pointers just before the beginning of the SQUEEZE phase.
I. \(S[w]=-w,~ S[2w]=0,~ k=0,~ S[j-w] = 2w\)
II. \(k=2w,~ S[j+S[w]]=-2w,~ S[2w]=w,~ S[0]=-w\)
III. \(k+S[j-w]=2w,~ k+S[2w]=0,~ S[w-k]=0,~ S[w]=-w\)
For example, when I occurs, in the first round we have the following changes:
\(1.~ i\leftarrow i+w=w\)
\(2.~ j\leftarrow 0 + S[j +S[w]] = S[j-w] = 2w\)
\(3.~ k\leftarrow k+ i +S[j]=0+w+S[2w]=0+w+0=w\)
\(4.~ S[w]\leftarrow 0,~ S[2w]\leftarrow -w\) after SWAP
\(5.~ z\leftarrow S[j+S[i+S[z+k]]] = S[2w +S[w+S[w]]] = S[2w+S[w]]=S[2w]=-w\)
Similarly, in the second round we have the following changes:
\(1.~ i\leftarrow i+w=2w\)
\(2.~ j\leftarrow w + S[2w +S[2w]] = w+S[w] = w\)
\(3.~ k\leftarrow k+ i +S[j]=w+2w+S[w]=3w+0=3w\)
\(4.~ S[w]\leftarrow -w,~ S[2w]\leftarrow 0\) after SWAP
\(5.~ z\leftarrow S[w +S[2w+S[3w-w]]] = S[w+S[2w+S[2w]]]=S[w]=-w\)
2.2 Distinguishing Attack with Multiple Key-IV Pairs Based on a Short-Term Bias
We now state the following theorem from [11], which outlines the number of output samples required to distinguish two distributions X and Y.
Theorem 2
(Mantin-Shamir [11]) Let X, Y be distributions, and suppose that the event e happens in X with probability p and in Y with probability \(p(1 + q)\). Then for small p and q, \(O\left( \frac{1}{pq^2}\right) \) samples suffice to distinguish X from Y with a constant probability of success.
Let X be the probability distribution of \(Z_1\) and \(Z_2\) in an ideal random stream, and let Y be the probability distribution of \(Z_1\) and \(Z_2\) in streams produced by Spritz for randomly chosen keys. Let the event e denote \(Z_1=Z_2=-w\), which occurs with probability \(\frac{1}{N^2}\) in X and \(\frac{1}{N^2}+\frac{3}{N^4}= \frac{1}{N^2}\cdot \left( 1 + \frac{3}{N^2}\right) \) in Y. By using Theorem 2 with \(p = \frac{1}{N^2} \) and \(q= \frac{3}{N^2}\), we can conclude that we need about \(\frac{1}{pq^2}= \frac{N^6}{9} \approx 2^{44.8}\) output samples to reliably distinguish the two distributions.
Therefore, we can mount a distinguishing attack with multiple key-IV pairs if output samples of \(Z_1\) and \(Z_2\) produced by \(2^{44.8}\) distinct key-IV pairs are available. In the single-key setting, it requires samples of the first two bytes \(Z_1\) and \(Z_2\) generated by \(2^{44.8}\) different IVs.
2.3 Distinguishing Attack with a Single Key-IV Pair Based on a Long-Term Bias
The distinguishing attack on Spritz described in Theorem 1 requires that i and z are both zero at the beginning of the SQUEEZE phase. In general, during the production of a single stream of keystream bytes from any key or key/IV pair, i and z are not both zero at the beginning of each round. This is why, although the result in Theorem 1 holds for distinguishing the first two output bytes produced by multiple key/IV pairs, the same result cannot be carried over to a single keystream byte sequence using the event \(Z_t=Z_{t+1}=-w\).
2.4 Plaintext Recovery Attacks in the Broadcast Setting
These short- and long-term biases can also be used for plaintext recovery attacks in the broadcast setting, where the same plaintext is encrypted with different keys and/or IVs, in the same manner as previous attacks [1, 9, 11, 15]. Note that the broadcast setting is converted into the multi-session setting, where the target plaintext block is repeatedly sent at the same position in the plaintexts of multiple SSL/TLS sessions. According to Theorem 2, given \(\frac{1}{pq^2}\) ciphertexts, we can distinguish the distribution of correct candidates for the plaintext bytes (the biased distribution) from the distribution of wrong candidates (a random distribution) with constant probability. This can be considered a lower bound on the number of ciphertexts required to recover biased bytes of a plaintext in this setting, as mentioned in [11]. Recent statistical methods for detecting the correct plaintext, e.g. likelihood-based techniques [1, 22] and Bayesian analysis [7], might reduce the required number of ciphertexts when mounting an actual attack.
3 State Recovery Attack on Spritz
We first look at a class of special states of the Spritz stream cipher that occurs just before the beginning of the SQUEEZE phase.
Definition 1
Define a Spritz state as the 3-tuple (S, j, k) at the beginning of the SQUEEZE phase. A Spritz state is called a SPECIAL state if all the following conditions hold simultaneously.
1. \(S[t] \equiv 0 \bmod 2\) if \(t\equiv 1\bmod 2\),
2. \(S[t] \equiv 1 \bmod 2\) if \(t\equiv 0\bmod 2\),
3. \(j\equiv 0 \bmod 2\) and \(k\equiv 0 \bmod 2\).
In other words a SPECIAL state occurs when all the even indexed positions of the S array hold odd values, all the odd indexed positions hold even values and additionally j and k are even. We will now show that if the state at the beginning of the SQUEEZE phase is a SPECIAL state, then the sequence \(Z_t \bmod 2, ~t =0,1,2,3,\ldots \) is periodic with period equal to 4.
Lemma 1
(a) The state after every four iterations is a SPECIAL state.
(b) In every iteration, the updated values of i and j are equal modulo 2. Hence no SWAP between odd and even values occurs, and so the even and odd indexed positions of the S array continue to hold odd and even values respectively.
(c) \(Z_t\equiv Z_{t+4} \bmod 2\), for all values of t.
Proof
Note that i and z are 0 at the beginning of the SQUEEZE phase, and so both are even to begin with. If N is even, the design of the WHIP module ensures that the value of w is odd, whatever the length of the key/IV. Thereafter, all the above claims can be verified by running four iterations of the UPDATE function. We summarize the modulo 2 values of the various indices over 4 iterations in Table 2. Note that the updated values of i, j in each round are either both odd or both even, which means that odd and even values are never swapped during the SQUEEZE phase. At the end of round 4, i, j, k, z become even again, and so the modulo 2 values of the above indices repeat every 4 rounds. Therefore, the sequence of the modulo 2 values of the keystream byte z becomes periodic with period 4: \(0,1,1,0,~0,1,1,0,~0,1,1,0 \ldots \) \(\square \)
Table 2. The modulo 2 values of the various indices through 4 iterations. The rows marked in the original table are the ones used in the state recovery process in Algorithm 1.
# | Index | \(t=1\) | \(t=2\) | \(t=3\) | \(t=4\)
1 | \(i=i+w\) | 1 | 0 | 1 | 0
2 | \(j+S[i]\) | 0 | 0 | 0 | 0
3 | \(j=k+S[j+S[i]]\) | 1 | 0 | 1 | 0
4 | \(k=k+i+S[j]\) | 1 | 0 | 1 | 0
5 | \(z+k\) | 1 | 0 | 0 | 1
6 | \(i+S[z+k]\) | 1 | 1 | 0 | 0
7 | \(j+S[i+S[z+k]]\) | 1 | 0 | 0 | 1
8 | \(z=S[j+S[i+S[z+k]]]\) | 0 | 1 | 1 | 0
1. For a fixed key and multiple IVs, collect keystream of around \(10N\) bytes and inspect the sequence \(Z_t \bmod 2\).
2. If the sequence is \(0,1,1,0,~0,1,1,0,~0,1,1,0 \ldots \), i.e. periodic with period 4, then the attacker can conclude with high probability that a SPECIAL state has been encountered, and proceeds according to Algorithm 1.
3. The above technique is likely to succeed once in \(\rho^{-1}\) attempts.
3.1 State Recovery of SPECIAL states
Once the attacker is sure that a SPECIAL state has been encountered, the task is to recover a much simpler state, and the attacker proceeds in the same manner as in [2, Algorithm 1]. However, there are a few differences, as given in Algorithm 1.
3.2 Complexity of the Algorithm
The complexity is given by the number of guesses or assignments made until a solution is found. As in [2], we compute the complexity by splitting the algorithm into several cases \(c_i(x)\), to which we assign probabilities according to the occurrence of each case. Note that we can view the above internal state recovery algorithm as two modules, each working to recover exactly one half of the elements of the permutation. This is true since the odd and the even indices never swap among each other. Let \(\mathcal {T}_1,\mathcal {T}_2\) denote the average number of assignments that would be made in recovering the odd/even indexed elements of the permutation if each were operating independently of the other. Since for every assignment in \(\mathcal {T}_1\) we would need \(\mathcal {T}_2\) assignments to verify the correctness of the solution, the total complexity of our algorithm is \(\mathcal {T}=\mathcal {T}_1\cdot \mathcal {T}_2\).
a. With probability \(\frac{x}{N/2}\), the verification index d is already filled.
b. Therefore, with probability \(\frac{x}{N/2} \cdot \left(1-\frac{x}{N/2}\right) \), the index is already filled by a value other than \(Z_r\). In this case the path is terminated.
c. With probability \(\left(\frac{x}{N/2}\right)^2\) the index is filled with \(Z_r\), and the algorithm moves to the next phase.
d. With probability \(\left(1-\frac{x}{N/2}\right)\) the verification index d is empty.
e. Therefore, with probability \(\left(1-\frac{x}{N/2}\right)\cdot \frac{x}{N/2}\), it happens that \(Z_r\) already exists at some other index of the permutation. In this case too the path is terminated.
f. With probability \(\left(1-\frac{x}{N/2}\right)^2\), \(Z_r\) is not present in the permutation, and so after assigning \(S[d]\leftarrow Z_r\) the algorithm moves to the next stage.
Experimental Results: We performed the state recovery for \(N=14,16,18,20\) on 100 random permutations each. The algorithm was always able to recover the permutation. In Fig. 4, we plot the base-2 logarithm of the theoretical estimate \(\mathcal {T}\) against the base-2 logarithm of the experimentally obtained average number of steps, for different even values of N. We can see that the theoretical value always overestimates the experimentally obtained complexity. For \(N=256\), the theoretical estimate is \(\mathcal {T}\approx 2^{1233}\). And so the estimated complexity of state recovery is given as \(\mathcal {T}\cdot \left( \frac{N}{2}\right) ^2\approx 2^{1247}\) (taking into account the additional complexity of guessing the values of j, k at the beginning of the SQUEEZE phase). So the total complexity consists of \(\rho^{-1}\) encryptions plus \(\mathcal {T}\cdot \left( \frac{N}{2}\right) ^2\) assignments, which again comes to approximately \(2^{1247}\).
4 Conclusion
In this paper, we analyzed the security of the stream cipher Spritz. We first proposed distinguishing attacks based on the short-term and the long-term biases in the keystream of Spritz. The distinguisher can be used both for distinguishing keystreams produced by multiple key-IV pairs and for distinguishing a keystream produced by a single key-IV pair. In the second half of the paper we looked at a state recovery attack on Spritz (in the multiple-IV setting) in the situation when the cipher has entered the class of SPECIAL states. We calculated the probability of such an event happening, and went on to outline an algorithm to recover the internal permutation. Our estimates suggest that in this case we need approximately \(2^{1247}\) assignments to recover the internal state, which is an improvement on the \(2^{1400}\) step algorithm proposed in [2].
Acknowledgements
The authors would like to thank the anonymous reviewers who helped improve the quality of this paper.
References
 1. AlFardan, N.J., Bernstein, D.J., Paterson, K.G., Poettering, B., Schuldt, J.C.N.: On the security of RC4 in TLS and WPA. In: Proceedings of the 22nd USENIX Conference on Security, pp. 305–320 (2013)
 2. Ankele, R., Kölbl, S., Rechberger, C.: State-recovery analysis of Spritz. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LatinCrypt 2015. LNCS, vol. 9230, pp. 204–221. Springer, Heidelberg (2015)
 3. Banik, S., Sarkar, S., Kacker, R.: Security analysis of the RC4+ stream cipher. In: Paul, G., Vaudenay, S. (eds.) INDOCRYPT 2013. LNCS, vol. 8250, pp. 297–307. Springer, Heidelberg (2013)
 4. Banik, S., Jha, S.: How not to combine RC4 states. In: Chakraborty, R.S., Schwabe, P., Solworth, J. (eds.) SPACE 2015. LNCS, vol. 9354, pp. 95–112. Springer, Heidelberg (2015)
 5. Banik, S., Jha, S.: Some security results of the RC4+ stream cipher. Secur. Commun. Netw. 8(18), 4061–4072 (2015)
 6. Biham, E., Granboulan, L., Nguyen, P.Q.: Impossible fault analysis of RC4 and differential fault analysis of RC4. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 359–367. Springer, Heidelberg (2005)
 7. Garman, C., Paterson, K.G., van der Merwe, T.: Attacks only get better: password recovery attacks against RC4 in TLS. In: Proceedings of the 24th USENIX Conference on Security, pp. 113–128 (2015)
 8. Gong, G., Gupta, K.C., Hell, M., Nawaz, Y.: Towards a general RC4-like keystream generator. In: Feng, D., Lin, D., Yung, M. (eds.) CISC 2005. LNCS, vol. 3822, pp. 162–174. Springer, Heidelberg (2005)
 9. Isobe, T., Ohigashi, T., Watanabe, Y., Morii, M.: Full plaintext recovery attack on broadcast RC4. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 179–202. Springer, Heidelberg (2014)
 10. Maitra, S., Paul, G.: Analysis of RC4 and proposal of additional layers for better security margin. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 27–39. Springer, Heidelberg (2008)
 11. Mantin, I., Shamir, A.: A practical attack on broadcast RC4. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 152–164. Springer, Heidelberg (2002)
 12. Maximov, A.: Two linear distinguishing attacks on VMPC and RC4A and weakness of RC4 family of stream ciphers. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 342–358. Springer, Heidelberg (2005)
 13. Maximov, A., Khovratovich, D.: New state recovery attack on RC4. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 297–316. Springer, Heidelberg (2008)
 14. Nawaz, Y., Gupta, K.C., Gong, G.: A 32-bit RC4-like keystream generator. IACR Cryptology ePrint Archive 2005/175
 15. Ohigashi, T., Isobe, T., Watanabe, Y., Morii, M.: How to recover any byte of plaintext on RC4. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 155–173. Springer, Heidelberg (2014)
 16. Paul, G., Maitra, S., Chattopadhyay, A.: Quad-RC4: merging four RC4 states towards a 32-bit stream cipher. IACR Cryptology ePrint Archive 2013/572 (2013)
 17. Paul, S., Preneel, B.: A new weakness in the RC4 keystream generator and an approach to improve the security of the cipher. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 245–259. Springer, Heidelberg (2004)
 18. Paul, S., Preneel, B.: On the (in)security of stream ciphers based on arrays and modular addition. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 69–83. Springer, Heidelberg (2006)
 19. Rivest, R., Schuldt, J.: Spritz: a spongy RC4-like stream cipher and hash function. https://people.csail.mit.edu/rivest/pubs/RS14.pdf
 20. Tsunoo, Y., Saito, T., Kubo, H., Shigeri, M., Suzaki, T., Kawabata, T.: The most efficient distinguishing attack on VMPC and RC4A. In: SKEW 2005. http://www.ecrypt.eu.org/stream/papers.html
 21. Tsunoo, Y., Saito, T., Kubo, H., Suzaki, T.: A distinguishing attack on a fast software-implemented RC4-like stream cipher. IEEE Trans. Inf. Theor. 53(9), 3250–3255 (2007)
 22. Vanhoef, M., Piessens, F.: All your biases belong to us: breaking RC4 in WPA-TKIP and TLS. In: Proceedings of the 24th USENIX Conference on Security, pp. 97–112 (2015)
 23. Zoltak, B.: Statistical weakness in Spritz against VMPC-R: in search for the RC4 replacement. http://eprint.iacr.org/2014/985.pdf
 24. Zoltak, B.: VMPC one-way function and stream cipher. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 210–225. Springer, Heidelberg (2004)